3.7 Managing User Logins with GPOs

Using group policies, you can control which users and groups are allowed or denied to log in on Linux Agent computers in your Active Directory domain. This is accomplished by creating or modifying one or more GPOs and setting the login privileges for specified users or groups.

NOTE: For cloud AD logins, users or groups must be part of the MFPolicy-Users group.

For information about accessing or creating GPOs in Active Directory, see Accessing or Creating Group Policy Objects.

To configure and apply GPO login settings on Linux agents:

  1. Right-click the applicable GPO or GPO link in an OU, and select Edit to open the GPO editor.

    If needed, you can create a new GPO that is linked to the OU and then open the editor from the new object.

  2. Expand Linux Settings in the GPO editor, and click the AD Login node.

  3. Click the plus icon + and select AD login provider mode. Then select a mode in the pull-down menu.

    For example, select Simple allow/deny list.

  4. Click the plus icon + again, and select the desired rule.

    For example, select Prevent these AD users from logging in.

    IMPORTANT: When you configure a GPO to prevent users or groups from logging in, the rule is in effect an exclusionary list for Active Directory objects. However, when you configure “Allow AD users or groups”, those objects are the only AD users or groups that can log in on the Linux agents that have the GPO applied. You cannot have both Allow and Deny logins in the policy at the same time.

  5. Click the browse button, and use the Select Users dialog box to (a) define whether the rule is for users or groups, (b) choose the applicable domain, and (c) locate the users and/or groups that the policy applies to.

  6. Save the changes to apply the policy to applicable Linux agents.

NOTE: For the policy to be applied to Linux Agent computers, the Linux Agent Service must be running on those devices. If the service is not running, use one of the commands below, applicable to the platform, to start the service:

  • systemctl start adb-agent.service

  • service adb-agent start

3.7.1 Managing User and Group IDs in Linux

You can manage AD objects with Active Directory Users and Computers (ADUC). An ADUC extension tab, AD Bridge, allows you to manage the User ID (UID) and Group ID (GID) for Linux users. The options available are:

  • Override ID Mapping

  • UID

  • GID

You must follow the steps below to enable this tab:

  1. Change directory to /etc/sssd, where sssd.conf is located.

  2. Edit sssd.conf and modify the value of the parameter ldap_id_mapping to False.

  3. Restart the service with either of these commands: systemctl restart sssd or service sssd restart.

NOTE: You may need to wait for about 15 minutes to see changes take effect.
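The sssd.conf edit in steps 1 to 3 as a shell sketch, added here as an example and not taken from the AD Bridge product. The function names are hypothetical; placing ldap_id_mapping in each [domain/...] section and keeping the file at mode 0600 are assumptions based on standard SSSD behaviour.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of AD Bridge).
# Assumption: ldap_id_mapping belongs in each [domain/...] section of sssd.conf.

# Set ldap_id_mapping = False in every [domain/...] section of the given file.
set_ldap_id_mapping_false() {
    conf="${1:-/etc/sssd/sssd.conf}"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1       # rollback copy
    tmp="$conf.tmp.$$"
    awk '
        # Append the setting when a domain section ended without one.
        function emit_missing() {
            if (in_dom && !seen) print "ldap_id_mapping = False"
        }
        /^[ \t]*\[/ {                            # any section header
            emit_missing()
            in_dom = ($0 ~ /^[ \t]*\[domain\//); seen = 0
            print; next
        }
        in_dom && /^[ \t]*ldap_id_mapping[ \t]*=/ {
            print "ldap_id_mapping = False"; seen = 1; next
        }
        { print }
        END { emit_missing() }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Assumption: sssd.conf must stay readable by its owner only (0600).
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Exit status 0 only if every [domain/...] section has ldap_id_mapping = False.
ldap_id_mapping_disabled() {
    conf="${1:-/etc/sssd/sssd.conf}"
    awk '
        function check() { if (in_dom && !ok) bad = 1 }
        /^[ \t]*\[/ {
            check(); in_dom = ($0 ~ /^[ \t]*\[domain\//); ok = 0; next
        }
        in_dom && /^[ \t]*ldap_id_mapping[ \t]*=/ {
            ok = (tolower($0) ~ /=[ \t]*false[ \t]*$/)
        }
        END { check(); exit bad + 0 }
    ' "$conf"
}

# Usage (as root), followed by the restart from step 3:
#   set_ldap_id_mapping_false && ldap_id_mapping_disabled && systemctl restart sssd
```

The original file is kept as sssd.conf.bak beside the edited one, so a failed restart can be rolled back by copying it over sssd.conf.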