2.5. Group Policy Object Access Control
2.5.1. How SSSD Works with GPO Access Control
2.5.2. GPO Settings Supported by SSSD
Table 2.2. GPO access control options retrieved by SSSD
|GPO option [a]|| Corresponding |
Allow log on locally
Deny log on locally
Allow log on through Remote Desktop Services
Deny log on through Remote Desktop Services
Access this computer from the network
Deny access to this computer from the network
Allow log on as a batch job
Deny log on as a batch job
Allow log on as a service
Deny log on as a service
[a] As named in the Group Policy Management Editor on Windows.
[b] See the sssd-ad(5) man page for details about these options and for lists of pluggable authentication module (PAM) services to which the GPO options are mapped by default.
2.5.3. Configuring GPO-based Access Control for SSSD
ad_gpo_access_controloption specifies the mode in which the GPO-based access control runs. It can be set to the following values:
ad_gpo_access_control = permissive
permissivevalue specifies that GPO-based access control is evaluated but not enforced; a
syslogmessage is recorded every time access would be denied. This is the default setting.
ad_gpo_access_control = enforcing
enforcingvalue specifies that GPO-based access control is evaluated and enforced.
ad_gpo_access_control = disabled
disabledvalue specifies that GPO-based access control is neither evaluated nor enforced.
ad_gpo_access_controlto enforcing mode, it is recommended to ensure that
ad_gpo_access_controlis set to permissive mode and examine the logs. By reviewing the
syslogmessages, you can test and adjust the current GPO settings as necessary before finally setting the enforcing mode.
ad_gpo_map_*options and the
ad_gpo_default_rightoption configure which PAM services are mapped to specific Windows logon rights.To add a PAM service to the default list of PAM services mapped to a specific GPO setting, or to remove the service from the list, use the
ad_gpo_map_*options. For example, to remove the
suservice from the list of PAM services mapped to interactive login (GPO settings Allow log on locally and Deny log on locally):
ad_gpo_map_interactive = -su
ad_gpo_cache_timeoutoption specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
2.5.4. Additional Resources
- For more details on configuring SSSD to work with GPOs, see Configure SSSD to respect Active Directory SSH or Console/GUI GPOs in Red Hat Knowledgebase.