Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

Add an Active Directory User Account

Note: The following procedure uses ADUC (Active Directory Users and Computers) to set up an Active Directory user named "ADuser", which other examples in this guide refer to.

To create an Active Directory user account

  1. In the Active Directory Users and Computers console, select the Users folder and click the New User button.

  2. On the New Object - User dialog, enter information to define a new user named ADuser and click Next.

    The New Object - User wizard guides you through the user setup process.

  3. When you enter a password, clear the User must change password at next logon option, before you click Next.

  4. Click Finish.

  5. Close Active Directory Users and Computers and return to the management console.

Search for Active Directory Objects

Using the controls at the top of the management console's Active Directory tab, you can search Active Directory for users, groups and computers. With proper credentials, you can also search for Unix-enabled users and groups (requires Authentication Services 4.x).

Note: The Active Directory tab is only available when you are logged onto the console as an Active Directory user. (See Active Directory Configuration for details.)

To search for Active Directory objects

  1. On the Active Directory tab of the management console, place your cursor in the Search by name box and enter a search expression to locate Active Directory objects. By default, when you click the button without entering any search criteria, Management Console for Unix searches for all users in the forest.

    Note: The management console uses Ambiguous Name Resolution (ANR) as the search algorithm to search Active Directory. This allows you to enter limited or partial input to find multiple objects in Active Directory. Use one of the following methods to enter your search expression:

    • Enter a partial string to return exact matches or a list of possible matches
    • Enter a string preceded by the equal sign to return only exact matches, for example, =Administrator

    (See Ambiguous Name Resolution for more information.)

  2. In the Find box, open the drop-down menu and select the type of Active Directory object to locate:
    1. Users (default)
    2. Groups
    3. Computers
    4. Users, Groups, Computers
    5. Unix-enabled Users
    6. Unix-enabled Groups
    7. Non Unix-enabled Users
    8. Non Unix-enabled Groups

    To search for all objects matching the object type you specify in the Find box, do not enter any characters in the Search by name field.

    For example, to search for all groups in the forest, do not enter anything in the Search by name box, select Groups from the Find box menu, and click .

  3. To narrow the search, select the container where you would like to start the search, by clicking the button next to the In box.

    By default, the management console searches the entire forest configured for Active Directory.

  4. Once you have defined your search expression, the type of objects to locate, and where you want to conduct your search, click the button to initiate the search.
  5. The management console displays the Active Directory objects whose names match (start with) the characters you entered, are of the object type you specified, and are located in the directory or container you specified.

    Note: To clear the search criteria and results, click the button.
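
The following is an added example, not code from the product: it shows how the search inputs described above could map to an Active Directory LDAP filter built on the anr attribute, with the search text escaped so it is always treated as a literal value. The function names and the object-type table are hypothetical; the Unix-enabled entries of the Find menu are left out because this page does not say which attributes identify them.

```python
# Added illustration, not product code. All names below are hypothetical.

# Standard AD filters for the Users, Groups and Computers entries of the Find menu.
TYPE_FILTERS = {
    "Users": "(&(objectCategory=person)(objectClass=user))",
    "Groups": "(objectCategory=group)",
    "Computers": "(objectCategory=computer)",
}
TYPE_FILTERS["Users, Groups, Computers"] = "(|%s)" % "".join(
    TYPE_FILTERS[k] for k in ("Users", "Groups", "Computers")
)


def escape_filter_value(value):
    """Escape the RFC 4515 special characters (\\ * ( ) NUL) as \\XX hex pairs."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_search_filter(search_by_name, find="Users"):
    """Return the LDAP filter for a 'Search by name' string and a Find type."""
    type_filter = TYPE_FILTERS[find]
    text = search_by_name.strip()

    # A leading "=" asks ANR for exact matches only, as in =Administrator.
    exact = text.startswith("=")
    name = text[1:] if exact else text

    # Empty search text: return every object of the selected type.
    if not name:
        return type_filter

    # (anr=abc) is a prefix match; (anr==abc) is an exact match.
    anr = "(anr=%s%s)" % ("=" if exact else "", escape_filter_value(name))
    return "(&%s%s)" % (type_filter, anr)


if __name__ == "__main__":
    # Constructed sample inputs.
    for text, find in [("adm", "Users"), ("=Administrator", "Users"),
                       ("", "Groups"), ("Smith (Contractor)", "Computers")]:
        print(repr(text), find, "->", build_search_filter(text, find))
```
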

View or Modify Active Directory User Properties

When logged in with an Active Directory account in the Manage Hosts role, you can view the properties of Active Directory user accounts from the Active Directory tab. However, you must have permissions in Active Directory to modify Active Directory user properties.

To view or modify the properties of an Active Directory user

  1. From the Active Directory tab of the management console, use the search controls to locate an Active Directory user.
  2. Double-click the user name to open the Active Directory user's properties.

    You can also right-click the user name and choose Properties.

  3. Use the General tab to view or modify the following properties:
    • First Name
    • Initial
    • Last Name
    • Display Name
    • Description
  4. Use the Account tab to view or modify the following settings:
    • User logon name
    • User logon name (pre-Windows 2000)
    • Account is locked out option (view only)
    • Account options

    Note: Please review the following notes regarding the account options:

    • You cannot modify the User cannot change password option through the management console. Use Active Directory Users and Computers (ADUC) to enable/disable this option, as needed.
    • If the User cannot change password option is enabled in ADUC, you cannot require the user to change their password at next logon.
    • If the Password never expires option is enabled in ADUC, you cannot require the user to change their password at next logon.

  5. Use the Member Of tab to view the groups of which this Active Directory user is a member.

    Note: You cannot make modifications to this view through the management console.

  6. Use the Unix Account tab to enable or disable Unix access of the Active Directory user.
  7. Use the Local User Accounts tab to display a list of all the local Unix users required to log on using the selected Active Directory user account.
  8. Click OK to save your changes and close the Active Directory user's properties.

View or Modify Active Directory Group Properties

When logged in with an Active Directory account in the Manage Hosts role, you can view the properties of Active Directory group accounts from the Active Directory tab. However, you must have permissions in Active Directory to modify Active Directory group properties.

To view or modify the properties of an Active Directory group

  1. From the Active Directory tab of the management console, use the search controls to locate an Active Directory group.
  2. Double-click the group name to open the Active Directory group's properties.

    You can also right-click the group name and choose Properties.

  3. Use the General tab to view or modify the following properties:
    • Group name
    • Description
  4. Use the Member tab to view the Active Directory objects (users, groups, computers) that are members of the group.

    Note: Searching for the members of an Active Directory group works most efficiently when there is a global catalog for the group's domain. If a global catalog for the group's domain cannot be found, the search may be slower.

    1. To add a member to the Active Directory group, click the Add Members... button.

      The Add Members To Group dialog displays.

      Use the search controls to display a list of Active Directory users and/or groups available to add to the Active Directory group.

      Select the users and/or groups you wish to add and click OK.

    2. To remove a member from the Active Directory group, select that member and click the Remove Members button.
  5. Use the Member Of tab to view the groups of which this Active Directory group is a member.

    Note: You cannot make modifications to this view through the management console.

  6. Use the Unix Account tab to enable or disable Unix access for the Active Directory group.
  7. Click OK to save your changes and close the Active Directory group's properties.