Joined directly to Windows 2012 domain controller
/opt/quest/bin/vastool user checkaccess user201 returns the following:
ALLOWED [user=user201] [service=login]
Access Rule = [Allow Group - DOMAIN\access-group (users.allow)]
However /opt/quest/bin/vastool user checklogin user201 shows
Access policy denial. User is not authorized to access this host.
DENIED (access denied) [user=user201] [service=login]
Access Rule = [Only Allow rules defined, user does not match any allow rule]
The below command shows that the group is not in the pac
/opt/quest/bin/vastool -u user201 auth -ps groups
* vasd: Support for Windows 2012 SID compression added in 220.127.116.11
Support for SID compression was added in Authentication Services 18.104.22.168
Turn off SID Compression in 2012. Please refer to Microsoft for information about this.
Join specify to Windoes 2008 or 2003 domain controllers only.
Please refer to the following KBs on how to accomplish this:
Upgrade to Authentication Services 4.1 Maintenance Release.