| GPO Name | Description |
|---|---|
| Lsassd: Enable NSS enumeration | Controls whether all users or all groups can be incrementally listed through NSS. On Linux computers and Unix computers, the default setting is set in the registry as 0, or turned off. To allow third-party software to show Active Directory users and groups in lists, you can turn on this setting, but performance might be affected. |
| Lsassd: Force authentication to use unprovisioned mode | To use the AD Bridge agent to join a computer to a domain that has not been configured with cell information, you must set this group policy to unprovisioned mode. |
| Lsass: User names to ignore | User account names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of account names. Note: If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application. |
| Lsass: Group names to ignore | Group names to ignore on target AD Bridge clients. The policy can contain a comma-separated list of group names. Note: If Apply Policy is set to Always (default), any changes to managed system files on the agent system will be replaced when group policy is next applied. If a managed system file is edited or removed, gpupdate will recreate the file on policy refresh. If set to Once, any changes to managed system files on the agent system will only be replaced when the policy is updated or gpagent is restarted. Backups of existing system files are performed before initial policy application. |
| Lsass: Ignore all trusts during domain enumeration | Determines whether the authentication service discovers domain trusts. In the default configuration of disabled, the service enumerates all the parent and child domains and forest trusts to other domains. For each domain, the service establishes a preferred domain controller by checking for site affinity and testing server responsiveness, a process that can be slowed by WAN links, subnet firewall blocks, stale AD site topology data, or invalid DNS information. When it is unnecessary to enumerate all the trusts – for example, the intended users of the target computer are only from the forest that the computer is joined to – turning on this setting can improve startup times of the authentication service. |
| Lsass: Domain trust enumeration include list | When turned on, only the domain names in the include list are enumerated for trusts and checked for server availability. |
| Lsass: Domain trust enumeration exclude list | When turned off (default setting), the domain names in the exclude list are not enumerated for trusts and not checked for server availability. |
| Lsass: Require trust enumeration to complete during startup | Sets the AD Bridge authentication service (Lsass) to finish enumerating all the domain trusts before the service indicates that it has started. You can use this policy to help sequence services, such as crond, that depend on Lsass for user and group object lookups. Default is turned off. |
| Domain Separator Character | Configures the domain separator used by the AD Bridge agent for user and group account name lookups with a character that you choose. |
| Cache Expiration Time | You can use this policy to improve the performance of your system by increasing the expiration time of the cache. |
©2003-2024 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or
depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC: 2/28/2024
AD BRIDGE
GROUP POLICY REFERENCE GUIDE