You can enter one or more of the following join commands on the Join Host to Active Directory dialog. Separate multiple commands with a single space.
Option | Description
---|---
-I cache export filename | Load users and groups from the specified cache export file instead of from the network.
-c computer_name | Specify a different name for the computer object than the one usually generated from your host name. Specify either the FQDN or NetBIOS name for the computer object.
-c container | Specify the LDAP DN of the container where the computer will be created.
-l | Do not apply Group Policy Settings (if Authentication Services for Group Policy is installed).
-w | Enable workstation mode, where users are not cached until they log on.
-U | Load all users from the global catalog. The management console loads all Unix-enabled users in the forest, regardless of location and domain.
-G | Load all groups from the global catalog. The management console loads all Unix-enabled groups in the forest, regardless of location and domain.
-r domain_list | Specify a comma-separated list of alternate authentication domains, used for resolving simple names.
-u search_path | Specify an alternate search path from which to populate the user cache. You must specify a container object within your Active Directory forest in this search path.
-g search_path | Specify an alternate search path from which to populate the group cache. You must specify a container object within your Active Directory forest in this search path.
-s siteName | Manually specify the site name for the selected host.
-p UPM_search_path | Specify the path of the Primary Personality Container. This command supersedes the -u and -g settings. If the specified UPM search path does not exist, the join command will fail.
--skip-config | Skip automatic system configuration of the PAM, NSS, LAM and SIA subsystems.
--preload-nested-memberships | After loading users and/or groups, query tokenGroups for all cached users to process nested group membership information.
--site-only-usn | For USN queries, only use site servers. Use this command when non-site servers are unavailable, for example, blocked by a firewall.
--no-timesync | Skip automatic time synchronization.
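The following added example (not part of the One Identity documentation) is a small validator for the option string entered in the Join Host to Active Directory dialog. It encodes the table above: which options take an argument, and the rule that -p supersedes -u and -g. It assumes arguments containing spaces are quoted shell-style; the table lists -c twice (computer_name and container), and the validator only checks that -c has an argument.

```python
"""Validate a Join Host to Active Directory option string against the join-options table."""
import shlex

# Options from the table above; True means the option takes an argument.
JOIN_OPTIONS = {
    "-I": True, "-c": True, "-l": False, "-w": False, "-U": False, "-G": False,
    "-r": True, "-u": True, "-g": True, "-s": True, "-p": True,
    "--skip-config": False, "--preload-nested-memberships": False,
    "--site-only-usn": False, "--no-timesync": False,
}


def parse_join_options(text):
    """Return (options, problems).

    options maps each option to its argument (or None for flags).
    problems lists findings a console operator should review before joining.
    """
    # Assumption: quoted arguments (e.g. a cache export filename with spaces) are allowed.
    tokens = shlex.split(text)
    options, problems = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in JOIN_OPTIONS:
            problems.append(f"unknown option {tok!r}")
            i += 1
            continue
        if tok in options:
            problems.append(f"option {tok} given more than once")
        if JOIN_OPTIONS[tok]:
            # The next token must exist and must not itself be an option.
            if i + 1 >= len(tokens) or tokens[i + 1] in JOIN_OPTIONS:
                problems.append(f"option {tok} requires an argument")
                i += 1
                continue
            options[tok] = tokens[i + 1]
            i += 2
        else:
            options[tok] = None
            i += 1
    # Per the table, -p supersedes -u and -g, so combining them silently ignores the search paths.
    if "-p" in options and ("-u" in options or "-g" in options):
        problems.append("-p supersedes -u and -g; the -u/-g search paths will be ignored")
    return options, problems


if __name__ == "__main__":
    # Constructed sample: a workstation-mode join into a specific container, no config changes.
    print(parse_join_options("-c OU=Linux,DC=example,DC=com -w --skip-config"))
```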
Unjoining a host from the management console removes the computer object from Active Directory, preventing further Active Directory user logons. This task does not remove the Authentication Services Agent software installed on the unjoined host.

Note: This task is only available when you are logged on as an Active Directory account in the Manage Hosts role.
To unjoin host(s) from Active Directory
Note: If unjoining multiple hosts, all hosts must be joined to the same domain.

Note: To unjoin the host from Active Directory, Authentication Services requires you to have elevated (root) credentials to complete the task on the host side.
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered. If successfully unjoined, the Active Directory domain, previously listed in the Joined to Domain column, is replaced with the Ready to join icon if you have previously run Check for AD readiness; otherwise the Joined to Domain column is left empty.
The management console allows you to modify Authentication Services access settings. You can add Active Directory users or groups to the users.allow file for a single host or a selected group of hosts. This allows you to control Active Directory user access on Authentication Services hosts.

Note: The management console does not allow you to view or modify the users.deny file.
To view the users.allow file for a single host
The Host Access Control tab lists the content of the users.allow file.
Note: Users and groups displayed in red text indicate that Authentication Services could not resolve the user or group in Active Directory.
To allow additional Active Directory users or groups to access a single host
You can either:
-OR-
Clicking Select opens the Select AD Object dialog.
Once you have the name(s) listed on the Host Access Control dialog, click OK.
The console updates the users.allow file and the database accordingly.
To add or remove access for Active Directory users or groups on multiple hosts
The Host Access Control dialog displays two list boxes: one in which to add users or groups, the other to specify users and groups to remove from the users.allow file.
The console updates the users.allow file and the database accordingly.
You can either check the health status of Authentication Services agents manually, or you can configure the management console to automatically check the QAS agent status and report any warnings or failures to the console.

Note: Running the Check QAS Agent Status commands requires:
For more information, see Check QAS Agent Status Commands Not Available.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.