Group Policy provides policies to manage the user-override and group-override files. The user-override file allows you to override certain user attributes such as the login shell or home directory. The group-override file allows you to override certain group attributes such as group name and group membership list.
Account Override policies support non-tattooing, block inheritance, ACL filtering, and enforced settings. If an Account Override policy is enforced, then entries in that policy cannot be overridden. When there are no Account Override policies associated with the Unix agent, a Group Policy refresh returns the local override files to their original states.
If multiple policies affect the same override entry, the user or group override is dictated either by the lowest policy in the hierarchy that affects that user or group, or by the highest enforced policy in the hierarchy that affects that user or group.
Group Policy creates the user-override and group-override files on the system if they do not already exist. It merges the policy-defined entries with the existing local entries and prunes the duplicates. The policy settings override local settings.
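The precedence and merge rules above can be modeled to audit which policy dictates a given override entry. This is an added example, not Authentication Services code. The `Policy` class, the `depth` ordering, the account names and values are all hypothetical, and it assumes that an enforced policy, when present, takes priority and that a policy entry replaces the local entry for the same account as a whole.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    depth: int                # assumed model: 0 = top of hierarchy, larger = lower
    enforced: bool = False
    overrides: dict = field(default_factory=dict)   # account -> {attribute: value}

def winning_policy(policies, account):
    """Return the policy that dictates the override entry for account, or None."""
    affecting = [p for p in policies if account in p.overrides]
    enforced = [p for p in affecting if p.enforced]
    if enforced:              # enforced entries cannot be overridden
        return min(enforced, key=lambda p: p.depth)             # highest enforced
    return max(affecting, key=lambda p: p.depth, default=None)  # lowest policy

def effective_overrides(policies, local):
    """Merge policy entries into local ones: one entry per account, policy wins."""
    merged = {acct: dict(attrs) for acct, attrs in local.items()}
    for acct in {a for p in policies for a in p.overrides}:
        merged[acct] = dict(winning_policy(policies, acct).overrides[acct])
    return merged

# Constructed sample data: hypothetical policy names, accounts and values.
POLICIES = [
    Policy("Domain Baseline", 0, enforced=True,
           overrides={"alice": {"shell": "/bin/bash"}}),
    Policy("OU Servers", 1,
           overrides={"alice": {"shell": "/bin/zsh"}, "bob": {"home": "/home/bob"}}),
    Policy("OU Database Hosts", 2,
           overrides={"bob": {"home": "/srv/bob"}}),
]
LOCAL = {"alice": {"shell": "/bin/sh"}, "carol": {"gid": "2000"}}

if __name__ == "__main__":
    for acct, attrs in sorted(effective_overrides(POLICIES, LOCAL).items()):
        winner = winning_policy(POLICIES, acct)
        print(acct, attrs, "<-", winner.name if winner else "local file")
```

With an empty policy list the function returns the local entries unchanged, matching the refresh behavior described for a Unix agent with no Account Override policies.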
The User Account Override policy allows administrators to add users to the override list and selectively set account attributes for those users. This policy manages the Authentication Services user-override file which allows specified users to take on a different identity on a per-machine basis.
To add a user override entry
The User Account Override dialog opens initially with all fields disabled except the Apply To field.
Thus, only the Primary GID, Home Directory, and Login Shell fields are valid. All other fields are disabled.
The Select User or Group dialog opens.
The entry displays in the list of account override settings. Scroll the list or adjust column widths to view all of the account settings.
By using Group Account Override, you can add local users to Active Directory groups. The Group Account Override policy allows administrators to append a group membership list to the list stored in Active Directory. You can also override the group name and GID (group ID) fields.
To add a group override entry
The Select Group dialog displays.
Group Policy adds the local user name you specify to the group membership list.
The Host Access Control policies give you fine-grained control over which users are allowed to log into the Unix host.
Authentication Services supports host access control through the users.allow and users.deny files. Authentication Services consults these files to determine whether or not to allow access to a particular user. This is an effective way to restrict access to sensitive computers on the network when using decentralized user accounts such as Active Directory. Group Policy defines policies for management of the access control files.
Host access control entries are "append only" and cannot be overridden. However, if there is a duplicate entry, the entry is added only once to the access control files.