Group Policy Guide
Centrify Server Suite Group Policy Guide
July 2021 (release 2021)
Centrify Corporation

Legal Notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2021 Centrify Corporation. All rights reserved.

Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, DirectControl Express, Centrify for Mobile, Centrify for SaaS, DirectManage, Centrify Express, DirectManage Express, Centrify Suite, Centrify User Suite, Centrify Identity Service, Centrify Privilege Service and Centrify Server Suite are registered trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,442,962 and 9,378,391.

The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents

About this guide 18
    Intended audience 18
    Using this guide 18
    Documentation conventions 19
    Finding more information about Centrify products 20
    Product names 20
    Contacting Centrify 22
    Getting additional support 23

Group policies in Active Directory 24
    Configuring computer and user settings 24
    How group policies are applied 25
        Order in which policies are applied 26
        How the resulting policy set is determined 27
    Editing a Group Policy Object 29
        Selecting computer or user settings 29
        Applying policies in nested organizational units 30
        Configuring group policies to be refreshed 31
    Centrify Server Suite group policy overview 32
        Mapping settings to a virtual registry 33
        Configuring settings in administrative templates 34
        Mapping computer configuration policies 34
        Mapping user configuration policies 35
        Editing configuration settings manually 36
        Updating configuration policies manually 36
    Using standard Windows group policies 37
    Reporting group policy settings 38
        Generating a report of Centrify group policies 39

Adding Centrify settings to Group Policy Objects 40
    Adding administrative templates to a Group Policy Object 40
        Installing Centrify group policy templates 40
        Template file formats 41
    Selecting a Group Policy Object for Centrify settings 42
        Linking a Group Policy Object to an organizational unit 43
        Using security filtering for group policies 43
    Adding Centrify policies from XML files 45
    Adding templates after an upgrade 46
    Enabling Centrify policies 46
    Centrify policy limitations 47

DirectControl Settings 48
    Add centrifydc.conf properties 50
    Enable Active Directory PAM Privilege Escalation Feature 50
    Maintain DirectControl 2.x compatibility 51
    Merge local group membership 51
    Prefer authentication credentials source 52
    Set LDAP fetch count 52
    Set password cache 53
    Set user mapping 54
    User's initial group ID 54
    Use FIPS 140-2 compliance algorithms 55
        Basic requirements 55
        Enabling the policy 56
        Related configuration parameters 57
    Account prevalidation 58
        Specify allowed groups for prevalidation 58
        Specify allowed users for prevalidation 59
        Specify denied groups for prevalidation 59
        Specify denied users for prevalidation 59
        Set prevalidation service name 60
        Set prevalidation update interval 61
    Adclient settings 62
        Add attributes to cached objects 62
        Auto Zone group policies 64
        Configure /etc/nsswitch.conf (Solaris, HPUX, Linux) 68
        Configure /etc/{pam.conf,pam.d} (AIX, Solaris, HPUX, Linux, Mac OS X) 68
        Configure /etc/security/user (AIX) 69
        Configure /usr/lib/security/methods.cfg (AIX) 69
        Configure Directory Services (Apple OS/X) 69
        Configure dump core setting 69
        Disable multi-factor authentication (MFA) on Centrify-managed computers 70
        Disable nscd group and passwd caching (Solaris, Linux) 70
        Disable pwgrd (HPUX) 70
        Enable core dump cleanup 70
        Enable logon hours local enforcement 71
        Encrypt adclient cache data 71
        Force domains and forests to be one-way trusted 71
        Force password salt lookup from KDC 72
        Map /home to /User (Mac OS X) 73
        Run adclient on all processors 73
        Set cache cleanup interval 73
        Set the connector refresh interval 73
        Set the heartbeat interval (*NIX) 74
        Set maximum number of threads 74
        Set the maximum simultaneous authentication requests allowed 74
        Set minimum number of threads 74
        Specify low disk space interval 75
        Specify low disk space warning level 75
        Specify a per machine (random) delay for cache refreshed background tasks 76
        Use the legal Kerberos type for cache encryption 76
    Addns Settings group policies 78
        Enable addns invoked by adclient 78
        Set command line options used by adclient 78
        Set DNS records update interval 79
        Set wait response interval for update requests 79
    Dzdo settings 80
        Always add anchors to regex in dzdo and dzcmds 80
        Enable logging of valid command execution in dzdo 80
        Enable user command timeout 80
        Force dzdo re-authentication when relogin 81
        Force dzdo to set HOME environment variable 81
        Force dzdo to set HOME environment variable when runs with '-s' option 82
        Force per tty authentication in dzdo 82
        Prompt error message if command not found by dzdo 82
        Replace sudo by dzdo 83
        Require dzdo command validation check 83
        Require runas user for dzdo 84
        Require user is logged in to a real tty to run dzdo 84
        Set directory to store user timestamp by dzdo 84
        Set dzdo authentication timeout interval 85
        Set dzdo password prompt timeout interval 85
        Set dzdo validator 86
        Set environment variables to be preserved by dzdo 86
        Set environment variables to be removed by dzdo 87
        Set environment variables to be removed by dzdo with characters % or / 87
        Set error message when failed to authenticate in dzdo 88
        Set lecture shown by dzdo before password prompt 88
        Set password prompt for target user password in dzdo 89
        Set paths for command searching in dzdo 89
        Set secure paths for command execution in dzdo 90
        Show lecture by dzdo before password prompt 91
        Use realpath to canonicalize command paths in dzdo 91
    Group policy settings 92
        Enable user group policy 92
        Set machine group policy mapper list 92
        Set group policy mapper execution timeout 93
        Set user group policy mapper list 93
        Set total group policy mappers execution timeout 93
        Use user credential to retrieve user policy 94
    Kerberos settings 95
        Allow PAM to create user Kerberos credential cache 95
        Allow weak encryption types for Kerberos authentication 95
        Alternative location for credential cache directory 96
        Alternative location for user .k5login files 96
        Disable Kerberos built-in ccselect plugins 97
        Enable Kerberos clients to correct time difference 97
        Force Kerberos to only use TCP 97
        Generate the forwardable tickets 97
        Generate Kerberos version numbers for Windows 2000 98
        Manage Kerberos configuration