How to manage Ubuntu fleets using on-premises Active Directory and ADSys

The “hybrid fleet” is today’s reality: organizations diversify operating systems while Microsoft Active Directory (AD) remains the dominant identity “source of truth.” IT administrators must ensure Linux machines, like Ubuntu desktops and servers, behave as first-class citizens in this environment. Efficient Linux management demands unified identity and policy management, ensuring that local authentication mechanisms and system configuration on Ubuntu endpoints respect the central authority of AD.
AD and the System Security Services Daemon (SSSD)
For Ubuntu, the SSSD acts as the foundational technology for Active Directory integration. Instead of disparate config files or legacy LDAP scripts, SSSD has long provided a modular architecture that abstracts the complexities of backend providers.
When configured with the AD provider, SSSD communicates natively with domain controllers using standard protocols: Kerberos for authentication and LDAP for directory queries. SSSD automatically maps SID-to-UID/GID, translating Windows Security Identifiers (SIDs) into Linux-compatible numeric User IDs (UIDs) and Group IDs (GIDs) for file access. This eliminates the need to manually extend the AD schema with Portable Operating System Interface (POSIX) attributes, cutting deployment friction significantly.
Enterprise fleets, especially mobile workstations, need reliable offline access. SSSD delivers this by caching password hashes locally via cache_credentials and offline_credentials_expiration, keeping users authenticated – even when disconnected from the corporate network.
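As an added example (not code from the Canonical post or from the ADSys project), the following POSIX shell script audits an sssd.conf for the settings this section discusses: the AD identity and access providers, SID-to-UID/GID mapping (ldap_id_mapping), credential caching (cache_credentials) and the offline expiry window (offline_credentials_expiration). The domain example.com and both configuration files are constructed for the demonstration; the first file shows a weak configuration and the second the corrected one.

```shell
#!/bin/sh
# Added example, not Canonical's code: audit an sssd.conf for the AD-provider
# settings described above. Domain "example.com" and both files are constructed.

# get_opt FILE SECTION KEY -> prints the value, lowercased; empty when unset.
get_opt() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sect = (index($0, "[" sect "]") > 0); next }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1" | tr '[:upper:]' '[:lower:]'
}

# audit_sssd_conf FILE DOMAIN -> one FINDING line per gap; empty when sound.
audit_sssd_conf() {
    conf=$1; sect="domain/$2"
    v=$(get_opt "$conf" "$sect" id_provider)
    [ "$v" = "ad" ] || echo "FINDING: id_provider='${v:-unset}', expected 'ad'"
    v=$(get_opt "$conf" "$sect" access_provider)
    [ "$v" = "ad" ] || echo "FINDING: access_provider='${v:-unset}'; disabled or expired AD accounts are not enforced at login"
    # The AD provider defaults ldap_id_mapping to true; only an explicit "false" disables SID mapping.
    v=$(get_opt "$conf" "$sect" ldap_id_mapping)
    case "${v:-true}" in
        true) ;;
        *) echo "FINDING: ldap_id_mapping='$v'; SIDs are not mapped to UIDs/GIDs without POSIX attributes in AD" ;;
    esac
    v=$(get_opt "$conf" "$sect" cache_credentials)
    [ "$v" = "true" ] || echo "FINDING: cache_credentials='${v:-unset}'; users cannot log in while off the corporate network"
    # SSSD's default of 0 means cached credentials never expire.
    v=$(get_opt "$conf" pam offline_credentials_expiration)
    [ -n "$v" ] || echo "FINDING: [pam] offline_credentials_expiration unset; cached credentials never expire"
}

# count_findings FILE DOMAIN -> number of FINDING lines (always exits 0).
count_findings() { audit_sssd_conf "$1" "$2" | grep -c '^FINDING' || true; }

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
WEAK_CONF="$TMP/sssd-weak.conf"; GOOD_CONF="$TMP/sssd-good.conf"

# Constructed weak configuration: identity works, but nothing else is set.
cat >"$WEAK_CONF" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
ldap_id_mapping = False
EOF

# Constructed corrected configuration.
cat >"$GOOD_CONF" <<'EOF'
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
ldap_id_mapping = True
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

[pam]
offline_credentials_expiration = 7
EOF

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $f: $(count_findings "$f" example.com) finding(s)"
    audit_sssd_conf "$f" example.com
done
```

Run it against a real host with `audit_sssd_conf /etc/sssd/sssd.conf your.domain` (as root, since the file is mode 0600). The expiry value of 7 days is a placeholder; pick the window your offline-access policy allows, remembering that 0 disables expiry entirely.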
The power of Group Policy Objects (GPOs) with Active Directory System Services (ADSys)
SSSD handles identity (“who”), but historically couldn’t manage configuration (“what”) with the same depth as Windows clients. That gap is where ADSys becomes the core value proposition for the enterprise.
ADSys is a native Group Policy Object (GPO) client for Ubuntu, letting IT administrators use existing AD knowledge and infrastructure to manage Ubuntu fleets. Active Directory Policies apply at two points: computer policies at boot, and user policies at login. This mirrors the Windows management experience, ensuring interoperability between Linux and Windows, without requiring parallel infrastructure management tools.
Quick reference: ADSys capabilities
ADSys supports the following management capabilities:
| Feature | Description |
| --- | --- |
| Privileges management | Centrally grant or revoke sudo privileges for AD users and groups without manually editing local /etc/sudoers files on individual machines. |
| Script execution | Automate configuration by scheduling shell scripts to execute at system startup, shutdown, user login, or user logout to remediate configuration drift. |
| Desktop configuration | Enforce specific desktop settings (e.g., screen lock timeouts, wallpaper, application access) via the dconf settings framework. |
| AppArmor management | Enforce custom AppArmor profiles to restrict application capabilities system-wide, enhancing the security posture of the endpoint. |
Learn more in our technical documentation.
Compliance and security with certificate auto-enrollment
Integrating local authentication with Active Directory is not only an enterprise compliance and security requirement, but also a convenience. Centralizing identity enforces security and governance policies, password complexity, and account lockout thresholds, consistently across the entire heterogeneous fleet.
ADSys also supports certificate auto-enrollment from Active Directory Certificate Services (AD CS). Clients enroll for machine certificates, which the certmonger daemon continuously monitors and refreshes, improving the security of communication and supporting compliance with encryption standards within legacy corporate networks.
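Because certmonger tracks each enrolled certificate as a request with a status, a fleet check can flag machines whose auto-enrolled certificate is no longer being renewed. The script below is an added example, not part of the post or of ADSys: it parses `getcert list` style output and reports every request that is not in the MONITORING state, is marked stuck, or has auto-renew switched off. The sample output, the request IDs, the CA name and the hostnames are constructed; the field layout (`Request ID '...':` followed by indented `status:`, `stuck:` and `auto-renew:` lines) is assumed to follow certmonger's format.

```shell
#!/bin/sh
# Added example, not Canonical's code: flag certmonger-tracked requests that
# are not healthy. Reads "getcert list" style output on stdin.

# report_cert_problems < getcert-output -> one line per unhealthy request.
report_cert_problems() {
    awk '
        function flush() {
            if (id == "") return
            if (status != "MONITORING")   print id " status=" status
            else if (stuck == "yes")      print id " stuck=yes"
            else if (renew != "yes")      print id " auto-renew=" renew
            id = ""
        }
        /^Request ID/ { flush(); id = $0; sub(/^Request ID /, "", id); sub(/:$/, "", id)
                        status = ""; stuck = ""; renew = ""; next }
        /^[ \t]*status:/     { status = $2 }
        /^[ \t]*stuck:/      { stuck = $2 }
        /^[ \t]*auto-renew:/ { renew = $2 }
        END { flush() }'
}

# count_cert_problems < getcert-output -> number of unhealthy requests (always exits 0).
count_cert_problems() { report_cert_problems | grep -c '' || true; }

# Constructed sample: one healthy machine certificate, one whose CA became unreachable.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID 'machine-cert-example':
    status: MONITORING
    stuck: no
    CA: ADCS-EXAMPLE
    subject: CN=ubuntu-ws01.example.com
    expires: 2027-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
Request ID 'machine-cert-stale':
    status: CA_UNREACHABLE
    stuck: yes
    CA: ADCS-EXAMPLE
    subject: CN=ubuntu-ws02.example.com
    expires: 2025-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
EOF
)

echo "Unhealthy requests: $(printf '%s\n' "$SAMPLE_GETCERT" | count_cert_problems)"
printf '%s\n' "$SAMPLE_GETCERT" | report_cert_problems
```

On a real endpoint, pipe `getcert list` (run as root) into `report_cert_problems`; a non-empty result on a machine that should hold an AD CS certificate is worth a ticket before the existing certificate expires.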
The Ubuntu Pro advantage
All ADSys features are provided through Ubuntu Pro. An Ubuntu Pro subscription provides access to the ADSys client and the administrative templates (.ADMX/.ADML) needed to expose Ubuntu-specific settings in the Windows Group Policy Management Console.
SSSD’s authentication combined with ADSys’s policy enforcement gives Canonical’s solution a decisive advantage: it maximizes existing AD infrastructure investment while putting Ubuntu systems on the path to compliance, backed by the long-term support (LTS) enterprise environments demand.
Learn more about identity management
In our newly released whitepaper we provide actionable blueprints and technical specifications to architect, define, and enforce robust identity management controls across your entire server and desktop fleet, regardless of operating system.
We provide a technical examination of modern identity paradigms, including detailed configurations for managing access to cloud and on-premise Linux infrastructure, and practical strategies for seamless and secure integration with legacy AD Domain Services. Furthermore, the paper offers a detailed analysis of the advantages and implementation steps for using SSH certificates for frictionless, auditable SSH authentication, moving beyond simple key management.
Read the Ubuntu Enterprise Identity Management whitepaper.
Further reading
- ADSys documentation
- Authd documentation
- Authd for Entra ID on Snapcraft
- Authd for Google IAM on Snapcraft
- Authd for OIDC on Snapcraft
