Re: How to make vCenter detect AD group changes fa...

aslk5 · ‎08-19-2020

Is there any way to change the time it takes for vCenter to detect changes in AD group membership?

Example:

GroupA is assigned permissions to a folder in vCenter. UserA is a member of GroupA

UserA logs in and everything is fine.

Remove UserA from GroupA

UserA is still able to login and it seems to take 24 hours before they lose permission.

I tried changing the validation period under advanced settings in vcenter but that didn't seem to help. Is there something I'm missing?

Trying a similar test to grant access worked right away detects the change right away but removing access doesn't get detected until the next day (I think I've seen a similar issue with nested groups and not detecting a change in membership in the past which I assume is related)

Thanks

msripada · ‎08-19-2020

Restarting vCenter which is not supposedly a valid one but that is only way....

thanks,

MS

Lalegre · ‎08-19-2020

I assume this is the validation time that you changed: Change User Validation Settings

I am thinking right now that as a workaround you can maybe add that user to the No Access group once to remove it from the AD Group to not have permissions at all.

All

How to make vCenter detect AD group changes faster than 24 hours