What is true regarding this scenario?

For security reasons, an administrator removes a user from the Active Directory domain used by all ESXi hosts for authentication. At the time the user is removed they are actively logged into an ESXi 5.x host through the vSphere Client.

What is true regarding this scenario?

A.
The user immediately loses connectivity to and permissions on the host.

B.
The user retains permissions and connectivity to the host for up to 24 hours.

C.
The user retains permissions on the host until the host is rebooted.

D.
The user retains permissions on the object until the next time the user logs in to vCenter Server.

12 Comments on “What is true regarding this scenario?

    1. Deji says:

      the answer is correct. When your permission is removed from Vcenter that is when the answer is B. When your permission is removed from AD then the host will need to reboot for that setting to be applied

  1. SC says:

    NOTE –
    Users who are logged in and are removed from the domain keep their host permissions until you restart the host.

  2. FS84 says:

    Sorry but i cannot find specified in the vmware documentation where is mentioned the case of a user logged in directly into an esxi server. Could someone please help me to find it??

    Thanks in advance

    Fabio

  3. xenon says:

    You can remove a user from the host.
    Users who are logged in and are removed from the domain keep their host permissions until you restart the host.

    To remove users from vCenter Server, you must remove them from the domain or Active Directory users list.
    Users who are logged in and are removed from the domain keep their vSphere permissions until the next validation period. The default is every 24 hours.

    C is correct for ESXi hosts, B is correct for vCenter Server

  4. Pablo says:

    answer is B
    vSphere 5.0 Security Guide, page 43
    http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf

    “Removing or Modifying vCenter Server Users
    When you remove users from vCenter Server, you also remove permissions granted to those users. Modifying a user or group name causes the original name to become invalid.
    To remove users from vCenter Server, you must remove them from the domain or Active Directory users list.
    If you remove users from the vCenter Server domain, they lose permissions to all objects in the vSphere environment and cannot log in again.
    NOTE
    Users who are logged in and are removed from the domain keep their vSphere permissions until the
    next validation period. The default is every 24 hours.
    Removing a group does not affect the permissions granted individually to the users in that group or permissions granted as part of inclusion in another group.
    If you change a user’s name in the domain, the original user name becomes invalid in the vCenter Server system. If you change the name of a group, the original group becomes invalid after you restart the vCenter Server system.”

  5. B-Art says:

    For security reasons, an administrator removes a user from the Active Directory domain used by all ESXi hosts for authentication. At the time the user is removed they are actively logged into an ESXi 5.x host through the vSphere Client.

    The ONLY Active Directory DOMAIN with this SCOPE(!) would be VSPHERE.LOCAL!

    http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-31F302A6-D622-4FEC-9007-EE3BA1205AEA.html

    Deleting a user from vsphere.local:
    http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-4C51B8F0-17EB-4FB1-ACF8-FAB24FD92FFC.html

    Deleting an application user from vsphere.local:
    http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-58B88A46-45BE-4E4B-900A-A778745E05FF.html


Leave a Reply

Your email address will not be published. Required fields are marked *