Safeguard Authentication Services 5.1.3 - Administration Guide

Text Replacement Macros

The Text Replacement Macros tab allows policies to be dynamically adjusted as policy is being applied on the UNIX host. Any text specified in the policy either directly by the user or in files that are placed on the target system can be aliased to a command or environment variable.

For example, you might have a policy that uses the hostname as part of a policy setting. You can create a Text Replacement Macro called %%HOSTNAME%% and specify that this macro text be replaced by the output of the /bin/hostname command. This makes it possible for a single GPO to serve as a template on a wide range of UNIX systems.

Specifying a text replacement macro

To specify a text replacement macro

  1. Select the Text Replacement Macro tab.

  2. Click Add.

    The Text Replacement Settings dialog opens.

  3. In the Find Text field, type the text that you want to find.

  4. In the Replace With field, type an environment variable or command.

  5. Specify if you want to replace the text with a Command Result or the value of an Environment Variable.

    • Command Result: The replacement text specifies a UNIX command.

      NOTE: You must enter the full path to the file.

    • Environment Variable: The replacement text specifies an environment variable.

  6. Click OK to close the dialog and save the changes.

    Group Policy makes these replacements when it applies the policy.

    NOTE: Test the target systems to ensure that the commands and environment variables can resolve.
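The test that the note above asks for can be scripted on a target host. The following is an added example, not part of the One Identity guide or product: check_macro and its return codes are hypothetical, it assumes an environment variable is given by name (with or without a leading $), and the group/other-writable check is an extra hardening step that the guide does not mention.

```shell
#!/bin/sh
# Added example: pre-flight check for Text Replacement Macro replacements.
# Return codes are constructed for this example:
#   0 resolves                    1 command not given by full path
#   2 missing or not executable   3 writable by group or others
#   4 variable unset or bad name  5 unknown kind
check_macro() {
    kind=$1
    value=$2
    case $kind in
    command)
        prog=${value%% *}        # first word is the program, the rest are arguments
        case $prog in
            /*) ;;
            *) return 1 ;;       # the guide requires the full path
        esac
        [ -f "$prog" ] && [ -x "$prog" ] || return 2
        # Hardening step added here (not from the guide): a program that
        # group or others can rewrite can change what the macro expands to.
        mode=$(ls -ldL -- "$prog") || return 2
        case $mode in
            ?????w*|????????w*) return 3 ;;
        esac
        return 0 ;;
    env)
        name=${value#\$}         # assumption: accept NAME or $NAME
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) return 4 ;;
        esac
        eval "[ -n \"\${$name+set}\" ]" || return 4
        return 0 ;;
    *)
        return 5 ;;
    esac
}

# Constructed sample macros (kind|replacement), not taken from a real GPO.
for m in "command|/bin/sh -c true" "command|hostname" "env|HOME"; do
    rc=0
    check_macro "${m%%|*}" "${m#*|}" || rc=$?
    echo "${m#*|}: $rc"
done
```

Environment variables are checked in the shell that runs the script, so run it in an environment that matches the one in which policy is applied.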

Dynamic File Copy policy

The Dynamic File Copy policy allows you to specify a network file that will be pulled down by Group Policy agents. In contrast to the Files policy, the Dynamic File Copy policy specifies network files that are not stored in the Group Policy Template on SYSVOL. This allows an administrator to set special permissions on the files in order for UNIX administrators to update the file contents without requiring full rights to Group Policy.

You can specify the target path, ownership, and permissions for each file. Each time the Group Policy agent applies policy, it copies the file from the specified source network share to the target location on the local host.

Dynamic File Copy policies provide all of the advantages of Group Policy's built-in undo mechanism. When you unlink or delete file policies, Group Policy deletes the associated files on the host or replaces them with the previous file contents, unless you select the Copy Files Permanently option. If no source is specified, the Group Policy agent searches for the target file and sets the specified ownership and permissions. The ownership and permissions are restored when the policy is un-applied.

Dynamic File Copy policy only supports Kerberos for authentication. Machine Dynamic File Copy policy always uses the host keytab credential. User Dynamic File Copy policy always uses the Kerberos credential of the user that is logging on. In order to use a CIFS share for Dynamic File Copy policy, you must configure it to support Kerberos authentication (GSSAPI/SPNEGO). Dynamic File Copy policy does not support NTLM.

Dynamic File Copy policies can be overridden. If there are multiple policies affecting the same file entry, the permissions, ownership, and contents of the file are dictated by the lowest policy in the hierarchy affecting that file or the highest enforced policy affecting that file in the hierarchy.

Dynamic File Copy supports non-tattooing, block inheritance, ACL filtering, and enforced settings. Multiple entries with the same target are resolved according to the Group Policy Conflict Resolution rules.

After you copy a file, you can customize it using the Text Replacement Macros tab which allows you to find and replace portions of the file's content.

Login Prompt policy

The Login Prompt policy allows administrators to configure the /etc/issue and /etc/issue.net files. These files define the welcome messages displayed to users logging in. Login Prompt policies can be overridden. If there are multiple Login Prompt policies, the contents of /etc/issue are dictated by the lowest Login Prompt policy in the hierarchy or the highest enforced Login Prompt policy in the hierarchy.
