
User Group properties - AD groups user not removed after removing

  • 2 June 2021
  • 3 replies
  • 612 views


Hi,

I was wondering whether it is expected that an AD group's users are automatically managed by Commvault?

A customer noticed, after removing a user from a group, that it was still in the user group according to Commvault, even after a successful sync.

And I could not find a statement in the docs which says that it will automatically remove users if they are disassociated from the group in AD.

So we used the above "Sync now" button, which was successful.

And we expected a user which is not in the AD group to be removed:

But it is still listed there.

So I was wondering, is that expected?

Kind regards,

Thos Gieskes.


Best answer by Cheyenne Jarvis 2 June 2021, 17:39


3 replies


Hi @Thos Gieskes, if I understand correctly, what is happening is that we discover a group and keep it there even if we do not see it NOW, because we have no way of knowing if it will be coming back (and entities within the database might be associated to those groups).

Let me confirm that for you.


Hi @Thos Gieskes 

 

I just performed testing of this scenario in my lab CommCell running 11.23.3 and can confirm the user is no longer listed as being part of the external user group upon the next login attempt.

 

Testing:

===========

  1. I created a test domain user and placed that user in an external AD user group. Once logged in, the user showed as a member of the test group in the CommCell Console and inherited all permissions assigned at the external user group level.
  2. I removed the test user from the user group in AD and logged into the CommCell Console with my admin user account, and could still see the test user as a member of the external user group, just like you have described.
  3. I then tried to log back into the console as the test user, but because it was no longer a part of the external user group and had no other permissions assigned to it on the user level, I could not actually log into the Console as the test user. (A user must at least have view permissions to log in.)
  4. Even though the test user login attempt failed, when logging back into the console once more with my admin account I found that the test user was no longer listed as being a member of the external user group, so the group membership validation takes place when we validate the user credentials upon logging in.

 

If this user is no longer going to be logging into the CommCell Console at all, you can also delete the user. Just be sure to transfer ownership of any entities the user may have to a valid/active user account before doing so. Otherwise, if there is a concern of this user still having the inherited permissions set at the external user group level they will not have these permissions when they login next if they are not in the external user group in AD.

 

Hope this helps!


Hi @Cheyenne Jarvis,

Thanks a lot. I have supplied the information to my end customer.

It seems to match what happened in his environment.

Thos Gieskes.
