
EEM-Dynamic Group Policy for domain user to access PAM not working


Article ID: 7021




CA Process Automation Base


EEM was initially set up to use the basic LDAP connection only.
This was later changed to use multiple Microsoft Active Directory domains.

When setting this up, you are prompted to provide the domain name. This prompt expects just the second level domain name, without the top level domain (.info, .com, .net, etc.). So if the second level domain is "company" and the top level domain is ".net", only "company" is entered.

For this issue, the first entry in EEM was set with just the second level domain, while the second entry was set with both the second and top level domains.

In Process Automation, when multiple MS AD domains are set in EEM, a default AD domain must be defined. The setting in the file is

In this case, the defaultDomain was set to



Release: ITPASA99000-4.3-Process Automation-Add On License for-CA Server Automation


To resolve the issues with the users not being able to complete any tasks in CA Process Automation, the following was done:

1. In the EEM User Store, when setting up the Multiple Active Directory Domain, the domain prompt for each was set to only use the second level domain name, i.e. company and company2 instead of or

2. In the file, the defaultDomain was set to company and not as:

3. The group level configuration in EEM was modified so that all of the groups in both AD servers are resolved. To do this, log into EEM to the Global application as EiamAdmin, select Configure, then User Store, then from the left menu Group Configuration.

   For the top section - Global Group Configuration 

   Set the Group Resolution Level to Resolve Direct Groups, and change the Group cache size from the default of 1000 to 5000.

   The Application Group Configuration should be set as Resolve nested groups.


At this point, you can now log into Process Automation and complete tasks. If you are a member of the default domain (company) then you only need to use your "username" to log in. If you are a member of the other domain (company2) then you must use "domain\username" or in this example "company2\username" to log into Process Automation. 

Users of either domain will be able to complete tasks.
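The login and domain matching behaviour described above, as an added illustration (not CA code; the function names and the "company"/"company2" entries are constructed for the example): a domain entry that still carries its top level domain never matches the "domain\username" prefix users type, which is the mismatch this article fixes.

```python
import re

# Constructed illustration of the EEM / Process Automation domain matching
# described in this article. Not CA code; all names here are hypothetical.

# EEM expects only the second level name ("company"), never "company.net".
DOMAIN_ENTRY = re.compile(r"^[A-Za-z0-9-]+$")


def validate_domain_entries(entries):
    """Return the EEM domain entries that can never match a 'domain\\user' login."""
    return [e for e in entries if not DOMAIN_ENTRY.match(e)]


def resolve_login(login, default_domain, domain_entries):
    """Split a login into (domain, username) the way the article describes.

    'username'         -> defaultDomain from the Process Automation file
    'domain\\username' -> the named AD domain
    Raises ValueError when the domain is not one of the configured entries,
    which is the symptom (users unable to complete tasks) the article fixes.
    """
    if "\\" in login:
        domain, _, username = login.partition("\\")
    else:
        domain, username = default_domain, login
    if not username:
        raise ValueError("empty username in %r" % login)
    if domain.lower() not in {e.lower() for e in domain_entries}:
        raise ValueError("domain %r is not configured in EEM" % domain)
    return domain.lower(), username


def login_allowed(login, default_domain, domain_entries):
    """True if the login resolves to a configured domain, else False."""
    try:
        resolve_login(login, default_domain, domain_entries)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = ["company", "company2"]        # second level names only (fixed)
    bad = ["company", "company2.net"]     # second entry still has the TLD
    print(validate_domain_entries(bad))                      # ['company2.net']
    print(resolve_login("alice", "company", good))           # ('company', 'alice')
    print(resolve_login("company2\\bob", "company", good))   # ('company2', 'bob')
    print(login_allowed("company2\\bob", "company", bad))    # False
```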