Network and Security Settings Reference

DNS

Sets the DNS servers and search domains on target computers.

The search domains are automatically appended to unqualified names typed into network applications. For example, if you set campus.college.edu as a search domain on a Mac computer, a user can type server1 in the Finder's Connect To Server dialog box to connect to server1.campus.college.edu.

Setting this group policy can conflict with the contents of the resolv.conf file on some target computers, especially those running newer Linux distributions that ship NetworkManager.

NetworkManager maintains resolv.conf dynamically and will likely overwrite this policy's resolver options. When it is in use, NetworkManager typically leaves a comment at the top of resolv.conf indicating that it generated the file:

[root@bvt-rad12-32 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search corpqa.pbisdemo.com corp.pbisdemo.com
nameserver 10.100.1.24
nameserver 10.100.1.45
nameserver 10.100.1.51

When the GPO is processed, the agent generates a new file named resolv.conf.gp, saves the existing resolv.conf as resolv.conf.lwidentity.orig, and then renames resolv.conf.gp to resolv.conf. When the network interface is restarted, however, the new resolv.conf settings can be overwritten with values from other configuration sources (such as the DHCP client), even if NetworkManager is not running.

We recommend that you use a target platform filter to apply the policy only to Unix platforms or other systems on which resolv.conf is not dynamically modified.
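The following shell script is an added example, not part of AD Bridge or this reference: it detects whether a host's resolv.conf is dynamically maintained (a symlink, or a generator comment such as the NetworkManager one shown above) so the host can be excluded from the DNS GPO with a platform filter, and it compares the resolver settings the policy wants against the live file to catch the overwrite that follows an interface restart. The generator-marker patterns and the sample resolv.conf files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not AD Bridge code: decide whether a host's resolv.conf is
# maintained dynamically (so the DNS GPO would be overwritten there) and
# detect drift between the policy's resolver settings and the live file.

# True (exit 0) when FILE looks dynamically managed: it is a symlink, as
# with systemd-resolved or resolvconf, or a generator marker appears in a
# leading comment, e.g. "# Generated by NetworkManager". The marker list is
# an assumption; extend it for other generators seen in your fleet.
resolv_conf_is_dynamic() {
    [ -L "$1" ] && return 0
    grep -qiE '^#.*(generated by|managed by|do not edit)' "$1" 2>/dev/null
}

# Print the nameserver addresses in FILE, in order, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the search list in FILE (the last "search" line wins, as in the
# resolver itself).
resolv_search() {
    awk '$1 == "search" { $1 = ""; sub(/^ /, ""); last = $0 } END { print last }' "$1"
}

# Exit 0 when the live file (2nd arg) still carries the nameservers and
# search list of the policy file (1st arg, e.g. the resolv.conf.gp the
# agent generated); exit 1 when something has rewritten it since.
resolv_matches_policy() {
    [ "$(resolv_nameservers "$1")" = "$(resolv_nameservers "$2")" ] &&
    [ "$(resolv_search "$1")" = "$(resolv_search "$2")" ]
}

# Constructed sample files standing in for /etc/resolv.conf variants.
demo=$(mktemp -d)
cat > "$demo/nm.conf" <<'EOF'
# Generated by NetworkManager
search corpqa.pbisdemo.com corp.pbisdemo.com
nameserver 10.100.1.24
nameserver 10.100.1.45
EOF
cat > "$demo/policy.conf" <<'EOF'
search corp.pbisdemo.com
nameserver 10.100.1.24
nameserver 10.100.1.45
EOF
cat > "$demo/static.conf" <<'EOF'
search corp.pbisdemo.com
nameserver 10.100.1.24
nameserver 10.100.1.45
EOF

for f in nm.conf static.conf; do
    if resolv_conf_is_dynamic "$demo/$f"; then
        echo "$f: dynamically managed; exclude this host from the DNS GPO"
    else
        echo "$f: static; DNS GPO can be applied"
    fi
done
resolv_matches_policy "$demo/policy.conf" "$demo/static.conf" && echo "static.conf matches policy"
resolv_matches_policy "$demo/policy.conf" "$demo/nm.conf" || echo "nm.conf has drifted from policy"
```

Run resolv_matches_policy against the agent's resolv.conf.gp and /etc/resolv.conf after a network restart on a candidate host; if it reports drift, that host belongs on the excluded side of the platform filter.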

Sudoers

This policy distributes a sudoers configuration file to target computers running Linux, Unix, or Mac OS X. The file is copied to the local machine and replaces the existing sudoers file, so validate it (for example with visudo -c) before deploying it: a syntax error in sudoers disables sudo for every account on the target.

A sudoers file can reference local users and groups or Active Directory users and groups. sudo (superuser do) lets a user run a command as root or as another user.

Example:
DOMAIN\\adminuser ALL=(ALL) ALL

%DOMAIN\\domain^admins ALL=(ALL) ALL

Users and groups must be entered as they appear on the target computer. In sudoers the backslash in DOMAIN\name is escaped as \\, and the example shows the space in the group name replaced by ^.

Related Policy/Settings:
Lsassd: Prepend default domain name for AD user. This setting controls whether AD accounts appear on the target with the DOMAIN\ prefix or as short names only; sudoers entries must use whichever form the target computer shows.
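The following shell script is an added example, not AD Bridge's own code: it renders Active Directory users and groups in the form the sudoers entries above use (backslash escaped as \\, spaces replaced by the agent's space-replacement character, ^ in the page's example), builds a candidate file, and syntax-checks it with visudo -c -f before the GPO distributes it. The helpdesk rule and the principal names are constructed for the example.

```shell
#!/bin/sh
# Added example, not AD Bridge code: render AD users and groups in the
# form sudoers expects and syntax-check the candidate file before the GPO
# distributes it. A malformed sudoers disables sudo on every target.

# Turn "DOMAIN\name" into a sudoers principal: the backslash is escaped as
# \\ and spaces are replaced with the agent's space-replacement character
# (^ in the page's example; assumed here). Pass "group" to prefix with %.
sudoers_principal() {
    kind=$1; name=$2
    esc=$(printf '%s' "$name" | sed -e 's/\\/\\\\/g' -e 's/ /^/g')
    if [ "$kind" = group ]; then
        printf '%%%s\n' "$esc"
    else
        printf '%s\n' "$esc"
    fi
}

# Emit one sudoers rule line. The command spec defaults to ALL=(ALL) ALL.
sudoers_rule() {
    printf '%s %s\n' "$(sudoers_principal "$1" "$2")" "${3:-ALL=(ALL) ALL}"
}

# Syntax-check FILE with visudo without installing it. Exit 0 on success,
# 1 on a parse error, 2 when visudo is not available on this host.
sudoers_check() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -q -f "$1"
}

# Constructed candidate file. Names are written as they appear on the
# target computer (lowercase here, as in the page's example).
candidate=$(mktemp)
{
    sudoers_rule user  'DOMAIN\adminuser'
    sudoers_rule group 'DOMAIN\domain admins'
    # Least privilege: a helpdesk group limited to one command (hypothetical group).
    sudoers_rule group 'DOMAIN\helpdesk' 'ALL=(root) NOPASSWD: /usr/sbin/service'
} > "$candidate"
cat "$candidate"
if sudoers_check "$candidate"; then
    echo "candidate parses; safe to ship via the Sudoers GPO"
else
    echo "candidate rejected or not checked (status $?)"
fi
```

Keep the rendered names consistent with the Lsassd default-domain setting: if targets show short names only, pass the short name to sudoers_principal instead of DOMAIN\name.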

Certificates Autoenrollment

The AD Bridge autoenrollment policy automatically enrolls target computers for selected certificate templates and downloads the forest's root CA certificates.

The following Windows server roles are required. Ensure the roles are properly configured before setting the policy in AD Bridge.

  • Active Directory Certificate Services (AD CS)
  • Web Server (IIS) with the Certificate Enrollment Policy Web Service (CEP) and the Certificate Enrollment Web Service (CES)

The autoenroll service is managed by the lwsm service manager. When the autoenrollment group policy is downloaded, gpagentd starts the autoenroll daemon, which enrolls for the configured templates and downloads the certificates. The autoenroll service renews expired or revoked certificates and, if configured, removes revoked certificates.

As of 8.5.4, root certificates are downloaded from:

CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com

to the local directory:

/etc/pbis/security/certs/<DOMAIN>/

If the computer leaves the domain, autoenrollment stops. Certificates already on the system remain in place, so revoke them at the CA if the computer is being decommissioned.

This policy was tested on:

  • RHEL 6, 7 x86_64
  • Ubuntu 16.04, 18.04 LTS x86_64

Limitations:

  • The autoenrollment policy only enrolls computer certificates.
  • Templates with Publish certificate in Active Directory enabled will fail to enroll.
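The following shell script is an added example, not AD Bridge's own tooling: it inspects the certificates in a store such as /etc/pbis/security/certs/<DOMAIN>/ and reports which are expired or about to expire, so a stalled renewal by the autoenroll daemon is noticed before it breaks client authentication. It uses openssl x509 -checkend, does not check revocation (that needs the CA's CRL or OCSP), and the two self-signed sample certificates are constructed for the example.

```shell
#!/bin/sh
# Added example, not AD Bridge code: inspect the certificates the autoenroll
# service stores (e.g. under /etc/pbis/security/certs/<DOMAIN>/) and flag
# those that are expired or about to expire. Revocation is not checked
# locally; that requires the CA's CRL or OCSP responder.

# Print "ok", "expiring" or "expired" for the PEM certificate in FILE.
# DAYS (default 30) is the warning window. openssl's -checkend exits 0 when
# the certificate is still valid the given number of seconds from now.
cert_status() {
    file=$1; days=${2:-30}
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo "unreadable"; return 1
    fi
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$file" >/dev/null 2>&1; then
        echo "expiring"
    else
        echo "ok"
    fi
}

# One line per certificate in DIR: status, notAfter, subject, issuer.
# Files that are not PEM certificates (e.g. private keys) are skipped.
cert_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cert_status "$f" "${2:-30}") || true
        if [ "$status" = unreadable ]; then
            echo "$(basename "$f"): not a PEM certificate, skipped"
            continue
        fi
        printf '%s: %s; %s; %s; %s\n' "$(basename "$f")" "$status" \
            "$(openssl x509 -noout -enddate -in "$f")" \
            "$(openssl x509 -noout -subject -in "$f")" \
            "$(openssl x509 -noout -issuer -in "$f")"
    done
}

# Constructed sample store: two self-signed certificates, one valid for a
# year and one expiring tomorrow (hypothetical host names).
certdir=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$certdir/k1.pem" \
        -out "$certdir/long.pem" -days 365 -subj '/CN=host1.corp.pbisdemo.com' >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$certdir/k2.pem" \
        -out "$certdir/short.pem" -days 1 -subj '/CN=host2.corp.pbisdemo.com' >/dev/null 2>&1
    cert_report "$certdir"
else
    echo "openssl not installed; cannot inspect certificates" >&2
fi
```

On a joined host, cert_report /etc/pbis/security/certs/<DOMAIN> 14 lists anything within two weeks of expiry; a certificate that stays in the "expiring" state across renewal cycles points at an autoenroll or CES problem rather than at the host's clock.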

Wireless

The AD Bridge wireless policy configures a wireless interface through NetworkManager. When the policy is downloaded to a workstation, the computer is automatically enrolled for the certificate template named in the policy and the wireless interface is configured to use it. The template name in the policy must match the name exactly as it appears in the certificate authority's template list.

This policy is tested on:

  • Ubuntu 14.04 LTS x86_64
  • RHEL 6.6, 7.0 x86_64
  • CentOS 6.6, 7.0 x86_64