Model authorization using domain groups sometimes fails

The ListModels.dss and CheckModelAccess.dss scripts use the executable RetrieveModels.exe to determine whether the user has access to a model based on file system authorization. When access to the model files is granted to a domain group, in some situations the users in this group will not be granted access to the models.

Firstly, when the ITP/Server services are configured to run under a local machine account, ITP/Server may not be able to determine domain group membership, due to the default access restrictions on Active Directory. To enable authorization based on domain group membership, there are two possible solutions:

Secondly, even when the ITP/Server user account is allowed to query Active Directory, a user may not be granted access when they are authorized only through nested domain groups. This is due to the way that RetrieveModels.exe determines the groups that a user is in. By default, it does this using Microsoft Windows functionality, without using Active Directory directly. If you are experiencing this problem, you can enable the direct use of Active Directory by passing the parameter "/ad" to the RetrieveModels.exe call in the scripts mentioned above.
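
To confirm that a denied user is authorized only through nesting, the following PowerShell diagnostic compares direct and transitive group membership in Active Directory. It is an added example, not part of ITP/Server or its scripts; the function name, the account name and the group DN are placeholders, and it relies on the Active Directory transitive matching rule (OID 1.2.840.113556.1.4.1941).

```powershell
# Added diagnostic example, not ITP/Server code. Run on a domain-joined machine.
# Test-AdGroupMembership is a hypothetical helper name chosen for this example.
function Test-AdGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # logon name of the user
        [Parameter(Mandatory)] [string] $GroupDn          # distinguished name of the group
    )

    # Escape LDAP filter metacharacters (RFC 4515); the backslash must go first.
    function Escape-Ldap([string] $Value) {
        $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    }

    $user  = Escape-Ldap $SamAccountName
    $group = Escape-Ldap $GroupDn
    $base  = "(objectCategory=person)(objectClass=user)(sAMAccountName=${user})"

    # [adsisearcher] binds to the current domain with the caller's credentials.
    if (-not ([adsisearcher]"(&${base})").FindOne()) {
        throw "User '$SamAccountName' was not found in the current domain."
    }

    # Direct membership: the group DN is listed in the user's own memberOf attribute.
    # (A user's primary group is not listed in memberOf and will not match here.)
    $direct = ([adsisearcher]"(&${base}(memberOf=${group}))").FindOne()

    # Transitive membership: the matching rule makes the domain controller walk
    # the chain of nested groups between the user and the target group.
    $nested = ([adsisearcher]"(&${base}(memberOf:1.2.840.113556.1.4.1941:=${group}))").FindOne()

    [pscustomobject]@{
        User       = $SamAccountName
        Group      = $GroupDn
        Direct     = [bool]$direct
        Transitive = [bool]$nested
        # True when the user reaches the group only through nested groups,
        # which is the situation the "/ad" parameter is meant for.
        NestedOnly = (-not $direct) -and [bool]$nested
    }
}

# Placeholder values: replace with the affected user and the group that was
# granted access to the model files.
Test-AdGroupMembership -SamAccountName 'jdoe' `
    -GroupDn 'CN=ModelReaders,OU=Groups,DC=example,DC=com'
```

Running it under the account that the ITP/Server services use also shows whether that account can query the directory at all: a bind failure there points to the first cause described above rather than to nesting.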