Because it is common to use the Find dialog in ADUC to manage users and groups, One Identity recommends that you register display specifiers with Active Directory. Registering display specifiers provides the following benefits:
NOTE: You must have Enterprise Administrator rights to register display specifiers.
You can inspect exactly which changes are made during the display specifier registration process by viewing the DsReg.vbs script found in the Safeguard Authentication Services installation directory. You can use this script to unregister display specifiers at a later time.
To register display specifiers with Active Directory
- From a Windows management workstation with Safeguard Authentication Services installed, navigate to Start > Quest Software > Safeguard Authentication Services > Control Center.
- Click Preferences on the left navigation panel.
- Expand the Display Specifiers section.
NOTE: The Register Display Specifiers link is only displayed in the Control Center when display specifiers are not already registered with Active Directory; once they are registered, the link is hidden.
- Click the Register Display Specifiers link to register display specifiers with Active Directory.
While it is registering the display specifiers with Active Directory, Control Center displays a progress indicator. When the process is complete, Control Center indicates that display specifiers are registered.
Alternatively, you can register display specifiers from the command line, as follows:
- Log in as a user with Enterprise Administrator rights.
- Open a command prompt, navigate to the Safeguard Authentication Services installation directory, and run this command:
DsReg.vbs /add
NOTE: To register display specifiers with One Identity Active Roles, navigate to the installed location for Safeguard Authentication Services and run the following command:
DsReg.vbs /add /provider:EDMS
You must install the One Identity Active Roles management package locally or DsReg.vbs returns an "Invalid Syntax" error.
To see all the DsReg.vbs options, run the following command:
DsReg.vbs /help
NOTE: You must have Enterprise Administrator rights to unregister display specifiers.
To unregister display specifiers in Active Directory
- Log in as a user with Enterprise Administrator rights.
- Open a command prompt and navigate to the Safeguard Authentication Services installation directory.
- Run the DsReg.vbs script with the /remove option:
DsReg.vbs /remove
NOTE: To unregister display specifiers with One Identity Active Roles, run the following command:
DsReg.vbs /remove /provider:EDMS
To see all the DsReg.vbs options, run the following command:
DsReg.vbs /help
A SUCCESS message appears indicating that the display specifiers were removed successfully.
Display specifiers are stored in the Active Directory configuration partition under the DisplaySpecifiers container. The DisplaySpecifiers container has child containers named for the corresponding locale ID (in hexadecimal). US English display specifiers are in cn=409,cn=DisplaySpecifiers,cn=Configuration,dc=domain. The following modifications are made for each locale by the display specifier registration script, DsReg.vbs.
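As an added check (example code, not part of Safeguard Authentication Services or DsReg.vbs), the following PowerShell reads the locale 409 container and reports whether the entries that DsReg.vbs /add makes are present, so you can confirm the state before running the script, after registration, or after an unregister. It assumes the ActiveDirectory RSAT module is installed and that the account can read the configuration partition; the function name Test-SasDisplaySpecifiers and the result field names are my own, and the two property page GUIDs are taken from the tables that follow.

```powershell
# Added example, not part of Safeguard Authentication Services: check whether the
# US English (locale 409) display specifiers that DsReg.vbs registers are present.
# Assumes the ActiveDirectory module (RSAT) and read access to the configuration NC.
Import-Module ActiveDirectory

function Test-SasDisplaySpecifiers {
    [CmdletBinding()]
    param(
        # Locale container to inspect; 409 is US English.
        [string]$Locale = '409'
    )

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=$Locale,CN=DisplaySpecifiers,$configNC"

    # Property page extensions that DsReg.vbs inserts (GUIDs from Tables 16 and 17).
    $unixAccountPage     = '{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316}'
    $unixPersonalityPage = '{53108A01-9B68-4DFB-A16D-4945D26A38A9}'

    $result = [ordered]@{}

    # user-Display and group-Display always exist; DsReg.vbs only modifies them.
    foreach ($class in 'user-Display', 'group-Display') {
        $spec  = Get-ADObject -Identity "CN=$class,$container" -Properties adminPropertyPages, attributeDisplayNames
        $pages = @($spec.adminPropertyPages)
        $names = @($spec.attributeDisplayNames)
        $result["$class.UnixAccountPage"]     = [bool]($pages -match [regex]::Escape($unixAccountPage))
        $result["$class.UnixPersonalityPage"] = [bool]($pages -match [regex]::Escape($unixPersonalityPage))
        $result["$class.UidNumberName"]       = [bool]($names -match '^uidNumber,')
        $result["$class.GidNumberName"]       = [bool]($names -match '^gidNumber,')
    }

    # The personality display specifiers are created by DsReg.vbs, so they may be absent entirely.
    foreach ($cn in 'vintela-UnixUserPersonality-Display', 'vintela-UnixGroupPersonality-Display') {
        $obj = Get-ADObject -LDAPFilter "(cn=$cn)" -SearchBase $container -SearchScope OneLevel `
                            -Properties classDisplayName, creationWizard
        $result["$cn.Exists"]           = [bool]$obj
        $result["$cn.ClassDisplayName"] = if ($obj) { $obj.classDisplayName } else { $null }
        $result["$cn.CreationWizard"]   = if ($obj) { $obj.creationWizard }   else { $null }
    }

    # Registered only when every object DsReg.vbs /add touches shows its entry.
    # group-Display gets the UNIX Account page only, so it is not checked for the personality page.
    $result.Registered = $result['user-Display.UnixAccountPage'] -and
                         $result['user-Display.UnixPersonalityPage'] -and
                         $result['group-Display.UnixAccountPage'] -and
                         $result['vintela-UnixUserPersonality-Display.Exists'] -and
                         $result['vintela-UnixGroupPersonality-Display.Exists']
    return [pscustomobject]$result
}

Test-SasDisplaySpecifiers | Format-List
```

Run it before and after DsReg.vbs /add or /remove; a partially registered state (for example, the user-Display page present but the personality objects missing) shows up as individual false fields even though the Control Center link only reports registered or not registered.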
Table 16: Object: User-Display
Attribute | Operation | Value | Description
adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | Registers the UNIX Account property page extension with User objects.
adminPropertyPages | modify, insert | 11,{53108A01-9B68-4DFB-A16D-4945D26A38A9} | Registers the UNIX Personality property page extension with User objects.
attributeDisplayNames | modify, insert | uidNumber, UID Number | Provides a more user-friendly name for the UNIX user ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | uid, Login Name | Provides a more user-friendly name for the UNIX login name attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the canonical name attribute (the object's location in the directory). Allows this attribute to display in the UNIX Object find dialog results.
Table 17: Object: Group-Display
Attribute | Operation | Value | Description
adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | Registers the UNIX Account property page extension with Group objects.
attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the canonical name attribute (the object's location in the directory). Allows this attribute to display in the UNIX Object find dialog results.
Table 18: Object: vintela-UnixUserPersonality-Display
Attribute | Operation | Value | Description
cn | create object | vintela-UnixUserPersonality-Display | The display specifier object is created.
adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | Registers the UNIX User Personality property page extension with user personality objects.
classDisplayName | modify, set | UNIX User Personality | Sets the friendly name of the object class. This is the text displayed in the New Object menu and elsewhere in ADUC.
creationWizard | modify, set | {57AC8F6B-5EA8-4DC9-AB9A-C0ED6420C7F9} | Registers the "New UNIX User Personality" object creation wizard. This creation wizard registration mechanism works in ADUC, but is not yet supported in Active Roles. To create personality objects in Active Roles, use the Advanced Create Wizard and select the UNIX User Personality object class.
iconPath | modify, insert | 0,vas_dua_user.ico | The default personality icon. Safeguard Authentication Services installs this icon in the %SYSTEMROOT%\system32 folder so that it is available to all applications that might need it.
iconPath | modify, insert | 1,vas_dua_user_disabled.ico | This icon is not currently used.
iconPath | modify, insert | 2,vas_dua_user_orphaned.ico | This icon is not currently used.
attributeDisplayNames | modify, insert | uidNumber, UID Number | Provides a more user-friendly name for the UNIX user ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | uid, UNIX Login Name | Provides a more user-friendly name for the UNIX login name attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | description, Description | Provides a more user-friendly name for the description attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the canonical name attribute (the object's location in the directory). Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | managedBy, Linked To | Provides a more descriptive name for the managedBy attribute to indicate how this attribute is used on personality objects. Allows this attribute to display in the UNIX Object find dialog results.
Table 19: Object: vintela-UnixGroupPersonality-Display
Attribute | Operation | Value | Description
cn | create object | vintela-UnixGroupPersonality-Display | The display specifier object is created.
adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | Registers the UNIX Group Personality property page extension with group personality objects.
classDisplayName | modify, set | UNIX Group Personality | Sets the friendly name of the object class. This is the text displayed in the New Object menu and elsewhere in ADUC.
creationWizard | modify, set | {A7C4A545-C7C8-49C8-8C96-8C665E166D0C} | Registers the "New UNIX Group Personality" object creation wizard. This creation wizard registration mechanism works in ADUC, but is not yet supported in Active Roles. To create personality objects in Active Roles, use the Advanced Create Wizard and select the UNIX Group Personality object class.
iconPath | modify, insert | 0,vas_unix_group.ico | The default personality icon. Safeguard Authentication Services installs this icon in the %SYSTEMROOT%\system32 folder so that it is available to all applications that might need it.
attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the UNIX group ID number attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | cn, Name | Provides a more user-friendly name for the UNIX group name attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | description, Description | Provides a more user-friendly name for the description attribute. Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the canonical name attribute (the object's location in the directory). Allows this attribute to display in the UNIX Object find dialog results.
attributeDisplayNames | modify, insert | managedBy, Linked To | Provides a more descriptive name for the managedBy attribute to indicate how this attribute is used on personality objects.
The Global UNIX Options section displays the currently configured options for UNIX-enabling users and groups.
Click Modify Global UNIX Options to change these settings.
NOTE: Safeguard Authentication Services uses the Global UNIX Options when enabling users and groups for UNIX login.
Table 20: UNIX user defaults
Option | Description
Require unique User Names | Select to require a unique UNIX user login name attribute within the forest.
Require unique UID Numbers | Select to require a unique UNIX user ID (UID) number within the forest.
Minimum UID Number | Enter a minimum value for the UNIX user ID (UID) number. Typically, you set this to a value higher than the highest UID among local UNIX users, so that UIDs assigned to Active Directory users do not collide with local user accounts.
Maximum UID Number | Enter a maximum value for the UNIX user ID (UID) number. Typically, you would not change this value unless you have a legacy UNIX platform that does not support the full 32-bit integer range for UID numbers.
Default Primary GID Number | Enter the default value for the primary GID number when UNIX-enabling a user.
Set primary GID to UID | Select to set the primary GID number to the user's UID number.
Default Comments (GECOS) | Enter the default GECOS (comment) text applied when UNIX-enabling a user.
Default Login Shell | Enter the default login shell used when UNIX-enabling a user.
Default Home Directory | Enter the default prefix used when generating the home directory attribute when UNIX-enabling a user. The default value is /home/; use a different value if your UNIX user home directories are stored in another location on the file system. Safeguard Authentication Services appends the user's effective UNIX name to this prefix to form the full home directory path.
Use lowercase User Name for Home Directory | Select to use a lower-case representation of the user's effective UNIX name when generating the full home directory path as a user is UNIX-enabled.
Table 21: UNIX group defaults
Option | Description
Require unique Group Names | Select to require a unique UNIX group name attribute within the forest.
Require unique GID Numbers | Select to require a unique UNIX group ID (GID) attribute within the forest.
Minimum GID Number | Enter the minimum value for the UNIX group ID (GID). Typically, this is set to a value higher than the highest GID among local UNIX groups, so that GIDs assigned to Active Directory groups do not collide with local groups.
Maximum GID Number | Enter the maximum value for the UNIX group ID (GID). Typically, you would not change this value unless you have a legacy UNIX platform that does not support the full 32-bit integer range for GID numbers.
These options control the algorithms used to generate unique user and group IDs.
Table 22: Unique IDs
Algorithm | Description
GUID Hash | An ID generated from a hash of the user or group object's objectGUID attribute. This is a fast way to generate an ID that is usually unique. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.
Samba Algorithm | An ID generated from the SID of the domain and the RID of the user or group object. This method works well when there are few domains in the forest. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.
Legacy Search Algorithm | An ID generated by searching the forest for existing ID values and choosing one that is not currently in use.
Modifications you make to these Global UNIX Options take effect after you restart the Microsoft Management Console (MMC).
TIP: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the two methods can lead to ID conflicts.
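The following PowerShell is an added illustration of the three strategies in Table 22 on constructed data; it is not Safeguard Authentication Services code and does not reproduce the product's exact arithmetic. The hash function (FNV-1a), the per-domain base offset used for the Samba-style method, the ascending search order, and the function names are all assumptions made for the example. What it does show is the part that matters operationally: every candidate is checked against the configured range and against the IDs already in use, and on a conflict it is re-issued from the search, which is also why mixing generated and hand-assigned IDs (the TIP above) is risky.

```powershell
# Added example, not Safeguard Authentication Services code: the three ID-generation
# strategies from Table 22 on constructed data, with the range check and the
# "re-generate by searching the forest" fallback. Hash choice, per-domain base offsets
# and search order are assumptions made for this illustration.

$MinUid = 10000          # stands in for Minimum UID Number
$MaxUid = 2147483647     # stands in for Maximum UID Number (full 32-bit signed range)

# Constructed stand-in for "search the forest": UID numbers already assigned.
$InUse = [System.Collections.Generic.HashSet[int64]]::new()
foreach ($id in 10000, 10001, 10002, 101105) { [void]$InUse.Add($id) }

function Get-UidFromGuidHash {
    param([guid]$ObjectGuid)
    # FNV-1a over the 16 objectGUID bytes (assumed hash), folded into [MinUid, MaxUid].
    [int64]$h = 2166136261
    foreach ($b in $ObjectGuid.ToByteArray()) {
        $h = (($h -bxor $b) * 16777619) -band 4294967295
    }
    $span = $MaxUid - $MinUid + 1
    return $MinUid + ($h % $span)
}

function Get-UidFromSid {
    param([string]$Sid, [hashtable]$DomainBase)
    # Samba-style (assumed): UID = per-domain base + RID. Every domain needs its own
    # non-overlapping base, which is why this suits forests with few domains.
    $parts     = $Sid.Split('-')
    $rid       = [int64]$parts[-1]
    $domainSid = $parts[0..($parts.Length - 2)] -join '-'
    if (-not $DomainBase.ContainsKey($domainSid)) { throw "No UID base configured for domain $domainSid" }
    return [int64]$DomainBase[$domainSid] + $rid
}

function Get-UidBySearch {
    # Legacy search: walk the range from MinUid until an unused value is found.
    for ([int64]$id = $MinUid; $id -le $MaxUid; $id++) {
        if (-not $InUse.Contains($id)) { return $id }
    }
    throw "UID range $MinUid-$MaxUid is exhausted"
}

function Resolve-UniqueUid {
    param([string]$Algorithm, [hashtable]$Account, [hashtable]$DomainBase)
    $candidate = switch ($Algorithm) {
        'GuidHash' { Get-UidFromGuidHash -ObjectGuid $Account.Guid }
        'Samba'    { Get-UidFromSid -Sid $Account.Sid -DomainBase $DomainBase }
        'Search'   { Get-UidBySearch }
        default    { throw "Unknown algorithm $Algorithm" }
    }
    $source = $Algorithm
    # Out of range or already taken: fall back to the forest search, as Table 22 describes.
    if ($candidate -lt $MinUid -or $candidate -gt $MaxUid -or $InUse.Contains($candidate)) {
        $candidate = Get-UidBySearch
        $source    = "$Algorithm conflicted, re-generated by search"
    }
    [void]$InUse.Add($candidate)     # reserve it so a later assignment cannot reuse it
    [pscustomobject]@{ Name = $Account.Name; Uid = $candidate; Source = $source }
}

# Constructed domain SID, base offset and accounts. RID 1105 lands on the pre-existing
# UID 101105, which forces the conflict path; RID 1106 does not.
$domainBase = @{ 'S-1-5-21-1111111111-2222222222-3333333333' = 100000 }
$accounts = @(
    @{ Name = 'alice'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'; Guid = [guid]'4b0f4f9c-6f3e-4e6e-9d1d-6b0a4c2f1e01' }
    @{ Name = 'bob';   Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1106'; Guid = [guid]'c2a7d2a0-0c2a-4d7e-b5d1-2f9a3c6e7b02' }
)
foreach ($a in $accounts) { Resolve-UniqueUid -Algorithm Samba -DomainBase $domainBase -Account $a }
Resolve-UniqueUid -Algorithm GuidHash -Account @{ Name = 'carol'; Guid = [guid]::NewGuid() }
Resolve-UniqueUid -Algorithm Search   -Account @{ Name = 'dave' }
```

With the constructed data, the Samba candidate for the first account is already in use, so it is re-issued from the search and its Source field says so; the second account keeps its base-plus-RID value. The same fallback catches a hand-assigned UID that happens to equal a generated one only if the hand-assigned value is visible to the search, which is the reason the TIP above recommends one method or the other.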