🪴 Quartz 4.0

Search

SearchSearch

AD - Linux -> Group policies for logon rights

Sep 02, 20242 min read

https://michaelwaterman.nl/2022/10/07/advanced-ubuntu-configuration-with-active-directory/

The basics

On a Windows machine, open up “Group Policy Management“, create a new policy with the scope of management applied to the Ubuntu machine. Open the policy for editing and go to:

Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – User Right Assignment

  • Allow logon locally: “Administrators”, “Water\Domain Admins”
  • Deny logon locally: “Water\Domain Users”

Reboot your machine or restart the sssd daemon. Try to logon with a regular user account, this will fail, however a subsequential logon with a domain admin account will be granted.

Controlling Group Policy processing

The processing of group policies can be configured in the /etc/sssd/sssd.conf file. Sometimes it could be beneficial to not have policies being processed for troubleshooting purposes, but it could be in violation with your companies policy. This is also another reminder why you should avoid handing out sudo privileges to users as they could potentially block the required configuration, but that’s another story.

Enter the following commands to open the file, enter the correct settings and block gpo processing:

sudo nano /etc/sssd/sssd.conf

Enter the following under [domain\domainname] section:

ad_gpo_access_control = disabled

Restart the sssd daemon or reboot and policies will no longer process.

Potential other values for the key “ad_gpo_access_control” are:

ValueDescription
disabledProcessing of Group Policies is disabled
enforcingProcessing of Group Policies is enabled and forcefully applied to the system
permissiveProcessing of Group Policies is being audited. Deny messages will be logged.

According to my findings, but I didn’t test them all, the following Group Policy Security settings will by default be processed:

  • Allow log on locally
  • Deny log on locally
  • Allow log on through Remote Desktop Services
  • Deny log on through Remote Desktop Services
  • Access this computer from the network
  • Deny access to this computer from the network
  • Allow log on as a batch job
  • Deny log on as a batch job
  • Allow log on as a service
  • Deny log on as a service

Graph View

Backlinks

  • No backlinks found