This configuration parameter specifies the groups that cannot be prevalidated to access the local UNIX computer. If you allow any groups or users to be prevalidated, you can use this parameter to define exceptions for any groups that should be prevented from prevalidation. In most cases, you would use this parameter to exclude a subset of users that are in a member group of an allowed group. For example, to allow all users in the admins group to be prevalidated, except the users who are members of the outsource subgroup, you could set the adclient.prevalidate.allow.groups and adclient.prevalidate.deny.groups parameters like this:

adclient.prevalidate.allow.groups: admins
adclient.prevalidate.deny.groups: outsource

In most cases, you set this configuration parameter using group policy.

If you are manually setting this parameter, the parameter value must be a comma-separated list of UNIX group names. Enclose group names with spaces in double quotes, for example:

adclient.prevalidate.deny.groups: performx,qualtrak,"domain admins"