auto.schema.allow.groups

This configuration parameter specifies a list of Active Directory groups that define which Active Directory users are valid users in the Auto Zone. Members of the specified groups are considered valid users in the Auto Zone.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

Adding zone users based on group membership

By default, all Active Directory users are included in the Auto Zone. If you specify one or more groups using this parameter the only users who can log in using their Active Directory account are members of the specified groups, members of nested groups, users whose primary group is set to one of the groups specified, and all users specified in auto.schema.allow.users.

For example, to specify that only the members of the sf-adms and sf-apps groups should be allowed to log on to computers in Auto Zone, you would enter the following:

auto.schema.allow.groups: sf-adms sf-apps

The groups you specify for the auto.schema.allow.groups parameter must be security groups, but can be domain local, global, or universal groups. Distribution groups are not supported.

You can separate each group by a space or a comma, and you can use double quotes or escape characters to include spaces or special characters in group names. For example:

auto.schema.allow.groups: server_users, "Domain Admins", Domain\ Users

You should note that this parameter does not add the Active Directory groups you specify to Auto Zone. It does not assign the groups a numeric identifier (GID) or make the groups available to use as a primary group for any of the users added to Auto Zone. This parameter simply enables UNIX profiles for the users that are members of the specified groups. You can use the auto.schema.groups parameter to specify the Active Directory groups to include in the Auto Zone and assign them GIDs. You can configure the primary group for users using the auto.schema.primary.gid parameter.

Supported group name formats

You can specify groups by name or you can list the group names in a file using any of the following formats:

  • SAM account name: sAMAccountName@domain

  • User Principal Name: name@domain

  • NTLM: DOMAIN/sAMAccountName

  • Full DN: CN=commonName,...,DC=domain_component,DC=domain_component

  • Canonical Name: domain/container/cn

The adclient process writes any group name that is not recognized to the agent log file.

Specifying the parameter value in a separate file

To specify a file that contains a list of Active Directory group names, you can set the parameter value using the file: keyword and a file location. For example:

auto.schema.allow.groups: file:/etc/centrifydc/auto_user_groups.allow

In the /etc/centrifydc/auto_user_groups.allow file, you would type each group name on its own line using any of the supported name formats. For example:

server_users
"Domain Admins"
Domain Users
CN=group6,CN=Users,DC=domain,DC=com
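The following is an added example, not part of the Centrify documentation or the adclient code, that tokenizes the two value forms described above (the inline list with space or comma separators, double quotes and backslash escapes, and the file: reference with one name per line) so you can check what group list a centrifydc.conf line actually yields before rolling it out. The grammar details (backslash escaping any single character, quotes stripped from file lines, a file read via a caller-supplied function) are assumptions for the example.

```python
from typing import Callable, List

def tokenize_group_list(value: str) -> List[str]:
    """Split an inline auto.schema.allow.groups value into group names.
    Separators are spaces or commas; double quotes and backslash escapes
    protect spaces or commas inside a name (grammar assumed from this page)."""
    names, buf, quoted, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):      # escape: keep the next char literally
            buf.append(value[i + 1]); i += 2; continue
        if c == '"':
            quoted = not quoted                    # enter/leave a quoted section
        elif c in " ,\t" and not quoted:           # unquoted separator ends a name
            if buf: names.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    if buf: names.append("".join(buf))
    return names

def parse_group_file(text: str) -> List[str]:
    """One group name per line; blank lines ignored, surrounding quotes stripped
    (assumed). Commas inside a DN are safe here because no splitting happens."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line: continue
        if len(line) >= 2 and line[0] == line[-1] == '"':
            line = line[1:-1]
        names.append(line)
    return names

def resolve_allow_groups(value: str, read_file: Callable[[str], str]) -> List[str]:
    """Return the effective group list, following a file: reference if present."""
    value = value.strip()
    if value.startswith("file:"):
        return parse_group_file(read_file(value[len("file:"):]))
    return tokenize_group_list(value)

# Constructed sample inputs mirroring the examples above (not from a real host).
INLINE_VALUE = 'server_users, "Domain Admins", Domain\\ Users'
SAMPLE_FILES = {
    "/etc/centrifydc/auto_user_groups.allow":
        'server_users\n"Domain Admins"\nDomain Users\nCN=group6,CN=Users,DC=domain,DC=com\n'
}

if __name__ == "__main__":
    print(resolve_allow_groups(INLINE_VALUE, lambda p: SAMPLE_FILES[p]))
    print(resolve_allow_groups("file:/etc/centrifydc/auto_user_groups.allow", lambda p: SAMPLE_FILES[p]))
```

Because a comma is a separator in the inline form, a full DN such as CN=group6,CN=Users,DC=domain,DC=com must be double-quoted there, whereas in the file form each line is taken whole.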

Limitations of this parameter

Auto Zone does not support one-way trusts. If there are any users in a specified group who belong to a domain that has a one-way trust relationship to the joined domain, they will not become valid users on the computer.

If you set this parameter, you should be aware of the search limit defined by the auto.schema.search.return.max parameter. The setting for that parameter limits the number of users returned in search results and stored in the cache. For example, if the auto.schema.search.return.max parameter is set to 100, and you use this parameter to specify an Active Directory group with 200 members, a query would only return results for the first 100 users. The remaining members of the group will still be allowed to log on to computers in the Auto Zone, but the results of queries might be misleading.

If desired, you can disable the auto.schema.search.return.max parameter by setting the parameter value to 0. Disabling the search limit ensures that all of the users in the specified Active Directory groups are listed as valid zone users when you run queries whether the number of users exceeds or falls short of the number specified for the auto.schema.search.return.max parameter. If you are not concerned about whether search results accurately reflect the users in the Active Directory groups you have defined for the auto.schema.allow.groups parameter, however, you don’t need to modify the auto.schema.search.return.max parameter.