you wish to manage user permissions in Active Directory, you could create a single group that you then add
users to and remove users from; alternatively, you can add and remove individual users from XenServer, or a
combination of users and groups, as appropriate for your authentication requirements. The subject list can be
managed from XenCenter or using the CLI as described below.
When authenticating a user, the credentials are first checked against the local root account, allowing you to
recover a system whose AD server has failed. If the credentials (i.e. username then password) do not match,
then an authentication request is made to the AD server. If this is successful, the user's information is
retrieved and validated against the local subject list; otherwise access is denied. Validation against the
subject list will succeed if the user or a group in the transitive group membership of the user is in the subject list.
Note:
When using Active Directory groups to grant access for Pool Administrator users who will
require host ssh access, the number of users in the Active Directory group must not exceed
500.

Allowing a user access to XenServer using the CLI

To add an AD subject to XenServer:
xe subject-add subject-name=<entity name>
The entity name should be the name of the user or group to which you want to grant access. You may
optionally include the domain of the entity (for example, '<xendt\user1>' as opposed to '<user1>') although
the behavior will be the same unless disambiguation is required.

Removing access for a user using the CLI

1. Identify the subject identifier for the subject whose access you wish to revoke. This would be the user or the
group containing the user (removing a group would remove access for all users in that group, providing they
are not also specified in the subject list). You can do this using the subject list command:
xe subject-list
You may wish to apply a filter to the list. For example, to get the subject identifier for a user named user1
in the testad domain, you could use the following command:
xe subject-list other-config:subject-name='<domain\user>'
2. Remove the user using the subject-remove command, passing in the subject identifier you learned in the
previous step:
xe subject-remove subject-uuid=<subject-uuid>
3. You may wish to terminate any current sessions this user has already authenticated. See Terminating all
authenticated sessions using xe and Terminating individual user sessions using xe for more information about
terminating sessions. If you do not terminate sessions, the users whose permissions have been revoked may
be able to continue to access the system until they log out.
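
The three revocation steps above as a dry-run helper. This is an added example, not part of the original guide: it parses subject-list output for an exact subject name and prints the subject-remove command together with the logout command for that subject's sessions. The sample records and their field layout are constructed assumptions, the function names are hypothetical, and xe session-subject-identifier-logout is the xe CLI command for ending one subject's sessions, which this page references but does not show.

```sh
#!/bin/sh
# Added example: dry-run revocation plan for one AD subject (prints commands, runs nothing).
# SAMPLE is constructed; it assumes the usual "field ( RO): value" record layout
# of xe subject-list output, with uuid listed before the other fields.
SAMPLE='uuid ( RO)                  : 11111111-2222-3333-4444-555555555555
    subject-identifier ( RO): S-1-5-21-1000-2000-3000-1105
          other-config (MRO): subject-name: testad\user1; subject-is-group: false

uuid ( RO)                  : 66666666-7777-8888-9999-aaaaaaaaaaaa
    subject-identifier ( RO): S-1-5-21-1000-2000-3000-1200
          other-config (MRO): subject-name: testad\xs-admins; subject-is-group: true'

# lookup_subject NAME < subject-list output  ->  prints "<uuid> <subject-identifier>"
lookup_subject() {
    # Pass the name through the environment: awk -v would treat the
    # backslash in DOMAIN\user as the start of an escape sequence.
    WANT="$1" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]) }   # AD account names are case-insensitive
        /^uuid \(/              { uuid = $NF; sid = "" }
        /subject-identifier \(/ { sid = $NF }
        /other-config \(/ {
            rest = $0; sub(/^[^:]*: /, "", rest)    # drop the "other-config (MRO): " label
            n = split(rest, kv, /; /)
            for (i = 1; i <= n; i++)
                # Exact comparison, so user1 never matches user10.
                if (index(kv[i], "subject-name: ") == 1 &&
                    tolower(substr(kv[i], 15)) == want) {
                    print uuid, sid; found = 1; exit
                }
        }
        END { exit !found }'
}

# revocation_plan NAME < subject-list output  ->  prints the two commands to review and run
revocation_plan() {
    plan_ids=$(lookup_subject "$1") || {
        printf 'no subject-list entry named %s; access may come from a group subject\n' "$1" >&2
        return 1
    }
    printf 'xe subject-remove subject-uuid=%s\n' "${plan_ids%% *}"
    printf 'xe session-subject-identifier-logout subject-identifier=%s\n' "${plan_ids#* }"
}

# Demo on the constructed sample; on a host, pipe real xe subject-list output in.
printf '%s\n' "$SAMPLE" | revocation_plan 'testad\user1'
```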

Listing subjects with access

To identify the list of users and groups with permission to access your XenServer host or pool, use the
following command:
xe subject-list
Removing Access for a User
Once a user is authenticated, they will have access to the server until they end their session, or another user
terminates their session. Removing a user from the subject list, or removing them from a group that is in the
subject list, will not automatically revoke any already-authenticated sessions that the user has; this means that