nss.program.ignore
This configuration parameter specifies one or more programs or commands that should not look up account information in Active Directory. The programs you specify for this parameter do not use the agent to contact Active Directory.
Setting this parameter helps to ensure that local programs that create, manage,
or use local user and group information do not attempt to look up conflicting
information in Active Directory. For example, you can specify programs such as
adduser and addgroup to ensure those programs can still be used to create and
update local accounts independent of Active Directory:
nss.program.ignore: addgroup,adduser
The specific programs you should include in the list vary by platform and the specific operating environment you are using. The default setting for this configuration parameter includes the most common program names that shouldn’t make calls to Active Directory through the agent.
If you have auditing enabled, the agent’s auditing service maintains a cache of
user information for performance reasons. When you have auditing enabled, you
can also use this parameter to have the agent bypass its local cache
when you use commands that manipulate local user information directly. For
example, you would want the agent to skip checking its local cache when you use
commands such as useradd, userdel, adduser, usermod, mkuser, rmuser, chuser, and
any other programs that directly access the local /etc/passwd file.
You can also set this configuration parameter using group policy.
Considerations When Using This Parameter
- This parameter blocks all NSS calls from the listed programs. This includes specific lookups (getpwnam, getgrnam), not just enumerations (getpwent, getgrent).
- Setting this parameter does not affect the information returned when the nscd or pwgrd daemon is running on a system. The nscd and pwgrd daemons provide a cache for faster user and group lookups, but when the response comes from this cache, the agent cannot modify the response to skip the programs listed with this parameter.
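The following check is an added example, not part of the product documentation: it reports which local account tools are missing from an explicit nss.program.ignore setting and whether nscd or pwgrd is running, since cached responses are not filtered by the parameter. Assumptions: the configuration file path is supplied by the caller, lines starting with `#` are comments, and the last uncommented setting is the effective one.

```shell
#!/bin/sh
# Added example: audit nss.program.ignore in an agent configuration file.
# The file path is passed in by the caller; this page does not name it.

# Print the programs in the last uncommented nss.program.ignore line,
# one per line. Returns 1 when the parameter is not set explicitly,
# in which case the agent's default list applies.
ignored_programs() {
    line=$(grep -E '^[[:space:]]*nss\.program\.ignore[[:space:]]*:' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "${line#*:}" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# Print each program named after the file argument that is NOT in the list.
missing_from_ignore() {
    conf=$1; shift
    listed=$(ignored_programs "$conf") || return 1
    for prog in "$@"; do
        printf '%s\n' "$listed" | grep -qxF -- "$prog" || printf '%s\n' "$prog"
    done
}

# Name any running lookup cache daemon. Responses served from its cache
# are not filtered by nss.program.ignore.
running_cache_daemons() {
    for d in nscd pwgrd; do
        pgrep -x "$d" >/dev/null 2>&1 && printf '%s\n' "$d"
    done
    return 0
}

# Constructed sample configuration, used only for this demonstration.
sample=$(mktemp)
printf '%s\n' '# nss.program.ignore: useradd' \
    'nss.program.ignore: addgroup, adduser' > "$sample"

# Local account tools named on this page.
tools="useradd userdel adduser usermod addgroup"
echo "not ignored: $(missing_from_ignore "$sample" $tools | tr '\n' ' ')"
echo "cache daemons running: $(running_cache_daemons | tr '\n' ' ')"
rm -f "$sample"
```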