
Khairul.Sufandi1.5330096474463677E12 (Customer) asked a question.
I am in the process of setting up agentless desktop SSO and following the below guide.
https://help.okta.com/en-us/Content/Topics/Directory/ad-dsso-create-service-account.htm
I have a question on step 9. Specifically this statement "The group policy can be created on the domain controller, or on the server where the Okta AD Agent is installed. The policy is applied to the entire domain and applies to all domain servers and workstations within the domain."
Does this mean I only need to create the group policy to enable the additional encryptions on just the member server where the OKTA AD agent is installed? Or does it need to be applied to all computers and domain controllers on the domain? I prefer to just do it on the OKTA AD Agent server.

Hi @Khairul.Sufandi1.5330096474463677E12 (Customer),
Thank you for posting on the Okta community page!
The group policy can be created just on the domain controller where the AD agent has been installed, because it will apply to the domain-joined machines as well.
I hope the above information is useful!
Step 9 is poorly worded, and hopefully no one is installing the AD agent on their domain controller. That's just very bad practice.
The policy must be applied to all machines in the domain. In many cases, the Group Policy Management Console is only installed on a domain controller, so that's where the policy would be created. It is possible to install the add-in on a member server and create the policy there, but it's still a domain policy, not one local to the member server where the AD agent is installed.
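Because the policy is domain-scoped, the practical check is whether it has actually reached the agent server and the domain controllers, not where it was authored. The following is an added example, not code from the thread or from Okta's guide; it assumes step 9 refers to the "Network security: Configure encryption types allowed for Kerberos" policy (which is stored in the registry value read below once a GPO applies it) and uses the placeholder host name OKTA-AGENT-01 for the server running the Okta AD Agent.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module and
# WinRM access to the targets. Assumes step 9 means the Kerberos encryption types policy.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit meanings of the SupportedEncryptionTypes policy value.
$Flags = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'Future encryption types'
}

function Get-KerberosEncTypes {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Read the policy-managed value remotely. $null means no GPO has set it on this host yet.
    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path $using:RegPath -Name SupportedEncryptionTypes `
            -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    }

    if ($null -eq $value) {
        return [pscustomobject]@{ Computer = $ComputerName; Applied = $false; Raw = ''; Types = @(); Weak = $false }
    }

    # Decode the bitmask into the enabled cipher names.
    $types = foreach ($bit in $Flags.Keys) { if ($value -band $bit) { $Flags[$bit] } }

    [pscustomobject]@{
        Computer = $ComputerName
        Applied  = $true
        Raw      = ('0x{0:X}' -f $value)
        Types    = $types
        # DES or RC4 still enabled is worth a follow-up, independent of the Okta requirement.
        Weak     = [bool]($value -band 0x07)
    }
}

# The policy applies domain-wide, so verify the agent server AND every domain controller.
$targets = @('OKTA-AGENT-01') +   # placeholder: the member server running the Okta AD Agent
           (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

$targets | ForEach-Object { Get-KerberosEncTypes -ComputerName $_ } |
    Select-Object Computer, Applied, Raw, Weak, @{ n = 'Types'; e = { $_.Types -join ', ' } } |
    Format-Table -AutoSize
```

A host showing Applied = False has not received the domain policy yet (run `gpupdate /force` there and re-check); a host showing AES types alongside Weak = True has the Okta-required ciphers but still permits legacy ones.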