Learn about the Community. Join our Core Community to Get Started

Schneider Electric Exchange Community

Discuss and solve problems in energy management and automation. Join conversations and share insights on products and solutions. Co-innovate and collaborate with a global network of peers.

Register Now
Knowledge Base
Showing results for 
Search instead for 
Did you mean: 

Integrating Windows Active Directory user accounts with SmartStruxure


Setting up, using and troubleshooting Windows Active Directory with Building Operation Workstation and WebStation.

Product Line

EcoStruxure Building Operation


  • Enterprise Server
  • WebStation
  • Windows Active Directory
  • Windows Server


When integrating SmartStruxure with Windows Active Directory, NO user accounts need to be created in SmartStruxure, all that needs to be done is map the SmartStruxure User Account Group(s) with the Windows group(s) that will be used. 

  • You can map Windows Active Directory groups to Building Operation user account groups if Building Operation runs on a network that uses this directory to manage users and user account groups.
  • A Building Operation user account group that includes a Windows account group can also be a member of another Building Operation user account group.
  • Mapping Windows Active Directory account groups to Building Operation user account groups has advantages both for administrators and operators. Administrators can manage the user accounts in the Windows Active Directory, rather than managing the accounts in two places. Any changes are instantly implemented to the mapped Building Operation user account group. Operations only have to remember the Windows login. Once logged in to a Windows user account that is mapped to a Building Operation account, the user is authenticated to access WorkStation without having to log in a second time.


  • The Building Operation domain used to map the Windows Active Directory user account groups must be a member of the Windows domain where the Active Directory is located.
  • Windows Active Directory account groups can only be mapped on servers that are based upon Microsoft Windows operating system. Other servers, for example Automation Servers, cannot map Windows Active Directory groups.
    • For example, the Windows Active Directory user account groups Main Admin and Main User are mapped to the Building Operation user account groups Administrators and External Users. The External Users user account group is a member of the Operator user account group. The Administrators account group, which is a member of the External Users, inherits access to the Operation workspace.
  • The user will then log into Windows on the PC where the WorkStation is installed. When logging into SmartStruxure Workstation the authentication is automatically done from the Windows user account.


Start by using StruxureWare Building Operation WebHelp for information and How to guides on setting up Windows Active Directory. This will require the creation of a new SBO Domain and User Group tied to the desired Windows group name.

Troubleshooting Windows Active Directory with Workstation

Log in Error: Wrong user name or password

  • If the StruxureWare Building Operation Domain has the same name as the Windows Active Directory domain name, it will expect the user account to exist locally in the Building Operation domain.

Log in Error: User account not associated with a group. Contact your Administrator.

  • Verify that the Windows user is a part of the Windows group configured in the Building Operation Group settings.
    • In order to identify every group that the current windows user belongs to, run the command: whoami /groups
  • Once the Windows user has been confirmed as a member of the configured Windows group, try changing the Log On as credentials for the Enterprise Server service. The default user that is used when installed is the "Local System account". The Windows account used to run the Enterprise Server service needs read access to all places (e.g. OUs) in the Active directory where user groups potentially involved in an SBO Windows log on can be found.

    Note: By default, all domain users in an Active Directory have read access to Active Directory "Users and Computers" objects so it is the sites which have restricted this in some way which may face issues. You do not need to use “domain admin” type accounts for this as they are granted way too much authority in general. An account having read access to sufficient parts of the AD while having only normal local user privileges on the machine where the Enterprise Server is running will suffice.
    1. From the Windows Start menu, launch Computer Management. In Computer Management go to Services and Application > Services.
    2. Find Building Operation X.X Enterprise Server, select it and Stop the service.
    3. Right click on Building Operation X.X Enterprise Server and go to Properties. Select the Log On tab.
    4. Under Log on as, select "This account". Enter a Windows user login that has sufficient Windows rights for the Enterprise Server to log on as. 
    5. Click OK and then start the service again.
    6. Log in to Workstation again using Active Directory.

Troubleshooting Windows Active Directory with WebStation

From version 1.5.0 and up, using Windows Domain accounts is supported in WebStation. However, the following must be done in order to login.

  1. You need to use HTTPS.
  2. Use your Windows username and password.
  3.  The Windows domain must be defined (It needs to be the actual Windows domain, not what you named the domain in SmartStruxure).

Download a TVDA for Single Sign On Instructions

Tags (1)
Labels (1)
No ratings