Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

New Active Directory Integration features in Ubuntu 22.04 (part 3) – Privilege Management

This article was last updated 1 year ago.


Linux Active Directory (AD) integration is historically one of the most requested functionalities by our corporate users, and with Ubuntu Desktop 22.04, we introduced ADsys, our new Active Directory client. This blog post is part 3 of a series where we will explore the new functionalities in more detail.

The latest Verizon Data Breach report highlighted that leaked credential and phishing combined account for over 70% of the causes of cyberattacks. User management therefore plays a critical role in reducing your organisation attack surface. In this article we will focus on how Active Directory can be used to control and limit the privileges your users have on on their Ubuntu machines.

While there are significant differences between how Windows and Linux systems perform user management, with ADsys we tried to keep the IT administrators’ user experience as similar as possible to the one currently available for Windows machines.

You can find links to the other articles in the series below:

User management on Linux

Before discussing the new ADsys features it is important to understand the types of users available in Ubuntu and how privileges are managed in the operating system.

There are three types of users in Ubuntu:

  • SuperUser or Root User: the administrator of the Linux system who has elevated rights. The root user doesn’t need permission to run any command. In Ubuntu the root user is available but disabled by default. 
  • System User: the users created by installed software or applications. For example when we install Apache Kafka in the system, it will create the user account named “Apache” to perform application specific tasks.
  • Normal User: the accounts which are used by the users and have a limited set of permissions.

Normal users can use sudo to run programs with the administrative privileges which are normally reserved to the root user.

In order to guarantee the right balance between developer productivity and security it is important for IT administrators to have a centrally defined set of users who are able to execute privileges commands on a machine. A crucial step for this, and the primary driver behind the new feature, was the ability to remove local administrators and enable administrative rights based on Active Directory group membership.

Managing Ubuntu users with Active Directory

Active Directory Admin Center

As discussed in part 2 of this blog series you need to import in Active Directory the administrative templates generated by the ADsys command line or available on the project GitHub repository. Once done, the privilege management settings are globally enforced machine policies that are available at Computer Configuration > Policies > Administrative Templates > Ubuntu > Client management > Privilege Authorization in your Active Directory Admin Center.

By default members of the local sudo group are administrators on the machine. If the ocal User setting is set to  Disabled the sudo group members are not considered administrators on the client. This means that only valid Active Directory users are able to log in to the machine.

Similarly it is possible to grant administrator privileges to specific Active Directory users and groups, or a combination of both. Using groups is an essential feature to allow you to securely manage administrators across machines, as privileged access reviews will be reduced to reviewing membership to a single or a few Active Directory groups. 

Additional resources and how to get the new features

The features described in this blog post are available for free for all Ubuntu users, however you need an Ubuntu Pro subscription to take advantage of the privilege management and remote scripts execution features. You can get a personal license free of charge using your Ubuntu SSO account. ADSys is supported on Ubuntu starting from 20.04.2 LTS, and tested with Windows Server 2019.

We have recently updated the Active Directory integration whitepaper to include a practical step by step guide to help you take you full advantage of the new features. If you want to know more about the inner workings of ADsys you can head to its Github page or read the product documentation.

If you want to learn more about Ubuntu Desktop, Ubuntu Advantage or our advanced Active Directory integration features please do not hesitate to contact us to discuss your needs with one of our advisors.

Find out more

Ubuntu desktop

Learn how the Ubuntu desktop operating system powers millions of PCs and laptops around the world.

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

Announcing Authd: OIDC authentication for Ubuntu Desktop and Server

Today we are announcing the general availability of Authd, a new authentication daemon for Ubuntu that allows direct integration with cloud-based identity...

Entra ID authentication on Ubuntu at scale with Landscape

Authd allows Entra ID authentication on both Ubuntu Desktop and Server. Learn how to configure Authd at scale using Landscape and Cloud-init

Imagining the future of Cybersecurity

October 2024 marks the 20th anniversary of Ubuntu. The cybersecurity landscape has significantly shifted since 2004. If you have been following the Ubuntu...