
Mapped Domain Security Group - Not recognizing user change



Hello,

I'm currently running ESMC 7.0.471.0 and I have two mapped domain security groups that I use in order to apply different permission sets dependent upon the person's role. The current two groups are eset admins and eset users. I have one employee who currently exists in the users group. I'm now trying to give him admin permissions.

I have removed him from our eset users group in AD, and then added him to the eset admins group. I then ran the user sync task in ESMC to make sure it had the current groups (I didn't know if this step should be involved or not, since I'm looking for AD group membership and not at an OU change). However, when the employee logs into ESMC, they still have the user permission set. I then tried removing the employee from both the eset users and eset admins groups in AD, re-ran the user sync task, and the employee can still log in to the console. The only way I can prevent them from logging in is by disabling their account in AD, or removing the eset users mapped domain security group from ESMC.

Does anyone have any insight into where to look when diagnosing this issue? I'm kind of at a loss here. My ESMC sync tasks look OK, and they are successful, but it seems like the console is not updating AD group membership status. Any help is appreciated. Thanks!

Also, our ESMC console is a virtual appliance running on CentOS 6. My apologies for forgetting to mention that earlier.

Edited by whitelistCMD
  • ESET Staff

Hello, 

If you are using the old ESMC 7.0 VA, it uses Samba/Winbind to synchronize domain groups. It's possible that this part is not correctly synced with AD. You can execute the "wbinfo" command to check whether the user is correctly referenced in the domain: "wbinfo --user-domgroups <username SID>". This command will return the SIDs of groups where the user belongs. If it returns the old list, the problem will be here.

In the upcoming ESMC 7.1 (to be released in mid-November), we have adjusted the way domain users are authenticated, and Samba/Winbind will no longer be used. That would be the recommended solution.

Regards,
Michal 
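The check described in the reply above can be scripted so that a revoked or changed group membership is confirmed from Winbind's point of view, not only in AD. This is an added example, not code from ESET or from either poster; the account and group names in the usage comment are constructed placeholders, and the script assumes it runs on the appliance where `wbinfo` is available.

```shell
#!/bin/sh
# Added example: compare the group SIDs Winbind reports for a user with the
# AD group the user should now be in (or should have been removed from).

# Print the SID for an account or group name.
# `wbinfo --name-to-sid` prints the SID followed by its type; keep field 1.
name_to_sid() {
    wbinfo --name-to-sid "$1" | awk '{print $1}'
}

# Return 0 if Winbind lists group $2 among user $1's domain groups,
# 1 if it does not, 2 if a name or the group list could not be resolved.
user_in_group() {
    user_sid=$(name_to_sid "$1")
    group_sid=$(name_to_sid "$2")
    [ -n "$user_sid" ] && [ -n "$group_sid" ] || return 2
    group_list=$(wbinfo --user-domgroups "$user_sid") || return 2
    # -x: whole-line match, so one SID cannot match as a prefix of another.
    printf '%s\n' "$group_list" | grep -qxF "$group_sid"
}

# $1 user, $2 group, $3 state AD should now have: "member" or "removed".
# Returns 1 when Winbind disagrees, i.e. it is still serving old membership.
check_membership() {
    rc=0
    user_in_group "$1" "$2" || rc=$?
    case $rc in
        0) actual=member ;;
        1) actual=removed ;;
        *) echo "lookup failed for '$1' or '$2'" >&2; return 2 ;;
    esac
    if [ "$actual" = "$3" ]; then
        echo "OK: Winbind state for '$1' in '$2' is '$actual'"
    else
        echo "STALE: Winbind state for '$1' in '$2' is '$actual', expected '$3'"
        return 1
    fi
}

# Usage (constructed names):
#   sh check_membership.sh 'EXAMPLE\jdoe' 'EXAMPLE\eset users' removed
if [ "$#" -eq 3 ]; then
    check_membership "$1" "$2" "$3"
fi
```

A STALE result for a group the user was removed from means the console can still grant that group's permission set, which matches the behaviour reported in the first post.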

 

This topic is now closed to further replies.