Deploying Group Policies to UNIX Computers

Centrify provides group policy templates for managing UNIX and Linux computers. The group policies are centrally managed through the Group Policy Management Editor, but modify configuration settings on the managed computers where they are applied. This mechanism allows you to manage the group policy settings from a single location and have them applied on remote UNIX and Linux computers.

To illustrate how to configure and apply group policies, you will create a Group Policy Object for the Centrify organizational unit.

To load and apply group policies for UNIX and Linux computers

  1. Open the Group Policy Management utility (gpmc.msc) and expand your evaluation domain.

  2. Right-click the IBM Security organizational unit, then select Create a GPO in this domain, and Link it here.

  3. Type a name for the new GPO (UNIX policies), then click OK.

  4. Expand the IBM Security organizational unit, right-click the GPO, then select Edit.

  5. Expand the Computer Configuration > Policies node and select IBM Security Settings.

  6. Right-click and select Add/Remove Templates.

  7. Click Add and select all of the templates listed, click Open, then click OK.

    This step adds both computer and user group policies under the IBM Security Settings node. Expand IBM Security Settings to explore the specific policies available. You can click the Explain tab for any group policy to see more information about what it does. The remainder of this section illustrates how you would enable and configure a few simple policies for IBM Security-managed computers. Note that all policies—including IBM Security group policies—are “Not configured” by default.

Configuring User Mapping by Group Policy

To illustrate how to configure an IBM Security group policy, you will enable the Set user mapping policy. This policy maps a UNIX user, for example root, to an Active Directory user account, for example Amy.Adams. After this policy is set, root attempts to log on must use the mapped Active Directory user’s credentials.

To configure an IBM Security group policy

  1. Expand IBM Security Settings > DirectControl Settings, scroll down and double-click the Set user mapping policy.

  2. Select Enabled, then click Add.

  3. Type the UNIX user account name (root).

  4. Click Browse to search for and select the Active Directory account to use, then click OK.

  5. Click OK to enable the policy.

If you enable this policy, the root user in the zone will not be able to log in to the managed computers in the zone.
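
To confirm on a managed computer that the mapping actually arrived, the following added example (not part of the original documentation or the vendor's tooling) checks an agent configuration file for the expected entry. It assumes mappings are stored as `pam.mapuser.<localuser>: <ADaccount>` lines; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Assumption: each mapping is stored as
# "pam.mapuser.<localuser>: <ADaccount>" in the agent configuration file.

# Print "localuser adaccount" for every active (uncommented) mapping in FILE.
list_user_mappings() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out entries
        /^[ \t]*pam\.mapuser\.[^ \t:]+[ \t]*:/ {
            line = $0
            sub(/^[ \t]*pam\.mapuser\./, "", line)
            user = line; sub(/[ \t]*:.*/, "", user)
            acct = line; sub(/^[^:]*:[ \t]*/, "", acct); sub(/[ \t]+$/, "", acct)
            if (acct != "") print user, acct
        }' "$1"
}

# verify_mapping FILE LOCALUSER EXPECTED
# Returns 0 on match, 1 if unmapped, 2 on conflicting entries, 3 on mismatch.
verify_mapping() {
    found=$(list_user_mappings "$1" | awk -v u="$2" '$1 == u { print $2 }' | sort -u)
    [ -n "$found" ] || { echo "MISSING: $2 has no mapping"; return 1; }
    [ $(printf '%s\n' "$found" | wc -l) -eq 1 ] ||
        { echo "CONFLICT: $2 has more than one mapping"; return 2; }
    [ "$found" = "$3" ] || { echo "MISMATCH: $2 -> $found"; return 3; }
    echo "OK: $2 -> $found"
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    printf '%s\n' \
        '# pam.mapuser.oracle: old.account' \
        'pam.mapuser.root: Amy.Adams' \
        '  pam.mapuser.backup :  svc.backup  ' \
        'some.other.setting: value'
}

conf=$(mktemp)
sample_conf > "$conf"
verify_mapping "$conf" root Amy.Adams               # mapping present and as expected
verify_mapping "$conf" oracle old.account || true   # entry is commented out, so unmapped
rm -f "$conf"
```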

Configuring Password Prompts

There are several group policies that enable you to customize the text displayed when a user attempts to log on to a managed computer. For example, you can customize the text displayed when a password is expiring in a certain number of days or when authentication fails. To illustrate how to configure the IBM Security group policies for password-related prompts, you will enable the Set login password prompt policy.

  1. Expand IBM Security Settings > DirectControl Settings > Password Prompts and double-click Set login password prompt.

  2. Select Enabled.

  3. Type the text string you want displayed, then click OK.