
Safeguard Authentication Services 4.1.3 - Administration Guide


Configure a User Allow Entry policy

The Configure a User Allow Entry policy manages the Authentication Services users.allow file. This file controls which users are allowed to log in to the host machine. If any allow rules are set, then a user must be allowed access through one of the configured allow rules or the user is denied.

To set up an allow entry

  1. Navigate to the Unix Settings | Quest Authentication Services | Access Control node.
  2. Double-click users.allow Configuration in the result pane to open the users.allow Configuration Properties dialog.
    • Click Browse AD to add a container. All users under the specified container are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.
    • Click Add Group to add a group. All group members are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.
    • Click Add User to add a specific user. The specified user is allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.
    • Click Add Domain to add a domain. All users in the domain are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.
    • Click Add Custom to add an item manually. You must specify the correct type for the item. All users associated with the specified item are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.
  3. Click OK to save settings and close the dialog.

Configure a User Deny Entry policy

The Configure a User Deny Entry policy manages the Authentication Services users.deny file. This file dictates users and groups that are explicitly denied access to the machine. Deny rules take precedence over allow rules.

To set up a users deny policy

  1. Navigate to the Unix Settings | Quest Authentication Services | Access Control node.
  2. Double-click users.deny Configuration in the result pane to open the users.deny Configuration Properties dialog.
    • Click Browse AD to add a container. All users under this container are denied access.
    • Click Add Group to add a group. All members of the specified group are denied access.
    • Click Add User to add a specific user. The specified user is denied access.
    • Click Add Domain to add a domain. All users in the specified domain are denied access.
    • Click Add Custom to add an item manually. You must specify the correct type for the item. All users associated with the item are denied access.
  3. Click OK to save settings and close the dialog.
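
The combined effect of the allow and deny policies above can be checked offline before a GPO is linked. The following is an added example, not Authentication Services code: the (kind, value) rule form, the User record and all sample names are assumptions made for illustration and do not reflect the syntax of the users.allow or users.deny files.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str                      # login name
    domain: str                    # DNS domain
    dn: str                        # distinguished name
    groups: frozenset = frozenset()

def _under(dn, container):
    # Compare RDN by RDN, case-insensitively. Naive split: assumes no escaped commas.
    d = [p.strip().lower() for p in dn.split(",")]
    c = [p.strip().lower() for p in container.split(",")]
    return len(d) > len(c) and d[-len(c):] == c

def matches(user, rule):
    kind, value = rule             # hypothetical (kind, value) form, not the file syntax
    v = value.lower()
    if kind == "user":
        return v == f"{user.name}@{user.domain}".lower()
    if kind == "group":
        return v in {g.lower() for g in user.groups}
    if kind == "domain":
        return v == user.domain.lower()
    if kind == "container":
        return _under(user.dn, value)
    raise ValueError(f"unknown rule kind: {kind!r}")  # a custom entry needs a correct type

def decide(user, allow, deny):
    """Return (allowed, reason) for one user against both rule sets."""
    for rule in deny:              # deny rules take precedence over allow rules
        if matches(user, rule):
            return False, f"denied by {rule}"
    if not allow:                  # assumption: an empty allow list restricts nobody
        return True, "no allow rules set"
    for rule in allow:
        if matches(user, rule):
            return True, f"allowed by {rule}"
    return False, "no allow rule matched"

# Constructed sample directory data and rules.
ALICE = User("alice", "example.com", "CN=alice,OU=Admins,DC=example,DC=com", frozenset({"unixadmins"}))
BOB = User("bob", "example.com", "CN=bob,OU=Staff,DC=example,DC=com", frozenset({"unixadmins", "contractors"}))
CAROL = User("carol", "example.com", "CN=carol,OU=Staff,DC=example,DC=com")
ALLOW = [("container", "OU=Admins,DC=example,DC=com"), ("group", "unixadmins")]
DENY = [("group", "contractors")]

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, *decide(u, ALLOW, DENY))
```

With the sample rules, bob is rejected even though he is in an allowed group, because the deny rule on his second group is evaluated first; carol is rejected only because allow rules exist and none of them covers her.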

Integrating with GPMC

The Microsoft Group Policy Management Console (GPMC) allows you to back up, restore, import, and copy group policy objects. On Windows versions prior to Windows Vista, the Group Policy extensions must be registered with GPMC so that it can properly handle Unix and Mac OS X settings.

Beginning with Windows Vista, that registration is not required.

If you are installing Authentication Services on Windows versions prior to Windows Vista and the GPMC is already installed, the Authentication Services installer automatically performs the registration. However, if GPMC is not installed, you must install GPMC and then perform the registration manually, as follows:

To register Authentication Services GPO extensions with GPMC

"C:\Program Files\Quest Software\Authentication Services\gpmcreg.exe" /register

Display specifiers

Display specifiers are Active Directory objects which provide information about how other objects in the directory display in client applications.
