Using Centrify Client commands

This section covers the commands available on systems where the Centrify Client is installed. Most commands work the same on Windows and Linux; any operating-system differences are noted. Each command is described in detail in its own section below.

Note: Each command generates a log file at /var/log/ (Linux) or C:\ProgramData\Centrify\Logs (Windows).

The commands, whether root or administrator privilege is needed, and what each command does:

cdebug (privilege required: YES)
    Use the cdebug command to control and check the logging detail level. You can also empty the log file as part of your log rotation process.

cdelaccount (privilege required: YES)
    Use the cdelaccount command to delete the domain, database, or local account from Centrify PAS. In order to use this command, the system must have the AAPM feature enabled.

cdiag (privilege required: YES)
    Use the cdiag command to check configuration settings to diagnose any potential issues with the Centrify Client.

cedit (privilege required: YES if you're editing or resetting parameter values)
    Use the cedit command to view, edit, or reset specific Centrify Client configuration parameters.

cenroll (privilege required: YES)
    Use the cenroll command to enroll the system into Centrify PAS and thereby add the new vaulted system to Centrify PAS.

cflush (Linux only) (privilege required: YES)
    Use the cflush command on Linux systems to update the local cache of users and groups that have been authenticated by Centrify PAS.

cgetaccount (privilege required: YES)
    Use the cgetaccount command to retrieve and use the stored password for a domain, database, or managed local account from Centrify PAS. In order to use this command, the system must have the AAPM feature enabled.

cinfo (privilege required: YES only for the -H and -t options)
    Use the cinfo command to display detailed and diagnostic information about the local system's configuration in Centrify PAS.

creload (privilege required: YES)
    Use the creload command to force the client to reload configuration properties after you've changed them using cedit.

crotatepasswd (privilege required: YES)
    Use the crotatepasswd command to rotate the password for the specified account, such as a domain, database, or system account. In order to use this command, the system must have the AAPM feature enabled.

csetaccount (privilege required: YES)
    Use the csetaccount command to create or update a vaulted privileged account in Centrify PAS for the specified local account. In order to use this command, the system must have the AAPM feature enabled.

cunenroll (privilege required: YES)
    Use the cunenroll command to un-enroll a vaulted system from Centrify PAS.

cdebug

Use this command to control and check the logging detail level. You can also empty the log file as part of your log rotation process.

Log files are located at /var/log/cagent.log (Linux) or C:\ProgramData\Centrify\Logs (Windows).

Root or Administrator privilege required? Yes

Usage:

cdebug [on | off | clear | status | set <debug_level>]
<debug_level> can be TRACE, DEBUG, INFO, WARN, ERROR, DISABLED

Command option Description

on

Turns on detailed logging activity. Essentially, this is the same as setting the debug level to DEBUG.

off

Turns off detailed logging activity. Essentially, this is the same as setting the debug level to INFO.

clear

Empties the current log file and triggers log rotation for the cagent.log file. The client archives the existing log file as cagent-<timestamp>.log.gz and logging starts again from a newly empty cagent.log file.

The client also runs the clear command automatically in the background so that log files don't become too large.

status

Checks whether detailed logging activity is turned on or off.

set <debug_level>

Sets the level of detail that the client outputs to the log. Your choices are:

TRACE: Includes trace level messages in addition to what's included with the DEBUG log level. Trace level messages are a step-by-step listing of every action taken; anything that can be logged is captured. Using this log level can help with troubleshooting, but be aware that the log file can get large quickly and system performance may be slower. Centrify recommends that you use this log level only when requested by Centrify Support.

DEBUG: Debug, informational, warning, and error messages. Use this log level for most troubleshooting situations. Be aware that the log file can get large. Centrify recommends that you use this log level only when requested by Centrify Support.

INFO: Informational, warning, and error messages. This is the default log level.

WARN: Warning and error messages.

ERROR: Error messages only.

DISABLED: This option turns off any client logging.

Examples:

PS C:\Users\administrator.cloud> cdebug set TRACE
    Debug logging is on.  Verbose tracing is on.

PS C:\Users\administrator.cloud> cdebug status
    Debug logging is on.  Verbose tracing is on.

cdelaccount

The cdelaccount command deletes the domain, database, or managed local account from Centrify PAS. The local account remains intact. After you remove an account from Centrify PAS, you can't check out the password or use Centrify PAS to rotate the password.

In order to use this command, the system must have the AAPM feature enabled.

Note: If you delete an account from Centrify PAS, you must manage the password yourself for the local account. It's recommended that you either save or copy the password manually or change the password after you've deleted the account.

Root or Administrator privilege required? Yes

Usage:

cdelaccount [-hsVv] [-u <username>] <account>

Command option Description

-h, --help

Displays the command help.

-s, --silent

Specifies that no confirmation is asked for and the account password is not displayed.

-u, --username <username>

Specifies the administrative user that is used to delete an account. If you specify this parameter, you don't have to run this command as an administrative user. The service prompts you to enter the password for the specified username.

-V, --verbose

Displays the debug information for each operation.

-v, --version

Displays the version information.

Examples:

# cdelaccount frodo
Caution: Deleting an account means we will no longer know the password. You must make note of it.
Continue to proceed will make the password available and commit the deletion.
Do you want to proceed? (y/n) [n]: y
Getting account password before deletion...
Password for frodo: OneRingToRuleThemAll%#
Account deleted. Save the password to avoid account lockout.

cdiag

Use the cdiag command to check configuration settings to diagnose any potential issues with the Centrify Client. The cdiag command checks the connection between the client and the platform, and on Linux clients it also checks whether system settings such as PAM or NSS are configured correctly when the corresponding features are enabled. You can run this command before, during, or after enrollment.

Run the cdiag command when, for example, a Centrify Client feature that you expect to work is not working.

Note: On Windows, this is a PowerShell script.

Root or Administrator privilege required? Yes

Usage:

cdiag -t tenanturl [-dpnV]

cdiag -t tenanturl -v

cdiag -t tenanturl -h

Command option Description

-t, --tenant <url>

Specifies the customer-specific URL of Centrify PAS. If the system is currently enrolled, this option can be omitted and the URL specified during enrollment is used automatically. If the system is not enrolled yet, this option is required.

-d, --deployment [cloud|on-premise]

Specifies the deployment type of Centrify PAS. The cdiag command runs different checks and troubleshooting according to the deployment type. If you don't specify this option, cloud is the default.

-p, --http-proxy <proxy-url>

Specifies the HTTP proxy URL used by the machine.

-n, --noreport

Does not generate a report file.

-V, --verbose

Displays the debug information for each operation.

-v, --version

Displays the version information.

-h, --help

Displays the command help.

Examples:

cdiag -t abc1234.my.centrify.net

cedit

You can use the cedit command to view, edit, or reset specific Centrify Client configuration parameters. For details about which parameters you can edit, see Customizing Centrify Client parameters.

Root or Administrator privilege required? Yes if you're editing or resetting a parameter value.

Usage:

cedit [-hlqv] [-g <key>] [-r <key>] [-s <key>:<value>]

Command option Description

-g, --get=<key>

Gets the parameter value.

-h, --help

Displays the command help.

-l, --list

Lists parameters that are explicitly set.

-q, --quiet

Does not display any information.

-r, --reset=<key>

Resets the specified parameter value to the default value.

-s, --set=<key>:<value>

Sets a parameter value.

-v, --version

Displays the version information.

Examples:

PS C:\Users\administrator.cloud> cedit -l
                FeatureAAPMEnabled: true
                FeatureAgentAuthEnabled: true
                FeatureDMCEnabled: true
                LogLevel: TRACE
                ProxyURL: http://xx.xx.xx.xx:8080
                ServiceURI: https://abc1234.my.centrify.net/
                agent.tcprelay.proxy: http://xx.xx.xx.xx:8080

PS C:\Users\administrator.cloud> cedit -s LogLevel:WARN
                Parameter successfully updated.

PS C:\Users\administrator.cloud> cedit -g LogLevel
                WARN

cenroll

Use the cenroll command to enroll the system into Centrify PAS and thereby add the new vaulted system to Centrify PAS. You can also use the cenroll command to update a profile of an existing system that's already enrolled.

In general, the required parameters are:

  • --features

  • --tenant

  • either --code or --username (an authentication mechanism: either an enrollment code or a user with the "System Enrollment" administrative right in Centrify PAS)

Parameters that you might use frequently are:

  • agentauth permission to be assigned to a role (-l)

  • Proxy configuration (-p)

  • Connector assignment (-S Connectors:value)

  • Suffix for the hostname in Centrify PAS (-x)

Root or Administrator privilege required? Yes

Usage:

cenroll [-fhVv] [-a <IP/DNS name>] [-c <code>] [-F value] [-l <role1>[,<role2>...,<roleN>]] [-n <name>] [-N <name>] [-O <key:value>] [-o <file>] [-p <proxyURL>] [-P [user:|role:]<name>:<right>[,<right2>,...,<rightN>]] [-S <key:value>] [-s <file>] [-t <url>] [-u <username>] [-w <role>] [-x <suffix>] [-Z <set1>[,<set2>...,<setN>]]

Command option Description

-a, --address=<IP/DNS name>

Specifies the IP address or DNS name of this computer. The value returned by hostname is used if this argument is not supplied. If a system has multiple network adapters, you can use this option to specify where to direct network traffic from Centrify PAS.

By default, if a Windows machine is domain joined, it uses the FQDN (myhost.domain1.net). In some situations, you may want to specify an IP address instead of the hostname for security and network control purposes.

-c, --code=<code>

Specifies the enrollment code to use to enroll this computer in Centrify PAS.

This option is required unless you specify a user with the "System Enrollment" permission.

If the enrollment code is assigned to a role, upon enrollment the service adds the computer to that role.

-d, --dmc-scope=<scopename:regex>,<scopename:regex>,...,<scopename:regex>

Specifies a delegated machine credential scope name and its allowed APIs; you specify the allowed APIs as a regular expression.

You can specify this option multiple times in a single command statement.

-F, --features=<feature1>[,<feature2>,...,<featureN>]

Configures specific features for this system. You must specify a value for this option.

DMC: Specify this option to enable delegated machine credentials. For details, see Using delegated machine credentials.

AAPM: Specify this option to enable application-to-application password management. For details, see Adding computers as systems.

AgentAuth: Specify this option to enable the Agent Auth permission, which is needed to allow Centrify PAS users who have the AgentAuth permission to log in. For details, see Enabling client-based login.

all: Enable all client-based features.

none: Don't enable any client features.

-f, --force

Forces the enrollment operation. Use this option if the system already exists in Centrify PAS.

-h, --help

Displays the command help.

-l, --agentauth=<role1>[,<role2>...,<roleN>]

Specifies the roles to which the AgentAuth/login permission is assigned.

-m, --groupmap=<role name>:<local group>[,<local group 2>,...,<local group N>]

Configures a mapping between a role and one or more local groups on the system.

For example, the following maps the System Administrator role to the two local groups Administrators and Power Users:

cenroll <standard enroll parameters> -m "System Administrator:Administrators, Power Users"

You can specify this option multiple times in a single command statement.

Note: Local group mapping is for Windows systems only.

-n, --name=<name>

Specifies the login name to use for this computer in Centrify PAS. The value returned by hostname is used if this argument is not supplied. If the --suffix argument is supplied, that suffix is used to form the final login name. Otherwise, a default suffix is used.

-N, --resource-name=<name>

Specifies the name of this computer in Centrify PAS. The value returned by hostname is used if this argument is not supplied. If the --suffix argument is supplied, the final name of the system is in the form <name>@<suffix>. Otherwise, the final name is in the form <name>.

-O, --resource-policy=<key:value>

Specifies resource-specific policies in key-value pairs. If the same policy is configured both by this parameter and in the --resource-policy-file, the value in this parameter is applied.

You can specify this option multiple times in a single command statement.

-o, --resource-policy-file=<file>

Specifies a plain text file that contains resource-specific policies stored as key-value pairs.

If the same policy is configured both in this file and by --resource-policy, the value in --resource-policy is applied.

-p, --http-proxy=<proxy URL>

Specifies an HTTP proxy to use for the Centrify Client connection to Centrify PAS.

When you specify this option, the client redirects all communication through the proxy address. If the proxy is unavailable, the client status is listed as "disconnected" from the network.

-P, --resource-permission=[user:|role:]<name>:<right>[,<right2>,...,<rightN>]

For Active Directory or LDAP groups:

cenroll -P group:"<group@domain.suffix>":<PAS_permission>

For Centrify PAS roles:

cenroll -P <role_name>:<PAS_permission>

Specifies the permissions for the system, such as Grant, View, AgentAuth, Offline Rescue, and so forth. You can specify permissions for users or roles. For more details about permissions, see Assigning permissions.

It can be useful to specify permissions at the time of enrollment, but you can also set them later in the Admin Portal.

You can specify this option multiple times in a single command statement. When you specify multiple permissions, surround each permission with \". For example:

-P \"bugs.bunny@acme.cloud:Grant,View\"

--resource-permission \"bugs.bunny@acme.cloud:Grant,View\"

-S, --resource-setting=<key:value>

Specifies resource-specific settings in key-value pairs. If the same setting is configured both by this parameter and in the --resource-setting-file, the value in this parameter is applied. To set the domain information, you can specify DomainName:<domain> as a setting.

You can specify this option multiple times in a single command statement.

You can view the available resource settings in the developer portal:

developer portal - post_servermanage-updateresource

developer portal - post_servermanage-addresource

Note: When supplying a connector resource setting, specify just one connector. If you specify more than one, the last one you specify is used. For example:

cenroll -f -F all -S Connectors:connector1

-s, --resource-setting-file=<file>

Specifies a plain text file that contains resource-specific settings stored as key-value pairs.

If you specify the same setting both in this file and with the --resource-setting parameter, the client uses the value specified in the --resource-setting parameter.

-t, --tenant=<url>

Specifies the customer-specific URL of the tenant to enroll into.

You can use either a space or = between --tenant and the URL. Here are some examples of the ways you can specify a tenant URL:

--tenant=abc0123.my.centrify.net

--tenant abc0123.my.centrify.net

--tenant https://abc0123.my.centrify.net

--tenant=https://abc0123.my.centrify.net

-u, --username=<username>

Specifies the user who will enroll this system into Centrify PAS.

You must either specify this option or specify an enrollment code.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays the version information.

-w, --owner=<role>

Specifies the role used to manage this computer in Centrify PAS.

-x, --suffix=<suffix>

Specifies the suffix to use for the login and resource names for this system.

-Z, --resource-set=<set1>[,<set2>...,<setN>]

Adds the system to the specified resource sets.

Examples:

[EXAMPLE: To enroll a system with all features enabled into the specified tenant using an enrollment code]
[root@mylinux ~]# cenroll --force --features=all --tenant=abc1234.my.centrify.net --code=PUTTHEENROLLMENTCODEHERE
            Enrolling in https://abc1234.my.centrify.net/ ...
            Centrify agent started.
            Enabled features: AgentAuth, AAPM, DMC
            Enrollment complete.

[EXAMPLE: To add a local computer to the Centrify Privileged Access Service using a specified user account]
[root@mylinux ~]# cenroll --tenant=abc1234.my.centrify.net --username wily@acme --features aapm,agentauth --agentauth "Authorized Agent Login"

[EXAMPLE: To add the computer using a specific IP address and computer name]
[root@mylinux ~]# cenroll -t abc1234.my.centrify.net -u wily@acme -n rhel9.mydomain.com -a 123.45.67.890

[EXAMPLE: To add the computer, enable all features, and use a web proxy]
[root@mylinux ~]# cenroll -F all -f -t abc1234.my.centrify.net -c PUTTHEENROLLMENTCODEHERE -l linuxadmins -p http://12.3.4.56:8080

[EXAMPLE: To add the computer and enable AAPM]
[root@mylinux ~]# cenroll -F AAPM -f -t abc1234.my.centrify.net -c PUTTHEENROLLMENTCODEHERE -l linuxadmins

[EXAMPLE: To enroll a computer with username and password instead of an enrollment code]
[root@mylinux ~]# cenroll -F all -f -t abc1234.my.centrify.net -u pasadmin@example.com -l linuxadmins

[EXAMPLE: To allow public network access for this computer and to perform periodic password rotation on the accounts associated with this computer every 30 days, specify these policies on the command line]
[root@mylinux ~]# cenroll -O "AllowRemote:true" -O "AllowPasswordRotation:true" -O "PasswordRotateDuration:30"

[EXAMPLE: Alternatively, you could use a text editor to create a "policy.conf" file with these settings:]
AllowRemote:true
AllowPasswordRotation:true
PasswordRotateDuration:30

[After defining the policies in the "policy.conf" file, run the cenroll command and refer to the policy.conf file:]
[root@mylinux ~]# cenroll --resource-policy-file /tmp/policy.conf

[EXAMPLE: To enroll with Use My Account credentials]
cenroll -F agentauth -t <tenant> -c <code> -l <agentauth_role> -S CertAuthEnable:true -S AllowRemote:true -S Connectors:<name>

[NOTE: Using the cenroll command depends on the user in PAS being a member of a role with AgentAuth permission. Use My Account is immediately accessible for Windows enrolled systems, and accessible for Linux enrolled systems after MasterSSHKey download/configuration.]
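As an added example that is not part of the Centrify documentation, the following POSIX shell script wraps the enrollment shown above: it enforces the required-parameter rules (--features and --tenant, plus exactly one of --code or --username), writes the key:value policy file used with --resource-policy-file, and reads the enrollment code from a root-only file instead of hard-coding it. The tenant URL, code file path and role name are placeholders; CENROLL can be pointed at a stub for dry runs.

```sh
#!/bin/sh
# Added example (not Centrify's code): validate and run a cenroll enrollment
# from variables, applying the required-parameter rules in the documentation.
set -eu

# The binary to run; override (e.g. CENROLL=echo) for a dry run.
CENROLL="${CENROLL:-cenroll}"

# Required-parameter rules: --features and --tenant are always needed, and
# exactly one of --code or --username must be given. Returns 1 on violation.
validate_enroll_params() {
    features="$1"; tenant="$2"; code="$3"; username="$4"
    if [ -z "$features" ] || [ -z "$tenant" ]; then
        echo "error: --features and --tenant are required" >&2
        return 1
    fi
    if [ -n "$code" ] && [ -n "$username" ]; then
        echo "error: specify either --code or --username, not both" >&2
        return 1
    fi
    if [ -z "$code" ] && [ -z "$username" ]; then
        echo "error: an enrollment code or a username is required" >&2
        return 1
    fi
    return 0
}

# Write the key:value resource-policy file consumed by --resource-policy-file.
# Arguments: file path, then any number of key:value pairs (e.g. AllowRemote:true).
write_policy_file() {
    path="$1"; shift
    : > "$path"
    chmod 600 "$path"   # policies are not secret, but keep the file root-only
    for kv in "$@"; do
        case "$kv" in
            *:*) printf '%s\n' "$kv" >> "$path" ;;
            *)   echo "error: policy '$kv' is not in key:value form" >&2; return 1 ;;
        esac
    done
}

# Run cenroll --force with the validated parameters.
# Arguments: features tenant code username agentauth_role policy_file
# (pass "" for values you do not use).
run_cenroll() {
    validate_enroll_params "$1" "$2" "$3" "$4" || return 1
    if [ -n "$3" ]; then
        auth="--code=$3"
    else
        auth="--username=$4"
    fi
    # Build the argument list in the positional parameters so that a role name
    # with spaces (e.g. "Authorized Agent Login") stays a single argument.
    role="$5"; policy_file="$6"
    set -- --force "--features=$1" "--tenant=$2" "$auth"
    [ -n "$role" ] && set -- "$@" "--agentauth=$role"
    [ -n "$policy_file" ] && set -- "$@" "--resource-policy-file=$policy_file"
    "$CENROLL" "$@"
}

# Placeholder values; replace for a real enrollment. The enrollment code is
# read from a root-only file rather than embedded in the script.
TENANT="${PAS_TENANT:-abc1234.my.centrify.net}"
CODE_FILE="${PAS_CODE_FILE:-/root/.pas_enroll_code}"
POLICY_FILE="${PAS_POLICY_FILE:-/tmp/policy.conf}"

# Only enroll when the client is installed and the code file is readable.
if command -v cenroll >/dev/null 2>&1 && [ -r "$CODE_FILE" ]; then
    write_policy_file "$POLICY_FILE" AllowRemote:true AllowPasswordRotation:true PasswordRotateDuration:30
    run_cenroll all "$TENANT" "$(cat "$CODE_FILE")" "" linuxadmins "$POLICY_FILE"
fi
```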

 

cflush (Linux only)

You use the cflush command on Linux systems to update the local cache of users and groups that have been authenticated by Centrify PAS.

User and group information is stored in the local cache so that the client does not need to look up the information again for the next 60 minutes (after it is stored). This command invalidates the information in the local cache so that the client requests the information from Centrify PAS the next time any client application asks for it.

Because most Linux applications need to look up user or group information, caching such information reduces the need to frequently request the same information from PAS. Caching this information improves performance.

Root or Administrator privilege required? Yes

Usage:

cflush [-eV]

cflush -v

cflush -h

Command option Description

-e, --expire

(Reserved for future use)

-V, --verbose

Displays detailed debug information for each operation.

-v, --version

Displays the version information.

-h, --help

Displays the command help.

Examples:

[root@mylinux ~]# cflush
        Flushed cagent cache

cgetaccount

Use the cgetaccount command to retrieve and use the stored password for a domain, database, or managed local account from Centrify PAS. (You can store accounts either from within the Admin Portal or by using the csetaccount command.) In order to use this command, the system must have the AAPM feature enabled.

Root or Administrator privilege required? Yes

Usage:

cgetaccount [-hsVv] [-t <minutes>] [-T <type>] [-u <username>] [<targetname>/]<accountname>

Command option Description

-t, --lifetime Minutes

Specifies the password checkout interval (duration), in minutes. The value that you specify must be less than or equal to the account checkout lifetime defined in the target policy. If you specify a value greater than the account checkout lifetime, an error is returned. If you do not specify a password checkout interval (that is, if you do not use this option), a default password checkout interval of one minute is used.

-T, --type Type

Specifies the type of the target to which the account belongs. Valid values are system, domain, or database.

-s, --silent

Retrieves the account password from Centrify PAS without asking for confirmation. The password is not printed to stdout.

This option is useful for scripts that need to set a local variable in order to store the returned password.

-u, --username

Specifies the administrative user that is used to get an account. If you specify this parameter, you don't have to run this command as an administrative user. The service prompts you to enter the password for the specified username.

-v, --version

Displays the version information.

-V, --verbose

Displays information about each step in the password retrieval operation as it occurs. This option can be useful in diagnosing password retrieval problems.

-h, --help

Displays usage information for this command.

Examples:

[root@mylinux ~]# cgetaccount frodo
            Password for account "frodo" will be checked out. The checkout will be logged and expire in 1 minute.
            Do you want to continue and display the password? (y/n) [n]: y
            Password for frodo: OneRingToRuleThemAll%#
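As an added example that is not part of the Centrify documentation, this POSIX shell wrapper shows the scripted use of --silent described above: it validates the checkout lifetime and account type, captures the password into a variable rather than displaying it, and hands it to a consumer on stdin rather than as a command-line argument (arguments are readable by other local users in process listings). It assumes that with --silent the password is the command's only standard output, as the option's description for scripts implies; the target/account names and the consumer are placeholders.

```sh
#!/bin/sh
# Added example (not Centrify's code): check out a vaulted password with
# "cgetaccount --silent" for use inside a script, without displaying it.
set -eu

CGETACCOUNT="${CGETACCOUNT:-cgetaccount}"   # overridable for dry runs
MAX_LIFETIME="${MAX_LIFETIME:-15}"          # local cap in minutes; PAS also enforces the target policy

# Accept only a positive integer number of minutes not above MAX_LIFETIME.
validate_lifetime() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;            # empty or not a plain integer
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_LIFETIME" ]
}

# Check out the password of TYPE [TARGET/]ACCOUNT for LIFETIME minutes and
# write it to stdout once. Usage: checkout_password <type> <target/account> <minutes>
checkout_password() {
    acct_type="$1"; account="$2"; lifetime="$3"
    case "$acct_type" in
        system|domain|database) ;;
        *) echo "error: type must be system, domain or database" >&2; return 1 ;;
    esac
    if ! validate_lifetime "$lifetime"; then
        echo "error: lifetime must be an integer from 1 to $MAX_LIFETIME minutes" >&2
        return 1
    fi
    # --silent: no confirmation prompt, so the output can be captured directly.
    # stderr is left untouched so PAS errors (AAPM disabled, no permission,
    # lifetime above the target policy) remain visible to the operator.
    "$CGETACCOUNT" --silent --lifetime "$lifetime" --type "$acct_type" "$account"
}

if command -v cgetaccount >/dev/null 2>&1; then
    # The checkout is logged in PAS and expires after 2 minutes; the password
    # exists only in this variable for the lifetime of the script.
    DB_PASSWORD="$(checkout_password database "proddb/app_user" 2)"
    # Feed the secret to the consumer on stdin, never on its command line.
    printf '%s' "$DB_PASSWORD" | some_db_client --password-stdin   # placeholder consumer
    unset DB_PASSWORD
fi
```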

 

cinfo

Use the cinfo command to display detailed and diagnostic information about the local system's configuration in Centrify PAS.

Root or Administrator privilege required? Yes for the --clientchannel-health (-H) and --support (-t) options.

Usage:

cinfo [-aABDHhNoPtTVv] [-C <url>] [-p <proxy URL>]

Command option Description

-a, --address

Displays the IP address or DNS name for an enrolled instance in Centrify PAS.

-A, --agent-status

Displays the status of the Centrify Client. The possible values are as follows:

unknown: The cinfo command failed to check the client status or encountered an unknown error.

connected: The client is connected to Centrify PAS and running well.

disconnected: The client is not connected to Centrify PAS, most likely due to a network connectivity issue.

stopped: The client service has been stopped by a system management tool, such as systemctl.

starting: The client is in the process of starting and not yet ready for service.

disabled: The client has discovered that the related resource has been deleted in the backend, so the client cannot work anymore.

-B, --clientchannel-status

Confirms that the Centrify Client has a connection to Centrify PAS. For example, if the client is connected, the service allows password reconciliation to work. The possible status values are online and offline.

-C, --connect=<url>

Verifies the availability of Centrify PAS by connecting to the specified URL.

-D, --tenant-id

Displays the registered customer-specific identifier (tenant ID).

-H, --clientchannel-health

Performs a Centrify Client health check of the client channel, which is the connection between the Centrify Client and Centrify PAS.

This option requires Administrator or root privilege.

-h, --help

Displays the command help.

-N, --resource-name

Displays the resource name for a computer enrolled in Centrify PAS.

-o, --owner

Displays the owner of a computer enrolled in Centrify PAS.

-p, --http-proxy=<proxy url>

Specifies the HTTP proxy to use in conjunction with the --connect option.

-P, --platform-version

Displays the version of Centrify PAS.

-t, --support

Generates a support file with diagnostic information. The file location is:

/var/centrify/tmp/cinfo_support.tar.gz (Linux)

C:\ProgramData\Centrify\support\cinfo_support.<timestamp>.zip (Windows)

This option requires Administrator or root privilege.

-T, --tenant

Displays the customer-specific URL for a computer enrolled in Centrify PAS.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays the version information.

Examples:

[root@mylinux ~]# cinfo
                Enrolled in:       https://abc1234.my.centrify.net/
                Enrolled as:
                    Service account:  mylinux$@acme.net
                    Resource name:    mylinux
                    IP/DNS name:      10.10.10.1
                    Owner:            sysadmin (Type: Role)
                Customer ID:        ABC1234
                Enabled features:   AgentAuth, AAPM, DMC
                Client Channel status: Online
                Client status:      connected
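As an added example that is not part of the Centrify documentation, the following POSIX shell probe turns the client states listed under --agent-status and --clientchannel-status above into monitoring exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN), so a cron job or monitoring agent can alert when a host silently drops off PAS. It assumes that each of those two cinfo options prints the bare status value; CINFO can be pointed at a stub for testing.

```sh
#!/bin/sh
# Added example (not Centrify's code): monitoring probe for the Centrify Client
# built on "cinfo --agent-status" and "cinfo --clientchannel-status".
set -eu

CINFO="${CINFO:-cinfo}"   # overridable for testing

# Map the documented client states to Nagios-style exit codes:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
status_to_exit_code() {
    case "$1" in
        connected)                     echo 0 ;;
        starting)                      echo 1 ;;   # transient; alert only if it persists
        disconnected|stopped|disabled) echo 2 ;;   # no PAS connectivity or client disabled
        *)                             echo 3 ;;   # "unknown" or unparseable output
    esac
}

# Query both statuses, print one summary line and return the worst exit code.
check_client_health() {
    agent="$("$CINFO" --agent-status 2>/dev/null | tr -d '[:space:]')"
    channel="$("$CINFO" --clientchannel-status 2>/dev/null | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"
    [ -n "$agent" ] || agent=unknown
    [ -n "$channel" ] || channel=unknown
    code="$(status_to_exit_code "$agent")"
    # A connected client whose channel is offline cannot reconcile passwords,
    # so treat that as critical as well.
    if [ "$channel" != "online" ] && [ "$code" -lt 2 ]; then
        code=2
    fi
    echo "centrify_client agent=$agent channel=$channel exit=$code"
    return "$code"
}

# Run the probe when the client is installed; the script's exit status is the
# probe result, which is what a monitoring agent consumes.
if command -v cinfo >/dev/null 2>&1; then
    check_client_health
fi
```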

 

creload

Use the creload command to force the client to reload configuration properties after you've changed them using cedit.

Root or Administrator privilege required? Yes

Usage:

creload [-hVv]

Command option Description

-h, --help

Displays the command help.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays the version information.

Examples:

[root@mylinux ~]# creload

crotatepasswd

Use the crotatepasswd command to rotate the password for the specified account, such as for an account for a domain, database, or a system. If you're rotating the password for a vaulted local account, the password is updated both locally and in the Admin Portal. If the password is currently checked out, you must use the --force option to force the password rotation. In order to use this command, the system must have the AAPM feature enabled.

Root or Administrator privilege required? Yes

Usage:

crotatepasswd [-fhVv] [-T value] [<target>/]<account>

Command option Description

-f, --force

Ignores any password checkouts and forces a password rotation.

-h, --help

Displays the command help.

-T, --type=value

Specifies the type of the target to which the account belongs. Valid values are: system, domain, or database.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays the version information.

Examples:

[root@mylinux ~]# crotatepasswd frodo
            Rotating password for frodo...
            Failed to rotate password for frodo: Failed to rotate password from Centrify identity platform: The password for this account is currently checked out
[root@mylinux ~]#
[root@mylinux ~]# crotatepasswd --force frodo
            Rotating password for frodo...
            Rotated Password for frodo

csetaccount

Use the csetaccount command to create or update a vaulted privilege account in Centrify PAS for the specified local account. In order to use this command, the system must have the AAPM feature enabled.

Root or Administrator privilege required? Yes

Usage:

csetaccount [-hPVv] [-a <name>|user:<name>|role:<name>] [-d <description>] [-m <true|false>] [--password <password>] [-p [user:|role:|group:]<name>:<right>[,<right2>,...,<rightN>]] [-s <set1>[,<set2>...,<setN>]] [--stdin] [-u <username>] [-w <enable|disable|default>] [-x <true|false>] <account>

Command option Description

-a, --approver=<name>|user:<name>|role:<name>

Specifies the approver for the account. This parameter applies if privileged account workflow is enabled.

-d, --description=<description>

Specifies the account description.

-h, --help

Displays the command help.

-m, --managed=<true|false>

Specifies whether the account password is managed.

-P, --nopassword

Specifies to not require password input. Use this option to update the account settings without updating the stored password.

--password=<password>

Specifies the account password.

If you don't specify this parameter, then you're prompted for the password.

-p, --permission=[user:|role:|group:]<name>:<right>[,<right2>,...,<rightN>]

Specifies the account permissions.

-s, --set=<set1>[,<set2>...,<setN>]

Specifies one or more sets to add the account to.

--stdin

Reads the user password from stdin instead of an interactive prompt.

-u, --username

Specifies the administrative user that is used to add or update an account. If you specify this parameter, you don't have to run this command as an administrative user. The service will prompt you to enter the password for the specified username.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays the version information.

-w, --workflow=<enable|disable|default>

Specifies whether privileged account workflow is enabled.

-x, --useproxy=<true|false>

Specifies whether this account is used as a proxy account.

Examples:

[root@mylinux ~]# csetaccount -m true frodo
            Password for frodo:
            Account frodo has been successfully vaulted
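As an added example that is not part of the Centrify documentation, this POSIX shell script vaults a local account the way the example above does, but generates the password locally and supplies it with --stdin: the --password option would put the secret in the process argument list, where other local users can read it from process listings. It assumes a Linux host where chpasswd sets the local password first; the account name and the password alphabet are assumptions, and CSETACCOUNT can be pointed at a stub for dry runs.

```sh
#!/bin/sh
# Added example (not Centrify's code): vault a local account with csetaccount,
# generating the password locally and passing it on stdin instead of argv.
set -eu

CSETACCOUNT="${CSETACCOUNT:-csetaccount}"   # overridable for dry runs

# Generate an N-character password from /dev/urandom using a fixed alphabet
# (assumption: the local password policy accepts these characters).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!%+.:=@_-' < /dev/urandom | head -c "$1"
}

# Vault ACCOUNT as a managed account (-m true), reading the password from stdin
# so it never appears in the command-line arguments of csetaccount.
# Usage: vault_local_account <account> <password>
vault_local_account() {
    account="$1"; password="$2"
    case "$account" in
        ''|*[!A-Za-z0-9._-]*) echo "error: invalid local account name '$account'" >&2; return 1 ;;
    esac
    printf '%s\n' "$password" | "$CSETACCOUNT" --stdin --managed=true "$account"
}

if command -v csetaccount >/dev/null 2>&1; then
    ACCOUNT="${PAS_LOCAL_ACCOUNT:-svc_backup}"    # placeholder local account
    # Set the local password first, then vault the same value. Because the
    # account is vaulted as managed, its password is managed by PAS from then
    # on and the generated value does not need to be recorded anywhere else.
    PASSWORD="$(gen_password 24)"
    printf '%s:%s\n' "$ACCOUNT" "$PASSWORD" | chpasswd
    vault_local_account "$ACCOUNT" "$PASSWORD"
    unset PASSWORD
fi
```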

 

cunenroll

Use the cunenroll command to un-enroll a vaulted system from Centrify PAS. Un-enrolling a system means the following:

  • Remove the system from Centrify PAS in such a way that any client-based features no longer work on the system (unless you re-enroll the system).

  • Unless you specify otherwise, un-enrolling does not completely remove the system from Centrify PAS. Vault functions such as remote access to the system still work. The system displays in Centrify PAS with an unenrolled status.

  • The Centrify Client software remains installed on the system. This way, you can re-enroll the system without having to reinstall anything.

To unenroll a system using the cunenroll command, you must specify one of the following options:

  • -m machine credential

  • -u user credentials (the user account must have Grant permission on the system)

To completely remove the system from Centrify PAS, you specify the option -d. Using the -d option removes the system completely from Centrify PAS and any client-generated accounts. To remove a system from Centrify PAS, you must have the View and Delete permissions.

Root or Administrator privilege required? Yes

Usage:

cunenroll [-CdfhmRtVv] [-u value]

Command option Description

-C, --noconf

(Linux only)

Specifies to not update the local configuration upon unenrolling from the Centrify PAS.

Note: Contact Centrify Support before you use this parameter.

-d, --delete

Deletes this computer account from the Centrify PAS, including all resource information and all associated accounts.

-f, --force

Forces an unenroll operation locally without connecting to the Centrify PAS.

-h, --help

Displays the command help.

-m, --machine

Uses the machine credential to unenroll from Centrify PAS.

-R, --restore

(Linux only)

Restores the configuration without unenrolling from Centrify PAS. The --restore option restores the PAM/NSS module configuration so that the Centrify modules are no longer loaded, returning the PAM/NSS state to what it was before enrollment.

Note: Contact Centrify Support before you use this parameter.

-t, --terminate-user-sessions

Use this option together with the --delete option. If there are any current sessions that the user initiated from within Centrify PAS, this option terminates all of them. Sessions that were initiated from the command line are not terminated.

-u, --user=value

Specifies the administrative user used to unenroll from the Centrify PAS.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays version information.

Examples:

(This example uses the system's service account in Centrify PAS and deletes the system in Centrify PAS.)
            [root@mylinux ~]# cunenroll --delete --machine
            Successfully Unenrolled.