auto.schema.groups
This configuration parameter specifies the Active Directory groups to include in the Auto Zone. When you specify one or more groups in this parameter, the groups specified are assigned a group ID on this computer.
The command syntax is:
auto.schema.groups: groupname [, groupname, groupname, ...]
By default all Active Directory groups are included.
If an Active Directory user specified in auto.schema.allow.users is a member of a group and that group is NOT specified in auto.schema.groups, that group is ignored.
Any groups listed under auto.schema.groups can be domain local, global or universal security groups. Distribution groups are not supported.
You specify each group by name or you can list the groups in a file. The group name can be specified in any of the following formats:
- SAM account name: sAMAccountName@domain
  (specify the domain if the group is not in the current domain)
- User Principal Name: name@domain
- NTLM: DOMAIN/sAMAccountName
  Use the adclient.ntlm.separators parameter to specify different NTLM separators.
- Full DN: CN=commonName,...,DC=domain_component,DC=domain_component
- Canonical Name: domain/container/cn
adclient writes any name that is not recognized to the agent log file.
You can also define the groups using group policy.
Examples:
auto.schema.groups: finance_users
auto.schema.groups: "Mktg Users"
auto.schema.groups: ops@domain.com
You can specify multiple groups in a single command. Separate each group by a comma and use escape characters to include, for example, spaces, backslashes, or a comma in the group specification. For example,
auto.schema.allow.groups: server_users, "Domain Admins", Domain\ Users, \
group1, group2@domain.com, domain\\group3, domain+group4, \
domain/group5, \
CN=group6\,CN=Users\,DC=domain\,DC=com, \
domain/Users/group7
You can also use a file instead. The syntax is file:/path. For example,
auto.schema.allow.groups: file:/etc/centrifydc/auto_user_groups.allow
In the file, enter each group line by line. However, you do not need the escape characters. For example, the following list enters the same groups as the previous example:
server_users
"Domain Admins"
Domain Users
group1
group2@domain.com
domain\group3
domain+group4
domain/group5
CN=group6,CN=Users,DC=domain,DC=com
domain/Users/group7
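The equivalence between the escaped inline list and the file form can be checked before a change is deployed. This is an added example, not Centrify's own parser: it applies only the escaping rules described on this page (backslash escapes, double quotes, a backslash at the end of a line as continuation), assumes surrounding quotes in the file are delimiters, and uses hypothetical function names. The sample strings are the page's example list with each continuation backslash at the end of its line.

```python
# Added example; parsing rules are inferred from this page, not taken from adclient.
INLINE = r'''server_users, "Domain Admins", Domain\ Users, \
group1, group2@domain.com, domain\\group3, domain+group4, \
domain/group5, \
CN=group6\,CN=Users\,DC=domain\,DC=com, \
domain/Users/group7'''
FILE = r'''server_users
"Domain Admins"
Domain Users
group1
group2@domain.com
domain\group3
domain+group4
domain/group5
CN=group6,CN=Users,DC=domain,DC=com
domain/Users/group7'''

def parse_inline(value):
    """Split the escaped, comma-separated form into group names."""
    groups, cur, quoted, i = [], [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            if value[i + 1] != "\n":      # backslash-newline is a continuation
                cur.append(value[i + 1])  # any other escaped character is literal
            i += 2
            continue
        if ch == '"':
            quoted = not quoted           # quotes delimit; they are not part of the name
        elif ch == "," and not quoted:
            groups.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    groups.append("".join(cur).strip())
    return [g for g in groups if g]

def parse_file(text):
    """One group per line, no escapes; surrounding quotes are dropped (assumption)."""
    names = (line.strip() for line in text.splitlines())
    return [n[1:-1] if len(n) > 1 and n[0] == n[-1] == '"' else n for n in names if n]

def drift(inline_value, file_text):
    """Groups present in only one of the two forms; empty when they agree."""
    return sorted(set(parse_inline(inline_value)) ^ set(parse_file(file_text)))

if __name__ == "__main__":
    print("drift:", drift(INLINE, FILE))
```

A non-empty result from drift() means the two forms would place different groups in the Auto Zone, which is worth catching when a list is migrated from the configuration file to a file: reference.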
In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.