Understand OS Group security with multiple AD domains

If your network is configured with multiple Windows AD domains, and you intend to use OS Group security with MES Web Portal, you must select only Global and Universal domain groups when configuring MES groups. This is because MES Web Portal will not authenticate users in local groups if the system is part of multiple domains.

As an example, say your network has multiple domains and you pick a local domain group to be an MES group. You configure that group to have access to an entity, to run Operator, and to not allow editing of entity settings. A user who belongs to that local domain group (and does not belong to any other groups configured to be an MES group) would be able to log into the entity in MES Operator and perform operations on that entity. However, the same user would not see the entity in MES Web Portal because MES Web Portal will not authenticate the user from that domain local group.

You should only select local domain groups if you are sure that your network has only one domain. Consult your network administrator if you are unsure about whether your network has multiple domains or if you are unsure about whether a domain group is local, global, or universal.