
Safeguard Authentication Services 4.1.5 - Administration Guide


Managing User accounts from the Unix command line

Note: In the following examples, it is assumed that you have already logged in with a user that has sufficient permissions in Active Directory to perform the intended command (see Authentication Services permissions matrix). If your present account lacks the necessary permissions, you can use either of the following methods to run the administrative command:

  1. Use vastool kinit <elevated-permission-user> to obtain a Kerberos ticket for a user that has the required permissions. For example, execute vastool kinit admin-user, and then perform the command as outlined in the examples. The ticket stays in the credential cache until it expires or you run vastool kdestroy, so later vastool commands in the same session also run with that identity.

    -OR-

  2. Use vastool -u <elevated-permission-user> to run a single command as that user. For example, vastool create user test-account becomes vastool -u admin-user create user test-account.

You can use the vastool command from the command line to create and delete users, as well as list user information.

To create a user, use the vastool create command. The following command creates a non-Unix-enabled user, bsmith, in Active Directory:

vastool create bsmith

To create a user that has its Unix account enabled, pass in an /etc/passwd-formatted string (name:password:UID:GID:GECOS:home directory:login shell) using the -i option, as follows:

vastool create -i "bsmith:x:1003:1000:Bob:/home/bsmith:/bin/bash" bsmith

By default, all users created with vastool create are created in the Users container. To create a user in a different organizational unit, use the -c command line option.

The following command creates a Unix-enabled user, bsmith, in the OU=sales,DC=example,DC=com organizational unit:

vastool create -i \
  "bsmith:x:1003:1000:Bob:/home/bsmith:/bin/bash" \
  -c "OU=sales,DC=example,DC=com" bsmith

To delete a user, use vastool delete. The following command deletes the bsmith user:

vastool delete bsmith

To list users, use vastool list users. This command returns information from the local account cache rather than querying Active Directory directly, so a user you have just created or Unix-enabled may not appear until the cache has been refreshed (for example, with vastool flush). The following command lists all the users with Unix accounts enabled:

vastool list users

This command produces output similar to the following:

jdoe:VAS:1000:1000:John Doe:/home/jdoe:/bin/bash
djones:VAS:1001:1000:Dave Jones:/home/djones:/bin/bash
molsen:VAS:1002:1000:Mary Olsen:/home/molsen:/bin/bash
bsmith:VAS:1003:1000:Bob Smith:/home/bsmith:/bin/bash
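As an added example that is not part of the One Identity guide, the following POSIX shell script wraps the vastool commands described above with two checks an administrator normally wants: it validates an /etc/passwd-formatted entry before handing it to vastool create -i (seven fields, numeric UID and GID, no UID 0, absolute home directory and shell), and it audits saved vastool list users output for malformed lines and UIDs shared by more than one account. Only vastool and its create/list syntax come from the page; the admin-user account, the organizational unit, the account-name policy and the sample listing at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the One Identity guide: wraps the vastool user
# commands above with pre- and post-creation checks. admin-user, the OU, the
# account-name policy and the sample listing are assumptions for this example.

# qas_validate_passwd_entry ENTRY
# Checks an /etc/passwd-formatted entry before "vastool create -i" sees it:
# seven fields, numeric UID and GID, no UID 0, absolute home and shell.
# Returns 1 with the reason on stderr if a check fails.
qas_validate_passwd_entry() {
    entry=$1
    nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nf" -ne 7 ]; then
        printf 'rejected: %s fields, expected 7: %s\n' "$nf" "$entry" >&2
        return 1
    fi
    # Fields come from cut, so $ or backquotes in the entry are never expanded.
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$name" in
        '' | *[!A-Za-z0-9._-]*)
            printf 'rejected: account name "%s" (assumed policy: letters, digits, . _ -)\n' "$name" >&2
            return 1 ;;
    esac
    case "$uid" in
        '' | *[!0-9]*) printf 'rejected: UID "%s" is not numeric\n' "$uid" >&2; return 1 ;;
    esac
    case "$gid" in
        '' | *[!0-9]*) printf 'rejected: GID "%s" is not numeric\n' "$gid" >&2; return 1 ;;
    esac
    # UID 0 would make the Active Directory account root on every joined host.
    if [ "$uid" -eq 0 ]; then
        printf 'rejected: UID 0 is reserved for root\n' >&2
        return 1
    fi
    case "$home" in
        /*) ;;
        *) printf 'rejected: home directory "%s" is not absolute\n' "$home" >&2; return 1 ;;
    esac
    case "$shell" in
        /*) ;;
        *) printf 'rejected: login shell "%s" is not absolute\n' "$shell" >&2; return 1 ;;
    esac
}

# qas_check_user_listing FILE
# Audits saved "vastool list users" output: reports lines without seven
# fields and UIDs mapped to more than one account. Returns 1 if anything
# was reported.
qas_check_user_listing() {
    awk -F: '
        NF != 7 { printf "malformed line %d: %s\n", NR, $0; bad = 1; next }
        {
            count[$3]++
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
        }
        END {
            for (uid in count)
                if (count[uid] > 1) {
                    printf "duplicate UID %s: %s\n", uid, names[uid]
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }' "$1"
}

# qas_create_unix_user ADMIN ENTRY OU
# Validates ENTRY, then runs the guide's create command as ADMIN with the
# account name taken from the first field of ENTRY.
qas_create_unix_user() {
    qas_validate_passwd_entry "$2" || return 1
    vastool -u "$1" create -i "$2" -c "$3" "${2%%:*}"
}

# Constructed sample listing, not real output: line 3 lost the colon between
# home directory and shell, and svc-backup reuses bsmith's UID 1003.
qas_sample_listing() {
    cat <<'EOF'
jdoe:VAS:1000:1000:John Doe:/home/jdoe:/bin/bash
djones:VAS:1001:1000:Dave Jones:/home/djones:/bin/bash
molsen:VAS:1002:1000:Mary Olsen:/home/molsen/bin/bash
bsmith:VAS:1003:1000:Bob Smith:/home/bsmith:/bin/bash
svc-backup:VAS:1003:1000:Backup service:/home/svc-backup:/bin/sh
EOF
}

# Stand-alone run: on a joined host replace the sample with "vastool list users".
tmp=$(mktemp)
qas_sample_listing > "$tmp"
qas_check_user_listing "$tmp" || echo "fix the listing before creating more accounts"
rm -f "$tmp"
```

On a joined host, save the real listing with vastool list users > users.txt and run qas_check_user_listing users.txt before creating further accounts. Duplicate UIDs deserve attention because Unix authorization is by numeric UID, not by Active Directory identity: two accounts that share a UID can read and modify each other's files on every joined host, whatever their separate permissions in Active Directory say.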

Managing users with Windows PowerShell

Authentication Services includes PowerShell modules which provide a "scriptable" interface to many Authentication Services management tasks.

Using Authentication Services PowerShell commands you can Unix-enable, Unix-disable, modify, report on, and clear Unix attributes of Active Directory users.

Note: You can access a customized PowerShell console from the Control Center Tools navigation link. To add Authentication Services cmdlets to an existing PowerShell session run Import-Module Quest.AuthenticationServices. (See PowerShell Cmdlets for a complete list of available commands.)

To Unix-enable a user, use the Enable-QasUnixUser command. The following command Unix-enables the user, bsmith, in Active Directory:

Enable-QasUnixUser -Identity <domain>\bsmith

To disable a user for Unix access use the Disable-QasUnixUser command:

Disable-QasUnixUser -Identity <domain>\bsmith

To set a particular Unix attribute use the Set-QasUnixUser command. The following command sets the Comment (GECOS) field of the bsmith user to Bob Smith:

Set-QasUnixUser -Identity <domain>\bsmith -Gecos "Bob Smith"

To report on a user, use the Get-QasUnixUser command. The following command shows all users whose names start with "bsm":

Get-QasUnixUser -Identity bsm

The Authentication Services PowerShell commands are designed to work with the Active Directory commands from Microsoft (Get-ADUser) and One Identity (Get-QADUser). You can pipe the output of these commands to any of the Authentication Services PowerShell commands that operate on users. For example, the following command clears the Unix attributes from the bsmith user.

Get-QADUser -Identity <domain>\bsmith | Clear-QasUnixUser

The Authentication Services PowerShell commands are aware of the options and schema settings configured in Control Center. Scripts written using the Authentication Services PowerShell commands work without modification in any Authentication Services environment.

PowerShell cmdlets

Authentication Services supports the flexible scripting capabilities of PowerShell to automate administrative, installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Authentication Services.

Table 14: PowerShell cmdlets (each cmdlet name is followed by its description)

Add-QasLicense

Installs an Authentication Services license file in Active Directory. Licenses installed this way are downloaded by all Unix clients.

Clear-QasUnixGroup

Clears the Unix identity information from a group object in Active Directory. The group is no longer Unix-enabled and is removed from the cache on the Authentication Services Unix clients.

Clear-QasUnixUser

Clears the Unix identity information from a user object in Active Directory. The user is no longer Unix-enabled and is removed from the cache on the Authentication Services Unix clients.

Disable-QasUnixGroup

Unix-disables a group; the group is removed from the cache on the Authentication Services Unix clients. Similar to Clear-QasUnixGroup, except that the Unix group name is retained.

Disable-QasUnixUser

Removes an Active Directory user's ability to log in on Unix hosts. (The user is still cached on the Authentication Services Unix clients.)

Enable-QasUnixGroup

Enables an Active Directory group for Unix by assigning it a Unix GID number. The GID number is generated automatically.

Enable-QasUnixUser

Enables an Active Directory user for Unix. The required account attributes (UID number, primary GID number, GECOS, login shell, and home directory) are generated automatically.

Get-QasConfiguration

Returns an object representing the Authentication Services application configuration data stored in Active Directory.

Get-QasGpo

Returns a set of objects representing GPOs with Unix and/or Mac OS X settings configured. This cmdlet is in the Quest.AuthenticationServices.GroupPolicy module.

Get-QasLicense

Returns objects representing the Authentication Services product licenses stored in Active Directory.

Get-QasOption

Returns a set of configurable global options stored in Active Directory that affect the behavior of Authentication Services.

Get-QasSchema

Returns the currently configured schema definition from the Authentication Services application configuration.

Get-QasSchemaDefinition

Returns a set of schema templates that are supported by the current Active Directory forest.

Get-QasUnixGroup

Returns an object that represents an Active Directory group as a Unix group. The returned object can be piped into other cmdlets such as Clear-QasUnixGroup or Enable-QasUnixGroup.

Get-QasUnixUser

Returns an object that represents an Active Directory user as a Unix user. The returned object can be piped into other cmdlets such as Clear-QasUnixUser or Enable-QasUnixUser.

Get-QasVersion

Returns the version of Authentication Services currently installed on the local host.

Move-QasConfiguration

Moves the Authentication Services application configuration information from one container to another in Active Directory.

New-QasAdConnection

Creates an object that represents a connection to Active Directory using specified credentials. You can pass a connection object to most Authentication Services cmdlets to execute commands using different credentials.

New-QasArsConnection

Creates an object that represents a connection to an Active Roles Server using the specified credentials. You can pass a connection object to most Authentication Services cmdlets to execute commands using different credentials.

New-QasConfiguration

Creates a default Authentication Services application configuration in Active Directory and returns an object representing the newly created configuration.

Remove-QasConfiguration

Accepts an Authentication Services application configuration object as input and removes it from Active Directory. This cmdlet produces no output.

Remove-QasLicense

Accepts an Authentication Services product license object as input and removes the license from Active Directory. This cmdlet produces no output.

Set-QasOption

Accepts an Authentication Services options set as input and saves it to Active Directory.

Set-QasSchema

Accepts an Authentication Services schema template as input and saves it to Active Directory as the schema template that will be used by all Authentication Services Unix clients.

Set-QasUnixGroup

Accepts a Unix group object as input and saves it to Active Directory. You can also set specific attributes using command line options.

Set-QasUnixUser

Accepts a Unix user object as input and saves it to Active Directory. You can also set specific attributes using command line options.

Authentication Services PowerShell cmdlets are contained in PowerShell modules named Quest.AuthenticationServices and Quest.AuthenticationServices.GroupPolicy. Use the Import-Module command to import the Authentication Services commands into an existing PowerShell session.

Password management

Authentication Services supports and enforces all the Active Directory password policy settings, including minimum password length, age, complexity, lockout requirements, and history. It also supports the fine-grained password policies introduced in Windows Server 2008.
