Questo contenuto non è disponibile nella lingua selezionata.

Chapter 23. Policy: Group Policy Object Access Control


Group Policy is a Microsoft Windows feature that enables administrators to centrally manage policies for users and computers in AD environments. A group policy object (GPO) is a collection of policy settings, such as name and value pairs, that are stored on a domain controller (DC) and can be applied to policy targets, such as computers and users.
GPO policy settings related to Windows logon rights are commonly used to manage computer-based access control in AD environments. SSSD can retrieve GPOs applicable to host systems and AD users; based on the retrieved GPO configuration, it determines if a user is allowed to log on to a particular host. Therefore, with the GPO-based access control provided by SSSD, the administrator can define login policies that are honored by both Red Hat Enterprise Linux and Windows clients centrally on the AD DC.

Note

SSSD only allows using GPO for the computer-based access control. Other GPO-related access control options are currently not supported.

Warning

Note that SSSD only handles rules that apply to a whole site, domain, or AD organizational unit (OU). If you want to apply the SSSD-supported GPO-based access control to a specific machine, you can create a new OU in the AD domain, move the machine to the OU, and then link the GPO to this OU.

23.1. Configuring GPO-Based Access Control

GPO-based access control can be configured in the /etc/sssd/sssd.conf file. The ad_gpo_access_control option specifies the mode in which the GPO-based access control runs. It can be set to the following values:
ad_gpo_access_control = permissive
The permissive value specifies that GPO-based access control is evaluated but not enforced; a syslog message is recorded every time access would be denied. This is the default setting.
ad_gpo_access_control = enforcing
The enforcing value specifies that GPO-based access control is evaluated and enforced.
ad_gpo_access_control = disabled
The disabled value specifies that GPO-based access control is neither evaluated nor enforced.

Important

Before starting to use the GPO-based access control and setting ad_gpo_access_control to enforcing mode, it is recommended to ensure that ad_gpo_access_control is set to permissive mode and examine the logs. By reviewing the syslog messages, you can test and adjust the current GPO settings as necessary before finally setting the enforcing mode.
The following parameters related to the GPO-based access control can also be specified in the sssd.conf file:
  • The ad_gpo_map_* options and the ad_gpo_default_right option configure which PAM services are mapped to specific Windows logon rights.
  • The ad_gpo_cache_timeout option specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
For a detailed list of available GPO parameters as well as their descriptions and default values, see the sssd-ad(5) man page.
Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.