nss.squash.root

This configuration parameter specifies whether you want to force root and wheel super-user accounts to be defined locally. If you set this parameter to true, Active Directory users with a UID of 0, a GID of 0, a user or group name of root, or a group name of wheel are not permitted to log on. Because the agent cannot prevent Active Directory users or groups from being assigned a UID or GID of 0, which would give those users or groups root-level access to the computers in a zone, you can use this parameter to prevent any Active Directory users with a UID or GID of 0 from logging on. Setting this parameter to true forces the privileged accounts to be defined as local accounts and not authenticated through Active Directory.

For example:

nss.squash.root: true

If you set this parameter to false, you should use other configuration parameters, such as pam.ignore.users or user.ignore to skip Active Directory authentication for system accounts so that Active Directory users cannot be granted root access on the computers in the zones they are permitted to access.

The default value for this parameter is true. It is possible, however, for an Active Directory administrator to override this setting through the use of group policy applied to a local computer, for example, by using the Sudo rights group policy. There is no way to effectively prevent the setting from being changed, except by disabling computer-based group policies in the local centrifydc.conf file or by strictly controlling who has permission to enable and apply group policies to computers that join an Active Directory domain. For information about disabling group policies using parameters in the local centrifydc.conf file, see gp.disable.all or gp.disable.machine in Customizing group policy configuration parameters