2.5. Group Policy Object Access Control
2.5.1. Configuring GPO-based Access Control
ad_gpo_access_controloption specifies the mode in which the GPO-based access control runs. It can be set to the following values:
ad_gpo_access_control = permissive
permissivevalue specifies that GPO-based access control is evaluated but not enforced; a
syslogmessage is recorded every time access would be denied. This is the default setting.
ad_gpo_access_control = enforcing
enforcingvalue specifies that GPO-based access control is evaluated and enforced.
ad_gpo_access_control = disabled
disabledvalue specifies that GPO-based access control is neither evaluated nor enforced.
ad_gpo_access_controlto enforcing mode, it is recommended to ensure that
ad_gpo_access_controlis set to permissive mode and examine the logs. By reviewing the
syslogmessages, you can test and adjust the current GPO settings as necessary before finally setting the enforcing mode.
ad_gpo_map_*options and the
ad_gpo_default_rightoption configure which PAM services are mapped to specific Windows logon rights.To move a service allowed by default to the deny list, remove it from the allow list. For example, to remove the
suservice from the allow list:
ad_gpo_map_interactive = -su
ad_gpo_cache_timeoutoption specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
2.5.2. Additional Resources
- For more details on configuring SSSD to work with GPOs, see Configure SSSD to respect Active Directory SSH or Console/GUI GPOs in Red Hat Knowledgebase.