DirectControl Settings

The following table summarizes the group policies listed directly under Centrify Settings > DirectControl Settings. The full descriptions follow the table.

| Select this group policy | To do this |
|---|---|
| Add centrifydc.conf properties | Add configuration parameters to the centrifydc.conf configuration file. |
| Maintain DirectControl 2.x compatibility | Maintain access for legacy users or computers. |
| Merge local group membership | Merge local group membership from /etc/group into the zone group membership for groups that have the same name and GID. |
| Prefer authentication credentials source | Instruct adclient to authenticate the user using the cached credentials. |
| Set LDAP fetch count | Specify the number of objects to obtain in a single LDAP request. |
| Set password cache | Control the caching of user passwords. |
| Set user mapping | Map a local user account to an Active Directory account. |
| Use FIPS 140-2 compliance algorithms | Select the algorithms used for the authentication protocols. |

Additional group policies for DirectControl Settings are organized under the following sub‑nodes:

  • Account prevalidation—Contains policies to manage prevalidation of users and groups for disconnected systems.
  • Adclient settings—Contains policies to control certain aspects of the operation of the agent on managed computers.
  • Auto Zone group policies—Contains policies to control certain aspects of the operation of the agent on machines that are joined to Auto Zone.
  • Dzdo settings—Contains policies to control certain aspects of the operation of dzdo and sudo.
  • Group policy settings—Contains policies to manage the execution of the Centrify group policy mapping programs.
  • Kerberos settings—Contains policies to manage the Kerberos configuration. You can use these settings to control updates to the Kerberos configuration files and credential renewal.
  • Local account management settings—Contains policies to control agent management of local users and groups.
  • Logging settings—Contains policies to control logging policy settings. You can use these settings to specify the syslog facility to use for logging different adclient processes and to control the amount of memory to use to queue log messages.
  • Login settings—Contains policies to control login and local account access. You can use these settings to grant or deny access to specific users and groups or to ignore Active Directory authentication for some users and groups.
  • MFA Settings—Contains policies for configuring multi-factor authentication in classic zones and Auto Zones. You can use these settings to specify which users or groups require a two-step authentication procedure for login, define rescue users that can log in when multi-factor authentication is unavailable, and specify a cloud URL to be used in multi-factor authentication.
  • Network and cache settings—Contains policies to specify the maximum period for client connection time-outs and object expiration intervals. You can use these settings to determine how long to wait for a response when connecting to Active Directory and how long objects should be kept in the local cache.
  • NIS daemon settings—Contains policies to control operation of the Centrify Network Information Service (adnisd) on the local host computer. The adnisd service provides a mechanism for the Centrify agent to respond to NIS client requests from other computers not managed by Centrify software.
  • NSS overrides—Contains policies to specify the passwd or group override entries you want to use in place of the entries in the local /etc/passwd or /etc/group files. You can use these settings to provide fine-grained control of the users and groups who can use the computer and to override the user ID, group ID, default shell, or home directory for specific login accounts or groups.
  • PAM settings—Contains policies to customize the behavior of the Centrify PAM module.
  • Password prompts—Contains policies to customize the prompts displayed when Active Directory users are prompted to provide their password. You can use these settings to change the text displayed when Active Directory users log in or change their password.
  • Sudo settings—Contains policies to control certain aspects of the operation of sudo.
  • User's initial group ID—Contains policies to control group numbers. You can use this setting to specify the default group identifier for new users.