Content Studio runtime must have certain permissions in Active Directory

Applies to: Content Studio ver. 3.2 + running on a server that is member in Active Directory

The Content Studio runtime account must have permissions to read all domain user's group membership and their public information from Active Directory. This right was granted by default in NT 4 domains but in Active Directory this permissions are controlled by ACL:s on domain, container or object-level. In AD this permission is emulated by the alias "Pre-Windows 2000 Compatibility Access" that by default has the right to read this information. By default the Everyone group is member of this group but if an administrator has removed this group it is likely that the Content Studio runtime will fail reading the needed information. Make sure that this runtime account is a member of this alias. Content Studio uses this user information when a user opens a session i Content Studio in order to be able to detect the users full name and her group membership. This information is cached internally in the user session and without it Content Studio cannot authenticate the user and access is denied. By using Active Directory ACL:s it is possible to prevent users to enter Content Studio unless they are using Anonymous Access. Just prevent the runtime account to read public information on a certain OU or on a certain user object in AD. The user will then get Access denied directly after doing a Windows logon in Internet Explorer.