Chatta subito con l'assistenza
Chat con il supporto

Safeguard Authentication Services 6.0.1 - Administration Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services UNIX administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing UNIX hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts UNIX policies One Identity policies
Display specifiers Troubleshooting Glossary

Configure a User Deny Entry policy

The Configure a User Deny Entry policy manages the Safeguard Authentication Services users.deny file. This file dictates users and groups that are explicitly denied access to the machine. Deny rules take precedence over allow rules.

To setup a users deny policy

  1. Navigate to the UNIX Settings > Safeguard Authentication Services > Access Control node.

  2. Double-click users.deny Configuration in the result pane to open the users.deny Configuration Properties dialog.

    • Click Browse AD to add a container. All users under this container are denied access.

    • Click Add Group to add a group. All members of the specified group are denied access.

    • Click Add User to add a specific user. The specified user is denied access.

    • Click Add Domain to add a domain. All users in the specified domain are denied access.

    • Click Add Custom to add an item manually. You must specify the correct type for the item. All users associated with the item are denied access.

  3. Click OK to save settings and close the dialog.

Display specifiers

Display specifiers are Active Directory objects that provide information about how other objects in the directory display in client applications.

NOTE: The Register Display Specifiers link is only displayed in the Control Center when display specifiers are not already registered with Active Directory. If the display specifiers are registered, Control Center does not display the link.

Registering display specifiers

Because it is common to use the Find dialog in ADUC to manage users and groups, One Identity recommends that you register display specifiers with Active Directory. Registering display specifiers provides the following benefits:

  • UNIX Account properties appear in ADUC Find dialog results.

  • UNIX Personality objects are displayed correctly in ADUC. This only applies if the UNIX Personality schema has been installed.

NOTE: You must have Enterprise Administrator rights to register display specifiers.

You can inspect exactly which changes are made during the display specifier registration process by viewing the DsReg.vbs script found in the Safeguard Authentication Services installation directory. You can use this script to unregister display specifiers at a later time.

To register display specifiers with Active Directory

  1. From a Windows management workstation with Safeguard Authentication Services installed, navigate to Start > Quest Software > Safeguard Authentication Services > Control Center.

  2. Click Preferences on the left navigation panel.

  3. Expand the Display Specifiers section.

    NOTE: The Register Display Specifiers link is only displayed in the Control Center when display specifiers are not already registered with Active Directory. If the display specifiers are registered, Control Center does not display the link.

  4. Click the Register Display Specifiers link to register display specifiers with Active Directory.

    While it is registering the display specifiers with Active Directory, Control Center displays a progress indicator. When the process is complete, Control Center indicates that display specifiers are registered.

    Alternatively, you can register display specifiers from the command line, as follows:

    1. Log in as a user with Enterprise Administrator rights.

    2. Open a command prompt, navigate to the Safeguard Authentication Services installation directory, and run this command:

      DsReg.vbs /add

    NOTE: To register One Identity Active Directory display specifiers with One Identity Active Directory, navigate to the installed location for Safeguard Authentication Services and run the following command:

    DsReg.vbs /add /provider:EDMS

    You must install the One Identity Active Directory management package locally or DsReg.vbs returns an "Invalid Syntax" error.

    To see all the DsReg.vbs options, run the following command:

    DsReg.vbs /help

Unregistering display specifiers

If you want to unregister display specifiers, perform the following steps.

NOTE: You must have Enterprise Administrator rights to unregister display specifiers.

To unregister display specifiers in Active Directory

  1. Log in as a user with Enterprise Administrator rights.

  2. Open a command prompt and navigate to the Safeguard Authentication Services installation directory.

  3. Run the DsReg.vbs script with the /remove option:

    DsReg.vbs /remove

    NOTE: To unregister display specifiers with One Identity Active Roles, run the following command:

    DsReg.vbs /remove /provider:EDMS

    To see all the DsReg.vbs options, run the following command:

    DsReg.vbs /help

    A SUCCESS message appears indicating that the display specifiers were removed successfully.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione