The UX system acts as an Active Directory client. By default, the UX is able to obtain any readable field in the Active Directory.
Accessing Active Directory
Accessing AD values requires that we have an account with credentials on the particular domain to be queried. Anonymous binds to AD are typically not supported by the domain controller. Administrators are required to create a new user in their system (following standard Active Directory add user practices), preferably one whose credentials never expire, and configure these credentials in UX. UX will use these configured credentials when communicating with AD.
If for some reason the Active Directory server is unreachable, access to UX will fall back to local-only.
Active Directory Queries and Domain Membership Requirements
Domain membership is not required for the UX to query Active Directory. It is important to note that Global Catalog binds are not supported. Only LDAP binds are used to query and collect Active Directory data. The configuration requires the domain controller's IP address to be specified. Multiple domain controllers can be configured. The list will be traversed in order if any of the former entries fail to bind. If all the IPs are unreachable or fail to bind, the UX will retry the bind at one minute intervals.
The UX supports multiple domains within the same AD forest. That way the domains have internal trust and hence, the UX can access them with the same user. If mapping to a domain group in a specific domain is required, you need to create a group with a unique group name in that specific domain, so that you can map to that group. If the group name is not unique, the UX is going to query each domain controller for the same group.
Global Catalog binds are not supported. Only LDAP binds are used to query and collect Active Directory data.
In case a user group is configured under multiple authorization modes, the highest authorization level is used. For example, if a user belongs to multiple groups with authorization levels Administrator and Read Only, the user will be authorized as an Administrator.