One Identity Management Console for Unix 2.5.2 - Administration Guide


Viewing or modifying Active Directory user properties

When logged in with an Active Directory account in the Manage Hosts role, you can view the properties of Active Directory user accounts from the Active Directory tab. However, you must have permissions in Active Directory to modify Active Directory user properties.

To view or modify the properties of an Active Directory user

  1. From the Active Directory tab of the management console, use the search controls to locate an Active Directory user.
  2. Double-click the user name to open the Active Directory user's properties.

    You can also right-click the user name and choose Properties.

  3. Use the General tab to view or modify the following properties:
    • First Name
    • Initial
    • Last Name
    • Display Name
    • Description
  4. Use the Account tab to view or modify the following settings:
    • User logon name
    • User logon name (pre-Windows 2000)
    • Account is locked out option (view only)
    • Account options

    Note: The following restrictions apply to the account options:

    • You cannot modify the User cannot change password option through the management console. Use Active Directory Users and Computers (ADUC) to enable or disable this option, as needed.
    • If the User cannot change password option is enabled in ADUC, you cannot require the user to change their password at the next logon.
    • If the Password never expires option is enabled in ADUC, you cannot require the user to change their password at the next logon.

  5. Use the Member Of tab to view the groups of which this Active Directory user is a member.

    Note: You cannot make modifications to this view through the management console.

  6. Use the Unix Account tab to enable or disable Unix access of the Active Directory user.
  7. Use the Local User Accounts tab to display a list of all the local Unix users that are required to log on using the selected Active Directory user account.
  8. Click OK to save your changes and close the Active Directory user's properties.
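As an added illustration of the account-option restrictions noted in step 4 (this is example code, not code from the guide or from One Identity), the following Python decodes an account's userAccountControl flags and refuses to require a password change at next logon while Password never expires or User cannot change password is in effect. It assumes the account attributes have already been read from Active Directory and that the User cannot change password state, which is an ACL rather than a userAccountControl bit, is supplied as a boolean; the account records are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not from the guide. Real userAccountControl bit values as
# documented by Microsoft; only flags shown on the console's Account tab are listed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",          # stale in modern AD; lockoutTime is authoritative
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
DONT_EXPIRE_PASSWORD = 0x10000

def decode_uac(uac: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

def can_require_password_change(uac: int, cannot_change_password: bool) -> Tuple[bool, str]:
    """Apply the guide's rule for 'User must change password at next logon'.

    'User cannot change password' is not a userAccountControl bit: AD enforces it
    with a deny ACE on the Change Password right, so the caller reads that state
    from the object's security descriptor and passes it in as a boolean."""
    if uac & DONT_EXPIRE_PASSWORD:
        return False, "Password never expires is set; clear it in ADUC first"
    if cannot_change_password:
        return False, "User cannot change password is set; clear it in ADUC first"
    return True, "ok"

def require_change_modification(uac: int, cannot_change_password: bool) -> Dict[str, str]:
    """LDAP change that forces a password change at next logon (pwdLastSet = 0)."""
    allowed, reason = can_require_password_change(uac, cannot_change_password)
    if not allowed:
        raise ValueError(reason)  # refuse rather than write a change AD will not honour
    return {"pwdLastSet": "0"}

# Constructed sample records (hypothetical accounts), shaped like an LDAP read.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200, "cannot_change_password": False},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200, "cannot_change_password": True},
    {"sAMAccountName": "asmith", "userAccountControl": 0x0200, "cannot_change_password": False},
]

def audit(accounts: List[Dict]) -> Dict[str, str]:
    """Map each account that cannot be forced to change its password to the reason."""
    checks = {a["sAMAccountName"]: can_require_password_change(a["userAccountControl"], a["cannot_change_password"])
              for a in accounts}
    return {name: reason for name, (ok, reason) in checks.items() if not ok}
```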

Viewing or modifying Active Directory group properties

When logged in with an Active Directory account in the Manage Hosts role, you can view the properties of Active Directory group accounts from the Active Directory tab. However, you must have permissions in Active Directory to modify Active Directory group properties.

To view or modify the properties of an Active Directory group

  1. From the Active Directory tab of the management console, use the search controls to locate an Active Directory group.
  2. Double-click the group name to open the Active Directory group's properties.

    You can also right-click the group name and choose Properties.

  3. Use the General tab to view or modify the following properties:
    • Group name
    • Description
  4. Use the Member tab to view the Active Directory objects (users, groups, computers) that are members of the group.

    Note: Searching for the members of an Active Directory group works most efficiently when there is a global catalog for the group's domain. If a global catalog for the group's domain cannot be found, the search may be slower.

    1. To add a member to the Active Directory group, click the Add Members button.

      The Add Members To Group dialog displays.

      Use the search controls to display a list of Active Directory users or groups available to add to the Active Directory group.

      Select the users or groups you wish to add and click OK.

    2. To remove a member from the Active Directory group, select that member and click the Remove Members button.
  5. Use the Member Of tab to view the groups of which this Active Directory group is a member.

    Note: You cannot make modifications to this view through the management console.

  6. Use the Unix Account tab to enable or disable Unix access for the Active Directory group.
  7. Click OK to save your changes and close the Active Directory group's properties.

Authentication Services integration

You can unlock these additional Active Directory features when you install Authentication Services 4.x on hosts you manage with the management console:

  • Join systems to Active Directory and implement AD-based authentication for Unix, Linux, and Mac systems.
  • Activate the Unix Account and Local User Accounts tabs on Active Directory user properties.
  • Activate the Unix Account tab on the Active Directory group properties.
  • Map a Unix user to an Active Directory user.
  • Create reports about Unix-enabled Active Directory users and groups.
  • Create Logon Policy for AD User and Logon Policy for Unix Host reports that show which user is permitted to log into which Unix host.

Note: See Configure Active Directory for Authentication Services for more information about setting up the console for full Active Directory functionality.

After you install the core version of Management Console for Unix, add and profile at least one host, and enable the Active Directory features (as explained in Enabling Active Directory features), take these steps to configure the management console for Authentication Services:

  1. Install Authentication Services on the Active Directory domain for which the console is configured.
  2. Configure Active Directory for Authentication Services.
  3. Choose to view the Authentication Services information in the management console.
  4. Check for AD Readiness.
  5. Install Authentication Services Software Packages on Hosts.
  6. Discover the Authentication Services license in the management console.
  7. Join to Active Directory.
  8. Configure Host Access Control.

The following topics walk you through these steps.

Installing Authentication Services

Install Authentication Services on each Windows workstation you plan to use to administer Unix data in Active Directory.

To install the Authentication Services Windows components

  1. Mount the distribution media.

    Autorun starts automatically.

    Note: To start the Autorun installation wizard, you can also navigate to the root of the distribution media and double-click the autorun Application file.

  2. From the Autorun Setup tab, click Authentication Services to launch the Setup wizard.

    The Authentication Services Setup Wizard starts automatically.

  3. Click Next at the Welcome dialog and follow the wizard prompts.

    The wizard leads you through the following dialogs:

    • License Agreement
    • Choose Destination Location
    • Ready to Install the Program
    • InstallShield Wizard Complete
  4. Leave the Launch Authentication Services option selected on the InstallShield Wizard Complete dialog, and click Finish to automatically start the Control Center.

Note: The first time you install Authentication Services in your environment, the Authentication Services Active Directory Configuration Wizard starts automatically to walk you through the process of configuring Active Directory for Authentication Services. If the configuration has already been performed when you click Finish, the Control Center launches.
