After the AD-based User Roles interface is enabled, a new tab, “Mappings,” will be visible when you view the Login Accounts page. Clicking on this tab opens the Active Directory User Role Mappings page. This is where you create rules to map computers with specified AD data to certain roles.

You can create mapping rules that test for matching AD data including organizational units, domains, security groups, computer names, and user names. Keep the following in mind when creating mapping rules:

  • App Control does not support policy mapping for AD object names that contain double quotes. Object names with double quotes cannot be handled properly by the directory object browser you use to create a mapping rule.
  • In general, create as few rules as possible and use them to test for groups rather than individual objects.

The following table shows the rule parameters you provide for a mapping rule.

Table 1. AD User Role Mapping Rule Parameters



Object to Test

The object that will be tested to see whether it matches the rule. This is always “user”.


The relationship being evaluated between the Directory Object specified in the rule and the AD data from the user attempting to log in. The choices are:

  • is member of group
  • is in OU or domain
  • is
  • is not in any domain

Directory Object

The object in AD that the data from the tested object must match. Clicking the right end of this field opens an AD browser from which you can search for an object from your AD environment.

The choices for the Directory object field change depending upon which Relationship you choose. If you choose “is not in any domain,” no Directory object is necessary.

The object browser for choosing the directory object is similar to the one for AD policy mapping. See AD Object Browser Options for a more detailed description of this browser.

User Role to Apply

The role to apply to a computer if its tested object matches the rule. The dropdown menu shows all available roles.

Stop Evaluation

Checking this box causes evaluation of users against mappings to stop when this rule is reached. If this is the first rule that matches a user, the role it assigns will be the only role they have.

Leaving the box unchecked allows evaluation to continue to the next ranked rule.

The result of providing these parameters is a rule that can be read like a sentence. The following is how you might set up one rule.

Table 2. Example Rule Creation


Example (value in bold)

Computer Object to Test

If a User


is in OU or domain

Directory Object

…matching OU = Support,DC=hq,DC=xyzcorp,DC=local

User Role to Apply

… assign the Help Desk role to the user...

Stop Evaluation

… and do not assign roles from any lower-ranked rules, even if this user matches their conditions.

The procedure that follows shows how to configure a mapping rule. Although entry of most of the parameters are reasonably straightforward, pay particular attention to the Directory Object field, which requires use of a special AD browser.

Create AD Mapping Rules

Use this procedure to create an AD role mapping rule.


  1. In the console menu, click the configuration (gear) icon and choose Login Accounts.
  2. Click the User Role Mappings tab. The Active Directory Mappings page appears with the User Role Mappings table.
    Note: If you have upgraded from a pre-8.0 version of Carbon Black App Control (Bit9 Server) and were using AD group mapping there, a series of default mappings appear. Otherwise the table only has a default mapping to no role.
    The Login Accounts page showing the Active Directory Mappings tab
    Note: If no Mapping tab appears, the AD mapping interface has not been enabled. Go to the General tab of the System Administration page and enable the feature.
  3. On the Active Directory Mappings tab, click Add Rule. This displays the User Role Mapping Rule panel in which you enter the rule parameters.

    The User Role Mapping Rule page showing the rule parameters

  4. Choose the Relationship between the data of the user being tested and the Directory Object specified in the rule. The choice for this field changes the choices available in the other fields.

    In this field, you can specify that objects must be in a OU or domain, a security group, in no domain, or that they exactly match the directory object you choose (the “is” choice on the Relationship menu).

  5. Choose the Directory Object that the data from the tested computer must match.
    1. Click in the Directory Object field to open the AD browser. The browser opens immediately below the Directory object field. The left panel is labeled “Search in,” and shows a tree of your AD domains.
    2. To expand the AD tree in the left panel, click on the plus button, next to the node you want to expand. To collapse the view on the left, click the minus button next to the node you want to collapse.
    3. Click on the object in the left pane that defines the scope of your search.

      EXAMPLE: if you have two domains, you might click on one of them, such as “DC=hq,DC=xycorp,DC=Local” in the example above.

    4. If you see the object in the right panel that you want to use for this rule, double-click on it. The object, including full information about its location in the AD object tree, appears in the Directory Object field of the Rule Parameters panel and the browser will close.
    5. If your actions did not automatically close the browser, click the ‘X’ button in the top right corner to close it.
    Note: There are additional options for using the directory object browser. See AD Object Browser Options for more information.
  6. From the User Role to Apply dropdown menu, choose the role you want assigned to users whose AD details match this rule. Only existing roles appear on the dropdown.
  7. When you have entered all of the parameters for the rule, click Save. A newly created rule goes to the top of the table of AD rules.
  8. Rolling the mouse cursor over the i button next to an object in the Match column provides a description of the object.
  9. If necessary, use the up- and down-arrow buttons on the left side of each rule (or the drag-and-drop method) to change the order in which the rules are evaluated against a user.
  10. Repeat this procedure beginning with step 3 for any other rules you need to create.