Optional Join Commands
You can enter one or more of the following join commands on the Join Host to Active Directory dialog. Separate multiple commands with a single space.
| Option | Description | ||
|---|---|---|---|
| -I cache export filename | Load users and groups from the specified cache export file instead of from the network. | ||
| -c computer_name |
Specify a different name for the computer object than the one usually generated from your host name. Specify either the FQDN or NetBIOS name for the computer object.
| ||
| -c container |
Specify the LDAP DN of the container where the computer will be created.
| ||
| -l | Do not apply Group Policy Settings (if Authentication Services for Group Policy is installed). | ||
| -w | Enable workstation mode where users are not cached until they log on. | ||
| -U | Load all users from the global catalog. The mangement console loads all Unix-enabled users in the forest, regardless of location and domain. | ||
| -G | Load all groups from the global catalog. The mangement console loads all Unix-enabled groups in the forest, regardless of location and domain. | ||
| -r domain_list | Specify a comma-separated list of alternate authentication domains, used for resolving simple names. | ||
| -u search_path | Specify an alternate search path from which to populate the user's cache. You must specify a container object within your Active Directory forest in this search path. | ||
| -g search_path | Specify an alternate search path from which to populate the group's cache. You must specify a container object within your Active Directory forest in this search path. | ||
| -s siteName | Manually specify the site name for the selected host. | ||
| -p UPM_search_path | Specify the path of the Primary Personality Container. This command supersedes the -u and -g settings. If the specified UPM search path does not exist, the join command will fail. | ||
| --skip-config | Skip automatic system configuration of PAM, NSS, LAM and SIA subsystems. | ||
| --preload-nested-memberships | After loading users and/or groups, query tokenGroups for all cached users to process nested group membership information. | ||
| --site-only-usn | For USN queries, only use site servers. Use this command when non-site servers are unavailable, for example, blocked by a firewall. | ||
| --no-timesync | Skip automatic time synchronization. |
Unjoin Host from Active Directory
Unjoining a host from the mangement console removes the computer object from Active Directory, preventing further Active Directory user log on. This task does not remove the Authentication Services Agent software installed on the unjoined host.
|
|
Note: This task is only available when you are logged on as an Active Directory account in the Manage Hosts role. |
To unjoin host(s) from Active Directory
- Select one or more hosts from the list on the All Hosts view, open the Unjoin menu tool bar button and choose Unjoin from Active Directory.
Note: If unjoining multiple hosts, all hosts must be joined to the same domain.
- On the Unjoin Host from Active Directory dialog, enter the user credentials of an Active Directory user that has rights to delete computer objects from the Active Directory domain and click OK.
- On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.
Note: To unjoin the host from Active Directory, Authentication Services requires you to have elevated (root) credentials to complete the task on the host side.
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered. If successfully unjoined, the Active Directory domain, previously listed in the Joined to Domain column, is replaced with the
Ready to join icon if you have previously run Check for AD readiness; otherwise the Joined to Domain column is left empty.
Configure Host Access Control
The mangement console allows you to modify Authentication Services access settings. You can add Active Directory users or groups to the users.allow file for a single host or a selected group of hosts. This allows you to control Active Directory user access on Authentication Services hosts.
|
|
Note: The mangement console does not allow you to view or modify the users.deny file. |
To view the users.allow file for a single host
- From the All Hosts view, right-click a host that is joined to an Active Directory domain.
- Select the Host Access Control option from the context menu.
The Host Access Control tab lists the content of the users.allow file.
Note: Users and Groups displayed in red text indicate that Authentication Services could not resolve the user/group in Active Directory.
To allow additional Active Directory users or groups to access a single host
- From the Host Access Control tab, click Manage Access.
- On the Host Access Control dialog, specify the name(s) you want to allow access to the selected host.
You can either:
- Type a name into the text box and click Add.
-OR-
- Click Select to browse for the Active Directory user or group name.
Clicking Select opens the Select AD Object dialog.
Once you have the name(s) listed on the Host Access Control dialog, click OK.
- Type a name into the text box and click Add.
- On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.
The console updates the users.allow file and the database accordingly.
To add or remove access for Active Directory users or groups on multiple hosts
- From the All Hosts view, select and right-click multiple hosts that are joined to an Active Directory domain.
- Select the Host Access Control option from the context menu.
The Host Access Control dialog displays two list boxes: one in which to add users or groups, the other to specify users and groups to remove from the users.allow file.
- Specify or select names to add or remove and click OK.
- On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
The console updates the users.allow file and the database accordingly.
Check QAS Agent Status
You can either check the health status of Authentication Services agents manually, or you can configure the mangement console to automatically check the QAS agent status and report any warnings or failures to the console.
|
|
Note: Running the Check QAS Agent Status commands requires:
|
For more information, see Check QAS Agent Status Commands Not Available.