
GROUP POLICY SETTINGS

What are AD Bridge group policy settings?

AD Bridge enables you to configure group policy settings for computers running Linux and Unix. AD Bridge includes more than 100 policy settings that are designed to manage non-Windows computers.

All the policy settings are integrated with the Microsoft Group Policy Management Editor, part of the Microsoft Group Policy Management Console (GPMC).

How are AD Bridge group policy settings useful?

You can use a group policy setting to control who can use sudo for access to root-level privileges by specifying a common sudoers file for target computers. You could create an Active Directory group called SudoUsers, add Active Directory users to the group, and then apply the sudo group policy setting to the container, giving those users sudo access on their Linux and Unix computers. In the sudoers file, you can specify Windows-style user names and identities. Using a group policy setting for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.

How do I access AD Bridge group policy settings?

AD Bridge stores its Unix and Linux policy settings in Group Policy Objects (GPOs) in the same location and in the same format as the default GPOs in Windows Server: in the system volume (sysvol) shared folder. Unix and Linux computers that are joined to an Active Directory domain receive GPOs in the same way that a Windows computer does.

Diagram of Windows and Linux computers joined to a domain

AD Bridge Group Policy Agent

The AD Bridge Group Policy Agent is automatically installed when you install the AD Bridge agent.

To apply and enforce policy settings, the AD Bridge Group Policy Agent runs continuously as a daemon processing user policy and computer policy:

  • Computer policy processing: The agent traverses the computer's distinguished name (DN) path in Active Directory.
  • User policy processing: Occurs when a user logs on; the agent traverses the user's DN path in Active Directory.

The AD Bridge Group Policy Agent connects to Active Directory, retrieves changes, and applies them once every 30 minutes, when a computer starts or restarts, or when requested by the GPO refresh tool.

The AD Bridge Group Policy Agent uses the computer account credentials to securely retrieve policy template files over the network from the domain’s protected system volume shared folder.

The AD Bridge Group Policy Agent applies only AD Bridge Group Policy settings: those in the Unix and Linux Settings collection in the Group Policy Management Editor; it does not apply any other group policy settings that may be specified in the GPOs.

Inheritance

There are two types of policy settings:

  • File-based: File-based policy settings, such as sudo and automount, typically replace the local file. File‑based policy settings are not inherited and do not merge with the local file.
  • Property-based: Property-based policy settings are inherited, meaning that the location of a GPO in the Active Directory hierarchy can affect its application. Property-based settings merge with local policy settings. Local policy settings are not replaced by property-based settings.

Most policy settings are based on properties.

Filter by target platform

You can set the target platforms for a GPO. The GPO is applied only to the platforms that you select. You can select the target platforms by operating system, distribution, and version. For example, you can target a GPO at:

  • Only computers running SUSE Linux Enterprise Server
  • A mixture of operating systems and distributions, such as Red Hat Linux, Sun Solaris, and Ubuntu Desktop

Some policy settings, however, apply only to specific platforms.

Note: For more information, see the Help for the policy setting that you want to use.

Target Platforms

  • CentOS Linux
  • Debian Linux
  • Fedora Linux
  • IBM AIX
  • OpenSUSE Linux
  • Red Hat Linux
  • Red Hat Enterprise Linux (ES and AS)
  • Sun Solaris
  • SUSE Linux
  • SUSE Linux Enterprise Desktop
  • SUSE Linux Enterprise Server
  • Ubuntu Linux

Go to the Target Platform Filter policy to select targets for the GPO.

Target Platforms Filter

AD Bridge GPO update tool

Use the AD Bridge GPO update tool to force a computer to pull the latest version of group policy settings. The tool includes the following options:

| Option | Description | Example |
|---|---|---|
| help | Displays the help for the tool. | gpupdate --help |
| verbose | Displays information on the policies that were added, updated, removed. | gpupdate --verbose |
| rsop | Displays the Resultant Set of Policy (RSoP) information. The RSoP is the set of group policy settings the group policy agent will apply, either when it runs as part of periodically applying settings or when gpupdate is run. gpupdate --rsop does not apply group policy settings. | gpupdate --rsop |
| no-pager | Do not page output. By default, gpupdate automatically pages output using the command set in the PAGER environment variable. | gpupdate --no-pager |

The --verbose option provides details on the group policy extensions being run, whether settings were added, modified, or removed, and whether those changes were successfully applied.

Run the following command at the shell prompt: /opt/pbis/bin/gpupdate --verbose

The command returns a success or failure result similar to the following:

  • On success: GPO Update succeeded
  • On failure: GPO Update was unsuccessful, error code (
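
The following is an added example, not BeyondTrust code: a POSIX shell wrapper that forces a refresh and classifies the result from the two messages listed above, treating any other output as a failure so that a host with stale policy (for example, an outdated sudoers file) is not reported as healthy. The function names are hypothetical; combining --verbose with --no-pager and ignoring the tool's exit status are assumptions.

```shell
#!/bin/sh
# Added example, not BeyondTrust code. Function names are hypothetical.

# Path from the page; set GPUPDATE to point at a stub when testing offline.
GPUPDATE="${GPUPDATE:-/opt/pbis/bin/gpupdate}"

# Constructed sample output; only the result lines quoted on the page are
# relied on. The failure line is truncated exactly as the page shows it.
SAMPLE_OK='GPO Update succeeded'
SAMPLE_FAIL='GPO Update was unsuccessful, error code ('

# classify_gpupdate: read gpupdate output on stdin and print one word.
#   failed  - the documented failure message is present (checked first)
#   ok      - the documented success message is present
#   unknown - neither message seen; callers must not treat this as success
classify_gpupdate() {
    out=$(cat)
    case "$out" in
        *"GPO Update was unsuccessful"*) echo failed ;;
        *"GPO Update succeeded"*)        echo ok ;;
        *)                               echo unknown ;;
    esac
}

# refresh_policy [logfile]: force a refresh, keep the verbose output for
# audit, print a one-line status, and return 0 only when the result is "ok".
refresh_policy() {
    log="${1:-$(mktemp)}"
    # Assumption: --verbose and --no-pager can be combined. --no-pager keeps
    # an unattended run from blocking on $PAGER. The exit status is not
    # documented on the page, so it is ignored in favour of the message.
    "$GPUPDATE" --verbose --no-pager >"$log" 2>&1 || true
    status=$(classify_gpupdate <"$log")
    echo "$(uname -n) gpupdate=$status log=$log"
    [ "$status" = ok ]
}
```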
