PowerBroker Identity Services. Group Policy Guide


PowerBroker Identity Services Group Policy Guide

Revision/Update Information: May 2014

Corporate Headquarters
5090 N. 40th Street
Phoenix, AZ
Phone:

COPYRIGHT NOTICE
Copyright 2014 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. ("BeyondTrust") or BeyondTrust's authorized remarketer, if and when applicable.

TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying, modification and use.

DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR PURPOSE.

LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture, duplication, distribution or disclosure. (FAR (g)(2)(Alternate II))

LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to limited rights and other restrictions, as set forth in the Rights in Technical Data Noncommercial Items clause at DFARS.

TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage, PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Desktops, PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust. ssh is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH logo, Tectia and tectia logo are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. This application contains software powered by PKAIP, the leading solution for enabling efficient and secure data storage and transmission. PKAIP is provided by PKWARE, the inventor and continuing innovator of the ZIP file format. Used with permission.

FICTITIOUS USE OF NAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead is entirely coincidental.

OTHER NOTICES
If and when applicable the following additional provisions are so noted: The PBIS Open software is free to download and use according to the terms of the Limited GPL 2.1 for client libraries and the GPL 2 for daemons. The licenses for PBIS Enterprise and for the PBIS UID-GID Module are different. For complete information on the software licenses and terms of use for BeyondTrust products, see

Contents

Introduction 7
Conventions 7
Font Conventions 7
Linespacing Conventions 7
Where to Go Next? 7
Documentation for PBIS 8
Contacting Support 8
Telephone 8
Online 8

Working with PBIS Group Policy Settings 9
About Group Policy Settings 9
User Settings 9
PBIS Group Policy Agent 10
PBIS GPO Refresh Tool 10
Inheritance 10
Filtering by Target Platform 10
Managing GPOs 11
View a Report on a GPO's Policy Settings 12
Walkthrough: Creating a sudo GPO 13
Create a sudo GPO 13
Test the sudo GPO 16
Test sudo Security 16

PBIS Settings 17
Show a Password Expiration Warning 17
Authorization and Identification 18
Set the Cache Expiration Time 18
Set the Domain Separator Character 19
Set the Home Directory Template and Path Prefix 20
Set a Remote Directory Path for AD Accounts 22
Set the Login Shell 23
Set the Maximum Tolerance for Kerberos Clock Skew 24
Trust Enumeration Settings 24
Require Trust Enumeration Completion at Startup 26
Ignore User or Group Names 27
Prepend Domain Name for AD Users and Groups 28
Change NSS Membership and NSS Cache Settings 29
Turn On Event Logging with a GPO 31
Stop Refreshing User Credentials 31
Sign and Seal LDAP Traffic with a GPO 32
Force Authentication to Use Unprovisioned Mode 33
Turn Off Logging of Network Events 34
Turn Off System Time Synchronization with a GPO 34
Set the Machine Account Password Expiration Time 35
Replace Spaces in Names with a Character 36
Logon 36
Allow Logon Rights (RequireMembershipOf) 37
Create a .k5login File in a User's Home Directory 38
Create a Home Directory for a User Account at Logon 39
Set Permissions with a File Creation Mask 39
Show a Denied Logon Rights Message 40
Set the Local Account Password Lifespan 40
Log PAM Debugging Information 41
Copy Template Files When Creating a Home Directory 41
Smart Card 42
Reaper Syslog Settings 42
Group Policy Agent 42
Set the Computer Policy Refresh Interval 43
Set the User Policy Refresh Interval 43
Turn On Event Logging for the Group Policy Agent 44
Set the User Policy Loopback Processing Mode 45
Turn Off User Logon Group Policies 46
Event Log 47
Set Access Rights to Delete, Read, and Write Events 47
Set Maximums for Events, Disk Usage, and Lifespans 48
Event Forwarder 49
User Monitor 49
Enable Monitoring of Users and Groups 50
Monitoring Check Interval 51
SNMP Settings 51

PowerBroker Servers Settings 53
PowerBroker Policy Rules Data 53
Priority of Rules Within a GPO 53
PowerBroker Server Policy Rules Data 53
Create or Modify a PBUL Rule 55
Change the Priority of PBUL Rules 60
Disable or Enable PBUL Rules 60
Export, Manually Edit, and Import PBUL Rules 60
PBUL Configuration 61

Message Settings 64
Display a Message with a Login Prompt Policy 64
Display a Message of the Day 64

Logging and Audit Settings 66
Create a SysLog Policy 66
Secure Computers with an AppArmor Policy 67
Secure Computers with an SELinux Policy 68
Rotate Logs 69

File System Settings 71
Automount a File System 71
Example Usage 71
Inheritance and Backup 72
Automount a File System 72
Create Directories, Files, and Links 72
Specify the File System Mounts (fstab) 74

Task Settings 76
Schedule Cron Jobs with a crontab or cron.d Policy 76
Run a Script File 76

Security Group Policies 77

Network Settings 79
Set DNS Servers and Search Domains 79

Setting MCX Policy Settings with Workgroup Manager 82
How PBIS Applies Workgroup Manager Settings as GPOs 82
Requirements 83
Windows Requirements 83
Mac Prerequisites 83
Configure an MCX GPO With the Workgroup Manager 84
On Your Windows Computer 84
On Your Mac Workstation 85
Verify Preferences are Applied 87
Walkthrough: Configure a Network Directory with Workgroup Manager 88
Walkthrough: Apply a GPO to Password-Protect the Screen Saver 91
Troubleshooting Workgroup Manager 94
Turn on Directory Service Logging 94
Fix Unexpected Error of the Source Cache 95

Mac Settings 96
Mac System Preferences 96
Accessing Mac System Preferences 96
Security 96
Firewall 97
Bluetooth 97
Energy Saver 97
Mac DS Plugin Settings 98

Appendix A: Troubleshooting the PBIS Group Policy Agent 101
Force PBIS Group Policy Objects to Refresh 101
Check the Status of the PBIS Group Policy Daemon 101
Restart the PBIS Group Policy Daemon 101
Generate a PBIS Group Policy Agent Debug Log 101
Modify or Inspect GPOs from the gp-admin Command 102

BeyondTrust May

Introduction

PowerBroker Identity Services (PBIS) joins Unix, Linux, and Mac OS X computers to Active Directory so that you can centrally manage all your computers from one source, authenticate users with the highly secure Kerberos 5 protocol, control access to resources, and apply group policies to non-Windows computers.

This guide describes how to manage Unix, Linux, and Mac OS X computers using Group Policy settings provided with PowerBroker Identity Services Enterprise Edition (PBIS Enterprise).

Conventions

Specific font and linespacing conventions are used to ensure readability and to highlight important information such as commands, syntax, and examples.

Font Conventions

The font conventions are:

Courier New Font is used for program names, commands, command arguments, directory paths, variable names, text input, text output, configuration file listings, and source code. For example:
    /etc/powerbroker/product.cfg

Courier New Bold Font is used for information that should be entered into the system exactly as shown. For example:
    pbcheck -v

Courier New Italics Font is used for input variables that need to be replaced by actual values. In the following example, variable-name must be replaced by an actual environment variable name:
    result = getenv (variable-name);

Bold is used for Windows buttons. For example: Click OK.

Linespacing Conventions

The linespacing of commands, syntax, examples, and computer code may vary from actual Windows and Unix/Linux usage because of space limitations. For example, if the number of characters required for a single line does not fit within the text margins for this book, the text is displayed on two lines with the second line indented as shown in the following sample:
    result = sprintf ("System administrator Ids: %s %s %s",
        "Adm1", "Adm2", "Adm3");

Where to Go Next?

For more information, see the documentation and resources listed in the following sections.

Documentation for PBIS

The PBIS documentation includes:
- PBIS Enterprise Installation Guide
- PBIS Enterprise Administration Guide
- PBIS Enterprise Linux Administration Guide
- PBIS Enterprise Auditing & Reporting Guide
- PBIS Enterprise Group Policy Administration Guide
- PBIS Release Notes
- Report Book
- Best Practices (go to the BeyondTrust web site)

Contacting Support

For support, go to our Customer Portal, then follow the link to the product you need assistance with. The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support
Within Continental United States:
Outside Continental United States:

Vulnerability Management Support
North/South America: enter access code
All other Regions:
Standard Support: enter access code
Platinum Support: enter access code

Online

Working with PBIS Group Policy Settings

This section contains general information about PBIS Group Policy settings.

About Group Policy Settings

PBIS Enterprise enables you to configure Group Policy settings for computers running Linux, Unix, and Mac OS X. PBIS Enterprise includes more than 100 policy settings that are designed to manage non-Windows computers. All the policy settings are integrated with the Microsoft Group Policy Management Editor, part of the Microsoft Group Policy Management Console (GPMC).

For example, you can use a Group Policy setting to control who can use sudo for access to root-level privileges by specifying a common sudoers file for target computers. You could create an Active Directory group called SudoUsers, add Active Directory users to the group, and then apply the sudo Group Policy setting to the container, giving those users sudo access on their Linux and Unix computers. In the sudoers file, you can specify Windows-style user names and identities. Using a Group Policy setting for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.

PBIS stores its Unix and Linux policy settings in Group Policy Objects (GPOs) in the same location and in the same format as the default GPOs in Windows Server: in the system volume (sysvol) shared folder. Unix and Linux computers that are joined to an Active Directory domain receive GPOs in the same way that a Windows computer does.

User Settings

The following user settings are available:
- Several hundred Linux policy settings
- Mac system Workgroup Manager settings
- Files, Directories, Links, and Scripts policy setting

PBIS Group Policy Agent

The PBIS Group Policy Agent is automatically installed when you install the PBIS agent. To apply and enforce policy settings, the PBIS Group Policy Agent runs continuously as a daemon, processing user policy and computer policy:
- Computer policy processing: The agent traverses the computer's distinguished name (DN) path in Active Directory.
- User policy processing: Occurs when a user logs on; the agent traverses the user's DN path in Active Directory.

The PBIS Group Policy Agent connects to Active Directory, retrieves changes, and applies them once every 30 minutes, when a computer starts or restarts, or when requested by the GPO refresh tool. The PBIS Group Policy Agent uses the computer account credentials to securely retrieve policy template files over the network from the domain's protected system volume shared folder. The PBIS Group Policy Agent applies only PBIS Group Policy settings, those in the Unix and Linux Settings collection in the Group Policy Management Editor; it does not apply any other Group Policy settings that may be specified in the GPOs.

PBIS GPO Refresh Tool

To force a computer to pull the latest version of its Group Policy settings, you can run the PBIS GPO refresh tool at any time by executing the following command at the shell prompt:
    /opt/pbis/bin/gporefresh

On target computers, PBIS stores policy settings in /var/lib/pbis/grouppolicy.

Inheritance

There are two types of policy settings:
- File-based: File-based policy settings, such as sudo and automount, typically replace the local file. File-based policy settings are not inherited and do not merge with the local file.
- Property-based: Property-based policy settings are inherited, meaning that the location of a GPO in the Active Directory hierarchy can affect its application. Property-based settings merge with local policy settings. Local policy settings are not replaced by property-based settings.

Most policy settings are based on properties.

Filtering by Target Platform

You can set the target platforms for a GPO. The GPO is applied only to the platforms that you select. You can select the target platforms by operating system, distribution, and version. For example, you can target a GPO at:
- Only computers running SUSE Linux Enterprise Server
- A mixture of operating systems and distributions, such as Red Hat Linux, Sun Solaris, Ubuntu Desktop, and HP-UX
- Computers running Mac OS X

Some policy settings, however, apply only to specific platforms. For more information, see the Help for the policy setting that you want to use.

Target Platforms:
- Mac OS X
- CentOS Linux
- Debian Linux
- Fedora Linux
- Hewlett-Packard HP-UX
- IBM AIX
- OpenSUSE Linux
- Red Hat Linux
- Red Hat Enterprise Linux (ES and AS)
- Sun Solaris
- SUSE Linux
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- Ubuntu Linux

Go to the Target Platform Filter policy to select targets for the GPO.

Managing GPOs

You can create or edit Group Policy Objects (GPOs) and configure policy settings for computers running Linux, Unix, and Mac OS X by using the Group Policy Management Console (GPMC).

Note: To manage a GPO, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

You can download the Microsoft Group Policy Management Console at

To create a GPO using GPMC:
1. Click Start, Administrative Tools, and click Group Policy Management.
2. Right-click the organizational unit, and then select Create a GPO in this domain, and Link it here.
3. Type a name for your GPO.
4. Click OK.
5. Right-click the GPO that you created, and then click Edit.

Note: The PBIS Group Policy settings are in the Unix and Linux Settings collection. For more information about each policy, see the Help for the policy setting that you want to use.

View a Report on a GPO's Policy Settings

In GPMC, you can view details on PBIS policy settings defined in a GPO. Go to the GPO and select the Settings tab.

Walkthrough: Creating a sudo GPO

You can create a GPO to specify a sudo configuration file for target computers. Sudo, or superuser do, allows a user to run a command as root or as another user. You can use this GPO to control sudo access in a centralized and uniform way. The sudo configuration file is copied to the local computer and replaces the local sudoers file. A sudo file can reference Active Directory users and groups. For more information about sudo, see the man pages for your system.

When you define the GPO, you can also set its target platforms. The GPO settings are applied only to the operating systems, distributions, and versions that you choose. For more information, see Specify Target Platforms.

Note: The PBIS entries in your sudoers file must conform to the rules set in "Configure Entries in Your Sudoers Files" in the PowerBroker Identity Services Enterprise Edition Administration Guide.

Create a sudo GPO

Note: To create or edit a GPO, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

To create a sudo GPO:
1. In the Group Policy Management Editor, expand either Computer Configuration or User Configuration, and then expand Policies, Unix and Linux Settings.
2. Expand Security Settings, and then select SUDO command.
3. Double-click Define Sudoer file.
4. Select the Define this Policy Setting check box, and then in the Current file content box, type your commands. Or, to import a sudo configuration file, click Import.
5. Select Target Platform Filter.
6. Double-click Target platforms.
7. To target all the platforms, select All. To choose platforms, click Select from the List, and then select the platforms.

Test the sudo GPO

After you set the sudo GPO, you can test it on a target computer. The target computer must be in a cell associated with the organizational unit where you linked the sudo GPO.

1. On a target Linux or Unix computer, log on as an administrator and execute the following command to force PBIS Group Policy settings to refresh:
    /opt/pbis/bin/gporefresh
2. Check whether your sudoers file is on the computer:
    cat /etc/sudoers
   Note: The location of the sudoers file varies by platform. For example, on Solaris it is in /opt/sfw/etc or /opt/csw/etc. On other platforms, it is in /usr/local/etc.
3. Log on to the Unix or Linux computer as a regular user who has sudo privileges as specified in the sudoers configuration file.
4. Try to access a system resource that requires root access using sudo. When prompted, use the password of the user you are logged on as, unless targetpw is set in the sudoers file. Verify that the user was authenticated and that the user can access the system resource.

Test sudo Security

To test sudo security:
1. Log on as a user who is not enabled with sudo in the sudoers file that you used to set the Group Policy Object (GPO).
2. Verify that the user cannot perform root functions using sudo with his or her Active Directory credentials.
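The two manual tests above (the permitted user can reach root, the non-permitted user cannot, and the file that landed is the one the GPO defined) as a script; this is an added example, not code from the PBIS guide. It assumes PBIS has rendered AD names lowercase with the default "\" domain separator, the sudoers content and group memberships are constructed, and the parser covers only plain "who host=(runas) commands" rules.

```python
"""Audit a GPO-delivered sudoers file the way the manual test above does.

Constructed example (not PBIS code). It assumes PBIS renders AD names lowercase
with the default "\\" domain separator, so entries look like "corp\\jdoe" for a
user and "%corp\\sudousers" for an AD group. The parser handles plain
"who host=(runas) commands" rules and skips Defaults, aliases and comments.
"""
import hashlib
import re

# Constructed sudoers content, standing in for the file defined in the GPO.
GPO_SUDOERS = """\
# sudoers delivered by the PBIS sudo GPO
Defaults env_reset
root ALL=(ALL) ALL
corp\\jdoe ALL=(ALL) ALL
%corp\\sudousers ALL=(root) /usr/bin/systemctl, /usr/sbin/service
%corp\\webadmins ALL=(www-data) NOPASSWD: /usr/bin/tail
"""

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV):\s*)+")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_rules(text):
    """Return (who, host, runas, [commands]) for every user/group rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: " + line)
        cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
        # sudo runs commands as root when no (runas) list is given
        rules.append((m.group("who"), m.group("host"), m.group("runas") or "root", cmds))
    return rules


def grants_for(rules, user, groups):
    """Rules that apply to a user: matched by name or by a %group membership."""
    ids = {user} | {"%" + g for g in groups}
    return [(host, runas, cmds) for who, host, runas, cmds in rules if who in ids]


def can_run_as_root(rules, user, groups):
    """True if any applicable rule lets the user run a command as root."""
    return any(
        r.strip() in ("ALL", "root")
        for _host, runas, _cmds in grants_for(rules, user, groups)
        for r in runas.split(",")
    )


def file_matches_gpo(local_text, gpo_text):
    """File-based policies replace the local file, so the on-disk sudoers
    should hash identically to what the GPO defines."""
    sha = lambda t: hashlib.sha256(t.encode()).hexdigest()
    return sha(local_text) == sha(gpo_text)


def audit(gpo_text, local_text, expected_root_users, groups_of):
    """Findings from the two manual tests: expected users can sudo to root,
    nobody else can, and the delivered file is the one the GPO defined."""
    findings = []
    if not file_matches_gpo(local_text, gpo_text):
        findings.append("local sudoers differs from the GPO-defined file")
    rules = parse_rules(local_text)
    for user, groups in groups_of.items():
        root = can_run_as_root(rules, user, groups)
        if root and user not in expected_root_users:
            findings.append("unexpected root access via sudo: " + user)
        elif not root and user in expected_root_users:
            findings.append("expected sudo root access missing: " + user)
    return findings


if __name__ == "__main__":
    # Constructed group memberships, as PBIS would report them for each user.
    members = {
        "corp\\jdoe": ["corp\\domain users"],
        "corp\\asmith": ["corp\\domain users", "corp\\sudousers"],
        "corp\\bjones": ["corp\\domain users"],
    }
    print(audit(GPO_SUDOERS, GPO_SUDOERS, {"corp\\jdoe", "corp\\asmith"}, members))
```

On a real host, read the local file from the platform-specific path noted in step 2 and pass it as local_text.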

PBIS Settings

This section describes how to configure each policy setting included with PBIS Enterprise. The policy settings that follow are organized into sections that match their location in the console tree of the Group Policy Management Editor.

Show a Password Expiration Warning

This policy setting configures the number of days to display a warning before a local account password expires on a target Linux computer. By default, the warning message is displayed for 5 days. Set the value to 0 to disable the warning. This policy setting is only for computers running Linux.

To configure a password expiration warning:
1. In GPMC, create or edit a GPO for the organizational unit that you want, and then edit it in the Group Policy Management Editor. For more information, see Managing GPOs, page 11.
2. In the Group Policy Management Editor, expand Computer Configuration, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Local account password expiration warning, and then select the Define this policy setting check box.
4. Enter the number of days to display the warning message.

Authorization and Identification

The following group policies are in the Authorization and Identification folder located in the PBIS Settings folder.

Set the Cache Expiration Time

You can set how long the PBIS agent caches information about a user's home directory, logon shell, and the mapping between the user or group and the security identifier (SID) on target Unix and Linux computers. Features that are using offline cached credentials re-attempt to log on to the Active Directory domain controller at the interval that you set. When online, the PBIS agent also caches the information for the specified time period. You can use this policy to improve the performance of your system by increasing the expiration time of the cache.

This policy works on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings, page 9.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs, page 11.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. In the details pane, double-click Cache expiration time, and then select the Define this Policy Setting check box.
4. In the Cache timeout box, enter the time, in minutes.

Set the Domain Separator Character

The default domain separator character is set to \. By default, the Active Directory group DOMAIN\Administrators appears as DOMAIN\administrators on target PBIS clients. The PBIS authentication daemon renders all names of Active Directory users and groups lowercase. You can, however, replace the slash that acts as the separator between an Active Directory domain name and the SAM account name with a character that you choose. The following characters cannot be used as the separator:
- Alphanumeric characters - letters and #
- The character that you used for the space-replacement setting; for more information, see Replace Spaces in Names with a Character, page 36.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. In the details pane, double-click Domain Separator Character, and then select the Define this Policy Setting check box.
4. In the String Value box, type the character that you want to use. For example, ~

Set the Home Directory Template and Path Prefix

Use the home directory path template and path prefix policy settings together to customize the way that the home directory path is determined for a user account. In the Group Policy Management Editor, the policy settings are under Authorization and Identification.

Home directory path template

Set a home directory path template for target systems running lsassd.

Note: Home directory settings configured at the Cell level (either using PowerBroker Cell Manager or the PowerBroker Cell Settings in ADUC) override the settings provided at the policy level. The Login Shell Template setting can affect a user's home directory when the home directory is not configured in the Cell.

Two home directory path template policies are available:
- Home directory path template: use for an Active Directory account. Policy settings apply to users logging on to a computer using Active Directory domain credentials.

- Local home directory path template: use for a local PBIS account. Policy settings apply to users logging on to a computer using PBIS local provider credentials.

You can use the following variables when configuring the home directory path template policy:

Variable  Description
%U        Required. The default user name.
%D        Optional. The default domain name.
%H        Optional. The default home directory prefix. If set in the path prefix policy, it must be set as an absolute path. This value, if used, is typically the first variable in the sequence.
%L        Optional. The host name of the computer.

The following example shows the default values for the Home directory path template policy. Note that the %H variable is not preceded by a slash. The slash is included when you configure the prefix.

By default, the %H variable creates a home directory path compatible with the target OS. For example:
- Solaris: Maps to /export/home. On Solaris, you cannot create a local home directory in /home, because /home is used by autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in /export/home.
- Mac OS X: Maps to /Users. On Mac OS X, to mount a remote home directory, you must first create the directory on the remote server as well as the folders for music, movies, and so forth. See Use the createhomedir Command to Create Home Directories and other information on Apple's website.
- Linux: Maps to /home.

To configure home directories other than the defaults, however, you must explicitly configure the home directory path and prefix for each target operating system using PBIS's target platform filter; see Filtering by Target Platform, page 10.

Home directory path prefix

The prefix that you configure in the prefix policy replaces the %H variable if configured in the home directory path template policy. Two home directory path prefix policies are available:
- Home directory path prefix: use for an Active Directory account.
- Local home directory path prefix: use for a local PBIS account.

The prefix must be an absolute path. Precede the entry with a slash, as the default setting illustrates.

Set a Remote Directory Path for AD Accounts

You can use the Remote directory path template policy setting to automatically connect (mount) Linux and Unix computers to the share locations that are defined in each user's Active Directory account profile, so that documents and settings specific to the user are available on any computer from which they log on to your network. If the share path is represented as a DFS URL, PBIS translates these paths to SMB server\share\paths that the native CIFS mount support can use. In newer Linux distributions, the user's single sign-on Kerberos logon credentials are used to connect to the shares.

You can use these shares in either of the following ways:
- As a resource folder accessible to the user's local home directory.
- As the actual user home directory for a network-mounted user account profile.

When the user logs off, the network mount connection is automatically removed.
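The name-rendering and home-directory rules from the Domain Separator and Home Directory Template sections, worked through in code; this is an added example, not PBIS code. It assumes the platform defaults and template variables listed above, treats '-' and '#' as rejected separators on a conservative reading of the guide's list, and lowercases %D and %U the way the agent lowercases other names (an assumption, since the guide does not say which case %D takes).

```python
"""Render AD names and home directory paths by the rules in the sections above.

Constructed example, not PBIS code. It models what the text states: the agent
renders names lowercase; the domain separator cannot be alphanumeric, '-', '#'
or the space-replacement character; the home template takes %U (required), %D,
%H and %L; %H is the prefix policy if set (must be absolute), otherwise the
platform default, and is not itself preceded by a slash in the template.
"""
import re

# Platform defaults for %H, as listed in the guide.
PLATFORM_HOME = {"linux": "/home", "solaris": "/export/home", "macosx": "/Users"}
KNOWN_VARS = {"%U", "%D", "%H", "%L"}


def is_valid_separator(sep, space_replacement=None):
    """Apply the guide's constraints on the domain separator character.
    '-' and '#' are rejected on a conservative reading of the guide's list."""
    if len(sep) != 1 or sep.isalnum() or sep in "-#":
        return False
    return space_replacement is None or sep != space_replacement


def render_name(domain, sam_name, sep="\\", space_replacement=None):
    """DOMAIN\\Administrators -> domain\\administrators with the chosen separator."""
    if not is_valid_separator(sep, space_replacement):
        raise ValueError("invalid domain separator: %r" % sep)
    name = sam_name.lower()
    if space_replacement is not None:
        name = name.replace(" ", space_replacement)
    return domain.lower() + sep + name


def expand_home_template(template, user, domain, host, platform, prefix=None):
    """Expand a home directory path template for one user on one platform.
    Assumption: %D and %U are lowercased like other names the agent renders."""
    if "%U" not in template:
        raise ValueError("%U is required in a home directory template")
    unknown = set(re.findall(r"%[A-Za-z]", template)) - KNOWN_VARS
    if unknown:
        raise ValueError("unknown template variables: " + ", ".join(sorted(unknown)))
    if "/%H" in template:
        raise ValueError("%H must not be preceded by a slash; the prefix supplies it")
    if prefix is not None and not prefix.startswith("/"):
        raise ValueError("home directory path prefix must be an absolute path")
    values = {
        "%U": user.lower(),
        "%D": domain.lower(),
        # the prefix policy replaces %H; otherwise the platform default applies
        "%H": prefix if prefix is not None else PLATFORM_HOME[platform],
        "%L": host,
    }
    out = template
    for var, val in values.items():
        out = out.replace(var, val)
    return out


if __name__ == "__main__":
    print(render_name("CORP", "Domain Admins", sep="~", space_replacement="^"))
    for plat in PLATFORM_HOME:
        # sample template; the per-platform %H default produces the difference
        print(plat, expand_home_template("%H/local/%D/%U", "JDoe", "CORP", "host1", plat))
```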

To use this policy setting to mount a remote file share specific to the user:

Note: Before this policy setting can be effective, in Active Directory Users and Computers (ADUC), you must first configure the network share to be mounted.

1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs, page 11.
2. In the Group Policy Management Editor, expand Computer Configuration, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. In the details pane, double-click Remote directory path template, and then select the Define this policy setting check box.
4. In the Path template box, enter the local folder to which the share should be mounted using the following variables, and then click OK.

Variable  Description
%U        Required. The default user name.
%D        Optional. The default domain name.
%H        Optional. The default home directory prefix. If set in the path prefix policy, it must be set as an absolute path. This value, if used, is typically the first variable in the sequence.
%L        Optional. The host name of the computer.

Example: If none of the defaults have been modified, the following path template mounts the home folder specified in ADUC in the user's home folder as MyHome:
    %H/local/%D/%U/MyHome

Set the Login Shell

There are two policies available to set the login shell:
- Login shell template: used for an Active Directory account.
- Local account login shell template: used for a local PBIS account.

Note: The login shell template policy defines the login shell for an AD account only when it is not set on the PowerBroker Cell Settings tab in Active Directory.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Create or Edit a Group Policy.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click either Login shell template or Local account login shell template, and then select the Define this Policy Setting check box.
4. In the Shell box, type the shell you want; for example, /bin/bash.

Set the Maximum Tolerance for Kerberos Clock Skew

You can create a group policy to set the maximum amount of time that the clock of the Kerberos Distribution Center (KDC) can deviate from the clock of target hosts. For security, a host rejects responses from any KDC whose clock is not within the maximum clock skew, as set in the host's krb5.conf file. The default clock skew is 300 seconds, or 5 minutes. This policy changes the clock skew value in the krb5.conf file of target Linux, Unix, and Mac OS X hosts.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Kerberos: Set the Maximum tolerance for Kerberos clock Skew (clockskew), and then select the Define this policy setting check box.
4. In the Maximum tolerance box, enter the maximum amount of time, in minutes, to allow for the clock skew.

Trust Enumeration Settings

PBIS Enterprise includes the following set of group policies for controlling how PBIS's domain manager enumerates trusts on target Linux, Unix, and Mac OS X computers. The policies can help improve performance of the authentication service in an extended AD topology.

Note: The policy that specifies an include list is dependent on defining the policy for ignoring all trusts. To use the include list, you must first enable the policy to ignore all trusts.

The include-list policy must explicitly contain every domain that you want to enumerate. It is insufficient to include only the forests that contain the domains. For a domain that is added to the include list, PBIS tries to discover its trust. If some of the domains are not included in the list, the resulting trust relationships might run counter to your intentions: The PBIS agent might process the trust as a one-way forest child trust when it is not.

Here's an example. Suppose you have the following forests:

FOREST-A with child DOMAIN-A
FOREST-B with child DOMAIN-B

Assume that FOREST-A and FOREST-B have a two-way trust and that the target computer is joined to DOMAIN-A. The include list contains DOMAIN-B but not DOMAIN-A. During the main trust enumeration, no trusts are added because the group policy to ignore all the trusts is enabled. The PBIS agent then adds DOMAIN-B because it is in the include list. Since the PBIS agent ignores DOMAIN-A, however, the agent adds DOMAIN-B as a 1-way forest child; its trust relationship is incorrectly recognized. If your intention is to add it with its 2-way trust relationship intact, you must make sure to put the other domain and forest in the include list -- in this case, both FOREST-A with child DOMAIN-A and FOREST-B with child DOMAIN-B.

Tip: To check your trust relationships, use the Microsoft Active Directory Domains and Trusts MMC snap-in. In the snap-in, right-click a domain, click Properties, and then click the Trusts tab.

Trust Enumeration Policy / Description

Lsass: Ignore all trusts during domain enumeration
    Determines whether the authentication service discovers domain trusts. In the default configuration of disabled, the service enumerates all the parent and child domains as well as forest trusts to other domains. For each domain, the service establishes a preferred domain controller by checking for site affinity and testing server responsiveness, a process that can be slowed by WAN links, subnet firewall blocks, stale AD site topology data, or invalid DNS information. When it is unnecessary to enumerate all the trusts -- for example, the intended users of the target computer are only from the forest that the computer is joined to -- turning on this setting can improve startup times of the authentication service.

Lsass: Domain trust enumeration include list
    When the policy Lsass: Ignore all trusts during domain enumeration is enabled, only the domain names in the include list are enumerated for trusts and checked for server availability.

Lsass: Domain trust enumeration exclude list
    When the policy Lsass: Ignore all trusts during domain enumeration is disabled (its default setting), the domain names in the exclude list are not enumerated for trusts and not checked for server availability.
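The FOREST-A / FOREST-B scenario above is easy to get wrong, so here is a small model of how the three policies select domains. This is an added illustration, not PBIS code: the Trust records and the forest and domain names are constructed to mirror the guide's example, and the rule that a two-way trust is only recognised when both ends are in the include list is the behaviour the text describes, reduced to a check you can run on your own include list before deploying the GPO.

```python
"""Model of the Lsass trust-enumeration policies (added illustration, not PBIS code).

The topology below is constructed to match the guide's FOREST-A / FOREST-B
scenario: two forests, each with one child domain, joined by a two-way forest
trust, with the target computer joined to DOMAIN-A.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Trust:
    """One trust relationship between two domains or forest roots."""
    a: str
    b: str
    two_way: bool = True


@dataclass
class EnumerationResult:
    enumerated: list = field(default_factory=list)  # domains whose trusts get discovered
    warnings: list = field(default_factory=list)    # trusts that will be mis-recognised


# Constructed sample topology (hypothetical names, as in the guide's example).
SAMPLE_TRUSTS = [
    Trust("FOREST-A", "DOMAIN-A"),   # parent/child trust inside forest A
    Trust("FOREST-B", "DOMAIN-B"),   # parent/child trust inside forest B
    Trust("FOREST-A", "FOREST-B"),   # two-way forest trust between the forests
]


def _partners(domain, trusts):
    """Yield (partner, trust) for every trust that mentions `domain`."""
    for t in trusts:
        if t.a == domain:
            yield t.b, t
        elif t.b == domain:
            yield t.a, t


def enumerate_trusts(joined, trusts, ignore_all, include=(), exclude=()):
    """Return which domains the authentication service would enumerate.

    ignore_all=False (the policy's default): walk every trust reachable from
    the joined domain, skipping anything in the exclude list.
    ignore_all=True: the main enumeration adds nothing; only the include-list
    domains are added, and a two-way trust whose other end is missing from the
    list is recorded as a warning because it will be seen as one-way.
    """
    result = EnumerationResult()
    if not ignore_all:
        seen, todo = {joined}, [joined]
        while todo:
            domain = todo.pop()
            result.enumerated.append(domain)
            for partner, _ in _partners(domain, trusts):
                if partner not in seen and partner not in exclude:
                    seen.add(partner)
                    todo.append(partner)
        return result

    result.enumerated = list(include)
    for domain in include:
        for partner, trust in _partners(domain, trusts):
            if trust.two_way and partner not in include:
                result.warnings.append(
                    f"{domain}: two-way trust with {partner} will be treated as "
                    f"one-way because {partner} is not in the include list"
                )
    return result


if __name__ == "__main__":
    bad = enumerate_trusts("DOMAIN-A", SAMPLE_TRUSTS, ignore_all=True, include=["DOMAIN-B"])
    print(bad.enumerated, bad.warnings)
    good = enumerate_trusts("DOMAIN-A", SAMPLE_TRUSTS, ignore_all=True,
                            include=["FOREST-A", "DOMAIN-A", "FOREST-B", "DOMAIN-B"])
    print(good.enumerated, good.warnings)
```

Run against the short include list the warning names the trust that will be degraded to one-way; with all four names in the list there is no warning, which is the configuration the guide recommends.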

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click the Lsass: Ignore all trusts during domain enumeration policy and select the Define this Policy Setting check box.
4. Select one of the following:
   Enabled - If you click Enabled, define the Lsass: Domain trust enumeration include list policy to add a comma-separated list of trusts that you want to include for enumeration.
   Disabled - If you click Disabled, you can optionally define the Lsass: Domain trust enumeration exclude list to specify a comma-separated list of trusts that you want to exclude from enumeration.
5. Click OK.

The settings take effect when you restart either the target computer or the PBIS authentication service (lsass).

Require Trust Enumeration Completion at Startup

There are two policies that work together to control trust enumeration when a PBIS client starts up:

Require trust enumeration to complete during startup: This policy sets the PBIS authentication service (Lsass) to finish enumerating all the domain trusts before the service indicates that it has started. You can use this policy to help sequence services, such as crond, that depend on Lsass for user and group object lookups. For quicker startup times, the setting's default is disabled. You should enable it when Lsass must be completely operational before subsequent services start. When enabled, Lsass finishes starting only after it finds all the domains and domain controllers that are available to log on users and look up identities. After trust enumeration completes, or the trust enumeration completion time is reached, Lsass signals its running status to the PBIS Service Manager, which then reports on the dependent PBIS services.

Trust enumeration completion time: This policy determines how long Lsass waits for trust enumeration to finish during startup when the policy to require trust enumeration to complete during startup is enabled. The default is 0 -- which indicates an unlimited wait time.

The policies can be applied to Linux, Unix, and Mac OS X computers.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:

3. Double-click Lsass: Require trust enumeration to complete during startup, and then select the Define this policy setting check box.
4. To require all trusts to enumerate before Lsass starts up, click Enabled, and then click OK.
5. In the details pane, double-click Lsass: Trust enumeration completion time and then select the Define this policy setting check box.
6. In the box, enter the time, in seconds, that you want Lsass to wait for trusts to enumerate before starting up. The default setting of 0 indicates an unlimited wait time.

Ignore User or Group Names

There are two policies that you can set to prevent PBIS's Active Directory provider from performing name service queries for entries that are not in Active Directory:

group names to ignore - Specifies the group names to ignore on target PBIS clients. The policy can contain a comma-separated list of group names.
user names to ignore - Specifies the user account names to ignore on target PBIS clients. The policy can contain a comma-separated list of account names.

To set an ignore policy:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:

3. Double-click Lsass: User names to ignore or Lsass: Group names to ignore, and then select the Define this policy setting check box.
4. In the text box, type a comma-separated list of names that you want PBIS to ignore.

Prepend Domain Name for AD Users and Groups

This group policy changes the assume-default-domain setting for the PBIS agent to yes, adding the default domain before the names of Active Directory users and groups on target Linux, Unix, and Mac OS X computers. You can use this policy to spare users from typing the name of their Active Directory domain each time they log on to a computer or switch users. This policy replaces the local setting, the default of which is no.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:
3. Double-click Lsassd: Prepend default domain name for AD users and groups, and then select the Define this policy setting check box.
4. Select Enabled.

Change NSS Membership and NSS Cache Settings

To customize PBIS Enterprise to meet the performance needs of your network, you can set several group policies to specify how the PBIS agent parses and caches group and user membership information. The policies described in the table below populate the following value entries in the PBIS registry, shown here with their default values:

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
"TrimUserMembership"=dword:
"NssGroupMembersQueryCacheOnly"=dword:
"NssUserMembershipQueryCacheOnly"=dword:
"NssEnumerationEnabled"=dword:

Group Policy / Description

Lsass: Enable user group membership trimming
    Specifies whether to discard cached information from a Privilege Attribute Certificate (PAC) entry when it conflicts with new information retrieved through LDAP. Otherwise, PAC information, which does not expire, is updated the next time the user logs on. It is turned on by default.

Lsass: Enable cache only group membership enumeration for NSS
    Specifies whether to return only cached information for the members of a group when queried through the name service switch, or nsswitch. The setting determines whether nsswitch-based group APIs obtain group membership information exclusively from the cache, or whether they search for additional group membership data through LDAP. The LDAP enumeration can be slow and can affect performance with a large amount of data. To improve performance for groups with more than 10,000 users, set this option to enabled. Without the LDAP enumeration, only when a user logs on can that user's complete group membership be retrieved based on the PAC. It is turned on by default.

Lsass: Enable cache only user membership enumeration for NSS
    When set to enabled, enumerates the groups to which a user belongs using information based solely on the cache. When set to disabled, it checks the cache and searches for more information over LDAP. It is turned off by default.

Lsass: Enable NSS Enumeration
    Controls whether all users or all groups can be incrementally listed through NSS. On Linux computers and Unix computers other than Mac, the default setting is set in the registry as 0, or turned off. On Mac OS X computers, the default setting is 1, or turned on. To allow third-party software to show Active Directory users and groups in lists, you can turn on this setting, but performance might be affected.

    Note: When you run the id command for an Active Directory user other than the current user on some Linux systems, such as SLES 10 and SLED 10, the command returns only that user's primary group. The command enumerates all the groups and searches for the user in the groups' membership. To properly find another user's membership with the id command on SLES 10 and SLED 10, you must turn on NSS enumeration.

Turn On Event Logging with a GPO

This group policy turns on logging for events on target Linux, Unix, and Mac OS X computers. You can use this policy to improve security monitoring by logging authentication and authorization requests.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:
3. Double-click Lsassd: Enable use of the event log, and then select the Define this policy setting check box.
4. Select Enabled.

Stop Refreshing User Credentials

By default, PBIS automatically refreshes user credentials, but you can turn off automatic refreshes with a group policy.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:

3. Double-click Lsassd: Enable user credential refreshing, and then select the Define this policy setting check box.
4. Select Disabled to stop automatically refreshing user credentials.

Sign and Seal LDAP Traffic with a GPO

You can sign and seal LDAP traffic to authenticate it (signing) and to encrypt it (sealing) so that others cannot read your LDAP traffic on your network as it travels between a PBIS client and a domain controller. This policy can help improve network security.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:
3. Double-click Lsassd: Enable signing and sealing for LDAP traffic, and then select the Define this policy setting check box.
4. Select Enabled.

Force Authentication to Use Unprovisioned Mode

To use the PBIS Enterprise agent to join a Linux, Unix, or Mac OS X computer to a domain that has not been configured with cell information, you must set this group policy to unprovisioned mode (PBIS Open). This setting, which applies only to PBIS Enterprise, forces the authentication service to ignore the following Unix information even though it is set in Active Directory:

Home directory
UID
GID
Unix shell

Instead of using the information from Active Directory, the unprovisioned value sets the authentication service to hash the user's security identifier and use local settings for the Unix shell and the home directory.

Note: The default is support cell mode, a setting that requires you to create a cell in Active Directory before you join a client running PBIS Enterprise to it. If you are using PBIS Enterprise with cells and you want to use the Unix settings in AD, it is recommended that you do not set this group policy or that you leave it set to its default value.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:
3. In the details pane, double-click Lsass: Force authentication to use unprovisioned mode, and then select the Define this policy setting check box.
4. Select Unprovisioned mode (PBIS Open).

Turn Off Logging of Network Events

This group policy turns off logging for network events on target Linux, Unix, and Mac OS X computers. You can apply this policy to laptop computers, computers with a wireless connection, or other computers whose network status might be in flux so that you do not flood the event log with connectivity events.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:
3. Double-click Lsassd: Log network connectivity events, and then select the Define this policy setting check box.
4. Select Enabled.

Turn Off System Time Synchronization with a GPO

This group policy changes the sync-system-time setting of the PBIS agent to disabled or enabled on target Linux, Unix, and Mac OS X computers. This policy replaces the local setting, the default of which is enabled: The PBIS authentication daemon, lsassd, synchronizes the system time of the client with that of the Active Directory domain controller. You can apply this policy when an alternative time synchronization process is in use.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification:

3. Double-click Lsassd: System time synchronizaton, and then select the Define this policy setting check box.
4. Select Enabled.

Set the Machine Account Password Expiration Time

You can define a group policy to set the machine account password's expiration time on target Unix and Linux computers. The expiration time specifies when machine account passwords are reset in Active Directory. You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Machine account password expiration time (machine password timeout), and then select the Define this Policy Setting check box.
4. In the Expiration Time box, enter the time, in days, that you want.

Note: To avoid issues with Kerberos key tables and single sign-on, the value you set in the Expiration Time box must be at least twice the maximum lifetime for user tickets, plus a little more time to account for the permitted clock skew. The expiration time for a user ticket is set using an Active Directory group policy called Maximum lifetime for user ticket. The default user ticket lifetime is 10 hours; the default PBIS machine password lifetime is 30 days.

Check the Maximum Lifetime for a User Ticket

1. Open the default domain policy in the Group Policy Management Editor.
2. Expand Computer Configuration, Windows Settings, Security Settings, Account Policies, and then click Kerberos policy.

3. In the details pane, double-click Maximum lifetime for user ticket.
4. In the Ticket expires in box, make sure that the number of hours is no more than half that of the value you set in the Expiration Time box of the PBIS group policy for the machine account password expiration time.

Replace Spaces in Names with a Character

You can define a group policy on target Unix and Linux computers to replace spaces in Active Directory user and group names with a character that you choose. For example, when you set the replacement character to ^, the group DOMAIN\Domain Users in Active Directory appears as DOMAIN\domain^users on target Linux and Unix computers.

Note: The PBIS authentication daemon renders all names of Active Directory users and groups lowercase.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings, page 9.

To replace spaces in names with a character:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Replacement character for names with spaces, and then select the Define this Policy Setting check box.
4. In the Character to replace spaces in names with box, type the character that you want -- for example, ^.

Logon

The group policies that are described in this section are in the Logon folder located in the PBIS Settings folder:
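The two name-rewriting rules that matter when you write policy values for a PBIS client are the space-replacement and lowercasing rule described above and the %hostname / %L substitution used by the Allow Logon Rights list in the Logon section that follows. The following added example is not PBIS code; it reproduces both rules as small functions and adds a classifier for the entry forms that the Allow Logon Rights list accepts (NT4 names, UPNs, SIDs and local names), so that a list can be checked for a wrong separator before it is pushed out by GPO. The names, the host name and the SID in the test data are constructed; the SID pattern is the general S-1-<authority>-<sub-authorities> form of a Windows security identifier.

```python
"""Name handling for the space-replacement policy and the Allow Logon Rights list.

Added illustration, not PBIS code. The names, the host name and the SID used
for testing are constructed.
"""
import re

# Windows security identifier in string form: S-1-<authority>-<one or more sub-authorities>.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
_HOST_VAR_RE = re.compile(r"%hostname|%L")


def unix_name(ad_name: str, replacement: str = "^") -> str:
    """Render an NT4-style AD name as it appears on a PBIS client.

    The account or group part is lowercased and each space becomes the
    replacement character; the short domain part is left unchanged, so
    DOMAIN\\Domain Users becomes DOMAIN\\domain^users.
    """
    domain, sep, account = ad_name.partition("\\")
    if not sep:  # no domain part: the whole string is the account name
        domain, account = "", ad_name
    account = account.lower().replace(" ", replacement)
    return f"{domain}\\{account}" if sep else account


def expand_logon_list(entries: str, hostname: str) -> list:
    """Split a comma-separated Allow Logon Rights value and substitute
    %hostname (or %L) with the upper-cased name of the target computer."""
    host = hostname.upper()
    return [_HOST_VAR_RE.sub(host, e.strip()) for e in entries.split(",") if e.strip()]


def classify_entry(entry: str) -> str:
    """Tell which of the accepted entry forms an Allow Logon Rights item uses."""
    if _SID_RE.match(entry):
        return "sid"
    if "\\" in entry:
        return "nt4"      # DOMAIN\name; the backslash is the required separator
    if "@" in entry:
        return "upn"      # name@domain.example
    if "/" in entry:
        raise ValueError(f"{entry!r}: use a backslash, not a slash, to separate domain and name")
    return "local"        # local account or local group name


def check_logon_list(entries: str, hostname: str) -> list:
    """Expand host-name variables and classify every entry of the list."""
    return [(e, classify_entry(e)) for e in expand_logon_list(entries, hostname)]


if __name__ == "__main__":
    print(unix_name("DOMAIN\\Domain Users"))
    print(check_logon_list(
        "CORP\\Domain Administrators,CORP\\%hostname_Users,CORP\\%L_Testers", "test-machine"))
```

Note that host-name substitution and space replacement are separate steps: the substituted list still contains "CORP\Domain Administrators" with its space, exactly as the guide shows, and it is the agent on the client that later renders that group as domain^administrators.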

Allow Logon Rights (RequireMembershipOf)

You can create a group policy to specify the Active Directory users and groups allowed to log on to target Unix and Linux computers. Users and groups who have logon rights can log on to the target computers either locally or remotely. You can also use this policy to enforce logon rules for local users and groups. To use this policy, you must grant the users access to the PBIS cell that contains the target computer object. By default, all Unix and Linux computers are joined to the default cell, and all members of the Domain Users group are allowed to access the default cell. PBIS checks requiremembershipof information in both the authentication phase and the account phase.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings, page 9.

Note: You can also define logon rights manually for a computer. For more information, see Restrict Logon Rights by Group.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon:
3. Double-click Allow logon rights, and then select the Define this Policy Setting check box.
4. Click and then locate the users or groups to which you want to grant logon rights.

   Optionally, in the Users and/or Groups box, type a comma-separated list of the users and groups that you want. In the list, you can use short domain names with Active Directory account names and group names, that is, the NT4-style name. You can also use local account names and local user groups as well as security identifiers (SIDs) in string format. In addition, you can add a group that is not enabled in the cell to the list to give its members access to the target computer. You cannot, however, use an alias for an AD group or user. If you have configured PBIS to assume the default domain, you must still use the NT4-style name. For example, you could enter the following comma-separated list:

   CORP\johndoe, janedoe@corp.mycorp.com, CORP\domain^users, S

   In the example, the entry S is a SID in string format.

   Note: To separate the domain name from the user name or the group name in the AD account logon syntax, you must use a backslash (\). Example: pbisdemo.com\steve.

5. Grant the users and groups access to the PBIS cell that contains the target computer object.

Host Name Substitution

This policy substitutes the host name of the target computer for the variable %hostname (or its shorthand version, %L) when the variable is included in the list of users and groups. You can, for example, set a string with the host name variable like this:

CORP\Domain Administrators,CORP\%hostname_Users,CORP\%L_Testers

When the group policy object is applied to a target computer named test-machine, the variables are substituted as follows:

CORP\Domain Administrators,CORP\TEST-MACHINE_Users,CORP\TEST-MACHINE_Testers

Create a .k5login File in a User's Home Directory

You can define a group policy to create a .k5login file in the home directory of a user account on target Linux and Unix computers that log on to the Windows NT domain using the Kerberos authentication protocol. The .k5login file contains the user's Kerberos principal, which uniquely identifies the user within the Kerberos authentication protocol. Kerberos can use the .k5login file to check whether a principal is allowed to log on as a user. A .k5login file is useful when your computers and your users are in different Kerberos realms or different Active Directory domains, which can occur when you use Active Directory trusts.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.

3. Double-click Create a .k5login file in user home directory (create_k5login), and then select the Define this Policy Setting check box.
4. Select Enabled or Disabled. When enabled, Kerberos is allowed to create a .k5login file in the home directory of a given user account. When disabled, Kerberos is not allowed to create a .k5login file.

Create a Home Directory for a User Account at Logon

You can automatically create a home directory for an AD user account or a local PBIS user account on target PBIS clients. When the user logs on to the computer, the home directory is created if it does not exist. For AD accounts, the location of the home directory is specified in the PBIS settings of the user account in Active Directory Users and Computers.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Create home directory at logon (AD user accounts) or Create home directory at logon (Local user accounts), and then select the Define this Policy Setting check box.
4. Select Enabled or Disabled.

Set Permissions with a File Creation Mask

PBIS can set permissions for the home directory that is created when a user logs on to target PBIS clients. The home directory and all the files in the directory are preset with the permission settings of the file creation mask, or umask. There is a umask policy for local accounts and a umask policy for AD accounts.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Home directory creation mask (Local user accounts) or Home directory creation mask (AD user accounts), and then select the Define this Policy Setting check box.
4. Under Default File Permissions and under Default Directory Permissions, select the options that you want. Or, in the Umask value box, type a umask value for the permission level that you want, and then click Set.
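The home directory that PBIS creates at logon is shaped by two of the policies in this guide: the Remote directory path template variables (%U, %D, %H, %L) described earlier in the PBIS Settings section, and the umask policy described just above. The following added example is not PBIS code; it expands a path template with the rules from the variable table (%U required, %H absolute, no unknown variables) and computes the file and directory modes that a given umask produces, so the effect of a policy value can be previewed before it is applied. The user, domain, home prefix and host name values are constructed.

```python
"""Home-directory provisioning helpers (added illustration, not PBIS code).

Covers the Remote directory path template variables (%U, %D, %H, %L) and the
home directory creation mask (umask) policies. The user, domain, home prefix
and host name values used below are constructed.
"""
import re
import stat

TEMPLATE_VARS = {"%U", "%D", "%H", "%L"}


def expand_home_template(template: str, user: str, domain: str,
                         home_prefix: str, host: str) -> str:
    """Expand the path template the way the guide's variable table describes.

    %U is required, %H must be an absolute path, and any other %-variable is
    rejected rather than left in a file system path.
    """
    if "%U" not in template:
        raise ValueError("path template must contain %U (the user name)")
    unknown = set(re.findall(r"%[A-Za-z]", template)) - TEMPLATE_VARS
    if unknown:
        raise ValueError(f"unknown template variable(s): {sorted(unknown)}")
    if "%H" in template and not home_prefix.startswith("/"):
        raise ValueError("%H must expand to an absolute path")
    values = {"%U": user, "%D": domain, "%H": home_prefix, "%L": host}
    # Substitute in one pass so a value containing '%' is never re-expanded.
    return re.sub(r"%[UDHL]", lambda m: values[m.group(0)], template)


def modes_from_umask(umask) -> tuple:
    """Return the (file, directory) permission strings that a umask yields.

    New files start from 0666 and new directories from 0777; the umask bits
    are cleared from those bases. Accepts an int (0o022) or the octal string
    typed into the policy ("022").
    """
    if isinstance(umask, str):
        umask = int(umask, 8)
    if not 0 <= umask <= 0o777:
        raise ValueError("umask must be between 000 and 777 (octal)")
    file_mode = stat.filemode(stat.S_IFREG | (0o666 & ~umask))
    dir_mode = stat.filemode(stat.S_IFDIR | (0o777 & ~umask))
    return file_mode, dir_mode


def provision_plan(template, user, domain, home_prefix, host, umask) -> dict:
    """Combine both policies into the values applied when the home directory is created."""
    file_mode, dir_mode = modes_from_umask(umask)
    return {
        "path": expand_home_template(template, user, domain, home_prefix, host),
        "file_mode": file_mode,
        "dir_mode": dir_mode,
    }


if __name__ == "__main__":
    # Constructed sample: the guide's template with hypothetical values.
    print(provision_plan("%H/local/%D/%U/MyHome", "jdoe", "CORP", "/home", "ws01", "022"))
```

With the guide's umask of 022 the plan reports -rw-r--r-- for files and drwxr-xr-x for directories, which is the read-write / read-write-search for the owner and read-only / read-search for everyone else that the next paragraph describes; a umask of 077 keeps the home directory private to its owner.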

For example, if you specify an umask value of 022, the file permissions are set as follows: Read-write access for files and read-write-search for directories you own. All others have read access only to your files and read-search access to your directories.

Show a Denied Logon Rights Message

This group policy displays a message when an Active Directory user cannot log on to a target computer because the user is not in the list of the users or groups defined in the Allow Logon Rights (requiremembershipof) group policy. When you set the policy, you specify the message that is displayed for the not_a_member_error. This policy applies to computers running Linux, Unix, and Mac OS X.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon:
3. Double-click Denied logon rights message, and then select the Define this policy setting check box.
4. In the Logon error message box, type the text that you want to display.

Set the Local Account Password Lifespan

This policy specifies the number of days during which an account password is valid for local PBIS system accounts on Linux computers. This setting applies only to user accounts maintained by the PBIS local provider; it does not affect local passwd accounts.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon:

3. Double-click Local account password lifespan, and then select the Define this policy setting check box.
4. In the Lifespan box, enter the number of days that a password is valid.

Log PAM Debugging Information

To monitor and troubleshoot the PAM module, you can define a PBIS group policy that logs debugging information for the PBIS agent on target computers running Linux, Unix, or Mac OS X. This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Log PAM debugging information, and then select the Define this Policy Setting check box.
4. Select either Enabled or Disabled.

Copy Template Files When Creating a Home Directory

PBIS can add the contents of skel to the home directory created for an AD user account or a PBIS local user account on target PBIS clients. Using the skel directory ensures that all users begin with the same settings or environment.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click one of the following:

   - Template files for a new user home directory (AD user accounts)
   - Template files for a new user home directory (local user accounts)
4. Select the Define this Policy Setting check box.
5. In the Path to skeleton template directory box, type the path that you want, for example, /etc/skel.

Smart Card

You can set Smart Card policies to use Smart Card authentication for your target assets.

To configure Smart Card policy settings:

1. In the Group Policy Management Console (GPMC), create or edit a Group Policy Object (GPO) for the organizational unit that you want, and then open it with the Group Policy Management Editor.
2. Expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, Smart Card.
3. Turn on the following Smart Card policies:
   - Smart card removal policy: Specifies the action taken when a smart card is removed from a target computer. When smart card two-factor authentication is used to gain access to a computer, enforcement of logon security can be made stricter if the removal action is set to Lock or Logout. The default setting without this policy setting is No Action.
   - Require smart card for login: When smart card authentication is enabled, it is possible to log on only with a smart card and its PIN. When this setting is disabled, logon is possible by using either an account user name with a password or a smart card with its PIN.

Reaper Syslog Settings

The reaper syslog policies are discussed in the section on setting up the reporting database in the PBIS Enterprise Installation and Administration Guide.

Group Policy Agent

The group policies described in this section are in the Group Policy Agent folder, located in the PBIS Settings folder.

Set the Computer Policy Refresh Interval

You can set a group policy that specifies how often a computer's group policies are updated while the computer is in use. The scope of this policy is the group policies in the Unix and Linux Settings folder under Computer Configuration in the Group Policy Management Editor. By default, when this policy is undefined, a computer's group policies are updated when the system starts and every 30 minutes while the computer is in use. The updates take place in the background without interrupting the user.

Note: Some settings might not take effect until the computer restarts or the user logs off and logs on again.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click Computer policy refresh interval, and then select the Define this policy setting check box.
4. In the Refresh interval box, enter the time in minutes that you want to set. You can set the refresh interval from 5 minutes to 9999 minutes (about 7 days).

Set the User Policy Refresh Interval

You can define a group policy that specifies how often the user settings are updated while the user is logged on. The scope of this policy is the user policies in the Unix and Linux Settings folder under User Configuration in the Group Policy Management Editor. By default, when this policy is undefined, a user's settings are updated when the user logs on and every 30 minutes while the user is logged on. The updates take place in the background without interrupting the user.

Note: Some settings might not take effect until the computer restarts or the user logs off and logs back on.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click User policy refresh interval, and then select the Define this policy setting check box.
4. In the Refresh interval box, enter the time in minutes that you want to set. You can set the refresh interval from 5 minutes to 9999 minutes (about 7 days).

Turn On Event Logging for the Group Policy Agent

This group policy turns on logging for group policy events on target Linux, Unix, and Mac OS X computers. You can use this policy to help improve security and to troubleshoot group policies by capturing information in the PBIS event log about the application and processing of group policy objects, including such events as errors, adding a new GPO, updating a GPO for a new version, and removing a GPO that no longer applies to a user or computer.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click Enable use of event log, and then select the Define this policy setting check box.
4. Select Enabled.

Set the User Policy Loopback Processing Mode

You can define a group policy that applies alternate user settings when a user logs on to a computer affected by this setting. The policy applies the group policy objects that you specify to any user who logs on to a computer affected by this setting. The policy is designed for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user settings based on the computer that is being used. By default, the user's group policy objects determine which user settings apply. If this setting is enabled, when a user logs on to this computer, the computer's group policy objects determine which set of group policy objects applies.

You can set the following modes for this policy:

Mode                Description
Replace             The user settings defined in the computer's group policy objects replace the user settings normally applied to the user.
Merge               The user settings defined in the computer's group policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's group policy objects take precedence over the user's normal settings.
Loopback disabled   If you disable this setting or do not configure it, the user's group policy objects determine which user settings apply.

To configure the user policy loopback processing mode:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click User policy loopback processing mode, and then select the Define this policy setting check box.
4. In the list, click the loopback processing mode that you want to set.
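The Replace and Merge rules in the table above can be checked against a small model. The following POSIX shell script is an added example, not PBIS code: it represents each side's user settings as constructed key=value lines (the setting names are placeholders) and applies the three modes exactly as the table describes. In Merge mode, computer-side values win on conflict while user-only keys survive; in Replace mode only the computer side remains; with loopback disabled only the user's own settings apply.

```shell
#!/bin/sh
# Added example (not PBIS code): model the user policy loopback processing
# modes. Settings are constructed key=value lines; the names are placeholders.

# The user's own GPO-derived settings (constructed sample).
USER_GPO_SETTINGS='motd=Welcome, finance team
umask=027
screensaver_timeout=900'

# User settings carried by the computer's GPOs (constructed sample).
COMPUTER_GPO_SETTINGS='motd=Shared lab workstation: do not store data locally
umask=077'

# resolve_loopback MODE USER_SETTINGS COMPUTER_SETTINGS
# Prints the effective user settings for MODE (disabled|replace|merge).
resolve_loopback() {
    mode=$1
    user=$2
    computer=$3
    case "$mode" in
        disabled)
            # Loopback off: only the user's own GPOs matter.
            printf '%s\n' "$user"
            ;;
        replace)
            # The computer's user settings replace the user's own entirely.
            printf '%s\n' "$computer"
            ;;
        merge)
            # Keep the user keys that the computer side does not define...
            printf '%s\n' "$user" | while IFS= read -r line; do
                key=${line%%=*}
                if ! printf '%s\n' "$computer" | grep -q "^${key}="; then
                    printf '%s\n' "$line"
                fi
            done
            # ...then add every computer-side key, which wins on conflict.
            printf '%s\n' "$computer"
            ;;
        *)
            printf 'unknown loopback mode: %s\n' "$mode" >&2
            return 1
            ;;
    esac
}

# effective_value MODE KEY
# Prints the value KEY resolves to under MODE (empty if it is not set at all).
effective_value() {
    resolve_loopback "$1" "$USER_GPO_SETTINGS" "$COMPUTER_GPO_SETTINGS" \
        | sed -n "s/^$2=//p" | head -n 1
}

# Show the three outcomes side by side.
for m in disabled replace merge; do
    printf '== %s ==\n' "$m"
    resolve_loopback "$m" "$USER_GPO_SETTINGS" "$COMPUTER_GPO_SETTINGS"
done
```

The same model shows why Replace is the safer choice for a kiosk or lab machine: a user-only setting such as screensaver_timeout simply disappears, whereas under Merge it is carried onto the shared computer.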

Turn Off User Logon Group Policies

By default, the PBIS group policy agent processes and applies user policies when a user logs on with an Active Directory account, a process that can delay logon. If no user group policy objects apply to a target set of computers and the users who access them, defining this group policy and setting it to Disabled stops the PBIS group policy agent from attempting to process user policies, resulting in faster logons.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click Enable user logon group policies, and then select the Define this policy setting check box.
4. Select Disabled.

Event Log

The following group policies to manage the event log are in the Event Log folder located in the PBIS Settings folder.

Set Access Rights to Delete, Read, and Write Events

The following policies specify the Active Directory users and groups who can read events in, delete events from, or write events to the PBIS event log:

- Allow delete-event access
- Allow read-event access
- Allow write-event access

These policies can help manage the security of PBIS clients. Only users and groups who need to use the event log should be granted access to it. The users and groups that you specify must have access to the cell that contains the target computer.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Event Log.
3. Double-click one of the following policies: Allow delete-event access, Allow read-event access, Allow write-event access. Select the Define this Policy Setting check box.
4. Click and then locate the users or groups that you want to grant logon rights. Optionally, in the Users and/or Groups box, type a comma-separated list of the users and groups that you want. You can use:
   - Short domain names with Active Directory account names and group names, that is, the NT4-style name.
   - Local account names and local user groups and security identifiers (SIDs) in string format.

   - Add a group that is not enabled in the cell to give its members access to the target computer.
   You cannot use an alias for an AD group or user. If you configure PBIS to assume the default domain, you must use the NT4-style name. For example, you could enter the following comma-separated list:
   CORP\johndoe, Ando@corp.mycorp.com, CORP\domain^users, S
   In the example, the entry S is a SID in string format.
   Note: To separate the domain name from the user name or the group name in the AD account logon syntax, you must use a backslash (\). Example: demo.com\steve.
5. Make sure the users and groups have access to the PBIS cell that contains the target computer object.

Set Maximums for Events, Disk Usage, and Lifespans

The following policies define the maximums for the following event log thresholds to help you manage the size of the event log database:

- Max disk usage
- Max event lifespan
- Max number of events

To set threshold policies on the event log:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Event Log.
3. Double-click one of the policies, and then select the Define this Policy Setting check box.
4. Enter the maximum threshold that you want to set in the box:

For This Policy        Do This
Max disk usage         In the Max Log Size box, enter the size that you want to set, in KB, for the maximum size of the event log. Note: To delete events when the maximum disk usage threshold is reached, you must turn on the policy Remove events as needed.
Max event lifespan     In the Lifespan box, enter the period in days for how long you want to keep events.
Max number of events   In the Max Number of Events box, enter the maximum number of events to save in the event log.
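Before pasting a comma-separated list into one of the access-rights policies described above, it is worth checking that every entry is in one of the forms the guide accepts. The following POSIX shell script is an added example, not PBIS code, and its classifications are its own: it recognises the NT4-style form (DOMAIN\account), the account@domain.tld form, a SID in string form (prefix check only) and a bare local name, and it rejects a forward slash as a domain separator. It cannot tell whether a name is an alias. The sample list is constructed; S-1-5-32-544 is the well-known local Administrators SID.

```shell
#!/bin/sh
# Added example (not PBIS code): sanity-check the principal list given to the
# Allow read/write/delete-event access policies before it is applied.

# classify_principal ENTRY -> nt4 | upn | sid | local | invalid
classify_principal() {
    case "$1" in
        S-1-[0-9]*)              printf 'sid' ;;      # SID in string form (prefix check only)
        *\\*\\*)                 printf 'invalid' ;;  # more than one backslash
        *\\*)                    printf 'nt4' ;;      # DOMAIN\account (NT4-style name)
        *@*@*)                   printf 'invalid' ;;  # more than one @
        *@*.*)                   printf 'upn' ;;      # account@domain.tld (dotted domain assumed)
        */*)                     printf 'invalid' ;;  # '/' is not a valid domain separator here
        *[!a-zA-Z0-9._^-]*)      printf 'invalid' ;;  # stray characters (^ stands for a space)
        ?*)                      printf 'local' ;;    # bare name: local account or local group
        *)                       printf 'invalid' ;;  # empty entry
    esac
}

# classify_list LIST -> one "entry<TAB>class" line per comma-separated entry;
# whitespace around the commas is tolerated, as in the guide's example.
classify_list() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r raw; do
        entry=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        printf '%s\t%s\n' "$entry" "$(classify_principal "$entry")"
    done
}

# invalid_count LIST -> number of entries the agent could not resolve
invalid_count() {
    classify_list "$1" | awk -F '\t' '$2 == "invalid" { n++ } END { print n + 0 }'
}

# Constructed sample list modelled on the guide's example; the last entry
# uses a forward slash and should be flagged.
SAMPLE_LIST='CORP\johndoe, Ando@corp.mycorp.com, CORP\domain^users, S-1-5-32-544, demo.com/steve'
classify_list "$SAMPLE_LIST"
printf 'invalid entries: %s\n' "$(invalid_count "$SAMPLE_LIST")"
```

Run this over the list before defining the policy: an entry that comes back as invalid would not be resolved by the agent, and a typo in an event-log ACL tends to fail silently rather than at the GPMC dialog.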

Event Forwarder

Configure the Event Forwarder group policy to improve security monitoring by logging authentication and authorization events. You can view event metrics later on the Operations Dashboard.

To configure event forwarding:

1. Start GPMC, create or edit a group policy, and then open it in Group Policy Management Editor.
2. Expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, Event Forwarder.
3. Double-click Event log collector, and then select the Define this Policy Setting check box.
4. Enter the host name of the computer running BTCollector. Example: w2k3-r2.example.com

User Monitor

PBIS Enterprise includes a User Monitor service for entitlement reports. This feature is designed to support computers that are critical to regulatory compliance and for which restricted access by only essential staff is vital. A computer that is openly accessible to hundreds of users would be a source of unnecessary audit activity in such a situation and would significantly increase resource requirements, such as for Auditing Database sizing.

Notes:

- For Active Directory (AD) users, the User Monitor only reports the users who have access to the computer due to the RequireMembershipOf setting. If RequireMembershipOf is not enabled, a special pseudo user is reported. If the computer is running in unprovisioned mode, the pseudo user is: All Users accessible from domain DomainName. Otherwise the pseudo user is: All Users in cell CellName.
- The User Monitor only reports the AD groups of which at least one of the reported AD users is a member.

PBIS Enterprise includes the following Group Policy settings for fine-tuning the User Monitor.

Enable Monitoring of Users and Groups

This policy setting turns on the User Monitor service to monitor account and group changes. The service queries all local user accounts, local groups, and Active Directory users and groups. The service detects additions, deletions, and modifications that occur. Information is then sent to the Eventlog service for reporting purposes.

To turn on monitoring of users and groups:

1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click User Monitor.
3. Double-click Enable monitoring of users and groups, and then select the Define this policy setting check box.
4. In the Setting box, select Enabled to turn on monitoring, and then click OK.

Monitoring Check Interval

This policy setting specifies the frequency with which the User Monitor service attempts to detect user and group changes on target computers.

Default value: 1800 seconds (30 minutes)

To configure the frequency of monitoring:

1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click User Monitor.
3. Double-click Monitoring check interval, and then select the Define this policy setting check box.
4. Enter, in seconds, how often the User Monitor checks for user and group changes, and then click OK.

SNMP Settings

The following groups of SNMP trap settings can be applied using a GPO:

- Account
- Domain
- Logon
- Authentication
- SUDO
- System Services

Note: To use SNMP policies, you must also turn on Lsassd: Enable use of the event log in the Authorization and Identification group policy.

To turn on SNMP traps:

1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click SNMP Settings.
3. Double-click Configure SNMP.
4. Select the Define SNMP traps policy settings check box.
5. Enter the target IP address to apply the policy to.
6. Select the port number.
7. Enter the SNMP community string.
8. Select the Trap Groups check box to select all of the trap groups available. Alternatively, select only the trap group check boxes that meet your particular requirements.
9. Click OK.

PowerBroker Servers Settings

This section describes how to use PBIS to configure policy settings to support PowerBroker Servers UNIX/Linux Edition (PBUL). Using the PBUL Rule Editor and the PBUL configuration file, you can create and change simple PBUL policy rules. Using the PBUL Rule Editor, you can enable or disable specific rules. PBUL policy data can be exported to a local file, edited manually, and imported to Active Directory from a local file.

PowerBroker Policy Rules Data

The PBUL policy data is saved to a .csv file. When the client-side agent applies the data from this Group Policy setting to a PB Master, the resulting collection of policy rules data is written to the following location: /etc/pb/policy.csv.

If more than one Group Policy Object (GPO) has defined PowerBroker Policy Rules Data in the Active Directory policy hierarchy that applies to a given PB Master computer, the client-side agent determines which of the policy settings should be applied based on targeting (filtering by host and system type) and precedence (link order and hierarchy). The resultant set of policy rules data is combined and written to the final /etc/pb/policy.csv file to represent the union of all rules. For more information, see Export, Manually Edit, and Import PBUL Policy Data.

Priority of Rules Within a GPO

Priority of rules within a single GPO is defined in the PBUL GPO Properties dialog. If multiple GPOs containing PBUL policy settings are applicable to a PBUL master, the GPOs' processing order is defined by their relative position in the Active Directory hierarchy. The closer a GPO is to the PBUL master, the higher priority it has.

PowerBroker Server Policy Rules Data

The process of defining a PBUL rule begins by creating a GPO in an Active Directory (AD) hierarchy leading to a pbmaster computer object.

Note: Before PBUL rules can be deployed, a PBUL configuration file must be defined. For more information, see PBUL Configuration, page 61.

To configure PowerBroker Servers policy rules data:

1. In GPMC, right-click an existing GPO and click Edit to open the Group Policy Management Editor.
2. In Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PowerBroker Servers, PowerBroker Policy Rules Data.

3. Double-click the Create PowerBroker Server Policy Rules policy setting to open the Create PowerBroker Server Policy Rules Properties dialog.

Tip: Displaying multiple items in a row. If a rule includes multiple commands, submitters, or Submit Hosts, a summary of the number of each is displayed in the row. To display an itemized list of commands, submitters, or hosts in a tool tip, point to the Commands, Submitters, or Submit Hosts cell in the row for that rule.

4. Using this dialog, you can do the following:
   - Create or modify a PBUL rule.
   - Change the priority of PBUL rules.
   - Disable or enable a PBUL rule.
   - Export, manually edit, and import PBUL policy data.

Create or Modify a PBUL Rule

Note: Before PBUL rules can be deployed, a PBUL configuration file must be defined. For more information, see PBUL Configuration, page 61.

To create a PBUL rule or to modify an existing PBUL rule, do the following:

1. In the Create PowerBroker Server Policy Rules Properties dialog box:
   - To create a new PBUL rule, click Add.
   - To modify an existing PBUL rule, select the rule and then click Edit.
2. Enter a name for the rule.
3. Enter the following information on the Conditions tab.

   a. Select the rule type: Accept or Reject.
   b. To add a user or group to be managed by the rule, click Add Submitter. Select a type of user or group to add. If adding an Active Directory user or group, click OK, enter the name of the user or group, and then click OK. If adding a local user or group, type the name in the box and click OK.
   c. Click Add Command and select from the following:
      - Submit Command: Enter the command as a submitter would type it. You can include arguments. If you want to allow the user to include additional arguments with the command at runtime, select the Allow Argument check box.
      - Run Command: Enter the command that runs when a submitter types the Submit Command. You can include arguments.
      - Run Command the same as submit: Select the check box when you want the command to be the same as the Submit Command.

      Note: If Run Command the same as Submit is not selected, you can effectively create an alias for a command for submitters.
      - Save As User Command: Select the check box to use the command with other PBUL rules.
      Click OK to add the command. You can remove commands that you add, but you cannot remove the default commands provided with PBIS.
   d. Select the commands that you want to run when the rule is activated. Click >> to move the command to the Current Active Commands list. To remove the command from the Current Active Commands list, click <<.
   e. Select the computers that will be Submit Hosts (where submitters run the commands in the rule) and Run Hosts (where the commands entered by submitters are run).
      - Run Host is the same as Submit Host (Optional): If the computer used as the Run Host must be the same computer used as the Submit Host, select the check box.
      - Run Host pool is the same as Submit Host pool (Optional): If the selected computers are used as both Submit Hosts and Run Hosts, select the check box.
      - Submit Hosts and Run Hosts: In the Submit Hosts or Run Hosts areas, click Add. Type a computer name or click ADD to search Active Directory for a computer. You can enter multiple computer names separated by commas.
   f. (Optional) You can limit when the rule is active to between specified dates or times of day, delay when a rule will become active, or specify an expiration for a rule. For example, to make the rule active only between 8:00 AM and 7:00 PM, select the Time Start check box and enter 8:00:00 AM, and select the Time End check box and enter 7:00:00 PM.
4. (Optional) Click the Environment tab, and then enter information for the following.
   - Run User: Enter the user account to use to run the commands in this rule on the Run Host. The default account is root. If you change the account, ensure that the account has the permissions necessary to run the commands in the rule and that the account exists on the Run Hosts. For more information about the pbrun command, see the "pbrun" section in the PB Servers System Administration Guide.

   - Preserve Environment (Optional): List any Unix or Linux environment variables that you want to remain unchanged by the effect of this rule when commands are run. Environment variables can alter which libraries are loaded for the session.
   - Define Environment (Optional): Enter the names and values of any Unix or Linux environment variables that you want to explicitly define when this rule is used to run commands.
   - Enable Keystroke Logging (Optional): To enable keystroke logging, select the check box. If selected, by default, keystrokes are logged to a separate log file for each command instance.

     Advanced administrators can change the path and file name format of these log files by changing the pb.conf file. If the default pb.conf file is used, keystroke log files are saved to file names beginning with /var/adm/pb.iolog. For more information, see PBUL Configuration, page 61.
   - Authenticate User (Optional): To display a password prompt to the user and authenticate the user before a command is run, select the check box. Select where authentication occurs: Submit Host, Run Host, or the PowerBroker Master Server. This setting can provide additional protection against unauthorized users if an authorized user neglects to lock his computer before stepping away from it. For information about authentication in PBUL, see the following sections in the PB Servers System Administration Guide: "PowerBroker Servers Settings," "Receiving Task Requests from a Master Daemon," "Pluggable Authentication Modules," and "Kerberos Version 5."
   - Idle Timeout (Optional): To force a timeout so that a long-running command cannot continue indefinitely, select the check box and enter the maximum number of minutes. For example, if you are configuring rules that allow users to create a shell session using pbsh or pbksh, you can use this setting to ensure that this elevated access eventually expires if idle.
5. Click OK.

Change the Priority of PBUL Rules

The priority of PBUL rules within a GPO is determined by their order in the list on the Create PowerBroker Server Policy Rules Properties dialog. To change the priority of PBUL rules within a GPO, on the Create PowerBroker Server Policy Rules Properties dialog, select a rule and click one of the arrows to move the rule to a higher or lower priority.

Disable or Enable PBUL Rules

You can enable and disable PBUL rules from the Create PowerBroker Server Policy Rules Properties dialog. Select the Enable check box to enable the rules you want to be active. Clear the Enable check box to disable a rule.

Export, Manually Edit, and Import PBUL Rules

You can export PBUL rules from Active Directory to a local file, manually edit the rules, and then import the edited rules from a local file into Active Directory.

Export PBUL Rules to a Local File

You can export PBUL rules from Active Directory to a local file so that you can manually edit the rules or archive them.

To export PBUL rules from Active Directory to a local .csv file:

1. On the Create PowerBroker Server Policy Rules Properties dialog box, select the rules that you want to export. Use the CTRL key to select more than one rule.
2. Click the Export button.
3. Indicate where to save the .csv file, enter a name for the file, and click Save.

Import PBUL Rules to Active Directory

If you manually edited PBUL rules or previously saved PBUL rules to a .csv file, you can import those rules to Active Directory.

To import PBUL rules from a local .csv file to Active Directory:

1. On the Create PowerBroker Server Policy Rules Properties dialog box, click the Import button.
2. Select a local .csv file from which to import data and click Open.
3. Click Apply to save the data to Active Directory.

Tip: Replacing rules. To ensure that rules are not inadvertently overwritten, rules in the .csv file that you import will not overwrite existing rules, even if the rule names are the same. If you want a rule that you imported to replace an existing rule, select the existing rule and click Remove.

PBUL Configuration

The PBUL Configuration policy setting is designed to install a pb.conf file on target computers that are running PBUL as a PowerBroker Master, enabling PBUL rules to function. The given computer's /etc/pb.settings file determines the placement of the PowerBroker configuration policy file by using the two settings policyfile and policydir. These values indicate the file and path that the given PowerBroker Master is configured to use for determining policy (typically /etc/pb.conf). If there is a previous file at the given location, it is backed up prior to being updated by the new policy configuration installed by Group Policy.

Before PBUL rules can be deployed using Group Policy, you must define a PBUL configuration file (pb.conf) that will be deployed to PB Masters. There are several sources from which you can obtain a configuration file. If you are already using PBUL, you can import your existing configuration file. If you have not previously used PBUL or do not have a configuration file, you can import a copy of the default configuration file that is installed with PBIS Enterprise. It is recommended that you use this file without modification unless you are an advanced administrator of PBUL. If you are an advanced administrator of PBUL and familiar with PBUL syntax, you can import a copy of the default configuration file to serve as a template and modify it as needed to use advanced PBUL functionality. For information about the text used to write PBUL policy settings, see the PB Servers Policy Language Guide.

Tip: Changing the keystroke log file location. If keystroke logging is enabled in a PBUL rule, keystrokes are logged to a separate file for each command instance. The path and file name format for these files are specified in the pb.conf file. The path and file prefix are defined in the _iolog_file_ variable. The file name is defined by the iolog variable.

The default pb.conf file is installed in the PBIS software installation directory. This pb.conf file is designed to process the PBUL Policy Rules Data (/etc/pb/policy.csv) that is created and maintained by the Create PowerBroker Server Policy Rules policy setting. It applies all of the fields that the PBUL Rule Editor supports when running on target PB Master computers.

To import a copy of a PBUL configuration file so that you can deploy PBUL rules:

1. In GPMC, right-click an existing GPO and click Edit to open the Group Policy Management Editor.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PowerBroker Servers, PBUL Configuration.
3. Double-click the Define PBUL Configuration file policy setting to open the Define PBUL Configuration file Properties dialog.
4. Click Import to import a copy of a PBUL configuration file (pb.conf). The default pb.conf file is located in the PBIS software installation directory (typically C:\Program Files\BeyondTrust\PBIS\Enterprise\Resources\Configuration\pb.conf). You do not need to make any changes to the file. However, if you are an advanced administrator of PBUL who is familiar with PBUL syntax, you can edit the imported file on this dialog box.

5. (Optional) To turn on monitoring for local pb.conf files, select the Monitor this policy setting check box. If the Group Policy agent detects local tampering of the pb.conf file, audit event warnings are logged and the local file is replaced by the pb.conf file specified in this policy setting.
6. Click OK.

Tip: If you unintentionally alter the pb.conf file. The pb.conf file that you have imported is a copy of the one installed in the PBIS software installation directory (typically C:\Program Files\BeyondTrust\PBIS\Enterprise\Resources\Configuration\pb.conf). If an administrator inadvertently alters the pb.conf file that has been imported, you can replace it by repeating this procedure to import a new copy of the default pb.conf file.
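The monitoring behaviour described in step 5 (detect local tampering of pb.conf, log an audit warning, put the policy copy back) is the standard pattern for any policy-delivered file, and it is useful to understand what such a check does and does not catch. The following POSIX shell script is an added example, not the PBIS agent's implementation: it compares the live file against the reference copy by digest, keeps the divergent copy for investigation, restores the reference and writes a warning line. The log format, the file paths and the root-only file mode are assumptions, and the reference file content is a constructed placeholder, not real pb.conf syntax.

```shell
#!/bin/sh
# Added example (not the PBIS agent's code): integrity check and restore for
# a policy-delivered file such as pb.conf. Log format and paths are assumed.

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# file_digest FILE -> hex digest (SHA-256 where a tool for it is available)
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f 1
    else
        cksum "$1" | cut -d ' ' -f 1    # CRC fallback: detects accidents, not a deliberate collision
    fi
}

# enforce_policy_file REFERENCE LIVE AUDIT_LOG
# Prints "ok" when LIVE matches REFERENCE, otherwise "restored" after saving
# the divergent copy next to LIVE and overwriting LIVE with REFERENCE.
enforce_policy_file() {
    ref=$1; live=$2; log=$3
    want=$(file_digest "$ref")
    if [ -f "$live" ] && [ "$(file_digest "$live")" = "$want" ]; then
        printf '%s INFO %s matches policy digest %s\n' "$(utc_now)" "$live" "$want" >> "$log"
        printf 'ok'
        return 0
    fi
    saved="$live.tampered.$(date -u +%Y%m%d%H%M%S)"
    if [ -f "$live" ]; then
        cp -p "$live" "$saved"          # keep the evidence before overwriting it
    else
        saved="(missing)"
    fi
    cp "$ref" "$live"
    chmod 0600 "$live"                  # assumption: the policy file is readable by root only
    printf '%s WARNING %s did not match policy digest %s; restored from %s, previous copy kept as %s\n' \
        "$(utc_now)" "$live" "$want" "$ref" "$saved" >> "$log"
    printf 'restored'
}

# Self-contained demonstration in a scratch directory (constructed content):
# first run matches, a locally appended line makes the second run restore.
demo_tamper_detection() {
    scratch=$(mktemp -d)
    printf '# constructed placeholder for the policy-delivered pb.conf\n' > "$scratch/pb.conf.policy"
    cp "$scratch/pb.conf.policy" "$scratch/pb.conf"
    first=$(enforce_policy_file "$scratch/pb.conf.policy" "$scratch/pb.conf" "$scratch/audit.log")
    printf '# locally added line\n' >> "$scratch/pb.conf"
    second=$(enforce_policy_file "$scratch/pb.conf.policy" "$scratch/pb.conf" "$scratch/audit.log")
    cat "$scratch/audit.log"
    rm -rf "$scratch"
    printf '%s %s\n' "$first" "$second"
}

demo_tamper_detection
```

Two limits of this pattern are worth keeping in mind when reading step 5: a check that runs on the refresh interval leaves a window between a local edit and its reversal, so the audit warning is the part to alert on, and the reference copy itself has to be protected, since restoring from a reference that was also modified just propagates the change.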

64 Message Settings Message Settings This section describes message settings that you can display to your end users. Display a Message with a Login Prompt Policy By using PBIS, you can use a group policy to set a message in the /etc/issue file on target Linux and Unix computers. The message, which appears before the login prompt, can display the name of the operating system, the kernel version, and other information that identifies the system. In the message text, you can use characters, numbers, and special characters; there is no limit to the length of the message. You can use this policy on computers running Linux, Unix, or Mac OS X. The policy replaces the /etc/issue file on target computers. 1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs, page In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Message Settings, and then click Login Prompt. 3. Double-click Login Prompt (/etc/issue), select the Define this Policy Setting check box, and then in the Text Value box, type your message. In your message, you can use escape codes that getty (on Unix) or agetty (on Linux) recognizes. For example, if you write Welcome to \s \r \l, on a Linux computer, agetty replaces \s with the name of the operating system, \r with the kernel version, and \l with the name of the terminal device. For a list of escape codes, see the getty or agetty man pages for your system. Display a Message of the Day By using PBIS, you can use a group policy to set a message of the day in the /etc/motd file on target Linux and Unix computers. The message of the day, which appears after a user logs in but before the logon script executes, can give users information about a computer. For example, the message can remind users of the next scheduled maintenance window. 
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy replaces the motd file on the target computer.

Note: If you are using this policy on target Linux and Unix computers running PBIS Enterprise 5.0 or later, you must first set an lsassd group policy; see Display a Message of the Day at Logon.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Message Settings, and then click Message of the Day.

3. Double-click Message of the day (/etc/motd), select the Define this Policy Setting check box, and then in the Text Value box, type your message.

Tip: Limit the size of your message to one screen.

Logging and Audit Settings

Logging and auditing settings enable you to manage various types of security logs and security mechanisms.

Create a SysLog Policy

You can create a syslog group policy for target Unix and Linux computers. A syslog policy can help you manage, troubleshoot, and audit your systems. PBIS provides a graphical user interface to configure and customize your syslog policies. You can log different facilities, such as cron, daemon, and auth, and you can use priority levels and filters to select which messages are collected.

This policy works with computers running Linux, Unix, or Mac OS X. The policy replaces the local policies. It is not inherited and does not merge with the local settings. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Logging and Audit Settings, and then click SysLog.

3. Double-click SysLog, and then select the Define this Policy Setting check box.

4. Click Add.

5. In the Syslog Policy Editor, select the destination type for the syslog. The options in the box below the Destination Type list change depending on the destination type selected:

   Destination Type   Do This
   File               Enter the path to the file.
   Named Pipe         Enter the path and name of the pipe file.
   Remote Host        Enter the IP address or the server name of the remote host.
   Local Users        Enter a comma-separated list of user (login) names.
   All Users          The box is unavailable.

   Note that classic syslog forwarding to a remote host is sent over UDP port 514 in clear text and is not authenticated. If the target's syslog daemon supports an encrypted transport (for example, TLS in rsyslog or syslog-ng), configure that on the target outside this policy, and restrict which hosts the collector accepts messages from.

6. Click in the Facilities box, and then select the facilities that you want to log:

   All             Adds all the facilities to the policy.
   Selected Items  Select the check boxes for the facilities that you want in the list.
   Custom Entry    Type a comma-separated list of the facilities that you want to use. For example: cron, daemon, auth, kern

7. From the Priorities list, select the priority level for the events that you want to log.

8. From the Filter list, select the filter that you want to apply to the priority level, and then click OK.

Tip: To change a log's options later, click a log in the list, and then click Edit.

Secure Computers with an AppArmor Policy

You can create an AppArmor group policy to help secure target computers that are running SUSE Linux Enterprise. AppArmor is a Linux Security Module implementation of name-based (path-based) access controls. To help protect your operating system and applications from threats, AppArmor uses security policies, called profiles, that define the system resources and privileges that an application can use.

AppArmor is included with all SUSE distributions from SUSE Linux Enterprise Server 9, Service Pack 3 (SLES9 SP3) and later, including SLES10, SLED10, and openSUSE 10.0, 10.1, and later releases.

Note: To configure this policy, you must have a file containing an AppArmor security profile. The SUSE Linux distribution contains default profiles that you can use. It also contains tools to build your own profiles. For information on how to obtain or create a security profile, see the AppArmor documentation.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings, page 9.

To secure computers with an AppArmor policy:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor.
For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Logging and Audit Settings, and then click AppArmor.

3. Double-click AppArmor, and then select the Define this Policy Setting check box.

4. Click Add, find the security profile that you want to use, and then click Open.

5. In the list under Profile Mode, select one of the following:

   complain  Select to log events that would be denied if the profile were set to enforce.
   enforce   Select to enforce the policies defined by the security profile.

   Because a profile is written in terms of executable and file paths, a profile taken from one SUSE release may not match the binaries on another. Deploy a new profile in complain mode first, review the would-be denials logged on the targets, and switch the policy to enforce only after the profile produces none.

Secure Computers with an SELinux Policy

You can create a Security-Enhanced Linux (SELinux) group policy to help secure target computers running Red Hat Enterprise Linux. SELinux implements mandatory access control through the Linux Security Modules (LSM) framework in the Linux kernel. The security architecture, which is based on the principle of least privilege, provides fine-grained control over which users and processes are allowed to access a system or execute commands on it.

SELinux can isolate processes from each other. For example, if you have a public web server that is also acting as a DNS server, SELinux can confine the two processes so that a vulnerability in the web server process does not give access to the DNS server.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policy Settings, page 9.

Note: This policy applies the settings that you define in the procedure below to the /etc/sysconfig/selinux file on target computers running Red Hat Enterprise Linux. That file is the primary configuration file for enabling or disabling SELinux, for selecting which policy to load, and for setting how it is enforced. (On current Red Hat releases /etc/sysconfig/selinux is a symbolic link to /etc/selinux/config, so both paths show the same settings.)

To secure computers with an SELinux policy:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Logging and Audit Settings, and then click SELinux.

3. Double-click SELinux, and then select the Define this policy setting check box.

4.
From the SE Linux list, select one of the following:

   enforcing   The SELinux security policy is enforced.

   permissive  SELinux logs warnings but does not enforce the policy. You can use this setting for debugging and troubleshooting.

   In permissive mode, more denials are logged, because subjects can continue to perform actions that enforcing mode would have stopped. For example, traversing a directory tree generates an avc: denied message for every directory level read; in enforcing mode, the kernel would have stopped the initial traversal and not generated further denial messages.

   disabled    SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered. A change to or from disabled takes effect only after a reboot, and files created while SELinux was disabled carry no labels, so re-enabling it requires a full file system relabel (touch /.autorelabel before rebooting) or services will fail in enforcing mode.

5. From the SE Linux Type list, select one of the following:

   targeted    Protects only targeted network daemons. The default targeted policy protects the following daemons on Red Hat Enterprise Linux 4: dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd. The rest of the system runs in the unconfined_t domain. The policy files for these daemons are in /etc/selinux/targeted/src/policy/domains/program and might vary depending on the version of Red Hat Enterprise Linux that you are using.

   strict      Provides full SELinux protection for all daemons. The system defines security contexts for all objects and subjects, and the security server evaluates every action against the policy. The strict policy ships with Red Hat Enterprise Linux 4 and 5 only; Red Hat Enterprise Linux 6 and later ship targeted, minimum, and mls policies instead, so confirm that the selected type exists under /etc/selinux/ on the target before applying this policy, because a type that is not installed cannot be loaded at boot.

Rotate Logs

To help you manage, troubleshoot, and archive your system's log files, you can create a group policy to configure and customize your log-rotation daemon. For example, you can choose to use either a logrotate or logrotate.d file, specify the maximum size before rotation, compress old log files, and set an e-mail address for mailing log files and error messages. You can also enter commands to run before and after rotation.

This policy works with computers running Linux, Unix, or Mac OS X. The policy replaces the local policies. It is not inherited and does not merge with the local settings. For more information, see About Group Policy Settings.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor.
For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Logging and Audit Settings, and then click LogRotate.

3. Double-click Rotate logs, and then select the Define this Policy Setting check box.

4. Click Add.

5. In the Log Rotate Policy Editor, under the General Options tab, set the options that you want.

6. Click the Log Options tab, and then set the options that you want.

7. Click the Mail/Script Options tab, and then set the options that you want.
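Returning to the SELinux policy above: once the policy has been polled, the settings it wrote can be verified on a target before anyone relies on them. The following shell script is an added example written for this guide; it is not BeyondTrust code and makes no use of the PBIS agent. It validates the SELINUX= and SELINUXTYPE= values in the format of /etc/selinux/config (the file that /etc/sysconfig/selinux links to on Red Hat), checks that the chosen policy type is actually installed, and compares the file with what the kernel is currently enforcing. The sample file contents are constructed for the example.

```bash
#!/bin/sh
# Added example, not BeyondTrust code. Checks the two values the SELinux policy
# writes (SELINUX= and SELINUXTYPE=) in the format of /etc/selinux/config, which
# /etc/sysconfig/selinux links to on RHEL. The file text is read on stdin so
# the check can run against constructed input as well as the real file.

# selinux_config_check: prints "<mode> <type>" and returns 0 when both values
# are ones SELinux accepts; otherwise prints the problem and returns 1.
selinux_config_check() {
    mode=""; type=""
    while IFS= read -r line; do
        case "$line" in
            ''|\#*)        continue ;;                 # blank line or comment
            SELINUX=*)     mode="${line#SELINUX=}" ;;
            SELINUXTYPE=*) type="${line#SELINUXTYPE=}" ;;
        esac
    done
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) printf 'bad or missing SELINUX value: "%s"\n' "$mode"; return 1 ;;
    esac
    case "$type" in
        targeted|strict|mls|minimum) ;;
        *) printf 'bad or missing SELINUXTYPE value: "%s"\n' "$type"; return 1 ;;
    esac
    printf '%s %s\n' "$mode" "$type"
}

# selinux_type_installed TYPE: a policy type can only be loaded at boot if its
# policy store exists on the target (strict is absent on RHEL 6 and later).
selinux_type_installed() {
    [ -d "/etc/selinux/$1/policy" ]
}

# selinux_live_mode_is MODE: compares the file setting with what the kernel is
# actually enforcing (getenforce). Returns 2 when getenforce is unavailable.
# The two differ until the next reboot when switching to or from disabled.
selinux_live_mode_is() {
    command -v getenforce >/dev/null 2>&1 || return 2
    [ "$(getenforce | tr 'A-Z' 'a-z')" = "$1" ]
}

# Constructed sample inputs (not taken from a real system).
SELINUX_SAMPLE_OK='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
SELINUX_SAMPLE_BAD='SELINUX=enabled
SELINUXTYPE=targeted'

# Stand-alone use on a target (uncomment):
# selinux_config_check < /etc/selinux/config
# selinux_type_installed targeted && echo "targeted policy present"
# selinux_live_mode_is enforcing && echo "kernel is enforcing"
```

Run selinux_config_check against /etc/selinux/config on a target after the agent has applied the policy; a value the kernel will not accept (such as the "enabled" in the second sample) means the policy text was wrong, not that SELinux is off. selinux_live_mode_is reports a mismatch between the file and the running kernel, which is expected until the reboot that a change to or from disabled requires.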

File System Settings

File system settings enable you to control various aspects of the computer's file system.

Automount a File System

You can create a group policy to start a daemon that automatically mounts a file system on target Unix, Linux, or Mac OS X computers. When a user attempts to access an unmounted file system, the file that you associate with this policy automatically mounts it.

Because each operating system handles automounting differently, create an automount group policy for each operating system. To automount a file system on Unix computers and on Mac OS X computers, for example, create two automount policies, one targeted at each operating system. To apply a policy to an operating system in a cell containing computers running different operating systems, see Filtering by Target Platform.

Automount is typically configured with two or more files: auto_master and one or more map files referenced by auto_master. The PBIS group policy agent, gpagentd, copies the files referenced by auto_master to a subdirectory of /var/lib/pbis/grouppolicy/ and copies the auto_master file to /etc. The agent creates a link in /etc named lwi_automount to the appropriate subdirectory in /var/lib/pbis/grouppolicy/. (The subdirectory can vary by system.) The purpose of /etc/lwi_automount is to let the group policy-specified auto_master file name one or more automap files without interfering with files that already exist in /etc.

Here is a sample auto_master file:

    # PBIS identity automount file
    /test /etc/lwi_automount/auto.test

Here is a sample auto.test file specifying two mounts:

    # PBIS identity auto.test
    test1 -ro,hard,vers=3,intr,tcp :/distro
    test2 -rw,soft,vers=3,intr,tcp :/distro/software

You can specify multiple autofs (/test) directories and multiple mount points in each directory. You can also reference existing files in /etc or another path by using full path names in the auto_master file.
Example Usage

The automount group policy, which can be especially helpful in large networks, has several uses:

- Automount NFS, Samba, and boot mounts or partitions.
- Cross-mount file systems between a few machines, especially machines that are not always online.
- Switch between a forced-on ASCII conversion mount of a DOS file system and a forced-off ASCII conversion mount of the same DOS file system.
- Automount removable devices.

Inheritance and Backup

The automount policy replaces the local file. It is not inherited and does not merge with the local file. For more information, see About Group Policy Settings, page 9.

The original auto_master file is backed up and stored in /var/lib/pbis/grouppolicy/systemfiles. The original is restored if the automount group policy is disabled or if the computer goes out of scope, for example by being moved to another OU.

Automount a File System

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, File System Settings, and then click AutoMount.

3. Double-click AutoMount, and then select the Define this Policy Setting check box.

4. Click Add, type the file name, or click Browse to find the file.

5. If the file is an executable file, select the File is executable check box.

6. Click OK.

Create Directories, Files, and Links

You can define a group policy to create directories, files, commands, and symbolic links on target Unix and Linux computers. This policy can be applied to either computers or users. The policy works on computers running Linux, Unix, or Mac OS X.

The policy, which is not inherited, does not concatenate a series of settings across multiple group policy objects in different locations in the Active Directory hierarchy. Instead, the closest local policy object is applied.

Setting up a Script Policy

You can add more than one script when setting up scripts with this policy setting. All scripts are automatically merged and run. Note that a script can also be applied at the system level with the Run Scripts policy; see Run a Script File.

For example, you might want to deploy a common script or file to all systems (for example, /etc/resolv.conf) but then deploy other files that differ by system (for example, /etc/sysconfig/iptables). Configure the system-specific policies with a Files, Directories and Links policy setting.

Configure a Files, Directories and Links policy

To configure the policy:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand either Computer Configuration or User Configuration, Unix and Linux Settings, File System Settings, and then click Files, Directories and Links.

3. Double-click Create Directories, Install Files, Configure Links, and then select the Define this Policy Setting check box.

4. Click Add, and then select one of the following:

   File - On the File Object Editor dialog box, configure the file path on the source and on the targets; configure permissions on the file; add a user or group. You can also choose to delete the file on sources and targets when the policy is deleted.
   Directory - On the Directory Object Editor, configure the path on the target; configure directory permissions; add a user or group.
   Symbolic Link - On the Link Object Editor, set the path where the symbolic link will be created on the target.
   Command - On the Command Object Editor, enter the command that you want to run on the target.

5. Use the Object Editor that appears to set the object's paths and other file system properties. To change an object's properties later, click the object in the list, and then click Edit.

Note: Configuring a User or Group using an ID
When setting up the local user or local group, you can prefix the ID with a number sign (#).
PBIS does not validate a user or group ID prefixed by a number sign; you must provide a valid user or a valid group. To use the ID of 0 for the root account, however, do not use the # prefix.

Specify the File System Mounts (fstab)

You can create a group policy for the file systems table, or fstab, on target Unix and Linux computers and add mount entries to it by using a graphical user interface. Fstab, typically located in /etc/fstab, is a configuration file that specifies how a computer is to mount partitions and storage devices.

The mount entries in this policy are appended to the contents of /etc/fstab (/etc/vfstab on Solaris), but the file systems are not mounted until you explicitly mount them with a command such as mount -a, even after the group policy has been polled by the target computer. To mount the file systems, do one of the following:

- Log on to the target computer and execute the mount -a command (or a similar command, depending on your operating system), or restart the computer.
- Run a cron job that resets the mounts remotely or restarts the computer; see Schedule Cron Jobs with a crontab or cron.d Policy.

Note: It is recommended that you not reset the mounts while a user is logged on to the computer.

To mount public-oriented Windows shares, you can use a general AD user account with no other rights. When you must use individual user accounts to mount the shares, consider using pam_mount instead. Keep in mind that /etc/fstab is world-readable on most systems, so a password placed directly in a CIFS entry's options is visible to every local user; put the account's credentials in a separate file referenced with credentials=/path and readable only by root (mode 0600).

The policy can add the following kinds of file systems to fstab:

- Common Internet File System (cifs)
- Linux Native File System (ext2)

- New Linux Native File System (ext3)
- ISO9660 CD-ROM (iso9660)
- Network File System (NFS)
- Network File System version 4 (NFS4)

Note: For cifs and iso9660 file systems, make sure the owner and group objects in Active Directory are enabled in a PBIS cell. Doing so defines UID and GID values for the objects on the systems where the policy setting is to take effect.

To set file system mounts:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, File System Settings, and then click File System Mounts (fstab).

3. In the details pane, double-click File System Mount, and then select the Define this Policy Setting check box.

4. Click Add, click the type of file system that you want to mount, and then click OK.

5. Use the Add New Mount Wizard to set the mount details for the type of file system that you want to mount. After you use the wizard to add a file system, you can edit the mount details and options by clicking the mount entry in the list and then clicking Edit.

6. To disable the mount, in the list of mount entries, under Status, double-click Enabled.
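Because the entries this policy appends are only checked when mount -a eventually runs, it pays to review them before they are pushed. The following shell script is an added example written for this guide, not BeyondTrust code: it reads fstab-style lines, checks that each has the four mandatory columns and an absolute mount point, warns when a network mount (cifs, nfs, nfs4) lacks nosuid, and warns when a CIFS entry carries the password in its options instead of a credentials= file. The hosts, shares, and devices in the sample lines are made up for the example.

```bash
#!/bin/sh
# Added example, not BeyondTrust code. Reviews the lines an fstab policy will
# append to /etc/fstab before they are pushed: each entry needs at least the
# device, mount point, type and options columns, network mounts should carry
# nosuid, and a CIFS entry must not carry the account password inline because
# /etc/fstab is readable by every local user (use credentials=FILE, mode 0600).
# The device, host and share names below are made up for the example.

# fstab_review: fstab text on stdin; prints one "ok|warn|bad ..." line per
# entry and returns 0 only when no entry is "bad".
fstab_review() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        set -f; set -- $line; set +f            # split columns without globbing
        if [ $# -lt 4 ]; then
            bad=$((bad + 1)); printf 'bad %s (needs device mountpoint type options)\n' "$line"; continue
        fi
        mnt=$2; type=$3; opts=$4
        case "$mnt" in
            /*) ;;
            *)  bad=$((bad + 1)); printf 'bad %s (mount point is not an absolute path)\n' "$mnt"; continue ;;
        esac
        case "$type" in
            cifs|nfs|nfs4)
                status=ok; why=""
                # setuid binaries on a network share should never gain privilege here
                case ",$opts," in *,nosuid,*) ;; *) status=warn; why="$why no-nosuid" ;; esac
                if [ "$type" = cifs ]; then
                    case ",$opts," in
                        *,pass=*|*,password=*) status=warn; why="$why password-in-fstab" ;;
                    esac
                fi
                printf '%s %s%s\n' "$status" "$mnt" "$why" ;;
            *)  printf 'ok %s\n' "$mnt" ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample entries (not from a real system).
FSTAB_SAMPLE='# constructed entries appended by an fstab policy
//fileserver/public /mnt/public cifs guest,ro,nosuid,nodev 0 0
//fileserver/private /mnt/private cifs username=svc,password=Secret1,nosuid,nodev 0 0
nfshost:/export/home /home nfs4 rw,hard 0 0
/dev/cdrom /media/cdrom iso9660 ro,noauto 0 0
badline'

# Stand-alone use: review the policy text, or the live file on a target.
# printf '%s\n' "$FSTAB_SAMPLE" | fstab_review
# fstab_review < /etc/fstab
```

On a Linux target, mount -fav (fake, all, verbose) after the policy has been polled lists what mount -a would do without actually mounting anything, which is a cheap second check before the cron job or reboot that performs the real mount.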

Task Settings

Using Task Settings policies, you can:

- Configure scripts to run
- Schedule cron jobs
- Copy a sudoers file to targets

Schedule Cron Jobs with a crontab or cron.d Policy

You can use a GPO to schedule commands, or cron jobs, that are executed at a set time. When you set this policy, you must select a file type:

- /etc/cron.d - Use only on Linux computers. Using cron.d adds your file to the /etc/cron.d directory on target Linux computers.
- crontab - Use on Linux, Unix, or Mac OS X computers. Using crontab overwrites the crontab file on target computers.

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Task Settings, and then click Crontab/Cron.d.

3. Double-click Crontab Settings, and then select the Define this Policy Setting check box.

4. To set the crontab file type, click Change Type, select one of the following, and then click OK.

   /etc/cron.d  Adds the file to the /etc/cron.d directory while preserving existing files and other files inherited from policy objects. Not supported by the Sun Solaris, Mac OS X, or IBM AIX operating systems.
   crontab      Uses the crontab utility to install the file in the root account, overriding the account's existing crontab settings and any files inherited from policy objects. Supported by most systems, including Solaris, AIX, and Mac OS X.

5. In the Current file content box, type your command. Example:

    * * * * * echo "`date` Running Cronjob 1 ($0)" >> /tmp/ad_gpo.log

Or, click Import, find the file that contains your commands, and then click Open.

Note that the two file types use different line formats. A file in /etc/cron.d uses the system crontab format, in which a user name follows the five time fields (for example, * * * * * root command), whereas the example above is in the per-user crontab format and has no user field. A cron.d file without the user field will not run as intended, so match the content to the type you select in step 4.

Run a Script File

You can use a GPO to execute a text-based script file on target Linux and Unix computers.
The script file runs under the root account when the target computer first receives the GPO or when the policy object's version changes. When a target system is restarted, the script runs again. Because the script runs as root on every target in scope, anyone who can edit the GPO can execute arbitrary code as root on all of those computers; restrict edit rights on the GPO (Delegation tab in GPMC) to the administrators who need them.

This policy replaces the local file. It is not inherited and does not merge with the local file. For more information, see About Group Policy Settings, page 9.
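The difference between the two cron file types on the previous page is easy to get wrong, because a crontab-format line dropped into /etc/cron.d is accepted silently and simply never runs the intended command. The following shell script is an added example written for this guide, not BeyondTrust code: it lints the text you are about to put into a Crontab/Cron.d policy for the file type chosen in step 4, and for the cron.d type verifies the user field with id(1), which on a PBIS-joined host also resolves Active Directory accounts. The sample entries are constructed; CROND_BAD is the guide's own example, which is valid only for the crontab type.

```bash
#!/bin/sh
# Added example, not BeyondTrust code. Lints the content of a Crontab/Cron.d
# policy for the selected file type: an /etc/cron.d file ("crond") needs a
# user name after the five time fields, a root crontab ("crontab") must not
# have one. The user field is checked with id(1).

# cron_lines_ok TYPE  (TYPE is crond or crontab; file content on stdin)
# Prints "<n> entries, <m> malformed" and returns 0 when m is 0.
cron_lines_ok() {
    kind="$1"; n=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;     # blank, comment, or VAR=value line
        esac
        n=$((n + 1))
        set -f; set -- $line; set +f             # split into fields without globbing the *
        case "$1" in
            @*) shift 1 ;;                       # @reboot, @daily, ... is a single field
            *)  if [ $# -lt 5 ]; then
                    bad=$((bad + 1)); printf 'short time spec: %s\n' "$line"; continue
                fi
                shift 5 ;;
        esac
        if [ "$kind" = crond ]; then
            # the next field must name an account the target can resolve
            if [ $# -lt 2 ] || ! id "$1" >/dev/null 2>&1; then
                bad=$((bad + 1)); printf 'no valid user field: %s\n' "$line"; continue
            fi
            shift 1
        fi
        if [ $# -lt 1 ]; then
            bad=$((bad + 1)); printf 'no command: %s\n' "$line"
        fi
    done
    printf '%d entries, %d malformed\n' "$n" "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed samples. CROND_OK is the guide's example rewritten with the user
# field that /etc/cron.d requires; CROND_BAD is the guide's example as written.
CROND_OK='# constructed /etc/cron.d file
MAILTO=root
* * * * * root echo "$(date) Running Cronjob 1" >> /var/log/ad_gpo.log
@daily root /usr/sbin/logrotate /etc/logrotate.conf'
CROND_BAD='* * * * * echo "$(date) Running Cronjob 1 ($0)" >> /tmp/ad_gpo.log'

# Stand-alone use (uncomment): lint a file for the type you will select.
# cron_lines_ok crond < my-policy.cron
```

Run the check with the same type you will choose in the policy editor; a file that passes for crontab but fails for crond is exactly the silent-failure case described above. The script does not validate the time fields themselves, only their count.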

Only one script can be applied at the system level. You can apply more than one script to targets by using the File System Settings policies; see Create Files, Directories, and Links.

The default ordering of the script policy is as follows:

1. Default domain policy
2. Higher-level OU policies
3. Current-level OU policies

Within an OU, the ordering is from the highest link order number to the lowest.

To create a script file policy:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Task Settings, and then click Run Script.

3. Double-click Script file, and then select the Define this Policy Setting check box.

4. In the Current file content box, type your script. Example:

    #!/bin/bash
    echo "`date` Running AD Script 1 ($0)" >> /tmp/ad_gpo.log

Or, click Import, find the file that contains your script, and then click Open.

Security Group Policies

You can define a GPO to specify a sudo configuration file for target computers running Linux, Unix, and Mac OS X. The sudo configuration file is copied to the local machine and replaces the local sudoers file. A sudo file can reference local users and groups or Active Directory users and groups.

Sudo, or superuser do, allows a user to run a command as root or as another user. This policy can control sudo access in a centralized and uniform way. For more information about sudo, see the man pages for your system.

This policy is not inherited and does not merge with the local file. For more information, see About Group Policy Settings, page 9.

Note: The PBIS entries in your sudoers file must conform to the rules in "Configure Entries in Your Sudoers Files" in the PowerBroker Identity Services Enterprise Edition Administration Guide.

As a best practice, take a proven, working sudoers file from a computer and apply it only to other computers running the same operating system. For example, to apply a sudo policy to a set of Red Hat Enterprise Linux computers, select a working sudo configuration file from one of the RHEL computers and apply it only to the other RHEL computers. Proceeding in this way helps prevent overriding a system's default sudoers file with changes that might be unsuitable (especially on, for example, Ubuntu or Mac OS X) because they apply only in the context of another operating system.

Because this policy replaces the entire local sudoers file, a syntax error in the file you push disables sudo on every target in scope. Check the file with visudo -c -f <file> on a computer of the same operating system before you import it, and review which users and groups the file grants unrestricted root access to.

To create a sudo configuration file policy:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor. For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, Security Settings, and then click SUDO command.

3. Double-click Define Sudoer file, select the Define this Policy Setting check box, and then in the Current file content box, type your commands. Or, to import a sudo configuration file, click Import, and then find the file that you want.
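The two checks recommended above, in script form. The following is an added example written for this guide, not BeyondTrust code: sudoers_syntax_ok wraps the real parser (visudo -c -f) where it is installed, and sudoers_root_grants lists every user specification whose command list is ALL, so that the reviewer sees who gets unrestricted root, and whether without a password, before the file replaces the local sudoers on all targets. The sample sudoers text is constructed; the DOMAIN\\linux-admins group is invented for the example and uses the escaped-backslash form sudoers requires for DOMAIN\group names.

```bash
#!/bin/sh
# Added example, not BeyondTrust code. Two checks to run on a sudoers file before
# importing it into the SUDO command policy, where it will replace the local
# sudoers file on every target in scope.

# sudoers_syntax_ok FILE: runs the real parser (visudo -c -f) when it exists.
# Returns 0 if the file parses, 1 if not, 2 if visudo is not installed here.
sudoers_syntax_ok() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1" >/dev/null 2>&1
}

# sudoers_root_grants: reads sudoers text on stdin and prints "<who> <flag>"
# for every user specification whose command list ends in ALL (unrestricted
# root), flagging whether a password is required. Alias definitions, Defaults
# lines and #include directives are skipped, and trailing comments are not
# handled, so expand includes and strip comments before reviewing.
sudoers_root_grants() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|Defaults*|User_Alias*|Host_Alias*|Cmnd_Alias*|Runas_Alias*) continue ;;
        esac
        set -f; set -- $line; set +f              # split on whitespace, no globbing
        who=$1; last=""
        for w in "$@"; do last=$w; done           # last token is the final command
        [ "$last" = ALL ] || continue
        case "$line" in
            *NOPASSWD:*) flag=nopasswd ;;
            *)           flag=password ;;
        esac
        printf '%s %s\n' "$who" "$flag"
    done
}

# Constructed sample (not a real sudoers file). The AD group uses the escaped
# backslash form that sudoers requires for DOMAIN\group names.
SUDOERS_SAMPLE='# constructed sample
Defaults        env_reset
Cmnd_Alias      BACKUP = /usr/bin/rsync
root            ALL=(ALL)       ALL
%wheel          ALL=(ALL)       ALL
%DOMAIN\\linux-admins ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root)      NOPASSWD: BACKUP
auditor         ALL=(ALL)       /usr/bin/less /var/log/secure'

# Stand-alone use (uncomment):
# sudoers_syntax_ok /path/to/candidate-sudoers; echo "syntax status $?"
# sudoers_root_grants < /path/to/candidate-sudoers
```

A status of 2 from sudoers_syntax_ok means the check could not be performed on this machine, not that the file is valid; run it on a computer of the target operating system, which is also where the guide recommends taking the file from in the first place.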

Network Settings

Using the Network Settings policy, you can configure resolv.conf settings and apply them to target computers. You can merge with or replace the existing resolv.conf file on the target.

Set DNS Servers and Search Domains

You can create a GPO to specify the DNS servers and search domains on target Linux, Unix, and Mac OS X computers. The search domains are automatically appended to names that are typed in Internet applications. For example, if you set campus.college.edu as a search domain on a Mac computer, a user can type server1 in the Finder's Connect To Server dialog box to connect to server1.campus.college.edu.

Note: Setting this group policy can lead to a conflict with the settings in the resolv.conf file on some target computers, especially those running newer versions of Linux that include NetworkManager. NetworkManager's dynamic maintenance of resolv.conf will likely conflict with this policy's resolver options. When turned on, NetworkManager typically leaves a comment in resolv.conf to indicate that it generated the file:

    [root@bvt-rad12-32 ~]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search corpqa.pbisdemo.com corp.pbisdemo.com
    nameserver
    nameserver
    nameserver

When the GPO is processed, a new resolv.conf file is generated and named resolv.conf.gp. The old resolv.conf file is saved as resolv.conf.lwidentity.orig, and then the new resolv.conf.gp is renamed resolv.conf. When the network interface is restarted, however, the updated resolv.conf settings can be overwritten with values from other configuration repositories, even if NetworkManager is not turned on. It is recommended that you use a target platform filter to apply the policy only to Unix platforms or other systems on which resolv.conf is not dynamically modified.

To create a DNS server policy:

1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor.
For more information, see Managing GPOs.

2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux Settings, and then click Network Settings.

3. Double-click DNS, and then select the Define this policy setting check box.

4. In the DNS Servers box, type the DNS server address that you want to use. To enter more than one address, put each address on a new line.

5. Optional. In the Search Domains box, type a search domain. To enter multiple search domains, separate them with commas. Domains are searched in the order listed. To include local as one of the search domains, the target computers must be running OS X 10.4 or later and local must be listed first. Example: local, demo.com, campus.college.edu

6. Optional. Use a sortlist to sort the addresses returned by gethostbyname. A sortlist is a list of IP-address/netmask pairs (the netmask is optional and is separated from the address by a slash). See the man pages of your target platform for information about how to set up your sortlist.

7. Set the resolver options as needed. For information about each resolver option, see the man pages for your target platform.

   Setting  How Option Is Applied
   Ignore   The option is not applied to /etc/resolv.conf. When you also select to merge the selections with the local settings on the target computer and the option is specified in the local file, the option remains as specified in the local file.
   Enable   The option is added to /etc/resolv.conf. When you also select to merge the selections with the local settings, the option replaces the local version of the option.
   Disable  The option is not applied to /etc/resolv.conf. When you also select to merge the selections with the local settings, the option is removed from /etc/resolv.conf if it appears in the local file.

8. From the Apply settings by list, select either:

   Merging with local settings   Adds the settings in the policy to /etc/resolv.conf.
   Replacing local settings      Overwrites the local settings in /etc/resolv.conf with the settings of the policy.
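The Ignore/Enable/Disable table and the merge-versus-replace choice are easiest to understand by seeing the file they produce. The following shell script is an added example written for this guide, not BeyondTrust code, and it does not use PBIS's own on-disk policy format (which this page does not describe): it takes a small policy description of its own ("option enable|disable|ignore NAME" lines plus nameserver and search lines), applies it to a local resolv.conf in either mode, and prints the result. Listing the policy's name servers before any local ones in merge mode is an assumption made for the example. Both input files are constructed.

```bash
#!/bin/sh
# Added example, not BeyondTrust code. Applies a DNS policy to a resolv.conf the
# way the Ignore/Enable/Disable table and the Merge/Replace choice describe it.
# The policy format ("option enable|disable|ignore NAME") and the ordering of
# policy name servers before local ones are assumptions for the example.

# resolv_apply merge|replace POLICY_FILE LOCAL_FILE  -> resulting file on stdout
resolv_apply() {
    awk -v mode="$1" '
    FILENAME == ARGV[1] {                        # first file: the policy
        if ($1 == "nameserver")     pns[++npn] = $2
        else if ($1 == "search")    psearch = $0
        else if ($1 == "option")  { popt[++npo] = $3; pset[$3] = $2 }
        next
    }
    $1 == "nameserver" { lns[++nln] = $2 }       # remaining rules: local resolv.conf
    $1 == "search"     { lsearch = $0 }
    $1 == "options"    { for (i = 2; i <= NF; i++)
                             if (!($i in present)) { order[++nopt] = $i; present[$i] = 1 } }
    END {
        if (mode == "replace") {                 # replace: forget everything local
            nln = 0; lsearch = ""; nopt = 0
            for (o in present) present[o] = 0
        }
        if (psearch != "") print psearch; else if (lsearch != "") print lsearch
        for (i = 1; i <= npn; i++) { print "nameserver " pns[i]; seen[pns[i]] = 1 }
        for (i = 1; i <= nln; i++)
            if (!(lns[i] in seen)) { print "nameserver " lns[i]; seen[lns[i]] = 1 }
        for (i = 1; i <= npo; i++) {             # Enable adds, Disable removes, Ignore leaves
            o = popt[i]
            if (pset[o] == "enable" && !present[o]) { order[++nopt] = o; present[o] = 1 }
            else if (pset[o] == "disable") present[o] = 0
        }
        line = ""
        for (i = 1; i <= nopt; i++) if (present[order[i]]) line = line " " order[i]
        if (line != "") print "options" line
    }' "$2" "$3"
}

# Constructed inputs: a NetworkManager-style local file and a policy.
LOCAL_RESOLV='# Generated by NetworkManager
search corpqa.pbisdemo.com corp.pbisdemo.com
nameserver 10.0.0.53
options timeout:2 rotate'
POLICY_RESOLV='nameserver 10.1.1.10
nameserver 10.0.0.53
search demo.com campus.college.edu
option enable ndots:2
option disable rotate
option ignore timeout:2'

# resolv_demo merge|replace: writes the samples to temp files and applies them.
resolv_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$POLICY_RESOLV" > "$d/policy"
    printf '%s\n' "$LOCAL_RESOLV" > "$d/local"
    resolv_apply "$1" "$d/policy" "$d/local"
    rm -rf "$d"
}

# Stand-alone use (uncomment): resolv_demo merge; echo ---; resolv_demo replace
```

In merge mode the ignored timeout:2 survives from the local file, rotate is removed, and ndots:2 is added; in replace mode only the enabled option remains. Whatever the result, remember the note above: on a NetworkManager host the file may be regenerated on the next interface restart, which is why the page recommends a target platform filter.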

Setting MCX Policy Settings with Workgroup Manager

You can set Managed Client Settings for Mac computers with Workgroup Manager, a free server administration tool from Apple for remotely managing user, group, and computer settings on Mac OS X computers. PBIS Enterprise integrates Workgroup Manager with Active Directory by saving Managed Client Settings (MCX) as GPOs. By integrating Managed Client Settings in Active Directory as configuration data in GPOs, PBIS preserves the familiar GPO model that makes it easy to review, back up, and copy GPOs. In short, PBIS enables you to apply Managed Client Settings to Macs in the same way that you use GPOs to apply settings to Linux, Unix, and Windows computers.

In a typical deployment in which Mac computers have been integrated with Active Directory using Apple's AD Directory Service plug-in, Workgroup Manager can be used to store settings for users, computers, and security groups in Active Directory, but only if the Active Directory schema is extended. With Apple's AD Directory Service plug-in, the AD schema must be extended to include both the RFC 2307 attributes and Apple's schema extensions for managed client settings (MCX). PBIS Enterprise integrates Mac computers with Active Directory and enables you to use Workgroup Manager to apply MCX settings without modifying your Active Directory schema, even if you are using a schema that does not comply with RFC 2307. PBIS also includes Unix settings for managing syslogs, crontabs, sudoers files, and many other configuration files on a Mac.

How PBIS Applies Workgroup Manager Settings as GPOs

The following table describes how PBIS applies Workgroup Manager settings as GPOs and how multiple GPOs are applied to a Mac.

   Setting Category  Behavior
   Computer          For every GPO, PBIS creates a computer group and adds the target Mac as a member of each. When there are multiple GPOs for a target computer, the Mac aggregates the settings from all the groups to which the target computer belongs. GPOs are applied in the order shown in the Microsoft Group Policy Management Console (GPMC).
   User              The GPO closest to the user object in Active Directory is applied. Settings from other user GPOs are not aggregated.

Within a category, settings are applied in the same order as all other Active Directory GPOs, the order of which is shown in the GPMC. When settings conflict:

- User settings override computer settings, computer group settings, and user group settings.

- Computer settings override computer group and group settings.
- Computer group settings override group settings.

For more information, see Apple's Workgroup Manager documentation.

Requirements

PBIS supports setting MCX policy settings with Workgroup Manager for Mac OS X versions 10.4 and later.

Windows Requirements

- PBIS Enterprise 6.5 or later installed on a Windows administrative workstation that can connect to your Active Directory domain controller.
- BeyondTrust Management Console.
- PBIS extensions for the Group Policy Management Console (GPMC). You can install the PBIS extensions when you install the BeyondTrust Management Console.
- An Active Directory account with rights sufficient to create and modify group policy objects; for example, membership in the Group Policy Creator Owners security group. You must also be a member of the Domain Admins or Enterprise Admins security group, or have been delegated equivalent rights.
- One Intel-based Mac OS X 10.5 through 10.8 administrative workstation that can connect to your Active Directory domain controller. The Mac OS X workstation where you create and maintain GPOs with Workgroup Manager must be an Intel-based Mac.

Mac Prerequisites

- Install the PBIS agent on your Mac OS X administrative workstation and join it to your Active Directory domain.
- Make sure that your Mac OS X administrative workstation's AD computer account, which is used to read the GPOs, has Read permission on each GPO. Go to the Delegation tab in the Group Policy Management Console (GPMC). Your workstation's computer account must either be included in a group with Read permission, such as the Authenticated Users group, or you must add your computer account to the Delegation list.
- Install the PBIS agent on each Mac OS X computer that you want to manage with policies for MCX, and then join the Mac computers to Active Directory.
- In Active Directory, make sure you are provisioned with Unix access to the Mac with Workgroup Manager by adding an account to the default cell or to the cell where the Mac resides.
- Download Workgroup Manager for free from Apple.com and install it on an Intel-based Mac administrative workstation.

Configure an MCX GPO With the Workgroup Manager

You can use PBIS and Workgroup Manager to configure MCX-based policy settings for either a user or a computer. To apply settings to local accounts, use the Computer Configuration policy settings.

Note: User Configuration settings apply only to Active Directory user accounts. User Configuration settings override Computer Configuration settings for Active Directory accounts but do not apply to local accounts.

On a target computer, the MCX preferences are stored in /var/lib/pbis/grouppolicy; they remain in effect even when the computer is disconnected from Active Directory.

On Your Windows Computer

Go through the following procedure on your Windows computer.

1. Configure a trust on the Mac OS X workstation:
   a. In Active Directory Users and Computers, select Computers > <Mac hostname> > Properties > Delegation.
   b. Select Trust this computer for delegation to any service (Kerberos only).
2. Edit the GPO in Group Policy Management Editor.
3. Expand Computer Configuration or User Configuration, Unix and Linux Settings, Mac Settings, and then select Workgroup Manager Settings. After you configure a policy in Workgroup Manager, the MCX data is displayed in plist XML format in the Current file content box.
4. Double-click Enable Workgroup Manager to configure settings for computers, select the Define this policy setting check box, and then click OK.

On Your Mac Workstation

Go through the following procedure on your Mac.

1. Start Workgroup Manager: in Finder, on the Go menu, click Applications, double-click Server, and then double-click Workgroup Manager.
2. When the Workgroup Manager Connect dialog box appears, log on to the local host.
3. On the Workgroup Manager menu, click Server, and then click View Directories. If a dialog box appears saying you are working in the local configuration database, click OK.
4. Click to select a directory, click Other, select Likewise - Active Directory, select your domain, select the name of the GPO you created earlier, and then click OK.
   Note: If no directory for a user or computer appears in the list, return to Step 2 of this procedure and define a Workgroup Manager Settings GPO for either a user or a computer.

   Or, if your directory or your GPOs do not appear in the list, make sure that your workstation's AD computer account has Read permissions for delegation. See Mac Prerequisites.
5. To apply GPOs to a group of users, click Group Name. Or, to apply GPOs to a group of computers, click Computer Groups.
6. Click the Lock and specify the credentials for an Active Directory account that can log on to the Mac you are using.
   Note: You must use an Active Directory account with rights sufficient to create and modify GPOs; for example, membership in the Group Policy Creator Owners security group.

7. On the menu bar, click Preferences.
8. Click the category of preferences that you want to configure, make the changes that you want, and then click Done. For information about using Workgroup Manager to configure preferences, see the Apple Workgroup Manager documentation.

The policy settings take effect after you run the gporefresh tool or after you restart the computer.

Verify Preferences are Applied

Because the MCX processing models of Leopard and Tiger differ, it can be useful to check which Group Policy Objects (GPOs) are applied to a target Mac. Use one of the following methods to verify that GPOs are applied, listed in recommended order:

- Using the Microsoft Group Policy Management Console (GPMC). You can view the precedence of your PBIS MCX GPOs in the same way that you view your other Active Directory GPOs.
- Using Workgroup Manager on a target Mac. For more information, see the Apple Help documentation for Workgroup Manager.
- Running an MCX query at the command line as an AD user on a target Mac running Leopard or Snow Leopard. The command is as follows: mcxquery
- Running a command-line utility known as dscl on a target Mac.

Your choice depends on the computers to which you have access, the operating system on the target Mac, and whether Workgroup Manager is installed on it.
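The conflict rules stated at the start of this chapter (user over computer over computer group over group; computer-side scopes aggregate, only the closest user GPO applies) and the verification methods above both come down to one question: which GPO's value is in effect for a given preference key on a target Mac. The following added example, which is not PBIS or Apple code, answers that question offline by parsing constructed plist fragments shaped like the Current file content of a Workgroup Manager Settings GPO; the GPO names and values are invented, and using the GPMC precedence number as a stand-in for "closest to the object in Active Directory" is an assumption.

```python
"""Offline resolver for MCX settings delivered through PBIS GPOs.

Added example, not PBIS or Apple code. It applies the conflict rules the
guide states (user > computer > computer group > group; computer-side
scopes aggregate, only the closest user GPO applies) to constructed plist
fragments. GPO names and preference values are invented samples.
"""
import plistlib
from dataclasses import dataclass

# Lower rank wins a conflict between scopes.
PRECEDENCE = {"user": 0, "computer": 1, "computer_group": 2, "group": 3}


def plist_bytes(body: str) -> bytes:
    """Wrap the body of a top-level <dict> in a minimal plist envelope
    (the DOCTYPE line is omitted; plistlib does not need it)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict>\n' + body + '\n</dict></plist>\n'
    ).encode()


@dataclass(frozen=True)
class McxGpo:
    name: str
    scope: str        # a key of PRECEDENCE
    gpmc_order: int   # precedence number shown in GPMC, 1 = highest
    plist_xml: bytes  # MCX data as shown in the Current file content box

    def settings(self) -> dict:
        """Flatten {preference domain: {key: value}} to {(domain, key): value}."""
        data = plistlib.loads(self.plist_xml)
        return {(dom, k): v for dom, keys in data.items() for k, v in keys.items()}


def resolve(gpos):
    """Return {(domain, key): (value, winning GPO name)} for a target Mac.

    Assumption: the GPMC precedence number stands in for 'closest to the
    object in Active Directory', so the user GPO with the lowest number is
    the only user GPO applied. Computer, computer group and group GPOs are
    all aggregated; scope precedence, then GPMC order, decides conflicts.
    """
    user_gpos = sorted((g for g in gpos if g.scope == "user"),
                       key=lambda g: g.gpmc_order)
    effective = user_gpos[:1] + [g for g in gpos if g.scope != "user"]
    # Apply the weakest GPO first so that stronger ones overwrite it.
    weakest_first = sorted(effective,
                           key=lambda g: (PRECEDENCE[g.scope], g.gpmc_order),
                           reverse=True)
    resolved = {}
    for gpo in weakest_first:
        for key, value in gpo.settings().items():
            resolved[key] = (value, gpo.name)
    return resolved


def screensaver_requires_password(resolved) -> bool:
    """The check behind the screen saver walkthrough later in this chapter:
    does the effective com.apple.screensaver askForPassword value lock the Mac?"""
    value, _ = resolved.get(("com.apple.screensaver", "askForPassword"), (0, None))
    return int(value) == 1


# Constructed sample GPOs (not from any real domain).
SAMPLE_GPOS = [
    McxGpo("Students-Group", "group", 2, plist_bytes(
        "<key>com.apple.screensaver</key><dict>"
        "<key>askForPassword</key><integer>0</integer>"
        "<key>idleTime</key><integer>1200</integer></dict>\n"
        "<key>com.apple.dock</key><dict>"
        "<key>orientation</key><string>left</string></dict>")),
    McxGpo("Lab-Computer-Group", "computer_group", 1, plist_bytes(
        "<key>com.apple.screensaver</key><dict>"
        "<key>idleTime</key><integer>600</integer></dict>")),
    McxGpo("Lab-Computers", "computer", 1, plist_bytes(
        "<key>com.apple.screensaver</key><dict>"
        "<key>askForPassword</key><integer>1</integer></dict>")),
    # Two user GPOs: only Faculty-Users (GPMC order 1) is applied.
    McxGpo("Staff-Users", "user", 2, plist_bytes(
        "<key>com.apple.dock</key><dict>"
        "<key>orientation</key><string>bottom</string></dict>")),
    McxGpo("Faculty-Users", "user", 1, plist_bytes(
        "<key>com.apple.screensaver</key><dict>"
        "<key>idleTime</key><integer>300</integer></dict>")),
]

if __name__ == "__main__":
    effective = resolve(SAMPLE_GPOS)
    for (domain, key), (value, source) in sorted(effective.items()):
        print(f"{domain} {key} = {value!r}  (from {source})")
    print("screen saver requires password:", screensaver_requires_password(effective))
```

Compare the resolver's output with what mcxquery or dscl reports on the target Mac; a mismatch usually means a GPO is not being read, which points back to the Read permissions described under Mac Prerequisites.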

Walkthrough: Configure a Network Directory with Workgroup Manager

This section provides an example of how to manage a Mac computer's preferences with an MCX Group Policy Object (GPO), in this case by configuring a network directory for a group of computers. The procedure to configure other managed client settings is similar; see the Apple Workgroup Manager documentation or the Apple website for information about setting other preferences. The following procedure assumes that you configured PBIS Enterprise and Workgroup Manager to apply MCX settings as GPOs, as detailed earlier in this chapter.

Note: The network directory can reside on any share point that the computer governed by the GPO can access, as long as the share point is automountable. The share point on the target server should be AFP for a Mac OS X server, SMB for a Windows Server computer, or NFS for a Linux server. For information about using NFS, refer to the product documentation on the Apple support website.

1. You must mount the server. Select Go > Connect to Server to create the mount folder.
2. Make sure that the share point is created on the server where you want the network directory to reside and that the share point is configured to be accessible as a network directory. For information about how to configure a share point on a Mac OS X server, refer to the Mac OS X Server documentation on Apple's website.
3. Log on to your Intel-based Mac administrative workstation with an Active Directory account that has sufficient privileges to create and modify GPOs.
4. Start Workgroup Manager.
5. When the Workgroup Manager Connect dialog appears, log on to the local host.
6. On the Workgroup Manager menu, click Server, and then click View Directories. If a dialog appears saying you are working in the local configuration database, click OK.

7. Click to select a directory, click Other, select Likewise -- Active Directory, select your domain, select the name of a group policy object you created when you set up Workgroup Manager to work with PBIS, and then click OK.
8. To apply the GPO to a group of users, click Group Name. Or, to apply the GPO to a group of computers, click Computer Group Name.
9. Click the Lock and enter the credentials for an Active Directory account that can log on to the Mac you are using and has sufficient privileges to create and modify group policy objects; for example, membership in the Group Policy Creator Owners security group in Active Directory.

10. On the menu bar, click Preferences.
11. Click Login.
12. Click Items, click Always, and then click Add to add a location for a custom home directory.
13. In the list, locate and select the network directory that you want, and then click Add. When you browse to a network directory, you might need to click Connect As and enter an account with privileges to access the directory.
14. Click the directory in the list and then select Authenticate selected share point with user's login name and password.

15. Click Apply Now and then click Done. The GPO takes effect after you restart the computer governed by the GPO.

Walkthrough: Apply a GPO to Password-Protect the Screen Saver

With PBIS Enterprise and Workgroup Manager, you can apply an MCX Group Policy Object (GPO) to lock a Mac OS X computer with the screen saver. This section provides an example of how to manage a Mac OS X 10.6 computer by applying an MCX preference imported from /System/Library/CoreServices/ManagedClient.app. In this case, a preference will be defined to require a password to unlock the screen saver.

Note: The procedure for setting other preferences based on the managed client application is similar. For more information, see the Apple Workgroup Manager documentation on the Apple website.

The following procedure assumes that you configured PBIS Enterprise and Workgroup Manager to apply MCX settings as GPOs, as detailed earlier in this chapter.

1. Log on to your Intel-based Mac administrative workstation with an Active Directory account that has sufficient privileges to create and modify GPOs.
2. Start Workgroup Manager.
3. When the Workgroup Manager Connect dialog appears, log on to the local host.
4. On the Workgroup Manager menu, click Server, and then click View Directories. If a message is displayed indicating that you are working in the local configuration database, click OK.
5. Click to select a directory, click Other, select Likewise - Active Directory, select your domain, select the GPO you created when you set up Workgroup Manager to work with PBIS, and then click OK.
6. To apply the GPO to a group of computers, click Computer Groups.


More information

Using LDAP Authentication in a PowerCenter Domain

Using LDAP Authentication in a PowerCenter Domain Using LDAP Authentication in a PowerCenter Domain 2008 Informatica Corporation Overview LDAP user accounts can access PowerCenter applications. To provide LDAP user accounts access to the PowerCenter applications,

More information

DriveLock Quick Start Guide

DriveLock Quick Start Guide Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

DeviceLock Management via Group Policy

DeviceLock Management via Group Policy User Manual DeviceLock Management via Group Policy SmartLine Inc 1 Contents Using this Manual...3 1. General Information...4 1.1 Overview...4 1.2 Applying Group Policy...5 2. DeviceLock Service Deployment...6

More information

2. Using Notepad, create a file called c:\demote.txt containing the following information:

2. Using Notepad, create a file called c:\demote.txt containing the following information: Unit 4 Additional Projects Configuring the Local Computer Policy You need to prepare your test lab for your upcoming experiments. First, remove a child domain that you have configured. Then, configure

More information

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

Deploying Remote Desktop IP Virtualization Step-by-Step Guide Deploying Remote Desktop IP Virtualization Step-by-Step Guide Microsoft Corporation Updated: April 2010 Published: July 2009 Abstract Remote Desktop IP Virtualization provides administrators the ability

More information

Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite

Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite WHITE PAPER CENTRIFY CORP. MARCH 2009 Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite Securing and auditing administrative access to the Virtual Infrastructure

More information

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

RecoveryVault Express Client User Manual

RecoveryVault Express Client User Manual For Linux distributions Software version 4.1.7 Version 2.0 Disclaimer This document is compiled with the greatest possible care. However, errors might have been introduced caused by human mistakes or by

More information

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010 Version V1.0

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010 Version V1.0 SECO Whitepaper SuisseID Smart Card Logon Configuration Guide Prepared for SECO Publish Date 19.05.2010 Version V1.0 Prepared by Martin Sieber (Microsoft) Contributors Kunal Kodkani (Microsoft) Template

More information

unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 1.0 January 2016 8205 5658-001

unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 1.0 January 2016 8205 5658-001 unisys Unisys Stealth(cloud) for Amazon Web Services Deployment Guide Release 1.0 January 2016 8205 5658-001 NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information

More information

Advanced Administration

Advanced Administration BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Advanced Administration Guide Published: 2014-09-10 SWD-20140909133530796 Contents 1 Introduction...11 About this guide...12 What

More information

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide Quest ChangeAuditor FOR ACTIVE DIRECTORY 5.1 User Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described

More information

Group Policy for Beginners

Group Policy for Beginners Group Policy for Beginners Microsoft Corporation Published: April 2011 Abstract Group Policy is the essential way that most organizations enforce settings on their computers. This white paper introduces

More information

Deploying System Center 2012 R2 Configuration Manager

Deploying System Center 2012 R2 Configuration Manager Deploying System Center 2012 R2 Configuration Manager This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

More information

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Troubleshooting File and Printer Sharing in Microsoft Windows XP Operating System Troubleshooting File and Printer Sharing in Microsoft Windows XP Microsoft Corporation Published: November 2003 Updated: August 2004 Abstract File and printer sharing for Microsoft Windows

More information

Introduction to DirectAccess in Windows Server 2012

Introduction to DirectAccess in Windows Server 2012 Introduction to DirectAccess in Windows Server 2012 Windows Server 2012 Hands-on lab In this lab, you will configure a Windows 8 workgroup client to access the corporate network using DirectAccess technology,

More information

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide Dell Recovery Manager for Active Directory 8.6 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Centrify Identity and Access Management for Cloudera

Centrify Identity and Access Management for Cloudera Centrify Identity and Access Management for Cloudera Integration Guide Abstract Centrify Server Suite is an enterprise-class solution that secures Cloudera Enterprise Data Hub leveraging an organization

More information

IBM Endpoint Manager Version 9.2. Patch Management for SUSE Linux Enterprise User's Guide

IBM Endpoint Manager Version 9.2. Patch Management for SUSE Linux Enterprise User's Guide IBM Endpoint Manager Version 9.2 Patch Management for SUSE Linux Enterprise User's Guide IBM Endpoint Manager Version 9.2 Patch Management for SUSE Linux Enterprise User's Guide Note Before using this

More information

DIGIPASS CertiID. Getting Started 3.1.0

DIGIPASS CertiID. Getting Started 3.1.0 DIGIPASS CertiID Getting Started 3.1.0 Disclaimer Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties, or conditions, express

More information

Module 5: Implementing Group Policy

Module 5: Implementing Group Policy Module 5: Implementing Group Policy Contents Overview 1 Lesson: Creating and Configuring GPOs 2 Lesson: Configuring Group Policy Refresh Rates and Group Policy Settings 16 Lesson: Managing GPOs 27 Lesson:

More information

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1 The (UMT): Is a stand-alone Windows command-line application that performs migration in the granularity of a Unified ICM instance. It migrates only Unified ICM AD user accounts (config/setup and supervisors)

More information

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide LT Auditor+ 2013 Windows Assessment SP1 Installation & Configuration Guide Table of Contents CHAPTER 1- OVERVIEW... 3 CHAPTER 2 - INSTALL LT AUDITOR+ WINDOWS ASSESSMENT SP1 COMPONENTS... 4 System Requirements...

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Backup Exec Cloud Storage for Nirvanix Installation Guide. Release 2.0

Backup Exec Cloud Storage for Nirvanix Installation Guide. Release 2.0 Backup Exec Cloud Storage for Nirvanix Installation Guide Release 2.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the

More information

Web Interface with Active Directory Federation Services Support Administrator s Guide

Web Interface with Active Directory Federation Services Support Administrator s Guide Web Interface with Active Directory Federation Services Support Administrator s Guide Web Interface with Active Directory Federation Services (ADFS) Support Citrix Presentation Server 4.0 for Windows Copyright

More information