Authentication Services 4.2 - Administration Guide


Client-side extensions

Group Policy processes the policy settings information in GPOs by delegating to client-side extensions (CSEs). The /opt/quest/lib/cse_mod directory stores the client-side extensions to the Group Policy framework. Several default CSEs come ready to process GPOs immediately after installing Group Policy. Group Policy provides the following CSEs:

  • Licensing Extension

    Provides support for licensing policies.

  • Authentication Services Configuration Extension

    Provides support for the Authentication Services-related policies.

  • Microsoft Security Extension

    Provides support for some Windows security settings.

  • Macintosh Settings Extension

    Provides support for Mac OS X management settings.

  • Sudo Extension

    Provides support for the sudo policy option.

  • Dynamic File Copy Extension

    Provides support for dynamic file copy.

  • Unix Settings Extension

    Provides support for the Unix file and script policies.

  • SSH Extension

    Provides support for OpenSSH.

  • Samba Extension

    Provides support for Samba.

  • One Identity Defender Extension

    Provides support for One Identity Defender policies.

  • One Identity Privilege Manager for Unix

    Provides support for One Identity Privilege Manager for Unix policies.

  • Administrative Templates Extension

    Provides support for Administrative Templates.

  • Group Policy Extension

    Provides support for the Group Policy-related policies.

Administrative templates on Unix

In Windows-only environments, administrators extend Group Policy through Administrative Templates. Administrative Templates provide policy description information as well as information used to build a graphical user interface to manage those policies. Group Policy stores this information in human-readable text-file format with an ADM extension. For more information, see Microsoft Knowledge Base article number 323639 - HOW TO: Create Custom Administrative Templates in Windows 2000.

Once you load the Administrative Templates into the Group Policy Object Editor (GPOE), the GPOE namespace is extended with new Unix-specific nodes.

On Unix, ADM policies are supported using Perl scripts that translate Windows registry.pol files into Unix configuration file settings. Group Policy refers to the translator scripts as xlators.

You can write custom xlator scripts in any language.

Apply Mode

Some policies support the concept of an Apply mode. The Apply mode affects the way settings defined by policy are combined with local settings. There are two possible Apply modes:

  • Replace

    Settings defined in policy replace all local settings or configuration files.

  • Merge

    Settings defined by policy are merged with settings defined locally. For any conflicting settings the policy settings take precedence. Merge is the default for most policies that support Apply mode.

Configured policies that support Apply mode display the mode in the Apply Mode column in the Group Policy Object Editor.
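
The following Python sketch is an added example, not One Identity code. It illustrates the xlator idea and the two Apply modes described above by parsing the standard registry.pol (PReg) layout with bounds checks, then combining the parsed policy with local settings. The key and value names, the apply_settings helper and the dictionary model of a configuration file are assumptions, and the way the Group Policy framework invokes an xlator is not covered on this page and is not modeled.

```python
import struct

REG_SZ, REG_DWORD = 1, 4  # the two registry value types this sketch handles
def u16(s):
    return s.encode("utf-16-le")

def parse_registry_pol(blob):
    """Return [(key, value_name, data)]; raise ValueError on malformed input."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("missing PReg version 1 header")
    pos, out = 8, []
    def take(n):  # bounds-checked read, so a bad size field cannot overrun
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated at offset %d" % pos)
        pos += n
        return blob[pos - n:pos]
    def expect(ch):  # delimiters are UTF-16LE characters
        if take(2) != u16(ch):
            raise ValueError("expected %r before offset %d" % (ch, pos))
    def cstring():  # NUL-terminated UTF-16LE string
        units = []
        while (unit := take(2)) != b"\x00\x00":
            units.append(unit)
        return b"".join(units).decode("utf-16-le")
    while pos < len(blob):
        expect("[")
        key = cstring(); expect(";")
        name = cstring(); expect(";")
        rtype = struct.unpack("<I", take(4))[0]; expect(";")
        size = struct.unpack("<I", take(4))[0]; expect(";")
        raw = take(size); expect("]")
        if rtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        elif rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        else:
            raise ValueError("unsupported type %d for %s" % (rtype, name))
        out.append((key, name, data))
    return out

def apply_settings(local, policy, replace=False):
    """Merge (default): local kept, policy wins conflicts. Replace: policy only."""
    return dict(policy) if replace else {**local, **policy}

# Constructed sample (hypothetical key and value names): one REG_SZ entry.
SAMPLE = (b"PReg" + struct.pack("<I", 1) + u16("[Software\\Example\0;Banner\0;")
          + struct.pack("<I", REG_SZ) + u16(";") + struct.pack("<I", 12) + u16(";")
          + u16("hello\0]"))
```

Rejecting truncated or oversized entries with an error, rather than writing a partial result, keeps a damaged policy file from silently changing local configuration.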

Setting Policy Apply Mode

To set the Group Policy Apply mode

  1. In Group Policy Object Editor, select a policy.
  2. To set the Apply Mode to Replace, open the Action menu and select the Remove local configuration option.

    Note: You can also right-click the policy to choose the Remove local configuration option from the context menu.

  3. To reset the Apply Mode to Merge, open the Action menu and select the Remove local configuration option again.

    Note: The policy must be configured in order to change the Apply mode. If the policy is not configured, the Remove local configuration option is not enabled on the Action menu.

    Note: Some policies, such as scripts, do not support Apply mode. If the policy does not support Apply mode, the Remove local configuration item in the Action menu is not available and the Apply Mode column in Group Policy Object Editor is blank.
