This is a quick article that walks you through an issue where external group membership for Cisco ISE does not get updated after you add or remove members in the external identity source, and the newly added users get an error when they try to log in. In this case the external identity source is Microsoft Active Directory.
The issue is caused by stale SID values held by the Cisco ISE application server: ISE stores the SID of each Active Directory group you select and matches users to groups by SID, not by name, so if the SID no longer matches the group in AD (typically because the group was deleted and re-created under the same name), the user is never matched to the group. You will need to update the SID values manually. Below is the error message you get when you try to log in to the Cisco ISE admin portal with an Active Directory username and password.
Log in with the admin credentials and go to Administration > Identity Management > External Identity Sources.
Once you click on "External Identity Sources" it lists all external sources. In this case choose "Active Directory", which lists the joined domains; highlight the domain and choose the "Groups" tab on the right.
Once the "Groups" tab is selected, click "Update SID Values". This refreshes the SID that ISE stores for each selected group from Active Directory; it does not change group membership in AD itself.
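Before clicking through the GUI you can confirm that a stale SID is really the problem. The following PowerShell script is an added example, not part of the original article or of Cisco's own tooling: it takes the group names and SIDs as ISE currently displays them (copied from the "Groups" tab; the group names and SID values below are constructed placeholders, and the assumption that ISE shows groups as domain/OU path/name is mine), looks up each group's live SID in Active Directory with the ActiveDirectory module, and flags any mismatch. It also checks that a given user is actually a member of the group, so you can tell a stale-SID problem apart from a plain membership problem.

```powershell
# Added example (not from the original article): compare the SIDs ISE holds for
# its selected AD groups with the live SIDs in Active Directory.
# Requires the RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

# Assumption: these are the group name / SID pairs exactly as the ISE "Groups"
# tab shows them today. Values are constructed placeholders.
$iseGroups = @(
    @{ Name = 'corp.example.com/Users/ISE-Admins'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' },
    @{ Name = 'corp.example.com/Users/NetOps';     Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1203' }
)

function Test-IseGroupSid {
    # Return OK, STALE SID or NOT FOUND for one ISE group entry.
    param([Parameter(Mandatory)][hashtable]$Group)

    # Assumption: ISE displays groups as "domain/OU path/Name", so the last
    # path element is the group's sAMAccountName.
    $sam = ($Group.Name -split '/')[-1]
    # Escape single quotes so the group name cannot break out of the filter.
    $safeSam = $sam -replace "'", "''"
    $adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$safeSam'" -ErrorAction SilentlyContinue

    if (-not $adGroup) {
        return [pscustomobject]@{ Group = $Group.Name; Status = 'NOT FOUND IN AD'; IseSid = $Group.Sid; AdSid = $null }
    }

    $status = if ($adGroup.SID.Value -eq $Group.Sid) { 'OK' } else { 'STALE SID - run Update SID Values in ISE' }
    [pscustomobject]@{ Group = $Group.Name; Status = $status; IseSid = $Group.Sid; AdSid = $adGroup.SID.Value }
}

function Test-IseUserInGroup {
    # Confirm the failing user is really a (possibly nested) member of the group,
    # so a membership mistake is not misdiagnosed as a SID problem.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $sam = ($GroupName -split '/')[-1]
    $members = Get-ADGroupMember -Identity $sam -Recursive -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

# Report every group's SID state, then check one user (constructed name).
$iseGroups | ForEach-Object { Test-IseGroupSid -Group $_ } | Format-Table -AutoSize
$user = 'jdoe'
foreach ($g in $iseGroups) {
    "{0} member of {1}: {2}" -f $user, $g.Name, (Test-IseUserInGroup -SamAccountName $user -GroupName $g.Name)
}
```

Run it as a domain user with read access to the groups. A row marked "STALE SID" confirms the fix described above; a row marked "NOT FOUND IN AD" means the group no longer exists under that name and must be re-selected in ISE rather than just refreshed; if every SID is "OK" but the user is not reported as a member, the problem is group membership in AD, not ISE.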
Try logging in again and you should be good to go. I hope this helps.