I am new to the McAfee community and this is my first post. So I would like to thank everyone who's willing to participate and help in this discussion.
The situation is the following. My goal is to use AD groups for granting support team members access to ePO, to offload the account creation from my team.
I have an ePO 5.3 console with Windows Authentication enabled. I've added LDAP servers and they can sync with AD.
I can see that members of the AD group are receiving dynamically allocated permissions for the permission set where the AD group is added.
I have "Allow Active Directory users to log on if they have at least one permission set" set to "Yes".
And now the strange thing...
Every account from the AD can log in to my ePO. They do not have any permissions assigned to them, but their accounts are created in the ePO after they successfully authenticate with domain\account and password.
I did check the admin guide and it says:
"Active Directory User Login
When you have configured the previously discussed sections, you can enable the User autocreation
server setting. User autocreation allows user records to be automatically created when the following
conditions are met:
• Users provide valid credentials, using the <domain\name> format. For example, a user with
Windows credentials jsmith1, who is a member of the Windows domain named eng, would supply
the following credentials: eng\jsmith1, along with the appropriate password.
• An Active Directory server that contains information about this user has been registered with
• The user is a member of at least one Domain Local or Domain Global group that maps to an ePolicy Orchestrator permission set."
So I am OK with the first two bullets, but then why, when the account is not in the AD group which is assigned to the ePO permission set (hence the user is not authorized), can it actually log in??
Thank you all!
For all people wondering about this, I just got an update from McAfee stating that this issue is covered in KB86371, "ePolicy Orchestrator 5.3.1 allows auto-creation of Active Directory users without an assigned permission set".