https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181835#M8958 <P>If its a Locally Managed appliance, this is a known limitation that you cannot select specific users from AD on SMB appliances.<BR /><BR />See <A href="https://support.checkpoint.com/results/sk/sk105977" target="_self">sk105977 -&nbsp;There is no option to add specific Active Directory users and organization units inside policy rules, when using Identity Awareness blade on SMB appliances</A></P> <P><EM><STRONG>&gt;&nbsp;&nbsp;This is the current design for locally managed SMB appliances. It is a best practice to use Active Directory groups to make maintenance easier.</STRONG></EM></P> Wed, 24 May 2023 00:42:53 GMT Tom_Hinoue 2023-05-24T00:42:53Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181732#M8954 <P>Hello,<BR />Is it possible to block internet access through the firewall to a specific user in the active directory without creating an AD group?<BR />I have a Spark 1570 with Gaia Embedded R81.10.05</P><P>I know it's possible to list the AD groups but I can't list the users...</P> Tue, 23 May 2023 10:21:20 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181732#M8954 jorgemsassuncao 2023-05-23T10:21:20Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181822#M8957 <P>Unfortunately, there is no way to refer to a specific user in LDAP, only the group(s) they are a part of.<BR />This sounds like a permissions issue with your AD user.</P> Tue, 23 May 2023 19:20:46 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181822#M8957 PhoneBoy 2023-05-23T19:20:46Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181835#M8958 <P>If its a Locally Managed appliance, this is a known limitation that you cannot select specific users from AD on SMB appliances.<BR /><BR />See <A href="https://support.checkpoint.com/results/sk/sk105977" target="_self">sk105977 -&nbsp;There is no option to add specific Active Directory users and organization units inside policy rules, when using Identity Awareness blade on SMB appliances</A></P> <P><EM><STRONG>&gt;&nbsp;&nbsp;This is the current design for locally managed SMB appliances. It is a best practice to use Active Directory groups to make maintenance easier.</STRONG></EM></P> Wed, 24 May 2023 00:42:53 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181835#M8958 Tom_Hinoue 2023-05-24T00:42:53Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181837#M8959 <P>AS&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8345">@Tom_Hinoue</a>&nbsp;said, it is limitation for locally managed appliance. If its centrally managed, should be doable with access role, if you add say a group from AD server that contains a single user.</P> <P>Andy</P> Wed, 24 May 2023 01:17:48 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Block-active-directory-user-on-firewall-without-associated-group/m-p/181837#M8959 the_rock 2023-05-24T01:17:48Z