AD Bridge group policy settings reference
This page lists the AD Bridge group policy settings and describes their use.
Authorization and identification
Logon
GPO Name | Description |
---|---|
Allow Logon Rights | Sets the Active Directory users and groups allowed to log on to target computers, either locally or remotely. You can also use this policy to enforce logon rules for local users and groups. To use this policy, you must grant the users access to the AD Bridge cell that contains the target computer object. By default, all Unix and Linux computers are joined to the Default Cell, and all members of the Domain Users group are allowed to access the Default Cell. AD Bridge checks the RequireMembershipOf setting in both the PAM authentication phase and the account phase, so a user who is not listed is rejected even when the supplied credentials are valid. |
Cumulative Allow Logon Rights | Accumulates Allow Logon Rights from GPOs linked at parent OUs into child OUs instead of letting the most specific GPO replace them. |
Denied logon rights message | Sets the message displayed when a user is denied logon by the Allow Logon Rights policy. |
Create a home directory for a User Account at Logon | Automatically creates a home directory for an AD user account or a local AD Bridge user account on target AD Bridge clients. When the user logs on to the computer, the home directory is created if it does not exist. For AD accounts, the location of the home directory is specified in the AD Bridge settings of the user account in Active Directory Users and Computers. |
Template files for a new user home directory | AD Bridge can copy the contents of the skel directory into the home directory created for an AD user account or an AD Bridge local user account on target AD Bridge clients. Using the skel directory ensures that all users begin with the same settings and environment. |
Home Directory Creation Mask | Sets the permissions of the home directory created when a user logs on to target AD Bridge clients. The home directory and all the files in it are created with the permissions that the file creation mask, or umask, leaves open. There is one umask policy for local accounts and one for AD accounts. |
Local account password expiration | Sets how many days before a local account's password expires the user is warned. |
Local account password lifespan | Sets the number of days a local account password is valid. |
Create a .k5Login file in user home directory | Creates a .k5login file in the user's home directory; the file lists the Kerberos principals permitted to log on as that user. |
Log PAM debugging information | Turns on debug-level logging for the AD Bridge PAM module. |
Ignore group alias | When turned on, group names are displayed using the NT4 format (DOMAIN\sAMAccountName) instead of the group alias. |
Smart card
GPO Name | Description |
---|---|
Smart card removal policy | Sets the action to take when a smart card is removed from a target. For example, lock out the computer. |
Require smart card for login | Turns on the requirement to use Smart Card two-factor authentication. |
Reaper syslog settings
GPO Name | Description |
---|---|
Unmatched Error Events | Captures Error-class syslog events that no syslog reaper rule matched. |
Unmatched Warning Events | Captures Warning-class syslog events that no syslog reaper rule matched. |
Unmatched Info Events | Captures Information-class syslog events that no syslog reaper rule matched. |
Group Policy agent
GPO Name | Description |
---|---|
Enable use of event log | Turns on logging for group policy events on target computers. You can use this policy to help improve security and to troubleshoot group policies by capturing information in the AD Bridge event log about the application and processing of group policy objects, including such events as errors, adding a new GPO, updating a GPO for a new version, and removing a GPO that no longer applies to a user or computer. |
Computer Policy Refresh Interval | Sets how often a computer's group policies are updated while the computer is in use. By default, when this policy is undefined, a computer's group policies are updated when the system starts and every 30 minutes while the computer is in use. The updates take place in the background without interrupting the user. |
User Policy Refresh Interval | Sets how often the user settings are updated while the user is logged on. By default, when this policy is undefined, a user's settings are updated when the user logs on and every 30 minutes while the user is logged on. The updates take place in the background without interrupting the user. Only applies to AD Bridge group policies. |
User Policy Loopback Processing Mode | The policy is designed for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. By default, the user's group policy objects determine which user settings apply. If this setting is enabled, when a user logs on to this computer, the computer's group policy objects determine which set of group policy objects applies. |
Enable user logon group policies | By default, the AD Bridge group policy agent processes and applies user policies when a user logs on with an Active Directory account, a process that can delay logon. If no user group policy objects apply to a target set of computers and the users who access them, defining this group policy and setting it to disabled stops the AD Bridge group policy agent from attempting to process user policies, resulting in faster logons. |
Event log
GPO Name | Description |
---|---|
Max disk usage | Sets the maximum size of the event log on disk. |
Max number of events | Sets the maximum number of events that can be stored in the event log. |
Max event lifespan | Sets the number of days after which events are deleted. |
Remove events as needed | Deletes the oldest events when the event log reaches the size threshold configured in the Max disk usage policy. Used with the Max disk usage policy. |
Allow read-event access | Sets the Active Directory users that can read events from the AD Bridge event log. |
Allow write-event access | Sets the Active Directory users and groups allowed to write events into the AD Bridge event log. |
Allow delete-event access | Sets the Active Directory users and groups allowed to delete events from the AD Bridge event log of target computers. |
Event forwarder
GPO Name | Description |
---|---|
Event log collector | Sets the event log collector that target computers forward their events to. |
Service principal for collector | Sets the service principal name that the event forwarder daemon uses to authenticate to the collector. |
User monitor
GPO Name | Description |
---|---|
Enable monitoring of users and groups | AD Bridge includes a User Monitor service for entitlement reports. This feature is designed to support computers that are critical to regulatory compliance and for which restricted access by only essential staff is vital. A computer that is openly accessible to hundreds of users would be a source of unnecessary audit activity in such a situation and would significantly increase resource requirements, such as for Auditing Database sizing. This policy setting turns on the User Monitor service to monitor account and group changes. The service queries all local user accounts, local groups, and Active Directory users and groups. The service detects additions, deletions, and modifications that occur. Information is then sent to the Eventlog service for reporting purposes. |
Monitoring check interval | Sets the frequency with which the User Monitor service attempts to detect user and group changes on target computers. |
SNMP settings
GPO Name | Description |
---|---|
Configure SNMP | Applies groups of SNMP trap settings to target computers using a GPO. |
Account override
DC validation
GPO Name | Description |
---|---|
Enable domain controller cache | Enables the DC validation cache to cut down on network overhead. |
Cache expiry interval | Sets the DC validation cache expiry (minutes). |
Enable domain controller validation | Enables DC validation support through secure channel connection. |
Message settings and descriptions
Logging and audit settings and descriptions
File system settings
Task settings and descriptions
Network and security settings reference
GPO Name | Description |
---|---|
DNS | Sets the DNS servers and search domains on target computers. The search domains are automatically appended to unqualified names typed in Internet applications. When the GPO is processed, a new resolv.conf file is generated as resolv.conf.gp, the old resolv.conf file is saved as resolv.conf.lwidentity.orig, and resolv.conf.gp is then renamed to resolv.conf. When the network interface is restarted, however, the updated resolv.conf settings can be overwritten with values from other configuration repositories, even if NetworkManager is not turned on. We recommend that you use a target platform filter to apply the policy only to Unix platforms or other systems on which resolv.conf is not dynamically modified. |
Sudoers | Specifies a sudo configuration file for target computers running Linux or Unix. The file is copied to the local machine and replaces the existing sudoers file, so a syntax error in it disables sudo for every administrator on the target; check a candidate file with `visudo -cf <file>` before deploying it. A sudoers file can reference local users and groups or Active Directory users and groups. Sudo, or superuser do, allows a user to run a command as root or as another user. Example entries for an AD user and an AD group: `DOMAIN\\adminuser ALL=(ALL) ALL` and `%DOMAIN\\domain^admins ALL=(ALL) ALL`. The domain separator backslash must be doubled in sudoers, and spaces in AD names (Domain Admins) are written with the AD Bridge space replacement character `^`. |
Certificates Autoenrollment | The AD Bridge autoenrollment policy automatically enrolls domain, root, and selected certificate templates. Ensure the required Windows server roles are properly configured before setting the policy in AD Bridge. The autoenrollment service is managed by the lwsm service manager. When the autoenrollment group policy is downloaded, gpagentd starts the autoenroll daemon, which downloads the certificates. The autoenroll service renews expired or revoked certificates and, if configured, removes revoked certificates. As of 8.5.4, root certificates are downloaded from CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com into the local directory /etc/pbis/security/certs/<DOMAIN>/. If the computer leaves the domain, autoenrollment stops, but certificates already on the system remain there and are not cleaned up automatically. This policy was tested on: |
Wireless | Configures a wireless interface using NetworkManager. When the policy is downloaded to a workstation, the client automatically enrolls for the certificate template named in the policy and configures the wireless interface with the resulting certificate. The template name must exactly match the name in the certificate authority's template list. This policy is tested on: |
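The Sudoers row above shows the name form AD Bridge clients expect in a pushed sudoers file. The following is an added example (not AD Bridge code, and not from this page) that renders such entries from plain AD principal names and lints a candidate file for the two mistakes the name form invites: a single backslash separator and a space in a group name that was not replaced with `^`. It assumes AD Bridge's default space replacement character `^` and a backslash domain separator; `visudo -cf` remains the authoritative syntax check.

```python
"""Build and lint an AD Bridge-style sudoers file before a Sudoers GPO pushes it.

Added example, not AD Bridge code. Assumptions: the domain separator AD Bridge
exposes is a single backslash and spaces in AD names are replaced with '^'
(AD Bridge's default space replacement); sudoers itself needs the backslash
doubled, which is why the page's sample entries read DOMAIN\\\\adminuser.
"""
import re

SPACE_REPLACEMENT = "^"  # AD Bridge default; assumed unchanged on the targets


def adbridge_name(domain: str, sam: str) -> str:
    """Name form the OS sees for an AD principal: DOMAIN\\sam, spaces replaced."""
    if not domain or not sam:
        raise ValueError("domain and account name are required")
    return f"{domain}\\{sam.replace(' ', SPACE_REPLACEMENT)}"


def sudoers_principal(domain: str, sam: str, group: bool = False) -> str:
    """Escape the name for sudoers: separator written as '\\\\', '%' prefix for groups."""
    escaped = adbridge_name(domain, sam).replace("\\", "\\\\")
    return ("%" if group else "") + escaped


def render_sudoers(domain, users=(), groups=(), spec="ALL=(ALL) ALL"):
    """Render one entry per user and per group, all with the same host/runas/command spec."""
    lines = ["# Generated for AD Bridge clients; check with: visudo -cf <file>"]
    lines += [f"{sudoers_principal(domain, u)} {spec}" for u in users]
    lines += [f"{sudoers_principal(domain, g, group=True)} {spec}" for g in groups]
    return "\n".join(lines) + "\n"


# A backslash that is neither preceded nor followed by another backslash.
_LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")


def lint_sudoers(text: str):
    """Return (line_no, problem) pairs for entries that would fail to parse or over-grant."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        fields = line.split()
        if fields[0].endswith("_Alias"):      # User_Alias / Host_Alias / Cmnd_Alias lines
            continue
        if _LONE_BACKSLASH.search(line):
            problems.append((n, "single backslash: write the separator as \\\\"))
        if len(fields) < 2 or "=" not in fields[1]:
            problems.append((n, "second field is not host=(runas): name with a space not written with '^'?"))
        if "NOPASSWD" in line:
            problems.append((n, "NOPASSWD grants passwordless privilege"))
    return problems


if __name__ == "__main__":
    rendered = render_sudoers("CORP", users=["adminuser"], groups=["domain admins"])
    print(rendered)
    print("lint:", lint_sudoers(rendered))
```

Run the linter over the file you are about to attach to the GPO and refuse to deploy when it returns anything; the NOPASSWD check is there because a pushed sudoers file is applied to every computer in scope, so an entry that is acceptable on one host becomes a passwordless root grant on all of them.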
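The DNS row above describes a stage, back up, rename sequence and warns that a network restart can silently undo it. The following is an added example (not AD Bridge code, and not from this page) that models that sequence with the file names the page gives and adds the check a practitioner wants on such hosts: re-render the policy and compare it with the live resolv.conf to detect drift. The `etc_dir` argument and the `demo()` scratch run are assumptions introduced so it can be exercised outside /etc.

```python
"""Model the file handling the DNS group policy describes and detect drift.

Added example, not AD Bridge code. File names resolv.conf.gp and
resolv.conf.lwidentity.orig are taken from the page; etc_dir and demo()
are assumptions so the sequence can run in a scratch directory.
"""
import ipaddress
import os
import shutil
import tempfile


def render_resolv_conf(nameservers, search_domains=()):
    """Render resolv.conf content; anything that is not an IP address is rejected."""
    if not nameservers:
        raise ValueError("at least one nameserver is required")
    lines = ["# Generated by the AD Bridge DNS group policy (example renderer)"]
    for ns in nameservers:
        lines.append(f"nameserver {ipaddress.ip_address(ns)}")  # ValueError on junk
    if search_domains:
        lines.append("search " + " ".join(search_domains))
    return "\n".join(lines) + "\n"


def apply_dns_policy(etc_dir, nameservers, search_domains=()):
    """Write resolv.conf.gp, keep the first pre-policy resolv.conf as
    resolv.conf.lwidentity.orig, then rename resolv.conf.gp over resolv.conf."""
    resolv = os.path.join(etc_dir, "resolv.conf")
    staged = resolv + ".gp"
    backup = resolv + ".lwidentity.orig"
    content = render_resolv_conf(nameservers, search_domains)
    with open(staged, "w") as fh:
        fh.write(content)
    if os.path.exists(resolv) and not os.path.exists(backup):
        shutil.copy2(resolv, backup)  # preserve the original, not a later policy output
    os.replace(staged, resolv)        # atomic on POSIX: readers never see a half-written file
    return content


def dns_policy_drifted(etc_dir, nameservers, search_domains=()):
    """True when the live resolv.conf no longer matches what the policy renders."""
    resolv = os.path.join(etc_dir, "resolv.conf")
    try:
        with open(resolv) as fh:
            live = fh.read()
    except FileNotFoundError:
        return True
    return live != render_resolv_conf(nameservers, search_domains)


def demo():
    """Run the sequence in a scratch directory and report what happened."""
    ns, search = ["192.0.2.53", "192.0.2.54"], ["corp.example"]
    with tempfile.TemporaryDirectory() as etc_dir:
        resolv = os.path.join(etc_dir, "resolv.conf")
        with open(resolv, "w") as fh:
            fh.write("nameserver 192.0.2.1\n")  # constructed pre-policy file
        applied = apply_dns_policy(etc_dir, ns, search)
        with open(resolv) as fh:
            live = fh.read()
        with open(resolv + ".lwidentity.orig") as fh:
            backup = fh.read()
        drift_before = dns_policy_drifted(etc_dir, ns, search)
        with open(resolv, "w") as fh:            # what an interface restart may do
            fh.write("nameserver 192.0.2.1\n")
        drift_after = dns_policy_drifted(etc_dir, ns, search)
        return {"applied": applied == live, "backup": backup,
                "staged_left": os.path.exists(resolv + ".gp"),
                "drift_before": drift_before, "drift_after": drift_after}


if __name__ == "__main__":
    print(demo())
```

On a host where drift is reported, the fix is the one the page recommends: exclude the platform from the policy with a target platform filter rather than fighting the network stack on every refresh.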