AD Bridge Settings and Descriptions

Authorization and Identification

GPO Name Description
Lsassd: Enable use of the event log Turns on event logging for logon and logoff events and for authentication and identification events.
Lsassd: Log network connectivity events Turns on event logging for network connection failures.
Lsassd: Prepend default domain name for AD users and groups Turns on the feature that prepends a domain name to user and group names. Use this policy together with Lsassd: Default domain name to prepend for AD users and groups.
Lsassd: Default domain name to prepend for AD users and groups

Sets the domain name to prepend to user and group names. Use the Lsassd: Prepend default domain name for AD users and groups policy to turn this feature on.

Lsassd: System time synchronization Synchronizes the clock of the computer running lsassd with the Active Directory domain controller. Kerberos authentication fails once the two clocks drift apart by more than the permitted clock skew (see Maximum Tolerance for Kerberos Clock Skew), so keeping time in sync is a prerequisite for AD logons.
Home Directory Template and Path Prefix Use the home directory path template and path prefix policy settings together to customize the way that the home directory path is determined for a user account.
Remote directory path template Sets the network connected share (Home Folder) location defined in the Active Directory user account profile.
Login shell template Defines the login shell for an AD account only when it is not set on the AD Bridge Cell Settings tab in Active Directory.
Local account login shell template Defines the login shell for a local AD Bridge account.
Local account home directory path prefix Sets the home directory path prefix for a local AD Bridge account.
Local account home directory path template Sets the homedir-template setting of the user home directory path on target systems running lsassd.
Lsassd: Enable signing and sealing for LDAP traffic Signs and seals LDAP traffic between an AD Bridge client and a domain controller. Signing lets the receiver verify that the traffic was not tampered with in transit; sealing encrypts it so that others on the network cannot read it.
Lsassd: Enable user credential refreshing Controls whether cached user credentials are refreshed.
Lsassd: Enable user group membership trimming

Specifies whether to discard cached group information from a Privilege Attribute Certificate (PAC) entry when it conflicts with new information retrieved through LDAP. When this is turned off, PAC information, which does not expire, is only updated the next time the user logs on. It is turned on by default.

Lsassd: Enable cache only group membership enumeration for NSS

Specifies whether to return only cached information for the members of a group when queried through the name service switch, or nsswitch. The setting determines whether nsswitch-based group APIs obtain group membership information exclusively from the cache, or whether they search for additional group membership data through LDAP.

Lsassd: Enable cache only user membership enumeration for NSS

When set to enabled, enumerates the groups to which a user belongs using information based solely on the cache. When set to disabled, it checks the cache and searches for more information over LDAP. It is turned off by default.

Lsassd: Enable NSS enumeration Controls whether all users or all groups can be incrementally listed through NSS. On Linux and Unix computers, the default setting is stored in the registry as 0, or turned off. To allow third-party software to show Active Directory users and groups in lists, you can turn on this setting, but performance might be affected.
Lsassd: Force authentication to use unprovisioned mode

To use the AD Bridge agent to join a computer to a domain that has not been configured with cell information, you must set this group policy to unprovisioned mode.

Lsass: User names to ignore

User account names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of account names.

If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted.

Backups of existing system files are performed before initial policy application.

Lsass: Group names to ignore

Group names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of group names.

If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted.

Backups of existing system files are performed before initial policy application.

Lsass: Ignore all trusts during domain enumeration

Determines whether the authentication service discovers domain trusts. In the default configuration of disabled, the service enumerates all the parent and child domains and forest trusts to other domains. For each domain, the service establishes a preferred domain controller by checking for site affinity and testing server responsiveness, a process that can be slowed by WAN links, subnet firewall blocks, stale AD site topology data, or invalid DNS information. When it is unnecessary to enumerate all the trusts – for example, the intended users of the target computer are only from the forest that the computer is joined to – turning on this setting can improve startup times of the authentication service.

Lsass: Domain trust enumeration include list When turned on, only the domain names in the include list are enumerated for trusts and checked for server availability.
Lsass: Domain trust enumeration exclude list When turned on (the default is off), the domain names in the exclude list are not enumerated for trusts and not checked for server availability.
Lsass: Require trust enumeration to complete during startup

Sets the AD Bridge authentication service (Lsass) to finish enumerating all the domain trusts before the service indicates that it has started. You can use this policy to help sequence services, such as crond, that depend on Lsass for user and group object lookups. Default is turned off.
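The four trust-enumeration policies above interact: Ignore all trusts short-circuits everything, the include list restricts discovery to named domains, and the exclude list removes named domains. The following is an added example (not AD Bridge code) that models those rules over a constructed list of discovered trusts. It assumes, because the page does not say, that domain names compare case-insensitively, that the joined domain is always kept, and that the exclude list is applied after the include list.

```python
"""Model of which domains the authentication service enumerates for trusts.
Added example; not AD Bridge's own code."""


def domains_to_enumerate(joined_domain, discovered_trusts,
                         ignore_all_trusts=False,
                         include_list_on=False, include_list=(),
                         exclude_list_on=False, exclude_list=()):
    """Return, in discovery order, the domains lsass would enumerate and probe
    for a preferred domain controller.

    Assumptions this example makes (the page does not state them): names
    compare case-insensitively, the joined domain is never dropped, and the
    exclude list is applied after the include list.
    """
    joined = joined_domain.lower()
    if ignore_all_trusts:
        # Only the domain the computer is joined to is used.
        return [joined]

    candidates = [joined] + [d.lower() for d in discovered_trusts]

    if include_list_on:
        keep = {d.lower() for d in include_list} | {joined}
        candidates = [d for d in candidates if d in keep]

    if exclude_list_on:
        drop = {d.lower() for d in exclude_list} - {joined}
        candidates = [d for d in candidates if d not in drop]

    seen, result = set(), []
    for d in candidates:          # de-duplicate while preserving order
        if d not in seen:
            seen.add(d)
            result.append(d)
    return result


# Constructed sample: the joined domain plus three trusted domains.
JOINED = "corp.example.com"
TRUSTS = ["child.corp.example.com", "partner.example.net", "legacy.example.org"]

if __name__ == "__main__":
    print(domains_to_enumerate(JOINED, TRUSTS))
    print(domains_to_enumerate(JOINED, TRUSTS, ignore_all_trusts=True))
    print(domains_to_enumerate(JOINED, TRUSTS, include_list_on=True,
                               include_list=["CHILD.corp.example.com"]))
    print(domains_to_enumerate(JOINED, TRUSTS, exclude_list_on=True,
                               exclude_list=["partner.example.net"]))
```

Each domain that survives the filter is one more set of DC discovery and responsiveness probes at service start, which is why trimming the list shortens startup on hosts behind slow WAN links.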

Domain Separator Character

Configures the domain separator used by the AD Bridge agent for user and group account name lookups with a character that you choose.

Cache Expiration Time You can use this policy to improve the performance of your system by increasing the expiration time of the cache. A longer expiration also means that changes made in Active Directory, such as a removed group membership or a disabled account, take longer to be reflected on the target computer, so balance performance against how quickly you need such changes to take effect.
Machine account password expiration time (machine password timeout) Set the machine account password expiration time on target computers. The expiration time specifies when machine account passwords are reset in Active Directory.
Replacement character for names with spaces

Replace spaces in Active Directory user and group names with a character that you choose. For example, when you set the replacement character to caret (^), the group DOMAIN\Domain Users in Active Directory appears as DOMAIN\domain^users on target computers.

Maximum Tolerance for Kerberos Clock Skew (clockskew)

You can create a group policy to set the maximum amount of time that the clock of the Kerberos Key Distribution Center (KDC) can deviate from the clock of target hosts. For security, a host rejects responses from any KDC whose clock is not within the maximum clock skew, as set in the host's krb5.conf file. The default clock skew is 300 seconds, or 5 minutes. This policy changes the clockskew value in the krb5.conf file of target hosts.
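To see what the policy actually changes, the following added example (not AD Bridge code) reads the clockskew value from the [libdefaults] section of a krb5.conf and then applies the same tolerance to a KDC timestamp. The krb5.conf text, the EXAMPLE.COM realm, the dc1.example.com KDC name and the host clock are all constructed for the example; treating the boundary as inclusive is an assumption of the example.

```python
"""Read clockskew from krb5.conf and apply it to a KDC timestamp.
Added example; not AD Bridge's own code."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_CLOCKSKEW = 300  # seconds (5 minutes): Kerberos default when krb5.conf sets nothing


def clockskew_from_krb5conf(text):
    """Return the clockskew value in seconds from the [libdefaults] section of
    a krb5.conf, or DEFAULT_CLOCKSKEW when the key is absent. A clockskew key
    in any other section is ignored, as krb5 would ignore it."""
    section = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # strip comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "clockskew":
                return int(value)
    return DEFAULT_CLOCKSKEW


def kdc_time_acceptable(host_time, kdc_time, max_skew):
    """True when the KDC clock is within max_skew seconds of the host clock in
    either direction, i.e. the host would accept the KDC's response rather than
    fail with a clock-skew error. The boundary is treated as inclusive."""
    delta = abs((host_time - kdc_time).total_seconds())
    return delta <= max_skew


# Constructed sample krb5.conf; realm and KDC names are placeholders.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 120      # tightened from the 300 s default
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""


def demo():
    """Parse the constructed krb5.conf and probe three KDC clock offsets
    against a fixed, constructed host clock."""
    skew = clockskew_from_krb5conf(KRB5_CONF)
    host = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed host clock
    return {
        "clockskew": skew,
        "kdc_90s_ahead": kdc_time_acceptable(host, host + timedelta(seconds=90), skew),
        "kdc_120s_behind": kdc_time_acceptable(host, host - timedelta(seconds=120), skew),
        "kdc_200s_behind": kdc_time_acceptable(host, host - timedelta(seconds=200), skew),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real host, compare the value the parser returns with what the GPO was meant to set; a clockskew that is too small turns ordinary NTP jitter into failed logons, while a very large one weakens Kerberos' replay protection.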

Logon

GPO Name Description
Allow Logon Rights

Set the Active Directory users and groups allowed to log on to target computers. Users and groups who have logon rights can log on to the target computers either locally or remotely. You can also use this policy to enforce logon rules for local users and groups. To use this policy, you must grant the users access to the AD Bridge cell that contains the target computer object. By default, all Unix and Linux computers are joined to the Default Cell, and all members of the Domain Users group are allowed to access the Default Cell. AD Bridge checks the RequireMembershipOf information in both the authentication phase and the account phase.
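The logon-rights check only works if both sides of the comparison are spelled the same way, which is where the Domain Separator Character, Replacement character for names with spaces and Prepend default domain name policies above come in. The following added example (not AD Bridge code and not lsass's actual matching logic) shows a membership check that normalises names the way those policies describe before comparing them. The allow list, user and group names are constructed; the backslash default separator, the caret replacement character and the decision that an empty allow list fails closed are assumptions of the example.

```python
"""RequireMembershipOf-style logon check with name normalisation.
Added example; not AD Bridge's own code."""


def normalize_name(name, default_domain, separator="\\", space_replacement="^"):
    """Canonicalise a user or group name the way the agent presents it on the
    host: lowercase, spaces replaced by space_replacement, and DOMAIN and
    account split on the configured separator. A bare account name gets
    default_domain prepended (the 'Prepend default domain name' behaviour)."""
    name = name.strip().lower().replace(" ", space_replacement)
    domain, sep, account = name.partition(separator)
    if not sep:                                   # no separator: bare account name
        domain, account = default_domain.lower(), domain
    return domain, account


def logon_allowed(user, user_groups, require_membership_of, default_domain,
                  separator="\\", space_replacement="^"):
    """True when the user, or any group the user belongs to, appears in the
    allow list. Both sides are normalised, so 'CORP\\Domain Users',
    'corp\\domain^users' and a bare 'Domain Users' (with default domain CORP)
    compare equal. An empty allow list fails closed; that is this example's
    choice, not a statement about how lsass behaves."""
    allowed = {normalize_name(entry, default_domain, separator, space_replacement)
               for entry in require_membership_of}
    if not allowed:
        return False
    principals = [normalize_name(user, default_domain, separator, space_replacement)]
    principals += [normalize_name(g, default_domain, separator, space_replacement)
                   for g in user_groups]
    return any(p in allowed for p in principals)


# Constructed allow list: two groups in NT4 format and one bare user name.
ALLOW_LIST = ["CORP\\Domain Users", "CORP\\unix-admins", "svc_backup"]

if __name__ == "__main__":
    print(logon_allowed("CORP\\alice", ["CORP\\Domain Users"], ALLOW_LIST, "CORP"))
    print(logon_allowed("corp\\bob", ["corp\\contractors"], ALLOW_LIST, "CORP"))
    print(logon_allowed("partner\\svc_backup", [], ALLOW_LIST, "CORP"))
```

The third call in the demo is the case to watch: the bare entry svc_backup only matches the account from the default domain, so a same-named account in a trusted domain is refused rather than silently granted access.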

Cumulative Allow Logon Rights Sets logon rights to child OUs.
Denied logon rights message Sets a message to display when a user cannot log on because the allow logon right policy is not set.
Create a home directory for a User Account at Logon

You can automatically create a home directory for an AD user account or a local AD Bridge user account on target AD Bridge clients. When the user logs on to the computer, the home directory is created if it does not exist. For AD accounts, the location of the home directory is specified in the AD Bridge settings of the user account in Active Directory Users and Computers.

Template files for a new user home directory

AD Bridge can add the contents of the skel directory (typically /etc/skel) to the home directory created for an AD user account or an AD Bridge local user account on target AD Bridge clients. Using the skel directory ensures that all users begin with the same settings or environment.

Home Directory Creation Mask AD Bridge can set permissions for the home directory that is created when a user logs on to target AD Bridge clients. The home directory and all the files in the directory are created with the permissions that result from the file creation mask, or umask; ownership comes from the account itself, not from the mask. There is a umask policy for local accounts and a umask policy for AD accounts.
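The three home-directory policies above (create at logon, seed from skel, apply a creation mask) combine as shown in this added example, which is not AD Bridge code. It builds a constructed skeleton directory in a temporary location, creates a home from it under two different masks, and reports the resulting permission bits; the only assumption is that skeleton files are created fresh under the mask rather than copied with their original mode bits.

```python
"""Create a home directory from a skel directory under a creation mask.
Added example; not AD Bridge's own code."""
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Permission bits of path as an int (e.g. 0o700)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_home(home_path, skel_dir, umask_value):
    """Create home_path populated from skel_dir with the given umask in force,
    so every new directory gets 0o777 & ~umask and every new file 0o666 & ~umask.
    Existing homes are left untouched, mirroring 'created if it does not exist'.
    Returns the permission bits of home_path."""
    if os.path.isdir(home_path):
        return mode_of(home_path)
    previous = os.umask(umask_value)
    try:
        os.mkdir(home_path)
        for root, dirs, files in os.walk(skel_dir):
            rel = os.path.relpath(root, skel_dir)
            dest_root = home_path if rel == "." else os.path.join(home_path, rel)
            for d in dirs:
                os.mkdir(os.path.join(dest_root, d))
            for f in files:
                # copyfile writes a new file, so the mask applies; copy2 would
                # instead preserve the skeleton's own mode bits.
                shutil.copyfile(os.path.join(root, f), os.path.join(dest_root, f))
    finally:
        os.umask(previous)          # never leave the process umask changed
    return mode_of(home_path)


def demo():
    """Constructed skeleton: a .bashrc file and an .ssh/ directory. Returns the
    modes produced by a restrictive (077) and a permissive (022) mask."""
    with tempfile.TemporaryDirectory() as tmp:
        skel = os.path.join(tmp, "skel")
        os.makedirs(os.path.join(skel, ".ssh"))
        with open(os.path.join(skel, ".bashrc"), "w") as fh:
            fh.write("# constructed skeleton file\n")
        results = {}
        for label, mask in (("077", 0o077), ("022", 0o022)):
            home = os.path.join(tmp, "home_" + label)
            results[label] = {
                "home": create_home(home, skel, mask),
                "ssh": mode_of(os.path.join(home, ".ssh")),
                "bashrc": mode_of(os.path.join(home, ".bashrc")),
            }
        return results


if __name__ == "__main__":
    for label, modes in demo().items():
        print(label, {k: oct(v) for k, v in modes.items()})
```

A mask of 077 yields a 700 home and 600 dotfiles, which is what you want on shared hosts; 022 leaves the home world-readable, including anything the skeleton drops into .ssh.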
Local account password expiration Sets the number of days before a local account password expires that the user is warned.
Local account password lifespan Sets the number of days a local account password is valid.
Create a .k5login file in user home directory Creates a .k5login file in the user's home directory. The file lists the Kerberos principals permitted to log on to that account.
Log PAM debugging information Logs debugging information from the AD Bridge PAM module.
Ignore group alias When turned on, group names are displayed using the NT4 format (DOMAIN\sAMAccountName).

Smart Card

GPO Name Description
Smart card removal policy

Sets the action to take when a smart card is removed from a target computer, for example locking the computer.

Require smart card for login Turns on the requirement to use Smart Card two-factor authentication.

Reaper Syslog Settings

GPO Name Description
Unmatched Error Events Sets the policy to capture Error class events from the syslog reaper service.
Unmatched Warning Events Sets the policy to capture Warning class events from the syslog reaper service.
Unmatched Info Events Sets the policy to capture Information class events from the syslog reaper service.

Group Policy Agent

GPO Name Description
Enable use of event log

Turns on logging for group policy events on target computers. You can use this policy to help improve security and to troubleshoot group policies by capturing information in the AD Bridge event log about the application and processing of group policy objects, including such events as errors, adding a new GPO, updating a GPO for a new version, and removing a GPO that no longer applies to a user or computer.

Computer Policy Refresh Interval

Sets how often a computer's group policies are updated while the computer is in use. By default, when this policy is undefined, a computer's group policies are updated when the system starts and every 30 minutes while the computer is in use. The updates take place in the background without interrupting the user.

User Policy Refresh Interval

Sets how often the user settings are updated while the user is logged on. By default, when this policy is undefined, a user's settings are updated when the user logs on and every 30 minutes while the user is logged on. The updates take place in the background without interrupting the user. Only applies to AD Bridge group policies.

User Policy Loopback Processing Mode

The policy is designed for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user settings based on the computer that is being used. By default, the user's group policy objects determine which user settings apply. If this setting is enabled, when a user logs on to this computer, the computer's group policy objects determine which set of group policy objects applies.

Enable user logon group policies

By default, the AD Bridge group policy agent processes and applies user policies when a user logs on with an Active Directory account, a process that can delay logon. If no user group policy objects apply to a target set of computers and the users who access them, defining this group policy and setting it to disabled stops the AD Bridge group policy agent from attempting to process user policies, resulting in faster logons.

Event Log

GPO Name Description
Max disk usage Set the maximum event log size.
Max number of events Set the maximum number of events that can be saved in the event log.
Max event lifespan Set the number of days that pass before events are deleted.
Remove events as needed

Deletes events when the Max disk usage policy reaches the size threshold configured.

Used with the Max disk usage policy.

Allow read-event access Set the Active Directory users that can read events from the AD Bridge event log.
Allow write-event access Set the Active Directory users and groups allowed to write events in to the AD Bridge event log.
Allow delete-event access Set the Active Directory users and groups allowed to delete events from the AD Bridge event log of target computers.

Event Forwarder

GPO Name Description
Event log collector

Sets the event log collector for the target computers.

Service principal for collector Set the service principal account name that the event forwarder daemon process uses to contact the collector.

User Monitor

GPO Name Description
Enable monitoring of users and groups

AD Bridge includes a User Monitor service for entitlement reports. This feature is designed to support computers that are critical to regulatory compliance and for which restricted access by only essential staff is vital. A computer that is openly accessible to hundreds of users would be a source of unnecessary audit activity in such a situation and would significantly increase resource requirements, such as for Auditing Database sizing. This policy setting turns on the User Monitor service to monitor account and group changes. The service queries all local user accounts, local groups, and Active Directory users and groups. The service detects additions, deletions, and modifications that occur. Information is then sent to the Eventlog service for reporting purposes.

Monitoring check interval Sets the frequency with which the User Monitor service attempts to detect user and group changes on target computers.


SNMP Settings

GPO Name Description
Configure SNMP

The following groups of SNMP trap settings can be applied using a GPO:

  • Account
  • Domain
  • Logon Authentication
  • SUDO
  • System Services

To use SNMP policies, you must also turn on Lsassd: Enable use of the event log in the Authorization and Identification group policy.


Account Override

GPO Name Description
User Account Attributes (to override)

You can override the following user attributes:

  • Login Name
  • UID Number
  • Primary GID
  • GECOS
  • Home directory
  • Login shell


If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted.

Backups of existing system files are performed before initial policy application.

Group Account Attributes (to override)

You can override the following group attributes:

  • Group Alias
  • GID Number


If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted.

Backups of existing system files are performed before initial policy application.

DC Validation

GPO Name Description
Enable domain controller cache

Enables the DC validation cache to cut down on network overhead.

Cache expiry interval Sets the DC validation cache expiry (minutes).
Enable domain controller validation Enables DC validation support through secure channel connection.