Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3001: Troubleshooting Group Policy issues on Mac systems.

Centrify Identity Service, Mac Edition ,  

20 March,17 at 09:02 PM

Applies to: Centrify Identity Service


 
Question:
 
What troubleshooting steps can be performed if group policies don't seem to be functioning correctly on Mac systems?
 

Answer:
 
Note: It is very important to understand that due to the wide variety of different settings and configurations that group policies can touch - every policy will function in a different manner. 
 
For example setting a policy to Enabled or Disabled on one GP will just toggle a True / False parameter, while the same Enabled / Disabled switch on another GP may actually be setting or removing the parameter entirely.
 
 
=== General GP Troubleshooting ===
 
The first step is to ensure that the GP is being correctly pushed out to the Mac.
 
Centrify follows the standard Active Directory Group Policy distribution rules as managed by the Group Policy Management console in Windows. 
This means it uses all the same GPO > OU inheritance and filtering rules that Windows machines follows as well.
 

 
== A: Verifying that the GPO is being downloaded to the Mac
  • Go to the following KB and download the Mac Diagnostic Tool to the target machine:
  • Open the Tool and go to the "Group Policy" section, press the [ GP Update ] button and then either [ User Policy ] or [ Machine Policy ] to see the actual policies being received:

    User-added image

     
  • The output of this screen can be interpreted as follows:
    • The blue text at the beginning of each line is the name of the GPO that was successfully downloaded.
    • The orange text are the internal names of the policy that was pushed
    • The black text at the end will give an indication of the setting that was configured for that policy.
       
  • If the target GPO appears in this list, then it means the policy has been successfully downloaded to the Mac.
     
  • Note: The Mac Diagnostic Tool provides an easy-to-read method of viewing and confirming which GPs the Mac is actually receiving. 
  • If GUI access is not available or desired, then the data can also be read in plain text from the following locations:

      /var/centrifydc/reg/users/ [username] /gp.report
      /var/centrifydc/reg/machine/gp.report
 
 
 
== B: Security Filtering
  • If Security Filtering is being used to filter GPOs based on AD groups, then the computer object will also need to be added into the scope of the filter. This is because the GP processor on the adclient uses machine credentials to retrieve the group policies. 
     
  • For more informaition, see:
 
 
 
== C: Loopback Processing
  • If a GPO is active on an OU that only contains Computer objects, then only the Computer GPs from that GPO will apply.
  • Any User GPs from that same GPO will be ignored, as no user objects are in that OU. 
     
  • If it is required for User policies to apply to any AD user logging into a specific machine (no matter which OU the user account is from), then loopback processing will need to be enabled:

      Computer Configuration / Administrative Templates / System / Group Policy / "User Group Policy loopback processing mode"

     
  • For more informaition, see:
 
 
 
== D: Group Policy Idiosyncrasies


 
== X: Contacting Support
  • If the group policies are still not working after checking through the above steps, please send an email into support@centrify.com with the following information:
    • A description of the GP being pushed and the expected behaviour vs actual behaviour
       
    • On the AD side, open Group Policy Management and right-click on the relevant GPO with the applicable GPs.
      Select "Save Report..." and then send in the saved HTML file.


      User-added image

       
    • On the Mac side, open the Mac Diagnostic Tool and go to the to the "Debug / Logs" section
      Press the [ Save Basic System Info... ] button and send in the Basic_Log_Pack.zip that gets saved to the Desktop.

       
    • If the Mac Diagnostic Tool cannot be used, then login to the system as Local Admin, open the Terminal and run the command:

        sudo adinfo -t

      Send in the file at:

        /var/centrify/tmp/adinfo_support.tar.gz (or /tmp/adinfo_support.tar.gz )
Note:


For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Centrify Customer Portal at support.centrify.com.​

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.