KB-2321: Using Security Filtering with Centrify Group Policies

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April 2016 at 11:45 AM

Applies to: Centrify DirectControl 5.x on all versions of Mac OS X. 
 
Problem:
 
When Security Filtering is used to restrict group policies to AD groups, User GPs are not applied unless the computer object is also added to the Security Filter.
 

Cause:
 
In Centrify DirectControl 4.4.3, the GP processor used the user's own credentials to create a domain binding and fetch User GPs.

However, in Centrify DirectControl 5.x, the GP processor gets its domain binding directly from adclient, which uses the machine credentials.

If the computer object is not granted access to the GPO, the User GPs cannot be retrieved.


Workaround:
 
Add both the Computer Object and the User Object to the Security Filtering list in the Group Policy Management console.

(This can be done quickly by adding the target computer objects to a single AD group, e.g. "Mac Computers", and then adding that group to the Security Filter.)

 
Resolution:
 
As of Centrify Suite 2015 (Mac agent version 5.2.2), a new configuration parameter is available for use in /etc/centrifydc/centrifydc.conf:
  • gp.use.user.credential.for.user.policy
When this parameter is set to "true", the Mac agent fetches User GPs with the logged-in user's own AD credentials. (For backwards compatibility, the parameter is set to false by default.)


Option 1:
To set this via group policy, make sure the GPO templates on the AD side have been updated to at least Centrify Suite 2015 versions and then configure the following GP:
  • Computer Configuration / Centrify Settings / DirectControl Settings / Group Policy Settings / "Use user credential to retrieve user policy"


Option 2:
To set the parameter manually on a single machine instead:
  1. Open the centrifydc.conf file on the Mac for editing and search for the following line:
    • # gp.use.user.credential.for.user.policy: false
  2. Modify this line so it now shows as:
    • gp.use.user.credential.for.user.policy: true
  3. Save and close the configuration file, then run the command:
    • sudo adreload
  4. Log out and log back in as an AD user; the agent should now fetch that user's User GPs with the AD user's own credentials.
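The manual edit in Option 2 can be scripted so it is idempotent and verifiable. The following shell script is an added example, not Centrify's own tooling: it uncomments or sets the parameter in a centrifydc.conf-style file, takes a backup first, and reports the effective value so you can confirm the change before running adreload. It assumes the "key: value" line format and the "# key: value" commented-default convention shown in the steps above; the file path, function names and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example (not Centrify code): enable gp.use.user.credential.for.user.policy
# in a centrifydc.conf-style file and verify the effective value.
# Assumes "key: value" lines and "# key: value" commented defaults (as in the KB).

CONF_DEFAULT=/etc/centrifydc/centrifydc.conf   # assumed path from the KB
KEY=gp.use.user.credential.for.user.policy

# Print the effective value of KEY in the given file. Only uncommented lines
# count; if none is present the agent default ("false") is reported.
gp_user_cred_get() {
    conf=$1
    val=$(grep -E "^[[:space:]]*${KEY}[[:space:]]*:" "$conf" | tail -n 1 \
          | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s\n' "${val:-false}"
}

# Enable the parameter: rewrite an existing (commented or active) line to
# "KEY: true", or append one if the key is absent. A timestamped backup of the
# original file is kept next to it. Returns non-zero if the edit did not take.
gp_user_cred_enable() {
    conf=$1
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    if grep -qE "^[[:space:]]*#?[[:space:]]*${KEY}[[:space:]]*:" "$conf"; then
        sed -E -i.tmp "s|^[[:space:]]*#?[[:space:]]*${KEY}[[:space:]]*:.*|${KEY}: true|" "$conf"
        rm -f "$conf.tmp"
    else
        printf '%s: true\n' "$KEY" >> "$conf"
    fi
    [ "$(gp_user_cred_get "$conf")" = "true" ]
}

# With --apply, edit the real agent config and reload adclient (step 3 of the KB).
# Without arguments the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    gp_user_cred_enable "$CONF_DEFAULT" && sudo adreload
    printf 'effective value: %s\n' "$(gp_user_cred_get "$CONF_DEFAULT")"
fi
```

Run it as `sudo sh enable-user-gp-cred.sh --apply` on the Mac; the printed effective value should read `true`, after which an AD user can log out and back in as in step 4.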


For further information on updating GPO templates, see the following KB:
 
