Centrify DirectControl 5.x on all versions of Mac OS X.

Problem:
When using Security Filtering to filter group policies by AD groups, User GPs do not get applied unless the computer object is also added to the Security Filter.

Cause:
In Centrify DirectControl 4.4.3, the GP processor used the user's credentials to create a binding and fetch User GPs.
However, in Centrify DirectControl 5.x, the GP processor gets its domain binding directly from the adclient, which uses machine credentials.
If the computer object is not granted access to the GPO, then the User GPs cannot be retrieved.

Workaround:
Add both the Computer Object and the User Object to Security Filtering in the Group Policy Management console.
(This can be done quickly by adding the target computer objects to a single AD group (e.g. "Mac Computers") and then adding that group to the Security Filter.)
Resolution:
As of Centrify Suite 2015 (Mac agent version 5.2.2), a new configuration parameter, gp.use.user.credential.for.user.policy, is available in /etc/centrifydc/centrifydc.conf.
When this parameter is set to "true", the Mac agent fetches User GPs with the logged-in user's own AD credentials. (For backwards compatibility, the parameter is set to "false" by default.)

Option 1:
To set this via group policy, make sure the GPO templates on the AD side have been updated to at least the Centrify Suite 2015 versions and then configure the following GP:
- Computer Configuration / Centrify Settings / DirectControl Settings / Group Policy Settings / "Use user credential to retrieve user policy"
Option 2:
To set the parameter manually on a single machine instead:
- Open the centrifydc.conf file on the Mac for editing and search for the following line:
  # gp.use.user.credential.for.user.policy: false
- Modify this line so it now shows as:
  gp.use.user.credential.for.user.policy: true
- Save and close the configuration file, then run the command:
- Log out and log back in as an AD user; the agent should now fetch their User GPs with the AD user's own credentials.
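The manual edit above, as a small POSIX shell helper added here as an example (this is not Centrify's own tooling): it reports the parameter's current state in a given centrifydc.conf copy and rewrites the shipped commented-out default, an explicit "false", or an absent key to the enabled form, taking a backup first. It assumes the standard "key: value" layout shown above and takes the conf path as its argument.

```shell
#!/bin/sh
# Added example, not part of Centrify's tooling: enable
# gp.use.user.credential.for.user.policy in a centrifydc.conf file.
# Handles the shipped commented default ("# key: false"), an explicit
# "key: false", and a conf where the key is absent. Needs only sh/grep/sed.

KEY='gp.use.user.credential.for.user.policy'
# Escape the dots so they match literally in the regexes below.
KEY_RE=$(printf '%s' "$KEY" | sed 's/\./\\./g')

# Print the effective value of the key: "true"/"false" when set as an
# active line, or "unset" when absent or present only as a comment.
gp_user_cred_status() {
    conf="$1"
    val=$(grep -E "^[[:space:]]*${KEY_RE}[[:space:]]*:" "$conf" 2>/dev/null \
          | tail -n 1 | sed -E 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]')
    case "$val" in
        true|false) printf '%s\n' "$val" ;;
        *) printf 'unset\n' ;;
    esac
}

# Rewrite the key to "true" in place after backing the file up.
# Returns 0 only if the file afterwards reports the key as "true";
# the KB's reload command and an AD re-login are still required.
gp_user_cred_enable() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if grep -qE "^[[:space:]]*#?[[:space:]]*${KEY_RE}[[:space:]]*:" "$conf"; then
        # Commented or active occurrence present: normalise it to the enabled form.
        sed -E -i.tmp "s/^[[:space:]]*#?[[:space:]]*(${KEY_RE})[[:space:]]*:.*/\1: true/" "$conf" \
            && rm -f "$conf.tmp"
    else
        # Key absent from this conf: append it explicitly.
        printf '%s: true\n' "$KEY" >> "$conf"
    fi
    [ "$(gp_user_cred_status "$conf")" = "true" ]
}
```

Run it as `gp_user_cred_enable /etc/centrifydc/centrifydc.conf` with root privileges, then follow the remaining steps of the KB.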
For further information on updating GPO templates, see the following KBs: