#4099 [RFE] Make SSSD GPO code work with built-in AD group SIDs
Opened 4 months ago by mzidek. Modified 4 months ago

The SSSD code currently ignores AD built-in groups. There is no mapping
to POSIX IDs for these groups and there is no mapping because there are
no corresponding generic groups on the UNIX/Linux side.

For the most part this is OK, but in GPO code it would be good to not
ignore the built-in groups. It is common practice to include the
built-in group Administrators in all "allow" GPO access control rules.
With SSSD not supporting it, the groups either need to specifically allow
the user Administrator or some other groups such as Domain Admins.
This is not convenient and Active Directory actually prints a warning
if the Administrators built-in group is not a member of some allow
access control rule (like Allow log on locally) so we should support
this use case.

