7 Replies Latest reply on Sep 7, 2010 4:06 AM by robpow

    Active Directory User Login - Permission Sets

    woodsjw

      I'm trying to set up ePO 4.5 P3 so that we can provision users and permission sets by AD group membership.  I have the following pieces in place:

       

      A functioning AD LDAP registered server

      A group in AD with members

      A permissions set in ePO associated to the AD group.

      Server setting "Active Directory User Login" set to true (according to KB67576 this should automatically create ePO user records for Active Directory users upon login)

       

      I've asked a member of the AD group associated to the permissions set to try logging in to ePO.  They receive this message: "You do not have permissions to access ePolicy Orchestrator".  Referring to KB67576 again, this apparently means the person has successfully authenticated to the ePO console but had no permissions set assigned.  However, when I look, no user record was created for this user, which should have happened based on the "Active Directory User Login" setting.  So I feel like I'm stuck in a chicken/egg situation.  How do I assign a permissions set (other than AD group association, which is already done) to a user record that doesn't exist?  If it won't let them log in without a permissions set, how do you get the account created?  Manually creating an account would be ridiculous and would make the "Active Directory User Login" completely useless.

       

      Does anyone know what I'm missing here?  My next step is to open an SR.  But since the support portal is down I thought I'd ask the community first.