auto.schema.allow.users

This configuration parameter specifies which Active Directory users to include in the Auto Zone.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

Adding specific Active Directory users to Auto Zone

By default, all Active Directory users in a forest are included in the Auto Zone. If you specify one or more users using this parameter, however, only the specified users and members of the groups specified in the auto.schema.allow.groups parameter can log in using their Active Directory account.

For example, to specify that only the users jane.doe and sai.wu should be allowed to log on to computers in the Auto Zone:

auto.schema.allow.users: jane.doe sai.wu@ajax.org

You can separate user names with a space or a comma, and use double quotes or backslash escape characters to include spaces or special characters in user names. For example:

auto.schema.allow.users: jane.doe, "Alex Adams", jae\ chin

Supported user name formats

You can specify users by name or you can list the user names in a file in any of the following formats:

  • SAM account name: sAMAccountName@domain

  • User Principal Name: name@domain

  • NTLM: DOMAIN/sAMAccountName

  • Full DN: CN=commonName,...,DC=domain_component,DC=domain_component

  • Canonical Name: domain/container/cn

The adclient process writes any user name that is not recognized to the agent log file.

Specifying the parameter value in a separate file

To specify a file that contains a list of Active Directory user names, you can set the parameter value using the file: keyword and a file location. For example:

auto.schema.allow.users: file:/etc/centrifydc/auto_user_users.allow

In the /etc/centrifydc/auto_user_users.allow file, you would type each user name on its own line using any of the supported name formats. For example:

jane.doe
sai.wu@ajax.org
CN=Alex Adams,CN=Users,DC=ajax,DC=org
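The following is an added example, not code from the product, that illustrates both the inline value syntax (space or comma separators, double quotes, backslash escapes) and the file: keyword described above. It assumes one slash distinguishes NTLM (DOMAIN/sAMAccountName) from canonical names (domain/container/cn), which the page does not state, and the sample names and file contents are constructed.

```python
import re
import shlex

def split_allow_value(value):
    """Split an inline auto.schema.allow.users value on spaces or commas,
    honouring double quotes and backslash escapes as the page describes."""
    lexer = shlex.shlex(value, posix=True)
    lexer.whitespace = " \t,"        # commas are separators alongside whitespace
    lexer.whitespace_split = True    # split only on those separators, not on punctuation
    lexer.commenters = ""            # '#' is not a comment marker inside the value
    return [tok for tok in lexer if tok]

def classify_name(name):
    """Map a user entry to one of the supported name formats, or None if unrecognised.
    Assumption (not from the page): one '/' means NTLM, two or more means canonical."""
    name = name.strip()
    if not name:
        return None
    if re.match(r"(?i)^CN=.+,DC=[^,]+", name):
        return "dn"                                   # CN=...,DC=...,DC=...
    if name.count("@") == 1 and all(name.split("@")):
        return "upn_or_sam_at_domain"                 # name@domain or sAMAccountName@domain
    if "/" in name and all(name.split("/")):
        return "ntlm" if name.count("/") == 1 else "canonical"
    if re.fullmatch(r'[^@/=,"\\]+', name):
        return "sam"                                  # bare sAMAccountName, e.g. jane.doe
    return None

def load_allowed_users(value, read_lines):
    """Resolve the parameter: an inline list, or 'file:<path>' with one name per line.
    read_lines(path) -> list of lines is injected so the example runs without a real file.
    Returns (accepted, unrecognised); the second list is what adclient would log."""
    if value.startswith("file:"):
        names = [ln.strip() for ln in read_lines(value[len("file:"):]) if ln.strip()]
    else:
        names = split_allow_value(value)
    accepted, unrecognised = [], []
    for n in names:
        (accepted if classify_name(n) else unrecognised).append(n)
    return accepted, unrecognised

# Constructed sample data, not taken from any real system.
SAMPLE_INLINE = 'jane.doe, "Alex Adams", jae\\ chin sai.wu@ajax.org'
SAMPLE_FILES = {"/etc/centrifydc/auto_user_users.allow": [
    "jane.doe", "sai.wu@ajax.org", "AJAX/jdoe",
    "ajax.org/Users/Alex Adams", "CN=Alex Adams,CN=Users,DC=ajax,DC=org", "@ajax.org"]}

if __name__ == "__main__":
    print(split_allow_value(SAMPLE_INLINE))
    print(load_allowed_users("file:/etc/centrifydc/auto_user_users.allow", SAMPLE_FILES.get))
```

The unrecognised list is the set of entries a practitioner should expect to see reported in the agent log rather than silently granted or denied.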