One Identity Management Console for Unix 2.5.2 - Administration Guide

Select AD User Dialog

Use the Select AD User dialog to search Active Directory to locate and select an Active Directory user account.

The Select AD User dialog displays when you:

  • Click the Select button on the AD Logon tab of a local user's properties.
  • Choose AD user from the Add menu on the Members tab of a local group's properties.

    Note: This dialog indicates that you must choose a Unix-enabled AD user.

  • Select the Select AD user option in the Logon Policy for AD User report parameters and click the button.

Use the controls at the top of this view to search for a user.

Table 39: Select AD User dialog

  Search by name: In the search box, enter the name of an Active Directory user. After entering one or more characters, click the button to initiate the search and display the search results. Active Directory users whose names start with the characters you enter are displayed if they are located in the container (or a subordinate container) specified in the Search In box.

    NOTE: To search for all users in the forest, leave the Search by name box empty and click the button. The search then uses the ANR search algorithm to find matching objects. (See Ambiguous Name Resolution for more information.)

  Search In: By default, the management console searches the forest where the default domain resides. To search a different container or domain, click the button to open the Browse for Container dialog.

  Search results list: The users found as a result of the search are displayed in this list. Select users and click OK to save your selection and close the dialog.

Viewing or modifying Active Directory user properties

When logged in with an Active Directory account in the Manage Hosts role, you can view the properties of Active Directory user accounts from the Active Directory tab. However, you must have permissions in Active Directory to modify Active Directory user properties.

To view or modify the properties of an Active Directory user

  1. From the Active Directory tab of the management console, use the search controls to locate an Active Directory user.
  2. Double-click the user name to open the Active Directory user's properties.

    You can also right-click the user name and choose Properties.

  3. Use the General tab to view or modify the following properties:
    • First Name
    • Initial
    • Last Name
    • Display Name
    • Description
  4. Use the Account tab to view or modify the following settings:
    • User logon name
    • User logon name (pre-Windows 2000)
    • Account is locked out option (view only)
    • Account options

    Note: Please review the following notes regarding the account options:

    • You cannot modify the User cannot change password option through the management console. Use Active Directory Users and Computers (ADUC) to enable or disable this option, as needed.
    • If the User cannot change password option is enabled in ADUC, you cannot require the user to change their password at next log on.
    • If the Password never expires option is enabled in ADUC, you cannot require the user to change their password at the next log on.

  5. Use the Member Of tab to view the groups of which this Active Directory user is a member.

    Note: You cannot make modifications to this view through the management console.

  6. Use the Unix Account tab to enable or disable Unix access of the Active Directory user.
  7. Use the Local User Accounts tab to display a list of all the local Unix users that are required to log on using the selected Active Directory user account.
  8. Click OK to save your changes and close the Active Directory user's properties.

Active Directory User Properties

The properties for the selected Active Directory user are displayed when you double-click the user name, or when you right-click the user name and choose Properties from the context menu. The properties are also displayed when you select the View AD User Properties button on the AD Logon tab of a local user's properties, if you have a licensed version of Authentication Services 4.x installed.

This dialog has the following tabs:

  • General
  • Account
  • Member Of
  • Unix Account
  • Local User Accounts

General tab

Use the General tab to review or modify the general properties for the selected Active Directory user.

Table 40: Active Directory User Properties: General tab

  First Name: The user's first name.
  Initial: The user's middle initial.
  Last Name: The user's last name.
  Display Name: The user's display name.
  Description: Comments that describe the user.

Account tab

The Account tab displays the following information about the selected user:

Table 41: Active Directory User Properties: Account tab

  User logon name: The user's logon name.
  User logon name (pre-Windows 2000): The user's pre-Windows 2000 logon name.
  Account is locked out: Indicates whether the user account is currently locked out.
  Account options: These options define the Active Directory security and access control rules that apply to the selected user.

    NOTE: Review the following notes regarding the account options:

    • You cannot modify the User cannot change password option through the management console. Use Active Directory Users and Computers (ADUC) to enable or disable this option, as needed.
    • If the User cannot change password option is enabled (by means of ADUC), you cannot require the user to change their password at next logon.
    • If the Password never expires option is enabled, you cannot require the user to change their password at the next logon.

Member Of tab

The Member Of tab displays the Active Directory groups of which the user is a member.

Unix Account tab

With the console configured to recognize Active Directory objects, you can use the Unix Account tab to enable Unix access for the selected Active Directory user. (See Configuring the console to recognize Unix attributes in AD for details.)

Table 42: Active Directory User Properties: Unix Account tab

  Unix-enabled: Select this option to Unix-enable the selected user. When you select this option, the management console enables the remaining fields. Use this tab to assign Unix identity attributes to the selected user.

    NOTE: When enabled, the required fields are pre-populated with default values. Select OK to Unix-enable the user using these default settings.

  User Name: A read-only field that displays the sAMAccountName assigned to the selected user.
  UID Number: Enter the integer that the Unix operating system uses to refer to the new user.
  Generate unique ID: Select this button to generate a unique UID number for the user.
  Primary GID Number: Enter or select the primary GID number of the group of which this user is a member.
  Select: Use this button to search for and select a different primary GID number.
  Primary Group Name: Optionally, enter the name of the primary group.
  Comment (GECOS): Optionally, enter a description for the user.
  Home Directory: Enter the file system directory for the user's personal data and files. The default is /home/.
  Login Shell: Enter the login shell the user uses to log on to the Unix system.
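As an added example (not code from the One Identity documentation or product), the check below validates a set of Unix identity attributes matching the fields on the Unix Account tab against a constructed list of already Unix-enabled users before they are assigned. The validation rules, sample data and the UID generator are assumptions made for this example; the generator only mimics the idea of the Generate unique ID button, not the console's own algorithm.

```python
# Added example, not One Identity code: sanity-check the Unix identity attributes
# the Unix Account tab assigns before an AD user is Unix-enabled. The rules and
# sample data are assumptions made for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class UnixAccount:
    user_name: str   # sAMAccountName (read-only on the tab)
    uid: int         # UID Number
    gid: int         # Primary GID Number
    gecos: str       # Comment (GECOS)
    home: str        # Home Directory
    shell: str       # Login Shell

# Constructed sample of users already Unix-enabled in the directory.
EXISTING = [
    UnixAccount("alice", 10001, 10000, "Alice Example", "/home/alice", "/bin/bash"),
    UnixAccount("bob", 10002, 10000, "Bob Example", "/home/bob", "/bin/bash"),
]
KNOWN_GIDS = {10000, 10100}  # GIDs of Unix-enabled groups (constructed)
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/usr/sbin/nologin"}

def generate_unique_uid(existing, start=10000):
    """Lowest UID >= start not yet assigned (the idea behind 'Generate unique ID')."""
    used = {a.uid for a in existing}
    uid = start
    while uid in used:
        uid += 1
    return uid

def validate(acct, existing, known_gids, allowed_shells):
    """Return a list of problems; an empty list means the attributes are safe to assign."""
    problems = []
    if acct.uid <= 0:
        problems.append("UID must be positive; UID 0 would map the AD user to root")
    for other in existing:
        if other.uid == acct.uid and other.user_name != acct.user_name:
            problems.append(f"UID {acct.uid} is already used by {other.user_name}")
    if acct.gid not in known_gids:
        problems.append(f"primary GID {acct.gid} is not a Unix-enabled group")
    if not acct.home.startswith("/"):
        problems.append("home directory must be an absolute path")
    if acct.shell not in allowed_shells:
        problems.append(f"login shell {acct.shell} is not on the allowed list")
    if any(c in acct.gecos for c in ":\n"):
        problems.append("GECOS must not contain ':' or newline (passwd record delimiters)")
    return problems
```

A duplicate UID gives two directory users the same Unix identity on every host, so the UID check is the one to treat as blocking rather than advisory.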

Local User Accounts tab

With Authentication Services 4.x installed, you can use the Local User Accounts tab to display a list of all the local Unix users that are required to log on using the selected Active Directory user account. This tab displays the following information about these local user accounts:

  • Name
  • Host

Right-click a user in this list to perform the following tasks:

  • View local user properties: Opens the properties for the selected local user
  • View host properties: Displays the host properties where the selected local user resides

Viewing or modifying Active Directory group properties

When logged in with an Active Directory account in the Manage Hosts role, you can view the properties of Active Directory group accounts from the Active Directory tab. However, you must have permissions in Active Directory to modify Active Directory group properties.

To view or modify the properties of an Active Directory group

  1. From the Active Directory tab of the management console, use the search controls to locate an Active Directory group.
  2. Double-click the group name to open the Active Directory group's properties.

    You can also right-click the group name and choose Properties.

  3. Use the General tab to view or modify the following properties:
    • Group name
    • Description
  4. Use the Member tab to view the Active Directory objects (users, groups, computers) that are members of the group.

    Note: Searching for the members of an Active Directory group works most efficiently when there is a global catalog for the group's domain. If a global catalog for the group's domain cannot be found, the search may be slower.

    1. To add a member to the Active Directory group, click the Add Members button.

      The Add Members To Group dialog displays.

      Use the search controls to display a list of Active Directory users or groups available to add to the Active Directory group.

      Select the users or groups you wish to add and click OK.

    2. To remove a member from the Active Directory group, select that member and click the Remove Members button.
  5. Use the Member Of tab to view the groups of which this Active Directory group is a member.

    Note: You cannot make modifications to this view through the management console.

  6. Use the Unix Account tab to enable or disable Unix access for the Active Directory group.
  7. Click OK to save your changes and close the Active Directory group's properties.