Hi,

The tree on a customers site is built like this:
[ROOT]
O=ORG1
OU=SITE1
OU=USERS111
OU=USERS112
OU=SITE2
OU=USERS121
OU=USERS122
O=ORG2
OU=USERS201
OU=APPS

This is only a small part, the total number of OU's is over 100.

I want to associate some applications with all users in OU=USERS111 and OU=USERS121, but not OU=USERS112 and OU=USERS122.

How can I do this without having to associate every user or OU with the application?

I tried with a group that contains all users and associate the application with the group, but the users don't see the application. Inheritance level is set to -1, so NAL looks up to the root. Read group for users is on.
Where should I put the group?