The rule in question:
The "Data Center" group mirrors what is on the old PAM Server, as does the Windows wcc credential. unifid.log from the new PAM server shows:
Wed May 30 12:22:13 2018, 78, 1433954048, 2908, Info, cmdctrl request denied for '<rdpDirect> WCC\C00000039@v3tsw00422' from C00000039@v3tsw00422
while unifid.log from the old PAM server shows:
Wed May 30 12:18:44 2018, 886, 1262679808, 13775, Info, cmdctrl request accepted for '<rdpDirect> WCC\C00000039@v3tsw00421' from C00000039@v3tsw00421 as wcc\SubmitUser@v3tsw00421
Anyone have any ideas? Both the old and new wcc domain have the SubmitUser credential.