How do you troubleshoot the Centrify Mac OS X group policies?
Solution:
The following are the types of Group Policy (AD domain group policy setting interface):
A. Computer Configuration
B. User Configuration
Below is the information on each type of group policy and the troubleshooting steps:
Computer Configuration
Computer Configurations are group policies that apply to the Mac machine (this means all users will experience the same settings). The effect of most of the computer group policies should show after the Centrify DirectControl command "adgpupdate" is called.
Troubleshooting steps for Computer Configuration group policies that do not apply:
- Confirm that the computer object is in the GPO OU or container in the Group Policy Management Editor.
- Check that the hostname matches the localhost name of the Mac system.
- On the Mac system where the GP should apply, open the MacDiagnostic Tool at /Library/Application Support/Centrify/MacDiagnosticTool.app and go to the Group Policy tab > Machine Policy. In the pane on the left-hand side, locate the name of the OU or container of the GPO.
User Configuration
User Configurations are group policies that apply to the AD user. The corresponding group policy settings should apply to the specific user account at user login. For most user group policies to take effect, you need to run the Centrify DirectControl command "adgpupdate" and then log the AD user account in again.
Troubleshooting steps for User Configuration group policies that do not apply:
- Confirm that the user object is in the GPO OU or container in the Group Policy Management Editor.
- In the Group Policy Management Editor, check the "Security Filtering" section of the OU or container to confirm that the user is specified in the security group. By default this section contains the "Authenticated Users" security group.
- On the Mac system where the GP should apply, open the MacDiagnostic Tool at /Library/Application Support/Centrify/MacDiagnosticTool.app and go to the Group Policy tab > User Policy. In the pane on the left-hand side, locate the name of the OU or container of the GPO.
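A before-and-after check for either troubleshooting list above, as an added shell example that is not part of the original article or of Centrify's tooling: it captures the adgpresult report, forces a refresh with adgpupdate, captures the report again and diffs the two. The helper name gp_refresh_diff and the output file names are hypothetical, and the script assumes both commands exit non-zero on failure and that adgpresult prints its report to standard output.

```shell
#!/bin/sh
# Added example, not Centrify code. Assumptions: adgpupdate and adgpresult are
# on PATH, adgpresult prints its report to stdout, both exit non-zero on failure.

# gp_refresh_diff SCOPE [USER] [OUTDIR]   (hypothetical helper name)
#   SCOPE: "machine" (adgpresult -m) or "user" (adgpresult -u USER).
#   Returns 0 if the report changed after the refresh, 1 if it did not,
#   2 on a usage error or when a command fails.
gp_refresh_diff() {
    scope=${1:-}; user=${2:-}; outarg=${3:-}
    case $scope in
        machine) set -- -m ;;
        user)    set -- -u "${user:-$(id -un)}" ;;
        *) echo "usage: gp_refresh_diff machine|user [user] [outdir]" >&2
           return 2 ;;
    esac
    # Private directory for the reports unless the caller supplied one.
    outdir=${outarg:-$(mktemp -d "${TMPDIR:-/tmp}/gpcheck.XXXXXX")} || return 2
    mkdir -p "$outdir" || return 2
    before=$outdir/$scope.before.txt
    after=$outdir/$scope.after.txt

    # 1. Policy settings in effect before the refresh.
    adgpresult "$@" > "$before" 2>&1 ||
        { echo "adgpresult failed, see $before" >&2; return 2; }
    # 2. Force the update instead of waiting for the 90 to 120 minute timer.
    adgpupdate > "$outdir/adgpupdate.log" 2>&1 ||
        { echo "adgpupdate failed, see $outdir/adgpupdate.log" >&2; return 2; }
    # 3. Policy settings in effect after the refresh.
    adgpresult "$@" > "$after" 2>&1 ||
        { echo "adgpresult failed, see $after" >&2; return 2; }

    # 4. An empty diff means the refresh delivered nothing new, so the next
    #    checks are OU placement and security filtering. Most user policies
    #    also need the AD user to log in again before they show.
    if diff "$before" "$after" > "$outdir/$scope.diff"; then
        echo "no change in $scope policy after refresh; reports in $outdir"
        return 1
    fi
    echo "$scope policy changed after refresh; see $outdir/$scope.diff"
    return 0
}

# Run only when the script is given a scope, e.g.: sh gpcheck.sh machine
if [ $# -gt 0 ]; then
    gp_refresh_diff "$@"
fi
```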
Terminal commands and definitions:
i. adgpupdate
The adgpupdate command retrieves group policies from the Active Directory domain controller and applies the policy settings to the local computer and current user immediately. Normally, group policies are updated automatically every 90 to 120 minutes. If you want a policy change to take effect immediately, however, you can force the group policy update by running the adgpupdate command. Upon updating the group policy, the adgpupdate command then resets the timer for the next automatic update to occur in the next 90 to 120 minutes.
ii. adgpresult
NAME
adgpresult - display group policy settings that are in effect.
DESCRIPTION
The adgpresult command enables you to report the group policy settings that are in effect for the local computer, the current user, or a specified user. If you have configured and applied a Group Policy Object to a site, domain, or organizational unit that includes a Centrify-managed computer, you can use the adgpresult command to see the computer and user configuration policies that have been applied. The command displays a Resultant Set of Policies similar to the Microsoft Windows gpresult program.
OPTIONS
You can use the following options with this command:
-a, --all
The --all option displays both the computer and user group policy settings that are in effect for the local computer and the current user account.
-m, --machine
The --machine option displays only the computer group policy settings that are currently in effect on the local computer.
-u, --user user_name
The --user option displays only the user group policy settings that are in effect for the currently logged on user or for the user specified by the user_name argument.
EXAMPLES
To display both computer and user group policy settings for the local computer and current user, type the following command:
adgpresult
To report only the computer configuration policies and save the results to a file, you could type a command similar to this: