For security reasons, an administrator removes a user from the Active Directory domain used by all ESXi hosts for authentication. At the time the user is removed they are actively logged into an ESXi 5.x host through the vSphere Client.
What is true regarding this scenario?
A. The user immediately loses connectivity to and permissions on the host.
B. The user retains permissions and connectivity to the host for up to 24 hours.
C. The user retains permissions on the host until the host is rebooted.
D. The user retains permissions on the object until the next time the user logs in to vCenter Server.
This should be answer ‘B’
http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp?topic=/com.vmware.vsphere.dcadmin.doc_41/vsp_dc_admin_guide/managing_users_groups_roles_and_permissions/c_removing_or_modifying_users_and_groups.html
The answer is correct. When your permission is removed from vCenter, that is when the answer is B. When your permission is removed from AD, then the host will need to reboot for that setting to be applied.
In the question the user is logging directly into an ESXi host NOT into vCenter Server. So B. may not be correct.
http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc_50%2FGUID-16E1D78F-2466-4794-8D12-BE5EC7AA41D3.html
I still think the answer is B. If it is C, can someone explain why?
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxi_server_config.pdf
Page 170
=> C is correct for ESXi hosts (B applies only to vCenter).
NOTE – Users who are logged in and are removed from the domain keep their host permissions until you restart the host.
Chris – Thanks
Sorry, but I cannot find where the VMware documentation mentions the case of a user logged in directly to an ESXi server. Could someone please help me find it?
Thanks in advance
Fabio
Answer C.
http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-511-security-guide.pdf
Page 57
NOTE Users who are logged in and are removed from the domain keep their host permissions until you restart the host.
You can remove a user from the host.
Users who are logged in and are removed from the domain keep their host permissions until you restart the host.
To remove users from vCenter Server, you must remove them from the domain or Active Directory users list.
Users who are logged in and are removed from the domain keep their vSphere permissions until the next validation period. The default is every 24 hours.
C is correct for ESXi hosts, B is correct for vCenter Server
answer is B
vSphere 5.0 Security Guide, page 43
http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf
“Removing or Modifying vCenter Server Users
When you remove users from vCenter Server, you also remove permissions granted to those users. Modifying a user or group name causes the original name to become invalid.
To remove users from vCenter Server, you must remove them from the domain or Active Directory users list.
If you remove users from the vCenter Server domain, they lose permissions to all objects in the vSphere environment and cannot log in again.
NOTE Users who are logged in and are removed from the domain keep their vSphere permissions until the next validation period. The default is every 24 hours.
Removing a group does not affect the permissions granted individually to the users in that group or permissions granted as part of inclusion in another group.
If you change a user’s name in the domain, the original user name becomes invalid in the vCenter Server system. If you change the name of a group, the original group becomes invalid after you restart the vCenter Server system.”
For security reasons, an administrator removes a user from the Active Directory domain used by all ESXi hosts for authentication. At the time the user is removed they are actively logged into an ESXi 5.x host through the vSphere Client.
The ONLY Active Directory DOMAIN with this SCOPE(!) would be VSPHERE.LOCAL!
http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-31F302A6-D622-4FEC-9007-EE3BA1205AEA.html
Deleting a user from vsphere.local:
http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-4C51B8F0-17EB-4FB1-ACF8-FAB24FD92FFC.html
Deleting an application user from vsphere.local:
http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-58B88A46-45BE-4E4B-900A-A778745E05FF.html