Work with AD Bridge Enterprise Group Policy Settings

This section contains general information about AD Bridge Enterprise Group Policy settings.

  • About Group Policy Settings
  • Managing GPOs
  • Apply a Group Policy to a Cell
  • View a Report on a Group Policy's Settings
  • Create and Test a sudo Group Policy

About Group Policy Settings

AD Bridge Enterprise enables you to configure Group Policy settings for computers running Linux, Unix, and macOS. AD Bridge Enterprise includes more than 100 policy settings that are designed to manage non-Windows computers.

All the policy settings are integrated with the Microsoft Group Policy Management Editor, part of the Microsoft Group Policy Management Console (GPMC).

For example, you can use a group policy setting to control who can use sudo to obtain root-level privileges by specifying a common sudoers file for target computers. You could create an Active Directory group called SudoUsers, add Active Directory users to the group, and then apply the sudo group policy setting to the container that holds the target computers, giving those users sudo access on their Linux and Unix computers. In the sudoers file, you can specify Windows-style user names and group identities. Using a group policy setting for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.
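The following is an added example, not code from the AD Bridge documentation or product. It builds the sudoers content that a sudo Group Policy would distribute and runs it through visudo before it goes into the GPO. Everything in it is assumed for illustration: the domain's NetBIOS name (EXAMPLE), the group name (SudoUsers), the command alias, the log path, and the convention that the Unix side sees the group as EXAMPLE\SudoUsers, which sudoers syntax requires to be written with a doubled backslash.

```sh
#!/bin/sh
# Added example, not from the AD Bridge documentation or product.
# Builds the sudoers content a sudo Group Policy would distribute and checks
# it with visudo before it is placed in the GPO. Assumptions: the domain's
# NetBIOS name is EXAMPLE, the AD group is SudoUsers, and the group is seen
# on the Unix side as EXAMPLE\SudoUsers, which sudoers spells %EXAMPLE\\SudoUsers.

# Print a sudoers file that lets one AD group run a restricted command set.
# $1 = NetBIOS domain name, $2 = AD group name
build_sudoers() {
    domain=$1
    group=$2
    printf '%s\n' \
        "# Managed by the sudo Group Policy: this file replaces the local" \
        "# sudoers on every refresh, so keep every required entry here." \
        "Defaults    env_reset, logfile=/var/log/sudo.log" \
        "Cmnd_Alias  SERVICE_CTL = /bin/systemctl restart nginx, /bin/systemctl status nginx" \
        "# sudoers needs the backslash in a Windows-style group name doubled" \
        "%${domain}\\\\${group} ALL=(root) SERVICE_CTL"
}

# Validate a candidate file. Returns 0 if visudo accepts it, 1 if it rejects
# it, 2 if visudo is not installed on the machine building the policy.
# A sudoers file with a syntax error locks every user out of sudo on every
# computer the GPO reaches, so a file that cannot be checked is not pushed.
check_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$1"
}

# Demonstration on a temporary file
tmp=$(mktemp)
build_sudoers EXAMPLE SudoUsers > "$tmp"
rc=0
check_sudoers "$tmp" || rc=$?
case $rc in
    0) echo "sudoers OK: ready for the GPO" ;;
    1) echo "sudoers REJECTED by visudo: do not distribute" ;;
    2) echo "visudo not available: file unverified, do not distribute" ;;
esac
rm -f "$tmp"
```

Because the sudo policy is file-based (see Inheritance below), the generated file replaces the target's local sudoers entirely, so any local-only entries the computers depend on must be carried into the policy file, and the file should be validated with visudo on every change rather than after the GPO has already refreshed.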

Diagram of Windows and Linux computers joined to a domain

AD Bridge Enterprise stores its Unix and Linux policy settings in Group Policy Objects (GPOs) in the same location and in the same format as the default GPOs in Windows Server: in the system volume (sysvol) shared folder. Unix and Linux computers that are joined to an Active Directory domain receive GPOs in the same way that a Windows computer does.

AD Bridge Group Policy Agent

The AD Bridge Group Policy Agent is automatically installed when you install the AD Bridge Enterprise agent.

To apply and enforce policy settings, the AD Bridge Group Policy Agent runs continuously as a daemon processing user policy and computer policy:

  • Computer policy processing: The agent traverses the computer's distinguished name (DN) path in Active Directory.
  • User policy processing: Occurs when a user logs on; the agent traverses the user's DN path in Active Directory.

The AD Bridge Group Policy Agent connects to Active Directory, retrieves changes, and applies them once every 30 minutes, when a computer starts or restarts, or when requested by the GPO update tool (gpupdate, described below).

The AD Bridge Group Policy Agent uses the computer account credentials to securely retrieve policy template files over the network from the domain’s protected system volume shared folder.

The AD Bridge Group Policy Agent applies only AD Bridge Enterprise Group Policy settings: those in the Unix and Linux Settings collection in the Group Policy Management Editor; it does not apply any other group policy settings that may be specified in the GPOs.
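As an added example (not AD Bridge code), the script below shows what "traversing the DN path" amounts to: given the distinguished name of a computer or user object, it lists the containers, from the domain root down to the object's parent, whose linked GPOs the agent evaluates during computer or user policy processing. The DNs are constructed, and the note that the GPO linked closest to the object is applied last is standard Group Policy precedence, which this page only alludes to by saying that a GPO's location in the hierarchy affects its application.

```sh
#!/bin/sh
# Added example, not AD Bridge code: lists the containers whose linked GPOs the
# agent evaluates when it traverses the DN path of a computer (computer policy)
# or a user (user policy), from the domain root down to the object's parent.
# The DNs below are constructed. Escaped commas inside an RDN ("CN=Smith\, John")
# are not handled; that is a simplification for the example.

nl='
'

# $1 = distinguished name of the computer or user object.
# Prints one container DN per line, domain root first. That is the order in
# which GPO links are processed, so for inherited (property-based) settings
# the GPO linked closest to the object is applied last and takes precedence.
# Returns 1 if the DN has no parent at all.
gpo_scope_chain() {
    case $1 in
        *,*) ;;
        *)   return 1 ;;
    esac
    d=${1#*,}          # drop the leaf RDN: the object itself is not a container
    chain=""
    while :; do
        chain="$d${chain:+$nl$chain}"   # prepend, so the root ends up first
        case $d in
            DC=*) break ;;              # reached the domain root
            *,*)  d=${d#*,} ;;          # move up one level
            *)    break ;;              # no domain component: stop anyway
        esac
    done
    printf '%s\n' "$chain"
}

# Constructed DNs for a Linux server and a user who logs on to it
computer_dn='CN=web01,OU=Linux,OU=Servers,DC=example,DC=com'
user_dn='CN=jsmith,OU=Staff,OU=Accounts,DC=example,DC=com'

echo "computer policy scope (evaluated at start-up and every 30 minutes):"
gpo_scope_chain "$computer_dn"
echo "user policy scope (evaluated when jsmith logs on):"
gpo_scope_chain "$user_dn"
```

Run it with no arguments and it prints the two chains; pass any other DN to gpo_scope_chain to see which OUs a computer's or user's policy is pulled from, which is the first thing to check when a GPO appears not to apply to a host.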

Inheritance

There are two types of policy settings:

  • File-based: File-based policy settings, such as sudo and automount, typically replace the local file outright. They are not inherited and do not merge with the local file, so any entries that exist only in the local file are gone once the policy applies.
  • Property-based: Property-based policy settings are inherited, meaning that the location of a GPO in the Active Directory hierarchy can affect how it is applied. Property-based settings merge with local policy settings rather than replacing them.

Most policy settings are based on properties.

Filter by Target Platform

You can set the target platforms for a GPO. The GPO is applied only to the platforms that you select. You can select the target platforms by operating system, distribution, and version. For example, you can target a GPO at:

  • Only computers running SUSE Linux Enterprise Server
  • A mixture of operating systems and distributions, such as Red Hat Linux, Sun Solaris, Ubuntu Desktop, and HP-UX
  • Computers running macOS

Some policy settings, however, apply only to specific platforms.

For more information, please see the Help for the policy setting that you want to use.

Target Platforms

  • macOS
  • CentOS Linux
  • Debian Linux
  • Fedora Linux
  • Hewlett-Packard HP-UX
  • IBM AIX
  • OpenSUSE Linux
  • Red Hat Linux
  • Red Hat Enterprise Linux (ES and AS)
  • Sun Solaris
  • SUSE Linux
  • SUSE Linux Enterprise Desktop
  • SUSE Linux Enterprise Server
  • Ubuntu Linux

Target Platform Filter

Go to the Target Platform Filter policy to select targets for the GPO.


AD Bridge Enterprise GPO Update Tool

Use the AD Bridge Enterprise GPO update tool to force a computer to pull the latest version of group policy settings. The tool includes the following options:

  • --help: Displays the help for the tool. Example: gpupdate --help
  • --verbose: Displays information on the policies that were added, updated, or removed. Example: gpupdate --verbose
  • --rsop: Displays the Resultant Set of Policy (RSoP), the set of group policy settings that the group policy agent will apply, either on its periodic run or when gpupdate is run. gpupdate --rsop only reports; it does not apply group policy settings. Example: gpupdate --rsop
  • --no-pager: Do not page output. By default, gpupdate pages its output through the command set in the PAGER environment variable. Example: gpupdate --no-pager

The --verbose option reports which group policy extensions ran, whether settings were added, modified, or removed, and whether those changes were applied successfully.

Run the following command at the shell prompt: /opt/pbis/bin/gpupdate --verbose

The command returns a success or failure result similar to the following:

  • On success: GPO Update succeeded
  • On failure: GPO Update was unsuccessful, error code <code> (<error message>)
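The following is an added example, not part of AD Bridge: a wrapper for forcing a refresh from a post-join script or configuration management, together with a parser for the result line gpupdate prints, so that the outcome can be acted on rather than read by eye. The gpupdate path, options and result strings are the ones documented above; the log path, the wrapper function names and the sample outputs are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not part of AD Bridge: a wrapper for forcing a policy refresh
# from a post-join script or configuration management, plus a parser for the
# result line gpupdate prints. The gpupdate path, options and result strings
# are the ones the documentation gives; the sample output below is constructed.

GPUPDATE=/opt/pbis/bin/gpupdate
LOG=${GPUPDATE_LOG:-/var/log/gpupdate-last.log}   # assumed location

# Read gpupdate output from stdin. Returns 0 on "GPO Update succeeded", 1 on
# "GPO Update was unsuccessful" (and prints the numeric error code so a caller
# can alert on it), 3 if neither result line is present, for instance when the
# run was cut off or paged output was never flushed.
parse_gpupdate_result() {
    out=$(cat)
    case $out in
        *"GPO Update succeeded"*)
            return 0 ;;
        *"GPO Update was unsuccessful, error code "*)
            code=${out##*"error code "}   # text after the last "error code "
            code=${code%% *}             # up to the next space: the number
            printf '%s\n' "$code"
            return 1 ;;
        *)
            return 3 ;;
    esac
}

# Show what would be applied without changing anything, for instance before
# linking a new GPO: --rsop reports the resultant set only.
preview_policy() {
    "$GPUPDATE" --rsop --no-pager
}

# Force a refresh. --no-pager keeps an unattended run from blocking on $PAGER;
# --verbose lists which extensions changed which settings. The full output is
# kept in $LOG for troubleshooting; only the result reaches the caller.
refresh_policy() {
    if [ ! -x "$GPUPDATE" ]; then
        echo "$GPUPDATE not found: is the AD Bridge agent installed?" >&2
        return 3
    fi
    "$GPUPDATE" --verbose --no-pager 2>&1 | tee "$LOG" | parse_gpupdate_result
}

# Demonstration on constructed output, since gpupdate is not present here
printf '%s\n' '[constructed verbose line]' 'GPO Update succeeded' \
    | parse_gpupdate_result && echo "refresh OK"
rc=0
code=$(printf '%s\n' \
    'GPO Update was unsuccessful, error code 5 (cannot contact domain controller)' \
    | parse_gpupdate_result) || rc=$?
echo "refresh failed (rc=$rc), gpupdate error code $code"
```

On a joined host, call refresh_policy and treat any non-zero return as a failed refresh; the saved log then carries the extension-by-extension detail from --verbose, and preview_policy shows the resultant set before a change is forced.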

On target computers, AD Bridge Enterprise stores policy settings in /var/lib/pbis/grouppolicy.