diff --git a/uw_cfg_common.module b/uw_cfg_common.module
index c423f46718614ed95e836b730db6b69ed769665e..f18e72a1fb96463d71dcc4bbb7be2181664d1c44 100644
--- a/uw_cfg_common.module
+++ b/uw_cfg_common.module
@@ -977,14 +977,18 @@ function uw_cfg_common_webform_access(WebformInterface $webform, string $operati
         return AccessResult::forbidden();
       }
       // Access control by Active Directory group.
+      // Convert all groups to lowercase for case-insensitive matching.
       $user_ad_groups = uw_cfg_common_get_user_ad_groups() ?: [];
+      $user_ad_groups = array_map('strtolower', $user_ad_groups);
       // Required group. If at least one is provided, the user must be in it.
       $ad_require_groups = $webform->getThirdPartySetting('uw_cfg_common', 'ad_require_groups');
+      $ad_require_groups = array_map('strtolower', $ad_require_groups);
       if ($ad_require_groups && !array_intersect($ad_require_groups, $user_ad_groups)) {
         return AccessResult::forbidden();
       }
       // Deny group. If at least one is provided, the user must not be in it.
       $ad_deny_groups = $webform->getThirdPartySetting('uw_cfg_common', 'ad_deny_groups');
+      $ad_deny_groups = array_map('strtolower', $ad_deny_groups);
       if ($ad_deny_groups && array_intersect($ad_deny_groups, $user_ad_groups)) {
         return AccessResult::forbidden();
       }