2.5. Group Policy Object Access Control

Group Policy is a Microsoft Windows feature that enables administrators to centrally manage policies for users and computers in AD environments. A group policy object (GPO) is a collection of policy settings, such as name and value pairs, that are stored on a domain controller (DC) and can be applied to policy targets, such as computers and users.
GPO policy settings related to Windows logon rights are commonly used to manage computer-based access control in AD environments. SSSD can retrieve GPOs applicable to host systems and AD users; based on the retrieved GPO configuration, it determines if a user is allowed to log on to a particular host. Therefore, with the GPO-based access control provided by SSSD, the administrator can define login policies that are honored by both Red Hat Enterprise Linux and Windows clients centrally on the AD DC.

Note

SSSD only allows using GPO for the computer-based access control. Other GPO-related access control options are currently not supported.

Warning

Note that SSSD only handles rules that apply to a whole site, domain, or AD organizational unit (OU). If you want to apply the SSSD-supported GPO-based access control to a specific machine, you can create a new OU in the AD domain, move the machine to the OU, and then link the GPO to this OU.

2.5.1. Configuring GPO-based Access Control

GPO-based access control can be configured in the /etc/sssd/sssd.conf file. The ad_gpo_access_control option specifies the mode in which the GPO-based access control runs. It can be set to the following values:
ad_gpo_access_control = permissive
The permissive value specifies that GPO-based access control is evaluated but not enforced; a syslog message is recorded every time access would be denied. This is the default setting.
ad_gpo_access_control = enforcing
The enforcing value specifies that GPO-based access control is evaluated and enforced.
ad_gpo_access_control = disabled
The disabled value specifies that GPO-based access control is neither evaluated nor enforced.

Important

Before starting to use the GPO-based access control and setting ad_gpo_access_control to enforcing mode, it is recommended to ensure that ad_gpo_access_control is set to permissive mode and examine the logs. By reviewing the syslog messages, you can test and adjust the current GPO settings as necessary before finally setting the enforcing mode.
The following parameters related to the GPO-based access control can also be specified in the sssd.conf file:
  • The ad_gpo_map_* options and the ad_gpo_default_right option configure which PAM services are mapped to specific Windows logon rights.
    To move a service allowed by default to the deny list, remove it from the allow list. For example, to remove the su service from the allow list:
    ad_gpo_map_interactive = -su
  • The ad_gpo_cache_timeout option specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
For a detailed list of available GPO parameters as well as their descriptions and default values, see the sssd-ad(5) man page.