Eyeglass User Lockout Active Directory Planning

The lockout process identifies all shares on which the user has access permissions by searching all shares, in all Access Zones, on all clusters managed by Eyeglass.  A real-time deny permission for the affected user is then added to each share in this list.

A special case is handled for the “Everyone” well-known group; how it operates in multi-domain Active Directory configurations should be understood.

Two scenarios can exist with AD domains on PowerScale clusters.

Scenario #1 

  • The first is parent and child AD domains that are members of the same forest, and a trust relationship exists.

Scenario #2

  • The second scenario covers two domains that are not members of the same forest, with no trust relationship between the domains.

If the “Everyone” well-known group is applied to a share in either scenario (shown below), the lockout permission is applied regardless of which domain the user is located in.  This is required because Eyeglass has no way to know whether the domains trust each other.  Locking out every “Everyone” share is more secure than skipping some of them.
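The share-selection rule described above (match the user's own entries and group entries on every cluster and Access Zone, and treat “Everyone” as a match regardless of the user's domain) can be modelled with a small simulation. The code below is an added example, not Eyeglass or OneFS code: the `Share` structure, the `DOMAIN\name` trustee strings, the group mapping and the sample shares are all constructed for illustration, and the deny entry is prepended to an in-memory permission list rather than pushed to a cluster.

```python
"""Added example (not Eyeglass's or OneFS's own code): simulate which shares a
user lockout selects across clusters, Access Zones and AD domains.

Assumptions (constructed for illustration):
  - a share permission entry is a (trustee, access) tuple, where the trustee is
    'DOMAIN\\name' or the well-known 'Everyone' and access is 'full', 'read'
    or 'deny';
  - the caller supplies the user's group memberships as plain strings;
  - applying the deny means returning a new Share with a (user, 'deny') entry
    placed first, so it is evaluated before any allow entry.
"""

from dataclasses import dataclass
from typing import Iterable, List, Tuple

EVERYONE = "Everyone"


@dataclass(frozen=True)
class Share:
    cluster: str
    zone: str
    name: str
    permissions: Tuple[Tuple[str, str], ...]


def trustee_matches(trustee: str, user: str, user_groups: Iterable[str]) -> bool:
    """True if this ACL trustee grants the user access.

    'Everyone' matches no matter which domain the user belongs to: the lockout
    cannot tell whether the share's domain trusts the user's domain, so every
    Everyone share is treated as reachable and gets locked.
    """
    t = trustee.lower()
    if t == EVERYONE.lower():
        return True
    return t == user.lower() or t in {g.lower() for g in user_groups}


def shares_to_lock(shares: Iterable[Share], user: str,
                   user_groups: Iterable[str] = ()) -> List[Share]:
    """Every share, in any zone on any cluster, with an allow entry the user can use."""
    groups = list(user_groups)
    return [
        s for s in shares
        if any(access != "deny" and trustee_matches(trustee, user, groups)
               for trustee, access in s.permissions)
    ]


def apply_lockout(shares: Iterable[Share], user: str,
                  user_groups: Iterable[str] = ()) -> List[Share]:
    """Return the selected shares with an explicit deny for the user prepended.

    Shares that already carry the deny are skipped, so re-running the lockout
    on its own output changes nothing.
    """
    deny = (user, "deny")
    locked = []
    for s in shares_to_lock(shares, user, user_groups):
        if deny in s.permissions:
            continue
        locked.append(Share(s.cluster, s.zone, s.name, (deny,) + s.permissions))
    return locked


# Constructed sample: CORP is the parent domain, LAB is a separate domain whose
# trust relationship with CORP is unknown to the lockout logic.
SAMPLE_SHARES = (
    Share("cluster-a", "System", "finance", (("CORP\\alice", "full"),)),
    Share("cluster-a", "zone-hr", "hr-docs", (("CORP\\hr-team", "read"),)),
    Share("cluster-b", "System", "public", ((EVERYONE, "read"),)),
    Share("cluster-b", "zone-lab", "scratch", ((EVERYONE, "full"),)),
    Share("cluster-b", "System", "lab-only", (("LAB\\bob", "full"),)),
)


def locked_share_names(user: str, user_groups: Iterable[str] = ()) -> List[str]:
    """Names of the sample shares a lockout of `user` would touch."""
    return [s.name for s in shares_to_lock(SAMPLE_SHARES, user, user_groups)]


if __name__ == "__main__":
    for user, groups in (("CORP\\alice", ["CORP\\hr-team"]), ("LAB\\bob", [])):
        print(user, "->", locked_share_names(user, groups))
```

Running the block shows that `CORP\alice` is locked out of her own share, the group share and both “Everyone” shares (including the one in the LAB zone), while `LAB\bob` is locked out of his share plus the same two “Everyone” shares; the `lab-only` share, which grants nothing to `CORP\alice`, is left alone.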

Reference the diagram below.

