Every now and then we have to install a product that needs to look things up in Active Directory. Most of the time all you need is a valid AD account in that domain, or, when the forest has more than one domain, a valid forest account (it does not have to live in the root domain) and a connection to port 3268, the global catalog port (3269 for the TLS-wrapped version). A global catalog holds a partial, read-only copy of every object in the forest, so one query resolves an object no matter which domain it lives in. Quite nice when your device is in sub-domain1.company.com and the account being checked is in sub-domain2.company.com.
But if AD is locked down hard (because security), the product will likely come up with a "failed to BIND" error. It can find the domain controller, it can open a connection on the right port, the credentials are correct... but the account doesn't have the right permissions. Strictly speaking the LDAP bind itself succeeds: a bind checks the password, not the ACL. What fails is the search the product runs right after it, typically "find the user object somewhere under this base DN". If the service account lacks List Contents on the containers in between, that search comes back empty, and most products report an empty result as a bind failure.
Fear not, this article can help: http://www.dscentral.in/2011/08/17/locked-down-active-directory-ldap-authentication/
Basically, the admin goes into Active Directory Users and Computers, turns on View > Advanced Features, opens the properties of the object in question, goes to the Security tab (only visible with Advanced Features on), clicks Advanced, and adds an entry granting the service account "List Contents", applied to "This object and all child objects". Two caveats: List Contents on a single user object only covers that object's (non-existent) children, so the entry normally has to go on the OU or domain the product searches from, which is exactly why the "all child objects" scope matters; and the account also needs Read on the objects it looks up, or it will find them but not be able to read their attributes. Grant it to the specific service account, not to Authenticated Users or Everyone, or the lockdown is undone for everybody.
The product will now be able to "BIND", i.e. its search actually returns the user. :smug:
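As an added worked example (not code from this post or from the linked dscentral article): the check a practitioner would want before and after the change, plus the same ACE applied from PowerShell instead of clicking through ADUC. The service account svc-ldap-lookup, the OU OU=Corp,DC=sub-domain1,DC=company,DC=com, the DC dc01.sub-domain1.company.com and the user jdoe are assumptions; adjust them to your forest.

```powershell
# Added example, not from the original post or the linked article.
# Assumed/hypothetical values: service account svc-ldap-lookup, the OU below,
# the DC dc01.sub-domain1.company.com and the user jdoe.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$serviceAccount = 'svc-ldap-lookup'
$serviceUpn     = 'svc-ldap-lookup@sub-domain1.company.com'
$searchBase     = 'OU=Corp,DC=sub-domain1,DC=company,DC=com'
$gcServer       = 'dc01.sub-domain1.company.com:3268'   # global catalog port; 3269 for LDAPS

# Reproduce what the product does: bind as the service account, then search for the user.
# Returns the number of entries found. On a locked-down OU this is 0 even though Bind() succeeds.
function Test-ServiceAccountLookup {
    param([string]$Server, [string]$Upn, [securestring]$Password, [string]$BaseDn, [string]$SamAccountName)

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    # Negotiate (Kerberos/NTLM) keeps the password off the wire; a simple bind on 3268 would send it in clear.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Credential = New-Object System.Net.NetworkCredential($Upn, $Password)
    $conn.Bind()   # throws only on bad credentials, never because of missing ACLs

    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, "(sAMAccountName=$SamAccountName)",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'distinguishedName')
    $response = $conn.SendRequest($request)
    $conn.Dispose()
    return $response.Entries.Count
}

# The ACE the post describes, scoped to this object and all descendants, granted to the service account only.
function Grant-ListContents {
    param([string]$ObjectDn, [string]$SamAccountName)

    $sid = (Get-ADUser -Identity $SamAccountName).SID          # bind the ACE to the SID, not the name
    $acl = Get-Acl -Path "AD:\$ObjectDn"
    # ListChildren is what ADUC labels "List Contents"; ReadProperty lets the account read the
    # attributes of the objects the search returns (the product usually wants more than the DN).
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # "This object and all child objects"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ObjectDn" -AclObject $acl
}

$pw = Read-Host -AsSecureString -Prompt "Password for $serviceUpn"
"Before: $(Test-ServiceAccountLookup $gcServer $serviceUpn $pw $searchBase 'jdoe') entries"   # 0 when locked down
Grant-ListContents -ObjectDn $searchBase -SamAccountName $serviceAccount
"After:  $(Test-ServiceAccountLookup $gcServer $serviceUpn $pw $searchBase 'jdoe') entries"   # 1 once the ACE applies

# Audit what was actually granted, and to whom
(Get-Acl "AD:\$searchBase").Access |
    Where-Object { $_.IdentityReference -like "*\$serviceAccount" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The "Before" line is the useful diagnostic: if Bind() throws, the problem really is the credentials (or the AuthType); if it returns and the count is 0, it is the ACL, and no amount of password resetting will fix it. The ACE is put on the search base rather than on the user object because that is the container the product enumerates, and it is granted to the one SID the product binds with, so the rest of the lockdown stays intact.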