You can install specific Safeguard Authentication Services components from the Windows command line using Msiexec.exe, the Microsoft Windows Installer program, which processes product installation files in the .MSI format. You can either double-click the individual Safeguard Authentication Services component .msi files or you can run msiexec.exe to install, modify, and perform other operations from the Windows command line.
The individual Safeguard Authentication Services component .msi files, located on the distribution media in the windows folder, are:
You can use the following properties on the command line when installing the individual Safeguard Authentication Services components.
MSI property | Description |
---|---|
INSTALLFOLDER | Specifies the directory where you want to install the package. (Core X86 only.)
Default: %PROGRAMFILES(X86)%\Quest Software\Authentication Services |
INSTALLDESKTOPSHORTCUTS | Specifies whether or not to install desktop shortcuts.
Default: 0 (Do not install desktop shortcuts.) |
INSTALLSTARTMENUSHORTCUTS | Specifies whether or not to install Start menu shortcuts.
Default: 0 (Do not install Start menu shortcuts.) |
ARPSYSTEMCOMPONENT | Specifies whether or not to add an entry in the Uninstall or change a program interface (Add/Remove Programs) for each individual component (ADUC, Group Policy, and Control Center).
Default: 0 (Add entry in Add/Remove Programs.) |
NOCHANGEPSPOLICY | Specifies whether or not to allow PowerShell execution policy modifications. (Core X86 only.)
Default: 0 (Allow PowerShell policy modifications.) |
The following procedures show examples of using the MSI Properties from the Windows command line.
To install Safeguard Authentication Services Windows components using Msiexec.exe
msiexec /i cc.msi
Note: Run msiexec -help to see the full command syntax.
msiexec INSTALLFOLDER=%SystemDrive%:\<Directory> /i coreX86.msi
Note: By default, the installation directory is:
%SystemDrive%:\Program Files\Quest Software\Authentication Services
%SystemDrive%:\Program Files (x86)\Quest Software\Authentication Services
msiexec INSTALLDESKTOPSHORTCUTS=1 /i cc.msi
msiexec INSTALLSTARTMENUSHORTCUTS=1 /i cc.msi
msiexec ARPSYSTEMCOMPONET=0 /i aducX64.msi
Note: Setting ARPSYSTEMCOMPONET to 1 prevents the application from displaying in the Uninstall or change a program interface (Add/Remove Programs).
Msiexec.exe INSTALLFOLDER=C:\foo INSTALLDESKTOPSHORTCUTS=1 INSTALLSTARTMENUSHORTCUTS=0 ARPSYSTEMCOMPONENT=1 NOCHANGEPSPOLICY=1 /i corex86.msi
If you run this command line, the Core X86 package will be installed into C:\foo, icons will be added to the Desktop, but no Start menu shortcut will be added. Furthermore, this package will not be listed in the Uninstall or change a program interface (Add/Remove Programs) and the PowerShell Execution Policy will not be updated.
To uninstall Safeguard Authentication Services components from the Windows command line
msiexec /uninstall cc.msi
Notes:
You can specify either /uninstall or /x.
If you manually install MSI files, take care to uninstall them in the reverse order that they are installed. For example if you install CoreX86 and AducExtensionsx86 remove them in this order: AducExtensionsx86, then Corex86.
About Active Directory configuration
Join the host to AD without the Safeguard Authentication Services application configuration
To utilize full Active Directory functionality, when you install Safeguard Authentication Services in your environment, One Identity recommends that you prepare Active Directory to store the configuration settings that it uses. Safeguard Authentication Services adds the Unix properties of Active Directory users and groups to Active Directory and allows you to map a Unix user to an Active Directory user. This is a one-time process that creates the Safeguard Authentication Services application configuration in your forest.
Note: To use the Safeguard Authentication Services Active Directory Configuration Wizard, you must have rights to create and delete all child objects in the Active Directory container.
If you do not configure Active Directory for Safeguard Authentication Services, you can run your Safeguard Authentication Services client agent in Version 3 Compatibility Mode, which allows you to join a host to an Active Directory domain.
For more information, see Version 3 Compatibility Mode in the Safeguard Authentication Services Installation Guide.
For more information, see Version 3 Compatibility Mode.
When running Safeguard Authentication Services client agent in Version 3 Compatibility Mode, you have the option in One Identity Management Console for Unix to set the schema configuration to use Windows 2003 R2. See Configure Windows 2003 R2 Schema in the management console online help for details. The Windows 2003 R2 schema option extends the schema to support the direct look up of Unix identities in Active Directory domain servers.
You can also create the Safeguard Authentication Services application configuration from the Unix command line, if you prefer. For more information, see Creating the application configuration from the Unix command line.
The first time you install Safeguard Authentication Services in your environment, One Identity recommends that you perform this one-time Active Directory configuration step to utilize full Safeguard Authentication Services functionality.
Note: If you do not configure Active Directory for Safeguard Authentication Services, you can run your Safeguard Authentication Services client agent in Version 3 Compatibility Mode, which allows you to join a host to an Active Directory domain.
For more information, see Version 3 Compatibility Mode in the Safeguard Authentication Services Installation Guide.
To configure Active Directory for Safeguard Authentication Services
Note: The wizard does not save these credentials; it only uses them for this setup task.
Select whether to connect to an Active Directory Domain Controller or One Identity Active Roles Server.
Note: If you have not installed the One Identity Active Roles Server MMC Console on your computer, the ActiveRoles Server option is not available.
Refer to About licenses for more information about licensing requirements.
Note: You can add additional licenses later from Safeguard Authentication Services Control Center | Preferences | Licensing.
Note: You must have rights to create and delete all child objects in the selected location. For more information on the structure and rights required see Windows permissions.
The Control Center opens. You are now ready to configure your Unix Agent Components.
Proceed to Configure Unix agent components
The first time you install or upgrade the Safeguard Authentication ServicesWindows components in your environment, One Identity recommends that you configure Active Directory for Safeguard Authentication Services to utilize full functionality. This is a one-time Active Directory configuration step that creates the application configuration in your forest. Safeguard Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise. Without the application configuration, store UNIX attributes in the RFC2307 standard attributes to achieve the most functionality.
Note: If you do not configure Active Directory for Safeguard Authentication Services, you can run your client agent in Version 3 Compatibility Mode, which allows you to join a host to an Active Directory domain.
See Version 3 Compatibility Mode in the Safeguard Authentication Services Installation Guide for details.
The Safeguard Authentication Services application configuration stores the following information in Active Directory:
The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.
The Safeguard Authentication Services application configuration information is stored inside a container object with the specific naming of: cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.
There can only be one Active Directory configuration per forest. If Safeguard Authentication Services finds multiple configurations, it uses the one created first as determined by reading the whenCreated attribute. The only time this would be a problem is if different groups were using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.
The first time you run the Control Center, the Safeguard Authentication Services Active Directory Configuration Wizard walks you through the setup.
Note: You can also create the Safeguard Authentication Services application configuration from the Unix command line, if you prefer.
For more information, see Creating the application configuration from the Unix command line.
You can modify the settings using Safeguard Authentication ServicesControl Center| Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.
In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.
The following table summarizes the required rights.
Rights required | For user | Object class | Attributes |
---|---|---|---|
Create Child Object | Safeguard Authentication Services Administrators Only | Container | cn, displayName, description, showInAdvancedViewOnly |
Write Attribute | Safeguard Authentication Services Administrators Only | Container | |
Read Attribute | Authenticated Users | Container | cn, displayName, description, whenCreated |
At any time you can completely remove the Safeguard Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the application configuration, Safeguard Authentication Services Active Directory-based management tools do not function.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center