University of Oregon Information Services
Likewise Enterprise 5.3 Administrator's Guide
Last Updated: March 2011 V7.1
Contents
1 - Preface
2 - Definitions
    /opt/likewise
    AD
    Domain
    DuckID
    GPO
    UNIX Attributes
    WGM
3 - Prerequisites
    3.1 - Download the Likewise Enterprise media
    3.2 - Prepare a Windows Admin workstation
    3.3 - Prepare a Mac Admin workstation
4 - Administrative Tasks
    4.1 - Install Likewise Enterprise on a Mac/Linux/Unix host
    4.2 - Pre-create a Mac/Linux/Unix computer object in Active Directory
    4.3 - Join a Mac 10.x computer to the domain using the GUI tools
    4.4 - Join a Mac 10.x computer to the domain using the terminal
    4.5 - Join a Linux computer to the domain using the shell
    4.6 - Remove a Likewise Enterprise client from the domain
    4.7 - Uninstall Likewise Enterprise\Open
    4.8 - Upgrade from Likewise Open to Likewise Enterprise
    4.9 - Check domain membership of a Likewise installed system
    4.10 - Check Likewise version
    4.11 - Login to a Likewise Enterprise client with domain credentials
    4.12 - Force a group policy refresh (i.e. GPUPDATE /force)
    4.13 - Create a GPO for Likewise clients on a Windows Admin workstation
    4.14 - Mark a GPO for editing on a Mac Admin workstation
    4.15 - Edit a GPO with Workgroup Manager on a Mac Admin workstation
    4.16 - Migrate a local user profile into a domain user profile
    4.17 - Verify an object has UNIX attributes
5 - Mac Policy Examples
    5.1 - Grant admin access to a user or group
    5.2 - Enable Mac firewall
    5.3 - Apply a Pre-logon warning message to a MacOS host
    5.4 - Show Hard Disks and Connected Servers on Desktop by default
    5.5 - Universal File Vault settings
    5.6 - Configure login options
    5.7 - Configure Energy Saver options
6 - Universal Linux/Unix/Mac Policy Examples
    6.1 - Allow cached logins
    6.1 - Restrict login to a user or group
    6.2 - Grant a domain group sudo access to a Linux host
    6.3 - Deploy Sudoers file
    6.4 - Set Default Login Shell to /bin/bash
    6.5 - Target a specific non-windows platform
    6.6 - Enable Loopback processing on a GPO
    6.7 - Deploy a File
1 - Preface
This guide is intended for OU Admins in the consolidated Active Directory domain at the University of Oregon and covers aspects of non-Windows computer administration through integration with Active Directory using Likewise Enterprise 5.3. Specifically, prerequisites, common administrative tasks, and example Mac/Linux/Unix policies are covered.
2 - Definitions

/opt/likewise
    /opt/likewise refers to the folder path where the Likewise agent is installed by default. Likewise tools are generally found in /opt/likewise/bin/.

AD
    AD refers to the consolidated ad.uoregon.edu Active Directory domain.

Domain
    Domain refers to an Active Directory domain in the uoregon.edu forest.

DuckID
    DuckID refers to the user's UO username. This is used throughout the document as <duckid> and should be replaced with the actual username wherever used. This document also uses adm-<duckid> to refer to an OU admin account.

GPO
    GPO refers to an Active Directory Group Policy Object.

UNIX Attributes
    1. Refers to values for key RFC 2307 attributes on user and group objects. These attributes are a requirement on users and groups for use on a Likewise Enterprise client and in Likewise Enterprise policies.
    2. Users:
       a. To login to a Likewise Enterprise client workstation or to be used in a Likewise Enterprise GPO, a user must have valid uid, uidnumber and gidnumber attributes.
       b. All managed user objects have these attributes mapped from the central campus LDAP service.
       c. Unmanaged accounts are generally unsupported beyond OU Admin accounts. OU Admin accounts have been populated with the required UNIX attributes.
    3. Groups:
       a. To be used in a Likewise Enterprise GPO, a group must have a valid gidnumber UNIX attribute.
       b. All *.OU.ADMIN groups have been assigned values for gidnumber.
       c. Other groups may be provisioned on request by emailing adhelp@ithelp.uoregon.edu.

WGM
    WGM refers to Apple's Workgroup Manager. This can be downloaded at no cost from Apple and is required to inject Apple MCX policies into Active Directory Group Policy Objects.
3 - Prerequisites

3.1 - Download the Likewise Enterprise media
1. Description: This section describes the steps to download the current release of Likewise Enterprise 5.3.
2. Steps:
   a. In a web browser, open: http://it.uoregon.edu/systems/services/ad/likewise/licensing
   b. This URL is the Likewise Enterprise Licensing, Support and Installers page, which contains information on purchasing, receiving support, and downloading installation media.
3. Notes:
   a. The Likewise Enterprise Licensing, Support and Installers site is only accessible from the UO network. If accessing from off-campus, a VPN connection will be required.

3.2 - Prepare a Windows Admin workstation
1. Description: This section details the steps required to set up your Windows XP/7 Admin workstation to manage Likewise Enterprise clients. Note that this only differs from configuring a standard AD Admin workstation by installing the Likewise Enterprise extensions. Likewise Enterprise simply extends the Active Directory Users and Computers and Group Policy Management Console MMCs.
2. Steps:
   a. Identify a Windows workstation currently joined to the AD domain to run the AD administrative tools with the Likewise add-on.
   b. Install the Active Directory Users & Computers console:
      i. Windows XP:
         1. Download adminpak.msi from Microsoft:
            a. http://download.microsoft.com/download/c/7/5/c750f1af-8940-44b6-b9ebd74014e552cd/adminpak.exe
      ii. Windows 7:
         1. Download Remote Server Administration Tools for Windows 7:
            a. http://www.microsoft.com/downloads/en/details.aspx?familyid=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
         2. Enable the Active Directory Users & Computers console:
            a. Open Control Panel
            b. Open Programs and Features
            c. Click Turn Windows Features on or off
            d. In the Windows Features window:
            e. Expand Remote Server Administration Tools
            f. Expand Role Administration Tools
            g. Expand AD DS Tools
            h. Check Active Directory Administrative Center
            i. Check AD DS Snap-ins and Command-line Tools
   c. Install the Group Policy Management Console (gpmc.msc):
      i. Windows XP:
         1. Download gpmc.msi from Microsoft:
            a. http://download.microsoft.com/download/a/d/b/adb5177d-01a7-4f04-bfcccb7cea8b5bb7/gpmc.msi
      ii. Windows 7:
         1. Download Remote Server Administration Tools for Windows 7:
            a. http://www.microsoft.com/downloads/en/details.aspx?familyid=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
         2. Enable Group Policy Management Console:
            a. Open Control Panel
            b. Open Programs and Features
            c. Click Turn Windows Features on or off
            d. In the Windows Features window, browse to Remote Server Administration Tools, then Feature Administration Tools
            e. Check Group Policy Management Tools
   d. Install the appropriate Likewise Console on your Windows Admin workstation:
      i. Double-click one of the following:
         1. SetupLikewise-<version>.exe - for 32-bit hosts
         2. SetupLikewise64-<version>.exe - for 64-bit hosts
      ii. At the Welcome to Likewise Enterprise screen, select Only Basic Management Components.
      iii. Accept the license agreement.
      iv. Click Next
      v. Click Start
      vi. After installation finishes, click Next.
      vii. At the Installation Complete final page, uncheck Run Enterprise Console and click Finish.
3. Notes:
   a. IMPORTANT: Likewise Enterprise installs two visible applications:
      i. Enterprise Console: This is not used in our environment. In essence this only links you to other tools and provides information on the current LWE installation status.
      ii. Likewise Cell Manager: This is not generally used in our environment as we are using the default Cell in Schema mode.

3.3 - Prepare a Mac Admin workstation
1. Description: This section details the steps required to set up your Mac 10.6 Admin workstation to manage Likewise Enterprise clients with Workgroup Manager.
2. Steps:
   a. Identify a Mac OS workstation to use as an Admin workstation with Apple Workgroup Manager.
   b. Follow the steps in section Join a Mac 10.x computer to the AD domain using the GUI tools.
   c. Install the Mac Server Admin Tools from Apple.
      i. Server Admin Tools 10.6.5: http://support.apple.com/kb/dl1071
   d. Login with credentials:
      i. Username: ad\adm-<duckid>
      ii. Password: (Your adm-<duckid> password)
3. Notes:
   a. If you are unable to login with your adm-<duckid> account, it may not have UNIX attributes. Follow the steps in Verify an object has UNIX attributes to confirm. If it does not, submit a ticket to adhelp@ithelp.uoregon.edu to have this enabled.
   b. IMPORTANT: Do not attempt to set up Workgroup Manager after installation. Unlike using WGM in an OpenDirectory environment, you will not configure WGM to connect directly to one of the directory servers. The proper steps are covered in more depth in section Edit a GPO with Workgroup Manager on a Mac Admin workstation.
4 - Administrative Tasks

4.1 - Install Likewise Enterprise on a Mac/Linux/Unix host
1. Description: This section details the process of installing Likewise Enterprise on a Mac/Linux/Unix host.
2. Steps:
   a. Follow the steps in Download the Likewise Enterprise media.
   b. Mac:
      i. Run the dmg image. For most modern Mac systems, this will be:
         1. LikewiseEntDpy-5\agents\darwin\x86_64\dmg\LikewiseIdentityServiceEnterprise-5.3.0.7838-OSX10.6-universal.dmg
      ii. From the mounted DMG, double-click LikewiseIdentityServiceEnterprise-5.3.0.7838-OSX10.6-universal.mpkg
      iii. In the Install Likewise Identity Server [Enterprise] 5.3.0 window, click Continue.
      iv. Click Continue
      v. Click Continue, then click Agree
      vi. Select the installation location and click Continue
      vii. Click Install
   c. Linux/Unix:
      i. Insert the Likewise 5.3 installation media or mount a share containing the installation files and run install.sh
         1. CIFS share example:
            a. mkdir /mnt/likewise
            b. mount -t cifs //DEPT-SERVERNAME/SHARE /mnt/likewise -o username=ad\\<duckid>
            c. <Enter user password>
            d. sudo /mnt/likewise/install.sh
         2. cdrom example:
            a. sudo /mnt/cdrom/install.sh
      ii. Hit Enter to view the License Agreement.
      iii. Continue hitting Enter until Do you accept this license [y/n] is shown.
      iv. Enter y, then hit Enter.
      v. If using a 64-bit OS, enter 1, 2, or 3 at the 32-bit Compatibility Libraries prompt. Auto [1] is the default.
      vi. At the Setup is now ready to begin installing Likewise Identity prompt, select Y then hit Enter.
3. Notes:
   a. Mac installation must use the DMG image from the GUI. Command-line installation will simply indicate the requirement to open the DMG.

4.2 - Pre-create a Mac/Linux/Unix computer object in Active Directory
1. Description: This section details the steps to pre-create a computer object in Active Directory. This is an optional step when using Likewise Enterprise to join a computer to the domain, though it is the most common method.
2. Steps:
   a. On the Windows Admin workstation, open the Active Directory Users & Computers MMC console:
      i. Start > Run > dsa.msc, or
   b. Browse to your unit's Computers OU:
      i. ad.uoregon.edu \ Units \ <unit> \ Computer
   c. Right-click > New > Computer
   d. Enter a name for the computer object:
      i. ex: ad.uoregon.edu\units\is\computers\sys\is-mac-2385fh3
3. Notes:
   a. IMPORTANT: The computer name must begin with your department's prefix (ex: is-mac-2385fh3) and be 15 characters or less.
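Because a misspelled or over-long computer object name makes the later domain join fail outright, the name is worth checking before anything is created in AD. The following added script (this guide's own text contains no script; all function names are this example's) applies the section 4.2 naming rules and prints the hostname commands used in sections 4.3 and 4.5; it assumes case-insensitive comparison and that only letters, digits and hyphens are acceptable, neither of which the guide states explicitly.

```sh
#!/bin/sh
# Added example, not from the UO guide: check a proposed Mac/Linux computer
# object name against the rules in section 4.2 and print the hostname
# commands from sections 4.3 (scutil) and 4.5 (/etc/sysconfig/network).
#
# Assumptions (not stated in the guide): names are compared case-insensitively,
# and only letters, digits and hyphens are accepted in a name.

AD_DOMAIN="ad.uoregon.edu"

# lw_validate_computer_name <dept-prefix> <name>
# Returns 0 when the name is acceptable, 1 otherwise; the reason goes to stderr.
lw_validate_computer_name() {
    prefix=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')

    if [ -z "$name" ]; then
        echo "empty computer name" >&2
        return 1
    fi
    # Section 4.2: the name must be 15 characters or less.
    if [ "${#name}" -gt 15 ]; then
        echo "'$2' is ${#name} characters; the limit is 15" >&2
        return 1
    fi
    # Section 4.2: the name must begin with the department prefix (is-mac-2385fh3).
    case "$name" in
        "$prefix"-*) ;;
        *) echo "'$2' does not start with the department prefix '$1-'" >&2
           return 1 ;;
    esac
    # Assumption: reject anything other than letters, digits and hyphens.
    case "$name" in
        *[!a-z0-9-]*)
            echo "'$2' contains characters other than letters, digits and hyphens" >&2
            return 1 ;;
    esac
    return 0
}

# lw_fqdn <name>: the fully qualified name passed to scutil in section 4.3.
lw_fqdn() {
    printf '%s.%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$AD_DOMAIN"
}

# lw_hostname_commands <mac|redhat> <name>
# Prints, without running them, the commands the guide gives for setting the name.
lw_hostname_commands() {
    platform=$1
    name=$2
    case "$platform" in
        mac)
            # Section 4.3, step c.ii
            printf 'sudo scutil --set HostName %s\n' "$(lw_fqdn "$name")" ;;
        redhat)
            # Section 4.5, step b.i: short name in /etc/sysconfig/network, then reboot.
            # HOSTNAME= is the key that file uses on RHEL 5/6.
            printf 'sudo sed -i "s/^HOSTNAME=.*/HOSTNAME=%s/" /etc/sysconfig/network\n' "$name"
            printf 'sudo reboot\n' ;;
        *)
            echo "unknown platform '$platform' (expected mac or redhat)" >&2
            return 1 ;;
    esac
}

# lw_precheck_name <dept-prefix> <name> <mac|redhat>
lw_precheck_name() {
    if lw_validate_computer_name "$1" "$2"; then
        echo "OK: pre-create '$2' under your unit's Computers OU, then run:"
        lw_hostname_commands "$3" "$2"
    else
        echo "Fix the name before pre-creating the computer object." >&2
        return 1
    fi
}

# Constructed example values; the prefix and names are illustrative only.
lw_precheck_name is is-mac-2385fh3 mac
lw_precheck_name is IS-RH-NAME redhat
```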
4.3 - Join a Mac 10.x computer to the domain using the GUI tools
1. Description: This section details the process of joining a Mac computer to the domain with the GUI Likewise Enterprise application.
2. Steps:
   a. Follow the steps in Install Likewise Enterprise on a Mac/Linux/Unix host.
   b. Follow the steps in Pre-create a Mac/Linux/Unix computer object in Active Directory to create the computer object.
   c. Configure the Mac to use this computer name:
      i. From the GUI:
         1. Apple Menu > System Preferences > Sharing > Computer Name
         2. Enter the name from step b in the Computer Name field.
      ii. From the command line:
         1. sudo scutil --set HostName dept-wks-name.ad.uoregon.edu
   d. Open Directory Utility.
      i. Mac OS 10.6.x:
         1. Open System Preferences
         2. Open Accounts
         3. Click Login Options
         4. Click Join to the right of Network Account Server
         5. Click Open Directory Utility
      ii. Mac OS 10.5.x:
         1. Open Applications
         2. Open Utilities
         3. Open Directory Utility
   e. Double-click Likewise - Active Directory to open the Likewise Domain Join app.
      i. This will require you to unlock the Directory Utility page and enter admin credentials.
   f. Enter the following in the Likewise Domain Join app:
      i. Computer name: (confirm this matches the name set in step 1)
      ii. Domain to join: ad.uoregon.edu
      iii. At Specify an Organizational Unit, leave as Computers container or existing
      iv. Click Join
      v. Enter your adm-<duckid> username/password.
   g. Restart the Mac system.
   h. Follow the steps in Login to a Likewise Enterprise client with domain credentials to test login.
3. Notes:
   a. When joining the Mac computer to the domain, enter your adm-<duckid> username (not ad\adm-<duckid>).
   b. When logging into the computer with domain credentials, the username entered must be in the format ad\<duckid>. The ad\ prefix is required.
   c. The user used to login must have valid UNIX attributes.
   d. In step 2c, the GUI method of setting the computer name may not always work as expected. In this case, use scutil.
   e. The default computer name displayed in step g may not match the name you set in step b. This is because Likewise performs a reverse DNS lookup for the workstation's IP address. If a DNS record is found, Likewise will default to this DNS name. You may either fix the DNS entry or ignore the incorrect DNS entry and change the Computer Name field in the Likewise Domain Join app to the correct name.
   f. If the computer object for the Mac workstation has not been pre-created or was misspelled, the domain join operation will fail.

4.4 - Join a Mac 10.x computer to the domain using the terminal
1. Description: This section details the steps to run the Likewise domain join command from the terminal after installation.
2. Steps:
   a. Perform steps a through c from Join a Mac 10.x computer to the AD domain using the GUI tools.
   b. Run the following from the terminal:
      i. sudo /opt/likewise/bin/domainjoin-cli join ad.uoregon.edu adm-<duckid>
   c. Follow the steps in Login to a Likewise Enterprise client with domain credentials to test login.
3. Notes:
   a. If the computer object has not been pre-created or does not match, the domain join operation will fail.

4.5 - Join a Linux computer to the domain using the shell
1. Description: This section details the steps to install Likewise Enterprise on a supported host and join the domain.
2. Steps:
   a. Follow the steps in Pre-create a Mac/Linux/Unix computer object in Active Directory to create the computer object.
   b. Configure an appropriate hostname that follows the AD domain naming conventions:
      i. RedHat:
         1. Edit /etc/sysconfig/network
         2. Enter the short name of the host (IS-RH-NAME)
         3. Reboot the system
   c. sudo domainjoin-cli join ad.uoregon.edu adm-<duckid>
   d. Enter the adm-<duckid> user password when prompted.
   e. Reboot.
   f. Follow the steps in Login to a Likewise Enterprise client with domain credentials to test login.
3. Notes:
   a. If the computer object has not been pre-created or does not match, the domain join operation will fail.

4.6 - Remove a Likewise Enterprise client from the domain
1. Description: This section details the steps to remove a domain-joined Likewise Enterprise client from the domain.
2. Steps:
   a. Login to the host with the local root / admin account.
   b. Leave the domain:
      i. sudo /opt/likewise/bin/domainjoin-cli leave (adm-<duckid>)
3. Notes:
   a. The (adm-<duckid>) argument is optional. If you do not provide a username, the computer will simply drop from the domain. If you enter a username, you will be prompted for credentials. If the user has sufficient permissions to the computer object in AD, the object will be disabled as well.

4.7 - Uninstall Likewise Enterprise\Open
1. Description: This section details the steps to uninstall Likewise Enterprise from a workstation/server.
2. Steps:
   a. Check for domain-joined status by following the steps in Check domain membership of a Likewise Enterprise client.
   b. If the workstation/server is domain-joined, follow the steps in Remove a Likewise Enterprise client from the domain.
   c. Run the Likewise Uninstaller:
      i. Likewise Enterprise 5.3:
         1. Mac OS: sudo /opt/likewise/bin/macuninstall.sh
         2. Other Linux/Unix: sudo /opt/likewise/setup/lwise/uninstall
      ii. Likewise Open 6.0:
         1. Mac OS: sudo /opt/likewise/bin/macuninstall.sh
         2. Other Linux/Unix: sudo /opt/likewise/bin/uninstall.sh uninstall
3. Notes:
   a. IMPORTANT: The uninstall process is different on a Mac than on other Linux/Unix systems.

4.8 - Upgrade from Likewise Open to Likewise Enterprise
1. Description: This section details the steps to upgrade an installation of Likewise Open, the free version of Likewise, to Likewise Enterprise.
2. Steps:
   a. Login to the host with the local root / admin account.
   b. Follow the steps in Uninstall Likewise Enterprise\Open to remove the computer from the domain and uninstall Likewise Open.
   c. Follow the steps in Join a Linux computer to the domain using the shell to install Likewise Enterprise and re-join the domain.
3. Notes:
   a. In testing, a complete removal of the Likewise Open client prior to installation of Likewise Enterprise has been the most successful.

4.9 - Check domain membership of a Likewise installed system
1. Description: This section shows the command to get a host's current domain status. This can be useful when troubleshooting failed login attempts.
2. Steps:
   a. Run the following command: /opt/likewise/bin/lw-get-current-domain
3. Notes:
   a. Result indicating the system is domain-joined: Current Domain = AD.UOREGON.EDU
   b. Result indicating the system is not domain-joined: Failed communication with the LWNET Agent. Error code 136 (ERROR_NOT_JOINED)

4.10 - Check Likewise version
1. Description: This section shows the command to find the Likewise Enterprise/Open version of a host.
2. Steps:
   a. cat /opt/likewise/data/version
3. Notes:
   a. Example output:
      VERSION=5.3.0
      BUILD=7827
      REVISION=51441

4.11 - Login to a Likewise Enterprise client with domain credentials
1. Description: This section provides the steps to login to a Likewise Enterprise client from the console and ssh.
2. Steps:
   a. Console login:
      i. Username: AD\<duckid>
      ii. Password: <duckid password>
   b. SSH:
      i. Username: AD\\<duckid>
      ii. Password: <duckid password>
3. Notes:
   a. If unable to login to a host through a service with AD\<duckid> (other than direct console login), try entering AD\\<duckid>.

4.12 - Force a group policy refresh (i.e. GPUPDATE /force)
1. Description: This section shows the command to force a Likewise Enterprise client to update its set of Group Policies. This is similar to the Windows command gpupdate /force.
2. Steps:
   a. Confirm Likewise Enterprise is installed by navigating to the Likewise installation directory (/opt/likewise).
   b. From the terminal, run the following command: sudo /opt/likewise/bin/gporefresh
3. Notes:
   a. You must run this command with sudo privilege or as root, or it will fail with the error: This program requires superuser privileges Error: Access Denied
   b. Group Policy will automatically refresh at the default interval of 30 minutes unless otherwise set by GPO.
   c. Restarting a computer while plugged into the network will also prompt a GPO refresh on startup.

4.13 - Create a GPO for Likewise clients on a Windows Admin workstation
1. Description: This section details the steps to create a GPO from the Windows Admin workstation as well as where to look for Likewise-specific policies.
2. Steps:
   a. Follow the steps in Prepare a Windows Admin workstation to prepare your Windows Admin workstation.
   b. Open Group Policy Management Console:
      i. Start Menu > Run > gpmc.msc
      ii. Or, Start > Administrative Tools > Group Policy Management
   c. Create a GPO for your unit and attach it to the required OU.
   d. Name the GPO to include your department prefix, the user/comp target, and the purpose.
      i. E.g. IS-COMP-Linux_Sudoer_Access
   e. Edit the GPO.
   f. Expand Computer Configuration or User Configuration.
   g. Expand Policies.
   h. You will now see a new section named Unix and Linux Settings.
3. Notes:
   a. All Likewise settings are stored under Unix and Linux Settings.

4.14 - Mark a GPO for editing on a Mac Admin workstation
1. Description: This section details the steps to mark an Active Directory GPO for management by a Mac Admin workstation with Workgroup Manager. Workgroup Manager can only see GPOs that have been marked in this manner and can only embed User and/or Computer policies if the appropriate switch is set on the User and/or Computer policy side of the GPO.
2. Steps:
   a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
   b. Right-click > Edit
   c. Expand Computer Configuration or User Configuration
   d. Expand Unix and Linux Policies
   e. Expand Mac Settings
   f. Click Workgroup Manager Settings
   g. Double-click Enable Workgroup Manager to configure settings for computers.
   h. Check the box Define this policy setting.
3. Notes:
   a. Workgroup Manager on the Mac Admin workstation is only able to see policies when the Enable Workgroup Manager option is selected from either the Computer Configuration or User Configuration node.
   b. Workgroup Manager can only inject Computer policies into the GPO when the Computer Configuration option is enabled. Similarly, User policies may only be injected when the User Configuration option is enabled.
   c. Once you have published a Mac policy to this GPO, the XML values of the policy will appear in the box Current file content.

4.15 - Edit a GPO with Workgroup Manager on a Mac Admin workstation
1. Description: This section provides the basic steps to edit a GPO with Workgroup Manager. This assumes the policy has been properly tagged for editing per section Mark a GPO for editing on a Mac Admin workstation.
2. Steps:
   a. Follow the steps in Mark a GPO for editing on a Mac Admin workstation to enable a GPO for policy injection.
   b. Open Workgroup Manager.
      i. Applications \ Server \ Workgroup Manager
      ii. Ignore the initial popup window Workgroup Manager Connect.
   c. Click the Server drop down, then View Directories.
   d. Click OK at the local configuration database warning prompt.
   e. Click on the top left where it says Viewing local directory: /Local/Default; this will pop up several options. Select Other from this list.
   f. Select Likewise Directory > Select AD.UOREGON.EDU. You will see a list of Mac enabled policies in the 3rd column.
   g. Select the policy you wish to edit and click OK.
   h. At the top right, there should be a small picture of a lock. This may show as locked. Click this lock to authenticate against this policy.
   i. Enter ad\adm-<username> with the appropriate password. If successful, the lock will change to a picture of an opened lock.
3. Notes:
   a. There are 4 icons on the top left of the Workgroup Manager window. These correspond to Users, User Groups, Computers and Computer Groups. The group icons (Users and Computers) are the only ones used for Likewise.
   b. Depending on the purpose of the policy, click either the Users or Computers icon. You should see an entry show up for Group of Users/Computers managed by GPO. These groups are used by Likewise to apply the GPO settings to any computer in the OU that the GPO is attached to.

4.16 - Migrate a local user profile into a domain user profile
1. Description: This section details the steps to migrate an existing local user profile on a Mac workstation or server into a domain user profile. This can simplify the transition of a user into a domain account.
2. Steps:
   a. Follow the steps in Join a Mac 10.x computer to the AD domain using the GUI tools.
   b. Once joined, re-open Directory Utility.
   c. Mac OS 10.6.x:
      i. Open System Preferences
      ii. Open Accounts
      iii. Click Login Options
      iv. Click Join to the right of Network Account Server
      v. Click Open Directory Utility
   d. Mac OS 10.5.x:
      i. Open Applications
      ii. Open Utilities
      iii. Open Directory Utility
   e. Double-click Likewise - Active Directory to open the Likewise Domain Join app.
      i. This will require you to unlock the Directory Utility page and enter admin credentials.
   f. Click Migrate
   g. In the Source - Local Account section, click the dropdown list and find the local user account.
   h. Enter the DOMAIN\USERNAME of the user from the domain you wish to have this profile (ex: ad\jdoe).
   i. Click the button shaped like a check mark.
   j. Select Copy Profile.
   k. Click Migrate.
   l. At the Likewise Migrate User Profile popup, click Yes.
3. Notes:
   a. This process will take up to several minutes to complete as the local user profile is copied to a new profile for the domain user.
   b. The log file for this migration can be found at /tmp/lw-migrate.<source_account_username>.log
   c. IMPORTANT: Make sure enough disk space is available on the OS drive to allow the copy operation to complete successfully. The Migration wizard does not report on a failure of this type.

4.17 - Verify an object has UNIX attributes
1. Description: This section details the steps to check a user or group object for valid UNIX attributes.
2. Steps:
   a. From the Windows Admin workstation, open the Active Directory Users and Computers console.
   b. Browse to the user or group object in your OU.
      i. Ex: AD\IS\Groups\IS.ALLUSERS
   c. Right-click > Properties
   d. Select the Likewise Settings tab
   e. Check the Cells section. If the (Default) box is selected, the object should have UNIX attributes specified in the fields beneath.
3. Notes:
   a. Managed users should have UNIX attributes automatically populated from the central LDAP service.
   b. Unmanaged users will not have UNIX attributes assigned, with the exception of OU Admin accounts.
   c. Groups will not have UNIX attributes by default, except for *.OU.ADMIN groups. Others may be requested by sending a request to adhelp@ithelp.uoregon.edu.
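Sections 4.9, 4.10 and 4.12 above are the three checks an admin runs when a domain login fails: is the host joined, which agent build is it running, and does policy need a forced refresh. The following added script (not part of the guide; the function names, report format and sample strings are this example's own) combines them, parses the exact outputs section 4.9 and 4.10 describe, and only attempts gporefresh when the host is joined and the script is running as root, since section 4.12 notes it fails otherwise. On a machine without Likewise it falls back to constructed sample output so the parsing can still be exercised.

```sh
#!/bin/sh
# Added example, not from the UO guide: collect the checks from sections 4.9,
# 4.10 and 4.12 into one report, and only attempt a policy refresh when the
# host is actually joined and we are root (gporefresh fails otherwise).
# Assumption: the function names and the report format are this example's own.

LW_BIN=/opt/likewise/bin
LW_VERSION_FILE=/opt/likewise/data/version

# Constructed sample outputs, in the shapes the guide shows, so the parsing
# can be exercised on a machine that does not have Likewise installed.
SAMPLE_JOINED="Current Domain = AD.UOREGON.EDU"
SAMPLE_NOT_JOINED="Failed communication with the LWNET Agent. Error code 136 (ERROR_NOT_JOINED)"
SAMPLE_VERSION="VERSION=5.3.0
BUILD=7827
REVISION=51441"

# lw_parse_domain <lw-get-current-domain output>
# Prints the domain and returns 0 when joined, 1 when not joined, 2 when the
# output is something else (agent down, permissions, unexpected text).
lw_parse_domain() {
    case "$1" in
        *"Current Domain = "*)
            printf '%s\n' "$1" | sed -n 's/.*Current Domain = \([^ ]*\).*/\1/p'
            return 0 ;;
        *ERROR_NOT_JOINED*)
            return 1 ;;
        *)
            return 2 ;;
    esac
}

# lw_parse_version <contents of /opt/likewise/data/version>
# Prints "VERSION (build BUILD)", e.g. "5.3.0 (build 7827)"; returns 1 if no VERSION line.
lw_parse_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^VERSION=//p')
    build=$(printf '%s\n' "$1" | sed -n 's/^BUILD=//p')
    [ -n "$ver" ] || return 1
    printf '%s (build %s)\n' "$ver" "${build:-unknown}"
}

# lw_refresh_allowed <domain-rc> <uid>
# Section 4.12: gporefresh needs root, and only makes sense on a joined host.
lw_refresh_allowed() {
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ]
}

# lw_status_report: uses the real agent output when Likewise is present and
# the constructed samples otherwise. Always returns 0; the report is the result.
lw_status_report() {
    if [ -x "$LW_BIN/lw-get-current-domain" ]; then
        domain_out=$("$LW_BIN/lw-get-current-domain" 2>&1)
    else
        domain_out=$SAMPLE_NOT_JOINED   # constructed fallback
    fi
    if [ -r "$LW_VERSION_FILE" ]; then
        version_out=$(cat "$LW_VERSION_FILE")
    else
        version_out=$SAMPLE_VERSION     # constructed fallback
    fi

    echo "Likewise version: $(lw_parse_version "$version_out" || echo unknown)"
    rc=0
    domain=$(lw_parse_domain "$domain_out") || rc=$?
    case $rc in
        0) echo "Domain membership: joined to $domain" ;;
        1) echo "Domain membership: not joined (ERROR_NOT_JOINED)" ;;
        *) echo "Domain membership: unknown, agent output was: $domain_out" ;;
    esac

    if lw_refresh_allowed "$rc" "$(id -u)"; then
        echo "Refreshing Group Policy (the equivalent of gpupdate /force)..."
        "$LW_BIN/gporefresh"
    else
        echo "Skipping gporefresh: it needs a joined host and root (sudo)."
    fi
    return 0
}

lw_status_report
```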
5 - Mac Policy Examples

5.1 - Grant admin access to a user or group
1. Description: This section details the steps to allow specified users or groups Administrator access to a Mac workstation or server. Without this policy, all domain users are only standard users.
2. Steps:
   a. Follow the steps in Create/Edit GPOs for Likewise clients on a Windows Admin workstation.
   b. Right-click > Edit
   c. Expand Computer Configuration
   d. Expand Unix and Linux Policies
   e. Expand Mac Settings
   f. Click DS Plugin Settings
   g. Double-click Allow administration by
      i. Add the group you would like to grant local admin access.
   h. Double-click Allow admins group local entries > Select True.
3. Notes:
   a. IMPORTANT: The groups and users selected must have UNIX attributes to function. If you are intending to use a group that does not currently have UNIX attributes, contact Systems via the adhelp@ithelp.uoregon.edu RT queue to have this set up.

5.2 - Enable Mac firewall
1. Description: This section details the steps to enable and configure the Mac firewall.
2. Steps:
   a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
   b. Right-click > Edit
   c. Expand Computer Configuration
   d. Expand Unix and Linux Policies
   e. Expand Mac Settings
   f. Expand Mac System Preferences
   g. Click Firewall
   h. Double-click Use firewall protection
   i. Check Define this policy setting
   j. Select Enabled
   k. (Optional) Enable firewall logging:
      i. Double-click Turn on firewall logging
      ii. Check Define this policy setting
      iii. Select Enabled
   l. (Optional) Block UDP traffic:
      i. Double-click Block UDP traffic usage
      ii. Check Define this policy setting
      iii. Select Enabled
   m. (Optional) Enable firewall stealth mode:
      i. Double-click Use firewall stealth mode
      ii. Check Define this policy setting
      iii. Select Enabled
   n. Click Apply Now.
   o. Any Mac in the OU that the GPO is attached to will now receive these settings on the next gpupdate.
3. Notes: N/A

5.3 - Apply a Pre-logon warning message to a MacOS host
1. Description: This section details the steps to apply a pre-logon warning message to users of a workstation or server. A common warning would display Authorized use only along with any laws, regulations, and warnings about acceptable use as required. This is a recommended practice for both Windows and Mac hosts.
2. Steps:
   a. Follow the steps in Using Workgroup Manager to edit tagged GPOs from your Mac Admin workstations.
   b. Select Group of Computers managed by GPO.
   c. At the top of the Workgroup Manager window, click Preferences. This will show you all of the Computer-related settings you may set in this policy, by category.
   d. Select Login
   e. Select the Window tab.
   f. Choose Always at the top of the new Login settings window.
   g. Enter any text into the Message: field.
   h. Click Apply Now.
   i. Any Mac in the OU that the GPO is attached to will now receive these settings on the next gpupdate.
3. Notes: N/A

5.4 - Show Hard Disks and Connected Servers on Desktop by default
1. Description: This section details the steps to force a Mac workstation or server to show network, external and local drives on the user's desktop.
2. Steps:
   a. Follow the steps in Using Workgroup Manager to edit tagged GPOs from your Mac Admin workstations.
   b. Select Group of Computers managed by GPO.
   c. At the top of the Workgroup Manager window, click Preferences. This will show you all of the Computer-related settings you may set in this policy, by category.
   d. Select Finder.
   e. Select the Preferences tab.
   f. Check Hard Disks, External Drives, CDs, DVDs, and iPods, and Connected Servers under Show these items on the Desktop.
   g. Click Apply Now.
   h. Any Mac in the OU that the GPO is attached to will now receive these settings.
3. Notes: N/A

5.5 - Universal File Vault settings
1. Description: This section provides an example usage of the Likewise file deployment mechanism to control FileVault settings across managed Mac workstations. This should be done with extreme caution and testing.
2. Steps:
   a. On a Mac workstation without FileVault set up, set up the master FileVault password you intend to use on every system.
   b. Follow the steps in Deploy a File to a Mac workstation to deploy:
      i. /Library/Keychains/FileVaultMaster.cer
      ii. /Library/Keychains/FileVaultMaster.keychain
   c. Match the ACL settings on each file in the GPO to those set on the Mac.
   d. Uncheck Delete when policy is removed, or these files will be removed from the system if it is removed from the scope of the policy.
3. Notes:
   a. Be sure to read the following article for more information on this strategy: http://www.mactech.com/articles/mactech/vol.24/24.07/2407macenterprise-FileVaultintheEnterprisePart1/index.html

5.6 - Configure login options
1. Description: This section details the steps to configure login options, such as Automatic login, Fast User Switching, Guest account, and screensaver timeouts.
2. Steps:
   a. Follow the steps in Edit a GPO with Workgroup Manager on the Mac Admin workstation.
   b. Select Group of Computers managed by GPO.
   c. At the top of the Workgroup Manager window, click Preferences. This will show you all of the Computer-related settings you may set in this policy, by category.
   d. Select Login.
   e. Select the Options tab.
   f. Uncheck Enable automatic login.
   g. Uncheck Enable Fast User Switching.
   h. Uncheck Enable Guest Account.
   i. Check Start screen saver after XX minutes.
   j. Enter a number of minutes after which to start the screen saver.
   k. Click the button to the right of Use module at path:
   l. Browse to the desired screensaver (/System/Library/Screen Savers/*.saver).
   m. Click Apply Now.
   n. Any Mac in the OU that the GPO is attached to will now receive these settings.
3. Notes:
   a. Mac MCX policies are not as granular as many Windows GPO settings. In this example, you must decide what settings you want to use for *all* options in the Login\Options configuration section, as all will be enforced. You cannot leave any of them undefined as you would in a GPO (allowing local override).

5.7 - Configure Energy Saver options
1. Description: This section details the steps to apply managed Energy Saver options to Mac workstations. This is typically used to force workstations to sleep and disable displays after a fixed amount of time.
2. Steps:
   a. Follow the steps in Edit a GPO with Workgroup Manager on the Mac Admin workstation.
   b. Select Group of Computers managed by GPO.
   c. At the top of the Workgroup Manager window, click Preferences. This will show you all of the Computer-related settings you may set in this policy, by category.
   d. Select Energy Saver.
   e. Select Manage: Always
   f. Select Sleep from the Settings dropdown list.
   g. Select a time for Put the computer to sleep when it is inactive for:
   h. Select a time for Put the display(s) to sleep when the computer is inactive for:
   i. Check/Uncheck Put the hard disk(s) to sleep when possible.
   j. Select Options from the Settings dropdown list.
   k. Uncheck Wake when modem detects a ring
   l. Check Wake for Ethernet network administrator access
   m. Check/Uncheck Allow power button to sleep the computer
   n. Check/Uncheck Restart automatically after a power failure
   o. Click Apply Now.
   p. Any Mac in the OU that the GPO is attached to will now receive these settings.
3. Notes: N/A
6 - Universal Linux/Unix/Mac Policy Examples

6.1 - Allow cached logins
1. Description: This section details the steps to enable cached logins. Cached logins allow a user to log in to a host even when it is offline, as long as a successful login has occurred previously. This is commonly set on workstations and laptops.
2. Steps:
    a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    b. Expand Computer Configuration.
    c. Expand Unix and Linux Policies.
    d. Expand Likewise Settings.
    e. Select Logon.
    f. Double-click Allow cached logons (cached_login).
    g. Check Define this policy setting.
    h. Select Authorization and Identification.
    i. Double-click Allow offline logon support.
    j. Check Define this policy setting.
    k. Select Enable.
3. Notes:
    a. For this policy to be effective, a user must successfully log on at least once after the policy is applied to the host.

6.1 - Restrict login to a user or group
1. Description: This section details the steps to restrict login to a workstation or server. Examples of this usage would be to allow only staff from a particular department to log in to a workstation, or to deny login to a server by anyone other than an admin group or user.
2. Steps:
    a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    b. Right-click > Edit.
    c. Expand Computer Configuration.
    d. Expand Unix and Linux Policies.
    e. Expand Likewise Settings.
    f. Select Logon.
    g. Double-click Allow logon rights.
    h. Check Define this policy setting.
    i. Click the button resembling a pencil.
    j. Find the group you would like to grant local logon rights.
    k. (Optional) Enter a message to be displayed when logon is denied:
    l. Double-click Denied logon rights message Properties.
    m. Check Define this policy setting.
    n. Edit the text in the Logon error message box as required. The default text may work for your purposes.
3. Notes:
    a. You may select multiple groups to grant logon rights. These must be entered as a comma-separated list, though this is done automatically when searching for and selecting a group.
    b. *IMPORTANT*: The groups and users selected must have UNIX attributes to function. If you intend to use a group that does not currently have UNIX attributes, contact Systems via the adhelp@ithelp.uoregon.edu RT queue to have this set up.

6.2 - Grant a domain group sudo access to a Linux host
1. Description: This section details the steps to grant a domain group or user sudo privileges on a Linux host. These steps allow any member of the specified group to perform admin operations.
2. Steps:
    a. Follow the steps in Join a Linux computer to the domain using the shell.
    b. Edit the sudoers file on the Linux system:
       i. sudo nano /etc/sudoers
    c. Look for the entry: root ALL=(ALL) ALL or root ALL=ALL
    d. Directly beneath this, enter the following: %AD\\GROUPNAME ALL=(ALL) ALL
    e. Reboot the system.
    f. Log in with a domain user that is a member of the group you added to the sudoers file.
    g. Confirm sudo access by running an elevated command.
3. Notes:
    a. GROUPNAME must be replaced with a valid domain group. All members of this group will be granted sudo access to the Linux host.
    b. The group selected must have valid UNIX attributes.

6.3 - Deploy Sudoers file
1. Description: This section details the steps to deploy a working sudoers file to Linux hosts in order to standardize your sudoers user list across managed servers. You may also create multiple GPOs with different sudoers files as necessary.
2. Steps:
    a. Follow the steps in Grant a domain group sudo access to a Linux host.
    b. Copy the sudoers file from this host to a network location (e.g. \\fileserver\share\sudoers).
    c. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    d. Right-click > Edit.
    e. Expand Computer Configuration.
    f. Expand Unix and Linux Policies.
    g. Expand Security Settings.
    h. Select SUDO command.
    i. Double-click Define Sudoers file.
    j. Check Define this policy setting.
    k. Click Import.
    l. Browse to the network location (e.g. \\fileserver\share\sudoers) and select the file.
    m. Confirm that the information imported into Current file content is correct.
    n. Click OK.
3. Notes:
    a. The sudoers file should be prepared for each class of host and thoroughly tested before mass deployment, to protect against version- or platform-specific settings.

6.4 - Set Default Login Shell to /bin/bash
1. Description: This section details the steps required to set the default login shell on a Linux/Unix/Mac host. This is commonly used to set the default shell to /bin/bash, as many platforms default to /bin/sh.
2. Steps:
    a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    b. Right-click > Edit.
    c. Expand Computer Configuration.
    d. Expand Unix and Linux Policies.
    e. Expand Likewise Settings.
    f. Select Authorization and Identification.
    g. Double-click Login shell template.
    h. Check Define this policy setting.
    i. In the Shell: field, enter /bin/bash
    j. Click OK.
3. Notes:
    a. This policy should be put in place *before* a user logs in. If a user has already logged in and has another shell set, you may need to restart the host.
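The following shell script is an added example, not part of the Likewise guide or the product. It prepares the sudoers entry from 6.2 for a domain group, checks that the group resolves to a UNIX group (the UNIX-attributes requirement noted in 6.1 and 6.2), and validates a candidate sudoers file before it is copied to the network location and imported as in 6.3. AD and GROUPNAME are the guide's placeholders; the output path given to build_sudoers_file is an assumed scratch file, and nothing here writes to /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the Likewise guide): prepare and check the sudoers
# change from 6.2 before it is edited in or imported into a GPO (6.3).
# "AD" and "GROUPNAME" are the guide's placeholders.  Nothing here needs
# root and nothing touches /etc/sudoers.

# Build the user specification the guide shows.  sudoers treats a backslash
# as an escape character, so the separator in AD\GROUPNAME is written doubled.
sudoers_line_for_group() {
    domain=$1 group=$2
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$group"
}

# A domain group only works in sudoers (and in the "Allow logon rights"
# policy of 6.1) if it has UNIX attributes, i.e. it resolves to a GID through
# NSS.  Prints the GID and succeeds when it resolves, fails otherwise.
group_has_unix_attributes() {
    if command -v getent >/dev/null 2>&1; then
        entry=$(getent group "$1" || true)
    else
        # Fallback for hosts without getent: local groups only.
        entry=$(awk -F: -v g="$1" '$1 == g' /etc/group)
    fi
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    case $gid in
        '' | *[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$gid"
}

# Validate a candidate sudoers file.  "visudo -c -f FILE" parses the file
# without installing it.  When visudo is not available on the admin host,
# fall back to a coarse check that every non-comment, non-Defaults line has
# the "who hosts=(runas) commands" shape, i.e. contains an '='.
validate_sudoers_file() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
        return
    fi
    ! grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^Defaults' "$1" | grep -qv '='
}

# Assemble a sudoers file for one class of host: a Defaults line, the root
# entry the guide tells you to look for, and one line per domain group.
# $1 is the output path; remaining arguments are bare domain group names.
# Returns the validation result so a broken file is never copied onward.
build_sudoers_file() {
    out=$1
    shift
    {
        echo 'Defaults env_reset'
        echo 'root ALL=(ALL) ALL'
        for group in "$@"; do
            sudoers_line_for_group AD "$group"
        done
    } > "$out"
    validate_sudoers_file "$out"
}
```

Run build_sudoers_file against a scratch path and only copy the result to the share in step b of 6.3 when it returns 0. On the reference host itself, editing /etc/sudoers through visudo instead of nano applies the same syntax check to the live file, so a typo cannot leave the host with no working sudo.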
6.5 - Target a specific non-windows platform
1. Description: This section details the steps to target a specific Linux/Unix/Mac platform. This is used to assign policies only to a particular platform, such as Mac OS or Red Hat. In conjunction with the OU structure, this can be used to define GPO assignment at a granular level.
2. Steps:
    a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    b. Expand Computer Configuration.
    c. Expand Unix and Linux Policies.
    d. Select Target Platform Filter.
    e. Double-click Target platforms.
    f. Check Define this policy setting.
    g. Select Select from the List.
    h. Check all platforms to which this policy should apply.
    i. Click OK.
3. Notes:
    a. N/A

6.6 - Enable Loopback processing on a GPO
1. Description: This section details the steps required to enable Loopback processing. This feature allows User GPO settings to be attached to Computer GPOs. Those settings then merge into, or replace, the policy settings normally assigned by User GPOs. This is common when creating policies for kiosk stations, where an admin intends to override any user GPO settings. Additionally, this is a common method of assigning User GPOs in the campus Active Directory environment, due to its architecture and IDM integration.
2. Steps:
    a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    b. Expand Computer Configuration.
    c. Expand Unix and Linux Policies.
    d. Expand Likewise Settings.
    e. Click Group Policy Agent.
    f. Double-click User policy loopback processing mode.
    g. Check Define this policy setting.
    h. Select Replace or Merge as required.
3. Notes:
    a. Standard loopback processing set for Windows workstations will not work on non-Windows workstations. You must enable loopback processing for Likewise clients through the Unix and Linux Settings node.
    b. Merge is the most common loopback processing setting in our environment. It allows any GPO assigned to the workstation that contains user-specific settings to overwrite conflicting settings while leaving the others in place.
    c. Replace is typically used with kiosk systems that require the user-specific settings to be ignored completely. This setting overwrites any conflicting settings and also removes every other setting set by user GPOs.

6.7 - Deploy a File
1. Description: This section details the steps to deploy a file to managed Linux/Unix/Mac hosts. This is targeted at the deployment of small configuration files for applications and should not be used for large file deployment.
2. Steps:
    a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    b. Expand Computer Configuration.
    c. Expand Unix and Linux Policies.
    d. Expand File System Settings.
    e. Select Files, Directories and Links.
    f. Double-click Create Directories, Install Files, Configure Links.
    g. Check the Define this policy setting box.
    h. Click Add.
    i. Select File.
    j. Browse to the file location.
    k. Enter the path the file should be deployed to.
    l. Set the file ACL values (read/write/execute for User/Group/Other).
    m. Select an AD User/Group if desired.
    n. Check/Uncheck Delete when policy is removed as necessary.
    o. Click OK.
3. Notes:
    a. IMPORTANT: This file deployment method is intended for small files. Do not deploy large files using this method, as this can directly impact the performance of Active Directory.
    b. Deployed files are stored inside the GPO and distributed to clients from there. Unlike a GPO Preferences policy for Windows, a UNC path (e.g. \\server\shared\file.ext) is not used.

6.8 - Set AD domain as default for user logon
1. Description: This section details the steps to configure Likewise-enabled computers to automatically prepend the default domain (AD) to usernames at logon.
2. Steps:
    a. Follow the steps in Create a GPO for Likewise clients on a Windows Admin workstation.
    b. Expand Computer Configuration.
    c. Expand Unix and Linux Policies.
    d. Expand Likewise Settings.
    e. Select Authorization and Identification.
    f. Double-click Lsassd: Prepend default domain name for AD users and groups.
    g. Check the Define this policy setting box.
    h. Select Enabled.
    i. Click OK.
3. Notes:
    a. After the next policy refresh, users will be able to log on to a machine affected by this policy with only their DuckID username. Adding AD\ will no longer be required.
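The Merge and Replace behaviour described in the notes of 6.6, modelled in shell as an added example that is not Likewise code. The setting names and values are constructed for the illustration; a real policy refresh operates on the GPO settings themselves, but the precedence rules applied here are the ones the notes describe: under Merge, the user-side settings carried by the computer's GPO win on conflicts and every other user-GPO setting survives; under Replace, only the computer-side settings apply.

```shell
#!/bin/sh
# Added example (not Likewise code): model the two loopback processing modes
# from 6.6 on two constructed settings lists ("key=value" per line).

# What the user's own GPOs would apply (hypothetical setting names).
USER_GPO_SETTINGS='screensaver_timeout=15
home_sync=on
printer=dept-lj4'

# User-side settings carried by the computer's GPO (loopback settings).
LOOPBACK_USER_SETTINGS='screensaver_timeout=5
kiosk_mode=on'

# Merge: loopback settings overwrite conflicting user-GPO settings; all other
# user-GPO settings stay.  The later occurrence of a key wins; first-seen
# order is kept so the output is stable.  $1 = user-GPO list, $2 = loopback.
loopback_merge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F= '
        NF == 2 {
            if (!($1 in value)) order[++n] = $1
            value[$1] = $2
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" value[order[i]] }'
}

# Replace: user-GPO settings are ignored entirely; only loopback settings
# apply.  Arguments as for loopback_merge.
loopback_replace() {
    printf '%s\n' "$2"
}

# Resolve one key under a mode ("merge" or "replace").  Prints the effective
# value, or nothing when that mode leaves the key unset.
effective_setting() {
    mode=$1 user=$2 loopback=$3 key=$4
    "loopback_$mode" "$user" "$loopback" | awk -F= -v k="$key" '$1 == k { print $2 }'
}

# Show both outcomes side by side for the sample lists.
printf 'Merge:\n'
loopback_merge "$USER_GPO_SETTINGS" "$LOOPBACK_USER_SETTINGS"
printf 'Replace:\n'
loopback_replace "$USER_GPO_SETTINGS" "$LOOPBACK_USER_SETTINGS"
```

The practical difference is the printer and home_sync lines: Merge keeps them, Replace drops them, which is why Replace suits a kiosk (no user-specific state should survive) and Merge suits a normal workstation where the computer GPO only needs to pin down a few settings.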
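An added verification for 6.7 (not part of the guide): after the next policy refresh, confirm on the client that the file arrived with the content from the GPO and the mode and owner chosen in steps k to m. The paths used in demo are scratch files created for the example; in use, pass the GPO's source copy and the destination path from step k. The "mode owner group" line printed by file_mode_owner is also the information 5.5 asks you to match between the Mac and the GPO for the FileVault keychain files.

```shell
#!/bin/sh
# Added example (not from the Likewise guide): check that a file pushed out by
# the "Create Directories, Install Files, Configure Links" policy arrived
# intact and with the permissions set in the GPO.  Paths and expected values
# below are constructed for the example.

# Print "<octal mode> <owner> <group>" for a path, using GNU stat (Linux)
# and falling back to BSD stat (Mac OS).
file_mode_owner() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# Compare a deployed file ($1) with the copy kept in the GPO ($2) and with the
# expected "<mode> <owner> <group>" ($3).  Reports each mismatch and returns
# 0 only when both content and permissions match.
verify_deployed_file() {
    deployed=$1 source=$2 expected=$3
    status=0
    if [ ! -f "$deployed" ]; then
        echo "MISSING  $deployed"
        return 1
    fi
    if ! cmp -s "$deployed" "$source"; then
        echo "CONTENT  $deployed differs from $source"
        status=1
    fi
    actual=$(file_mode_owner "$deployed")
    if [ "$actual" != "$expected" ]; then
        echo "PERMS    $deployed is '$actual', expected '$expected'"
        status=1
    fi
    return $status
}

# Demonstration on scratch files (constructed): a small config file deployed
# as mode 640 and owned by the current user.  Returns verify's result.
demo() {
    src=$(mktemp)
    dst=$(mktemp)
    printf 'alias ll=%s\n' "'ls -l'" > "$src"
    cp "$src" "$dst"
    chmod 640 "$dst"
    verify_deployed_file "$dst" "$src" "640 $(id -un) $(id -gn)"
    rc=$?
    rm -f "$src" "$dst"
    return $rc
}
```

A non-zero exit with a CONTENT line usually means the GPO has not refreshed yet or the file was edited locally; a PERMS line means the ACL boxes in step l or the owner in step m do not match what you expected to deploy.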