1 Reply Latest reply on Jun 27, 2016 8:58 AM by aviyachki

    ePO 5.3 - Allow Active Directory users to log on if they have at least one permission set setting does not really work

      I am new to the McAfee community and this is my first post. So I would like to thank everyone who's willing to participate and help in this discussion.


      The situation is the following. My goal is to use AD groups for granting support team members access to ePO, to offload the account creation from my team.

      I have an ePO 5.3 console with Windows Authentication enabled. I've added LDAP servers and they can sync with AD.

      I can see that members of the AD group are receiving dynamically allocated permissions for the permission set where the AD group is added.

      I have "Allow Active Directory users to log on if they have at least one permission set" set to "Yes".

      And now the strange thing...

      Every account from the AD can log in to my ePO. They do not have any permissions assigned to them, but their accounts are created in the ePO after they successfully authenticate with domain\account and password.

      I did check the admin guide and it says:

      "Active Directory User Login

      When you have configured the previously discussed sections, you can enable the User autocreation server setting. User autocreation allows user records to be automatically created when the following conditions are met:

           • Users provide valid credentials, using the <domain\name> format. For example, a user with Windows credentials jsmith1, who is a member of the Windows domain named eng, would supply the following credentials: eng\jsmith1, along with the appropriate password.

           • An Active Directory server that contains information about this user has been registered with ePolicy Orchestrator.

           • The user is a member of at least one Domain Local or Domain Global group that maps to an ePolicy Orchestrator permission set."


      So I am OK with the first two bullets, but then why, when the account is not in the AD group that is assigned to the ePO permission set, and hence the user is not authorized, can it actually log in?

      Thank you all!