When trying to create a custom script, the administrator would like to know which attribute is set when checking or unchecking the Unix Enabled checkbox in Active Directory Users & Computers (ADUC).
There isn't a specific user attribute that controls this. A user is "Unix-Enabled" and the checkbox has a tick when the following attributes of the user have been set.
uidNumber (Greater than 0)
gidNumber (Greater than 0)
loginShell (not /bin/false)
The ADUC Unix Enabled checkbox does the following:
1) When there are no attributes and it is selected, it populates these attributes with the defaults.
2) When there are attributes and it is de-selected, the user's shell is changed to /bin/false. The user's identity will still be cached.
3) When there are attributes, but the shell is /bin/false, selecting the button will change the loginShell to a valid shell (using the default shell).
For group accounts, the "gidNumber" attribute is the only attribute that is set when the account is Unix enabled. When the Unix Enabled checkbox is de-selected then the "gidNumber" attribute is unset.
If using QAS 3.5 or below, all users will require a User Principal Name (UPN) attribute.
To count the number of UnixEnabled users in AD from the UNIX client, run the following LDAP query:
# /opt/quest/bin/vastool -qu host/ search '(&(uidNumber>=1)(gidNumber>=1)(unixHomeDirectory=*)(loginShell=*)(!(loginShell=/bin/false)))' dn
To query all UnixEnabled users and/or to count the number of UnixEnabled users in AD from PowerShell, run one of the following two commands:
(Note: the following commands are to be run in PowerShell on a Domain Controller running the Quest Authentication Services software.)
To query all AD users who are UnixEnabled and output that list of users, run the following command from PowerShell:
get-qasunixuser * | Where-Object -Property UnixEnabled -eq -Value "True"
To query the number of AD users who are UnixEnabled and output that number, run the following command from PowerShell:
(get-qasunixuser * | Where-Object -Property UnixEnabled -eq -Value "True").count
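For a custom script that needs more than the checkbox state, the attribute rules described above can be evaluated directly. The following is an added example, not part of the original article or of the Quest tooling: the function name Get-UnixEnabledState and its state labels are hypothetical, and it assumes the standard uidNumber, gidNumber and loginShell attribute names. It separates accounts that are fully enabled from those that were de-selected but still carry a uidNumber and gidNumber.

```powershell
# Added example. Classifies an account from the three attributes the
# checkbox manipulates. Attribute names are assumed to be the standard
# uidNumber / gidNumber / loginShell.
function Get-UnixEnabledState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User    # any object exposing the three attributes
    )
    process {
        $hasUid = [long]$User.uidNumber -gt 0   # unset ($null) casts to 0
        $hasGid = [long]$User.gidNumber -gt 0
        $shell  = [string]$User.loginShell      # unset becomes ''

        $state = if ($hasUid -and $hasGid -and $shell -and $shell -ne '/bin/false') {
            'UnixEnabled'          # checkbox shows a tick
        } elseif ($hasUid -and $hasGid -and $shell -eq '/bin/false') {
            'ShellDisabled'        # case 2: de-selected, uid/gid remain set
        } elseif ($hasUid -or $hasGid -or $shell) {
            'Incomplete'           # some attributes set, but not all three
        } else {
            'NoUnixAttributes'     # case 1 precondition: nothing populated
        }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            uidNumber      = $User.uidNumber
            gidNumber      = $User.gidNumber
            loginShell     = $User.loginShell
            State          = $state
        }
    }
}

# Constructed sample accounts (not real directory data).
$sample = @(
    [pscustomobject]@{ SamAccountName='alice'; uidNumber=10001; gidNumber=1000; loginShell='/bin/bash' }
    [pscustomobject]@{ SamAccountName='bob';   uidNumber=10002; gidNumber=1000; loginShell='/bin/false' }
    [pscustomobject]@{ SamAccountName='carol'; uidNumber=$null; gidNumber=$null; loginShell=$null }
    [pscustomobject]@{ SamAccountName='dave';  uidNumber=10004; gidNumber=$null; loginShell='/bin/sh' }
)
$sample | Get-UnixEnabledState | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties uidNumber,gidNumber,loginShell | Get-UnixEnabledState
```

Accounts reported as ShellDisabled keep their UNIX identity attributes, which is the case where the user's identity will still be cached.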