By default, all Active Directory users are included in the Auto Zone. If you specify one or more groups using this parameter the only users who can log in using their Active Directory account are members of the specified groups, members of nested groups, users whose primary group is set to one of the groups specified, and all users specified in auto.schema.allow.users.
For example, to specify that only the members of the sf-adms and sf-apps groups should be allowed to log on to computers in Auto Zone, you would enter the following:
auto.schema.allow.groups: sf-adms sf-apps
The groups you specify for the auto.schema.allow.groups parameter must be security groups, but can be domain local, global, or universal groups.Distribution groups are not supported.
You can separate each group by a space or a comma and you can use double quotes or escape characters to include spaces or special characters in group names. For example: in group names. For example,
auto.schema.allow.groups: centrify_users, "Domain Admins", Domain\ Users
You should note that this parameter does not add the Active Directory groups you specify to Auto Zone. It does not assign the groups a numeric identifier (GID) or make the groups available to use as a primary group for any of the users added to Auto Zone. This parameter simply enables UNIX profiles for the users that are members of the specified groups. You can use the auto.schema.groups parameter to specify the Active Directory groups to include an in the Auto Zone and assign it a GID. You can configure the primary group for users using the auto.schema.primary.gid parameter.