One Identity Management Console for Unix 2.5.2 - Administration Guide


Add New User dialog

The Add New User dialog displays when you select the Add User toolbar button from the Users view of a host's properties. Use this view to add a new user to the selected host.

Table 29: Add New User dialog
Option Description
User Name

Enter the name of the user account that identifies the new user.

UID

The UID field is automatically populated with the next available UID number. The Unix operating system uses this number to refer to the new user. Default UID numbers start at 1000.

Primary group name

Displays the primary group of which this user will be a member.

Click the Select Group button to display a list of all the local groups on the selected host. Use the control to search for and select the primary group. To find a particular group or to filter the list of groups displayed, enter one or more characters in the Search for groups box. This will then display the groups whose name matches (contains) the search expression entered. From this list, select the primary group to be used.

GID

The group identifier assigned to the selected user’s primary group.

NOTE: This is a read-only field.

Click the Select Group browse button next to the GID box to select the primary group of the user from the Select Local Group dialog.

By default, the Select Local Group dialog displays all groups discovered on the host. You can filter the groups by entering text in the filter area or using the navigation buttons at the bottom of the list to find and select a group.

Comment (GECOS)

(Optional) Enter a description of the local Unix user.

Home directory

Enter the file system directory to be used for the new user’s personal data and files. The default home directory is /home/${username}, where ${username} is the value entered in the User Name field.

Login shell

Displays the login shell the new user will use to log in to the Unix system.

Click the Select Shell button to display a list of all the login shells available on the selected host from the Select local login shell dialog.

By default, the Select local login shell dialog displays all login shells discovered on the host. To find a particular login shell, or filter the list, enter one or more characters in the Search for login shell box. This will then display the login shells that match (contain) the search expression entered. From this list, select a login shell to be used.

Password

(Optional) Enter the password the new user will use to log in to the Unix system.

Verify password

If you specified the initial password in the Password field, re-enter the password for verification.
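
The following is an added example, not code from the guide or from the Management Console for Unix product: it models what the Add New User dialog's fields amount to on the host, reading a constructed /etc/passwd and /etc/group excerpt, filling the UID with the next available number from 1000 (here taken to mean the lowest unused UID, an assumption), resolving the selected primary group name to its GID, defaulting the home directory to /home/${username}, checking the login shell against the shells discovered on the host, and producing the equivalent useradd command line. The sample account data, the shell list, the user-name rule and all function names are this example's own assumptions.

```python
import re

# Constructed sample account database for one managed host (not real data).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/sh
svc-backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
users:x:100:
alice:x:1000:
bob:x:1001:
developers:x:2000:alice,bob
"""
# Login shells "discovered on the host", as the Select local login shell dialog lists them (constructed).
SHELLS = ["/bin/sh", "/bin/bash", "/usr/sbin/nologin"]

DEFAULT_UID_START = 1000  # the guide: default UID numbers start at 1000
# Assumed portable user-name rule: lowercase letters, digits, underscore, hyphen; max 32 chars.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def next_available_uid(passwd_text=PASSWD, start=DEFAULT_UID_START):
    """Lowest UID >= start that no existing account uses (assumed meaning of 'next available')."""
    used = {int(line.split(":")[2]) for line in passwd_text.splitlines() if line}
    uid = start
    while uid in used:
        uid += 1
    return uid


def search_groups(needle, group_text=GROUP):
    """Group names containing the search expression, as the Select Local Group dialog filters them."""
    names = [line.split(":")[0] for line in group_text.splitlines() if line]
    return [n for n in names if needle in n]


def gid_for_group(name, group_text=GROUP):
    """Resolve the chosen primary group name to its GID (the dialog's GID field is read-only)."""
    for line in group_text.splitlines():
        if line and line.split(":")[0] == name:
            return int(line.split(":")[2])
    raise LookupError(f"no local group named {name!r} on this host")


def default_home(username):
    """The dialog's default: /home/${username}."""
    return f"/home/{username}"


def build_useradd(username, primary_group, gecos="", shell="/bin/bash",
                  passwd_text=PASSWD, group_text=GROUP, shells=SHELLS):
    """Validate the dialog's fields and return the equivalent useradd argv.

    The password is deliberately not part of the command line: arguments are
    visible to every local process, so it should be set afterwards via stdin
    (for example with chpasswd) rather than passed here.
    """
    if not USERNAME_RE.match(username):
        raise ValueError(f"invalid user name {username!r}")
    if any(line.split(":")[0] == username for line in passwd_text.splitlines() if line):
        raise ValueError(f"user {username!r} already exists on this host")
    if ":" in gecos or "\n" in gecos:
        raise ValueError("GECOS comment may not contain ':' or a newline")
    if shell not in shells:
        raise ValueError(f"{shell} is not a login shell available on this host")
    uid = next_available_uid(passwd_text)
    gid = gid_for_group(primary_group, group_text)
    argv = ["useradd", "-m", "-u", str(uid), "-g", str(gid),
            "-d", default_home(username), "-s", shell]
    if gecos:
        argv += ["-c", gecos]
    return argv + [username]


if __name__ == "__main__":
    # Shows the command the dialog's entries correspond to; nothing is executed.
    print(" ".join(build_useradd("carol", "developers", "Carol Example")))
```

The UID search deliberately reuses gaps (1002 in the sample, between bob and svc-backup); if your site policy prefers never to recycle UIDs, replace the loop with max(used) + 1. The duplicate-name and shell checks mirror what the dialog enforces through its pick lists, so a scripted path gets the same guarantees.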

Searching for users

Use the Search for users control to locate particular users on a host's Users tab or the All Local Users tab.

To search for users

  1. From the All Hosts view, double-click a host name to open its properties and select the Users tab.
  2. Place your cursor in the Search for users box and enter one or more characters. As you enter characters into the text box, the management console redisplays only the users whose Name, UID, GID, GECOS, Login Shell, or AD User matches (contains) the criteria entered.
  3. To clear the text box and redisplay the original list, select the clear button to the right of the Search for users box.
  4. To further filter the list by type of user, open the user type drop-down menu and choose one of the following:
    • All users
    • All non-system users
    • System user
    • Users requiring AD logon (requires Authentication Services 4.x)
    • Users not requiring AD logon (requires Authentication Services 4.x)

All Local Users tab

The All Local Users tab provides a consolidated view of all the users on all of the hosts that you manage with Management Console for Unix. From this view, you can see which users are not required to log onto the hosts using Active Directory credentials and if there are users that are present on multiple hosts.

From this view, with Quest Authentication Services 4.x installed and when you are logged on as an Active Directory account in the Manage Hosts role, you can also assign (or "map") a local user to an Active Directory user which requires the user to log onto the host using Active Directory credentials.

You can choose to display or hide columns from view. Open any column menu, navigate to Columns, and select the columns you want to see.

See Using the advanced search options for information about using the search boxes.

Note: The Local User Statistics and Require AD Logon panes only display if you have Authentication Services 4.x installed and when you are logged on as an Active Directory account in the Manage Hosts role.

All Local Users tab

By default, the All Local Users tab displays the following information for all users across all hosts:

Table 30: All Local Users tab
Option Description
Selection check box and user type icon

The first column contains a selection check box which allows you to select or deselect a user.

To select a user, click a user entry or the selection check box. To select all users in the list, click the check box in the heading.

To deselect a user, clear the selected check box. To deselect all users, clear the check box in the heading.

The icons displayed in this column indicate the type of user:

  • User does not require AD logon (requires Authentication Services 4.x)
  • User requires AD logon (requires Authentication Services 4.x)
  • System user
Name The name of the local user.
UID The user identifier assigned to the user.
Comment (GECOS) A description of the local Unix user.
Host The name of the host where the user resides.
Joined Domain Displays the Active Directory domain to which the host is joined.
AD User The name of the Active Directory user account used to log on to the host when the "require AD logon to host" feature has been specified.

Note: Additional columns are available. Open the column drop-down menu, navigate to the Columns option and choose to view GID, Home Directory, and Login Shell columns.
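
The search behaviour described under Searching for users and the consolidated All Local Users view above are illustrated by the following added example; it is not code from the guide or from the product. It loads constructed /etc/passwd excerpts for two hosts, applies the "contains" match over the Name, UID, GID, GECOS, Login Shell and AD User fields (case-insensitive here, an assumption), implements the user-type drop-down choices, and reports the two things the view exists to surface: users present on more than one host, and non-system users that still log on with local rather than Active Directory credentials. The host names, the AD mapping, the system-user marks and the UID-below-1000 convention are this example's own assumptions.

```python
from collections import defaultdict

# Constructed /etc/passwd excerpts for two managed hosts (not real data).
HOST_PASSWD = {
    "web01.example.com": """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
deploy:x:1002:1002:Deployment account:/home/deploy:/bin/sh
""",
    "db01.example.com": """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
postgres:x:1001:1001:PostgreSQL admin:/var/lib/postgresql:/bin/bash
""",
}
# Constructed stand-in for the "require AD logon" mappings: (host, local user) -> AD user.
AD_MAPPING = {("web01.example.com", "alice"): "EXAMPLE\\alice"}
# Users an administrator marked with "Mark as system user" (constructed).
SYSTEM_USERS = {"deploy"}
SYSTEM_UID_LIMIT = 1000  # assumed: UIDs below this are treated as system accounts


def load_users(host_passwd=HOST_PASSWD, ad_mapping=AD_MAPPING):
    """One record per (host, account), with the columns the All Local Users tab shows."""
    users = []
    for host, text in host_passwd.items():
        for line in text.splitlines():
            if not line:
                continue
            name, _, uid, gid, gecos, home, shell = line.split(":")
            users.append({
                "name": name, "uid": int(uid), "gid": int(gid), "gecos": gecos,
                "home": home, "shell": shell, "host": host,
                "ad_user": ad_mapping.get((host, name), ""),
            })
    return users


def is_system_user(u, marked=SYSTEM_USERS):
    return u["name"] in marked or u["uid"] < SYSTEM_UID_LIMIT


def search_users(users, text):
    """'Contains' match over Name, UID, GID, GECOS, Login Shell and AD User."""
    needle = text.lower()
    fields = ("name", "uid", "gid", "gecos", "shell", "ad_user")
    return [u for u in users if any(needle in str(u[f]).lower() for f in fields)]


def filter_by_type(users, kind):
    """The user-type drop-down: all, non-system, system, requires-ad, not-requires-ad."""
    predicates = {
        "all": lambda u: True,
        "non-system": lambda u: not is_system_user(u),
        "system": is_system_user,
        "requires-ad": lambda u: bool(u["ad_user"]),
        "not-requires-ad": lambda u: not u["ad_user"],
    }
    return [u for u in users if predicates[kind](u)]


def users_on_multiple_hosts(users):
    """Account names that exist on more than one managed host."""
    hosts = defaultdict(set)
    for u in users:
        hosts[u["name"]].add(u["host"])
    return {name: sorted(h) for name, h in hosts.items() if len(h) > 1}


def non_system_users_without_ad_logon(users):
    """Interactive local accounts still using local credentials: the review finding of interest."""
    return sorted((u["host"], u["name"]) for u in users
                  if not is_system_user(u) and not u["ad_user"])


if __name__ == "__main__":
    users = load_users()
    print("on multiple hosts:", users_on_multiple_hosts(users))
    print("local logon only:", non_system_users_without_ad_logon(users))
```

Because the match runs over UID and GID as well as names, searching for "1001" returns accounts by numeric identifier, which is how a reviewer spots the same UID reused for different people across hosts. The last report is the one to act on: each entry is a candidate for the Properties action that maps the account to an Active Directory user.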

All Local Users tab toolbar

Use the toolbar buttons across the top of the All Local Users tab to search for a user, perform an action against a user or to filter and refresh the list being displayed.

Table 31: All Local Users tab: Toolbar
Option Description
Search for users (text box) Use this text box to filter the users displayed in the Users list. As you enter characters into the Search for users box, the management console displays the users whose name matches (contains) the criteria entered. Click the clear button to remove the filtering and redisplay the original user list.
User | Properties Displays the user's properties, from which you can modify the general user properties, define the groups of which this user is a member, and specify that the user is required to use Active Directory credentials to log onto the host (requires Authentication Services).
User | Set local user password

Allows you to reset a user's password.

NOTE: The Set Local User Password option is not available for users required to log in with Active Directory authentication because root does not have permission to change a password stored in Active Directory. The option is not available to change the password of a mapped user.

User | Find event logs Allows you to search keystroke logs (requires Privilege Manager).
User | Remove AD logon requirement Allows you to remove the Active Directory logon requirement from the selected users.
User | Mark as system user Allows you to mark the selected users as system users.
User | Unmark as system user Allows you to clear the system user mark from the selected users.
User | Mark system users Allows you to mark a range of users as system users.
User | Unmark system users Allows you to clear the system user mark from a range of users.
User | Delete User Allows you to delete a local user.
User type (drop-down menu)

Use the user-type drop-down menu to filter the users displayed on the All Local Users view.

Choose one of the following options:

  • All users
  • All non-system users
  • System user
  • Users requiring AD logon (requires Authentication Services 4.x)
  • Users not requiring AD logon (requires Authentication Services 4.x)

NOTE: By default, all users display on the All Hosts Users tab.

Refresh Refreshes user information.
Rows to show Use the settings on this drop-down menu to select the number of rows you want to display.