
Massimiliano Gori
on 17 June 2022

New Active Directory Integration features in Ubuntu 22.04 (part 3) – Privilege Management


Linux Active Directory (AD) integration is historically one of the most requested functionalities by our corporate users, and with Ubuntu Desktop 22.04, we introduced ADsys, our new Active Directory client. This blog post is part 3 of a series where we will explore the new functionalities in more detail.

The latest Verizon Data Breach report highlighted that leaked credentials and phishing combined account for over 70% of the causes of cyberattacks. User management therefore plays a critical role in reducing your organisation's attack surface. In this article we will focus on how Active Directory can be used to control and limit the privileges your users have on their Ubuntu machines.

While there are significant differences between how Windows and Linux systems perform user management, with ADsys we tried to keep the IT administrators’ user experience as similar as possible to the one currently available for Windows machines.

You can find links to the other articles in the series below:

User management on Linux

Before discussing the new ADsys features it is important to understand the types of users available in Ubuntu and how privileges are managed in the operating system.

There are three types of users in Ubuntu:

  • SuperUser or Root User: the administrator of the Linux system who has elevated rights. The root user doesn’t need permission to run any command. In Ubuntu the root user is available but disabled by default. 
  • System User: the users created by installed software or applications. For example, when we install Apache Kafka in the system, it will create the user account named “Apache” to perform application-specific tasks.
  • Normal User: the accounts which are used by the users and have a limited set of permissions.

Normal users can use sudo to run programs with the administrative privileges which are normally reserved to the root user.

To strike the right balance between developer productivity and security, it is important for IT administrators to have a centrally defined set of users who are able to execute privileged commands on a machine. A crucial step for this, and the primary driver behind the new feature, was the ability to remove local administrators and enable administrative rights based on Active Directory group membership.

Managing Ubuntu users with Active Directory

Active Directory Admin Center

As discussed in part 2 of this blog series you need to import in Active Directory the administrative templates generated by the ADsys command line or available on the project GitHub repository. Once done, the privilege management settings are globally enforced machine policies that are available at Computer Configuration > Policies > Administrative Templates > Ubuntu > Client management > Privilege Authorization in your Active Directory Admin Center.

By default, members of the local sudo group are administrators on the machine. If the Local User setting is set to Disabled, the sudo group members are not considered administrators on the client. This means that only valid Active Directory users are able to log in to the machine.

Similarly it is possible to grant administrator privileges to specific Active Directory users and groups, or a combination of both. Using groups is an essential feature to allow you to securely manage administrators across machines, as privileged access reviews will be reduced to reviewing membership to a single or a few Active Directory groups. 
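
To check on a client that this policy has had the intended effect, the following shell helper (an added example, not part of ADsys or of the original post) lists who holds full sudo rights before and after local administrators are disabled. The sample files, the drop-in name 99-enforce, the group linux-admins@example.com and the form of the sudoers lines are constructed assumptions, as is the convention that directory principals contain "@"; the page does not show what ADsys writes on disk.

```shell
#!/bin/sh
# Privileged-access review helper (added example, not part of ADsys).

# Print every sudoers principal whose LAST full-access rule grants ALL.
# sudo uses the last matching rule, so a later "!ALL" revokes an earlier grant.
# Pass files in the order sudo reads them. Per-command grants are ignored.
admin_principals() {
    awk '
        /^[ \t]*(#|$)/ || /^Defaults/ { next }
        $2 ~ /^ALL=/ && ($NF == "ALL" || $NF == "!ALL") {
            who = $1; gsub(/"/, "", who)
            if (!(who in last)) order[++n] = who
            last[who] = $NF
        }
        END { for (i = 1; i <= n; i++) if (last[order[i]] == "ALL") print order[i] }
    ' "$@"
}

# Expand principals: names with "@" are reported as directory principals
# (assumption), %group is expanded to the members in the local group file.
review_admins() {   # usage: review_admins GROUP_FILE SUDOERS_FILE...
    groupfile=$1; shift
    admin_principals "$@" | while read -r who; do
        case $who in
            *@*) echo "directory $who" ;;
            %*)  awk -F: -v g="${who#?}" '$1 == g { n = split($4, m, ",")
                     for (i = 1; i <= n; i++) print "local " m[i] " (via %" g ")" }' "$groupfile" ;;
            *)   echo "local $who" ;;
        esac
    done
}

# Constructed sample data: a local group file, a stock sudoers file, and a
# drop-in in an ASSUMED form (deny local groups, grant one AD group).
make_sample() {   # usage: make_sample DIR
    printf '%s\n' 'sudo:x:27:alice,bob' 'admin:x:118:' > "$1/group"
    printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
        '%admin ALL=(ALL) ALL' '%sudo ALL=(ALL:ALL) ALL' > "$1/sudoers"
    printf '%s\n' '%admin ALL=(ALL) !ALL' '%sudo ALL=(ALL:ALL) !ALL' \
        '"%linux-admins@example.com" ALL=(ALL:ALL) ALL' > "$1/99-enforce"
}

d=$(mktemp -d); make_sample "$d"
echo "== before policy =="; review_admins "$d/group" "$d/sudoers"
echo "== after policy ==";  review_admins "$d/group" "$d/sudoers" "$d/99-enforce"
rm -rf "$d"
```

On a real machine, pass /etc/group followed by /etc/sudoers and the files under /etc/sudoers.d in lexical order; any line still reported as "local" other than root is an account the review has to cover outside Active Directory.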

Additional resources and how to get the new features

The features described in this blog post are available for free for all Ubuntu users; however, you need an Ubuntu Pro subscription to take advantage of the privilege management and remote scripts execution features. You can get a personal license free of charge using your Ubuntu SSO account. ADsys is supported on Ubuntu starting from 20.04.2 LTS, and tested with Windows Server 2019.

We have recently updated the Active Directory integration whitepaper to include a practical step-by-step guide to help you take full advantage of the new features. If you want to know more about the inner workings of ADsys you can head to its GitHub page or read the product documentation.

If you want to learn more about Ubuntu Desktop, Ubuntu Advantage or our advanced Active Directory integration features please do not hesitate to contact us to discuss your needs with one of our advisors.
