Work with AD Bridge Enterprise Group Policy Settings
This section contains general information about AD Bridge Enterprise Group Policy settings.
- About Group Policy Settings
- Managing GPOs
- Apply a Group Policy to a Cell
- View a Report on a Group Policy's Settings
- Create and Test a sudo Group Policy
About Group Policy Settings
AD Bridge Enterprise enables you to configure Group Policy settings for computers running Linux and Unix. AD Bridge Enterprise includes more than 100 policy settings that are designed to manage non-Windows computers.
All the policy settings are integrated with the Microsoft Group Policy Management Editor, part of the Microsoft Group Policy Management Console (GPMC).
For example, you can use a group policy setting to control who can use sudo for access to root-level privileges by specifying a common sudoers file for target computers. You could create an Active Directory group called SudoUsers, add Active Directory users to the group, and then apply the sudo group policy setting to the container, giving those users sudo access on their Linux and Unix computers. In the sudoers file, you can specify Windows-style user names and identities. Using a group policy setting for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.
AD Bridge Enterprise stores its Unix and Linux policy settings in Group Policy Objects (GPOs) in the same location and in the same format as the default GPOs in Windows Server: in the system volume (sysvol) shared folder. Unix and Linux computers that are joined to an Active Directory domain receive GPOs in the same way that a Windows computer does.
The AD Bridge Group Policy Agent is automatically installed when you install the AD Bridge Enterprise agent.
To apply and enforce policy settings, the AD Bridge Group Policy Agent runs continuously as a daemon processing user policy and computer policy:
- Computer policy processing: The agent traverses the computer's distinguished name (DN) path in Active Directory.
- User policy processing: Occurs when a user logs on; the agent traverses the user's DN path in Active Directory.
The AD Bridge Group Policy Agent connects to Active Directory, retrieves changes, and applies them once every 30 minutes, when a computer starts or restarts, or when requested by the GPO refresh tool.
The AD Bridge Group Policy Agent uses the computer account credentials to securely retrieve policy template files over the network from the domain’s protected system volume shared folder.
The AD Bridge Group Policy Agent applies only AD Bridge Enterprise Group Policy settings: those in the Unix and Linux Settings collection in the Group Policy Management Editor; it does not apply any other group policy settings that may be specified in the GPOs.
There are two types of policy settings:
- File-based: File-based policy settings, such as sudo and automount, typically replace the local file. File-based policy settings are not inherited and do not merge with the local file.
- Property-based: Property-based policy settings are inherited, meaning that the location of a GPO in the Active Directory hierarchy can affect its application. Property-based settings merge with local policy settings. Local policy settings are not replaced by property-based settings.
Most policy settings are based on properties.
You can set the target platforms for a GPO. The GPO is applied only to the platforms that you select. You can select the target platforms by operating system, distribution, and version. For example, you can target a GPO at:
- Only computers running SUSE Linux Enterprise Server
- A mixture of operating systems and distributions, such as Red Hat Linux, Sun Solaris, Ubuntu Desktop, and HP-UX
Some policy settings, however, apply only to specific platforms.
For more information, please see the Help for the policy setting that you want to use.
- Debian Linux
- Fedora Linux
- Hewlett-Packard HP-UX
- IBM AIX
- OpenSUSE Linux
- Red Hat Linux
- Red Hat Enterprise Linux (ES and AS)
- Sun Solaris
- SUSE Linux
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- Ubuntu Linux
Go to the Target Platform Filter policy to select targets for the GPO.
Use the AD Bridge Enterprise GPO update tool to force a computer to pull the latest version of group policy settings. The tool includes the following options:
| Option | Description | Example |
|---|---|---|
| help | Displays the help for the tool. | gpupdate --help |
| verbose | Displays information on the policies that were added, updated, or removed. | gpupdate --verbose |
| rsop | Displays the Resultant Set of Policy (RSoP) information. The RSoP is the set of group policy settings the group policy agent will apply, either when it runs as part of periodically applying settings or when gpupdate is run. gpupdate --rsop does not apply group policy settings. | gpupdate --rsop |
| no-pager | Does not page output. By default, gpupdate automatically pages output using the command set in the PAGER environment variable. | gpupdate --no-pager |

The --verbose option provides details on the group policy extensions being run, whether settings were added, modified, or removed, and whether those changes were successfully applied.
Run the following command at the shell prompt: /opt/pbis/bin/gpupdate --verbose
The command returns a success or failure result similar to the following:
- On success: GPO Update succeeded
- On failure: GPO Update was unsuccessful, error code <code> (<error message>)
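The result lines above can be parsed so that a scheduled job or monitoring check notices when a host stops receiving policy. The following is an added example, not part of the AD Bridge documentation or product. The function names, the sample error code and message, and combining --verbose with --no-pager are assumptions.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): turn gpupdate's result line into a
# status that a cron job or monitoring check can act on.

GPUPDATE=${GPUPDATE:-/opt/pbis/bin/gpupdate}   # tool path as given on this page

# Constructed sample output; the error code and message are placeholders.
SAMPLE_OK='GPO Update succeeded'
SAMPLE_FAIL='GPO Update was unsuccessful, error code 1234 (constructed example message)'

# classify_gpupdate: read gpupdate output on stdin and print one of
#   ok | fail <code> <message> | unknown
# A failure line always wins over a success line in the same output.
classify_gpupdate() {
    awk '
        /GPO Update succeeded/ { if (result == "") result = "ok" }
        /GPO Update was unsuccessful, error code/ {
            line = $0
            sub(/.*error code[ ]*/, "", line)        # keep "<code> (<message>)"
            code = line; sub(/[ ]*\(.*/, "", code)   # text before the "("
            msg = ""
            if (line ~ /\(/) {
                msg = line
                sub(/^[^(]*\(/, "", msg)             # drop up to the first "("
                sub(/\)[^)]*$/, "", msg)             # drop the last ")"
            }
            result = "fail " code (msg == "" ? "" : " " msg)
        }
        END { print (result == "" ? "unknown" : result) }
    '
}

# refresh_and_report: force a refresh and return 0 only on a confirmed success.
# Assumption: --verbose and --no-pager can be combined, and the result text
# (not the exit status, which this page does not document) is authoritative.
refresh_and_report() {
    out=$("$GPUPDATE" --verbose --no-pager 2>&1) || true
    status=$(printf '%s\n' "$out" | classify_gpupdate)
    [ "$status" = "ok" ] && return 0
    printf 'gpupdate: %s\n' "$status" >&2
    return 1
}
```

Treating "unknown" as a failure means a missing binary or truncated output is reported rather than silently counted as a successful refresh.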
On target computers, AD Bridge Enterprise stores policy settings in /var/lib/pbis/grouppolicy.