I'm using the example code posted here [URL]http://blogs.msdn.com/azman/archive/2006/05/06/591230.aspx[/URL] to authenticate users in an ADAM instance and also to query their group membership. I am able to authenticate a user and get their SID, groupTokens SIDs, and DN, open the ADAM store to set the IAzApplication2 object, create an emply IAzClientContext2, ... but when it comes to making the IAzClientContext2.AccessCheck call I get the following error: "The security identifier provided does not have a domain component. (Exception from HRESULT: 0x800704EA)" I've found that if I manually set the IAzClientContext2.RoleForAccessCheck property to any value I don't get the error, but I don't get valid data back either (values of 5 returned for all my resource ids). Even if I could get this to work, it wouldn't be correct as resource checks should be based upon the LDAP Application Groups in AzMan combined with the IAzClientContext2.LDAPQueryDN value, not on RoleForAccessCheck. My application code is running on a XP SP2 machine on the same domain as the 2003 R2 server where AzMan 5.2 /ADAM 1.1 are running. Thanks for any suggestions. Don