
AD Bridge group policy settings reference

This page lists the AD Bridge group policy settings and describes their use.

Authorization and identification

Lsassd: Enable use of the event log
  Turns on event logging, which includes logon and logoff events and authentication and identification events.
Lsassd: Log network connectivity events
  Turns on event logging for network connection failures.
Lsassd: Prepend default domain name for AD users and groups
  Turns on the feature that adds a domain name to user and group names. Use this policy together with Lsassd: Default domain name to prepend for AD users and groups.
Lsassd: Default domain name to prepend for AD users and groups
  Sets the domain name to add to user and group names. Use the Lsassd: Prepend default domain name for AD users and groups policy to turn this feature on.
lsassd: System time synchronization
  Synchronizes the clock of the computer running the lsass service with the Active Directory domain controller.
Home Directory Template and Path Prefix
  Use the home directory path template and path prefix policy settings together to customize how the home directory path is determined for a user account.
Remote directory path template
  Sets the network-connected share (Home Folder) location defined in the Active Directory user account profile.
Login shell template
  Defines the login shell for an AD account only when it is not set on the AD Bridge Cell Settings tab in Active Directory.
Local account login shell template
  Login shell template used for local AD Bridge accounts.
Local account home directory path prefix
  Home directory path prefix used for local AD Bridge accounts.
Local account home directory path template
  Sets the homedir-template setting of the user home directory path on target systems running lsassd.
Lsassd: Enable signing and sealing for LDAP traffic
  Signs and seals LDAP traffic (signing protects its integrity, sealing encrypts it) so that others on your network cannot read it as it travels between an AD Bridge client and a domain controller.
Lsassd: Enable user credential refreshing
  Specifies whether user credentials are refreshed.
Lsassd: Enable user group membership trimming
  Specifies whether to discard cached information from a Privilege Attribute Certificate (PAC) entry when it conflicts with new information retrieved through LDAP. Otherwise, PAC information, which does not expire, is updated the next time the user logs on. It is turned on by default.
Lsassd: Enable cache only group membership enumeration for NSS
  Specifies whether to return only cached information for the members of a group when queried through the name service switch, or nsswitch. The setting determines whether nsswitch-based group APIs obtain group membership information exclusively from the cache, or whether they search for additional group membership data through LDAP.
Lsassd: Enable cache only user membership enumeration for NSS
  When set to enabled, enumerates the groups to which a user belongs using information based solely on the cache. When set to disabled, it checks the cache and searches for more information over LDAP. It is turned off by default.
Lsassd: Enable NSS enumeration
  Controls whether all users or all groups can be incrementally listed through NSS. On Linux and Unix computers, the default setting is set in the registry as 0, or turned off. To allow third-party software to show Active Directory users and groups in lists, you can turn on this setting, but performance might be affected.
Lsassd: Force authentication to use unprovisioned mode
  To use the AD Bridge agent to join a computer to a domain that has not been configured with cell information, you must set this group policy to unprovisioned mode.
Lsass: User names to ignore
  User account names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of account names.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

Lsass: Group names to ignore
  Group names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of group names.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

Lsass: Ignore all trusts during domain enumeration
  Determines whether the authentication service discovers domain trusts. In the default configuration of disabled, the service enumerates all the parent and child domains and forest trusts to other domains. For each domain, the service establishes a preferred domain controller by checking for site affinity and testing server responsiveness, a process that can be slowed by WAN links, subnet firewall blocks, stale AD site topology data, or invalid DNS information. When it is unnecessary to enumerate all the trusts – for example, the intended users of the target computer are only from the forest that the computer is joined to – turning on this setting can improve startup times of the authentication service.
Lsass: Domain trust enumeration include list
  When turned on, only the domain names in the include list are enumerated for trusts and checked for server availability.
Lsass: Domain trust enumeration exclude list
  When turned off (default setting), the domain names in the exclude list are not enumerated for trusts and not checked for server availability.
Lsass: Require trust enumeration to complete during startup
  Sets the AD Bridge authentication service (Lsass) to finish enumerating all the domain trusts before the service indicates that it has started. You can use this policy to help sequence services, such as crond, that depend on Lsass for user and group object lookups. Default is turned off.
Domain Separator Character
  Configures the domain separator used by the AD Bridge agent for user and group account name lookups with a character that you choose.
Cache Expiration Time
  You can use this policy to improve the performance of your system by increasing the expiration time of the cache.
Machine account password expiration time (machine password timeout)
  Sets the machine account password expiration time on target computers. The expiration time specifies when machine account passwords are reset in Active Directory.
Replacement character for names with spaces
  Replaces spaces in Active Directory user and group names with a character that you choose. For example, when you set the replacement character to caret (^), the group DOMAIN\Domain Users in Active Directory appears as DOMAIN\domain^users on target computers.
Maximum Tolerance for Kerberos Clock Skew (clockskew)
  You can create a group policy to set the maximum amount of time that the clock of the Kerberos Key Distribution Center (KDC) can deviate from the clock of target hosts. For security, a host rejects responses from any KDC whose clock is outside the maximum clock skew set in the host's krb5.conf file. The default clock skew is 300 seconds, or 5 minutes. This policy changes the clock skew value in the krb5.conf file of target hosts.
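The name-mapping policies in this table (default domain prepending, Domain Separator Character, Replacement character for names with spaces, and the user and group ignore lists) interact when a host resolves an AD name. The following is an added model of that interaction, not AD Bridge code; the class and function names are hypothetical, and the account portion is lower-cased to match the DOMAIN\domain^users example above.

```python
# Added example, not AD Bridge code: models how the name-mapping policies
# combine to produce the account name a target host sees. The policy class,
# function names and sample inputs are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class NameMappingPolicy:
    prepend_default_domain: bool = False  # Lsassd: Prepend default domain name for AD users and groups
    default_domain: str = ""              # Lsassd: Default domain name to prepend for AD users and groups
    domain_separator: str = "\\"          # Domain Separator Character (backslash assumed as default)
    space_replacement: str = "^"          # Replacement character for names with spaces
    ignored_users: str = ""               # Lsass: User names to ignore (comma-separated)
    ignored_groups: str = ""              # Lsass: Group names to ignore (comma-separated)


def parse_ignore_list(value: str) -> set:
    """Split a comma-separated policy value into a case-insensitive name set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def validate_policy(policy: NameMappingPolicy) -> list:
    """Return configuration problems worth flagging before the GPO is pushed;
    an empty list means the settings are consistent with each other."""
    problems = []
    if len(policy.space_replacement) != 1 or policy.space_replacement == " ":
        problems.append("space replacement must be a single non-space character")
    if len(policy.domain_separator) != 1:
        problems.append("domain separator must be a single character")
    if policy.space_replacement == policy.domain_separator:
        problems.append("space replacement and domain separator must differ")
    if policy.prepend_default_domain and not policy.default_domain:
        problems.append("prepending is enabled but no default domain is set")
    return problems


def map_account_name(raw: str, policy: NameMappingPolicy, is_group: bool = False) -> Optional[str]:
    """Map an AD name such as 'DOMAIN\\Domain Users' (or a bare 'jdoe') to the
    form shown on the target host; return None when an ignore list drops it.

    The account portion is lower-cased, matching the page's example of
    'DOMAIN\\Domain Users' appearing as 'DOMAIN\\domain^users'.
    """
    # Active Directory itself always writes the domain with a backslash.
    domain, _, account = raw.rpartition("\\")
    ignored = parse_ignore_list(policy.ignored_groups if is_group else policy.ignored_users)
    if account.lower() in ignored:
        return None
    # A bare name receives the default domain only when prepending is turned on.
    if not domain and policy.prepend_default_domain and policy.default_domain:
        domain = policy.default_domain
    account = account.lower().replace(" ", policy.space_replacement)
    if not domain:
        return account
    return f"{domain}{policy.domain_separator}{account}"


if __name__ == "__main__":
    policy = NameMappingPolicy(prepend_default_domain=True, default_domain="CORP")
    for name in ("DOMAIN\\Domain Users", "jdoe", "CORP\\root"):
        print(name, "->", map_account_name(name, policy))
```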

Logon

Allow Logon Rights
  Sets the Active Directory users and groups allowed to log on to target computers. Users and groups who have logon rights can log on to the target computers either locally or remotely. You can also use this policy to enforce logon rules for local users and groups. To use this policy, you must grant the users access to the AD Bridge cell that contains the target computer object. By default, all Unix and Linux computers are joined to the Default Cell, and all members of the Domain Users group are allowed to access the Default Cell. AD Bridge checks require-membership-of information in both the authentication phase and the account phase.
Cumulative Allow Logon Rights
  Sets logon rights to child OUs.
Denied logon rights message
  Sets a message to display when a user cannot log on because the allow logon right policy is not set.
Create a home directory for a User Account at Logon
  You can automatically create a home directory for an AD user account or a local AD Bridge user account on target AD Bridge clients. When the user logs on to the computer, the home directory is created if it does not exist. For AD accounts, the location of the home directory is specified in the AD Bridge settings of the user account in Active Directory Users and Computers.
Template files for a new user home directory
  AD Bridge can add the contents of skel to the home directory created for an AD user account or an AD Bridge local user account on target AD Bridge clients. Using the skel directory ensures that all users begin with the same settings or environment.
Home Directory Creation Mask
  AD Bridge can set permissions for the home directory that is created when a user logs on to target AD Bridge clients. The home directory and all the files in the directory are preset with the permission settings of the file creation mask, or umask. There is a umask policy for local accounts and a umask policy for AD accounts.
Local account password expiration
  Sets the number of days before a local account's password expires that the user is notified.
Local account password lifespan
  Sets the number of days a password is valid.
Create a .k5Login file in user home directory
  Creates a .k5Login file in the user's home directory.
Log PAM debugging information
  Logs winbind debugging information.
Ignore group alias
  When turned on, group names are displayed using the NT4 format (DOMAIN\SAMaccountname).

Smart card

Smart card removal policy
  Sets the action to take when a smart card is removed from a target computer, for example, locking the computer.
Require smart card for login
  Turns on the requirement to use Smart Card two-factor authentication.

Reaper syslog settings

Unmatched Error Events
  Sets the policy to capture Error class events from the syslog reaper service.
Unmatched Warning Events
  Sets the policy to capture Warning class events from the syslog reaper service.
Unmatched Info Events
  Sets the policy to capture Information class events from the syslog reaper service.

Group Policy agent

Enable use of event log
  Turns on logging for group policy events on target computers. You can use this policy to help improve security and to troubleshoot group policies by capturing information in the AD Bridge event log about the application and processing of group policy objects, including such events as errors, adding a new GPO, updating a GPO for a new version, and removing a GPO that no longer applies to a user or computer.
Computer Policy Refresh Interval
  Sets how often a computer's group policies are updated while the computer is in use. By default, when this policy is undefined, a computer's group policies are updated when the system starts and every 30 minutes while the computer is in use. The updates take place in the background without interrupting the user.
User Policy Refresh Interval
  Sets how often the user settings are updated while the user is logged on. By default, when this policy is undefined, a user's settings are updated when the user logs on and every 30 minutes while the user is logged on. The updates take place in the background without interrupting the user. Only applies to AD Bridge group policies.
User Policy Loopback Processing Mode
  The policy is designed for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. By default, the user's group policy objects determine which user settings apply. If this setting is enabled, when a user logs on to this computer, the computer's group policy objects determine which set of group policy objects applies.
Enable user logon group policies
  By default, the AD Bridge group policy agent processes and applies user policies when a user logs on with an Active Directory account, a process that can delay logon. If no user group policy objects apply to a target set of computers and the users who access them, defining this group policy and setting it to disabled stops the AD Bridge group policy agent from attempting to process user policies, resulting in faster logons.

Event log

Max disk usage
  Sets the maximum event log size.
Max number of events
  Sets the maximum number of events that can be saved in the event log.
Max event lifespan
  Sets the number of days that pass before events are deleted.
Remove events as needed
  Deletes events when the event log reaches the size threshold configured in the Max disk usage policy. Used with the Max disk usage policy.
Allow read-event access
  Sets the Active Directory users that can read events from the AD Bridge event log.
Allow write-event access
  Sets the Active Directory users and groups allowed to write events into the AD Bridge event log.
Allow delete-event access
  Sets the Active Directory users and groups allowed to delete events from the AD Bridge event log of target computers.

Event forwarder

Event log collector
  Sets the event log collector for the target computers.
Service principal for collector
  Sets the service principal account name that the event forwarder daemon process uses to contact the collector.

User monitor

Enable monitoring of users and groups
  AD Bridge includes a User Monitor service for entitlement reports. This feature is designed to support computers that are critical to regulatory compliance and for which restricted access by only essential staff is vital. A computer that is openly accessible to hundreds of users would be a source of unnecessary audit activity in such a situation and would significantly increase resource requirements, such as for Auditing Database sizing. This policy setting turns on the User Monitor service to monitor account and group changes. The service queries all local user accounts, local groups, and Active Directory users and groups. The service detects additions, deletions, and modifications that occur. Information is then sent to the Eventlog service for reporting purposes.
Monitoring check interval
  Sets the frequency with which the User Monitor service attempts to detect user and group changes on target computers.

SNMP settings

Configure SNMP
  The following groups of SNMP trap settings can be applied using a GPO:
    • Account
    • Domain
    • Logon Authentication
    • SUDO
    • System Services
  To use SNMP policies, you must also turn on Lsassd: Enable use of the event log in the Authorization and Identification group policy.

Account override

User Account Attributes (to override)
  You can override the following user attributes:
    • Login Name
    • UID Number
    • Primary GID
    • GECOS
    • Home directory
    • Login shell

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

Group Account Attributes (to override)
  You can override the following group attributes:
    • Group Alias
    • GID Number

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

DC validation

Enable domain controller cache
  Enables the DC validation cache to cut down on network overhead.
Cache expiry interval
  Sets the DC validation cache expiry (minutes).
Enable domain controller validation
  Enables DC validation support through a secure channel connection.

Message settings and descriptions

Login Prompt
  Sets a message in the /etc/issue file on target computers. The message, which appears before the login prompt, can display the name of the operating system, the kernel version, and other information that identifies the system. In the message text, you can use characters, numbers, and special characters; there is no limit to the length of the message.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

Message of the Day
  Sets a message of the day in the /etc/motd file on target computers. The message of the day, which appears after a user logs in but before the logon script executes, can give users information about a computer. For example, the message can remind users of the next scheduled maintenance window. The policy replaces the motd file on the target computer.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

Password Prompts
  Users can set password prompts to indicate which account is prompting for the password. There are three types of password prompts that can be configured:
    • Local Account passwords
    • Active Directory passwords
    • Other account passwords

Logging and audit settings and descriptions

SELinux
  SELinux puts in place mandatory access control using the Linux Security Modules, or LSM, in the Linux kernel. The security architecture, which is based on the principle of least privilege, provides fine-grained control over the users and processes that are allowed to access a system or execute commands on it. SELinux can secure processes from each other. For example, if you have a public web server that is also acting as a DNS server, SELinux can isolate the two processes so that a vulnerability in the web server process does not expose access to the DNS server.
SysLog
  A syslog policy can help you manage, troubleshoot, and audit your systems. You can log different facilities, such as cron, daemon, and auth, and you can use priority levels and filters to collect messages. The policy can import syslog, rsyslog, and syslog-ng configuration files. There are options to replace or append to the current configuration.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

LogRotate
  To help you manage, troubleshoot, and archive your system's log files, you can create a group policy to configure and customize your log-rotation daemon. For example, you can choose to use either a logrotate or logrotate.d file, specify the maximum size before rotation, compress old log files, and set an address for emailing log files and error messages. You can also enter commands to run before and after rotation.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

File system settings

Files, Directories and Links
  You can define a group policy to create directories, files, commands, and symbolic links on target computers. This policy can be applied to either computers or users.
  The policy, which is not inherited, does not concatenate a series of settings across multiple group policy objects in different locations in the Active Directory hierarchy. Instead, the closest local policy object is applied.
  You can add more than one script when setting up scripts using this policy setting. All scripts will automatically merge and run. Note that a script can be applied at the system level using the Run Scripts policy.
  For example, you might want to run a common script (for example, /etc/resolv.config) on all systems but then configure other scripts that are different depending on the system (for example, /etc/sysconfig/iptables). Configure the system-specific policies using a Files, Directories and Links policy setting.
  When setting up the local user or local group, you can prefix the ID with a number sign (#). AD Bridge does not validate a user or group ID prefixed by a number sign; you must provide a valid user or a valid group. To use the ID of 0 for the root account, however, do not use the # prefix.
AutoMount
  Starts a daemon that automatically mounts a file system on target computers. When a user tries to access an unmounted file system, the file that you associate with this policy automatically mounts it.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

Files System Mounts (fstab)
  Create a group policy for the file systems table, or fstab, on target computers and add mount entries to it by using a graphical user interface. Fstab, typically located in /etc/fstab, is a configuration file that specifies how a computer is to mount partitions and storage devices.
  The mount entries are appended to the contents of /etc/fstab (/etc/vfstab on Solaris), but the file systems are not mounted until you explicitly mount them using a command such as mount -a, even though the group policy has been polled by the target computer.
  To mount the file systems, you can do one of the following:
    • Log on to the target computer and execute the mount -a command (or a similar command, depending on your operating system) or restart the computer.
    • Run a cron job that resets the mounts remotely or restarts the computer.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.

Task settings and descriptions

Run script
  Use a GPO to execute a text-based script file on target computers. The script file runs under the root account when the target computer first receives the GPO or when the policy object's version changes. When a target system is restarted, the script runs again. This policy replaces the local file. It is not inherited and does not merge with the local file.
  The default ordering of the script policy is as follows:
    1. Default domain policy
    2. Higher-level OU policies
    3. Current-level OU policies
  Within an OU, the ordering is from the highest link order number to the lowest.
Crontab/Cron.d
  Schedules commands, or cron jobs, that are executed at a set time on target computers.

  ℹ️ Note

  If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application.
