AD Bridge Enterprise Settings and Descriptions
Authorization and Identification
GPO Name | Description |
---|---|
Lsassd: Enable use of the event log | Turns on event logging, including logon and logoff events and authentication and identification events. |
Lsassd: Log network connectivity events | Turns on event logging for network connection failures. |
Lsassd: Prepend default domain name for AD users and groups | Turns on the feature that adds a domain name to user and group names. Use this policy together with Lsassd: Default domain name to prepend for AD users and groups. |
Lsassd: Default domain name to prepend for AD users and groups | Sets the domain name to add to user and group names. Use the Lsassd: Prepend default domain name for AD users and groups policy to turn this feature on. |
lsassd: System time synchronization | Synchronizes the clock of the computer running the lsass service with the Active Directory domain controller. |
Home Directory Template and Path Prefix | Use the home directory path template and path prefix policy settings together to customize the way that the home directory path is determined for a user account. |
Remote directory path template | Sets the network connected share (Home Folder) location defined in the Active Directory user account profile. |
Login shell template | Defines the login shell for an AD account only when it is not set on the AD Bridge Cell Settings tab in Active Directory. |
Local account login shell template | Use for a local AD Bridge account. |
Local account home directory path prefix | Use for a local AD Bridge account. |
Local account home directory path template | Sets the homedir-template setting of the user home directory path on target systems running lsassd. |
Lsassd: Enable signing and sealing for LDAP traffic | Signs and seals LDAP traffic to integrity-protect and encrypt it, so that others on the network cannot read the LDAP traffic as it travels between an AD Bridge client and a domain controller. |
Lsassd: Enable user credential refreshing | Sets whether user credentials are refreshed. |
Lsassd: Enable user group membership trimming | Specifies whether to discard cached information from a Privilege Attribute Certificate (PAC) entry when it conflicts with new information retrieved through LDAP. Otherwise, PAC information, which does not expire, is updated the next time the user logs on. It is turned on by default. |
Lsassd: Enable cache only group membership enumeration for NSS | Specifies whether to return only cached information for the members of a group when queried through the name service switch, or nsswitch. |
Lsassd: Enable cache only user membership enumeration for NSS | When set to enabled, enumerates the groups to which a user belongs using information based solely on the cache. When set to disabled, it checks the cache and searches for more information over LDAP. It is turned off by default. |
Lsassd: Enable NSS enumeration | Controls whether all users or all groups can be incrementally listed through NSS. On Linux computers and Unix computers, the default setting is set in the registry as 0, or turned off. To allow third-party software to show Active Directory users and groups in lists, you can turn on this setting, but performance might be affected. |
Lsassd: Force authentication to use unprovisioned mode | To use the AD Bridge agent to join a computer to a domain that has not been configured with cell information, you must set this group policy to unprovisioned mode. |
Lsass: User names to ignore | User account names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of account names. If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application. |
Lsass: Group names to ignore | Group names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of group names. If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application. |
Lsass: Ignore all trusts during domain enumeration | Determines whether the authentication service discovers domain trusts. In the default configuration of disabled, the service enumerates all the parent and child domains and forest trusts to other domains. |
Lsass: Domain trust enumeration include list | When turned on, only the domain names in the include list are enumerated for trusts and checked for server availability. |
Lsass: Domain trust enumeration exclude list | When turned off (default setting), the domain names in the exclude list are not enumerated for trusts and not checked for server availability. |
Lsass: Require trust enumeration to complete during startup | Sets the AD Bridge authentication service (Lsass) to finish enumerating all the domain trusts before the service indicates that it has started. You can use this policy to help sequence services, such as crond, that depend on Lsass for user and group object lookups. Default is turned off. |
Domain Separator Character | Configures the domain separator that the AD Bridge agent uses for user and group account name lookups with a character that you choose. |
Cache Expiration Time | You can use this policy to improve the performance of your system by increasing the expiration time of the cache. |
Machine account password expiration time (machine password timeout) | Set the machine account password expiration time on target computers. The expiration time specifies when machine account passwords are reset in Active Directory. |
Replacement character for names with spaces | Replaces spaces in Active Directory user and group names with a character that you choose. For example, when you set the replacement character to caret (^), the group DOMAIN\Domain Users in Active Directory appears as DOMAIN\domain^users on target computers. |
Maximum Tolerance for Kerberos Clock Skew (clockskew) | You can create a group policy to set the maximum amount of time that the clock of the Kerberos Key Distribution Center (KDC) can deviate from the clock of target hosts. |
Logon
GPO Name | Description |
---|---|
Allow Logon Rights | Sets the Active Directory users and groups allowed to log on to target computers. Users and groups who have logon rights can log on to the target computers either locally or remotely. |
Cumulative Allow Logon Rights | Sets logon rights to child OUs. |
Denied logon rights message | Sets a message to display when a user cannot log on because the allow logon right policy is not set. |
Create a home directory for a User Account at Logon | You can automatically create a home directory for an AD user account or a local AD Bridge user account on target AD Bridge clients. When the user logs on to the computer, the home directory is created if it does not exist. |
Template files for a new user home directory | AD Bridge can add the contents of skel to the home directory created for an AD user account or an AD Bridge local user account on target AD Bridge clients. |
Home Directory Creation Mask | AD Bridge can set permissions for the home directory that is created when a user logs on to target AD Bridge clients. The home directory and all the files in the directory are preset with the permission settings of the file creation mask, or umask. There is a umask policy for local accounts and a umask policy for AD accounts. |
Local account password expiration | Sets the number of days a local account is notified before a password expires. |
Local account password lifespan | Sets the number of days a password is valid. |
Create a .k5Login file in user home directory | Creates a .k5Login file in the user's home directory. |
Log PAM debugging information | Logs winbind debugging information. |
Ignore group alias | When turned on, group names are displayed using the NT4 format (DOMAIN\SAMaccountname). |
Smart Card
GPO Name | Description |
---|---|
Smart card removal policy | Sets the action to take when a smart card is removed from a target, for example, locking the computer. |
Require smart card for login | Turns on the requirement to use Smart Card two-factor authentication. |
Reaper Syslog Settings
GPO Name | Description |
---|---|
Unmatched Error Events | Sets the policy to capture Error class events from the syslog reaper service. |
Unmatched Warning Events | Sets the policy to capture Warning class events from the syslog reaper service. |
Unmatched Info Events | Sets the policy to capture Information class events from the syslog reaper service. |
Group Policy Agent
GPO Name | Description |
---|---|
Enable use of event log | Turns on logging for group policy events on target computers. You can use this policy to help improve security and to troubleshoot group policies by capturing information in the AD Bridge event log about the application and processing of group policy objects, including such events as errors, adding a new GPO, updating a GPO for a new version, and removing a GPO that no longer applies to a user or computer. |
Computer Policy Refresh Interval | Sets how often a computer's group policies are updated while the computer is in use. By default, when this policy is undefined, a computer's group policies are updated when the system starts and every 30 minutes while the computer is in use. The updates take place in the background without interrupting the user. |
User Policy Refresh Interval | Sets how often the user settings are updated while the user is logged on. By default, when this policy is undefined, a user's settings are updated when the user logs on and every 30 minutes while the user is logged on. The updates take place in the background without interrupting the user. Only applies to AD Bridge group policies. |
User Policy Loopback Processing Mode | The policy is designed for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. |
Enable user logon group policies | By default, the AD Bridge group policy agent processes and applies user policies when a user logs on with an Active Directory account, a process that can delay logon. If no user group policy objects apply to a target set of computers and the users who access them, defining this group policy and setting it to disabled stops the AD Bridge group policy agent from attempting to process user policies, resulting in faster logons. |
Event Log
GPO Name | Description |
---|---|
Max disk usage | Set the maximum event log size. |
Max number of events | Set the maximum number of events that can be saved in the event log. |
Max event lifespan | Set the number of days that pass before events are deleted. |
Remove events as needed | Deletes events when the event log reaches the size threshold configured in the Max disk usage policy. Used with the Max disk usage policy. |
Allow read-event access | Set the Active Directory users that can read events from the AD Bridge event log. |
Allow write-event access | Set the Active Directory users and groups allowed to write events into the AD Bridge event log. |
Allow delete-event access | Set the Active Directory users and groups allowed to delete events from the AD Bridge event log of target computers. |
Event Forwarder
GPO Name | Description |
---|---|
Event log collector | Sets the event log collector for the target computers. |
Service principal for collector | Set the service principal account name that the event forwarder daemon process uses to contact the collector. |
User Monitor
GPO Name | Description |
---|---|
Enable monitoring of users and groups | AD Bridge includes a User Monitor service for entitlement reports. This feature is designed to support computers that are critical to regulatory compliance and for which restricted access by only essential staff is vital. A computer that is openly accessible to hundreds of users would be a source of unnecessary audit activity in such a situation and would significantly increase resource requirements, such as for Auditing Database sizing. |
Monitoring check interval | Sets the frequency with which the User Monitor service attempts to detect user and group changes on target computers. |
SNMP Settings
GPO Name | Description |
---|---|
Configure SNMP | The following groups of SNMP trap settings can be applied using a GPO: To use SNMP policies, you must also turn on Lsassd: Enable use of the event log in the Authorization and Identification group policy. |
Account Override
GPO Name | Description |
---|---|
User Account Attributes (to override) | You can override the following user attributes: If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application. |
Group Account Attributes (to override) | You can override the following group attributes: If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application. |