We recently upgraded from Unity 4 to Unity 5.0. We set up most of our Helpdesk people with a Class of Service called "Helpdesk" to enable them to ONLY change passwords for users.
I have 3 Helpdesk people who cannot log on at all - but the others can - and they should all be set up the same in AD (I am not the AD Admin). Here is the command I used:
d:\CommServer>grantunityaccess -u xxxx -s yyyy
Where xxxx is the users 'x' account and the yyyy is their LAN ID (and what their Subscriber account uses).
They are attemting to log in via the webpage with this URL:
(where 0.0.0.0 is the actual IP of the server).
They they log on with na\xxxx and their 'x' account password.
Not sure why these 3 users cannot login when everyone else can.