Groups Based User Management
Keeping track of which users in your domain are activated for two-factor authentication becomes hard in large domains. To solve this problem, ESET Secure Authentication On-Prem provides automatic bookkeeping for your 2FA users by means of Active Directory group membership.
Several Active Directory groups are created at installation time:
•ESA Users
The ESA Users group does not contain any users directly, but contains the ESA SMS Users, ESA Mobile Application Users, ESA Hard Token Users and ESA FIDO Users groups. Transitive Group Membership may therefore be used to locate all 2FA users in your domain using this group.
•ESA SMS Users
The ESA SMS Users group contains all users in your domain that have been enabled for SMS OTPs.
•ESA Mobile App Users
The ESA Mobile App Users group contains all users that have been enabled for mobile application OTPs.
•ESA Hard Token Users
The ESA Hard Token Users group contains all users that have been enabled for Hard Token OTPs.
•ESA FIDO Users
The ESA FIDO Users group contains all users that have been enabled for mobile application OTPs.
•EsaCoreAuthServices, EsaServices and ESA Admins store no real users. They are related to internal security of ESET Secure Authentication On-Prem.
Group membership is updated in real time when users are configured in the ADUC or ESA Web Console. Finding all users that have been enabled for SMS OTPs, for example, is simple:
1.Launch the ADUC
2.Right-click your domain node, and select Find
3.Type in "ESA SMS" and hit Enter - the group will be displayed in the Search Result section
4.Double-click the group and select the Members tab to view all users in your domain that have been enabled for SMS OTPs.
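
The same lookup can be scripted, both for a single method group as in the steps above and for the transitive membership of ESA Users. The following is an added example, not part of the ESET documentation: it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain, and it takes only the ESA Users group name from this page, discovering the per-method groups from its membership.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

$parentGroup = 'ESA Users'   # parent group name as given on this page

# The parent holds only the per-method groups, so list those first.
$methodGroups = Get-ADGroupMember -Identity $parentGroup |
    Where-Object { $_.objectClass -eq 'group' }

# Per-method membership: one row per (user, method) pair.
$perMethod = foreach ($group in $methodGroups) {
    Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Method         = $group.Name
            }
        }
}

# Collapse to one row per user listing every method they are enabled for.
$twoFactorUsers = $perMethod | Group-Object SamAccountName | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.Name
        Methods        = ($_.Group.Method | Sort-Object -Unique) -join ', '
    }
}

# Transitive membership in one LDAP query (matching rule in chain).
# Assumes the group DN has no characters that need LDAP filter escaping.
$parentDn   = (Get-ADGroup -Identity $parentGroup).DistinguishedName
$transitive = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$parentDn)"

# Coverage gap: enabled accounts that are in none of the ESA groups.
$covered = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@($transitive.SamAccountName),
    [System.StringComparer]::OrdinalIgnoreCase)
$notEnrolled = Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { -not $covered.Contains($_.SamAccountName) }

$twoFactorUsers | Sort-Object SamAccountName | Format-Table -AutoSize
"{0} enabled accounts are not in any ESA group" -f @($notEnrolled).Count
$notEnrolled | Select-Object SamAccountName, DistinguishedName
```

The not-enrolled list will include service and built-in accounts, so filter it by OU or naming convention before treating it as a 2FA rollout gap. In very large groups, Get-ADGroupMember can hit the Active Directory Web Services result limit; the LDAP filter query does not depend on it.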