1. You want to use LDAP unless you are dealing with multiple domains. As long as it's only OUs, no problem.

2. The only two things you need to do in production are add an SSL certificate to the domain controller you will use for LDAP, since changing passwords requires LDAPS. Every DC is an LDAP server, but you only really need to pick one, and one more for redundancy. You also need an LDAP "Bind" user that has the right to update passwords.

3. Start your LDAP search base at the uppermost OU (domain OU) as others described.

It's counter-intuitive, but AD authentication is very limiting. The only benefits are allowing specifying of domains and automatic group use. LDAP allows you to use user attributes for drive mappings, and much better password management. The only downside is having to populate your catalog with the groups you are going to be using. At first I tried AD authentication with LDAP authorization, but this doesn't help you with the password issues.

Bottom line: Use LDAP

=============================

Finding user entries
    Base DN: dc=domain,dc=company,dc=com
    Filter: samaccountname=<USER>

Determining group membership
    Base DN: dc=domain,dc=company,dc=com
    Filter: cn=<GROUPNAME>
    Member Attribute: member
    Reverse group search: "Uncheck"
    Query Attribute:
    Nested Group Level: 3 (?Note: never specify more than 5 per JTAC?)
    Nested Group Search: "Check" Search all nested groups
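An added example, not from the post above, showing what the two pieces of that configuration do: the `samaccountname=<USER>` / `cn=<GROUPNAME>` filters (with RFC 4515 escaping of the substituted value, so a login name cannot alter the query) and the "Nested Group Level" cap applied when walking the `member` attribute. The directory contents and DNs are constructed for the example; the group cycle is deliberate, to show why a level cap matters.

```python
from typing import Dict, List, Set

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def user_filter(username: str) -> str:
    # The post's "Filter: samaccountname=<USER>", with <USER> escaped.
    return f"(sAMAccountName={escape_filter_value(username)})"

def group_filter(groupname: str) -> str:
    # The post's "Filter: cn=<GROUPNAME>", with <GROUPNAME> escaped.
    return f"(cn={escape_filter_value(groupname)})"

# Constructed stand-in for AD: group DN -> values of its "member" attribute.
# A member DN that is itself a key here is a nested group.
DIRECTORY: Dict[str, List[str]] = {
    "cn=vpn-users,dc=domain,dc=company,dc=com": [
        "cn=alice,cn=users,dc=domain,dc=company,dc=com",
        "cn=it-staff,dc=domain,dc=company,dc=com",
    ],
    "cn=it-staff,dc=domain,dc=company,dc=com": [
        "cn=helpdesk,dc=domain,dc=company,dc=com",
    ],
    "cn=helpdesk,dc=domain,dc=company,dc=com": [
        "cn=bob,cn=users,dc=domain,dc=company,dc=com",
        "cn=vpn-users,dc=domain,dc=company,dc=com",  # cycle back to the top group
    ],
}

def effective_members(group_dn: str, nested_level: int) -> Set[str]:
    """Expand 'member' recursively, at most `nested_level` group hops deep.
    Level 1 = direct members only; the cap bounds the number of lookups the
    device has to issue and also stops the cycle above from looping."""
    seen_groups: Set[str] = set()
    users: Set[str] = set()

    def walk(dn: str, depth: int) -> None:
        if dn in seen_groups or depth > nested_level:
            return
        seen_groups.add(dn)
        for member in DIRECTORY.get(dn, []):
            if member in DIRECTORY:
                walk(member, depth + 1)      # nested group: one more hop
            else:
                users.add(member)            # leaf entry: a user

    walk(group_dn, 1)
    return users
```

With the constructed directory, level 1 or 2 resolves only alice, while level 3 reaches bob through it-staff and helpdesk.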