Match Block

You can use the Match Block group policy to add or edit match criteria so that you can match users using a variety of sub-directives.

For example, you can use this group policy to set different combinations of key/value pairs that match conditions, such as the following general cases:

  • A key/value to match a condition (key/value)
  • Multiple keys/values to match a condition (key/value)
  • The same keys/values to match multiple conditions (keys/values)
  • Multiple keys/values to match multiple conditions (keys/values)
  • Multiple conditions (keys/values) (This has the same effect as setting the policies (keys/values) individually)

For example, you could use the Match Block group policy to fulfill the following use case:

"Any user with an account login ending with *-adm will not be able to use PubkeyAuthentication"

For this example, you would set "Match User *-adm" in the match directives and set "PubkeyAuthentication no" in its sub-directives.

The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address.

The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators.

The patterns in an Address criterion may additionally contain addresses to match in CIDR address/masklen format, such as "192.0.2.0/24" or "3ffe:ffff::/32". Note that the mask length provided must be consistent with the address: it is an error to specify a mask length that is too long for the address, or one with bits set in the host portion of the address. Examples of these two errors are "192.0.2.0/33" and "192.0.2.0/8", respectively.
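The two CIDR errors described above can be caught before a policy is deployed. The following is an added example, not part of the product or its documentation; the function names are hypothetical, and entries without a "/" (plain addresses and wildcard patterns) are assumed to need no mask check.

```python
import ipaddress

def check_address_pattern(pattern):
    """Return None if one Match Address entry is acceptable, else the reason it is not."""
    entry = pattern.strip().lstrip("!")   # "!" is the negation operator
    if "/" not in entry:
        return None                       # assumption: non-CIDR entries are not checked here
    addr, _, masklen = entry.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid address"
    if not (masklen.isascii() and masklen.isdigit()):
        return "invalid mask length"
    bits = int(masklen)
    if bits > ip.max_prefixlen:           # 32 for IPv4, 128 for IPv6
        return "mask length too long for address"
    host_mask = (1 << (ip.max_prefixlen - bits)) - 1
    if int(ip) & host_mask:               # any bit set outside the network prefix
        return "bits set in host portion of address"
    return None

def check_address_list(patterns):
    """Check a comma-separated Address pattern list; return {entry: reason} for bad entries."""
    problems = {}
    for entry in patterns.split(","):
        reason = check_address_pattern(entry)
        if reason:
            problems[entry.strip()] = reason
    return problems

if __name__ == "__main__":
    # Constructed sample list built from the addresses quoted in the text above.
    sample = "192.0.2.0/24,3ffe:ffff::/32,192.0.2.0/33,!192.0.2.0/8"
    for entry, reason in check_address_list(sample).items():
        print(f"{entry}: {reason}")
```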

Check the group policy explain text for details on which keywords can be used.