[Freeipa-users] Users and Admin access for AD Accounts

Hey All, Let's suppose I have two AD groups: unixadmin unixusers In FreeIPA, I would like to give unixadmin group access to ALL FreeIPA functions. Whereas for the unixusers, I would like to give R/O access. I've already done the group mappings from AD to FreeIPA. What is the best way to achieve this? I'm finding related links online but not quite what I'm looking for. I did a test to see if nesting the unixadmin group within the FreeIPA admins group would work but I still can't login to FreeIPA with my AD user, despite my ID residing in the unixadmin group which in turn is nested in the FreeIPA admins group. This is FreeIPA 4.6.4 . -- Thx, TK.