Applies to: Centrify Identity Service
What troubleshooting steps can be performed if group policies don't seem to be functioning correctly on Mac systems?
Note: It is very important to understand that due to the wide variety of different settings and configurations that group policies can touch - every policy will function in a different manner.
For example setting a policy to Enabled or Disabled on one GP will just toggle a True / False parameter, while the same Enabled / Disabled switch on another GP may actually be setting or removing the parameter entirely.
=== General GP Troubleshooting ===
The first step is to ensure that the GP is being correctly pushed out to the Mac.
Centrify follows the standard Active Directory Group Policy distribution rules as managed by the Group Policy Management console in Windows.
This means it uses all the same GPO > OU inheritance and filtering rules that Windows machines follows as well.
== A: Verifying that the GPO is being downloaded to the Mac
- Go to the following KB and download the Mac Diagnostic Tool to the target machine:
- Open the Tool and go to the "Group Policy" section, press the [ GP Update ] button and then either [ User Policy ] or [ Machine Policy ] to see the actual policies being received:
- The output of this screen can be interpreted as follows:
- The blue text at the beginning of each line is the name of the GPO that was successfully downloaded.
- The orange text are the internal names of the policy that was pushed
- The black text at the end will give an indication of the setting that was configured for that policy.
- If the target GPO appears in this list, then it means the policy has been successfully downloaded to the Mac.
- Note: The Mac Diagnostic Tool provides an easy-to-read method of viewing and confirming which GPs the Mac is actually receiving.
- If GUI access is not available or desired, then the data can also be read in plain text from the following locations:
/var/centrifydc/reg/users/ [username] /gp.report
== B: Security Filtering
- If Security Filtering is being used to filter GPOs based on AD groups, then the computer object will also need to be added into the scope of the filter. This is because the GP processor on the adclient uses machine credentials to retrieve the group policies.
- For more informaition, see:
== C: Loopback Processing
- If a GPO is active on an OU that only contains Computer objects, then only the Computer GPs from that GPO will apply.
- Any User GPs from that same GPO will be ignored, as no user objects are in that OU.
- If it is required for User policies to apply to any AD user logging into a specific machine (no matter which OU the user account is from), then loopback processing will need to be enabled:
Computer Configuration / Administrative Templates / System / Group Policy / "User Group Policy loopback processing mode"
- For more informaition, see:
== D: Group Policy Idiosyncrasies
- If the policy is confirmed to be reaching the Mac, but the setting is still not applying, then check that the GP is not dependent on another setting.
- For example, the GP at:
User Configuration / Centrify Settings / Mac OS X Settings / Mobility Settings / Mac OS X 10.8 Settings / "Configure mobile account creation"
Will not register unless the following GP is also Enabled:
User Configuration / Centrify Settings / Mac OS X Settings / Mobility Settings / "Use version specific settings"
- If the GP takes a string value then make sure the syntax is correct.
- Please see the following KBs for examples of where the formatting of text entries is important:
- Each GP has a description of its function and usage requirements in the "Explain" tab of the GP properties, check here to make sure that the policy is being used correctly:
== X: Contacting Support
- If the group policies are still not working after checking through the above steps, please send an email into firstname.lastname@example.org with the following information:
- A description of the GP being pushed and the expected behaviour vs actual behaviour
- On the AD side, open Group Policy Management and right-click on the relevant GPO with the applicable GPs.
Select "Save Report..." and then send in the saved HTML file.
- On the Mac side, open the Mac Diagnostic Tool and go to the to the "Debug / Logs" section
Press the [ Save Basic System Info... ] button and send in the Basic_Log_Pack.zip that gets saved to the Desktop.
- If the Mac Diagnostic Tool cannot be used, then login to the system as Local Admin, open the Terminal and run the command:
sudo adinfo -t
Send in the file at:
/var/centrify/tmp/adinfo_support.tar.gz (or /tmp/adinfo_support.tar.gz )
- It may be necessary to enable enhanced logging for certain group policy issues, see the following KB for more info:
For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help
or visit the Centrify Customer Portal at support.centrify.com