Linux Active Directory (AD) integration is historically one of the most requested functionalities by our corporate users, and with Ubuntu Desktop 22.04, we introduced ADsys, our new Active Directory client. This blog post is part 2 of a series where we will explore the new functionalities in more detail. (Part 1 – Introduction)
In this article we will focus on how Group Policy Objects (GPOs) can be used by ADsys to change dconf settings in Ubuntu after a client has been successfully joined to a domain.
In this area, as well as for all the other new features delivered by ADsys, we tried to offer a user experience as close as possible to the native one available in Microsoft Windows, with the aim of enabling IT admins to reuse the same knowledge and tools they acquired over the years to manage Ubuntu desktops.
Active
Directory Administrative Templates
Similar to Windows clients, the first step to tell AD to what features it can manage is to import an administrative template. We offer the choice of both the language-specific .adml files and the language-neutral .admx files.
The administrative templates need to be imported in the Central Store in the sysvol folder on a Windows domain controller. The Central Store is a file location that the Group Policy Tools check by default and that is replicated in all the domain controllers. If you want to learn more information Microsoft provides extensive documentation on how to create and manage a central store.
Once a device is joined to the domain, ADsys provides a command line interface which is able to download the relevant templates for the distribution that you are running. The administrative templates support different data types and the management consoles adapts the UI according to the property you are going to modify (e.g. boolean, lists, etc.)
We will continue supporting the tool and release updated templates compatible with newer versions of Ubuntu. You can see which templates are available by going to the relevant section of the project Github page.
Using Group Policy Objects
Group Policy Objects can be used to change any of the dconf settings. Compatibility to additional policy managers might be extended in the future based on usage and customer demand.
Similar to Windows we offer both user and computer policies, which can be accessed by navigating to the Ubuntu administrative template section of Active Directory. GPO rules can have the traditional enabled, disabled and not configured states and their precedence follows the same, default Active Directory constructs. (i.e. machine policies take precedence over user ones)
Similar to windows GPOs are applied:
- On boot for the computer policies
- On login for the user policies
- At a configurable time interval for active, connected clients (the default is set to the standard 90 minutes)
The settings are applied to the relevant users on the client and they can be overwritten only by local machine administrators.
SSSD and security policies
It is important to note that ADsys does not replace SSSD, rather it compliments it. The Active Directory Security Policies that are currently managed or partially supported by SSSD are not duplicated in ADsys.
SSSD is part of all versions of Ubuntu starting from 18.04 and you can find further information on our documentation or the upstream project page.
Additional resources and how to get the new features
The features described in this blog post are available for free for all Ubuntu users, however you need an Ubuntu Advantage subscription to take advantage of the privilege management and remote scripts execution features. You can get a personal license free of charge using your Ubuntu SSO account. ADSys is supported on Ubuntu starting from 20.04.2 LTS, and tested with Windows Server 2019.
We have recently updated the Active Directory integration whitepaper to include a practical step by step guide to help you take you full advantage of the new features. If you want to know more about the inner workings of ADsys you can head to its Github page or read the product documentation.
If you want to learn more about Ubuntu Desktop, Ubuntu Advantage or our advanced Active Directory integration features please do not hesitate to contact us to discuss your needs with one of our advisors.
Discover more from Ubuntu-Server.com
Subscribe to get the latest posts sent to your email.