
Safeguard Authentication Services 4.1.5 - Administration Guide


Register display specifiers

Because it is common to use the Find dialog in ADUC to manage users and groups, One Identity recommends that you register display specifiers with Active Directory. Registering display specifiers provides the following benefits:

  • Unix Account properties appear in ADUC Find dialog results.
  • Unix Personality objects are displayed correctly in ADUC. This only applies if the Unix Personality schema has been installed.

Note: You must have Enterprise Administrator rights to register display specifiers.

You can inspect exactly what changes are made during the display specifier registration process by viewing the DsReg.vbs script found in the Authentication Services installation directory. You can use this script to unregister display specifiers at a later time.

To register display specifiers with Active Directory

  1. From a Windows management workstation with Authentication Services installed, navigate to Start | Quest Software | Authentication Services | Control Center.
  2. Click Preferences on the left navigation panel.
  3. Expand the Display Specifiers section.

    Note: The Register Display Specifiers link displays only when display specifiers are not already registered with Active Directory. If the display specifiers are registered, Control Center does not display the link.

  4. Click the Register Display Specifiers link to register display specifiers with Active Directory.

    While it is registering the display specifiers with Active Directory, Control Center displays a progress indicator. When the process is complete, Control Center indicates that display specifiers are registered.

    Alternatively, you can register display specifiers from the command line, as follows:

    1. Log in as a user with Enterprise Administrator rights.
    2. Open a command prompt, navigate to the Authentication Services installation directory, and run this command:
      DsReg.vbs /add

    Note: To register One Identity Active Roles Server display specifiers with One Identity Active Roles Server, navigate to the installed location for Authentication Services and run the following command:

    DsReg.vbs /add /provider:EDMS

    You must install the One Identity Active Roles Server management package locally or DsReg.vbs returns an "Invalid Syntax" error.

    To see all the DsReg.vbs options, run the following command:

    DsReg.vbs /help

Unregistering display specifiers

Note: You must have Enterprise Administrator rights to unregister display specifiers.

To unregister display specifiers in Active Directory

  1. Log in as a user with Enterprise Administrator rights.
  2. Open a command prompt and navigate to the Authentication Services installation directory.
  3. Run the DsReg.vbs script with the /remove option:
     DsReg.vbs /remove

    A SUCCESS message appears indicating that the display specifiers were removed successfully.

    Note: To unregister display specifiers with One Identity Active Roles Server, run the following command:

    DsReg.vbs /remove /provider:EDMS

    To see all the DsReg.vbs options, run the following command:

    DsReg.vbs /help

Display specifier registration tables

Display specifiers are stored in the Active Directory configuration partition under the DisplaySpecifiers container. The DisplaySpecifiers container has child containers, each named for a locale ID. US English display specifiers are in cn=409,cn=DisplaySpecifiers,cn=Configuration,dc=domain. The display specifier registration script, DsReg.vbs, makes the following modifications for each locale.

Table 24: Object: User-Display

| Attribute | Change Type | Value | Description |
|---|---|---|---|
| adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | Registers the Unix Account property page extension with User objects. |
| adminPropertyPages | modify, insert | 11,{53108A01-9B68-4DFB-A16D-4945D26A38A9} | Registers the Unix Personality property page extension with User objects. |
| attributeDisplayNames | modify, insert | uidNumber, UID Number | Provides a more user-friendly name for the Unix user ID number attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | uid, Login Name | Provides a more user-friendly name for the Unix login name attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the Unix group ID number attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the Unix canonical name attribute. Allows this attribute to display in the Unix Object find dialog results. |

Table 25: Object: Group-Display

| Attribute | Change Type | Value | Description |
|---|---|---|---|
| adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | Registers the Unix Account property page extension with User objects. |
| attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the Unix group ID number attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the Unix canonical name attribute. Allows this attribute to display in the Unix Object find dialog results. |

Table 26: Object: vintela-UnixUserPersonality-Display

| Attribute | Change Type | Value | Description |
|---|---|---|---|
| cn | create object | vintela-UnixUserPersonality-Display | The display specifier object is created. |
| adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | This registers the Unix User Personality property page extension with user personality objects. |
| classDisplayName | modify, set | Unix User Personality | Sets the friendly name of the object class. This is the text displayed in the New Object menu and elsewhere in ADUC. |
| creationWizard | modify, set | {57AC8F6B-5EA8-4DC9-AB9A-C0ED6420C7F9} | This registers the "New Unix User Personality" object creation wizard. This creation wizard registration mechanism works in ADUC, but is not yet supported in ARS. To create personality objects in ARS, use the Advanced Create Wizard and select the Unix User Personality object class. |
| iconPath | modify, insert | 0,vas_dua_user.ico | This is the default personality icon. This icon is installed by Authentication Services in the %SYSTEMROOT%\system32 folder so that it is available to all applications that might need it. |
| iconPath | modify, insert | 1,vas_dua_user_disabled.ico | This icon is not currently used. |
| iconPath | modify, insert | 2,vas_dua_user_orphaned.ico | This icon is not currently used. |
| attributeDisplayNames | modify, insert | uidNumber, UID Number | Provides a more user-friendly name for the Unix user ID number attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the Unix group ID number attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | uid, Unix Login Name | Provides a more user-friendly name for the Unix login name attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | description, Description | Provides a more user-friendly name for the description attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the Unix canonical name attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | managedBy, Linked To | Provides a more descriptive name for the managed by attribute to indicate how this attribute is used on personality objects. Allows this attribute to display in the Unix Object find dialog results. |

Table 27: Object: vintela-UnixGroupPersonality-Display

| Attribute | Change Type | Value | Description |
|---|---|---|---|
| cn | create object | vintela-UnixGroupPersonality-Display | The display specifier object is created. |
| adminPropertyPages | modify, insert | 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316} | This registers the Unix User Personality property page extension with user personality objects. |
| classDisplayName | modify, set | Unix Group Personality | Sets the friendly name of the object class. This is the text displayed in the New Object menu and elsewhere in ADUC. |
| creationWizard | modify, set | {A7C4A545-C7C8-49C8-8C96-8C665E166D0C} | This registers the "New Unix User Personality" object creation wizard. This creation wizard registration mechanism works in ADUC, but is not yet supported in ARS. To create personality objects in ARS, use the Advanced Create Wizard and select the Unix User Personality object class. |
| iconPath | modify, insert | 0,vas_unix_group.ico | This is the default personality icon. This icon is installed by Authentication Services in the %SYSTEMROOT%\system32 folder so that it is available to all applications that might need it. |
| attributeDisplayNames | modify, insert | gidNumber, GID Number | Provides a more user-friendly name for the Unix group ID number attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | cn, Name | Provides a more user-friendly name for the Unix login name attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | description, Description | Provides a more user-friendly name for the description attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | canonicalName, Path | Provides a more user-friendly name for the Unix canonical name attribute. Allows this attribute to display in the Unix Object find dialog results. |
| attributeDisplayNames | modify, insert | managedBy, Linked To | Provides a more descriptive name for the managed by attribute to indicate how this attribute is used on personality objects. |
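
One way to verify the outcome of a registration or removal, as an added example that is not part of this guide or of DsReg.vbs: the script parses an LDIF export of the DisplaySpecifiers container and reports, per locale, which User-Display values listed in Table 24 are absent. The example.com DN, the sample export, and the function names are constructed for illustration; property pages are matched by GUID, ignoring the slot index.

```python
import re

# Documented User-Display registrations, copied from Table 24 on this page.
EXPECTED = {
    "adminPropertyPages": ["10,{E399C9A2-E7ED-4DDF-9C5A-BA4EACC34316}",
                           "11,{53108A01-9B68-4DFB-A16D-4945D26A38A9}"],
    "attributeDisplayNames": ["uidNumber,UID Number", "uid,Login Name",
                              "gidNumber,GID Number", "canonicalName,Path"],
}
# Constructed sample export (not real directory data); one GUID line is folded.
SAMPLE_LDIF = """\
dn: CN=User-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=example,DC=com
adminPropertyPages: 1,{00000000-0000-0000-0000-000000000001}
adminPropertyPages: 10,{E399C9A2-E7ED-4DDF-9C5A-BA4EAC
 C34316}
attributeDisplayNames: uidNumber,UID Number
attributeDisplayNames: uid,Login Name
attributeDisplayNames: gidNumber,GID Number
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}, unfolding LDIF continuation lines."""
    records = {}
    for block in re.split(r"\n\s*\n", re.sub(r"\r?\n ", "", text).strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            records[attrs["dn"][0]] = attrs
    return records

def norm(attr, value):  # assumption: a page is identified by its GUID, not its slot index
    head, _, tail = value.partition(",")
    return tail.strip().upper() if attr == "adminPropertyPages" else f"{head.strip()},{tail.strip()}"

def audit(ldif_text):  # -> sorted (locale, attribute, value) for absent documented values
    missing = []
    for dn, attrs in parse_ldif(ldif_text).items():
        m = re.match(r"cn=User-Display,cn=([0-9a-f]+),cn=DisplaySpecifiers,", dn, re.I)
        if m:
            for attr, wanted in EXPECTED.items():
                have = {norm(attr, v) for v in attrs.get(attr.lower(), [])}
                missing += [(m.group(1), attr, w) for w in wanted if norm(attr, w) not in have]
    return sorted(missing)

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

An empty result after `DsReg.vbs /add` means every documented User-Display value is present in each exported locale; after `DsReg.vbs /remove`, all six values should be reported as absent.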

Troubleshooting

To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Authentication Services.
