• User's Role in Console is mapped to the Active Directory Group, "Protected Users"
• Logs for Active Directory Troubleshooting have results similar to:
  • ServerLog-TIMESTAMP.bt9 shows an empty result for the Canonical Name:

    (10388 Admin Thread 1)UserStorage::LoginUserAD: Calling ValidateLogin DOMAIN\USER
    (10388 Admin Thread 1)UserStorage::LoginUserAD: Check if canonical name '' exists
    (10388 Admin Thread 1)ReportLogin called username = DOMAIN\USER, successful = 0

  • AppControlAD-TIMESTAMP.bt9 finds the DOMAIN\USER result:

    DEBUG ADHelper.ADInfo.GetDirectoryEntry - Bind successful with ldap path = LDAP://DOMAIN.TLD/CN=Protected User,CN=Users,DC=DOMAIN,DC=TLD
    DEBUG ADHelper.ADInfo.GetADUserList - Found adUser for userName = DOMAIN\USER
    DEBUG ADHelper.ADHandler.ParityServerADMapping - Computer = , Users = DOMAIN\USER, Ruleset = 2

• App Control Server: 8.9.0-8.10.4

This issue was tracked under EPCB-21147 and resolved with the release of Server 8.11.0.

The following temporary workaround can be used to force the "old logic" for Active Directory using vbscript. This should be reverted after upgrading to 8.11.0+

1. Navigate to https://AppControlServer/shepherd_config.php
   1. Select the Property: AllowADScript
   2. Change the Value to true.
2. Restart the App Control Server & Reporter services.
3. Verify the AD accounts are able to log in correctly.