While setting up a new Cisco Identity Services Engine (ISE) instance I came across this error: "Groups fetch failed : Insufficient permissions to retrieve groups". The issue was intermittent, and only domain admins were able to retrieve groups successfully.
I went through all the steps described in this Q&A article, but all the settings checked out fine.
The fix was to re-enforce the settings with a command-line script. The best place to run it is on the domain controllers the ISE nodes were joined to. The script needs to be executed from an elevated command prompt.
dsacls "OU=Your_OU,DC=Your_Domain,DC=Your_Domain" /I:T /G "ISE-NODE-NAME$":rp;tokenGroups
where ISE-NODE-NAME is the ISE hostname. Make sure to keep the $ sign (it identifies the node's computer account).
The closer to the user OU you apply it, the better, but if your users are not all in the same OU you may have to apply it at the DC level.
Once the script was executed, the permission issue was fixed right away.
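To confirm afterwards that the grant is actually present and scoped as intended, the ACL can be read back. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) is installed and reuses the placeholder OU and hostname from the dsacls command above.

```powershell
# Added example: check that each ISE machine account holds an Allow/ReadProperty
# ACE covering tokenGroups on the target DN. Values below are placeholders.
Import-Module ActiveDirectory

$TargetDN = 'OU=Your_OU,DC=Your_Domain,DC=Your_Domain'   # placeholder DN
$IseNodes = @('ISE-NODE-NAME')                            # placeholder, no trailing $

# Look up the tokenGroups schemaIDGUID from the schema rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=tokenGroups)' `
                     -Properties schemaIDGUID
$tokenGroupsGuid = [guid]$attr.schemaIDGUID

$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$sidType  = [System.Security.Principal.SecurityIdentifier]

# Explicit and inherited rules on the target, with identities returned as SIDs.
$rules = (Get-Acl -Path "AD:\$TargetDN").GetAccessRules($true, $true, $sidType)

foreach ($node in $IseNodes) {
    $sid = (Get-ADComputer -Identity $node).SID
    $match = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $readProp) -eq $readProp) -and
        # Scoped to tokenGroups, or a broader "all properties" read ACE.
        ($_.ObjectType -eq $tokenGroupsGuid -or $_.ObjectType -eq [guid]::Empty)
    })
    [pscustomobject]@{
        Node               = "$node`$"
        HasTokenGroupsRead = ($match.Count -gt 0)
        # /I:T should produce an ACE that propagates to child objects.
        PropagatesToChild  = [bool]($match | Where-Object { $_.InheritanceType -ne 'None' })
        ScopedToAttribute  = [bool]($match | Where-Object { $_.ObjectType -eq $tokenGroupsGuid })
    }
}
```

A row with HasTokenGroupsRead true but ScopedToAttribute false means the node can read tokenGroups only through a broader all-properties grant, which is more access than the dsacls command above gives.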