Specify the groups that cannot be prevalidated to access the local UNIX computer.
If you allow any groups or users to be prevalidated, you can use this policy to define exceptions for any groups that should be prevented from prevalidation. In most cases, you would use this policy to exclude a subset of users that are in a member group of an allowed group.
Enter a comma-separated list of users in Denied users to prevent prevalidation of specific users.
This group policy modifies the adclient.prevalidate.deny.groups setting in the Centrify DirectControl configuration file.
=== Specifying users and groups for prevalidation ===
Prevalidation enables a user or the members of a group to access the local UNIX computer using Active Directory credentials when the computer is offline, even if the user has not previously logged on to the computer. Without prevalidation, only users who have previously logged on to a computer can be authenticated when the computer is disconnected from the network. For those users, authentication is based on the password hashes stored during the previous logon. In some cases, however, you may require users who have never logged on to a particular computer to be authenticated when the computer is disconnected from the network. For example, you may have an administrative group that requires access to computers that are disconnected from the network but on which its members have never previously logged on. To accommodate the users in that group, you can configure the group for prevalidation.
If you do not specify any users or groups with these policies, then no user or group accounts are prevalidated to access the local computer. If you enter names in either the "Specify allowed users for prevalidation" or "Specify allowed groups for prevalidation" policy, only those users and groups are prevalidated, with the exception of any users or groups you enter in either "Specify denied users for prevalidation" or "Specify denied groups for prevalidation" policy. For example, to allow all users in the admins group to be prevalidated, except the users who are also members of the outsource group, you could set the following policies:
Specify allowed groups for prevalidation: admins
Specify denied groups for prevalidation: outsource
To add more than one user or group, enter a comma-separated list. For example, to allow all users in the admins group and the users ali, kai, and tanya who are not members of the admins group to be prevalidated, but prevent the users jorge and maurice from being prevalidated, you could set the following policies:
Specify allowed groups for prevalidation: admins
Specify allowed users for prevalidation: ali,kai,tanya
Specify denied users for prevalidation: jorge,maurice
To allow prevalidation for all users in the zone without any exceptions, you can enter all@zone in the "Specify allowed groups for prevalidation" policy.
For users or groups of users to be prevalidated, their accounts must be active accounts with permission to log on to the local computer and must have a Service Principal Name (SPN) set in the form preval/user, where user is the User Principal Name (UPN) of the user, and preval is the service name specified by the "Set prevalidation service name" policy.
To enable prevalidation for a user, you can use the Windows setspn.exe utility to add a Service Principal Name for the user. For example, to register the Service Principal Name for the user firstname.lastname@example.org using preval as the service name, you could type a command similar to the following in a Windows Command Prompt window:
setspn -A preval/kai kai
This setspn command registers the SPN preval/kai in Active Directory for the user account kai. On the computers where this user is allowed to be prevalidated, the user can be authenticated without having logged on previously.
If you are allowing prevalidation for an administrative group, you must register a Service Principal Name for each member of the group. For example, if you are allowing prevalidation for the admins group and this group has five members, you would use the setspn.exe utility to register a Service Principal Name for each of those members.
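The allow/deny precedence described above, together with the SPN requirement, can be checked before a policy is rolled out. The following Python model is an added example written for this page, not Centrify code; it assumes the policy values are supplied as the comma-separated strings the policies accept, that group membership and registered SPNs are known, and that the SPN is compared as service/account-name, as in the setspn example above (account status and logon permission are not modelled).

```python
from dataclasses import dataclass, field

ALL_IN_ZONE = "all@zone"  # special allowed-groups value meaning every user in the zone


@dataclass
class PrevalidationPolicy:
    """Values of the four prevalidation allow/deny policies plus the service name."""
    allowed_users: set = field(default_factory=set)
    allowed_groups: set = field(default_factory=set)
    denied_users: set = field(default_factory=set)
    denied_groups: set = field(default_factory=set)
    service_name: str = "preval"  # "Set prevalidation service name" policy


def parse_policy_value(value):
    """Split a comma-separated policy value into a set of names; blanks are ignored."""
    return {name.strip() for name in value.split(",") if name.strip()}


def is_prevalidated(user, user_groups, spns, policy):
    """Return True if `user`, a member of `user_groups` whose account holds the
    SPNs in `spns`, may be prevalidated for offline logon under `policy`.

    Rules modelled from the policy description:
      1. denied users/groups are exceptions and always win;
      2. with no allowed users or groups configured, nobody is prevalidated;
      3. otherwise the user must be listed, belong to an allowed group, or be
         covered by all@zone (documented as used without any exceptions);
      4. the account must carry an SPN of the form <service>/<user>.
    """
    if user in policy.denied_users or user_groups & policy.denied_groups:
        return False
    if not (policy.allowed_users or policy.allowed_groups):
        return False
    allowed = (user in policy.allowed_users
               or ALL_IN_ZONE in policy.allowed_groups
               or bool(user_groups & policy.allowed_groups))
    if not allowed:
        return False
    return f"{policy.service_name}/{user}" in spns


if __name__ == "__main__":
    # Constructed scenario: the page's "admins allowed, outsource denied" example.
    policy = PrevalidationPolicy(allowed_groups=parse_policy_value("admins"),
                                 denied_groups=parse_policy_value("outsource"))
    print(is_prevalidated("kai", {"admins"}, {"preval/kai"}, policy))           # True
    print(is_prevalidated("pat", {"admins", "outsource"}, {"preval/pat"}, policy))  # False
```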
To ensure their validity, the credentials for prevalidated users and groups are periodically retrieved from Active Directory. For example, the credentials are refreshed whenever you do the following:
- Reboot the local computer.
- Start or restart Centrify DirectControl Agent (adclient daemon).
- Run the adflush command to clear the cache.
- Change a password from the local system.
The credentials are also periodically refreshed at the interval defined by the "Set prevalidation update interval" policy to ensure that prevalidation will continue working after password changes.
These group policies enable the following settings in the Centrify DirectControl configuration file: