If you use Active Directory and the Carbon Black App Control Server has been joined to an Active Directory domain, you can use AD accounts to log in to the console.

When a user logs into the console with an AD-based account name, that account is added as a Carbon Black App Control Console account. Users attempting to login to the console with a legitimate AD account but who are not members of a group that is not mapped to any role will be added to the console accounts table, but without any privileges. As such, they will not be able to login to the console.

You can map an AD account to multiple Carbon Black App Control Console roles, either intentionally or because the account happens to match more than one mapping rule. If you choose, you can stop evaluation when an account matches the highest ranking mapping rule in the list. See “ Managing Console User Roles for more details.

Note: Unless you are using a Windows 2000 domain controller, you can specify a security domain separate from the login domain of your user accounts. This allows you to create Carbon Black App Control Console user roles in the named security domain rather than in the domain for each of your users.
Note: With Server 8.9.0, you can log in with the user principal name. For example, if the User logon name and the User logon name (pre-Windows 2000) are different, you can log in using either logon name.