Group Policy
BeyondTrust lets you define group policies for computers running Linux, Unix, and Mac OS X. Likewise includes more than 100 policies written specifically for non-Windows computers, and all of them are managed through the Microsoft Group Policy Object Editor.
For example, you can use a group policy to control who can use sudo to obtain root-level privileges by distributing a common sudoers file to target computers. You could create an Active Directory group called SudoUsers, add Active Directory users to it, and then apply the sudo group policy to the container, giving those users sudo access on their Linux and Unix computers. The sudoers file can refer to Windows-style user names and identities. Managing sudo through a group policy gives you a single place from which to audit and control privileged access to Unix and Linux systems uniformly and remotely.
BeyondTrust stores its Unix and Linux group policies in the same locations and in the same format as the default Windows group policies -- in the system volume (sysvol) shared directory. Unix and Linux computers that are joined to an Active Directory domain receive their group policies in the same way that a Windows system does.
security group, or the Group Policy Creator Owners security group. With the Microsoft Group Policy Management Console, you can grant users permission to create Group Policy Objects (GPOs).
In the Group Policy Object Editor, the Likewise group policies are in the UNIX and Linux Settings folder in the console tree under Computer Configuration; the BeyondTrust user settings are under User Configuration:
The BeyondTrust Group Policy Agent is automatically installed when you install the BeyondTrust Agent on a Linux, Unix, or Mac OS X computer.
To apply and enforce group policies on a computer, the Group Policy Agent runs continuously as a daemon. It processes both computer policies and user policies. For computer policies, the agent traverses the computer's distinguished name (DN) path in Active Directory. For user policies, which are processed when a user logs on, the agent traverses the user's DN path in Active Directory. The Group Policy Agent authenticates with the computer's machine account credentials to retrieve policy template files over the network from the domain's protected system volume shared directory. The BeyondTrust Group Policy Agent does not, however, apply Windows policies.
The Group Policy Agent connects to Active Directory, retrieves changes, and applies them once every 30 minutes, when the computer boots or restarts, or when requested by the GPO refresh tool. You can change the refresh interval by modifying the Group Policy refresh interval for computers.
To force a Unix, Linux, or Mac OS X computer to pull the latest version of its group policies, you can run the GPO refresh tool at any time by executing the following command at the shell prompt:
/opt/likewise/bin/gporefresh
The command should return a result that looks like this:
20070731100621:0xb7f046c0:INFO:GPO Refresh succeeded
On target computers, Likewise stores its group policies in /var/lib/likewise/grouppolicy.
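The refresh procedure above is easy to script, but a refresh that fails leaves the computer running its previous policy set, so a wrapper should check the tool's status line rather than assume success. The following POSIX shell script is an added example, not part of the original page or of the BeyondTrust/Likewise product: it parses the timestamp:thread:level:message format of the line shown above, reports success only when the level is INFO and the message is "GPO Refresh succeeded", and lists the local policy cache afterwards. The successful sample line is the one from the text; the ERROR line is constructed for illustration and the real failure text may differ.

```shell
#!/bin/sh
# Added example (not BeyondTrust/Likewise code): run gporefresh and verify its result.

GPOREFRESH=/opt/likewise/bin/gporefresh        # path from the documentation
GPO_CACHE=/var/lib/likewise/grouppolicy        # local policy store from the documentation

# Constructed sample output. The first line is the success line quoted in the
# documentation; the second is an invented failure line used only for testing.
SAMPLE_OK='20070731100621:0xb7f046c0:INFO:GPO Refresh succeeded'
SAMPLE_FAIL='20070731100621:0xb7f046c0:ERROR:GPO Refresh failed'

# Print the last line of a (possibly multi-line) gporefresh output.
gporefresh_last() {
    printf '%s\n' "$1" | tail -n 1
}

# Third colon-separated field: the log level (INFO, ERROR, ...).
gporefresh_level() {
    gporefresh_last "$1" | cut -d: -f3
}

# Everything after the third colon: the message text.
gporefresh_message() {
    gporefresh_last "$1" | cut -d: -f4-
}

# First field is YYYYMMDDhhmmss; reformat it as "YYYY-MM-DD hh:mm:ss".
gporefresh_timestamp() {
    ts=$(gporefresh_last "$1" | cut -d: -f1)
    printf '%s-%s-%s %s:%s:%s\n' \
        "$(printf '%s' "$ts" | cut -c1-4)" \
        "$(printf '%s' "$ts" | cut -c5-6)" \
        "$(printf '%s' "$ts" | cut -c7-8)" \
        "$(printf '%s' "$ts" | cut -c9-10)" \
        "$(printf '%s' "$ts" | cut -c11-12)" \
        "$(printf '%s' "$ts" | cut -c13-14)"
}

# Return 0 only when the status line reports INFO and the documented success message.
gporefresh_ok() {
    if [ "$(gporefresh_level "$1")" = "INFO" ] &&
       [ "$(gporefresh_message "$1")" = "GPO Refresh succeeded" ]; then
        return 0
    fi
    return 1
}

# Run the real tool (if this host has it) and verify both its exit status and its
# status line. Returns 2 when the tool is absent, 1 on failure, 0 on success.
refresh_policies() {
    if [ ! -x "$GPOREFRESH" ]; then
        echo "gporefresh not found at $GPOREFRESH; is this host joined with the BeyondTrust agent?" >&2
        return 2
    fi
    out=$("$GPOREFRESH" 2>&1)
    rc=$?
    if [ "$rc" -ne 0 ] || ! gporefresh_ok "$out"; then
        echo "GPO refresh failed (exit $rc):" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    echo "GPO refresh succeeded at $(gporefresh_timestamp "$out")"
    # Show what the agent currently holds locally; a policy that should have
    # arrived but is missing here is the first thing to look for.
    ls -l "$GPO_CACHE"
    return 0
}
```

Run refresh_policies on a joined client after changing a GPO; the exit code (0, 1 or 2) makes it usable from cron or a configuration-management check. The parsing functions are kept separate from the tool invocation so they can be tested on captured output without a domain.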
The BeyondTrust group policies are of two general types: file based or property based. Most policies are property based. Property-based policies are inherited, meaning that the location of a GPO within the Active Directory hierarchy affects how it is applied. Property-based policies do not replace local settings; they merge with them.
File-based policies -- such as sudo and automount -- typically replace the local file outright. They are not inherited and do not merge with the local file, so any local edits to a file such as /etc/sudoers are lost when the policy is applied.
You can set group policies to target all versions of the following platforms. Some group policies, however, apply only to specific platforms; for instance, some group policies apply only to Linux.