Authentication Services Group Policy extends Microsoft Group Policy functionality to Unix,Linux and Mac clients.Windows Administratorscan use Group Policy to set policies that apply across a given site, domain, or range of organizational units (OUs) in Active Directory. Group Policy allows administrators to use Microsoft Group Policy to manage configuration settings for non-Windows operating systems and applications.
Group Policy uses the same Group Policy object processing model that is used by the Windows winlogon service including scoping and filtering of Group Policy objects. Policy settings applied through Group Policy are "non-tattooing". The Group Policy agent also provides tools for calculating the Resultant Set of Policy (RSoP) before and after policy application.
Here is how the process works:
1. At the group policy refresh interval or when the /opt/quest/bin/vgptool apply command is run, VGP determines the location of GPOs in sysvol based on the gPCFileSysPath attribute in Active Directory.
2 - Next SMB protocol is used to connect to the share. The path could point to a specific server (not necessarily the server joined to), or just to a domain.
3 - The gpo files are copied to /var/opt/quest/vgp/gpt/ on the local machine.
4 - The client determines which group policies apply according GP processing rules. Group Policy uses the same Group Policy object processing model that is used by the Windows winlogon service including scoping and filtering of Group Policy objects.
5 - vgptool applies our group policies using Client Side Extensions (CSE). The CSEs determine how policies are applied.
USEFUL TIPS AND COMMANDS FOR TROUBLESHOOTING
1. Check the Result set of policy to see if the policy is applying to the machine:
2 - Try replying the policy
3 - If the policy is not applying make sure the GPO is linked and to the Organization Unit (OU) containing the computer for a machine policy or containing the user if it is a user policy. Ensure it is also enabled.
4 - Next, check the security filtering. Make sure that the computers or users needing the policy are in a group that is specified here. Remember that domain users includes all users, domain computers includes all computer, and authenticated users includes both users and computer. By default, a GPO will be scoped to Authenticated Users.
5 - Check sysvol to ensure data exist
6 - Run /opt/quest/bin/vgptool register
This will list the currently registered extensions. Also useful is doing a ls -l /var/opt/quest/vgp and checking date on the extensions file to see if it was changed when the issue began.
7- Ensure the AD & SYSVOL version numbers are the same for both User and Computer settings.
This can be seen in the Details tab for the GPO.