Domain authentication notes
See Security Roles with Domain Authentication for how to automatically give users rights in VSys based on their Active Directory groups.
Organizational Units
If your domain includes one or more Organizational Units (and most do), VSys offers the option of allowing only a subset of those OUs to be used for domain login. Selecting one or more OUs here will limit the user IDs shown when searching for an account to be linked to Active Directory, rather than potentially searching the entire domain's list of users.
An Active Directory user who is added to VSys One and then has her OU changed does not lose access to VSys: the OU filters are used when creating the account in VSys, not when authenticating.
Active Directory settings
Allow individual users to have non-domain accounts |
See below. |
When logging in via domain, if logging in as the same user authenticated on the local machine, do not require password |
If this is checked, and a user is logging into VSys with a login that's the same as the Windows login authenticated on the current machine, the user can leave the Password field blank when logging in. Note that secondary authentication such as to access Security Manager will still require that the user provide User ID and Password when accessing certain tools. |
Automatically create new users based on Active Directory logins |
If a user unknown to VSys attempts to log in, and this field is checked, VSys will authenticate the user against Active Directory. If that authentication succeeds and the user has the required Active Directory groups (if any; see below), then VSys will automatically create the user in VSys during the login process. |
Update existing users based on Active Directory logins |
If checked, when a user logs into VSys using an Active Directory account, VSys will attempt to update that user's personal information from his Active Directory profile. |
Required Active Directory groups (all required) |
If any groups are checked here, when a user authenticates to VSys for an AD account, VSys will require that the user have all of these Active Directory groups. If one or more of the required groups are not present, the user will not be able to log into VSys. Note that inherited/implied groups are not permitted: to meet the criteria here, the user must be explicitly and directly in all of these groups. |
Required Active Directory groups (one or more required) |
If any groups are checked here, the user must be a member of at least one of these Active Directory groups to log in to VSys (see above). |
Mixed-mode authentication
If domain authentication is enabled, you can still allow individual users to authenticate without using Active Directory. Check Allow individual users to have non-domain accounts, and then users can, on a user-by-user basis, be allowed to authenticate to VSys with a VSys password rather than via Active Directory.
Why would you do this? Having one user who can authenticate without Active Directory allows you to restore the data to a workstation or server not on the domain and still be able to access it. This could be laptops set up for testing or training, or an off-site backup center.