How to use GPO with Ubuntu

As explained in previous chapter, there are 2 sets of Ubuntu specific settings in the Group Policy Management Editor:

  • [Policy Name] > Computer Configuration > Policies > Administrative Templates > Ubuntu for the machine policies.

  • [Policy Name] > User Configuration > Policies > Administrative Templates > Ubuntu for the user policies.

Your first Ubuntu GPO rule

For this example we will use a test domain called warthogs.biz with 2 separate OUs.

  • The machine is called adclient04 and belongs to warthogs.biz > MainOffice Main Office OU in Active Directory

  • The user is called bob and belongs to warthogs.biz > IT Dept > RnD IT Deps/RnD OU in Active Directory

In this example, we will demonstrate how to change dconf settings. We will first modify the greeter background image to illustrate how to enforce a computer setting and the list of preferred applications in the launcher for the user settings.

Modifying a computer setting

Launch the GPO Management editor and create a GPO in warthogs.biz > MainOffice

  1. Select GDM background picture setting in Computer Configuration > Policies > Administrative Templates > Ubuntu > Login Screen > Interface > Picture URI.

  2. Select Enabled to enable the modification of the Picture URI field.

  3. Enter a valid absolute path to a .png image on the client machine, e.g. /usr/share/backgrounds/ubuntu-default-greyscale-wallpaper.png.

  4. Refresh the GPO rule on the client by rebooting the machine or running adsysctl update -m (You may be prompted to enter your password to check if have enough privileges to run the command)

GDM Picture URI setting

The change is now visible on the greeter.

Greeter with custom background

Files are not copied by the Active Directory client and must already exist on the target system at this given path.

Modifying an user setting

  1. Let’s create another GPO in warthogs.biz > IT Dept > RnD.

  2. Select the list of favorite desktop applications setting in User Configuration > Policies > Administrative Templates > Ubuntu  > Desktop > Shell > List of desktop file IDs for favorite applications.

  3. Enter a list of valid .desktop file IDs, one per line, like the following:

libreoffice-writer.desktop
snap-store_ubuntu-software.desktop
yelp.desktop

Favorite applications settings

  1. Refresh the GPO rule applied to the user by logging in or running adsysctl update as your current user or adsysctl update --all to refresh the computer and all active users.

The list of applications showing up on the left side for your current Active Directory user should be updated.

Customized list of applications

There are other ways of defining a list in ADSys / Active Directory integration. Check the “Different types of widgets” section below.

General principles

There are multiple policy managers for different types of settings. As of now, only a dconf manager is available.

When settings are common to a machine and users, the machine settings will always take precedence over the user ones.

The workflow to update a setting in the GPO Management editor and to apply the setting to a target user or machine is similar to Windows clients. However, we will see below that there are slight differences when the GPO are applied and refreshed between Windows and Ubuntu.

When are GPO applied?

Any change to a GPO is applied:

  • On boot for the machine settings

  • On login for the user settings

  • A periodic refresh timer will update the GPOs of the machine and all active users.

Next section will detail how to configure this and what happens when the Active Directory controller is unreachable.

State of GPO settings

Most GPO rules can have 3 states: enabled, disabled, not configured. These states may have different meanings depending on the manager.

States

General information of a setting

The left pane of the GPO Management Editor contains the options that can be edited when a setting is enabled.

list of values for each release

There is a default value for all the releases and an override for each supported release of Ubuntu. More about multiple releases in the next section.

The right pane of the GPO Management editor contains the general information about the GPO including:

  • The description of the setting

  • The type of settings (e.g. dconf)

  • The path of the key in our schema

  • The default value of the key that is used if nothing is set on the left pane. Note that if defaults differ between releases, this will be a list per release.

  • The list of releases that support this setting.

General information of a setting

Different types of widgets

Text entry

The type Text represents a single line of text. If you don’t enclose a string with single quotes ' and the value is not a decimal, it will be done automatically and the entry will be sanitized (e.g. space, '…). If you want to force a decimal to be treated as a string, enclose the value with single quotes.

The default value will be already set.

Text field

Text list

A multiline text field is used for this case. A list can be:

Text list

  • One item per line: any end of line will be considered as a delimiter Example:

libreoffice.desktop
firefox.desktop
nautilus.desktop

  • Multiple items on one line: a coma , is the item delimiter:

libreoffice.desktop, firefox.desktop, nautilus.desktop

Note that spaces will be stripped automatically.

  • Both syntaxes can be combined:

libreoffice.desktop, firefox.desktop
nautilus.desktop

The type can be either text or numeric:

  • Text list:

libreoffice.desktop
firefox.desktop
nautilus.desktop

  • Decimal list:

42
300
10

Ensure that you enter the valid type of list, as expected by dconf setting. ADSys will do its best to try to match the entry with the right and expected dconf type.

String or decimal field ?

The type of the value will be detected automatically and interpreted as a number if it contains only digits and no quotes, everything else is considered a string. If you want to enforce a list to have string entries, enclose each entry with single quotes.

Text list:

'42'
'300'
'10'

Checkbox

A checkbox will correspond to set to true or false values for the corresponding setting. The default value will be already selected.

Checkbox field

Decimal

Decimal values are fields that allow only digits with optional upper and lower bounds. A spinner helps the user to increase or decrease the value.

Checkbox field

The limits, if any, will be specified in the right section, per release.

Multi-release support

ADSys supports setting different values for different releases of Ubuntu.

The top entry will set a common value between all clients, independently of the release it’s running on.

If you need to specify a per-release value for a set of clients, select the Override checkbox for the corresponding release and enter a value in the associated field. If the Override is checked, but no value is specified, the default value for this release will be used.

By definition, override takes precedence over the default value defined at the top for all the releases.

Finally, note that the help text on the right panel will list each default per release if they differ between themselves. In addition, it will list the supported releases for this setting.

Different defaults between releases

Multi-release overrides are only available when your Active Directory administrative templates defines more than one release. If this is not the case, you will only see the top entry to define your policy.