Safeguard Authentication Services 5.0.5

From the Control Center, navigate to Tools | Safeguard Authentication Services.
Click Safeguard Authentication Services PowerShell Console.

Note: The first time you launch the PowerShell Console, it asks you if you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your system as a trusted entity. Once you have done this, you will never be asked this question again on this machine.

At the PowerShell prompt, enter the following:

Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567

Note: You created the UNIXusers group in a previous exercise. See Adding an Active Directory group account.

Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:

ObjectClass              : group
DistinguishedName        : CN=UNIXusers,CN=Users,DC=example,DC=com
ObjectGuid               : 71aaa88-d164-43e4-a72a-459365e84a25
GroupName                : UNIXusers
UnixEnabled              : True
GidNumber                : 1234567
AdsPath                  : LDAP://windows.example.com/CN=UNIXusers,CN=Users,
                           DC=example,DC=com
CommonName               : UNIXusers

At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:

Enable-QasUnixUser ADuser | Seet-QasUnixUser -PrimaryGidNumber 1234567

The Unix properties of the user display:

ObjectClass              : user
DistinguishedName        : CN=ADuser,CN=Users,DC=example,DC=com
ObjectGuid               : 5f83687c-e29d-448f-9795-54d272cf9f25
UserName                 : ADuser
UnixEnabled              : True
UidNumber                : 80791532
PrimaryGidNumber         : 1234567
Gecos                    :
HomeDirectory            : /home/ADuser
LoginShell               : /bin/sh
AdsPath                  : LDAP://windows.example.com/CN=ADuser,CN=Users,
                           DC=example,DC=com
CommonName               : ADuser

To disable the ADuser user for Unix login, at the PowerShell prompt enter:
```
Disable-QasUnixUser ADuser
```
Note: To clear all Unix attribute information, enter:
```
Clear-QasUnixUser ADuser
```
Now that you have Unix-disabled the user, that user can no longer log in to systems running the Safeguard Authentication Services agent.
From the Control Center, under Login to remote host, enter:
- Host name: The Unix host name.
- User name: The Active Directory user name, ADuser.
Click Login to log in to the Unix host with your Active Directory user account.

A PuTTY window displays.

Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.
Enter the password for the Active Directory user account.
You will receive a message that says Access denied.

PowerShell cmdlets

Getting started with Safeguard Authentication Services > Use Safeguard Authentication Services PowerShell > PowerShell cmdlets

Safeguard Authentication Services supports the flexible scripting capabilities of PowerShell to automate administrative, installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Safeguard Authentication Services.

Table 21: PowerShell cmdlets
cmdlet name	Description
Add-QasLicense	Installs an Safeguard Authentication Services license file in Active Directory. Licenses installed this way are downloaded by all Unix clients.
Clear-QasUnixGroup	Clears the Unix identity information from group object in Active Directory. The group is no longer Unix-enabled and will be removed from the cache on the Safeguard Authentication Services Unix clients.
Clear-QasUnixUser	Clears the Unix identity information from a user object in Active Directory. The user is no longer Unix-enabled will be removed from the cache on the Safeguard Authentication Services Unix clients.
Disable-QasUnixGroup	Unix-disables a group and will be removed from the cache on the Safeguard Authentication Services Unix clients. Similar to Clear-QasUnixGroup except the Unix group name is retained.
Disable-QasUnixUser	Removes an Active Directory user‘s ability to log in on Unix hosts. (The user will still be cached on the Safeguard Authentication Services Unix clients.)
Enable-QasUnixGroup	Enables an Active Directory group for Unix by giving a Unix GID number. The GID number is automatically generated.
Enable-QasUnixUser	Enables an Active Directory user for Unix. The required account attributes UID number, primary GID number, GECOS, login shell, and home directory are generated automatically.
Get-QasConfiguration	Returns an object representing the Safeguard Authentication Services application configuration data stored in Active Directory.
Get-QasGpo	Returns a set of objects representing GPOs with Unix and/or macOS settings configured. This cmdlet is in the Quest.AuthenticationServices.GroupPolicy module.
Get-QasLicense	Returns objects representing the Safeguard Authentication Services product licenses stored in Active Directory.
Get-QasOption	Returns a set of configurable global options stored in Active Directory that affect the behavior of Safeguard Authentication Services.
Get-QasSchema	Returns the currently configured schema definition from the Safeguard Authentication Services application configuration.
Get-QasSchemaDefinition	Returns a set of schema templates that are supported by the current Active Directory forest.
Get-QasUnixGroup	Returns an object that represents an Active Directory group as a Unix group. The returned object can be piped into other cmdlets such as Clear-QasUnixGroup or Enable-QasUnixGroup.
Get-QasUnixUser	Returns an object that represents an Active Directory user as a Unix user. The returned object can be piped into other cmdlets such as Clear-QasUnixUser or Enable-QasUnixUser.
Get-QasVersion	Returns the version of Safeguard Authentication Services currently installed on the local host.
Move-QasConfiguration	Moves the Safeguard Authentication Services application configuration information from one container to another in Active Directory.
New-QasAdConnection	Creates an object that represents a connection to Active Directory using specified credentials. You can pass a connection object to most Safeguard Authentication Services cmdlets to execute commands using different credentials.
New-QasArsConnection	Creates an object that represents a connection to an Active Roles Server using the specified credentials. You can pass a connection object to most Safeguard Authentication Services cmdlets to execute commands using different credentials.
New-QasConfiguration	Creates a default Safeguard Authentication Services application configuration in Active Directory and returns an object representing the newly created configuration.
Remove-QasConfiguration	Accepts a Safeguard Authentication Services application configuration object as input and removes it from Active Directory. This cmdlet produces no output.
Remove-QasLicense	Accepts an Safeguard Authentication Services product license object as input and removes the license from Active Directory. This cmdlet produces no output.
Set-QasOption	Accepts an Safeguard Authentication Services options set as input and saves it to Active Directory.
Set-QasSchema	Accepts an Safeguard Authentication Services schema template as input and saves it to Active Directory as the schema template that will be used by all Safeguard Authentication Services Unix clients.
Set-QasUnixGroup	Accepts a Unix group object as input and saves it to Active Directory. You can also set specific attributes using command line options.
Set-QasUnixUser	Accepts a Unix user object as input and saves it to Active Directory. You can also set specific attributes using command line options.

Safeguard Authentication Services PowerShell cmdlets are contained in PowerShell modules named Quest.AuthenticationServices and Quest.AuthenticationServices.GroupPolicy. Use the Import-Module command to import the Safeguard Authentication Services commands into an existing PowerShell session.

Change Auditor for Authentication Services

Getting started with Safeguard Authentication Services > Change Auditor for Authentication Services

Change Auditor for Authentication Services allows you to track changes and send alerts on:

Changes to Active Directory objects and attributes
Changes to Unix and macOS settings in Group Policy Objects
Changes to product settings and configuration

Installing Change Auditor for Authentication Services

Getting started with Safeguard Authentication Services > Change Auditor for Authentication Services > Installing Change Auditor for Authentication Services

The following steps outline the basic procedure for installing Change Auditor for Authentication Services. See the Change Auditor Installation Guide to obtain detailed steps for installing Change Auditor for Authentication Services.

To install Change Auditor for Authentication Services

Insert the Safeguard Authentication Services distribution media.
The Autorun Home page displays.

Note: If the Autorun Home page does not display, navigate to the root of the distribution media and double-click autorun.exe.
Click the Setup tab and select Change Auditor for Authentication Services.
The Change Auditor for Authentication Services for Active Directory web page opens.
Click Download on the left navigation panel.
Follow the online instructions to gain access to the Trial Download page.
From the Trial Download: Change Auditor for Active Directory page, click the Installation Guide link.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Safeguard Authentication Services 5.0.5 - Evaluation Guide

Unix-enabling a user and user group (PowerShell Console)

PowerShell cmdlets

Change Auditor for Authentication Services

Installing Change Auditor for Authentication Services