AD User SID Resolution
Active Directory Planning
Resolving SIDs to friendly names relies on the PowerScale authentication providers. This approach resolves SIDs for all products that use the ECA.
Eyeglass User Lockout Active Directory Planning for Ransomware Defender
The lockout process identifies all shares that the affected user can access by searching all shares across all access zones on all clusters managed by Eyeglass. A real-time deny permission is added to these shares for the affected user.
A special consideration is the "Everyone" well-known group, especially in multi-domain Active Directory configurations. Understanding how it operates in different scenarios is crucial.
Two scenarios can occur with Active Directory domains on PowerScale clusters.
Scenarios
- Trusted AD Domains - User Lockout Example
  - Parent and child Active Directory domains are members of the same forest with an existing trust relationship.
- Untrusted AD Domains - User Lockout Example
  - Two domains are not members of the same forest, and no trust relationship exists between them.
If the "Everyone" well-known group is applied to a share in either scenario, a lockout permission is applied regardless of the user's domain. Since Eyeglass cannot determine whether the domains trust each other, this solution ensures all shares accessible by "Everyone" are locked out, enhancing security by not skipping any shares.
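The share selection described above can be modeled for planning purposes. The following is an added example, not Eyeglass code: the `Share` inventory, the domain SIDs, and the direct-or-group match used as the access check are assumptions made for illustration. `S-1-1-0` is the well-known SID of the "Everyone" group.

```python
from dataclasses import dataclass

EVERYONE_SID = "S-1-1-0"  # well-known SID of the "Everyone" group


@dataclass(frozen=True)
class Share:
    cluster: str
    zone: str
    name: str
    trustees: frozenset  # SIDs that hold a permission on the share


def shares_to_lock(shares, user_sid, group_sids=()):
    """Return (share, reason) pairs that would get a deny entry for user_sid.

    Shares granted to Everyone are always selected: no domain or trust
    check is made, so the user's domain does not matter for them.
    """
    principals = {user_sid, *group_sids}
    selected = []
    for share in shares:
        if EVERYONE_SID in share.trustees:
            selected.append((share, "Everyone"))
        elif principals & share.trustees:
            selected.append((share, "direct or group permission"))
    return selected


# Constructed sample data: two unrelated domains, shares on two clusters.
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-4444444444-5555555555-6666666666"
USER = f"{DOM_B}-1105"        # affected user, from domain B
GROUPS = (f"{DOM_B}-513",)    # the user's group in domain B

INVENTORY = [
    Share("cluster1", "System", "finance", frozenset({f"{DOM_A}-1200"})),
    Share("cluster1", "zoneA", "public", frozenset({EVERYONE_SID})),
    Share("cluster2", "zoneB", "projects", frozenset({f"{DOM_B}-513"})),
    Share("cluster2", "zoneB", "home", frozenset({USER, EVERYONE_SID})),
]

if __name__ == "__main__":
    for share, reason in shares_to_lock(INVENTORY, USER, GROUPS):
        path = f"{share.cluster}/{share.zone}/{share.name}"
        print(f"deny {USER} on {path} ({reason})")
```

In the sample data the `public` share sits in a zone that uses domain A, yet it is still selected for the domain B user because "Everyone" is on the share.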