Endpoint Protection

Original admin (database-based login) logs in fine. I have only one directory server connection setup, that everyone shares, and the directory server user name is a dedicated non-admin user.

One SEPM full admin that is also a domain admin tests out with "Directory account authenticated" and can login fine. All other SEPM admins are not domain admins and test with "Unable to authenticate the directory account". If I place my domain admin name into the Account Name field for another user then they test as "Directory account authenticated". If I place the dedicated non-admin user used in the directory server connection into the Account Name field then they test as "Directory account authenticated". If I place their login ID into the Account Name field I get "Unable to authenticate the directory account".

How do I make this work for non-domain admins?

It shouldn't matter what group the user is in in AD. Adding an AD server in SEPM is just for authenticating to AD, regardless of what group they're in.

So was this working prior and has something recently changed? What is the exact SEPM verrsion?

12.1 RU6 MP5. The users are newly created so it has not worked in the past.

I have found a second account that will produce the "Directory account authenticated" test.

The only thing I can think of that changed recently was domain admin rights removed from the user in directory server connection setup and an upgrade of domain level from 2003 to 2008. 

I should rephrase. I had one user working and continues to work with directory server connection. Newly created users do not work.

Is it possible that they're authenticating to a different DC?

Maybe try removing and adding the server back.

I am pointed directly at a single domain controller. I had previously changed the domain controlled that was specified as a test. I have now created a new directory services entry at a different domain controller that is still testing as "Unable to authenticate the directory account".