Hello again - I've learned that Active Directory has no 'member' attribute (well, its blank by default) that OTRS tries to look for as a search filter when authenticating groups for my Agent. I'm familiar with the AuthModule::LDAP::AccessAttr setting, however when this is set to: $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; ...I see in the logs that the filter being used is still based on 'memberUid'. If I set this property to: $Self->{'AuthModule::LDAP::AccessAttr'} = 'member12345'; ...I see in the logs that the filter is then based on 'member12345'. Its as if this property passes what you assign it to, unless its value is 'member', otherwise it will pass 'memberUid'. I can't get over this roadblock. Secondarily, am I also correct in assuming that I can use this property to restrict which Agents can actually log in? I know I can further restrict their access using Roles in OTRS, but as far as simply allowing or denying login access (regardless of role permissions), is this sufficient? Anyone else seen this behaviour before? If so, what did you do to resolve it? Thanks! -dant