New in the Community? Get started here

Schneider Electric Exchange Community

Discuss and solve problems in energy management and automation. Join conversations and share insights on products and solutions. Co-innovate and collaborate with a global network of peers.

Register Now
Knowledge Base
Showing results for 
Search instead for 
Did you mean: 

- Who are the top users of September? Discover them here!

- Check out the ESS Active Energy Management Blog now! 

- Join us on October 23rd for a live Panel session to discuss The Power of a Sustainable Ecosystem with Hervé Coureil, Chief Digital Officer of Schneider Electric and other great speakers. Register here!

Integrating Windows Active Directory user accounts with EcoStruxure


Setting up, using, and troubleshooting Windows Active Directory with Building Operation Workstation and WebStation.

Product Line

EcoStruxure Building Operation


  • Building Operation Enterprise Server
  • Building Operation WebStation
  • Windows Active Directory
  • Windows Server


When integrating EcoStruxure with Windows Active Directory, NO user accounts need to be created in EcoStruxure, all that needs to be done is map the EcoStruxure User Account Group(s) with the Windows group(s) that will be used. 

  • You can map Windows Active Directory groups to Building Operation user account groups if Building Operation runs on a network that uses this directory to manage users and user account groups.
  • A Building Operation user account group that includes a Windows account group can also be a member of another Building Operation user account group.
  • Mapping Windows Active Directory account groups to Building Operation user account groups has advantages both for administrators and operators. Administrators can manage the user accounts in the Windows Active Directory, rather than managing the accounts in two places. Any changes are instantly implemented to the mapped Building Operation user account group. Operations only have to remember the Windows login. Once logged in to a Windows user account that is mapped to a Building Operation account, the user is authenticated to access WorkStation without having to log in a second time.


  • The Building Operation domain used to map the Windows Active Directory user account groups must be a member of the Windows domain where the Active Directory is located.
  • Windows Active Directory account groups can only be mapped on servers that are based upon Microsoft Windows operating system. Other servers, for example, Automation Servers, cannot map Windows Active Directory groups.
    • For example, the Windows Active Directory user account groups Main Admin and Main User are mapped to the Building Operation user account groups Administrators and External Users. The External Users user account group is a member of the Operator user account group. The Administrators account group, which is a member of the External Users, inherits access to the Operation workspace.
  • The user will then log into Windows on the PC where the WorkStation is installed. When logging into EcoStruxure Workstation the authentication is automatically done from the Windows user account.


First and foremost Active Directory association cannot be achieved using the inbuilt Local Domain

Create a new EBO Domain and associate it with your active windows Domain

AD Domain.png

Then create an EBO Domain Group within that new Domain and associate it with the Windows Domain Group in which the Windows Active Directory user(s) reside.

Ad Group.png

Then simply log in using Windows Username, Password, and Domain rather than EBO credentials

(When logged on the Enterprise Server PC as a Domain User it is also possible to Tick the Log on as box)

See WebHelp:

Troubleshooting Windows Active Directory with Workstation

Log in Error: Wrong user name or password
Wrong password.png

  • If the EcoStruxure Building Operation Domain has the same name as the Windows Active Directory domain name, it will expect the user account to exist locally in the Building Operation domain.

Log in Error: User account not associated with a group. Contact your Administrator.
Missing Group.png

  • Verify that the Windows user is a part of the Windows group configured in the Building Operation Group settings.
    • In order to identify every group that the current windows user belongs to, run the command: whoami /groups
  • Once the Windows user has been confirmed as a member of the configured Windows group, try changing the Log On as credentials for the Enterprise Server service. The default user that is used when installed is the "Local System account". The Windows account used to run the Enterprise Server service needs read access to all places (e.g. OUs) in the Active Directory where user groups potentially involved in an EBO Windows log on can be found.

    Note: By default, all domain users in an Active Directory have read access to Active Directory "Users and Computers" objects so it is the sites which have restricted this in some way which may face issues. You do not need to use “domain admin” type accounts for this as they are granted way too much authority in general. An account has read access to sufficient parts of the AD while having only normal local user privileges on the machine where the Enterprise Server is running will suffice.
    1. From the Windows Start menu, launch Computer Management. In Computer Management go to Services and Application > Services.
    2. Find Building Operation X.X Enterprise Server, select it and Stop the service.
    3. Right-click on Building Operation X.X Enterprise Server and go to Properties. Select the Log On tab.
    4. Under Log On as select "This account". Enter a Windows user login that has sufficient Windows rights for the Enterprise Server to log on as.
    5. Click OK and then start the service again.
    6. Log in to Workstation again using Active Directory.

Troubleshooting Windows Active Directory with WebStation

From version 1.5.0 and up, using Windows Domain accounts is supported in WebStation. However, the following must be done in order to log in.

  1. You need to use HTTPS.
  2. Use your Windows username and password.
  3.  The Windows domain must be defined (It needs to be the actual Windows domain, not what you named the domain in SmartStruxure).

Download a TVDA for Single Sign-On Instructions

Tags (2)
Labels (1)
100% helpful (1/1)