Set dzdo validator

Specify the full path of the dzdo validator. The settings in this group policy are used only when the Require dzdo command validation check group policy is enabled.

The dzdo validator is a script that runs synchronously under the user’s Active Directory name. If the Require dzdo command validation check group policy is enabled, the dzdo validator runs when users attempt to execute dzdo commands. Command attempts that pass validation are allowed to run. Command attempts that fail validation are not allowed to run.

The default location of the dzdo validator is /usr/share/centrifydc/sbin/dzcheck. If you set this group policy to Not configured or Disabled, the validator located in this default location is used.

If you set this group policy to Enabled, the dzdo validator that you specify is used.

Note that the authentication, privilege elevation, and audit and monitoring services distribution package does not include a dzcheck script. Instead, a sample validator, /usr/share/centrifydc/sbin/dzcheck.sample, is provided for reference. To configure and enable the dzdo validator, modify the sample script or create a new script, then place that script in the default location (/usr/share/centrifydc/sbin/dzcheck) or use a location and script name of your choice that you specify in this group policy.

You do not need to create a dzcheck script to use dzdo. You only need to create a script if you want to modify dzdo behavior so that validation occurs when dzdo commands attempt to run.

This group policy modifies the dzdo.validator setting in the agent configuration file. For more information about configuring the dzdo validator, see the “dzdo.validator” section in the Configuration and Tuning Reference Guide.