Using standard Windows group policies

Every Group Policy Object includes default administrative templates for user and computer configuration. Most of the settings in the default administrative templates apply only to Windows computers and Windows user accounts. However, a few of these common Windows configuration settings can also be applied to Centrify-managed computers and users. These configuration options are not duplicated in Centrify administrative templates.

You can set the following standard Windows group policy options for Centrify-managed computers and users:

Each entry below gives the Windows object to select, followed by the policies you can set under it.

Computer Configuration > Policies > Administrative Templates > System > Group Policy

  • Turn off background refresh of Group Policy
  • Group Policy refresh interval for computers

Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers

  • Global Configuration Settings - MaxPollInterval

Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers

  • Enable Windows NTP Client

This policy specifies that adclient poll the domain NTP server to synchronize the clock of the local computer.

This policy modifies the adclient.sntp.enabled parameter in the centrifydc.conf configuration file.

If you disable this policy, adclient does not attempt to synchronize the computer with the domain NTP server. The computer uses the local NTP policies, as defined in ntp.conf.

Whether you enable the policy or not, no settings are changed in the ntp.conf file.
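One way to confirm on a managed computer which clock source the Enable Windows NTP Client policy has left in effect, as an added example that is not Centrify's own code. It assumes centrifydc.conf uses "name: value" lines with "#" comments; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centrify code): check which clock source the
# "Enable Windows NTP Client" policy has left in effect on a managed host.
# Assumption: centrifydc.conf holds "name: value" lines and "#" comments.

# Print the value of the last uncommented adclient.sntp.enabled line,
# lower-cased, or "unset" if the parameter does not appear.
sntp_setting() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*adclient\.sntp\.enabled[ \t]*:/ {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)    # drop the "name:" prefix
            sub(/[ \t\r]+$/, "", val)        # drop trailing blanks or CR
            found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Map the setting to the component that synchronizes the clock.
time_source() {
    case "$(sntp_setting "$1")" in
        true)  echo "adclient" ;;     # adclient polls the domain NTP server
        false) echo "ntp.conf" ;;     # local NTP policies apply
        unset) echo "unset" ;;        # parameter absent from this file
        *)     echo "invalid" ;;      # unreadable file or unexpected value
    esac
}

# Constructed sample file for the demo; pass the real file path instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# adclient.sntp.enabled: true
adclient.sntp.enabled: false
EOF
echo "clock source: $(time_source "$sample")"
rm -f "$sample"
```

Because the policy never edits ntp.conf, a result of "ntp.conf" means the local NTP configuration should be reviewed separately.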

Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card > Allow certificates with no extended key usage certificate attribute

  • Allow sctool to obtain Kerberos credentials even though the certificate does not have the extended key usage attribute.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Prompt user to change password before expiration

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
  • Store passwords using reversible encryption

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

  • Specifies the trusted root CA certificate to use

User Configuration > Policies > Administrative Templates > System > Group Policy

  • Group Policy refresh interval for users