Specify groups of AD users allowed in Auto Zone

Specify which Active Directory users to include in the Auto Zone using group membership as the criteria.

By default, all Active Directory users are included in the Auto Zone. When you enable one or more groups using this group policy, only the users who are members of the groups specified, including members of any nested groups and the users whose primary group is set to one of the groups specified, plus the users specified in for the "Specify AD users allowed in Auto Zone" group policy are able to log on using their Active Directory account. [Note that the group you specify for this policy is not added to Auto Zone and not automatically assigned a GID. Use the "Specify groups of AD users allowed in Auto Zone" group policy if you want to include a group in the Auto Zone and assign it a GID.]

Note: Auto Zone does not support one-way trusts. Therefore, if there are users in a specified group who belong to a domain that has a one-way trust relationship to the joined domain, they do not become valid users on the computer.

Any groups listed in this group policy can be domain local, global, or universal groups. The groups must be security groups, however. Distribution groups are not supported.

You can specify groups by name or you can list the group names in a file. The group name can be specified in any of the following formats:
- SAM account name: [email protected]
(you must specify the domain if the group is not in the current domain)
- User Principal Name: [email protected]
- NTLM: DOMAIN+sAMAccountName
- Full DN: CN=commonName,...,DC=domain_component,DC=domain_component
- Canonical Name: domain.com/container/cn

If a name contains space characters, you can put the name in double quotes or escape the space characters using backslashes:
"Domain Admins", Domain\ Users

The adclient process writes any name that is not recognized to the Centrify agent log file.

You can enter the list of groups of users separated by commas, for example:
centrify_users, "Domain Admins", Domain\ Users, group1, [email protected], DOMAIN+group3, CN=group4\,CN=Users\,DC=domain\,DC=com, domain.com/Users/group5

You can also use a file to specify groups. In the file, enter each name line by line. You can mix name formats, for example:
"Domain Admins"
Domain Users
[email protected]

This policy modifies the auto.schema.allow.groups setting in the centrifydc.conf configuration file.

Supported on:

Skip items whose name is

Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Adclient
Value Name{number}
Default Value


Administrative Templates (Computers)

Administrative Templates (Users)