In the VMware Identity Manager service, groups are identified uniquely by both the group name and domain.

Beginning with VMware Identity Manager 3.1, when new groups are added to the directory from Active Directory, the group names are synced to the directory. Users that are members of the group can sync to the directory under the following conditions.

  • The group is entitled to an application in Workspace ONE.

  • The group name is added to an access policy.

  • The users in the group are manually synced from the Group > Users profile page.

Before 3.1, members of the group were synced to the directory when the group was added.


If some users need to authenticate before a group syncs to the directory, you can add the individual user to the directory's Sync Settings > Users page .

The VMware Identity Manager service supports having multiple groups with the same name in different Active Directory domains. Group names must be unique within a domain. For example, you can have a group called ALL_USERS in the domain and another group called ALL_USERS in the domain

During directory sync, groups that have the same name but different domains are synced successfully. If there is a group name conflict within a domain, the first group is synced and an error occurs for subsequent groups with the same name.

In the VMware Identity Manager console User & Groups tab Groups page, Active Directory groups are listed by their group name and domain. In this list, you can distinguish between groups that have the same name. Groups that are created locally in the VMware Identity Manager service are listed by the group name. The domain is listed as Local Users.