You can map Windows Active Directory groups to Building Operation user account groups if Building Operation runs on a network that uses this directory to manage users and user account groups. A Building Operation user account group that includes a Windows account group can be a member of another Building Operation user account group.
You can map Windows Active Directory universal and global groups to Building Operation user groups, but you cannot map Windows Active Directory domain local user groups.
Mapping Windows Active Directory account groups to Building Operation user account groups has advantages for both administrators and operators. Administrators can manage the user accounts in the Windows Active Directory, rather than managing the accounts in two places. Any changes are instantly applied to the mapped Building Operation user account group. Operators only have to remember the Windows login. Once logged in to a Windows user account that is mapped to a Building Operation account, the user is authenticated to access WorkStation without having to log in a second time.
Windows Active Directory account groups can only be mapped on SmartStruxure servers such as Enterprise Servers, which are based on the Microsoft Windows operating system. SmartStruxure server devices cannot map Windows Active Directory groups.
For example, the Windows Active Directory user account groups Main Admin and Main User are mapped to the Building Operation user account groups Administrators and External Users. The External Users user account group is a member of the Operator user account group. The Administrators account group, which is a member of the External Users user account group, inherits access to the Operator workspace.
If several Windows Active Directory account groups have the same name, any Building Operation user account group mapped to one of these groups will also be mapped to the other Windows Active Directory account groups with the same name.
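A pre-mapping check for the two rules above (only universal and global groups can be mapped, and same-named groups are all mapped together), as an added PowerShell example that is not part of the Building Operation documentation. The function name Test-MappingCandidate, the group Site Techs, the domain names and the inventory are constructed for illustration.

```powershell
# Added example: audit Active Directory groups before mapping them.
# Test-MappingCandidate is a hypothetical helper, not a product or AD cmdlet.
function Test-MappingCandidate {
    param(
        # Objects with Name, GroupScope and DistinguishedName (Get-ADGroup output fits)
        [Parameter(Mandatory)] [object[]] $Groups,
        # Group names you intend to map
        [Parameter(Mandatory)] [string[]] $Names
    )
    foreach ($name in $Names) {
        $found = @($Groups | Where-Object { $_.Name -eq $name })
        # Universal and global groups can be mapped; domain local groups cannot.
        $mappable = @($found | Where-Object { "$($_.GroupScope)" -in 'Global', 'Universal' })
        [pscustomobject]@{
            Name          = $name
            Matches       = $found.Count
            Mappable      = $mappable.Count
            # Several groups share the name: mapping one maps the others too.
            NameCollision = $found.Count -gt 1
            Locations     = $found | ForEach-Object { "$($_.GroupScope): $($_.DistinguishedName)" }
        }
    }
}

# Constructed inventory so the example runs without a domain. On a live forest
# (ActiveDirectory module required) build it instead with:
#   $inventory = (Get-ADForest).Domains |
#       ForEach-Object { Get-ADGroup -Filter * -Server $_ }
$inventory = @(
    [pscustomobject]@{ Name = 'Main Admin'; GroupScope = 'Global'
        DistinguishedName = 'CN=Main Admin,OU=BMS,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'Main Admin'; GroupScope = 'Global'
        DistinguishedName = 'CN=Main Admin,OU=Lab,DC=test,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'Main User'; GroupScope = 'Universal'
        DistinguishedName = 'CN=Main User,OU=BMS,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'Site Techs'; GroupScope = 'DomainLocal'
        DistinguishedName = 'CN=Site Techs,OU=BMS,DC=corp,DC=example' }
)

# Main Admin: NameCollision = True (two groups would receive the mapping).
# Site Techs: Mappable = 0 (domain local scope).
Test-MappingCandidate -Groups $inventory -Names 'Main Admin', 'Main User', 'Site Techs' |
    Format-List
```

Review the Locations of any name flagged with NameCollision before mapping it, because members of every listed group gain the access of the mapped Building Operation user account group.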
The default account for running the Enterprise Server service is the Windows Local System account. By default, the Windows Local System account has sufficient permissions to access the Active Directory.
To allow users to log on to the Enterprise Server with Windows authentication, make sure that the Enterprise Server service account has sufficient access permissions to read all necessary user groups in all locations in the Active Directory.