Authentication Services Group Policy is a built-in component of Authentication Services. After joining the domain, Unix hosts display as computer objects in Active Directory just like Windows servers and workstations. Group Policy Objects link to Unix computer objects in the same way as they link to Windows computer objects.
Group Policy allows Unix hosts to participate in the WindowsGroup Policy infrastructure. Group Policy uses the Kerberos and LDAP infrastructure provided by Authentication Services to implement Group Policy on Unix in a way that mirrors the Windows Group Policy implementation.
Group Policy consists of server-side extensions to the Group Policy Object Editor and Unix client-side software. Using the Group Policy extensions to the Group Policy Object Editor (GPOE), administrators can create and edit Unix policies. The Group Policy agent is responsible for reading policy configuration data and applying policies to Unix hosts.
Server-side extensions are software packages that extend the functionality of existing Microsoft Group Policy management tools. Group Policy provides one extension for the Group Policy Object Editor (GPOE):
Group Policy extends the namespace of the Group Policy Object Editor, that is, Group Policy adds several Unix-specific nodes to the scope and resultant views of the Group Policy Object Editor.
The vgptool command-line utility provides the same functionality as winlogon.exe. vgptool collects policy information by querying Active Directory for the SYSVOL path of GPOs, based on the location of the Unix host object in Active Directory. Once it collects the policy information, vgptool follows the same rules and standards of Group Policy application as Microsoft Group Policy, including enforced links, block inheritance, non-tattooing of policy settings, enabled or disabled links, link order, ACL filtering, and enabled/disabled GPOs. Authentication Services also supports loopback policy processing.
Like gpupdate.exe, vgptool invokes client-side extension plug-ins to apply policy settings. You can register new client-side extensions with vgptool (refer to the vgptool man page for details). vgptool runs only when invoked from the Unix command line or when it is run by the Authentication Services service as part of a policy refresh event.