Safeguard Authentication Services includes PowerShell modules that provide a "scriptable" interface to many Safeguard Authentication Services management tasks.
Using Safeguard Authentication Services PowerShell commands you can Unix-enable, Unix-disable, modify, report on, and clear Unix attributes of Active Directory users.
Note: You can access a customized PowerShell console from Control Center | Tools. To add Safeguard Authentication Services cmdlets to an existing PowerShell session, run Import-Module Quest.AuthenticationServices. See PowerShell Cmdlets for a complete list of available commands.
To Unix-enable a user, use the Enable-QasUnixUser command. The following command Unix-enables the user, bsmith, in Active Directory:
Enable-QasUnixUser -Identity <domain>\bsmith
To disable a user for Unix access, use the Disable-QasUnixUser command:
Disable-QasUnixUser -Identity <domain>\bsmith
To set a particular Unix attribute, use the Set-QasUnixUser command. The following command sets the Comment (GECOS) field of the bsmith user to Bob Smith:
Set-QasUnixUser -Identity <domain>\bsmith -Gecos "Bob Smith"
To report on a user, use the Get-QasUnixUser command. The following command shows all users that start with "bsm":
Get-QasUnixUser -Identity bsm
The Safeguard Authentication Services PowerShell commands are designed to work with the Active Directory commands from Microsoft (Get-ADUser) and One Identity (Get-QADUser). You can pipe the output of these commands to any of the Safeguard Authentication Services PowerShell commands that operate on users. For example, the following command clears the Unix attributes from the bsmith user.
Get-QADUser -Identity <domain>\bsmith | Clear-QasUnixUser
The Safeguard Authentication Services PowerShell commands are aware of the options and schema settings configured in Control Center. Scripts written using the Safeguard Authentication Services PowerShell commands work without modification in any Safeguard Authentication Services environment.
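The pipeline support described above lends itself to deprovisioning checks. The following is an added example, not part of the product documentation: it finds accounts that are already disabled in Active Directory and pipes each one to Disable-QasUnixUser so that Unix login is removed as well. The function name and the OU path are hypothetical placeholders, and the script assumes the Microsoft ActiveDirectory module is installed alongside Quest.AuthenticationServices.

```powershell
# Added example. The function name and the OU path are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module Quest.AuthenticationServices

function Disable-UnixAccessForDisabledAdUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        # Distinguished name of the container to search (assumed layout).
        [Parameter(Mandatory = $true)]
        [string]$SearchBase
    )

    # Accounts that are already disabled in Active Directory under the container.
    $disabled = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase

    foreach ($user in $disabled) {
        # Honors -WhatIf and -Confirm so the run can be reviewed before any change is made.
        if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable Unix access')) {
            continue
        }
        try {
            # Get-ADUser output is piped directly into the Safeguard cmdlet;
            # any object the cmdlet returns is discarded.
            $user | Disable-QasUnixUser -ErrorAction Stop | Out-Null
            [pscustomobject]@{
                User   = $user.SamAccountName
                Result = 'Unix-disabled'
                Detail = ''
            }
        }
        catch {
            # Record the failure and continue with the next account.
            [pscustomobject]@{
                User   = $user.SamAccountName
                Result = 'Failed'
                Detail = $_.Exception.Message
            }
        }
    }
}

# Dry run: lists the accounts that would be changed without modifying them.
Disable-UnixAccessForDisabledAdUser -SearchBase 'OU=Staff,DC=example,DC=com' -WhatIf
```

Remove -WhatIf to apply the change; the returned objects can be exported with Export-Csv as a record of the run.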
Safeguard Authentication Services supports the flexible scripting capabilities of PowerShell to automate administrative, installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Safeguard Authentication Services.
Table 14: PowerShell cmdlets
| Cmdlet | Description |
| --- | --- |
| Add-QasLicense | Installs a Safeguard Authentication Services license file in Active Directory. Licenses installed this way are downloaded by all Unix clients. |
| Clear-QasUnixGroup | Clears the Unix identity information from a group object in Active Directory. The group is no longer Unix-enabled and will be removed from the cache on the Safeguard Authentication Services Unix clients. |
| Clear-QasUnixUser | Clears the Unix identity information from a user object in Active Directory. The user is no longer Unix-enabled and will be removed from the cache on the Safeguard Authentication Services Unix clients. |
| Disable-QasUnixGroup | Unix-disables a group; the group will be removed from the cache on the Safeguard Authentication Services Unix clients. Similar to Clear-QasUnixGroup except the Unix group name is retained. |
| Disable-QasUnixUser | Removes an Active Directory user's ability to log in on Unix hosts. (The user will still be cached on the Safeguard Authentication Services Unix clients.) |
| Enable-QasUnixGroup | Enables an Active Directory group for Unix by giving a Unix GID number. The GID number is automatically generated. |
| Enable-QasUnixUser | Enables an Active Directory user for Unix. The required account attributes UID number, primary GID number, GECOS, login shell, and home directory are generated automatically. |
| Get-QasConfiguration | Returns an object representing the Safeguard Authentication Services application configuration data stored in Active Directory. |
| Get-QasGpo | Returns a set of objects representing GPOs with Unix and/or macOS settings configured. This cmdlet is in the Quest.AuthenticationServices.GroupPolicy module. |
| Get-QasLicense | Returns objects representing the Safeguard Authentication Services product licenses stored in Active Directory. |
| Get-QasOption | Returns a set of configurable global options stored in Active Directory that affect the behavior of Safeguard Authentication Services. |
| Get-QasSchema | Returns the currently configured schema definition from the Safeguard Authentication Services application configuration. |
| Get-QasSchemaDefinition | Returns a set of schema templates that are supported by the current Active Directory forest. |
| Get-QasUnixGroup | Returns an object that represents an Active Directory group as a Unix group. The returned object can be piped into other cmdlets such as Clear-QasUnixGroup or Enable-QasUnixGroup. |
| Get-QasUnixUser | Returns an object that represents an Active Directory user as a Unix user. The returned object can be piped into other cmdlets such as Clear-QasUnixUser or Enable-QasUnixUser. |
| Get-QasVersion | Returns the version of Safeguard Authentication Services currently installed on the local host. |
| Move-QasConfiguration | Moves the Safeguard Authentication Services application configuration information from one container to another in Active Directory. |
| New-QasAdConnection | Creates an object that represents a connection to Active Directory using specified credentials. You can pass a connection object to most Safeguard Authentication Services cmdlets to execute commands using different credentials. |
| New-QasArsConnection | Creates an object that represents a connection to an Active Roles Server using the specified credentials. You can pass a connection object to most Safeguard Authentication Services cmdlets to execute commands using different credentials. |
| New-QasConfiguration | Creates a default Safeguard Authentication Services application configuration in Active Directory and returns an object representing the newly created configuration. |
| Remove-QasConfiguration | Accepts a Safeguard Authentication Services application configuration object as input and removes it from Active Directory. This cmdlet produces no output. |
| Remove-QasLicense | Accepts a Safeguard Authentication Services product license object as input and removes the license from Active Directory. This cmdlet produces no output. |
| Set-QasOption | Accepts a Safeguard Authentication Services options set as input and saves it to Active Directory. |
| Set-QasSchema | Accepts a Safeguard Authentication Services schema template as input and saves it to Active Directory as the schema template that will be used by all Safeguard Authentication Services Unix clients. |
| Set-QasUnixGroup | Accepts a Unix group object as input and saves it to Active Directory. You can also set specific attributes using command line options. |
| Set-QasUnixUser | Accepts a Unix user object as input and saves it to Active Directory. You can also set specific attributes using command line options. |
Safeguard Authentication Services PowerShell cmdlets are contained in PowerShell modules named Quest.AuthenticationServices and Quest.AuthenticationServices.GroupPolicy. Use the Import-Module command to import the Safeguard Authentication Services commands into an existing PowerShell session.
Safeguard Authentication Services supports and enforces all the Active Directory password policy concepts, including minimum password length, age, complexity, lockout requirements, and history. It also supports the fine-grained password policies introduced in Windows 2008.
Unix users can change their Active Directory passwords using vastool or with PAM-enabled system password utilities such as passwd.