The Carbon Black App Control Server stores user information for AD accounts that have logged in to the console, but re-validates that information for each login attempt.

AD account changes that occur while a user is logged in to the console take effect only after that user logs out and logs in again. Also, account updates depend upon how frequently the AD domain controllers on the network send out changes. Among the AD account changes that can affect console login accounts are:

  • User accounts added to AD become available as console login accounts as long as they meet the security group and forest criteria.
  • User accounts eliminated from AD can no longer be used to log in to the console.
  • If there is a change in an AD-based user’s security group assignment in AD, and if that AD change affects mapping of Carbon Black App Control user roles, the user’s access level in the console changes when they next log in.
  • Other console User Details (contact information, etc.) for an AD-based user can be changed in AD and will appear when that user next logs in to the console.

Important:
  • All of the AD-based login features depend on the Carbon Black App Control Server being able to communicate with the AD system and being in the domain. If for some reason the Carbon Black App Control Server cannot communicate with the AD system (due to network setup change, network failure, AD system unavailable, etc.), AD-based logins will stop working until the condition is corrected.
  • AD-based login features also require that AD security groups are defined in each forest that contains users who will access the Carbon Black App Control Server, and that users you want to allow access to the Carbon Black App Control Server are added to the forest-specific security group.
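
The two prerequisites above can be checked from the server itself. The following PowerShell script is an added example, not part of the product or its documentation; the forest names and the security group name are placeholders, and it assumes the ActiveDirectory (RSAT) module is installed on the host.

```powershell
# Added example: prerequisite check for AD-based console logins.
# Assumptions: the forest names and group name below are placeholders,
# and the ActiveDirectory (RSAT) module is available on this host.
Import-Module ActiveDirectory

$Forests   = @('corp.example.com', 'partner.example.com')  # placeholder forests
$GroupName = 'AppControl-Console-Users'                    # placeholder group name

# 1. The server must be a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This host is not joined to a domain; AD-based logins will not work."
    return
}

# 2. The server must be able to communicate with AD: verify the machine secure channel.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "Secure channel to domain '$($cs.Domain)' is broken."
}

# 3. Each forest that contains console users needs the security group, with those users in it.
foreach ($forest in $Forests) {
    try {
        $domains = (Get-ADForest -Identity $forest -ErrorAction Stop).Domains
    } catch {
        Write-Warning "Cannot reach forest '$forest': $($_.Exception.Message)"
        continue
    }
    $found = $false
    foreach ($domain in $domains) {
        try {
            $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $domain -ErrorAction Stop |
                Select-Object -First 1
        } catch { Write-Warning "Cannot query domain '$domain'."; continue }
        if (-not $group) { continue }
        $found = $true
        # Expand nested groups so the list reflects everyone who can log in.
        $users = @(Get-ADGroupMember -Identity $group -Server $domain -Recursive |
            Where-Object objectClass -eq 'user')
        "{0}\{1}: {2} user(s)" -f $domain, $GroupName, $users.Count
        $users | ForEach-Object { "  $($_.SamAccountName)" }
    }
    if (-not $found) { Write-Warning "Group '$GroupName' not found in forest '$forest'." }
}
```

Running it after an AD change also gives a reference list of who currently holds console access, which helps when reviewing accounts whose removal or group change has not yet taken effect because the user is still logged in.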