BlueCielo Meridian Enterprise 2012 System Requirements | BlueCielo ECM Solutions

Understanding Active Directory security problems

With security configured, Meridian users and services need privileges to access domain user account and group membership information. By default, Active Directory users and the Windows SYSTEM account do not have these privileges. Without sufficient access, Meridian security may not function and users can be denied access to documents or commands. It may seem to work at times or in certain situations, but problems can still occur.

This problem typically occurs after security is applied to a vault, resulting in all users being denied access to the vault. No folders or documents can be seen by any user. Only the vault’s root folder appears in the application with a nearby lock icon indicating that the user has no access. In some cases, a subset of users is denied access to the vault even when they have appropriate privileges in the vault. In such cases, it is not uncommon for a user to be denied access, even though their group membership is identical to a user who is not denied access.

Because Meridian uses Windows domain security authentication to control security privileges in the vault, the AutoManager EDM Server service used by Meridian must have privileges to query the domain user accounts and group memberships. In Active Directory, these privileges may be granted in one of two ways:

Both of these methods rely on the Pre-Windows 2000 Compatible Access group that is available in each Active Directory domain. The group is a convenient way to grant necessary privileges to the AutoManager EDM Server service.

Note: When Meridian users reside in multiple domains within an Active Directory forest, you have to add the service to the group in every domain where the users reside.

Meridian security will also work if the Everyone group or the Authenticated Users group is added to the Pre-Windows 2000 Compatible Access group. However, this will likely breach your organization’s security policy, so you should choose one of the above solutions.
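To check both points in every domain of the forest, the following PowerShell sketch reports whether the service identity is a member of the Pre-Windows 2000 Compatible Access group and whether Everyone or Authenticated Users has been added to it. It is an added example, not part of the BlueCielo documentation. It assumes the RSAT ActiveDirectory module, a service identity that lives in the current domain, and the placeholder account name svc-meridian, and it checks direct membership only.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module

# Assumption: sAMAccountName of the identity the AutoManager EDM Server service
# runs as, in the current domain. Use 'SERVERNAME$' if it runs as the computer.
$ServiceSam = 'svc-meridian'    # hypothetical placeholder

$GroupSid  = 'S-1-5-32-554'     # well-known SID: Pre-Windows 2000 Compatible Access
$BroadSids = @{                 # well-known SIDs of the groups named above
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

# Resolve the service identity once; works for user and computer accounts.
$svc = Get-ADObject -Filter "sAMAccountName -eq '$ServiceSam'"
if (-not $svc) { throw "Account '$ServiceSam' not found in the current domain." }

$report = foreach ($domain in (Get-ADForest).Domains) {
    # Each domain has its own copy of the group, so query each one.
    $group = Get-ADGroup -Identity $GroupSid -Server $domain -Properties member

    # Well-known principals are stored as CN=<SID>,CN=ForeignSecurityPrincipals,...
    $broad = foreach ($dn in $group.member) {
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
            $BroadSids[$Matches[1]]   # $null for any SID not in the table
        }
    }

    [pscustomobject]@{
        Domain          = $domain
        # Direct membership only; nested groups are not expanded.
        ServiceIsMember = @($group.member) -contains $svc.DistinguishedName
        BroadPrincipals = ($broad | Where-Object { $_ }) -join ', '
    }
}

$report | Format-Table -AutoSize
```

A domain that holds Meridian users but shows ServiceIsMember as False matches the denied-access symptom described above; a non-empty BroadPrincipals column shows where the group has been opened to Everyone or Authenticated Users.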

Related concepts

About support for Microsoft Active Directory

Understanding DCOM problems

Using with nested groups

Using with multiple domains

Understanding Web Access

Understanding the Web Access server privileges

Related tasks

Granting domain privileges with a service account

Granting domain privileges to the server

Enabling DCOM

Configuring DCOM permissions

Granting membership query access

Configuring NetBIOS name resolution

Running BlueCielo License Server on a different computer

Synchronizing user groups with Active Directory

Installing Web Access on a different server

Creating a web location

Configuring a Web Access location

Enabling anonymous web access


Copyright © 2000-2012 BlueCielo ECM Solutions

www.bluecieloecm.com