Using AD groups (permission sets) to login to the eposerver doesn't seem to work.
"You do not have permissions to access ePolicy Orchestrator."
following KB67576 this message informs you that a user has no Permission Set
But the users are member of a group of a permission set???
The account used for querying AD (registered server) is a domain admin account.
And the "Allow AD users login" setting is enabled.
What am I missing here?
Is this the same domain the epo server is connected to? If they're not the same you have to add the domain under windows authentication. To get the menu selection you have to change a file on the epo server. You can find more info in the product manual.
Under the permission set you want the user to have did you select the AD groups to map to it?
Are you loggin in with the user name: domain\username
I know it's been nearly a year since you posted this problem but I was having the exact same issue and found a work around. I am using McAfee ePO version 220.127.116.117.
As I mentioned I was having the same problem after doing the following:
1. My ePO Server is joined to the domain that my Domain Controller is running.
2. Added my domain controller as a Registered server on my ePO server.
3. Turned on Active Directory User Login in the list of Server Settings.
4. Created a permissions set for my Active Directory users.
5. Tried to login to ePO using an Active Directory account using domain\username and password and received the error:
You do not have permissions to access ePolicy Orchestrator.
To fix the problem I had to:
1. Use the directions found in the Configuring Windows Authentication section of the McAfee ePolicy Orchestrator 4.5 Product Guide. These directions are also located here:
I used these directions to add my domain controller to a list stored by ePO.
2. Here's the tricky and important. For some reason I had trouble when trying to login to ePO using an Active Directory user who was ONLY part of the "Domain Users" group. For instance, if I created a Permission Set and only mapped the "Domain Users" group to this Permission set I would NOT be able to login to ePO using a user listed in "Domain Users".
I had to create a permissions set and map it to a group in Active Directory that I created. Meaning a group other than "Domain Users", "Domain Admins", etc. Once I did this I could then login to ePO using a user account that is a member of my manually created AD group, as long as I had NEVER attempted to login to ePO with this user account before. The order of steps is VERY important.
Hopefully this helps someone who searches for this issue. I have a suspicion that this problem of mapping permission sets to "Domain Users" and other server created AD groups may be fixed in ePO 4.6 or some other later version of 4.5.