Centrify Suite 2012

Group Policy Guide
November 2011

Centrify Corporation

Legal notice

    This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

    This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

    Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

    Centrify Suite is protected by U.S. Patents 8,024,360 and 7,591,005.

    The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

Contents

About this guide  5
  Intended audience  5
  Using this guide  5
  Conventions used in this guide  6
  Where to go for more information  6
  Contacting Centrify  7

Chapter 1  Understanding group policies and Active Directory  9
  Understanding Group Policy Objects  9
  Understanding how Group Policy Objects are applied  10
  Understanding inheritance and policy settings  12
  Viewing and editing a Group Policy Object  14
  Configuring group policies to be refreshed  17

Chapter 2  Understanding Centrify Suite 2012 group policies  18
  Mapping configuration settings to a virtual registry  18
  Configuring settings in administrative templates  20
  Mapping computer configuration policies  20
  Mapping user configuration policies  21
  Using standard Windows group policies  21
  Updating configuration policies manually  22
  Reporting group policy settings  23

Chapter 3  Working with Group Policies Objects and Centrify Suite 2012  24
  Administrative templates and Group Policy Objects  24
  Linking Group Policy Objects to Active Directory  25
  Linking a group policy object to computers in a zone  26
  Adding DirectControl policies to a Group Policy Object  27
  Creating a new Group Policy Object for DirectControl  32
  Enabling Centrify Suite 2012 policies  34

Chapter 4  Setting Centrify Suite 2012 configuration group policies  39
  Adding the centrifydc_settings file to a Group Policy Object  39
  Configuring DirectControl policies for computers  42
  Configuring common UNIX settings for computers  86
  Editing DirectControl configuration options manually  90

Chapter 5  Using additional group policies for UNIX services  92
  Adding additional group policies  92
  Configuring crontab entries by group policy  93
  Configuring screen locking by group policy  94
  Configuring commands to run by group policy  94
  Configuring secure shell (ssh) authentication  95
  Configuring basic firewall settings  98
  Configuring network login message settings  99

Chapter 6  Using group policies for GNOME settings  101
  Understanding GNOME  101
  Setting DirectControl GNOME policies  101
  Verifying Gnome policy settings  102
  About the top-level Enable Gnome group policies setting  104

Chapter 7  Using group policies for Mac OS X users and computers  105
  Understanding group policies and system preferences  105
  Adding Mac OS X group policies  107
  Enabling and disabling Mac OS X group policies  108
  Setting Mac OS X computer policies  109
  Setting Mac OS X user policies  110

Chapter 8  Defining custom group policies and administrative templates  112
  Implementing custom group policies  112
  Creating a custom Administrative Template  112
  Adding a mapper program to DirectControl  121

Index  122

About this guide

Centrify Suite 2012 with DirectControl delivers secure access control and centralized identity management by seamlessly integrating with Microsoft Active Directory to support:

  Diverse UNIX, Linux, and Mac OS X operating environments

  Broadly-used Web and J2EE application platforms, such as Apache, Tomcat, JBoss, WebLogic, and WebSphere

  Popular database platforms, such as DB2, Oracle, and SAP

With Centrify Suite 2012, organizations can improve IT efficiency, better comply with regulatory requirements, and move toward a more secure, connected infrastructure for their heterogeneous computing environment.

Intended audience

This guide provides information for using Centrify Suite 2012 group policies to manage configuration settings for computers and users through the Microsoft Group Policy Object Editor. This guide is intended for administrators who want to customize the operation of Centrify Suite 2012 by modifying Centrify Suite 2012 group policies.

This guide is intended as a supplement to the main Centrify Suite 2012 documentation set and assumes that you have a working knowledge of Centrify Suite 2012 architecture and administration. For information about installing and working with Centrify Suite 2012, see the Centrify Suite 2012 Administrator's Guide.

This guide also assumes that you have a working knowledge of Active Directory and understand how to use group policies. For more complete information about defining and applying group policies through Active Directory, see your Microsoft documentation.

Using this guide

Depending on your environment and role as an administrator or user, you may want to read portions of this guide selectively. The guide provides the following information:

  Chapter 1, Understanding group policies and Active Directory, provides an introduction to what group policies provide, how they are enabled and how they are applied to Active Directory objects.

  Chapter 2, Understanding Centrify Suite 2012 group policies, provides an overview of how Centrify Suite 2012 group policies work.

  Chapter 3, Working with Group Policies Objects and Centrify Suite 2012, describes how to add Centrify Suite 2012 group policies to a Group Policy Object and how to edit group policy settings.

  Chapter 4, Setting Centrify Suite 2012 configuration group policies, describes the group policies that control Centrify Suite 2012 configuration parameters.

  Chapter 5, Using additional group policies for UNIX services, describes the single-purpose group policies you can add to a Group Policy Object.

  Chapter 6, Using group policies for GNOME settings, describes the Gnome group policies you can add to a Group Policy Object.

  Chapter 7, Using group policies for Mac OS X users and computers, provides an overview of the group policies available for Mac OS X users and computers.

  Chapter 8, Defining custom group policies and administrative templates, describes how to create custom administrative templates to implement your own group policies.

You'll also find an index provided for your reference.

Conventions used in this guide

The following conventions are used in this guide:

  Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.

  Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.

  Italics are used for book titles and to emphasize specific words or terms.

    For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.

Where to go for more information

The Centrify Suite 2012 documentation set includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:

  Centrify Suite 2012 Release Notes provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information not included in other Centrify Suite 2012 documentation.

  Centrify Suite 2012 Quick Start provides a brief summary of the steps for installing Centrify Suite 2012 and getting started so you can begin working with the product right away.

  Centrify Suite 2012 Evaluation Guide provides information to help you set up an evaluation environment and use Centrify Suite 2012 to test typical authentication and authorization scenarios, such as resetting user passwords for UNIX computers, preventing a user from accessing unauthorized UNIX computers, or enforcing specific lockout policies when users attempt to log on to UNIX computers using Centrify Suite 2012.

  Centrify Suite 2012 Planning and Deployment Guide provides guidelines, strategies, and best practices to help you plan for and deploy Centrify Suite 2012 in a production environment. This guide covers issues you should consider in planning a Centrify Suite 2012 deployment project. The Planning and Deployment Guide should be used in conjunction with the information covered in the Administrator's Guide.

  Centrify Suite 2012 Administrator's Guide describes how to perform administrative tasks using the Centrify Suite 2012 Administrator Console and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment.

  Centrify Suite 2012 Administrator's Guide for Mac OS X provides information for Mac OS X system administrators about the administrative issues and tasks that are specific or unique to a Mac OS X environment. You should refer to this guide for information about the group policies for Mac OS X computers and users.

  Centrify Suite 2012 Authentication Guide for Apache describes how to use Centrify Suite 2012 with Apache Web servers and applications to provide authentication and authorization services through Active Directory. If you are using Centrify Suite 2012 with Apache, you should refer to this supplemental documentation for details about how to configure your Apache server to use Centrify Suite 2012 and Active Directory.

  Centrify Suite 2012 Authentication Guide for Java Applications describes how to use Centrify Suite 2012 with J2EE applications to provide authentication and authorization services through Active Directory. If you are using Centrify Suite 2012 with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify Suite 2012 and Active Directory.

  Individual UNIX man pages for command reference information for Centrify Suite 2012 UNIX command line programs.

Contacting Centrify

If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify products, support, services, and upcoming events. For information about purchasing or evaluating Centrify products, send email to [email protected].

Chapter 1  Understanding group policies and Active Directory

This chapter provides an overview of how to use group policies for configuration management in an Active Directory environment. It includes an introduction to the concept of Group Policy Objects on Windows and a summary of how group policy settings are inherited through an Active Directory structure.

The following topics are covered:

  Understanding Group Policy Objects

  Understanding how Group Policy Objects are applied

  Understanding inheritance and policy settings

  Viewing and editing a Group Policy Object

  Configuring group policies to be refreshed

Note  This chapter only provides an overview of key concepts for working with group policies and Group Policy Objects. For more complete information about creating and using group policies and working with Group Policy Objects, see your Active Directory documentation. If you are already familiar with group policies and inheritance rules for Group Policy Objects, you can skip this chapter.

Understanding Group Policy Objects

Group policies allow you to specify a variety of configuration options and apply those settings to specific groups of computers and users through Active Directory. In a standard Windows environment, these configuration options control many aspects of computer operation and the user experience, including the user's desktop environment, operations performed during startup and shutdown, local security enforcement, user- and computer-based settings in the local Windows registry, and software installation and maintenance services.

The configuration options available and the settings you make for those options are defined in a Group Policy Object (GPO) linked to an Active Directory object. Each Group Policy Object can consist of configuration information that applies to computers, configuration information that applies to users, or sections of policy specifically devoted to each.

Every Group Policy Object includes a default set of Administrative Templates that are created automatically as part of the Group Policy Object. Administrative templates define sets of related configuration options and describe how those options are displayed in the Group Policy Object Editor. You must use the Group Policy Object Editor to edit the settings for any individual Group Policy Object.

There are two default Group Policy Objects available when you install or promote a server to be a Windows domain controller:

  Default Domain Controllers Policy

  Default Domain Policy

    Your organization may have additional Group Policy Objects customized to suit your environment. You can use any existing Group Policy Object to include settings for Centrify Suite 2012-managed computers and users or you can create your own custom Group Policy Objects, as needed. Before deciding whether to use an existing Group Policy Object or create a new Group Policy Object, however, you should be sure you understand how Group Policy Objects are linked to Active Directory objects and how policies are inherited through the Active Directory tree.

Understanding how Group Policy Objects are applied

Group Policy Objects are applied by linking them to a specific organizational unit, domain, or site in Active Directory. How you create this link depends on your environment.

By default, most organizations use an Active Directory MMC snap-in, such as Active Directory Users and Computers, to select an organizational unit, domain, or site. You can then right-click to view the Properties for that organizational unit, domain, or site. From the Properties dialog box, you can click the Group Policy tab to:

  Create a new Group Policy Object and link it to the current organizational unit, domain, or site.

  Add a link from the current organizational unit, domain, or site to an existing Group Policy Object.

  Edit the configuration settings for a Group Policy Object already linked to the current organizational unit, domain, or site, which opens the Group Policy Object in the Group Policy Object Editor.

For example, if you select the domain arcade.com in Active Directory Users and Computers, right-click and select Properties, you can view the Group Policy tab.

If you want to link a Group Policy Object to a site, you would use Active Directory Sites and Services to select the site, then view the Properties and click the Group Policy tab.

As an alternative to using Active Directory MMC snap-ins, you can download and install the Microsoft Group Policy Management Console. This optional MMC snap-in makes it easier to view existing Group Policy Objects and to link existing Group Policy Objects to organizational units, domains, or sites.

Note  To set group policy for a selected Active Directory site, domain, or organizational unit, you must have read and write permission to access the system volume of the domain controller and the right to modify the selected directory object.

Once you link a Group Policy Object to an organizational unit, domain, or site, the specific policies you set are applied when computers are rebooted, when users log on, or at the next update interval if you set policies to be periodically refreshed.

Because you can link multiple Group Policy Objects throughout the hierarchical structure of the Active Directory tree, policies are applied in the following order unless you explicitly configure them to behave differently:

  Local Group Policy Objects are applied first.

  Site-level Group Policy Objects are applied in priority order.

  Domain-level Group Policy Objects are applied in priority order.

  Organizational Unit-level Group Policy Objects are applied in priority order down the hierarchical structure of your organization, so that the last Group Policy Object applied is the one linked to the Organizational Unit the user or computer resides in.

As this set of rules suggests, a Group Policy Object linked to a site applies to all domains at the site. A Group Policy Object applied to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in organizational units and containers farther down the Active Directory tree. A Group Policy Object applied to an organizational unit applies directly to all users and computers in the organizational unit and by inheritance to all users and computers in organizational units farther down the Active Directory tree. You can modify the specific users and computers the GPO is applied to by choosing a different point in the hierarchy, blocking the default inheritance, using security groups to create Access Control Lists, or defining WMI filters.

    Note You cannot link a Group Policy Object to a generic Active Directory container, such as the generic containers for Users, Computers, and Domain Controllers. However, users and computers in generic Active Directory containers do receive policy by inheritance from Group Policy Objects linked at a higher level of Active Directory. For example, the Users and Computers containers you see in Active Directory Users and Computers cannot have Group Policy Objects linked directly to them, but they do receive domain-linked Group Policy Objects by means of inheritance.

Understanding inheritance and policy settings

The order in which Group Policy Objects apply is significant because, by default, policy applied later overwrites policy applied earlier for each setting where the later applied policy was either Enabled or Disabled. Settings that are Not Configured don't overwrite anything; any Enabled or Disabled setting applied earlier is allowed to persist. You can modify this default behavior by forcing or preventing Group Policy Objects from affecting specific groups of users or computers, but in most cases, you should avoid doing so.

As an example, consider an organization with a single domain called arcade.com which is divided into the following top-level organizational units:

  USA

  Spain

  Korea

    Each of these may be divided into lower-level organizational units, indicating major departmental or functional groupings for the top-level organizational unit. For example, the USA organizational unit may be divided into CorporateHQ, Development, and Sales. Each of these second-tier organizational units may then be divided into additional organizational units. For example, the Development OU may include organizational units such as Windows QA and UNIX QA.

A computer placed in the Windows QA organizational unit may then have several different Group Policy Objects applied to it. For example, the arcade.com organization may have a default domain Group Policy Object that applies to all organizational units in the domain, and each organizational unit may also have its own Group Policy Object applied. The following table illustrates the configuration settings for two computer configuration policies, Windows Update > Configure Automatic Updates and Windows Media Player > Prevent Desktop Shortcut Creation, for the Group Policy Objects applied to the example organization arcade.com.

GPO name               Linked to    Sample policy configuration settings
Default Domain Policy  arcade.com   Configure Automatic Updates: Enabled with Auto download and notify for install
                                    Prevent Desktop Shortcut Creation: Enabled
USA-Specific           USA          Configure Automatic Updates: Not Configured
                                    Prevent Desktop Shortcut Creation: Enabled
All Development        Development  Configure Automatic Updates: Not Configured
                                    Prevent Desktop Shortcut Creation: Disabled
Windows Lab            Windows QA   Configure Automatic Updates: Enabled with Notify for download and notify for install
                                    Prevent Desktop Shortcut Creation: Not Configured

For example, if you were managing the default domain policies used in this example, you would:

1 Start Active Directory Users and Computers.

2 Right-click the domain, arcade.com, then click Properties.

3 Click the Group Policy tab.

4 Select the Default Domain Policy, then click Edit to open the Default Domain Policy in the Group Policy Object Editor.

5 Set Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates to Enabled, select the Auto download and notify for install option, then click OK.

6 Set Computer Configuration > Administrative Templates > Windows Components > Windows Media Player > Prevent Desktop Shortcut Creation to Enabled, then click OK.

    You would perform similar steps to configure the group policies for the other organizational units.

When all of the policies described in the table are applied in their default order, a computer in the Windows QA organizational unit would be configured with the following policy settings:

  Configure Automatic Updates: Enabled with Notify for download and notify for install

  Prevent Desktop Shortcut Creation: Disabled

    It is important to consider the impact of these inheritance rules when you are planning how you will apply Group Policy Objects to sites, domains, or organizational units that contain UNIX users and computers.
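The following is an added worked example, not part of the guide and not Centrify or Microsoft code. It models the default processing order described above (local, site, domain, then each organizational unit from the top of the tree down to the one containing the computer) together with the overwrite rule (a later Enabled or Disabled value replaces an earlier one; Not Configured leaves the earlier value in place), and runs it over the four GPOs in the table. It also keeps a trail of which GPO supplied each effective value, which is what you need when working out why a UNIX host in a deep OU received a setting. Beyond the Windows QA case in the text it resolves a second, constructed path (a computer in a USA > Sales OU). The site name "example-site", the function names, and the representation of the GPOs as Python data are assumptions of the example.

```python
"""Effective group policy resolution for the arcade.com example.

Added illustration only; not Centrify or Microsoft code. Models the default
processing order (local, site, domain, OUs top-down) and the rule that a later
Enabled/Disabled value overwrites an earlier one while Not Configured does not.
"""

from dataclasses import dataclass

NOT_CONFIGURED = "Not Configured"

POLICIES = (
    "Configure Automatic Updates",
    "Prevent Desktop Shortcut Creation",
)


@dataclass
class GPO:
    name: str
    linked_to: str   # site, domain, or OU the GPO is linked to
    settings: dict   # policy name -> value; a missing key means Not Configured


# Constructed from the guide's table. The example defines no local policy and
# no site-linked GPO, so those two scopes contribute nothing here.
GPOS = [
    GPO("Default Domain Policy", "arcade.com", {
        "Configure Automatic Updates":
            "Enabled with Auto download and notify for install",
        "Prevent Desktop Shortcut Creation": "Enabled",
    }),
    GPO("USA-Specific", "USA", {
        "Configure Automatic Updates": NOT_CONFIGURED,
        "Prevent Desktop Shortcut Creation": "Enabled",
    }),
    GPO("All Development", "Development", {
        "Configure Automatic Updates": NOT_CONFIGURED,
        "Prevent Desktop Shortcut Creation": "Disabled",
    }),
    GPO("Windows Lab", "Windows QA", {
        "Configure Automatic Updates":
            "Enabled with Notify for download and notify for install",
        "Prevent Desktop Shortcut Creation": NOT_CONFIGURED,
    }),
]


def processing_order(site, ou_path):
    """Containers whose GPOs apply, earliest first.

    ou_path runs from the domain down to the OU that holds the computer,
    e.g. ["arcade.com", "USA", "Development", "Windows QA"].
    """
    return ["<local>", site] + list(ou_path)


def resolve(gpos, site, ou_path, policies=POLICIES):
    """Return (effective settings, audit trail) for one computer.

    GPOs linked to the same container apply in the order they appear in
    `gpos`, which stands in for the link priority order on that container.
    The trail records every overwrite so an administrator can see which
    GPO supplied each effective value.
    """
    effective = {policy: NOT_CONFIGURED for policy in policies}
    trail = []
    for container in processing_order(site, ou_path):
        for gpo in (g for g in gpos if g.linked_to == container):
            for policy in policies:
                value = gpo.settings.get(policy, NOT_CONFIGURED)
                if value == NOT_CONFIGURED:
                    continue  # Not Configured never overwrites an earlier value
                effective[policy] = value
                trail.append((policy, gpo.name, value))
    return effective, trail


def winning_gpo(trail, policy):
    """Name of the GPO that set the effective value for `policy`, or None."""
    winners = [name for p, name, _ in trail if p == policy]
    return winners[-1] if winners else None


if __name__ == "__main__":
    # "example-site" is a constructed site name; the guide's example has no site GPO.
    path = ["arcade.com", "USA", "Development", "Windows QA"]
    settings, trail = resolve(GPOS, "example-site", path)
    for policy, value in settings.items():
        print(f"{policy}: {value}  (set by {winning_gpo(trail, policy)})")
```

Run stand-alone, the script reports the two effective values the text gives for a Windows QA computer and names the GPO responsible for each; changing the OU path shows how the same table yields different results elsewhere in the tree.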

Viewing and editing a Group Policy Object

Any time you create a new Group Policy Object for an organizational unit, domain, or site, it includes a set of default configuration options for computers and users. Initially, all of these default configuration options are defined as Not configured or Not defined and have no effect. You can then enable the specific policies you want to use for the organizational unit, domain, or site linked to the current Group Policy Object. You do this by opening the specific Group Policy Object in the Group Policy Object Editor.

    Note Keep in mind that the default policies are all intended to provide configuration options for Windows users and computers in the associated organizational unit, domain, or site. In general, they do not apply to Centrify Suite 2012-managed systems or users and Windows-specific settings in a Group Policy Object are ignored for Centrify Suite 2012-managed computers and users.

To open a specific Group Policy Object in the Group Policy Object Editor:

  You can select the Group Policy Object from the Group Policy tab in an Active Directory console when viewing the properties for an organizational unit, domain, or site. To use this method, you need to know the organizational unit, domain, or site to which the GPO is linked.

  You can select the Group Policy Object directly from the list of existing Group Policy Objects in the Group Policy Management Console. To use this method, you need to download and install the Group Policy Management Console, but you do not need to know the organizational unit, domain, or site to which the GPO is linked.

  You can open the Group Policy Object Editor as a MMC snap-in and browse to find the specific GPO you want to view or edit.

    To view or edit a specific Group Policy Object from Active Directory Users and Computers:

    1 Start Active Directory Users and Computers and select an organizational unit or domain, right-click, then select Properties.

    2 Click the Group Policy tab.

    3 Select the Group Policy Object you want to view or edit from the list of Group Policy Object Links, then click Edit.

    If the Group Policy Object you want to work with is not listed but should be linked to the current organizational unit or domain:

    Click New and type a name to create a new Group Policy Object and link it to the current organizational unit or domain.

    Click Add to link an existing Group Policy Object to the current organizational unit or domain.

    For example, if creating a new Group Policy Object, click New and type a name:

    [Figure: Group Policy tab. Callout: Click New to create a new GPO linked to the current Active Directory object]

    Once you have created or added a Group Policy Object for the current organizational unit or domain, click Edit to display the Group Policy Object Editor. For example:

    4 In the Group Policy Object Editor, open policy folders to locate the individual policies you want to configure. For example, click Computer Configuration > Administrative Templates > System > Logon and locate the Run these programs at user logon policy.

    5 Select the Run these programs at user logon policy, right-click, then click Properties.

    6 Click Enabled to enable this group policy, then click Show to add the programs to run when users log on.

    Selecting computer or user configuration settings

    As noted previously, Group Policy Objects can consist of two types of group policy settings:

    Computer Configuration policies define the startup and shut down operations and other computer-specific behavior. These configuration settings apply to the computer regardless of the user account that logs on to the computer.

    User Configuration policies define log-on and log-off operations and other user-specific behavior. These configuration settings apply to the user account regardless of the computer the user logs on to. With these settings, users can move from computer to computer with a consistent profile.

    Because the computer and user group policies contain different configuration settings, they don't affect each other directly. In planning how to implement group policies, however, you need to keep in mind which policies must be computer-based and which must be user-based. In many cases, the same group policy may be available as both a computer configuration policy and a user configuration policy. In those cases, you need to decide whether the policy is best applied to computers and all users who log on, or to individual users when logging on, regardless of the computers they use. You should also keep in mind that, where applicable, the computer and user policies you set can affect the operation of Centrify Suite 2012-managed computers and the working environment for UNIX users.

    Selecting the group policy console to work with

    With Windows Server 2003, you can use the following MMC snap-ins to manage group policies:

    The Group Policy Object Editor allows you to enable, disable, and edit the configuration settings within any single Group Policy Object. You use the Group Policy Object Editor to set the configuration options you want to use and to assign values to configuration settings. For example, you use the Group Policy Object Editor, and not the Group Policy Management Console, to define the specific policies for password complexity such as the Minimum password length and the Maximum password age.

    The Group Policy Management Console is an optional MMC snap-in you can use to create new Group Policy Objects, link Group Policy Objects to sites, domains, and organizational units, delegate group policy permissions to specific users and groups, model and report the effects of group policy inheritance, and back up, restore, import, and copy existing Group Policy Objects. If you install the Group Policy Management Console, it replaces the Group Policy tab in Active Directory MMC snap-ins. You cannot use the Group Policy Management Console to edit any of the configuration settings that make up a Group Policy Object.

    If you don't install the Group Policy Management Console, you must use the Active Directory Sites and Services or the Active Directory Users and Computers MMC snap-in to link Group Policy Objects to Active Directory containers.

    Configuring group policies to be refreshed

    The computer portion of a Group Policy Object is normally applied any time you restart a computer that receives group policies. The user portion of a Group Policy Object is normally applied any time a user logs on to a computer. Both the computer and user portions of a Group Policy Object can also be configured to refresh automatically at a set interval.

    To configure the refresh interval and the conditions for refreshing group policies, use the policies listed under Computer Configuration > Administrative Templates > System > Group Policy and User Configuration > Administrative Templates > System > Group Policy of a Group Policy Object.

    If you configure your Group Policy Objects to refresh periodically, at the interval you specify, the computer contacts Active Directory to get the Group Policy Objects that apply and configures itself with the appropriate settings. If policies are refreshed at a set interval, users can change their configuration settings or their computer's configuration settings, but the changes will be overridden when the group policies are refreshed at the next interval.

    If you configure the refresh policy settings for users or computers, the refresh policy applies to both Windows and Centrify Suite 2012-managed computers and users.

    Chapter 2

    Understanding Centrify Suite 2012 group policies

    This chapter describes how Centrify Suite 2012 maps the policy settings defined in a Group Policy Object to configuration settings for Centrify Suite 2012-managed computers and users.

    The following topics are covered:

    Mapping configuration settings to a virtual registry

    Configuring settings in administrative templates

    Mapping computer configuration policies

    Mapping user configuration policies

    Using standard Windows group policies

    Updating configuration policies manually

    Reporting group policy settings

    Mapping configuration settings to a virtual registry

    In the Windows environment, most of the configuration settings defined in a Group Policy Object are implemented through entries in the local Windows registry. For UNIX computers and users, however, local configuration details are typically defined using a set of configuration files stored in the /etc directory. In addition, the Windows and UNIX environments have different configuration requirements, and so require different settings to be available through group policy.

    To address these differences, Centrify Suite 2012 provides its own group policies that allow administrators to use Group Policy Objects to configure settings for Centrify Suite 2012-managed computers and users. To enable you to use Group Policy Objects to configure settings for UNIX-based computers and users, Centrify Suite 2012:

    Provides its own administrative templates (.xml files) that define Centrify Suite 2012 and UNIX-specific configuration settings and describe how to display these settings in the Group Policy Object Editor on Windows.

    Uses the adclient daemon to collect configuration details from Active Directory based on the Group Policy Objects applied for the current computer or user and create a virtual registry of those configuration settings on the local UNIX computer.

    Runs local programs that map the configuration details in the virtual registry to the appropriate configuration file changes on the local UNIX computer.

    The virtual registry is a collection of files that contain all of the group policy configuration settings from the group policies applied to the computer through the group policy hierarchy, including settings that apply only to Windows computers. Because the files that make up this virtual registry are not native to the UNIX environment, Centrify Suite 2012 then uses a set of mapping programs to read the files, determine the settings that are applicable to UNIX computers and users, and make the appropriate changes in the corresponding UNIX configuration files to implement the configuration specified. The mapping programs ignore any Windows-specific settings that have been applied and only map the settings that are appropriate for the UNIX environment.

    Note The virtual registry only supports the group policies that are implemented through registry settings. Group policies that are implemented in other ways, for example, by running an executable script on each computer, aren't supported.

    The following figure provides a simplified view of the process.

    As this figure suggests, the Centrify Suite 2012 daemon, adclient, retrieves policy settings from the Active Directory domain controller and starts the program runmappers (/usr/share/centrifydc/mappers/runmappers). The runmappers program runs the individual mapping programs that are stored in the /usr/share/centrifydc/mappers/machine and /usr/share/centrifydc/mappers/user directories. Those individual mapping programs read settings from the virtual registry and write them as the appropriate settings in application-specific configuration files.

    The individual mapping programs also keep track of local changes that conflict with group policy settings, so those changes can be restored if the computer is removed from the domain, or if the configuration setting is removed from a Group Policy Object.

    [Figure: Active Directory (Group Policy Object with centrifydc_settings.xml and other default .xml files) -> adclient on the DirectControl-managed computer -> Virtual Registry (configuration settings stored in files) -> runmappers -> mapping programs read the configuration settings applicable to UNIX and write changes to /etc/centrifydc/centrifydc.conf and other files]

    Configuring settings in administrative templates

    Centrify Suite 2012 administrative templates are stored as files with the .xml extension in the system volume and are used to define a specific set of configuration options and how those options are displayed in the Group Policy Object Editor.

    Centrify Suite 2012 administrative templates fulfill the same role as Windows administrative templates; however, they are stored in XML format rather than ADM format. The XML format provides greater flexibility than the ADM format, specifically the ability to edit policy settings after setting them initially, which is critical for many of the Centrify Suite 2012 policies. In addition, the XML format enables template designers to include validation scripts for the policies implemented in a template.

    For most of the configuration settings that apply to UNIX users or computers, you must use Centrify Suite 2012 group policy administrative templates, which are installed automatically on the local machine when you run the setup program on a Windows domain controller. To apply a group policy setting, you must add the template that defines the group policy to a Group Policy Object; see Adding DirectControl policies to a Group Policy Object on page 27.

    In addition, every Group Policy Object includes a default set of Administrative Templates. The default administrative templates provide configuration options for Windows users and computers. In a few cases, however, settings you can configure in the default administrative templates do apply to Centrify Suite 2012-managed computers and users. For information about Windows settings that can be applied to UNIX users and computers, see Using standard Windows group policies on page 21.

    Mapping computer configuration policies

    The Centrify Suite 2012 Agent, adclient, determines the group policies that apply to Centrify Suite 2012-managed computers using the same rules for inheritance and hierarchy that apply to Windows computers. When the UNIX computer starts or when the computer policies are refreshed, adclient:

    Contacts Active Directory.

    Checks for the Group Policy Objects that are linked to each organizational unit of which the local computer is a member.

    Determines all of the configuration settings that apply to the local computer, and retrieves those settings from the System Volume (SYSVOL).

    Writes all of the configuration settings to a virtual registry on the local computer.

    Starts the runmappers program to initiate the mapping of configuration settings using individual mapping programs for computer policies.

    The mapping programs in the /usr/share/centrifydc/mappers/machine directory then read the virtual registry for the appropriate UNIX-specific computer configuration settings and locate the appropriate UNIX configuration files to change, then modify those files accordingly.

    After the computer starts, the adclient daemon will periodically check with Active Directory to determine the current group policy settings for the computer unless you disable group policy updates.
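    The following is an added example, not one of the Centrify mapping programs: a toy mapper in Python that reads settings from a virtual-registry file, rewrites the matching parameters in a centrifydc.conf-style file, and records each overridden local value so it can be restored when the computer leaves the domain or the setting is removed from the GPO. It illustrates both the virtual-registry flow described under Mapping configuration settings to a virtual registry and the computer policy mapping steps above; the key=value registry layout, the "parameter: value" configuration syntax and the example.added.by.policy parameter are assumptions.

```python
"""Added example, not Centrify code: a toy mapper in the spirit of the
programs under /usr/share/centrifydc/mappers/machine.  It reads settings
from a virtual-registry file, applies them to a centrifydc.conf-style file
and keeps a backup of every local value it overrode.  The registry layout
(key=value lines) and the "parameter: value" configuration syntax are
assumptions made for this example."""
import re
from typing import Dict, Optional

# Constructed virtual-registry content, as adclient might write it after a GPO
# disabled "Enable Windows NTP Client" (adclient.sntp.enabled is the parameter
# the guide names; example.added.by.policy is a hypothetical second parameter).
VIRTUAL_REGISTRY = (
    "adclient.sntp.enabled=false\n"
    "example.added.by.policy=yes\n"
)

# Constructed local configuration as an administrator left it before the GPO.
LOCAL_CONF = (
    "# constructed sample of /etc/centrifydc/centrifydc.conf\n"
    "adclient.sntp.enabled: true\n"
    "logger.facility: auth\n"
)

_PARAM = re.compile(r"^(?P<key>[\w.]+)\s*:\s*(?P<value>.*)$")


def parse_virtual_registry(text: str) -> Dict[str, str]:
    """One key=value line per setting; blank and malformed lines are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def apply_policy(conf: str, settings: Dict[str, str],
                 backup: Dict[str, Optional[str]]) -> str:
    """Write each policy value into conf.  backup records the pre-policy local
    value of each parameter (None when it did not exist) and is only written
    the first time a parameter is taken over, so refreshes keep the original."""
    lines = conf.splitlines()
    rewritten = set()
    for i, line in enumerate(lines):
        match = _PARAM.match(line)
        if match and match.group("key") in settings:
            key = match.group("key")
            backup.setdefault(key, match.group("value"))
            lines[i] = f"{key}: {settings[key]}"
            rewritten.add(key)
    for key, value in settings.items():
        if key not in rewritten:
            backup.setdefault(key, None)
            lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"


def remove_policy(conf: str, backup: Dict[str, Optional[str]]) -> str:
    """Undo apply_policy: restore saved local values and drop lines the policy
    added (the behaviour the guide describes for leaving the domain)."""
    restored = []
    for line in conf.splitlines():
        match = _PARAM.match(line)
        if match and match.group("key") in backup:
            original = backup[match.group("key")]
            if original is None:
                continue
            line = f"{match.group('key')}: {original}"
        restored.append(line)
    return "\n".join(restored) + "\n"


def get_param(conf: str, key: str) -> Optional[str]:
    """Return the current value of a parameter in conf, or None if absent."""
    for line in conf.splitlines():
        match = _PARAM.match(line)
        if match and match.group("key") == key:
            return match.group("value")
    return None


if __name__ == "__main__":
    saved: Dict[str, Optional[str]] = {}
    managed = apply_policy(LOCAL_CONF, parse_virtual_registry(VIRTUAL_REGISTRY), saved)
    print(managed)
    print(remove_policy(managed, saved) == LOCAL_CONF)   # prints True
```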

    Mapping user configuration policies

    The adclient daemon determines the group policies that apply to UNIX users using the same rules for inheritance and hierarchy that apply to Windows users. When a user logs into a DirectControl-managed computer, the adclient daemon detects the log-in and does the following:

    Contacts Active Directory.

    Checks for the Group Policy Objects that are linked to each organizational unit the user is a member of.

    Determines all of the configuration settings that apply to the user account, and retrieves those settings from the System Volume (SYSVOL).

    Writes all of the configuration settings to a virtual registry on the local computer.

    Starts the runmappers program to initiate the mapping of configuration settings using individual mapping programs for user policies.

    The mapping programs in the /usr/share/centrifydc/mappers/user directory then read the virtual registry for the appropriate UNIX-specific user configuration settings and locate the appropriate UNIX configuration files to change, then modify those files accordingly.

    After the user has logged on, the adclient daemon will periodically check with Active Directory to determine the current group policy settings for the user unless you disable group policy updates.

    Using standard Windows group policies

    Every Group Policy Object includes default administrative templates for user and computer configuration. Most of the settings in the default administrative templates only apply to Windows computers and Windows user accounts. However, there are a few of these common Windows configuration settings that can be applied to Centrify Suite 2012-managed computers and users. These configuration options are not duplicated in Centrify Suite 2012 administrative templates.

    You can set the following standard Windows group policy options for Centrify Suite 2012-managed computers and users:

    Select this Windows object: Computer Configuration > Administrative Templates > System > Group Policy
    To set this policy for UNIX:
      Turn off background refresh of Group Policy
      Group Policy refresh interval for computers

    Select this Windows object: Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
    To set this policy for UNIX:
      Global Configuration Settings - MaxPollInterval

    Select this Windows object: Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
    To set this policy for UNIX:
      Enable Windows NTP Client
      This policy specifies that adclient poll the domain NTP server to synchronize the clock of the local computer. This policy modifies the adclient.sntp.enabled parameter in the Centrify Suite 2012 configuration file. If you disable this policy, adclient does not attempt to synchronize the computer with the domain NTP server. The computer uses the local NTP policies, as defined in ntp.conf. Whether you enable the policy or not, no settings are changed in the ntp.conf file.

    Select this Windows object: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    To set this policy for UNIX:
      Interactive logon: Message text for users attempting to log on
      Interactive logon: Prompt user to change password before expiration

    Select this Windows object: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
    To set this policy for UNIX:
      Enforce password history
      Maximum password age
      Minimum password age
      Minimum password length
      Password must meet complexity requirements
      Store passwords using reversible encryption

    Select this Windows object: User Configuration > Administrative Templates > System > Group Policy
    To set this policy for UNIX:
      Group Policy refresh interval for users

    Updating configuration policies manually

    Although there are Windows group policy settings that control whether group policies should be refreshed in the background at a set interval, Centrify Suite 2012 also provides a command line program to manually refresh group policy settings at any time. This command line program, adgpupdate, forces the adclient daemon to contact Active Directory and collect group policy settings. With the adgpupdate command, you can specify whether you want to refresh computer configuration policies, user configuration policies, or both.

    When you run the adgpupdate command, the adclient daemon does the following:

    Contacts Active Directory for computer configuration policies, user configuration policies, or both. By default, adclient collects both computer and user configuration policies.

    Determines all of the configuration settings that apply to the computer, the current user, or both, and retrieves those settings from the System Volume (SYSVOL).

    Writes all of the configuration settings to a virtual registry on the local computer.

    Starts the runmappers program to initiate the mapping of configuration settings using individual mapping programs for user and computer policies.

    Resets the clock for the next refresh interval.

    For more information about using the adgpupdate command, see the adgpupdate man page or Using adgpupdate in the Centrify Suite 2012 Administrator's Guide.

    Reporting group policy settings

    On Windows computers, you can use the optional Group Policy Management Console to see the results of group policy settings for a specific computer or user, including Centrify Suite 2012-managed computers and users.

    You can also review the results of group policy settings for a Centrify Suite 2012-managed computer or a specific user by viewing the gp.report file locally on the computer. This report is automatically updated at each group policy update interval. By default, the gp.report for computer configuration is located in the /var/centrifydc/reg/machine directory and the gp.report for user configuration is located in the /var/centrifydc/reg/users/username directory.

    Chapter 3

    Working with Group Policies Objects and Centrify Suite 2012

    This chapter describes how to create and link a Group Policy Object to an Active Directory organizational unit, how to add Centrify Suite 2012 group policies to an existing Group Policy Object, and how to set policies for Centrify Suite 2012-managed computers and groups.

    The following topics are covered:

    Administrative templates and Group Policy Objects

    Linking Group Policy Objects to Active Directory

    Adding DirectControl policies to a Group Policy Object

    Creating a new Group Policy Object for DirectControl

    Enabling Centrify Suite 2012 policies

    Administrative templates and Group Policy Objects

    A Group Policy Object (GPO) consists of configuration information that applies to computers, configuration information that applies to users, or sections of policy specifically devoted to each. You can extend the configuration options provided by any Group Policy Object by adding Centrify Suite 2012 or custom administrative templates to the object. For example, you can add Centrify Suite 2012 configuration settings to a Group Policy Object by adding the centrifydc_settings.xml administrative template. Other administrative templates can be added to control other settings, such as Macintosh system preferences, if they apply to your environment.

    Notes DirectControl provides templates in both XML and ADM format. In most cases it is best to use the XML templates, which provide greater flexibility, such as the ability to edit settings after setting them initially, and in many cases contain validation scripts for the policies implemented in the template.

    However, in certain cases, you may want to add templates by using the ADM files. For example, if you have implemented a set of custom tools for the Windows ADM-based policies, and want to extend those tools to work with the DirectControl policies, you can implement the DirectControl policies by adding the ADM template files as explained in Adding DirectControl policies by using the ADM templates on page 30.

    The ADM templates do not support extended ASCII code for locales that require double-byte characters. For these locales, you should use the XML templates.

    There are two default Group Policy Objects when you install or promote a server to be a Windows domain controller:

    Default Domain Controllers Policy

    Default Domain Policy

    You can use these default Group Policy Objects to include settings for Centrify Suite 2012-managed computers and users, use any other existing Group Policy Object, or create a new Group Policy Object, if needed.

    If you want to add Centrify Suite 2012 administrative templates to an existing Group Policy Object, see Adding DirectControl policies to a Group Policy Object on page 27.

    If you want to create a new Group Policy Object specifically for Centrify Suite 2012 policies, see Creating a new Group Policy Object for DirectControl on page 32.

    Linking Group Policy Objects to Active Directory

    A Group Policy Object must be linked to an Active Directory organizational unit, domain, or site before you can add Centrify Suite 2012 group policies to the object. A Group Policy Object that includes Centrify Suite 2012 group policies can be linked to any organizational unit, domain, or site, including ones that have both Windows and UNIX computers and users. The UNIX-specific policies are ignored for Windows computers and users, and Windows policies that are not applicable are ignored for UNIX computers and users.

    You can link Group Policy Objects to organizational units, domains, and sites using an Active Directory MMC snap-in, such as Active Directory Users and Computers, or using the Group Policy Management Console.

    Note Although you cannot link a Group Policy Object directly to a zone, you can move the zoned computer objects into their own organizational unit or use security filtering to ensure that a policy only applies to the computers in that zone. To link a group policy to computers in a zone, see Linking a group policy object to computers in a zone.

    Note To set group policy for a selected Active Directory site, domain, or organizational unit, you must have read and write permission to access the system volume of the domain controller and the right to modify the selected directory object.

    To link a Group Policy Object to an organizational unit using Active Directory Users and Computers:

    1 Start Active Directory Users and Computers and select an organizational unit, right-click, then select Properties.

    2 Click the Group Policy tab.

    3 Click New and type a name to create a new Group Policy Object and link it to the current organizational unit or click Add to add a link from an existing Group Policy Object to the current organizational unit.

    Note If your users and computers are in different organizational units, be certain to link the Group Policy Object to both OUs. Otherwise, if you link only to the computers' OU, user policies will not be applied.

    Linking a group policy object to computers in a zone

    To apply group policies to computers in a zone you can do either of the following:

    Place the computer objects in their own organizational unit and apply the group policy to the organizational unit.

    Use security filtering to apply a group policy only to the computers in a zone.

    Using an organizational unit for zone computers

    To place computer objects in an organizational unit and apply a group policy:

    1 Start Active Directory Users and Computers and create an organizational unit at any level in the hierarchy.

    For example, right-click the domain and click New > Organizational Unit. Type a name for the OU and click OK.

    2 Find the computer objects for the zoned computers in Active Directory at: domain\Computers

    Then move the zoned computer objects to the new organizational unit.

    3 Select the new organizational unit, right-click, then select Properties.

    4 Click the Group Policy tab.

    5 Click New and type a name to create a new Group Policy Object and link it to the current organizational unit or click Add to add a link from an existing Group Policy Object to the current organizational unit.

    Using security group filtering for zone computers

    To use filtering to restrict policies to a group of zoned computers:

    1 Start Active Directory Users and Computers and create a new group.

    For example, right-click the domain and click New > Group. Type a name for the group. In Group scope, select Domain local. In Group type, select Security. Then click OK.

    2 Right-click the new group and select Properties.

    3 Click the Members tab and click Add. Then click the Object Types button and be certain that Computers is selected.

    4 Enter one or more names of zoned computers.

    If you know the names of the computers, you can enter them separated by semi-colons; for example: madrid; valencia; barcelona

    If you do not know the exact names, you can enter partial names separated by semi-colons; for example: mad; val; bar

    Then click Check Names.

    5 When you have added all computers from the zone, click OK.

    6 Open the Group Policy Management Console and select the group policy to use.

    7 In Security Filtering, click Add. Be certain that Group appears in Select this object type; if not, click Object Types and select Groups.

    8 Enter all or part of the name for the group you finished creating in Step 5. Click Check Names, then click OK to link the group of zoned computers to the group policy.

    Adding DirectControl policies to a Group Policy Object

    If you want to use an existing Group Policy Object, such as the Default Domain Policy, you can simply add Centrify Suite 2012 policies using an Active Directory MMC snap-in, such as Active Directory Users and Computers, or using the Group Policy Management Console.

    DirectControl ships both XML and ADM files to define the DirectControl group policies. In most cases, it is best to add DirectControl group policies by using the XML template files. However, in certain cases, such as maintaining compatibility with custom tools you are using with Windows ADM templates, you may want to implement the templates by adding ADM template files. This section covers both cases:

    See Adding group policies by adding the XML templates on page 27 for information on enabling and configuring DirectControl settings when using the XML templates.

    See Adding DirectControl policies by using the ADM templates on page 30 for information on enabling and configuring DirectControl settings when using the ADM templates.

    Note The ADM templates do not support extended ASCII code for locales that require double-byte characters. For these locales, you should use the XML templates.

    Adding group policies by adding the XML templates

    This section explains how to use the XML templates to add DirectControl group policies to a Group Policy Object. See the section, Adding DirectControl policies by using the ADM templates on page 30, if you intend to use the ADM template files to add DirectControl policies.

    To add Centrify Suite 2012 policies to a Group Policy Object through Active Directory:

    1 Open an Active Directory console, such as Active Directory Users and Computers.

    If you have installed the Group Policy Management Console, you must use that console to access Group Policy Objects. Within the Group Policy Management Console, you can select the Default Domain Policy or any other existing Group Policy Object, right-click, then click Edit to open the Group Policy Object Editor. Once you have opened the Group Policy Object Editor, skip to Step 5.

    2 In the console tree, select the site, domain, or organizational unit to which the existing Group Policy Object applies, right-click, then click Properties. For example, if you want to add Centrify Suite 2012 polices to the Default Domain Policy, select the domain, right-click, then click Properties.

    3 Click the Group Policy tab.

    4 Select the Group Policy Object to which you want to add Centrify Suite 2012 policies, then click Edit to open the Group Policy Object Editor. For example:

    [Figure: Properties dialog. Callouts: Click the Group Policy tab; Select a Group Policy Object, then click Edit]

    5 In the Group Policy Object Editor, expand Computer Configuration or User Configuration, select Centrify Settings, right-click, then click Add/Remove Templates.

    6 In the Add/Remove Templates dialog box, click Add.

    7 Navigate to the directory that contains the Centrify Suite 2012 administrative templates. By default, administrative templates are located in the following local directory: C:\Program Files\Centrify\Centrify DirectControl\group policy\policy.

    8 Select the administrative templates to add, then click Open to add the template to the list of Current Policy Templates, then click OK.

    For example, the administrative template that controls Centrify Suite 2012 configuration settings is centrifydc_settings.xml. To add this template, select the centrifydc_settings.xml file, click Open to add this template to the list of Current Policy Templates, then click OK.

    After you add specific Centrify Suite 2012 administrative templates, the Group Policy Object will include Centrify Suite 2012 configuration options set to Not configured. You can enable specific computer and user policies, as needed. For information about how to set Centrify Suite 2012 configuration policies, see Enabling Centrify Suite 2012 policies on page 34.

  • Adding DirectControl policies to a Group Policy ObjectNote If you update Centrify Suite 2012 to a new version, new templates may be included with the installation. To make any new policies included in the templates available for use, you must reapply each template by following Step 5 - Step 8 in this section. If you see the message, The selected XML file already exists. Do you want to overwrite it?, click Yes. This action overwrites the template with any new or modified group policies. It does not affect any configuration in the template that has been applied; that is, any policies that you have enabled remain enabled.

    Adding DirectControl policies by using the ADM templates

    DirectControl ships both XML and ADM files to define the DirectControl group policies. In most cases, it is best to add DirectControl group policies by using the XML template files. However, in certain cases, such as maintaining compatibility with custom tools you are using with Windows ADM templates, you may want to implement the templates by adding ADM template files. This section describes how to do this by adding the DirectControl ADM templates to an existing Group Policy Object, such as the Default Domain Policy. If you intend to use the XML template files to add DirectControl policies, see the section Adding group policies by adding the XML templates on page 27 instead.

    Note The ADM templates do not support extended ASCII code for locales that require double-byte characters. For these locales, you should use the XML templates.

    To add Centrify Suite 2012 policies to a Group Policy Object by using ADM template files:

    1 Open an Active Directory console, such as Active Directory Users and Computers.

    If you have installed the Group Policy Management Console, you must use that console to access Group Policy Objects. Within the Group Policy Management Console, you can select the Default Domain Policy or any other existing Group Policy Object, right-click, then click Edit to open the Group Policy Object Editor. Once you have opened the Group Policy Object Editor, skip to Step 5.

    2 In the console tree, select the site, domain, or organizational unit to which the existing Group Policy Object applies, right-click, then click Properties. For example, if you want to add Centrify Suite 2012 policies to the Default Domain Policy, select the domain, right-click, then click Properties.

    3 Click the Group Policy tab.

    4 Select the Group Policy Object to which you want to add Centrify Suite 2012 policies, then click Edit to open the Group Policy Object Editor. For example:

    (Figure: Click the Group Policy tab, select a Group Policy Object and click Edit, then select Administrative Templates, right-click, and select Add/Remove Templates.)

    5 In the Group Policy Object Editor, expand Computer Configuration or User Configuration, select Administrative Templates, right-click, then click Add/Remove Templates.

    6 In the Add/Remove Templates dialog box, click Add.

    7 Navigate to the directory that contains the Centrify Suite 2012 ADM administrative templates. By default, ADM templates are located in the following local directory: C:\Windows\inf.

    8 If necessary, scroll to see the DirectControl templates and select the templates to add, then click Open to add the template to the list of Current Policy Templates, then click OK.

    For example, the administrative template that controls Centrify Suite 2012 configuration settings is centrifydc_settings.adm. To add this template, select the centrifydc_settings.adm file, click Open to add this template to the list of Current Policy Templates, then click OK.

    After you add specific Centrify Suite 2012 administrative templates, the Group Policy Object will include Centrify Suite 2012 configuration options set to Not configured. You can enable specific computer and user policies, as needed. For information about how to set Centrify Suite 2012 configuration policies, see Enabling Centrify Suite 2012 policies on page 34.

    Note If you update Centrify Suite 2012 to a new version, new templates may be included with the installation. To make any new policies included in the templates available for use, you must reapply each template by following Step 5 - Step 8 in this section. If you see the message, The selected ADM file already exists. Do you want to overwrite it?, click Yes. This action overwrites the template with any new or modified group policies. It does not affect any configuration in the template that has been applied; that is, any policies that you have enabled remain enabled.

    Creating a new Group Policy Object for DirectControl

    Depending on the requirements of your organization and how you have linked existing Group Policy Objects to the sites, domains, and organizational units in your Active Directory forest, you may want to create a separate Group Policy Object for Centrify Suite 2012-managed users and computers. In deciding whether to create a new Group Policy Object or use an existing Group Policy Object, you need to consider whether the Group Policy Object should be linked to a site, domain, or specific organizational unit, such as a zone.

    If you want to create a new Group Policy Object specifically for Centrify Suite 2012 policies, the steps for creating it depend on whether you link it to a site, domain, or specific organizational unit and whether you have installed the optional Group Policy Management Console:

    • If the Group Policy Object is linked to a site, you can use Active Directory Sites and Services or the Group Policy Management Console to create a new Group Policy Object.

    • If the Group Policy Object is linked to a domain or organizational unit, you can use Active Directory Users and Computers or the Group Policy Management Console to create a new Group Policy Object.

    Note There is no requirement to create a new Group Policy Object specifically for Centrify Suite 2012 settings. Group Policy Objects that contain Centrify Suite 2012 settings can be applied to organizational units that include Windows users and computers. If the Group Policy Object is linked to an organizational unit that includes Windows computers, the Windows computers simply ignore the Centrify Suite 2012 settings as unrecognized when they retrieve their configuration settings and the environment is configured normally.

    Creating a GPO with Active Directory Users and Computers

    To create a new Group Policy Object for Centrify Suite 2012 group policies using Active Directory Users and Computers:

    1 Start Active Directory Users and Computers and select a domain or organizational unit, right-click, then select Properties.

    2 Click the Group Policy tab.

    3 Click New and type a name to create a new Group Policy Object.

    4 Click Close or select the new Group Policy Object, then click Edit to open the Group Policy Object Editor.

    5 In the Group Policy Object Editor, select Centrify Settings, and add Centrify Suite 2012 administrative templates, such as the centrifydc_settings.xml administrative template, as described in Adding DirectControl policies to a Group Policy Object on page 27.

    Creating a GPO with the Group Policy Management Console

    To create a new Group Policy Object for Centrify Suite 2012 group policies using the Group Policy Management Console:

    1 Open the Group Policy Management Console.

    2 In the console tree, select a domain or an organizational unit to which you want to link the new Group Policy Object.

    3 Right-click, then click Create and Link a GPO Here.

    4 Type a name for the Group Policy Object, then click OK.

    5 Select the new Group Policy Object, right-click, then click Edit to open the Group Policy Object Editor.

    6 In the Group Policy Object Editor, select Centrify Settings, and add Centrify Suite 2012 administrative templates, such as the centrifydc_settings.xml administrative template, as described in Adding DirectControl policies to a Group Policy Object on page 27.

    Note If you are adding ADM templates, see Adding DirectControl policies by using the ADM templates on page 30.
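    The Group Policy Management Console steps above (create a GPO, link it to an organizational unit, then open it for editing) can also be scripted with the GroupPolicy PowerShell module that ships with the console. The following is an added example and is not part of the Centrify guide; the GPO name and the organizational unit distinguished name are assumptions to be replaced with your own values.

```powershell
# Added example (not from the Centrify guide): create and link a Group Policy
# Object for Centrify Suite 2012-managed computers, then verify the link.
# The GroupPolicy module is installed with the Group Policy Management Console.
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$GpoName  = 'Centrify DirectControl Settings'           # assumed GPO name
$TargetOu = 'OU=UNIX Servers,DC=example,DC=com'         # assumed OU (for example, a zone OU)

# Step 3-4 of the procedure: create the GPO, but only if it does not already exist.
# Get-GPO throws when the name is unknown, so probe it inside try/catch.
$gpo = $null
try { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop } catch { }
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Centrify Suite 2012 settings (centrifydc_settings.xml)'
}

# Link the GPO to the OU. New-GPLink fails if the link already exists, so check
# the OU's current links first (Get-GPInheritance lists them in the GpoLinks property).
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Confirm that the link is present and enabled before editing the GPO.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id } |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

    The Centrify administrative templates themselves are still added in the Group Policy Object Editor under Centrify Settings, as described in step 6 above; this script only creates and links the object that holds them.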

    Enabling Centrify Suite 2012 policies

    As explained previously (Administrative templates and Group Policy Objects on page 24), you can add DirectControl settings to a group policy object by using XML template files, which is recommended in most cases, or by using ADM template files. This section covers both cases:

    • See Enabling policies when using XML templates on page 34 for information on enabling and configuring DirectControl settings when using the XML templates.

    • See Enabling policies when using ADM templates on page 36 for information on enabling and configuring DirectControl settings when using the ADM templates.

    Enabling policies when using XML templates

    This section explains how to enable and configure settings when using the XML template files. If you are using the ADM templates, see the section Enabling policies when using ADM templates on page 36.

    To enable and configure Centrify Suite 2012 settings:

    1 Open an Active Directory console, such as Active Directory Users and Computers.

    If you are using the Group Policy Management Console, you can select Group Policy Objects directly. With this console, select a Group Policy Object, right-click, then click Edit to open the Group Policy Object Editor. Once you have opened the Group Policy Object Editor, skip to Step 5.

    2 In the console tree, select the site, domain, or organizational unit to which the Group Policy Object applies, right-click, then click Properties.

    3 Click the Group Policy tab.

    4 Select the Group Policy Object from the list of Group Policy Objects linked to the current site, domain, or organizational unit, then click Edit to open the Group Policy Object Editor. For example:

    5 Select Computer Configuration > Centrify Settings and open the appropriate subfolders to view and set the computer-based configuration options you want to apply. For example, open DirectControl Settings and its subfolders to modify Centrify Suite 2012 configuration file settings for computers.

    By default, all of the policies are Not configured.

    6 Select a policy name, right-click, and select Properties.

    7 Click Enabled to enable the policy.

    For most policies, you also need to select values or provide other information to complete the configuration.

    (Figure: Centrify Suite 2012 group policies for Computer Configuration and for User Configuration in the Group Policy Object Editor.)

    For more information about any policy while viewing its properties, click the Explain tab. For more information about the Centrify Suite 2012 policies, see Setting Centrify Suite 2012 configuration group policies on page 39.

    8 Select User Configuration > Centrify Settings and open the appropriate subfolders to view and set the user-based configuration options you want to apply. For example, open Common Unix Settings to modify Unix configuration settings for users.

    9 Select a policy name, right-click, and select Properties.

    10 Click Enabled to enable the policy.

    Depending on the specific policy, you may also need to select values or provide other information before you can complete the configuration.

    For more information about any policy while viewing its properties, click the Explain tab. For more information about the Centrify Suite 2012 CentrifyDC Settings policies, see Setting Centrify Suite 2012 configuration group policies on page 39.

    The policies you enable are applied when computers in the site, domain, or organizational units are rebooted, users next log on, or at the next update interval.

    Enabling policies when using ADM templates

    This section explains how to enable and configure settings when using the ADM template files. If you are using the XML templates, see the section, Enabling policies when using XML templates on page 34.

    To enable and configure Centrify Suite 2012 settings:

    1 Open an Active Directory console, such as Active Directory Users and Computers.

    If you are using the Group Policy Management Console, you can select Group Policy Objects directly. With this console, select a Group Policy Object, right-click, then click Edit to open the Group Policy Object Editor. Once you have opened the Group Policy Object Editor, skip to Step 5.

    2 In the console tree, select the site, domain, or organizational unit to which the Group Policy Object applies, right-click, then click Properties.

    3 Click the Group Policy tab.

    4 Select the Group Policy Object from the list of Group Policy Objects linked to the current site, domain, or organizational unit, then click Edit to open the Group Policy Object Editor. For example:

    5 Select Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) and open the appropriate subfolders to view and set the computer-based configuration options you want to apply. For example, open Centrify DirectControl Settings and its subfolders to modify Centrify Suite 2012 configuration file settings for computers.

    By default, all of the policies are Not configured.

    6 Select a policy name, right-click, and select Edit.

    7 Click Enabled to enable the policy.

    For most policies, you also need to select values or provide other information to complete the configuration.

    (Figure: Centrify Suite 2012 group policies for Computer Configuration and for User Configuration under Classic Administrative Templates (ADM).)

    For more information about any policy while viewing its definition, see the Help text that is included in the policy definition. For more information about the Centrify Suite 2012 policies, see Setting Centrify Suite 2012 configuration group policies on page 39.

    8 Select User Configuration > Administrative Templates > Classic Administrative Templates (ADM) and open the appropriate subfolders to view and set the user-based configuration options you want to apply. For example, open Common Unix Settings to modify Unix configuration settings for users.

    9 Select a policy name, right-click, and select Edit.

    10 Click Enabled to enable the policy.

    Depending on the specific policy, you may also need to select values or provide other information before you can complete the configuration.

    For more information about any policy while viewing its definition, see the Help text that is included in the policy definition. For more information about the Centrify Suite 2012 CentrifyDC Settings policies, see Setting Centrify Suite 2012 configuration group policies on page 39.

    The policies you enable are applied when computers in the site, domain, or organizational units are rebooted, users next log on, or at the next update interval.

    Chapter 4 Setting Centrify Suite 2012 configuration group policies

    This chapter describes the Centrify Suite 2012 group policies that affect the configuration of Centrify Suite 2012 parameters on the local host computer. The group policies described in this chapter can be added to any Group Policy Object by adding the centrifydc_settings.xml administrative template to the GPO.

    The following topics are covered:

    • Adding the centrifydc_settings file to a Group Policy Object

    • Configuring DirectControl policies for computers

    • Configuring common UNIX settings for computers

    • Editing DirectControl configuration options manually

    Adding the centrifydc_settings file to a Group Policy Object

    Centrify Suite 2012 configuration settings can be added to any Group Policy Object. If the Group Policy Object that contains Centrify Suite 2012 settings is linked to an organizational unit or domain that includes Windows computers, the Windows computers simply ignore the Centrify Suite 2012-specific settings as unrecognized when they retrieve their configuration settings and the local environment is configured normally. Similarly, any Windows-specific settings in a Group Policy Object are ignored for Centrify Suite 2012-managed computers and users.

    Note DirectControl provides templates in both XML and ADM format. In most cases it is best to use the XML templates. This section assumes that you are adding the XML template file, centrifydc_settings.xml. To add the ADM template file, centrifydc_settings.adm, which resides in an entirely different directory than the .xml file, see Adding DirectControl policies by using the ADM templates on page 30.

    To add the Centrify Suite 2012 configuration settings in the centrifydc_settings.xml administrative template to a Group Policy Object:

    1 Run the Centrify Suite 2012 setup program and select the Group Policy Editor Extensions, if you have not already done so. For example:

    (Figure: Run the setup program with the Group Policy Editor Extension option selected.)

    2 Open Active Directory Users and Computers or the Group Policy Management Console.

    If you are using Active Directory Users and Computers:

    • Select the organizational unit or domain that is linked to the Group Policy Object to which you want to add Centrify Suite 2012 policies. Right-click, then click Properties.

    • Click the Group Policy tab, select the appropriate Group Policy Object, then click Edit to open the Group Policy Object Editor. For example:

    (Figure: Select or create a Group Policy Object, then click Edit.)

    If you are using the Group Policy Management Console:

    • Select the existing Group Policy Object to which you want to add Centrify Suite 2012 policies. Right-click, then click Edit to open the Group Policy Object Editor.

    3 Open the Computer Configuration and select Centrify Settings.

    4 Right-click, then click Add/Remove Templates.

    5 In the Add/Remove Templates dialog box, click Add.

    6 Navigate to the directory that contains the Centrify Suite 2012 centrifydc_settings.xml administrative template. By default, administrative templates are located in the following local directory: C:\Program Files\Centrify\Centrify DirectControl\group policy\policy.

    7 Select the centrifydc_settings.xml file, click Open to add this template to the list of Current Policy Templates, then click Close.

    Note When you add a template, such as centrifydc_settings.xml, if it includes both computer and user configuration policies, you can add it to Centrify Settings under Computer Configuration or under User Configuration, and both user and computer settings are added to Centrify Suite 2012. However, centrifydc_settings.xml currently does not have any user configuration settings. Other administrative templates can be added to control other settings, such as Macintosh system preferences (centrify_mac_settings.xml), if they apply to your environment.

    After you add the Centrify Suite 2012 centrifydc_settings.xml administrative template to a Group Policy Object, the Centrify Suite 2012 (DirectControl Settings) group policies are displayed. For example:

    Configuring DirectControl policies for computers

    To enable and configure Centrify Suite 2012 settings in the Group Policy Object Editor:

    1 Open an Active Directory console, such as Active Directory Users and Computers.

    If you are using the Group Policy Management Console, you can select Group Policy Objects directly. With this console, select a Group Policy Object, right-click, then click Edit to open the Group Policy Object Editor. Once you have opened the Group Policy Object Editor, skip to Step 5.

    2 In the console tree, select the site, domain, or organizational unit to which the Group Policy Object applies, right-click, then click Properties.

    3 Click the Group Policy tab.

    4 Select the Group Policy Object from the list of Group Policy Objects linked to the current site, domain, or organizational unit, then click Edit to open the Group Policy Object Editor.

    5 In the Group Policy Object Editor, select Computer Configuration > Centrify Settings > DirectControl Settings and open the appropriate sub-folders to view and set the computer-based configuration options you want to apply.

    (Figure: Centrify Suite 2012 group policies for Computer Configuration and for User Configuration.)

    Note If you added ADM templates instead of XML templates to define the DirectControl policies, the path to the settings is: Computer Configuration > Administrative Templates > Classic Administrative Templates > Centrify DirectControl Settings; see Enabling policies when using ADM templates on page 36 for more information.

    The following table provides a summary of the Centrify Suite 2012 policies you can set for computers.

    Use these policies: To do this

    Account Prevalidation: Manage prevalidation of users and groups for disconnected systems.

    Adclient Settings: Control certain aspects of the operation of the Centrify Suite 2012 Agent on managed computers.

    Auto Zone Settings: Control certain aspects of the operation of the Centrify Suite 2012 Agent on machines that are joined to Auto Zone.

    Group Policy Settings: Manage the Centrify Suite 2012 group policy mapping programs. You can use these settings to control the execution of the Centrify Suite 2012 group policy mapping programs.

    Kerberos Settings: Manage the Kerberos configuration. You can use these settings to control updates to the Kerberos configuration files and credential renewal.

    Logging Settings: Control logging policy settings. You can use these settings to specify the syslog facility to use for logging different adclient processes and to control the amount of memory to use to queue log messages.

    Login Settings: Control login and local account access. You can use these settings to grant or deny access to specific users and groups or to ignore Active Directory authentication for some users and groups.

    Network and Cache Settings: Specify the maximum period for client connection time-outs and object expiration intervals. You can use these settings to determine how long to wait for a response when connecting to Active Directory and how long objects should be kept in the local cache.

    NIS daemon Settings: Control operation of the Centrify Suite 2012 Network Information Service on the local host computer. The Centrify Suite 2012 Network Information Service provides a mechanism for DirectControl to respond to NIS client requests from other computers not managed by Centrify Suite 2012.

    NSS Overrides: Specify the passwd or group override entries you want to use in place of the entries in the local /etc/passwd or /etc/group files. You can use these settings to provide fine-grained control of the users and groups who can use the computer and to override the user ID, group ID, default shell, or home directory for specific login accounts or groups.

    Pam Settings: Control PAM policy settings. You can use these settings to customize the behavior of the Centrify Suite 2012 PAM modules.

    Password Prompts: Customize the prompts displayed when Active Directory users are prompted to provide their password. You can use these settings to change the text displayed when Active Directory users log in or change their password.

    By default, all of the policies are Not configured.

    To enable a policy, select a policy name, right-click, and select Properties, then click Enabled to enable the policy.

