On Mon, Apr 20, 2015 at 11:48:00AM -0400, Stephen Gallagher wrote:
When a user enrolls a system against Active Directory, the
expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.
This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
ACK, both the manpage value and the config.h value can be toggled with a
configure script.
but I would prefer to push the patch after review of "[PATCHES] Support
GPOs referred from other domains" is finished, simply to close the bugs
first and then enable the feature for everyone :-)