Group Policy Administration Guide

Likewise Enterprise empowers you to define group policies for computers running Linux, Unix, and Mac OS X. Likewise Enterprise includes more than 100 policies that are custom made for non-Windows computers. All the policies are integrated with the Microsoft Group Policy Object Editor.

For example, you can use a group policy to control who can use sudo for access to root-level privileges by specifying a common sudoers file for target computers. You could, for instance, create an Active Directory group called SudoUsers, add Active Directory users to the group, and then apply the sudo group policy to the container, giving those users sudo access on their Linux and Unix computers. In the sudoers file, you can specify Windows-style user names and identities. Using a group policy for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.

Likewise stores its Unix and Linux group policies in the same locations and in the same format as the default Windows group policies -- in the system volume (sysvol) shared directory. Unix and Linux computers that are joined to an Active Directory domain receive their group policies in the same way that a Windows system does:

To create or change a group policy, you must be logged on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group. With the Microsoft Group Policy Management Console, you can grant users permission to create Group Policy Objects (GPOs).

Likewise gives you the option of creating and editing group policies with either the Group Policy Object Editor (GPOE) or the Group Policy Management Console (GPMC). When you use the Group Policy Management Console, you can view group policy settings.

In the Group Policy Object Editor, the Likewise group policies are in the UNIX and Linux Settings folder in the console tree under Computer Configuration; the Likewise user settings are under User Configuration:

User Settings

Likewise includes several hundred group policies for Linux user settings -- policies that are based on the Gnome GConf project to define desktop and application preferences such as the default web browser. You can apply the group policies for user settings only to Linux computers that are running the Gnome desktop.

For information about the group policies for user settings, see About Gnome User Settings.

Gnome Configuration Settings for Computers

You can set Gnome configurations for computers. There are several hundred group policies for Linux computer settings -- policies that are based on the Gnome GConf project to define desktop and application preferences such as the default web browser. You can apply the group policies for computer settings only to Linux computers that are running the Gnome desktop. If there is a conflict with Gnome user settings, Gnome computer settings take precedence.

The Gnome configuration policies for computers are set the same way as Gnome policies for users. To set a Gnome configuration policy for a computer, follow the instructions in Add Gnome Schemas and Example: Set the Default Web Browser for a Gnome Desktop, but apply the policy to the computer instead of the user by defining the policy under the Computer Configuration node in the Group Policy Object Editor:

The Group Policy Agent

The Likewise Group Policy Agent is automatically installed when you install the Likewise Agent on a Linux, Unix, or Mac OS X computer.

To apply group policies and enforce them on a computer, the Group Policy Agent runs continuously as a daemon. It processes both user policy and computer policy types. For computer policies, the agent traverses the computer's distinguished name (DN) path in Active Directory. For a user's policy processing, which occurs when a user logs on, the agent traverses the user's DN path in Active Directory. The Group Policy Agent uses the computer’s machine account credentials to securely retrieve policy template files over the network from the domain’s protected system volume shared directory. The Likewise Group Policy Agent, however, does not apply Windows policies.

The Group Policy Agent connects to Active Directory, retrieves changes, and applies them once every 30 minutes, when a computer boots or restarts, or when requested by the GPO refresh tool.

The GPO Refresh Tool

To force a Unix, Linux, or Mac OS X computer to pull the latest version of its group policies, you can run the GPO refresh tool at any time by executing the following command at the shell prompt:

/opt/likewise/bin/gporefresh

The command should return a result that looks like this:

20070731100621:0xb7f046c0:INFO:GPO Refresh succeeded

On target computers, Likewise stores its group policies in /var/lib/likewise/grouppolicy.

Inheritance

The Likewise group policies are of two general types: file based or property based. Most policies are property based. Property-based policies are inherited, meaning that the location of a GPO within the Active Directory hierarchy can affect its application. Property-based policies do not replace local policies -- they merge with them.

File-based policies -- such as sudo and automount -- typically replace the local file. File-based policies are not inherited and do not merge with the local file.

Filtering by Target Platform

You can set group policies to target all versions of the following platforms. Some group policies, however, apply only to specific platforms. For instance, some group polices apply only to Linux. For more information, see the Help topic for the group policy that you want to use.

Mac OS X
CentOS Linux
Debian Linux
Fedora Linux
Hewlett-Packard HP-UX
IBM AIX
OpenSUSE Linux
Red Hat Linux
Red Hat Enterprise Linux ( ES and AS)
Sun Solaris
SUSE Linux
SUSE Linux Enterprise Desktop
SUSE Linux Enterprise Server
Ubuntu Linux

To target a group policy at a platform, see Set Target Platforms.

1.2. Create or Edit a Group Policy

You can create or edit a group policy for computers running Linux, Unix, and Mac OS X by using either the Group Policy Object Editor (GPOE) or the Group Policy Management Console (GPMC).

Important: To create or edit a group policy, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

On your administrator workstation, start Active Directory Users and Computers.
In the tree, right-click the organizational unit that you want, and then click Properties.
Note: Make sure the organizational unit is associated with a Likewise cell. For more information, see Create a Cell.

Click the Group Policy tab. How you proceed depends on whether you have the Microsoft Group Policy Management Console (GPMC) installed:

If you do not have GPMC installed, do this:	If you have GPMC installed, do this:
1. Click New.	1. Click Open.
2. Type a name for your group policy object -- for example, message of the day.	2. In the Group Policy Management Console, right-click the organizational unit that you want, and then click Create and Link a GPO Here.
3. Click the group policy object that you created and then click Edit.	3. In the Name box, type a name for your group policy object.
	4. Right-click the group policy object that you created, and then click Edit.

In the Group Policy Object Editor, in the console tree under Computer Configuration or User Configuration, find the group policy category that you want, and then in the details pane, double-click the policy that you want to set.
In the console tree, the Likewise group policies are under Unix and Linux Settings. For instructions on how to configure a Likewise group policy, see the Help topic for the policy that you want to use.

Tip: You can download the Microsoft Group Policy Management Console at http://www.microsoft.com/downloads/.

1.3. Apply a Group Policy to a Cell

To apply a group policy to a cell, you must first associate the cell with an organizational unit. For more information, see Create a Cell.

In Active Directory Users and Computers, right-click the organizational unit that you want to apply a group policy to, and then click Properties.
Click the Group Policy tab, and then click New.
Enter a name for the group policy object.
In the list, click the GPO, and then click Edit.
In the Group Policy Object Editor, in the console tree under Computer Configuration, find the group policy category that you want, and then in the details pane, double-click the policy that you want to set.
In the console tree, the Likewise group policies are under UNIX and Linux Settings. For instructions on how to configure a Likewise group policy, see the Help topic for the policy that you want to use.

1.4. Set Target Platforms

By using Likewise, you can set the target platforms for a group policy. The policy's settings are applied only to the platforms that you choose.

You can set the target platforms by operating system, distribution, and version. For example, you can target a group policy only at computers running SUSE Linux Enterprise Server. Or, you can target the policy at a mixture of operating systems and distributions, such as Red Hat Linux, Sun Solaris, Ubuntu Desktop, and HP- UX. In addition, you can target some policies at computers running Mac OS X.

Note: Some group policies do not apply to all platforms or versions. For more information, see the Help topic for the group policy that you are configuring.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration or under User Configuration, expand Unix and Linux Settings, and then click Target Platform Filter:
In the details pane, double-click Target platforms.
To target all the platforms in the list, select All.
Or, to choose the platforms that you want to target, click Select from the List, and then in the list, select the platforms that you want.

1.5. View a Report on a Group Policy's Settings

If you have the Group Policy Management Console installed on your administrative workstation, you can view a report that shows the settings for a Likewise group policy. The Microsoft Group Policy Management Console can be downloaded for free at http://www.microsoft.com/downloads/.

In the Microsoft Group Policy Management Console, in the console tree, expand the domain that you want, expand Group Policy Objects, and then click the group policy object for which you want to view a report.
In the details pane, click the Settings tab. The console generates and displays the report. Here's an example:

Tip: To view other information about the group policy, click one of the other tabs -- for example, Scope.

1.6. Create and Test a Sudo Group Policy

By using the Group Policy Management Console (GPMC) and the Group Policy Object Editor (GPOE), you can define a group policy to specify a sudo configuration file for target computers running Linux, Unix, and Mac OS X.

Sudo, or superuser do, allows a user to run a command as root or as another user. You can use this policy to control sudo access in a centralized and uniform way.

The sudo configuration file is copied to the local machine and replaces the local sudoers file. A sudo file can reference Active Directory users and groups. For more information about sudo, see the man pages for your system.

When you define the policy, you can also set its target platforms. The policy's settings are applied only to the operating systems, distributions, and versions that you choose. For example, you can target the policy only at computers running SUSE Linux Enterprise Server. Or, you can target the policy at a mixture of operating systems and distributions, such as Mac OS X, Red Hat Linux, Sun Solaris, Ubuntu Desktop, and HP-UX.

Important: The Likewise entries in your sudoers file must conform to the rules set forth in the following topic in the Likewise Enterprise Installation and Administration Guide: Configure Entries in Your Sudoers Files.

Create a Sudo Group Policy

To create a group policy, you must log on your Windows administrative workstation as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

On your Windows administrator workstation, start Active Directory Users and Computers.
In the tree, right-click the organizational unit that you want, and then click Properties.
Note: Make sure the organizational unit is associated with a Likewise cell. For more information, see Create a Cell.

Click the Group Policy tab. How you proceed depends on whether you have the Microsoft Group Policy Management Console (GPMC) installed:

If you do not have GPMC installed, do this:	If you have GPMC installed, do this:
1. Click New.	1. Click Open.
2. Type a name for your group policy object -- for example, message of the day.	2. In the Group Policy Management Console, right-click the organizational unit that you want, and then click Create and Link a GPO Here.
3. Click the group policy object that you created and then click Edit.	3. In the Name box, type a name for your group policy object.
	4. Right-click the group policy object that you created and then click Edit.

In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Security Settings, and then click SUDO command:
In the details pane, double-click Define Sudoer file, select the Define this Policy Setting check box, and then in the Current file content box, type your commands.
Or, to import a sudo configuration file, click Import, and then find the file that you want.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, and then click Target Platform Filter.
In the details pane, double-click Target platforms.
To target all the platforms in the list, select All.
Or, to choose the platforms that you want to target, click Select from the List, and then in the list, select the platforms that you want.

Test the Sudo Group Policy

After you set the sudo group policy, you can test it on a target computer. The target computer must be in a cell associated with the organizational unit that you set the sudoers policy for.

On a target Linux or Unix computer, log on as an administrator and execute the following command to force group policies to refresh:
/opt/likewise/bin/gporefresh
Check whether your sudoers file is on the computer:
cat /etc/sudoers
Note: The location of the sudoers file varies by platform. For example, on Solaris it is in /opt/sfw/etc or /opt/csw/etc. On other platforms, it is in /usr/local/etc.
Log on the Unix or Linux computer as a regular user who has sudo privileges as specified in the sudoers configuration file.
Try to access a system resource that requires root access using sudo. When prompted, use the password of the user you are logged on as, unless targetpw is set in the sudoers file.
Verify that the user was authenticated and that the user can access the system resource.

Test Sudo Security

Log on as a user who is not enabled with sudo in the sudoers file that you used to set the group policy.
Verify that the user cannot perform root functions using sudo with his or her Active Directory credentials.

Chapter 2. Setting Gnome Group Policies

Table of Contents

2.1. About Gnome User Settings

2.1.1. About Gnome Computer Settings

2.2. Add Gnome Schemas

2.3. Example: Set the Default Web Browser for a Gnome Desktop

2.4. Lock the Screen with the Screen Saver on RHEL4

2.1. About Gnome User Settings

Likewise lets you set Gnome group policies for Linux user settings -- policies based on the Gnome GConf project to define desktop and application preferences such as the default web browser.

Important: You can apply Gnome group policies for user settings only to Linux computers that are running the Gnome desktop.

To set the policies, use the Group Policy Object Editor. After you add the Gnome schemas for your Linux platform, the policies appear in the Unix and Linux User Settings folder under User Configuration:

There are several thousand Gnome-based group policies. They include user settings for applications like the browser, help viewer, and main menu. They also include settings for tailoring the keyboard for accessibility, specifying URL handlers, and configuring volume manager. For example, you can set a user policy to define whether the Gnome volume manager automatically mounts removable storage drives when they are inserted into a computer.

Note: Different Linux distributions with the same Gnome desktop version may contain different Gnome-based user settings. The Gnome-based group policies that are available for Red Hat, for example, might differ from those that are available for SUSE.

Because there are so many group policies for user settings, there is only one Help topics for them:

Example: Set the Default Web Browser for a Gnome Desktop

This topic shows you how to define a Gnome-based group policy. The procedure for defining the other policies is the same as or similar to that of the example topic -- it's just a matter of finding the policy that you want in the Group Policy Object Editor's console tree.

Storing Gnome GConf Preferences

GConf is a system for storing user preferences for applications that makes managing preferences easier for system administrators. On target computers with desktops running Gnome, the preferences that you set in the group policies are stored in a series of storage locations called configuration sources. The addresses of the sources are specified in a file called /etc/gconf/<version>/path -- for example, /etc/gconf/2/path. (The location of the sources can vary by platform.) Each configuration source has an XML backend that stores data in XML files.

Likewise uses GConf version 2. For more information, see the Gnome GConf project at http:// www.gnome.org/projects/gconf/.

GConf Per-User Daemon

The GConf implementation runs a daemon for each user: gconfd. The daemon notifies applications when a configuration value has changed. It also caches values so that each application doesn't have to parse XML files. The daemon typically quits a few minutes after the last application using it has stopped running.

You can force the GConf daemon to reload its cache by executing the following command at the shell prompt on a target Linux computer:

killall -HUP gconfd-2

GConf Tool

GConf includes a command-line tool, gconftool-2. You can use it to display some of the Gnome desktop settings. (Because Likewise provides group policies to manage Gnome desktop settings, you typically do not need to use the GConf command-line tool.)

gconftool-2 -R /desktop/gnome

Here's an example from Red Hat Enterprise Linux:

GConf Editor

You can use the GConf Editor to verify that a Gnome group policy is in effect on a target computer. Before using the editor to verify a change, run the following Likewise command as root to force your Gnome group policies to refresh:

/opt/likewise/bin/gporefresh

To invoke the GConf Editor, run the following command as root:

gconf-editor

In the GConf Editor, find the Gnome configuration setting that corresponds with the Gnome group policy that you set and then verify that the values for the setting are the same as those specified in the group policy.

Schema Files

A schema is a set of metainformation that describes a configuration setting. The metainformation includes the type of value, documentation on the setting, and the factory default for the value. On target computers running the Gnome desktop, the schema files are typically stored in /etc/gconf/schemas, but the location can vary by platform. When you define or change a user-setting group policy, the Likewise software on the target computer pulls the change and modifies the schema accordingly.

To use a schema, however, you must first load it. Likewise includes schema files for a number of common platforms, including Ubuntu, Fedora, Open SuSE, and Red Hat. The schema files are in the following directory on the Windows administrative workstation on which you installed the Likewise Management Console: \Program Files\Likewise\Enterprise\Resources\Group Policy\Gnome Schemas

If the schemas for your target platform are not included with Likewise, you must copy them from your Linux platform to a location that you can access from a Windows administrative desktop that runs the Likewise Console. For instructions on how to load Gnome schemas, see Add Gnome Schemas.

2.1.1. About Gnome Computer Settings

The Gnome configuration policies for computers are set the same way as Gnome policies for users. To set a Gnome configuration policy for a computer, follow the instructions in the Add Gnome Schemas section and in the example on how to set the default web browser for a Gnome desktop, but apply the policy to the computer instead of the user by defining the policy under the Computer Configuration node in the Group Policy Object Editor:

2.2. Add Gnome Schemas

Before you can apply group policies for Gnome-based user settings, you must add the schemas to the Gnome Configuration Settings folder in the Group Policy Object Editor (GPOE). You can obtain the schemas in two ways:

Use the schema files that Likewise includes for a number of common platforms: Fedora, Red Hat, Debian, CentOS, Ubuntu, and several versions of SUSE. The schema files are in the following directory on the Windows administrative workstation on which you installed the Likewise Management Console: \Program Files\Likewise\Enterprise\Resources\Group Policy\Gnome Schemas
Copy the Gnome schemas from a Linux computer to a directory that you can access from a Windows administrative workstation that is running the Likewise Management Console. On a Linux computer, the schema files are typically stored in /etc/gconf/schemas.

Likewise uses GConf version 2. For more information, see the Gnome GConf project at http:// www.gnome.org/projects/gconf/.

Important: To use the Gnome-based user settings, the target Linux computer must be running the Gnome desktop.

Add Gnome Schemas

On your Windows administrative workstation, in the Group Policy Object Editor, expand User Configuration, and then expand Unix and Linux User Settings.
Right-click Gnome Configuration Settings, and then click Add/Remove Gnome schemas:
Click Add, double-click the directory containing the schemas that you want to load, select the schemas you want, click Open, and then click OK:

Or, if the schema files for your target platform are not included with Likewise, use SCP or FTP to copy the Gnome schemas from /etc/gconf/schemas on the target Linux system to a directory, drive, or server that you can access from a Windows administrative workstation that is running the Likewise Console and that you use to apply group policies.
Note: The schema directory varies by platform; the path might be different on your system.
In the GPOE console tree, right-click Gnome Configuration Settings, and then click Refresh.
The policies appear under Gnome Configuration Settings:
Tip: Different Linux distributions with the same Gnome desktop version may contain different Gnome schema-based user settings. The Gnome group policies that are available for OpenSUSE, for example, differ from those that are available for SLED.
Because the user settings can be different for each platform, you must manage your Gnome group policies so that you can distinguish the platform to which the policy is applied. For example, you might want to set different group policy objects for each platform and include the name of the platform in the name of the GPO, like this: RHEL_url-handler_mailto.

2.3. Example: Set the Default Web Browser for a Gnome Desktop

You can use a group policy to set the default Web browser on target Gnome desktop-compatible Linux computers. The user policy is based on a Gnome GConf schema.

The procedure for setting other GConf schema-based group policies are similar to the following steps. In the console tree of the Group Policy Object Editor, all the GConf group policies are in the Unix and Linux Settings folder under User Configuration or Computer Configuration.

Important: You can apply group policies for user settings only to Linux computers that are running the Gnome desktop.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under User Configuration, expand Unix and Linux Settings, expand Gnome Configuration Settings, expand Desktop, expand Gnome, expand Applications, and then click Browser.
In the details pane, double-click exec, and then select the Define this policy setting check box.
In the String Value box, enter the name of the application for the browser that you want to set -- for example, firefox.

2.4. Lock the Screen with the Screen Saver on RHEL4

By using Likewise, you can define a group policy on target Unix and Linux computers that locks the screen when the screen saver comes on.

You can use this policy on Red Hat Enterprise Linux 4 computers running Gnome desktop 2.12 or later. The policy, which is inherited, adds the setting to the Gnome configuration registry. The user, however, might be able to override the lockdown or modify the lockdown interval by changing the screensaver preferences.

Lock the Screen with the Screen Saver on Red Hat Enterprise Linux

The following procedure uses Red Hat Enterprise Linux 4 as an example; the procedure is similar for other platforms that include the Gnome desktop -- it's just a matter of choosing the schemas for your platform.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the tree under Computer Configuration, expand Unix and Linux Settings.
Right-click Gnome Configuration Settings, and then and then click Add/Remove Gnome schemas:
Click Add, double-click the RedHatAS4_ES4 directory, double-click the RedHatES4-32bit directory, select apps_gnome_settings_daemon_screensaver.schemas, click Open, and then click OK.
In the console tree, expand Gnome Configuration Settings, expand apps, expand gnome_settings_daemon, and then click screensaver:
In the details pane, double-click start_screensaver and then select the Define this Policy Setting check box.
Under Setting, select True, and then click OK.

Chapter 3. Setting MCX Policies with Workgroup Manager

Table of Contents

3.1. Set MCX Policies with Workgroup Manager

Likewise Enterprise lets you set Managed Client Settings for Mac computers with Workgroup Manager, a free server administration tool from Apple for remotely managing user, group, and computer settings on Mac OS X machines. Likewise Enterprise integrates Workgroup Manager in Active Directory by saving Managed Client Settings (MCX) as standard Microsoft Active Directory group policy objects, or GPOs.

By integrating Managed Client Settings in Active Directory as configuration data in GPOs, Likewise preserves the familiar GPO model that makes it easy to review, back up, and copy policies. In short, Likewise lets you apply Managed Client Settings to Macs in the same way that you use GPOs to apply settings to Linux, Unix, and Windows computers.

In a typical deployment in which Mac computers have been integrated with Active Directory by using Apple's AD Directory Service plug-in, Workgroup Manager can be used to store settings for users, computers, and security groups in Active Directory, but only if the Active Directory schema is extended. With Apple's AD Directory Service plug-in, the AD schema must be extended to include both the RFC 2307 attributes and Apple's schema extensions for managed client settings (MCX).

The Likewise Enterprise solution integrates Mac computers with Active Directory and lets you use Workgroup Manager to apply MCX settings without having to modify your Active Directory schema, even if you are using a schema that does not comply with RFC 2307.

The Likewise Enterprise 5 group policy features for Mac OS X computers are the most comprehensive available. Likewise includes Unix settings for managing syslogs, crontabs, sudoers files, and many other configuration files on a Mac. Likewise also includes additional Mac-specific policies for setting Mac system preferences and configuring security options such as the built-in firewall.

Likewise Enterprise 5 supports Managed Client Settings for Mac computers running OS X 10.4 or later, including Leopard. The Mac OS X workstation on which you create and maintain group policies with Workgroup Manager must be an Intel-based Mac. Although you can apply the policies to PowerPC-based Macs, you cannot create or maintain the policies on a PowerPC-based Mac.

To use Workgroup Manager to apply GPOs to Macs, open the Group Policy Object Editor, define the Workgroup Manager group policy, and then use Workgroup Manager to configure the Managed Client Settings that you want.

You can download Workgroup Manager for free from www.Apple.com:

Version for Mac OS X 10.5 (Leopard):
http:// www.apple.com/downloads/ macosx/apple/ application_updates/serveradmintools1053.html
Version for Mac OS X 10.4 (Tiger):
http:// www.apple.com/support/downloads/serveradmintools10411.html

When you set MCX policies with Workgroup Manager, the GPMC summary shows a formatted version of the MCX settings. In the GPOE, the MCX data appears in plist format.

On a target computer, the MCX preferences are stored in /var/lib/likewise/grouppolicy; they remain in effect even when the computer is disconnected from Active Directory.

3.1. Set MCX Policies with Workgroup Manager

Supported Mac Versions

Mac computers running OS X 10.4 or later.

Requirements

Likewise Enterprise 5.0 or later installed on a Windows administrative workstation that can connect to your Active Directory domain controller.
An Active Directory account with rights sufficient to create and modify group policy objects -- for example, membership in the Group Policy Creator Owners security group. You must also be a member of the Domain Administrators or Enterprise Administrators security group, or have been delegated equivalent rights.
One Intel-based Mac OS X 10.4. (Tiger) or 10.5 or later (Leopard) administrative workstation that can connect to your Active Directory domain controller. The Mac OS X workstation on which you create and maintain group policies with Workgroup Manager must be an Intel-based Mac. Although you can apply the policies to PowerPC-based Macs, you cannot create or maintain the policies on a PowerPC-based Mac.

Mac Prerequisites

Install the Likewise Enterprise agent on your Mac OS X administrative workstation and join it to your Active Directory domain. See Install the Agent on a Mac Computer and Join Active Directory with the Command Line.
Make sure that your Mac OS X administrative workstation's AD computer account -- which is used to read the GPOs -- has Read permissions for delegation, as shown in the Delegation tab in the GPMC. Your workstation's computer account must either be included in a group with Read permissions, such as the Authenticated Users group, or you must add your computer account to the Delegation list.
Install the Likewise Enterprise agent on each Mac OS X computer that you want to manage with policies for Managed Client Settings (MCX) and then join the Macs to Active Directory.
Note: Likewise Open does not support MCX-based group policies.
In Active Directory, make sure you are provisioned with Unix access to the Mac with Workgroup Manager by adding an account to the default cell or to the cell in which the Mac resides; for more information see Provision a User with Linux or Unix Access.
Download Workgroup Manager for free from www.Apple.com and install it on an Intel-based Mac administrative workstation:

Version for Mac OS X 10.5 (Leopard):
http://www.apple.com/downloads/ macosx/apple/ application_updates/serveradmintools1053.html
Version for Mac OS X 10.4 (Tiger):
http://www.apple.com/support/downloads/serveradmintools10411.html

Windows Prerequisites

The following procedure also assumes that you have installed Likewise Enterprise 5.0 or later on a Windows administrative workstation that can connect to your Active Directory domain controller. The following standard Likewise Enterprise 5.0 components are required:

Likewise Management Console.
Likewise extensions for the Group Policy Management Console and the Group Policy Object Editor, both of which are typically installed when you install the Likewise Management Console. Or you can use the Likewise Administrative Console.

For more information, see Install the Likewise Console.

Set an MCX Policy with Workgroup Manager

You can use Likewise and Workgroup Manager to set MCX-based policies for either a user or a computer. To apply settings to local accounts, use the Computer Configuration group policy. User settings apply only to Active Directory user accounts. User settings override computer settings for Active Directory accounts but do not apply to local accounts.

On your Windows administrative workstation, in Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
Tip: Remember the name of the group policy object. You will need it later.
In the Group Policy Object Editor, in the console tree under Computer Configuration or under User Configuration, expand Unix and Linux Settings, expand Mac Settings, and then click Workgroup Manager Settings:
In the details pane, double-click Enable Workgroup Manager to configure settings for computers, select the Define this policy setting check box, and then click OK.
On your Intel-based Mac administrative workstation, start Workgroup Manager:
In Finder, on the Go menu, click Applications, double-click Server, and then double-click Workgroup Manager:
When the Workgroup Manager Connect dialog appears, click Cancel.
On the Workgroup Manager menu, click Server, and then click View Directories.
If a dialog appears saying you are working in the local configuration database, click OK.
Click to select a directory, click Other, select Likewise -- Active Directory, select your domain, select the name of the group policy object you created earlier, and then click OK.
Important: If no directory for a user or computer appears in the list, return to Step 2 of this procedure and define a Workgroup Manager Settings group policy object for either a user or a computer.
Or, if your directory or your GPOs do not appear in the list, make sure that your workstation's AD computer account -- which is used to read the GPOs -- has Read permissions for delegation, as shown in the Delegation tab in the GPMC. Your workstation's computer account must either be included in a group with Read permissions, such as the Authenticated Users group, or you must add your computer account to the Delegation list.
To apply policies to a group of users, click Group Name . Or, to apply policies to a group of computers, click Computer Group Name .
Click the Lock and enter the credentials for an Active Directory account that can log on the Mac you are using and has sufficient privileges to create and modify group policy objects -- for example, membership in the Group Policy Creator Owners security group.
Important: You must use an Active Directory account with rights sufficient to create and modify group policy objects.
On the menu bar, click Preferences :
Click the category of preferences that you want to set, make the changes that you want, and then click Done. For information about using Workgroup Manager to set preferences, see the Apple Workgroup Manager documentation.
The policies take effect after you run the gporefresh tool or after you restart the computer.

Check the Application of Your Preferences

Because MCX processing models of Leopard and Tiger differ, it can be useful to check which policies are in fact applied to a target Mac. There are four methods by which you can identify the applied policies, listed below in their recommended order:

By using the Microsoft Group Policy Management Console. You can view the precedence of your Likewise MCX GPOs in the same way that you view your other Active Directory GPOs.
By using Workgroup Manager on a target Mac; for more information, see the Apple Help documentation for Workgroup Manager and the following Mac OS X Server User Management manual:
http:// images.apple.com/server/ macosx/docs/User_Management_v10.5.mnl.pdf
By executing an MCX query at the command line as an AD user on a target Mac running Leopard or Snow Leopard. The command is as follows: mcxquery
By running a command-line utility known as dscl on a target Mac.

Your choice depends on the systems to which you have access, the operating system in use on the target Mac, and whether Workgroup Manager is installed on it.

Troubleshoot WGM Problems

To turn on logging for the Directory Service, open Terminal, run the following command, and then restart the computer:

sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart

To turn off logging for the Directory Service, open Terminal and execute the following command:

sudo killall -USR1 DirectoryService

The /Library/Logs/DirectoryService/ directory will then contain the file DirectoryService.debug.log. The file shows the activity as the system enumerates WGM GPOs, information that can help you troubleshoot problems applying group policy objects from Workgroup Manager.

If the log shows that there are errors in accessing the GPO information, make sure that your Mac OS X administrative workstation's AD computer account -- which is used to read the GPOs -- has Read permissions for delegation, as shown in the Delegation tab in the GPMC. Your workstation's computer account must either be included in a group with Read permissions, such as the Authenticated Users group, or you must add your computer account to the Delegation list.

How Likewise Applies Workgroup Manager Settings as GPOs

The method by which multiple group policy objects (GPOs) are applied to a Mac depends on the operating system's processing model. It is different for Leopard and Tiger.

Setting Category

Leopard

Tiger

Computer

For every GPO, Likewise creates a computer group and adds the target Mac as a member of each.

When there are multiple GPOs for a target computer, the Mac aggregates the settings from all the groups to which the target computer belongs.

GPOs are applied in the order shown in the Microsoft Group Policy Management Console.

Tiger uses the concept of computer lists. A computer can be a member of only one list. Likewise represents each GPO on Tiger as a computer list.

Because Likewise can apply only one computer list to a target computer, Likewise applies the GPO closest to the computer in the Active Directory hierarchy.

If there are settings in multiple GPOs, only the settings in the closest GPO are applied.

Tip: Place the settings you want applied to the target computer in the closest GPO.

User

The GPO closest to the user object in Active Directory is applied.

Settings from other user GPOs are not aggregated.

Behaves the same as Leopard.

Within a category, settings are applied in the same order as all other Active Directory GPOs, the order of which is shown in the Microsoft Group Policy Management Console.

When settings conflict, user settings override computer settings, computer group, and user group settings. Computer settings override computer group and group settings. Computer group settings override group settings. For more information, see Apple's Workgroup Manager documentation.

Chapter 4. Troubleshooting the Group Policy Agent

Table of Contents

4.1. Force Group Policies to Refresh
4.2. Check the Status of the Group Policy Daemon
4.3. Restart the Group Policy Daemon
4.4. Generate a Group Policy Agent Debug Log
4.5. Modify Group Policies from the Command Line
4.6. Verify Gnome Group Policy Settings

4.1. Force Group Policies to Refresh

The group policy agent, a component of Likewise Enterprise, connects to Active Directory, retrieves changes to policy objects, and applies the changes once every 30 minutes, when a computer boots or restarts, or when requested by the GPO refresh tool.

You can run the GPO refresh tool at any time on a Unix, Linux, or Mac OS X computer joined to a domain with the Likewise Enterprise agent. To run the GPO refresh tool, execute the following command at the shell prompt:

/opt/likewise/bin/gporefresh

The command should return a result that looks like this:

20070731100621:0xb7f046c0:INFO:GPO Refresh succeeded

On target computers, Likewise stores its group policies in /var/lib/likewise/grouppolicy.

Likewise Open includes neither the group policy agent nor the GPO refresh tool.

4.2. Check the Status of the Group Policy Daemon

On Linux and Unix

You can check the status of the group policy daemon on a Unix or Linux computer running the Likewise Agent by executing the following command at the shell prompt as the root user:

/ sbin/service gpagentd status

/etc/init.d/gpagentd status

(On HP-UX, the command is /sbin/init.d/gpagentd status.)

If all is well, the result should look like this:

gpagentd ( pid 2387) is running...

To start the daemon, see Restart the Group Policy Daemon.

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the group policy daemon by using Activity Monitor:

In Finder, click Applications, click Utilities, and then click Activity Monitor.
In the Show drop-down list, click System Processes:
In the list under Process Name, make sure gpagent appears. If the process does not appear in the list, you might need to start it.
To monitor the status of the process, in the list under Process Name, click gpagent, and then click Inspect.

4.3. Restart the Group Policy Daemon

For a list of start-order dependencies, see About the Likewise Agent.

On Unix and Linux

You can restart the group policy daemon by executing the following command from the command line:

/etc/ init.d/ gpagentd restart

To stop the daemon, enter the following command:

/etc/ init.d/gpagentd stop

To start the daemon, enter the following command:

/etc/init.d/gpagentd start

Note: On Unix systems, the location of the daemon may vary.

On HP-UX

Restart: /sbin/init.d/gpagentd restart

Stop: /sbin/init.d/gpagentd stop

Start: /sbin/init.d/gpagentd start

On Mac OS X

On a Mac, use the following stop and start commands (you cannot use the restart command on a Mac):

sudo launchctl stop com.likewisesoftware.gpagentd

sudo launchctl start com.likewisesoftware.gpagentd

4.4. Generate a Group Policy Agent Debug Log

You can generate a group policy agent debug log on a Unix or Linux computer running the Likewise Agent.

Log on as root user.
Stop the group policy daemon by executing the following command at the shell prompt (On HP-UX, the path to the command is /sbin/init.d):
/sbin/service gpagentd stop
The command should return the following result:
Stopping gpagentd: [ OK ]
Note: The stop and start commands are different on a Ubuntu and Mac OS X computer; see Restart the Group Policy Daemon.
Start the group policy daemon in command-line debug mode and capture the output in a file:
/opt/likewise/sbin/gpagentd --loglevel 5 > foo.log
From a separate root session, execute the following command to force group policy objects to refresh:
/opt/likewise/bin/gporefresh

4.5. Modify Group Policies from the Command Line

The gp-admin command-line utility lets you modify the settings in a group policy object from a Linux, Unix, or Mac computer.

The location of the tool is as follows:

/opt/likewise/bin/lw-gp-admin

To view the tool's arguments, execute the following command on your Unix, Linux, or Mac computer:

/opt/likewise/bin/lw-gp-admin --help

For example, you can use the tool to specify a GPO, download the setting from Active Directory to a Unix folder, modify it, and then upload it back to Active Directory.

4.6. Verify Gnome Group Policy Settings

With the GConf Editor, you can verify that a Gnome group policy is in effect on a target computer. Before using the editor to verify a change, run the following Likewise command as root to force your Gnome group policies to refresh:

/opt/likewise/bin/gporefresh

To start the GConf Editor, run the following command as root:

gconf-editor

Chapter 5. Likewise Group Policies

Table of Contents

5.1. Likewise Settings

5.1.1. Acquire Kerberos Tickets on Logon
5.1.2. Allow Logon Rights
5.1.3. Allow Offline Logon Support
5.1.4. Allow Cached Logons
5.1.5. Turn Off Client LANMAN Authentication
5.1.6. Turn On Client NTLMv2 Authentication
5.1.7. Set the Computer Policy Refresh Interval
5.1.8. Copy Template Files When Creating a Home Directory
5.1.9. Create a .k5login File in a User's Home Directory
5.1.10. Create a Home Directory for a User Account at Logon
5.1.11. Set Permissions with a File Creation Mask
5.1.12. Digitally Sign Client Communications
5.1.13. Digitally Sign Server Communications
5.1.14. Allow Access to Samba Server Null-Password Accounts
5.1.15. Log PAM Debugging Information
5.1.16. Log on using Kerberos Authentication
5.1.17. Set the Maximum Tolerance for Kerberos Clock Skew
5.1.18. Monitor Sudoers File
5.1.19. Refresh Kerberos Tickets
5.1.20. Replace Spaces in Names with a Character
5.1.21. Set the Samba Hostname Resolver Cache Timeout
5.1.22. Set the Samba Server LDAP Connection Timeout
5.1.23. Send Encrypted Passwords to Third-Party SMB Servers
5.1.24. Set the Depth of Nested Group Expansion
5.1.25. Set the ID Mapping Cache Expiration Time
5.1.26. Set the ID Mapping Negative Cache Expiration Time
5.1.27. Set the Machine Account Password Expiration Time
5.1.28. Set the Cache Expiration Time
5.1.29. Show a Denied Logon Rights Message
5.1.30. Show a Password Expiration Warning
5.1.31. Set the User Policy Loopback Processing Mode
5.1.32. Set the User Policy Refresh Interval

5.2. Lsassd Settings

5.2.1. Turn Off Logging of Network Events
5.2.2. Turn Off System Time Synchronization with a GPO
5.2.3. Display a Message of the Day at Logon
5.2.4. Turn on Event Logging with a GPO
5.2.5. Prepend Domain Name for AD Users and Groups

5.3. File System Policies

5.3.1. Automount a File System
5.3.2. Create Directories, Files, and Links
5.3.3. Specify the File System Mounts (fstab)

5.4. Logging and Auditing Group Policies

5.4.1. Create a SysLog Policy
5.4.2. Secure Computers with an AppArmor Policy
5.4.3. Secure Computers with an SELinux Policy
5.4.4. Rotate Logs

5.5. Message Group Policies

5.5.1. Display a Message with a Login Prompt Policy
5.5.2. Display a Message of the Day

5.6. Security Group Policies

5.6.1. Define a Sudo Policy

5.7. Task Group Policies

5.7.1. Schedule Cron Jobs with a crontab or cron.d Policy
5.7.2. Run a Script File

5.8. Networking Group Policies

5.8.1. Set DNS Servers and Search Domains

5.9. Mac Group Policies

5.9.1. Automatically Restart a Mac After Losing Power
5.9.2. Start the Bluetooth Setup Assistant
5.9.3. Set the Disk Sleep Timer
5.9.4. Set the Display Sleep Timer
5.9.5. Block UDP Traffic on a Mac
5.9.6. Disable Automatic User Login on a Mac
5.9.7. Log Firewall Activity on a Mac
5.9.8. Secure System Preferences on a Mac
5.9.9. Use Firewall Stealth Mode on a Mac
5.9.10. Use Secure Virtual Memory on a Mac
5.9.11. Share an Internet Connection with Bluetooth Devices
5.9.12. Put the Computer to Sleep with the Power Button
5.9.13. Set the System Sleep Timer
5.9.14. Turn Bluetooth On or Off
5.9.15. Turn On AppleTalk
5.9.16. Wake Up the Computer for LAN Admin Access
5.9.17. Wake Up the Computer When the Modem Rings

5.10. Mac DS Plugin Settings

This chapter describes how to set each group policy included with Likewise Enterprise. The policies are organized into sections that match their location in the console tree of the Group Policy Object Editor.

5.1. Likewise Settings

5.1.1. Acquire Kerberos Tickets on Logon

Likewise Enterprise lets you define a group policy to set target Linux and Unix computers to obtain a Kerberos ticket when they log on the Windows NT domain using the Kerberos authentication protocol.

This policy works with Linux, Unix, or Mac OS X computers running Likewise Enterprise 4.X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon:
In the details pane, double-click Acquire Kerberos tickets on logon (krb5_ccache_type), and then select the Define this Policy Setting check box.
In the String value box, do one of the following:

To	Do this
Store the Kerberos ticket in a Kerberos 5 credentials cache. (Kerberos uses the credentials cache to store tickets in memory.)	Type `FILE`
Authenticate using Kerberos without keeping a ticket cache	Leave the String value box empty.

Tip: On the target computer, you can see a list of tickets by executing the following Likewise Kerberos command at the shell prompt: /opt/likewise/bin/klist. The command lists the location of the credentials cache, the expiration time of each ticket, and the flags that apply to the tickets.

See Also

Set Target Platform

5.1.2. Allow Logon Rights

By using Likewise, you can create a group policy to specify the Active Directory users and groups allowed to log onto target Unix and Linux computers. Users and groups who have logon rights can log on the target computers either locally or remotely. You can also use this policy to enforce logon rules for local users and groups.

To use this policy, you must grant the users and groups access to the Likewise cell that contains the target computer object. By default, all Unix and Linux computers are joined to the default cell, and all members of the Domain Users group are allowed to access the default cell.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

Note: You can also define logon rights manually for a computer. For more information, see Restrict Logon Rights by Group.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon:
In the details pane, double-click Allow logon rights (require_membership_of), and then select the Define this Policy Setting check box.
Click and then locate the users or groups that you want to grant logon rights.
Or, in the Users and/or Groups box, type a comma-separated list of the users and groups that you want. In the list, you can use short domain names with Active Directory account names and group names. You can also use local account names and local user groups as well as security identifiers ( SIDs) in string format.
For example, you could enter the following comma-separated list:
CORP\johndoe, janedoe@corp.mycorp.com, CORP\domain^users, S-1-1-0
In the example, the entry s-1-1-0 is a SID in string format.
Note: To separate the domain name from the user name or the group name in the AD account logon syntax, you must use a backslash (\). Example: likewisedemo.com\steve.
Grant the users and groups access to the Likewise cell that contains the target computer object.

Hostname Substitution

This policy substitutes the hostname of the target computer for the variable %hostname when the variable is included in the list of users and groups. You can, for example, set a string with the hostname variable like this:

CORP\Domain Administrators,CORP\%hostname_Users

When the group policy object is applied to a target computer named test-machine, the variable is substituted as follows:

CORP\Domain Administrators,CORP\TEST-MACHINE_Users

5.1.3. Allow Offline Logon Support

By using Likewise, you can create a group policy to allow target Unix and Linux computers to log on domain accounts when the network or the domain controller is unavailable. This setting caches logon credentials and account information in the Likewise authentication daemon.

Important: If you enable this group policy, you must also enable the group policy for Allow Cached Logons, which is in the Logon folder in the Group Policy Object Editor console tree.

In Active Directory Users and Computers or in the Group Policy Management Console, edit or create a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Allow offline logon support, and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.1.4. Allow Cached Logons

You can create a group policy to allow target Unix and Linux computers running Likewise Enterprise 4.X to use cached credentials when they cannot connect to the network or the domain controller for authentication.

Important: If you enable this group policy, you must also enable the group policy for Allow Offline Logon Support, which is in the Authorization and Identification folder in the Group Policy Object Editor console tree.

You can use this policy on computers running Unix, Linux, and Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon.
In the details pane, double-click Allow cached logons (cached_login), and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.1.5. Turn Off Client LANMAN Authentication

You can create a group policy to disable LANMAN authentication by an SMB client. LANMAN is an obsolete Windows authentication protocol that was replaced by NTLM. By default, LANMAN authentication is enabled, which might pose a security threat because of LANMAN's weak encryption.

This policy applies only to computers running Likewise Enterprise 4.X. The policy modifies lwiauthd_policy.conf on target Linux, Unix, and Mac OS X clients.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Turn off client LANMAN authentication (client lanman auth), and then select the Define this policy setting check box.
Select Enabled or Disabled.
Note: If you disable LANMAN authentication, only servers that support NT password hashes will accept an SMB client's connection. For example, if the client's LANMAN authentication is disabled, the client will be unable to connect to Windows 95 or Windows 98 servers.

5.1.6. Turn On Client NTLMv2 Authentication

You can create a group policy to enable client NTLMv2 authentication. NTLM is a Microsoft challenge-response authentication protocol that is used with the SMB protocol. NTLMv2 is cryptographically stronger than NTLMv1. Without setting this group policy, the default is to not use NTLMv2.

This policy applies only to computers running Likewise Enterprise 4.X. The policy modifies lwiauthd_policy.conf on target Linux, Unix, and Mac OS X clients.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Turn on client NTLMv2 authentication (client ntlmv2 auth), and then select the Define this policy setting check box.
Select either Enabled or Disabled, with the following results:

Policy Setting	Authentication Used	Authentication Disabled
Enabled	NTLMv2 or LMv2	NTLMv1, LANMAN, plain text (share-level authentication is disabled)
Disabled	NTLMv1 or LANMAN	NTLMv2, LMv2 Note: Some servers might allow only an NTLMv2 response, not an LMv2 response.

5.1.7. Set the Computer Policy Refresh Interval

By using Likewise, you can set a group policy that specifies how often a computer's group policies are updated while the computer is in use. The scope of this policy is the group policies in the Unix and Linux Settings folder under Computer Configuration in the Group Policy Object Editor console tree.

By default, when this policy is undefined, a computer's group policies are updated when the system starts and every 30 minutes while the computer is in use. The updates take place in the background without interrupting the user.

Note: Some settings might not take effect until after the computer restarts or the user logs off and logs back on.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Group Policy Agent:
In the details pane, double-click Computer policy refresh interval, and then select the Define this policy setting check box.
In the Refresh interval box, enter the time in minutes that you want to set.
You can set the refresh interval from 5 minutes to 9999 minutes, or about 7 days.

5.1.8. Copy Template Files When Creating a Home Directory

Likewise can add the contents of skel to the home directory created for a user account on target Linux and Unix computers. Using the skel directory ensures that all users begin with the same settings or environment.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon.
In the details pane, double-click Copy template files when creating home directory (skel), and then select the Define this Policy Setting check box.
In the Path to skeleton template directory box, type the path that you want -- for example, /etc/skel.

5.1.9. Create a .k5login File in a User's Home Directory

Likewise lets you define a group policy to create a .k5login file in the home directory of a user account on target Linux and Unix computers that log onto the Windows NT domain using the Kerberos authentication protocol.

The .k5login file contains the user's Kerberos principal, which uniquely identifies the user within the Kerberos authentication protocol. Kerberos can use the .k5login file to check whether a principal is allowed to log on as a user. A .k5login file is useful when your computers and your users are in different Kerberos realms or different Active Directory domains, which can occur when you use Active Directory trusts.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon.
In the details pane, double-click Create a .k5login file in user home directory (create_k5login), and then select the Define this Policy Setting check box.
Select Enabled or Disabled.
When enabled, Kerberos is allowed to create a .k5login file in the home directory of a given user account. When disabled, Kerberos is not allowed to create a .k5login file.

5.1.10. Create a Home Directory for a User Account at Logon

By using Likewise, you can automatically create a home directory for a user account on target Linux and Unix computers. When the user logs on the computer, the home directory is created if it does not exist. The location of the home directory is specified in the Likewise settings of the user account.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon.
In the details pane, double-click Create home directory for user account at logon (create_homedir), and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.1.11. Set Permissions with a File Creation Mask

Likewise can set permissions for the home directory that is created when a user logs on target Linux and Unix computers. The home directory and all the files in the directory are preset with the ownership settings of the file creation mask, or umask.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon.
In the details pane, double-click File creation mask for the contents of the home directory (umask), and then select the Define this Policy Setting check box.
Under Default File Permissions and under Default Directory Permissions, select the options that you want.
Or, in the Umask value box, type a umask value for the permission level that you want, and then click Set.
For example, if you specify an umask value of 022, the file permissions are set as follows: Read-write access for files and read-write-search for directories you own. All others have read access only to your files and read-search access to your directories.

5.1.12. Digitally Sign Client Communications

You can create a group policy to enable, disable, or require SMB signing when a client communicates with a server. This policy applies only to computers running Likewise Enterprise 4.X.

To help prevent session-hijacking attacks, the Server Message Block (SMB) protocol supports mutual authentication by placing a digital signature into each Server Message Block. The signature is then verified by both the client and the server.

To use SMB signing, you must either offer it or require it on both the SMB client and the SMB server. If SMB signing is offered on a server, clients that are also enabled for SMB signing use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, a client cannot establish a session unless it is at least enabled for SMB signing. To set a server to use SMB signing, see Digitally Sign Server Communications.

This group policy adds the value that you specify to lwiauthd_policy.conf. When this policy is undefined or disabled, client signing is set to auto -- signing is turned on but not required, and the client does what the server supports.

Digitally Sign Client Communications

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Digitally sign client communications (client signing), and then select the Define this policy setting check box.
In the drop-down list, click the option that you want. For example, to enable signing and to make it mandatory, click signing is mandatory.

5.1.13. Digitally Sign Server Communications

You can create a group policy to control whether a server offers or requires SMB signing. This policy modifies the following file on target Linux, Unix, and Mac OS X servers: /etc/samba/smb.conf.

To help prevent message attacks, the Server Message Block (SMB) protocol supports mutual authentication by placing a digital signature into each Server Message Block. The digital signature is then verified by both the client and the server.

To use SMB signing, you must either offer it or require it on both the SMB client and the SMB server. If SMB signing is offered on a server, clients that are also enabled for SMB signing use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, a client cannot establish a session unless it is at least enabled for SMB signing. To set clients to use SMB signing, see Digitally Sign Client Communications.

If this policy is disabled, the server does not require the SMB client to sign packets. The default is disabled.

Digitally Sign Server Communications

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Digitally sign server communications (server signing), and then select the Define this policy setting check box.
In the drop-down list, click the option that you want. For example, to offer signing and to make it mandatory, click signing is required.

5.1.14. Allow Access to Samba Server Null-Password Accounts

You can create a group policy to allow clients to gain access to Samba server accounts with null passwords. This policy modifies the following file on target Samba servers: /etc/samba/smb.conf.

Warning: Enabling this policy poses significant security risks.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Allow access to Samba server null-password accounts (null passwords), and then select the Define this policy setting check box.
Select Enabled or Disabled.

5.1.15. Log PAM Debugging Information

To monitor and troubleshoot the PAM module, you can define a Likewise group policy that logs debugging information for the Likewise agent on target computers running Linux, Unix, or Mac OS X.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon.
In the details pane, double-click Log PAM debugging information, and then select the Define this Policy Setting check box.
Select either Enabled or Disabled.

5.1.16. Log on using Kerberos Authentication

Likewise lets you define a group policy to grant target Linux and Unix access to a Windows NT domain using the Kerberos authentication protocol. This policy applies only to computers running Likewise Enterprise 4.X.

After defining this policy, you can either enable or disable it. When enabled, users log on the Windows NT domain using Kerberos. When disabled, NT LAN Manager (NTLM) is used instead. NTLM is a Microsoft authentication protocol used with the SMB protocol. NTLM is also used if Kerberos is unavailable from the domain controller.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon.
In the details pane, double-click Log on using Kerberos authentication (krb5_auth), and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.1.17. Set the Maximum Tolerance for Kerberos Clock Skew

You can create a group policy to set the maximum amount of time that the clock of the Kerberos Distribution Center (KDC) can deviate from the clock of target hosts. For security, a host rejects responses from any KDC whose clock is not within the maximum clock skew, as set in the host's krb5.conf file.

The default clock skew is 300 seconds, or 5 minutes. This policy changes the clock skew value in the krb5.conf file of target Linux, Unix, and Mac OS X hosts.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Set the Maximum Tolerance for Kerberos Clock Skew (clockskew), and then select the Define this policy setting check box.
In the Maximum tolerance box, enter the maximum amount of time, in minutes, to allow for the clock skew.

5.1.18. Monitor Sudoers File

This group policy specifies whether to monitor a target computer's sudoers configuration file with the event log.

Note: To use this policy, you must enable the event log; see Turn on Event Logging with a GPO.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Group Policy Agent:
In the details pane, double-click Monitor sudoers file, and then select the Define this policy setting check box.
To monitor the sudoers file, select Enabled.

5.1.19. Refresh Kerberos Tickets

By using a Likewise group policy, you can automatically refresh Kerberos tickets on target Linux and Unix computers running Likewise Enterprise 4.X. The Kerberos authentication protocol grants tickets to prove the identity of users in a secure way. By automatically refreshing tickets, you can maintain a user's domain access.

After defining this policy, you can either enable or disable it. When it is enabled, the Likewise authentication daemon automatically refreshes Kerberos tickets that are retrieved using the pam_winbind module. When disabled, tickets are not automatically refreshed. It is recommended that you set the policy to enabled.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Automatically refresh Kerberos tickets (winbind refresh tickets), and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.1.20. Replace Spaces in Names with a Character

Likewise lets you define a group policy on target Unix and Linux computers to replace spaces in Active Directory user and group names with a character that you choose.

For example, when you set the replacement character to ^, the group DOMAIN\Domain Users in Active Directory appears as DOMAIN\domain^users on target Linux and Unix computers.

Note: The Likewise authentication daemon renders all names of Active Directory users and groups lowercase.

Replace Spaces in Names with a Character

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Replacement character for names with spaces, and then select the Define this Policy Setting check box.
In the Character to replace spaces in names with box, type the character that you want -- for example, ^.

5.1.21. Set the Samba Hostname Resolver Cache Timeout

You can create a group policy to set Samba's hostname cache resolver timeout on target Linux, Unix, and Mac OS X servers. The policy specifies the number of minutes before entries in Samba's hostname resolver cache expire. If you define the policy and set the timeout to 0, caching is disabled.

The policy sets the time period you specify in /etc/samba/smb.conf.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Samba hostname resolver cache timeout (name cache timeout), and then select the Define this policy setting check box.
In the name cache timeout box, enter the minutes that you want to set for the cache timeout.
Tip: To disable caching, enter 0.

5.1.22. Set the Samba Server LDAP Connection Timeout

You can create a group policy to set the time, in seconds, that a Samba server is to wait to connect to an LDAP server before the connection fails. This policy sets the time period in lwiauthd_policy.conf on target Linux, Unix, and Mac OS X computers running Likewise Enterprise 4.X.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Server LDAP connection timeout (ldap timeout), and then select the Define this policy setting check box.
In the LDAP Timeout box, enter the seconds that you want to set for the LDAP timeout.

5.1.23. Send Encrypted Passwords to Third-Party SMB Servers

You can create a group policy to require a client to send encrypted passwords to a third-party SMB server when the server does not accept plain text passwords.

Important: Defining and then disabling this group policy requires the client to send an encrypted password to the SMB server. Defining and enabling this group policy allows the client to send a plain text password to the SMB server -- the default setting that is in effect before you define the group policy.

The setting that you specify is added to lwiauthd_policy.conf on target Unix, Linux, and Mac OS X computers.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Send encrypted password to third-party SMB servers (client plaintext auth), and then select the Define this policy setting check box.
Select Enabled or Disabled.
Tip: To require the client to send an encrypted password, select Disabled.

5.1.24. Set the Depth of Nested Group Expansion

By using Likewise, you can define a group policy to set the level of nested group expansion on target Unix and Linux computers. The level of nested group expansion specifies how deep the Likewise authentication daemon traverses the tree when it expands nested groups into a membership list.

In Active Directory Users and Computers or in the Group Policy Management Console, edit or create a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Depth of nested group expansion, and then select the Define this Policy Setting check box.
In the Depth of group expansion box, type a number to specify how many levels you want authentication daemon to process when it expands nested groups into a membership list.
For example, if you set the depth of group expansion to 0, group expansion is in effect disabled. If you set the depth of group expansion to 7 -- a typical setting -- the daemon processes nested groups as deep as 7 levels.

5.1.25. Set the ID Mapping Cache Expiration Time

Likewise lets you define a group policy to set the expiration time for the ID mapping cache on target Linux and Unix computers. After a user or group is mapped to its security identifier (SID) in Active Directory, the Likewise authentication daemon caches the entry for the time that you specify.

This policy can improve the performance of your system if, for example, you are making a lot of changes to your ID mapping.

You can use this policy on Linux, Unix, or Mac OS X computers running Likewise Enterprise 4.X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Winbind: ID mapping cache expiration time (ismap expire time), and then select the Define this Policy Setting check box.
In the Expiration time box, enter the time, in minutes, that you want.

5.1.26. Set the ID Mapping Negative Cache Expiration Time

Likewise lets you define a group policy to specify how long the Likewise authentication daemon caches the unmapped state for an unsuccessful security identifier (SID) mapping of an Active Directory user or group. This policy prevents repeated lookup requests that might degrade the performance of your system.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Winbind: ID mapping negative cache expiration time ( idmap negative time), and then select the Define this Policy Setting check box.
In the Negative cache time box, enter the time, in minutes, that you want.

5.1.27. Set the Machine Account Password Expiration Time

By using Likewise, you can define a group policy to set the machine account password's expiration time on target Unix and Linux computers. The expiration time specifies when machine account passwords are reset in Active Directory.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Machine account password expiration time (machine password timeout), and then select the Define this Policy Setting check box.
In the Expiration Time box, enter the time, in days, that you want.
Important: To avoid issues with Kerberos key tables and single sign-on, the value you set in the Expiration Time box must be at least twice the maximum lifetime for user tickets, plus a little more time to account for the permitted clock skew. The expiration time for a user ticket is set by using an Active Directory group policy called Maximum lifetime for user ticket. The default user ticket lifetime is 10 hours; the default Likewise machine password lifetime is 30 days.

Check the Maximum Lifetime for a User Ticket

Open the default domain policy in the Group Policy Object Editor.
In the console tree under Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Kerberos policy.
In the details pane, double-click Maximum lifetime for user ticket.
In the Ticket expires in box, make sure that the number of hours is no more than half that of the value you set in the Expiration Time box of the Likewise group policy for the machine account password expiration time.
For more information, see Fix a Key Table Entry-Ticket Mismatch.

5.1.28. Set the Cache Expiration Time

By using Likewise, you can specify how long the Likewise agent caches information about a user's home directory, logon shell, and the mapping between the user or group and the security identifier (SID) on target Unix and Linux computers. Features that are using offline cached credentials reattempt to log on the Active Directory domain controller at the interval that you set. When online, the Likewise agent also caches the information for the specified time period.

You can use this policy to improve the performance of your system by increasing the expiration time of the cache.

This policy works on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification.
In the details pane, double-click Cache expiration time, and then select the Define this Policy Setting check box.
In the Cache timeout box, enter the time, in minutes, that you want.

5.1.29. Show a Denied Logon Rights Message

This group policy displays a message when an Active Directory user cannot log on a target computer because the user is not in the list of the users or groups defined in the Allow Logon Rights (require_membership_of) group policy.

When you set the policy, you specify the message that is displayed for the not_a_member_error. This policy applies to computers running Linux, Unix, and Mac OS X.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon:
In the details pane, double-click Denied logon rights message (not_a_member_error), and then select the Define this policy setting check box.
In the Logon error message box, type the text that you want to display.

5.1.30. Show a Password Expiration Warning

This group policy sets the number of days to display a warning before a local account password expires on a target Linux computer. Setting the number of days to 0 disables the warning. Without setting this policy, the default warning time is 5 days.

This policy is only for computers running Linux.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Logon:
In the details pane, double-click Local account password expiration warning, and then select the Define this policy setting check box.
In the Password expiration warning box, enter the number of days that you want.
Tip: To turn off the warning on target Linux computers, enter 0.

5.1.31. Set the User Policy Loopback Processing Mode

By using Likewise, you can define a group policy that applies alternate user settings when a user logs on a computer affected by this setting. The policy applies the group policy objects that you specify to any user who logs on a computer affected by this setting. The policy is designed for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user's group policy objects determine which user settings apply. If this setting is enabled, when a user logs on this computer, the computer's group policy objects determine which set of group policy objects applies.

You can set the following modes for this policy:

Mode	Description
Replace	The user settings defined in the computer's group policy objects replace the user settings normally applied to the user.
Merge	The user settings defined in the computer's group policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's group policy objects take precedence over the user's normal settings.
Loopback disabled	If you disable this setting or do not configure it, the user's group policy objects determine which user settings apply.

Set the User Policy Loopback Processing Mode

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Group Policy Agent:
In the details pane, double-click User policy loopback processing mode, and then select the Define this policy setting check box.
In the list, click the loopback processing mode that you want to set.

5.1.32. Set the User Policy Refresh Interval

By using Likewise, you can define a group policy that specifies how often the user settings are updated while the user is logged on. The scope of this policy is the user policies in the Unix and Linux Settings folder under User Configuration in the Group Policy Object Editor console tree.

By default, when this policy is undefined, a user's settings are updated when the user logs on and every 30 minutes while the user is logged on. The updates take place in the background without interrupting the user.

Note: Some settings might not take effect until after the computer restarts or the user logs off and logs back on.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Group Policy Agent:
In the details pane, double-click User policy refresh interval, and then select the Define this policy setting check box.
In the Refresh interval box, enter the time in minutes that you want to set.
You can set the refresh interval from 5 minutes to 9999 minutes, or about 7 days.

5.2. Lsassd Settings

Lsassd is the Likewise authentication daemon. The following group policies manipulate the daemon's configuration file, lsassd.conf, on target computers. For more information, see About the Likewise Agent and About Configuring the Agent.

5.2.1. Turn Off Logging of Network Events

This group policy modifies the settings in /etc/likewise/lsassd.conf to turn off logging for network events on target Linux, Unix, and Mac OS X computers. You can apply this policy to laptop computers, computers with a wireless connection, or other computers whose network status might be influx so that you do not flood the event log with connectivity events.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification:
In the details pane, double-click Lsassd: Disable logging of network connectivity events, and then select the Define this policy setting check box.
Select Enabled.

5.2.2. Turn Off System Time Synchronization with a GPO

This group policy changes the sync-system-time setting in /etc/likewise/lsassd.conf to no on target Linux, Unix, and Mac OS X computers.

This policy replaces the local setting, the default of which is yes: The Likewise authentication daemon, lsassd, synchronizes the system time of the client with that of the Active Directory domain controller. You can apply this policy when an alternative time synchronization process is in use.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification:
In the details pane, double-click Lsassd: Disable system time synchronization, and then select the Define this policy setting check box.
Select Enabled.

5.2.3. Display a Message of the Day at Logon

This group policy configures the Likewise agent to display a message of the day on target Linux and Unix computers running Likewise Enterprise 5.0 or later. You must set the message of the day locally or with the Likewise group policy; see Display a Message of the Day.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification:
In the details pane, double-click Lsassd: Enable MOTD display during logon, and then select the Define this policy setting check box.
Select Enabled.
In the console tree, find the Display a Message of the Day group policy, define it, and add your message to it; for more information, see Display a Message of the Day.
To locate the Display a Message of the Day group policy, in the console tree under Computer Configuration, expand Unix and Linux Settings, and then expand Message Settings.

5.2.4. Turn on Event Logging with a GPO

This group policy modifies the settings in /etc/likewise/lsassd.conf to turn on logging for events on target Linux, Unix, and Mac OS X computers. You can use this policy to improve security monitoring by logging authentication and authorization requests.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification:
In the details pane, double-click Lsassd: Enable use of the event log, and then select the Define this policy setting check box.
Select Enabled.

5.2.5. Prepend Domain Name for AD Users and Groups

This group policy changes the assume-default-domain setting in /etc/likewise/lsassd.conf to yes, adding the default domain before the names of Active Directory users and groups on target Linux, Unix, and Mac OS X computers. You can use this policy to spare users from typing the name of their Active Directory domain each time they log on a computer or switch users.

This policy replaces the local setting, the default of which is no.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the console tree under Computer Configuration, expand Unix and Linux Settings, expand Likewise Settings, and then click Authorization and Identification:
In the details pane, double-click Lsassd: Prepend default domain name for AD users and groups, and then select the Define this policy setting check box.
Select Enabled.

5.3. File System Policies

5.3.1. Automount a File System

By using Likewise, you can create a group policy to start a daemon that automatically mounts a file system on target Unix, Linux, or Mac OS X computers. When a user attempts to access an unmounted file system, the file that you associate with this policy automatically mounts it.

Automount is typically configured with two or more files, auto_master and one or more files referenced by auto_master.

The Likewise group policy agent, gpagentd, copies files referenced by auto_master to a subdirectory of /var/lib/likewise/grouppolicy/ and copies the auto_master file to /etc. The daemon creates a link in /etc named lwi_automount to the appropriate subdirectory in /var/lib/likewise/grouppolicy/. (The subdirectory can vary by system.)

The purpose of /etc/lwi_automount is to specify one or more automap files in the group policy-specified auto_master file without interfering with files that already exist in /etc.

Here's a sample auto_master file:

# Likewise identity automount file
/test   /etc/lwi_automount/auto.test

Here's a sample auto.test file specifying two mounts:

# Likewise identity auto.test
test1   -ro,hard,vers=3,intr,tcp       10.10.1.123:/distro
test2   -rw,soft,vers=3,intr,tcp       10.10.1.123:/distro/software

Note: You can specify multiple autofs (/test) directories as well as multiple mount points in each directory

You can also reference existing files in /etc or another path by using the full path names in the auto_master file.

Example Usage

The automount group policy, which can be especially helpful in large networks, has several uses:

Automount NFS, Samba, and boot mounts or partitions.
Cross-mount file systems between a few machines, especially machines that are not always online.
Switch between a forced-on ASCII conversion mount of a DOS file system and a forced-off ASCII conversion mount of the same DOS file system.
Automount removable devices.

Inheritance and Backup

The automount policy replaces the local file. It is not inherited and does not merge with the local file. For more information, see About Group Policies.

The original auto_master file is backed up and stored in /var/lib/likewise/grouppolicy/systemfiles. The original is restored if the automount group policy is disabled or if the computer goes out of scope by, for example, being moved to another OU.

Automount a File System

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand File System Settings, and then click AutoMount:
In the details pane, double-click AutoMount, and then select the Define this Policy Setting check box.
Click Add, type the name of the file you want, or click Browse and then find the file you want.
If the file is executable, select the File is executable check box.
Click OK.

5.3.2. Create Directories, Files, and Links

By using Likewise, you can define a group policy to create directories, files, commands, and symbolic links on target Unix and Linux computers.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is not inherited, does not concatenate a series of settings across multiple group policy objects in different locations within the Active Directory hierarchy. Instead, the closest local policy object is applied.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand File System Settings, and then click Files, Directories and Links.
In the details pane, double-click Create Directories, Install Files, Configure Links, and then select the Define this Policy Setting check box.
Click Add, click the type of object that you want, and then click OK.
Use the Object Editor that appears to set the object's paths and other file system properties.
Tip: To change an object's properties later, click the object in the list, and then click Edit.

5.3.3. Specify the File System Mounts (fstab)

With Likewise, you can create a group policy for the file systems table, or fstab, on target Unix and Linux computers and add mount entries to it by using a graphical user interface. Fstab, typically located in /etc/fstab, is a configuration file that specifies how a computer is to mount partitions and storage devices.

The mount entries in this policy are appended to the contents of /etc/fstab (/etc/vfstab on Solaris), but the file systems are not mounted until you explicitly mount them by using a command such as mount -a even though the group policy has been polled by the target computer. To mount the file systems specified in the policy, after you set the policy you must log on the target computer and execute the mount -a command (or a similar command, depending on your operating system) or restart the computer. Another option is to run a cron job that resets the mounts remotely or restarts the computer; see Schedule Cron Jobs with a crontab or cron.d Policy. It is recommended that you not reset the mounts while a user is logged on the computer.

This policy can add the following kinds of file systems to fstab:

Common Internet File System (cifs)
Linux Native File System (ext2)
New Linux Native File System (ext3)
ISO9660 CD-ROM (iso9660)
Network File System (NFS)
Network File System version 4 (NFS4)

Important: For cifs and iso9660 file systems, make sure the owner and group objects in Active Directory are enabled in a Likewise cell. Doing so defines UID and GID values for the objects on the systems where the policy setting is to take effect.

Specify File System Mounts

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand File System Settings, and then click File System Mounts (fstab).
In the details pane, double-click File System Mount, and then select the Define this Policy Setting check box.
Click Add, click the type of file system that you want to mount, and then click OK.
Use the Add New Mount Wizard to specify the mount details for the type of file system that you want to mount.
After you use the wizard to add a file system, you can edit the mount details and options by clicking the mount entry in the list and then clicking Edit.
To disable the mount, in the list of mount entries, under Status, double-click Enabled.

5.4. Logging and Auditing Group Policies

5.4.1. Create a SysLog Policy

By using Likewise, you can create a syslog group policy for target Unix and Linux computers. A syslog policy can help you manage, troubleshoot, and audit your systems.

Likewise provides a graphical user interface to configure and customize your syslog policies. You can log different facilities, such as cron, daemon, and auth, and you can use priority levels and filters to collect messages.

This policy works with computers running Linux, Unix, or Mac OS X. The policy replaces the local policies. It is not inherited and does not merge with the local settings. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Logging and Audit Settings, and then click SysLog:
In the details pane, double-click SysLog, and then select the Define this Policy Setting check box.
Click Add.
In the Syslog Policy Editor, in the Destination Type list, click the destination for the syslog.

The box below the Destination Type list changes depending on the destination type that you select:

For a Destination Type of	Do this
File	Enter the path to the file.
Named Pipe	Enter the path and name of the pipe file.
Remote Host	Enter the IP address or the server name of the remote host.
Local Users	Enter a comma-separated list of email addresses.
All Users	The box is unavailable.

Click in the Facilities box and then click to select the facilities that you want to log.
Select the facilities that you want. You can select All, or you can select Selected Items, and then select the check boxes for the facilities that you want in the list.
To enter a custom list of facilities, select Custom Entry, and then type a comma-separated list of the facilities that you want to use -- for example: cron, daemon, auth, kern
In the list under Priorities, click the priority level for which you want to log events.
In the list under Filter, click the filter that you want to apply to the priority level, and then click OK.
Tip: To change a log's options later, click a log in the list, and then click Edit.

5.4.2. Secure Computers with an AppArmor Policy

By using Likewise, you can create an AppArmor group policy to help secure target computers that are running SUSE Linux Enterprise.

AppArmor is a Linux Security Module implementation of name-based access controls. To help protect your operating system and applications from threats, AppArmor uses security policies, called profiles, that define the system resources and privileges that an application can use.

AppArmor is included with all SUSE distributions from SUSE Linux Enterprise Server 9, Service Pack 3 (SLES9 SP3) and later, including SLES10, SLED10, and openSUSE 10.0, 10.1, and 10.2.

Note: To configure this policy, you must have a file containing an AppArmor security profile. The SUSE Linux distribution contains default profiles that you can use. It also contains tools to build your own profiles. For information on how to obtain or create a security profile, see the AppArmor documentation.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

Secure Computers with an AppArmor Policy

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Logging and Audit Settings, and then click AppArmor.
In the details pane, double-click AppArmor, and then select the Define this Policy Setting check box.
Click Add, find the security profile that you want to use, and then click Open.
In the list under Profile Mode, do one of the following:

To

Click

Log events that would have been denied if the profile were set to enforce

complain

Enforce the polices defined by the security profile

enforce

5.4.3. Secure Computers with an SELinux Policy

With Likewise, you can create a Security-Enhanced Linux group policy to help secure target computers running Red Hat Enterprise Linux.

Security-Enhanced Linux, or SELinux, puts in place mandatory access control by using the Linux Security Modules, or LSM, in the Linux kernel. The security architecture, which is based on the principle of least privilege, provides fine-grained control over the users and processes that are allowed to access a system or execute commands on it.

SELinux can secure processes from each other. For example, if you have a public web server that is also acting as a DNS server, SELinux can isolate the two processes so that a vulnerability in the web server process does not expose access to the DNS server.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

Note: This policy applies the settings that you define in the procedure below to the /etc/ sysconfig/ selinux file on target computers running Red Hat Enterprise Linux. The /etc/ sysconfig/ selinux file is the primary configuration file for enabling or disabling SELinux and for setting which policy to enforce on the system and how to enforce it.

Secure Computers with an SELinux Policy

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Logging and Audit Settings, and then click SELinux.
In the details pane, double-click SELinux, and then select the Define this policy setting check box.

In the SE Linux list, do one of the following:

To define the top-level state of SELinux on the target computers as	Click
enforcing mode -- meaning that the SELinux security policy is enforced	enforcing
permissive mode -- meaning that SELinux prints warnings but does not enforce policy. You can use this setting for debugging and troubleshooting. In permissive mode, more denials are logged, as subjects can continue to execute actions that are denied in enforcing mode. For example, traversing a directory tree generates multiple `avc: denied` messages for every directory level read. In enforcing mode, a kernel would have stopped the initial traversal and not generated further denial messages.	permissive
disabled mode -- meaning that SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.	disabled

In the SE Linux Type list, click either targeted or strict.
Selecting targeted protects only targeted network daemons. The default targeted policy protects the following daemons on Red Hat Enterprise Linux 4: dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd. The rest of the system runs in the unconfined_t domain. The policy files for these daemons are in /etc/selinux/targeted/src/policy/domains/program and might vary depending on the version of Red Hat Enterprise Linux that you are using.
Selecting strict provides full SELinux protection for all daemons. The system defines security contexts for all objects and subjects, and the policy enforcement server processes every action.

5.4.4. Rotate Logs

To help you manage, troubleshoot, and archive your system's log files, you can create a group policy to configure and customize your log-rotation daemon. For example, you can choose to use either a logrotate or logrotate.d file, specify the maximum size before rotation, compress old log files, and set an address for emailing log files and error messages. You can also enter commands to run before and after rotation.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Logging and Audit Settings, and then click LogRotate.
In the details pane, double-click Rotate logs, and then select the Define this Policy Setting check box.
Click Add.
In the Log Rotate Policy Editor, under the General Options tab, set the options that you want.
Click the Log Options tab, and then set the options that you want.
Click the Mail/Script Options tab, and then set the options that you want.

5.5. Message Group Policies

5.5.1. Display a Message with a Login Prompt Policy

By using Likewise, you can use a group policy to set a message in the /etc/issue file on target Linux and Unix computers. The message, which appears before the login prompt, can display the name of the operating system, the kernel version, and other information that identifies the system.

In the message text, you can use characters, numbers, and special characters; there is no limit to the length of the message.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy replaces the /etc/issue file on target computers.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Message Settings, and then click Login Prompt.
In the details pane, double-click Login Prompt (/etc/issue), select the Define this Policy Setting check box, and then in the Text Value box, type your message.
In your message, you can use escape codes that getty (on Unix) or agetty (on Linux) recognizes. For example, if you write Welcome to \s \r \l, on a Linux computer, agetty replaces \s with the name of the operating system, \r with the kernel version, and \l with the name of the terminal device. For a list of escape codes, see the getty or agetty man pages for your system.

5.5.2. Display a Message of the Day

By using Likewise, you can use a group policy to set a message of the day in the /etc/motd file on target Linux and Unix computers.

The message of the day, which appears after a user logs in but before the logon script executes, can give users information about a computer. For example, the message can remind users of the next scheduled maintenance window.

You can use this policy on computers running Linux, Unix, or Mac OS X. The policy replaces the motd file on the target computer.

Important: If you are using this policy on target Linux and Unix computers running Likewise Enterprise 5.0 or later, you must first set an lsassd group policy; see Display a Message of the Day at Logon.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Message Settings, and then click Message of the Day:
In the details pane, double-click Message of the day (/etc/motd), select the Define this Policy Setting check box, and then in the Text Value box, type your message.
Tip: Limit the size of your message to one screen.

5.6. Security Group Policies

5.6.1. Define a Sudo Policy

By using Likewise, you can define a group policy to specify a sudo configuration file for target computers running Linux, Unix, and Mac OS X. The sudo configuration file is copied to the local machine and replaces the local sudoers file. A sudo file can reference local users and groups or Active Directory users and groups.

Sudo, or superuser do, allows a user to run a command as root or as another user. This policy can control sudo access in a centralized and uniform way. For more information about sudo, see the man pages for your system.

This policy is not inherited and does not merge with the local file. For more information, see About Group Policies.

Important: The Likewise entries in your sudoers file must conform to the rules set forth in the following topic: Configure Entries in Your Sudoers Files.

Define a Sudo Policy

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Security Settings, and then click SUDO command:
In the details pane, double-click Define Sudoer file, select the Define this Policy Setting check box, and then in the Current file content box, type your commands.
Or, to import a sudo configuration file, click Import, and then find the file that you want.

5.7. Task Group Policies

5.7.1. Schedule Cron Jobs with a crontab or cron.d Policy

You can use a group policy to schedule commands, or cron jobs, that are executed at a set time on target Linux and Unix computers.

When you set this policy, you must select a file type of /etc/cron.d or crontab. You can use cron.d only on Linux computers; crontab works on computers running Linux or Unix, including Mac OS X.

Using crontab overwrites the crontab file on target computers. Using cron.d adds your file to the /etc/cron.d directory on target Linux computers.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Task Settings, and then click Crontab/Cron.d.
In the details pane, double-click Crontab Settings, and then select the Define this Policy Setting check box.
To specify the crontab file type, click Change Type, select either /etc/cron.d or crontab, and then click OK.
Selecting /etc/cron.d -- which is not supported by the Sun Solaris, Mac OS X, or IBM AIX operating systems -- adds the file to the /etc/cron.d directory while preserving existing files and other files inherited from policy objects.
Selecting crontab -- which works with most systems, including Solaris, AIX, and Mac OS X -- uses the crontab utility to install the file in the root account, overriding the account's existing crontab settings and any files inherited from policy objects.
In the Current file content box, type your command. Example:

* * * * * echo "` date` Running Cronjob 1 ($0) " >> / tmp/ AD_GPO.log

Or, click Import, find the file that contains your commands, and then click Open.

5.7.2. Run a Script File

Likewise lets you use a group policy to execute a text-based script file on target Linux and Unix computers.

The script file runs under the root account when the target computer first receives the group policy object or when the policy object's version changes. When a target system is rebooted, the script runs again.

This policy replaces the local file. It is not inherited and does not merge with the local file. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Task Settings, and then click Run Script:
In the details pane, double-click Script file, and then select the Define this Policy Setting check box.
In the Current file content box, type your script. Example:

#!/bin/bash

echo "` date` Running AD Script 1 ($0)" >> / tmp/ AD_GPO.log

Or, click Import, find the file that contains your script, and then click Open.

5.8. Networking Group Policies

5.8.1. Set DNS Servers and Search Domains

You can create a group policy to specify the DNS servers and search domains on target Linux, Unix, and Mac OS X computers.

The search domains are automatically appended to names that are typed in Internet applications. For example, if you set campus.college.edu as a search domain, a user can type server1 in the Finder’s Connect To Server dialog to connect to server1.campus.college.edu.

Important: Setting this group policy can cause a conflict with the settings in the resolv.conf file on some target computers, especially those running newer versions of Linux. When the GPO is processed, a new resolv.conf file is generated and named resolv.conf.gp. The old resolv.conf file is saved as resolv.conf.lwidentity, and then the new resolv.conf.gp is renamed resolv.conf. When the network interface is restarted, however, the updated resolv.conf settings can be overwritten with values from other configuration repositories, even if NetworkManager is not configured. Therefore, it is recommended that you use a target platform filter to apply the policy only to Unix platforms or other systems on which resolv.conf is not dynamically modified.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, and then click Network Settings.
In the details pane, double-click DNS, and then select the Define this policy setting check box.
In the DNS Servers box, type the DNS address that you want to use. To enter more than one address, you must put each additional address on a new line.
In the Search Domains box, optionally type the search domain that you want.
To enter multiple search domains, separate each by a comma. Domains are searched in the order you list them. To include local as one of the search domains, the target computers must be running OS X 10.4 or later and local must be first. Example:
local, likewise.com, campus.college.edu

Tip: To stop a local user from changing a Mac OS X computer's network settings, see Secure System Preferences on a Mac.

5.9. Mac Group Policies

5.9.1. Automatically Restart a Mac After Losing Power

By using Likewise, you can define a group policy to automatically restart a target Mac OS X computer after it loses power. This policy can help recover a workstation or server after a power failure.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then expand Energy Saver:
Click Options.
In the details pane, double-click Automatic restart on power loss, and then select the Define this Policy Setting check box.
Click Enabled or Disabled.

5.9.2. Start the Bluetooth Setup Assistant

You can define a group policy to open the Bluetooth Setup Assistant if an input device is not detected when the computer starts. This setting is helpful when you manage computers that use a Bluetooth keyboard or mouse. If the computer does not detect a keyboard or mouse on startup, this policy opens the setup assistant to connect the keyboard and mouse.

This setting works with computers running Mac OS X 10.5.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Bluetooth:
In the details pane, double-click Open Bluetooth Setup Assistant at startup when no input device is present, and then select the Define this policy setting check box.
Select Enabled or Disabled.

5.9.3. Set the Disk Sleep Timer

By using Likewise, you can define a group policy to put the hard disk on a target Mac OS X computer to sleep when it is not in use. You can use this policy to help save energy.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then expand Energy Saver:
Click Sleep.
In the details pane, double-click Disk Sleep Timer, and then select the Define this Policy Setting check box.
Click Enabled or Disabled.

5.9.4. Set the Display Sleep Timer

By using Likewise, you can define a group policy to put the screen of a target Mac OS X computer to sleep after it has been idle for a set period. This setting can help save energy.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then expand Energy Saver:
Click Sleep.
In the details pane, double-click Display Sleep Timer, and then select the Define this Policy Setting check box.
In the Minutes box, enter the period of inactivity after which the policy is to put the computer to sleep.
Note: To set the screen to never sleep, enter 0.

5.9.5. Block UDP Traffic on a Mac

By using Likewise, you can create a group policy to set the built-in firewall on target computers running Mac OS X to block UDP traffic. Blocking User Datagram Protocol traffic can help secure target computers.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Firewall:
In the details pane, double-click Block UDP traffic usage, and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.9.6. Disable Automatic User Login on a Mac

By using Likewise, you can create a group policy to disable automatic login on target computers running Mac OS X. This policy requires a user to log on every time the computer is turned on or restarted.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Security:
In the details pane, double-click Disable automatic user login, and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.9.7. Log Firewall Activity on a Mac

By using Likewise, you can create a group policy to log firewall activity on target computers running Mac OS X 10.4 or later.

To help you monitor and audit Mac computers for security issues, this policy turns on firewall logging, which keeps a log of such events as blocked attempts, blocked sources, and blocked destinations.

The log is at /var/log/ipfw.log. Mac OS X resets and archives the log file every 7 days. An archived log file is deleted after about 30 days.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Firewall:
In the details pane, double-click Turn on firewall logging, and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.9.8. Secure System Preferences on a Mac

By using Likewise, you can create a group policy to lock system preferences on target computers running Mac OS X so that only administrators with the password can change the preferences.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Security:
In the details pane, double-click Secure system preferences with password, and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.9.9. Use Firewall Stealth Mode on a Mac

By using Likewise, you can create a group policy to set the built-in firewall on target computers running Mac OS X to operate in stealth mode.

Stealth mode cloaks the target computer behind its firewall: Uninvited traffic gets no response, and other computers that send traffic to the target computer get no information about it. Stealth mode can help protect the target computer's security.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Firewall:
In the details pane, double-click Use firewall stealth mode, and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.9.10. Use Secure Virtual Memory on a Mac

Use Secure Virtual Memory on a Mac

By using Likewise, you can create a group policy to configure target computers running Mac OS X to store application data in secure virtual memory.

In case the computer's hard drive is accessed without authorization, this policy sets the target Mac to encrypt the data that it stores in virtual memory.

This policy, which is inherited, does not replace local policies; it merges with them. For more information, see About Group Policies.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Security:
In the details pane, double-click Use secure virtual memory, and then select the Define this Policy Setting check box.
Select Enabled or Disabled.

5.9.11. Share an Internet Connection with Bluetooth Devices

You can define a group policy to share a computer's Internet connection with other Bluetooth devices by using a personal area network, or PAN. This setting works with computers running Mac OS X 10.5.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Bluetooth:
In the details pane, double-click Share my Internet connection with other Bluetooth devices, and then select the Define this policy setting check box.
Select Enabled or Disabled. When Enabled is selected, Internet connection sharing is on; when Disabled is selected, sharing is off.

5.9.12. Put the Computer to Sleep with the Power Button

By using Likewise, you can define a group policy to set the power button to put a target Mac OS X computer to sleep. When the power button is pressed, the computer goes to sleep instead of shutting down.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then expand Energy Saver:
Click Options.
In the details pane, double-click Sleep on power button, and then select the Define this Policy Setting check box.
Click Enabled or Disabled.

5.9.13. Set the System Sleep Timer

By using Likewise, you can define a group policy to put a target Mac OS X computer to sleep after it has been idle for a set period. You can use this policy to save energy.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then expand Energy Saver:
Click Sleep.
In the details pane, double-click System Sleep Timer, and then select the Define this Policy Setting check box.
In the Minutes box, enter the period of inactivity after which the policy is to put the computer to sleep.
Note: To set the computer to never sleep, enter 0.

5.9.14. Turn Bluetooth On or Off

You can create a group policy to turn on or turn off Bluetooth power on target Mac OS X computers. When Bluetooth power is turned off, other Bluetooth devices, such as wireless keyboards and mobile phones, cannot connect to the computer.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Bluetooth:
In the details pane, double-click Turn Bluetooth on or off, and then select the Define this policy setting check box.
Select Enabled or Disabled. When Enabled is selected, Bluetooth is on; when Disabled is selected, Bluetooth is off.

5.9.15. Turn On AppleTalk

You can create a group policy to make AppleTalk active on target Mac OS X computers. You can also use this policy to make AppleTalk inactive.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then click Internet and Network.
In the details pane, double-click AppleTalk, and then select the Define this policy setting check box.
In the list under Configure, click the option that you want. When Automatically is selected, AppleTalk is active. When Manually is selected, you must enter the Node ID and the Network ID.

Tip: To stop a local user from changing a Mac OS X computer's AppleTalk settings, see Secure System Preferences on a Mac.

5.9.16. Wake Up the Computer for LAN Admin Access

By using Likewise, you can define a group policy to wake up a target Mac OS X computer when a network administrator accesses it through a local area network Ethernet connection.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then expand Energy Saver:
Click Options.
In the details pane, double-click Wake on LAN, and then select the Define this Policy Setting check box.
Click Enabled or Disabled.

5.9.17. Wake Up the Computer When the Modem Rings

By using Likewise, you can define a group policy to wake up a target Mac OS X computer when its modem rings.

In Active Directory Users and Computers or in the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, expand Mac System Preferences, and then expand Energy Saver:
Click Options.
In the details pane, double-click Wake on modem ring, and then select the Define this Policy Setting check box.
Click Enabled or Disabled.

See Also

Set Target Platforms

5.10. Mac DS Plugin Settings

Likewise Enterprise includes the following set of group policies for managing the directory services plugin on target Mac OS X computers.

DS Plugin Setting	Description
Use UNC path from Active Directory to create home location	Sets a computer to connect to the network share defined in the Active Directory user account. The UNC path is converted to SMB when the target share is running Windows or AFP when the target is running Mac OS X. If the policy for forcing the home directory on the startup disk is enabled, the UNC path is used to create a folder in the user's dock and the home directory is set to the user's local home directory path.
Force home directory on startup disk	Sets a computer to use a local home directory path. When a user with a home folder connection defined in Active Directory logs on, the connection is created in the dock under `/Network/Servers/homeFolderName`.
Merge Workgroup Manager MCX settings from all user GPOs	Sets a computer to combine the managed client settings (MCX) for all the user GPOs defined in Workgroup Manager. When this policy is disabled, the closest user GPO that has Workgroup Manager settings is applied. Workgroup Manager settings higher up the domain's distinguished name hierarchy are not applied. When this policy is enabled, a union of all Workgroup Manager settings found across the GPOs is applied to the user. If two GPOs have MCX settings defined, the result of combining them is applied to the Active Directory user account. When more than one GPO defines a common MCX setting area (example: com.apple.dock), only the settings of the precedent GPO are applied to the account.
Allow administration by	Specifies the administrators included the local admin group (GID: 80) on a target computer. The policy can specify Active Directory users or groups. Local entries are overwritten unless you also set the policy to allow local entries in the admins group.
Allow admins group local entries	Preserves members of the admin group who are defined locally but are not specified in the `allow administration by` policy.

In the Group Policy Management Console, create or edit a group policy for the organization unit that you want, and then open it with the Group Policy Object Editor.
In the Group Policy Object Editor, in the console tree under Computer Configuration, expand Unix and Linux Settings, expand Mac Settings, and then expand DS Plugin Settings:
In the details pane, double-click the DS plugin setting that you want, and then select the Define this Policy Setting check box.
Click Enabled or Disabled.

For two of the policies, you must make additional selections:

For This Policy	Do This
Use UNC path from Active Directory to create home location	Select SMB protocol when the target computer is running Windows or select AFP protocol when the target computer is running Mac OS X.
Allow administration by	Select the Active Directory users and groups to add to the list of those who can administer the Mac OS X computer. You can select users and groups or you can type a comma-separated list of short domain names with Active Directory account names or group names. (Remember: The users and groups that you select must be enabled in the Likewise cell containing the target computer.)

Chapter 6. Legal Disclaimer and Copyright Notice

The information contained in these documents represents the current view of Likewise Software on the issues discussed as of the date of publication. Because Likewise Software must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Likewise, and Likewise Software cannot guarantee the accuracy of any information presented after the date of publication.

These documents are for informational purposes only. LIKEWISE SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form, by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Likewise Software.

Likewise may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Likewise, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The Likewise Open software is free to download and use according to the terms of the Limited GPL 2.1 for client libraries and the GPL 2 for daemons. The licenses for Likewise Enterprise and for Likewise UID-GID Module are different. For complete information on the software licenses and terms of use for Likewise products, see www.likewise.com.

Likewise and the Likewise logos are either registered trademarks or trademarks of Likewise Software in the United States and/or other countries. All other trademarks are property of their respective owners.

Likewise Software
15395 SE 30th Place, Suite 140
Bellevue, WA 98007
USA

For more information, contact info@likewise.com or visit www.Likewise.com.

To	Click
Log events that would have been denied if the profile were set to enforce	complain
Enforce the polices defined by the security profile	enforce