Administration Guides
Eyeglass Active Directory User SID resolution considerations
Home

Active Directory Planning

Your SID to friendly name resolution uses PowerScale Authentication providers to resolve a SID for all products that use the ECA.   


Eyeglass User Lockout Active Directory Planning Ransomare Defender

The lockout process identifies all shares the user has access permissions based on searching all shares in all access zones on all clusters managed by Eyeglass.  This list of shares will have a real-time deny permission added to the share for the affected user.

A special case is handled for the “Everyone” well known group which should be understood how it operates in multi-domain Active Directory configurations.

Two scenarios can exist with AD domains on PowerScale clusters.  

Scenario #1:

  • The first is parent and child AD domains that are members of the same forest and a trust relationship exists.

Scenario #2:

  • The second scenario covers two domains that are not members of the same forest and no trust relationship exists between the domains

The “Everyone” well known group if applied to a share in each scenario is shown below and a lockout permission applied regardless of which domain the user is located.  This is required since Eyeglass has no way to know if the domains trust each other or not.  This solution ensures all everyone shares are locked out, which is more secure than skipping some shares.

Reference the diagram below.

 

© Superna LLC