5. In the GPMC, run Group Policy Modeling to pinpoint the offending policy setting and then modify the policy setting to grant the correct level of user right to the computer or user.
For more information, see Group Policy Modeling, at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781242(v=ws.10).
In the screen shot, for example, the cause of the problem is that the Deny access to this computer from the network policy setting in the Default Domain Policy GPO contains the domain computers group.
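The check below is an added example and is not code from the BeyondTrust guide. It exports the effective user-rights assignment on a domain controller with secedit and lists every principal that currently holds the Deny access to this computer from the network right (SeDenyNetworkLogonRight), resolving SIDs to account names so that an entry such as Domain Computers stands out. It assumes an elevated PowerShell session on the domain controller; the temporary file name is arbitrary.

```powershell
# Added example, not from the BeyondTrust guide. Lists who holds SeDenyNetworkLogonRight
# on this domain controller, as applied by local policy plus the GPOs in effect.
# Assumption: run elevated on the domain controller the AD Bridge client talks to.
function Get-DenyNetworkLogonPrincipals {
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'   # arbitrary temp file name
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
        if (-not $line) { return @() }          # right is not assigned to anyone
        # Line format: SeDenyNetworkLogonRight = *S-1-5-21-...-515,*S-1-5-32-546
        # SIDs are prefixed with '*'; anything else is already an account name.
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Name = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-DenyNetworkLogonPrincipals | Format-Table -AutoSize
```

If the output contains the domain's Domain Computers group (the SID ending in -515), the machine account of every domain-joined computer, including the AD Bridge client, is denied network logon to that domain controller, which matches the cause shown in the screen shot; the fix is the GPO change described in step 5, not a local edit, because local changes are overwritten at the next policy refresh.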
Fix Selective Authentication in a Trusted Domain
When you turn on selective authentication for a trusted domain, AD Bridge can fail to look up users in the trusted domain because the machine account is not allowed to authenticate with the domain controllers in the trusted domain. Here is how to grant the machine account access to the trusted domain:
1. In the domain the computer is joined to, create a global group and add the computer's machine account to the group.
2. In the trusted domain, in Active Directory Users and Computers, select the Domain Controllers container and open Properties.
3. On the Security tab, click Advanced, click Add, enter the global group, and then click OK.
4. In the Permission Entry box, under Apply onto, check Computer objects. Under Permissions, find Allowed to Authenticate
and check it. Click OK and then click Apply in the Advanced Security Settings box.
5. If you have already joined the AD Bridge client computer to the domain, restart the AD Bridge authentication service:
/opt/pbis/bin/lwsm restart lsass
For more information, see Configuring Selective Authentication Settings, at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755844(v=ws.10).
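The script below is an added example, not code from the BeyondTrust guide or from AD Bridge itself. It performs steps 1 through 4 of the procedure above with the ActiveDirectory PowerShell module and ADSI instead of the GUI: it creates the global group in the joined domain, adds the machine account, and then adds an access control entry on the trusted domain's Domain Controllers container that grants the group the Allowed to Authenticate extended right, applied onto computer objects. The domain names, client name and group name are placeholders to edit; the two GUIDs are the well-known schema identifiers of the Allowed-To-Authenticate control access right and the computer object class. It assumes an account with rights to create groups in the joined domain and to modify the Domain Controllers container's security in the trusted domain.

```powershell
# Added example, not from the BeyondTrust guide. Scripts steps 1-4 of the
# selective-authentication fix. Placeholder values; edit for your forest.
$JoinedDomain  = 'joined.example.com'     # domain the AD Bridge client is joined to
$TrustedDomain = 'trusted.example.com'    # trusted domain with selective authentication enabled
$ClientName    = 'linuxclient01'          # machine account name, without the trailing '$'
$GroupName     = 'ADBridge-SelectiveAuth' # global group to create in the joined domain

Import-Module ActiveDirectory

# Step 1: global group in the joined domain, with the machine account as a member.
$joinedDC = (Get-ADDomainController -DomainName $JoinedDomain -Discover).HostName[0]
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $joinedDC
if (-not $group) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Server $joinedDC
    $group = Get-ADGroup -Identity $GroupName -Server $joinedDC
}
$computer = Get-ADComputer -Identity $ClientName -Server $joinedDC
$alreadyMember = Get-ADGroupMember -Identity $group -Server $joinedDC |
    Where-Object { $_.SID -eq $computer.SID }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $group -Members $computer -Server $joinedDC
}

# Steps 2-4: on the trusted domain's Domain Controllers container, grant the group the
# Allowed to Authenticate extended right, applied onto descendant computer objects
# (the "Apply onto: Computer objects" choice in the Permission Entry dialog).
$trustedDC = (Get-ADDomainController -DomainName $TrustedDomain -Discover).HostName[0]
$dcOuDN    = (Get-ADDomain -Server $trustedDC).DomainControllersContainer

# Well-known AD schema GUIDs.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # Allowed-To-Authenticate right
$computerClass         = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$ou = [ADSI]"LDAP://$trustedDC/$dcOuDN"
$ou.psbase.ObjectSecurity.AddAccessRule($ace)
$ou.psbase.CommitChanges()

# Verification: show the Allowed to Authenticate entries now present on the container.
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, InheritanceType, InheritedObjectType
```

The ACE references the group by SID, which is what the GUI stores as well, so the group from the joined domain is honoured across the trust. Step 5 of the procedure is unchanged: on an already-joined AD Bridge client, restart the authentication service with /opt/pbis/bin/lwsm restart lsass so that it picks up the new access.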
Troubleshoot the AD Bridge Cache
If a cache becomes corrupted or if certain conditions occur, you may need to clear caches.
Clear the Authentication Cache
There are certain conditions under which you must clear the cache before a user's ID is recognized on a target computer. By default, the user's ID is cached for 4 hours. If you change a user's UID in an AD Bridge Cell, then during the 4 hours after the change you must clear the cache on each target computer in the cell before the user can log on. Until the cache is cleared or expires, the computer resolves the old UID.
One AD Bridge Group Policy setting affects the cache time: Cache Expiration Time. It controls how long the cache retains UID-SID mappings, user and group enumeration lists, and the results of getgrnam() and getpwnam(). Its default expiration time is 4 hours.
SALES: www.beyondtrust.com/contact
SUPPORT: www.beyondtrust.com/support
DOCUMENTATION: www.beyondtrust.com/docs
©2003-2024 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC: 2/28/2024
AD BRIDGE
TROUBLESHOOTING GUIDE