User-ID Group Mapping

Test Commands

To list every group the firewall has retrieved through its group mappings (the output ends with a total count):

show user group list

To list the members of a particular group, pass the group's full DN exactly as it appears in the output of show user group list, quoted because the CN usually contains whitespace:

show user group name "cn=some groupname with whitespace,ou=AnOUname,ou=AnotherOUname,dc=example,dc=com"

To clear the cached group membership for a particular group mapping so that the firewall re-reads it from the LDAP server:

debug user-id reset group-mapping NameOfGroupMapping

Misc

  • When creating an authentication profile for firewall administrators that relies on a group mapping (an Allow List of groups), assign the admin accounts an Authentication Sequence that contains only that authentication profile.
  • In the authentication profile, set the User Domain field to the NetBIOS domain name (example rather than example.local).
  • In the past, when moving a group that had previously had only 'dc' and 'cn' in its full path to a path that also contains 'ou', I had to remove 'sAMAccountName' from the Authentication Profiles that used that group to make them work. I also had to ensure that the domain (e.g. example rather than example.local) was set in the Authentication Profile configuration.
  • If you set an "Allow List", enter the group DN entirely in *lower case* (this includes the cn, ou and dc components).
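Two of the points above come down to getting a group DN into one exact string: the show user group name command needs the full DN quoted, and the Allow List needs it in lower case, while DNs copied from Active Directory arrive as CN=...,OU=...,DC=... and may contain escaped commas. The following script is an added example, not code from this wiki page or from Palo Alto Networks: it parses a DN per RFC 4514 (honouring backslash escapes), produces the lower-case Allow List form, builds the matching CLI command, and flags Allow List entries that are not already lower case. It assumes the firewall matches Allow List entries as plain lower-case strings and that show user group name accepts the DN as show user group list prints it; multi-valued RDNs joined with '+' are not handled.

```python
"""Normalise AD group DNs into the lower-case form a PAN-OS User-ID Allow
List needs, and build the matching 'show user group name' command.

Added example, not from the wiki page and not Palo Alto Networks code.
Assumptions: the Allow List is matched as a lower-case string, and
'show user group name' takes the DN as 'show user group list' prints it.
"""


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs.

    Honours backslash escapes, so 'CN=Sales\\, EMEA' stays one RDN.
    Multi-valued RDNs joined with '+' are not handled (assumption).
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)          # keep the escape so the value round-trips
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def allow_list_entry(dn: str) -> str:
    """Return the DN with every attribute type and value in lower case."""
    return ",".join(f"{a.lower()}={v.lower()}" for a, v in split_dn(dn))


def group_name_command(dn: str) -> str:
    """CLI command to list the members of one group; the DN is always quoted."""
    return f'show user group name "{allow_list_entry(dn)}"'


def check_allow_list(entries: list[str]) -> list[str]:
    """Return one message per entry that is not lower case or cannot be parsed.

    An empty list means every entry is already in the form the firewall wants.
    """
    problems = []
    for entry in entries:
        try:
            wanted = allow_list_entry(entry)
        except ValueError as exc:
            problems.append(f"{entry!r}: {exc}")
            continue
        if entry != wanted:
            problems.append(f"{entry!r}: should be {wanted!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample input: DNs copied from AD keep AD's mixed case.
    sample = [
        "CN=Firewall Admins,OU=Groups,OU=Corp,DC=example,DC=com",
        "cn=firewall admins,ou=groups,ou=corp,dc=example,dc=com",
        "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",
    ]
    for problem in check_allow_list(sample):
        print(problem)
    print(group_name_command(sample[0]))
```

Run it over the DNs you intend to put in the Allow List before committing; any entry it reports will never match a group the firewall learned, and the generated command gives you the exact string to paste into the CLI to confirm the group's membership.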