Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9616: Troubleshooting Mac OS X Group Policies

Centrify Identity Service, Mac Edition ,  

28 December,17 at 10:34 PM

Question:

How do you troubleshoot the Centrify Mac OS X group policies?





Solution:

The following are the types of Group Policy (AD domain group policy setting interface):


A. Computer Configuration
B. User Configuration


Below is the information on each type of group policy and the troubleshooting steps: 


Computer Configuration


Computer Configurations are group policies that apply to the Mac machine (this means all users will experience the same settings). The effect of most of the computer group policies should show after the Centrify DirectControl command "adgpupdate" is called. 



Troubleshooting steps for Computer Configuration group policies that do not apply:

-  Confirm that the computer object in the GPO OU or container at the Group Policy Manager Editor. 
-  Check the hostname matches the localhost name of the Mac system
-  Open Mac system where the GP should apply, open the MacDiagnostic Tool at /Library/Application Support/Centrify/MacDiagnosticTool.app and go to the Group Policy tab > Machine Policy.  In the pane on the left hand-side, locate the name of the OU or Container of the GPO.





User Configuration

User Configurations are group policies that apply to the AD user. The corresponding group policy settings should apply to the specific user account at user login. The effect of most of the user group policies will need to run the Centrify DirectControl command "adgpupdate" and re-login the AD user account in order to show.



Troubleshooting steps for User Configuration group policies that do not apply:

-  Confirm that the user object in the GPO OU or container at the Group Policy Manager Editor. 

-  At the Group Policy Management Editor, check the "Security Filtering" section of the OU or container to confirm if the user is specified in the security group. By default this section contains the "Authenticated Users” security group.

-  Open Mac system where the GP should apply, open the MacDiagnostic Tool at /Library/Application Support/Centrify/MacDiagnosticTool.app and go to the Group Policy tab > User Policy.  In the pane on the left hand-side, locate the name of the OU or Container of the GPO.



Terminal commands and definitions:

i. adgpupdate

       The adgpupdate command retrieves group policies from the Active  Direc-
       tory  domain  controller  and  applies the policy settings to the local
       computer and current user immediately.  Normally,  group  policies  are
       updated  automatically  every  90  to 120 minutes. If you want a policy
       change to take effect immediately, however, you  can  force  the  group
       policy  update  by  running  the adgpupdate command.  Upon updating the
       group policy, the adgpupdate command then resets the timer for the next
       automatic update to occur in the next 90 to 120 minutes.

ii. adgpresult

NAME
       adgpresult - display group policy settings that are in effect.

SYNOPSIS
       adgpresult [--all] [--machine] [--user user_name ]

DESCRIPTION
       The  adgpresult  command  enables you to report the group policy settings that
       are in effect for the local computer, the current user, or a  specified  user.
       If you have configured and applied a Group Policy Object to a site, domain, or
       organizational unit that includes a Centrify-managed computer, you can use the
       adgpresult  command  to  see the computer and user configuration policies that
       have been applied. The command displays a Resultant Set of Policies similar to
       the Microsoft Windows gpresult program.

OPTIONS
       You can use the following options with this command:

       -a, --all
            The  --all  option  displays both the computer and user group policy set-
            tings that are in effect for the local  computer  and  the  current  user
            account.

       -m, --machine
            The  --machine  option  displays  only the computer group policy settings
            that are currently in effect on the local computer.

       -u, --user
            user_name The --user option displays only the user group policy  settings
            that are in effect for the currently logged on user or for the user spec-
            ified by the user_name argument.
EXAMPLES
       To display both computer and user group policy settings for the local computer
       and current user, type the following command:

       adgpresult

       To  report  only the computer configuration policies and save the results to a
       file, you could type a command similar this:

       adgpresult --machine > /tmp/unix-rsop-rhel6

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-2321: Using Security Filtering with Centrify Group Policies articleKB-3925: How to add Centrify parameter to a group policy articleKB-3001: Troubleshooting Group Policy issues on Mac systems. articleKB-5765: How to block OS X updates via Group Policy articleKB-2798: How to setup a workstation-authentication certificate for auto-enrollment for Mac OS X. articleKB-2148: How to set up FileVault 2 on Mac OS X articleKB-6642: Getting started with 802.1X for Mac - Configuration Overview articleKB-4275: How to setup a user-authentication certificate for auto-enrollment for Mac OS X. articleKB-3519: 802.1x GPs not creating the expected Profiles on Mac OS X