Wednesday, September 24, 2014

Utilities: The powerful "copy files" GPO

Background

As you know, Centrified systems can process group policies (basics here).  However, did you know that there is a group policy object named "Copy files" that can be used to:

  • Distribute files
  • Make sure config files stay consistent
  • Deploy software
  • and many many more creative uses.

The copy files GPO

It's located under Computer Configuration > Centrify Settings > Common UNIX Settings.

How does it work?

The copy-file GPO uses the Centrify agent's GP engine, along with adsmb and the computer credentials, to connect to the AD SYSVOL (or an alternate share), obtain the files, and place them in the target folder on the Unix/Linux or Mac system.

Copy-file GPO options

Because adclient is a privileged process, the destination file can be manipulated (permissions, ownership, etc.).  The file gets copied under two conditions:
  • If enabled, when the group policy refresh interval is met (every 90 minutes by default, with a random offset of 30 minutes).
  • When the adgpupdate command is triggered.

Considerations when using this GPO (and group policies in general):
  • Perl needs to be installed.  (5.8 minimum as of 9/2014)
  • The sysvol or alternate share has to be reachable, so the requirements for making a CIFS connection are in play.  This may be undesirable in firewall scenarios.
  • When writing to sysvol, an appropriate AD account needs to be used.
  • Group Policy Objects for users are not enabled on *NIX by default; they are on the Mac.
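
One way to check the result after a refresh or after running adgpupdate, as an added example that is not part of the original post or of Centrify's tooling: the script below confirms that a delivered file still matches the copy staged on the share and carries the owner and mode set in the policy. The function names and the practice of recording the staged file's SHA-256 beforehand are assumptions.

```shell
#!/bin/sh
# Added example, not Centrify code. Audits one file delivered by the copy-files GPO.
# Usage: sh audit.sh DEST EXPECTED_SHA256 EXPECTED_OWNER EXPECTED_MODE

file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'    # macOS
    fi
}

# GNU stat (Linux) first, BSD stat (macOS) as the fallback.
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Prints one line per finding; returns 0 when the file is as expected, 1 otherwise.
audit_copied_file() {
    dest=$1; want_sum=$2; want_owner=$3; want_mode=$4
    rc=0
    # adclient is privileged when it writes the destination, so flag a symlink there.
    if [ -L "$dest" ] || [ ! -f "$dest" ]; then
        echo "FAIL $dest: missing or not a regular file"
        return 1
    fi
    got_sum=$(file_sha256 "$dest")
    got_owner=$(file_owner "$dest")
    got_mode=$(file_mode "$dest")
    if [ "$got_sum" != "$want_sum" ]; then
        echo "FAIL $dest: content differs from the staged copy (local edit or stale refresh)"
        rc=1
    fi
    if [ "$got_owner" != "$want_owner" ]; then
        echo "FAIL $dest: owner is $got_owner, expected $want_owner"
        rc=1
    fi
    if [ "$got_mode" != "$want_mode" ]; then
        echo "FAIL $dest: mode is $got_mode, expected $want_mode"
        rc=1
    fi
    # Flag group/world write even when the policy asked for it: others can edit between refreshes.
    if [ $(( 0$got_mode & 022 )) -ne 0 ]; then
        echo "WARN $dest: mode $got_mode is group- or world-writable"
        rc=1
    fi
    return $rc
}

if [ "$#" -eq 4 ]; then audit_copied_file "$@"; fi
```

A content mismatch that persists past the refresh interval suggests the share is unreachable or the policy no longer applies to the machine.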

File Copy GPO in action

