Members of a security group that is added to the User Scope in Management Policy 1 and is Excluded from the security group of MP2 are not accessible by helpdesk
Two management policies are configured. These policies have different workflows for the different users.
One management policy is for all the internal users. The user scope is defined as domain users.
The second management policy is for External users and the user scope is defined as the External users groups.
The members of the External users security group are also in the Domain users group, and they have to remain there for other processes in their environment.
They can put the external users in the Excluded group for the first Management policy, but as soon as they do that, those users are now no longer accessible to the Helpdesk administrators, even though both policies have the same Helpdesk scope.
The external users are added as the included group to the second management policy and they CAN still access the self service site and this sends them to the correct workflow/management policy. However, they are not accessible in the helpdesk site at all.
The Exclusion is for the Self-Service site, NOT the Helpdesk site.
This has been confirmed as a bug by the development team. It’s a limitation due to an algorithm that has been implemented in Password Manager and as such may take a long time to fix and test.
The bug tracking number is 625355.
The suggested workaround is to have separate groups or OUs for All Users in AD.
Waiting for a fix in a future release of Password Manager.