Cloud Control 12c: Microsoft Active Directory Based Authentication
we try to create "normal user" for EM with using MS AD:
http://docs.oracle.com/cd/E24628_01/doc.121/e24473/security.htm
13.2.6 Microsoft Active Directory Based Authentication
Active Directory administrators don't want to give "admin right" to EM user, but in Oracle documentation, Principal User/Password is necessary and "It must be in the Administrators group"
Principal User/Password: The Principal User created in Active Directory that will be used to authenticate WebLogic Server. It must be in the Administrators group and belong to the correct Organizational Unit designated in the User base DN. Ensure the "User must change password at next logon" is not checked during setup.