Authentication Services 4.2 - Administration Guide


Specify a text replacement macro

To specify a text replacement macro

  1. Select the Text Replacement Macro tab.
  2. Click Add.

    The Text Replacement Settings dialog opens.

  3. In the Find Text field, type the text that you want to find.
  4. In the Replace With field, type an environment variable or command.
  5. Specify whether to replace the text with a Command Result or with the value of an Environment Variable.
    • Command Result: The replacement text specifies a Unix command.

      Note: You must enter the full path to the file.

    • Environment Variable: The replacement text specifies an environment variable.
  6. Click OK to close the dialog and save the changes.

    Group Policy makes these replacements when it applies the policy.

    Note: You should test the target systems to ensure that the commands and environment variables can resolve.
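
One way to carry out the test recommended in the note above, as an added example that is not part of the original guide or the product: a POSIX shell preflight that confirms a Command Result path is a full path to an executable that other users cannot modify, and that an Environment Variable name resolves to a non-empty value. The function names, return codes, and the permission check are this example's own assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for Text Replacement Macro values.
# Function names and return codes are this example's own, not the product's.

# check_command PATH -> 0 usable, 1 not a full path,
# 2 missing or not executable, 3 writable by group or other users.
check_command() {
    cmd_path=$1
    case $cmd_path in
        /*) ;;               # full path, as the Command Result note requires
        *) return 1 ;;
    esac
    [ -f "$cmd_path" ] && [ -x "$cmd_path" ] || return 2
    # -L checks the symlink target; find prints the path only when the
    # group-write or other-write bit is set.
    loose=$(find -L "$cmd_path" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)
    [ -z "$loose" ] || return 3
    return 0
}

# check_env_var NAME -> 0 set and non-empty, 1 invalid name, 2 unset or empty.
check_env_var() {
    var_name=$1
    case $var_name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    # Query the exported environment, not shell-local variables.
    env | grep -q "^${var_name}=." || return 2
    return 0
}

# Usage: sh macro_preflight.sh /full/path/to/command VARIABLE_NAME
if [ "$#" -eq 2 ]; then
    rc=0
    check_command "$1" || rc=$?
    echo "command '$1': status $rc"
    rc=0
    check_env_var "$2" || rc=$?
    echo "variable '$2': status $rc"
fi
```

Run the checks on the target host in the context in which policy is applied, since the exported environment there can differ from an interactive login shell.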

Dynamic File Copy policy

The Dynamic File Copy policy allows you to specify a network file that Group Policy agents pull down. In contrast to the Files policy, the Dynamic File Copy policy specifies network files that are not stored in the Group Policy Template on SYSVOL. This allows an administrator to set special permissions on the files so that Unix administrators can update the file contents without requiring full rights to Group Policy.

You can specify the target path, ownership, and permissions for each file. Each time the Group Policy agent applies policy, it copies the file from the specified source network share to the target location on the local host.

Dynamic File Copy policies provide all of the advantages of Group Policy's built-in undo mechanism. When you unlink or delete file policies, the associated files on the host are deleted or replaced with their previous contents, unless you select the Copy Files Permanently option.

If no source is specified, the Group Policy agent searches for the target file and sets the specified ownership and permissions. The ownership and permissions are restored when the policy is un-applied.

Dynamic File Copy policy only supports Kerberos for authentication. Machine Dynamic File Copy policy always uses the host keytab credential. User Dynamic File Copy policy always uses the Kerberos credential of the user that is logging on. In order to use a CIFS share for Dynamic File Copy policy, you must configure it to support Kerberos authentication (GSSAPI/SPNEGO). Dynamic File Copy policy does not support NTLM.

Dynamic File Copy policies can be overridden. If there are multiple policies affecting the same file entry, the permissions, ownership, and contents of the file are dictated by the lowest policy in the hierarchy affecting that file or the highest enforced policy affecting that file in the hierarchy.

Dynamic File Copy supports non-tattooing, block inheritance, ACL filtering, and enforced settings. Multiple entries with the same target are resolved according to the Group Policy Conflict Resolution rules.

After you copy a file, you can customize it using the Text Replacement Macros tab, which allows you to find and replace portions of the file's content.

Login Prompt policy

The Login Prompt policy allows administrators to configure the /etc/issue and /etc/issue.net files. These files define the welcome messages displayed to users logging in. Login Prompt policies can be overridden. If there are multiple Login Prompt policies, the contents of /etc/issue are dictated by the lowest Login Prompt policy in the hierarchy or the highest enforced Login Prompt policy in the hierarchy.

Set the Login Prompt policy

To set the Login Prompt policy

  1. Start Group Policy Editor.
  2. Select Unix Settings | Quest Authentication Services | Client Configuration in the scope view.
  3. Double-click Login Prompt (/etc/issue).

    The Login Prompt Properties dialog opens.

  4. Type the text of the message into the text box or click Import to import the contents of a local or remote file.
  5. Click OK.