Using Centrify Client commands

This section covers commands that you can use on systems where you have installed the Centrify Client. Most commands work the same on Windows and Linux; any differences for operating systems are noted. For details about each command, click the command name to go to the relevant section.

Note:    Each command generates a log file at /var/log/ (Linux) or C:\ProgramData\Centrify\Logs (Windows).

Command

Is root or administrator privilege needed?

Description

cdebug

YES

Use the cdebug command to control and check the logging detail level. You can also empty the log file as part of your log rotation process.

cdelaccount

YES

Use the cdelaccount command to delete the domain, database, or local account from Centrify PAS. In order to use this command, the system must have the AAPM feature enabled.

cdiag

YES

Use the cdiag command to check configuration settings to diagnose any potential issues with the Centrify Client.

cedit

YES if you're editing or resetting parameter values

Use the cedit command to view, edit, or reset specific Centrify Client configuration parameters.

cenroll

YES

Use the cenroll command to enroll the system into Centrify PAS and thereby add the new vaulted system to Centrify PAS.

cflush (Linux only)

YES

You use the cflush command on Linux systems to update the local cache of users and groups that have been authenticated by Centrify PAS.

cgetaccount

YES

Use the cgetaccount command to retrieve and use the stored password for a domain, database, or managed local account from Centrify PAS. In order to use this command, the system must have the AAPM feature enabled.

cinfo

YES only for the -H and -t options

Use the cinfo command to display detailed and diagnostic information about the local system's configuration in Centrify PAS.

creload

YES

Use the creload command to force the client to reload configuration properties after you've changed them using cedit.

crotatepasswd

YES

Use the crotatepasswd command to rotate the password for the specified account, such as for a domain, database, or a system account. In order to use this command, the system must have the AAPM feature enabled.

csetaccount

YES

Use the csetaccount command to create or update a vaulted privilege account in Centrify PAS for the specified local account. In order to use this command, the system must have the AAPM feature enabled.

cunenroll

YES

Use the cunenroll command to un-enroll a vaulted system from Centrify PAS.

cdebug

Use this command to control and check the logging detail level. You can also empty the log file as part of your log rotation process.

Log files are located at /var/log/cagent.log (Linux) or C:\ProgramData\Centrify\Logs (Windows).

Root or Administrator privilege required? Yes

Usage:

cdebug [on | off | clear | status | set <debug_level>]
<debug_level> can be TRACE, DEBUG, INFO, WARN, ERROR, DISABLED

Command option Description

on

Turns on detailed logging activity. Essentially, this is the same as setting the debug level to DEBUG.

off

Turns off detailed logging activity. Essentially, this is the same as setting the debug level to INFO.

clear

Empties the current log file and triggers log rotation for the cagent.log file. The client archives the existing log file as cagent-<timestamp>.log.gz and logging starts again from a newly empty cagent.log file.

The client also runs the clear command automatically in the background so that log files don't become too large.

status

Checks to see whether detailed logging activity is turned on or off.

set <debug_level>

Sets the level of detail that the client outputs to the log. Your choices are:

TRACE: Includes trace level messages in addition to what's included with the DEBUG log level. Trace level messages are a step-by-step listing of every action taken; anything that can be logged is captured. Using this log level can help with troubleshooting, but be aware that the log file can get large quickly and system performance may be slower. Centrify recommends that you use this log level only when requested by Centrify Support.

DEBUG: Debug, informational, warning, and error messages. Use this log level for most troubleshooting situations. Be aware that the log file can get large. Centrify recommends that you use this log level only when requested by Centrify Support.

INFO: Informational, warning, and error messages. This is the default log level.

WARN: Warning and error messages.

ERROR: Error messages only.

DISABLED: This option turns off any client logging.

Examples:

PS C:\Users\administrator.cloud> cdebug set TRACE
Debug logging is on.  Verbose tracing is on.

PS C:\Users\administrator.cloud> cdebug status
Debug logging is on.  Verbose tracing is on.

 

cdelaccount

The cdelaccount command deletes the domain, database, or managed local account from Centrify PAS. The local account remains intact. After you remove an account from Centrify PAS, you can't check out the password or use Centrify PAS to rotate the password.

In order to use this command, the system must have the AAPM feature enabled.

Note:   If you delete an account from Centrify PAS, you must manage the password yourself for the local account. It's recommended that you either save or copy the password manually or change the password after you've deleted the account.

Root or Administrator privilege required? Yes

Usage:

cdelaccount [-hsVv] <account>

 

Command option Description

-h

--help

Displays the command help

-s

--silent

Specifies that no confirmation will be asked, and the account password will not be displayed.

-V

--verbose

Displays the debug information for each operation.

-v

--version

Displays the version information.

Examples:

# cdelaccount frodo
Caution: Deleting an account means we will no longer know the password. You must make note of it.
Continue to proceed will make the password available and commit the deletion.
Do you want to proceed? (y/n) [n]: y
Getting account password before deletion...
Password for frodo: OneRingToRuleThemAll%#
Account deleted. Save the password to avoid account lockout.

cdiag

Use the cdiag command to check configuration settings to diagnose any potential issues with the Centrify Client. The cdiag command checks the connection between the client and the platform and also checks if system settings such as PAM or NSS are configured correctly on Linux clients when corresponding features are enabled. You can run this command before, during, or after enrollment.

For example, run the cdiag command if any expected Centrify Client functionality isn't working.

Note:   On Windows, this is a PowerShell script.

Root or Administrator privilege required? Yes

Usage:

cdiag -t tenanturl [-dpnV]

cdiag -t tenanturl -v

cdiag -t tenanturl -h

 

Command option Description

-t

--tenant url

Specifies the customer-specific URL of the Centrify PAS. If the system is currently enrolled, this option can be omitted; the URL specified during enrollment will automatically be used. If the system is not enrolled, this option is mandatory.

-d

--deployment [cloud|on-premise]

Specifies the deployment type of Centrify PAS. The cdiag command performs different checks and troubleshooting depending on the deployment type. If you don't specify this option, cloud is the default.

-p

--http-proxy proxy-url

Specifies the HTTP proxy URL used by the machine.

-n

--noreport

Does not generate a report file.

-V

--verbose

Displays the debug information for each operation.

-v

--version

Displays the version information.

-h

--help

Displays the command help.

Examples:

cdiag -t abc1234.my.centrify.net

 

cedit

You can use the cedit command to view, edit, or reset specific Centrify Client configuration parameters. For details about which parameters you can edit, see Customizing Centrify Client parameters.

Root or Administrator privilege required? Yes if you're editing or resetting a parameter value.

Usage:

cedit [-hlqv] [-g <key>] [-r <key>] [-s <key>:<value>]

 

Command option Description

-g, --get=<key>

Gets the parameter value.

-h, --help

Displays the command help.

-l, --list

Lists parameters that are explicitly set.

-q, --quiet

Does not display any information.

-r, --reset=<key>

Resets the specified parameter value to the default value.

-s, --set=<key>:<value>

Sets a parameter value.

-v, --version

Displays version information.

Examples:

PS C:\Users\administrator.cloud> cedit -l
FeatureAAPMEnabled: true
FeatureAgentAuthEnabled: true
FeatureDMCEnabled: true
LogLevel: TRACE
ProxyURL: http://xx.xx.xx.xx:8080
ServiceURI: https://abc1234.my.centrify.net/
agent.tcprelay.proxy: http://xx.xx.xx.xx:8080

PS C:\Users\administrator.cloud> cedit -s LogLevel:WARN
Parameter successfully updated.

PS C:\Users\administrator.cloud> cedit -g LogLevel
WARN

 

cenroll

Use the cenroll command to enroll the system into Centrify PAS and thereby add the new vaulted system to Centrify PAS. You can also use the cenroll command to update a profile of an existing system that's already enrolled.

In general, the required parameters are:

  • --features

  • --tenant

  • either --code or --username (an authentication mechanism — either an enrollment code or a user with the "System Enrollment" administrative right in Centrify PAS)

Parameters that you might use frequently are:

  • agentauth permission to be assigned to a role (-l)

  • Proxy configuration (-p)

  • Connector assignment (-S Connectors:value)

  • Suffix for the hostname in Centrify PAS (-x)

Root or Administrator privilege required? Yes

Usage:

cenroll [-fhVv] [-a <IP/DNS name>] [-c <code>] [-F value] [-l<role1>[,<role2>...,<roleN>]] [-n <name>] [-N <name>] [-O <key:value>] [-o <file>] [-p <proxyURL>] [-P [user:|role:]<name>:<right>[,<right2>,...,<rightN>]] [-S <key:value>] [-s <file>] [-t<url>] [-u <username>] [-w <role>] [-x <suffix>] [-Z <set1>[,<set2>...,<setN>]]

 

Command option Description

-a,

--address=<IP/DNS name>

Specifies the IP address or DNS name of this computer. The value returned by the hostname command is used if this argument is not supplied. If a system has multiple network adapters, you can use this option to specify where to direct network traffic from Centrify PAS.

By default, if a Windows machine is domain joined, it uses the FQDN (myhost.domain1.net). In some situations, you may want to specify an IP address instead of the hostname for security and network control purposes.

-c,

--code=<code>

Specifies the enrollment code to use to enroll this computer in the Centrify PAS.

This option is required, or you must specify a user with "System Enrollment" permission.

If the enrollment code is assigned to a role, upon enrollment the service adds the computer into that role.

-d

--dmc-scope=<scopename:regex>,<scopename:regex>,...,<scopename:regex>

Specifies a delegated machine credential scope name and allowed APIs; you specify the allowed APIs as a regular expression.

-F,

--features=value <feature1>[,<feature2>,...,<featureN>]

Configures specific features for this system. You must specify a value for this option.

DMC: Specify this option to enable delegated machine credentials. For details, see Using delegated machine credentials.

AAPM: Specify this option to enable application-to-application password management. For details, see Adding computers as systems.

AgentAuth: Specify this option to enable the Agent Auth permission, which is needed to allow Centrify PAS users who have the AgentAuth permission to log in. For details, see Enabling client-based login.

all: Enable all client-based features

none: Don't enable any client features

-f,

--force

Forces the enrollment operation. Use this option if the system already exists in Centrify PAS.

-h,

--help

Displays the command help.

-l, --agentauth=<role1>[,<role2>...,<roleN>]

Specifies the roles to which the AgentAuth/login permission is assigned.

-m,

--groupmap=<role name>:<local group>[,<local group 2>,...,<local group N>]

Configures a mapping between role and one or multiple local groups on the system as follows:

<role name>:<local group>[,<local group 2>,...,<local group N>] (for example: cenroll <standard enroll parameters> -m "System Administrator:Administrators, Power Users").

Note:   Local group mapping is for Windows systems only.

-n, --name=<name>

Specifies the login name to use for this computer in the Centrify PAS. The value returned by hostname is used if this argument is not supplied. If the --suffix argument is supplied, said suffix will be used to form the final login name. Otherwise, a default suffix will be used.

-N,

--resource-name=<name>

Specifies the name of this computer in Centrify PAS. The value returned by 'hostname' is used if this argument is not supplied. If the --tenant-suffix argument is supplied, the final name of the system will be in the form '<name>@<suffix>'. Otherwise, the final name will be in the form '<name>'.

-O,

--resource-policy=<key:value>

Specifies resource-specific policies in key-value pairs (can be used multiple times). If the same policy is configured by this parameter and the --resource-policy-file, the value in this parameter is applied.

-o,

--resource-policy-file=<file>

Specifies resource-specific policies in key-value pairs, read from the specified file. If the same policy is configured by this parameter and --resource-policy, the value in --resource-policy is applied.

-p,

--http-proxy=<proxy URL>

Specifies the HTTP proxy to use while connecting to Centrify PAS.

-P, --resource-permission

For Active Directory groups:

cenroll -P group:"<ad_group@domain.suffix>":<PAS_permission>

For Centrify PAS roles:

cenroll -P <role_name>:<PAS_permission>

Specifies the permissions for the system, such as Grant, View, AgentAuth, Offline Rescue, and so forth. You can specify permissions for users or roles. For more details about permissions, see Assigning permissions.

It can be useful to specify permissions at the time of enrollment, but you can set them later in the Admin Portal too.

-S, --resource-setting=<key:value>

Specifies resource-specific settings in key-value pairs (can be used multiple times). If the same setting is configured by this parameter and the --resource-setting-file, the value in this parameter is applied. To set the domain information, you can specify DomainName:<domain> as a setting.

You can view the available resource settings here:

https://developer.centrify.com/reference#post_servermanage-updateresource

https://developer.centrify.com/reference#post_servermanage-addresource

-s,

--resource-setting-file=<file>

Specifies the plain-text file which contains resource-specific settings as key-value pairs.

If you specify the same parameter in this file and the --resource-setting parameter, the client uses the value specified in the --resource-setting parameter.

-t,

--tenant=<url>

Specifies the customer-specific URL of the tenant to enroll into.

-u,

--username=<username>

Specifies the user who will enroll this system into the Centrify PAS.

You must either specify this option or specify an enrollment code.

-V,

--verbose

Displays debug information for each operation.

-v,

--version

Displays version information.

-w,

--owner=<role>

Role used to manage this computer in the Centrify PAS.

-x,

--suffix=<suffix>

Specifies the suffix to use for the login and resource names for this system.

-Z,

--resource-set=<set1>[,<set2>...,<setN>]

Adds the system to the specified resource sets.

Examples:

[EXAMPLE: to enroll a system with all features enabled into the specified tenant using an enrollment code]
[root@mylinux ~]# cenroll --force --features=all --tenant=abc1234.my.centrify.net --code=PUTTHEENROLLMENTCODEHERE
Enrolling in https://abc1234.my.centrify.net/ ...
Centrify agent started.
Enabled features: AgentAuth, AAPM, DMC
Enrollment complete.

[EXAMPLE: To add a local computer to the Centrify Privileged Access Service using a specified user account]
[root@mylinux ~]# cenroll --tenant=abc1234.my.centrify.net  --user wily@acme --features aapm,agentauth --agentauth "Authorized Agent Login"


[EXAMPLE: To add the computer using a specific IP address and computer name]
[root@mylinux ~]# cenroll  -t abc1234.my.centrify.net  -u wily@acme -n rhel9.mydomain.com -a 123.45.67.890


[EXAMPLE: To add the computer and enable all features and use a web proxy]
[root@mylinux ~]# cenroll -F all -f -t abc1234.my.centrify.net -c PUTTHEENROLLMENTCODEHERE -l linuxadmins -p http://12.3.4.56:8080


[EXAMPLE: To add the computer and enable AAPM ]
[root@mylinux ~]# cenroll -F AAPM -f -t abc1234.my.centrify.net -c PUTTHEENROLLMENTCODEHERE -l linuxadmins


[EXAMPLE: To enroll a computer with username and password instead of an enrollment code]
[root@mylinux ~]# cenroll -F all -f -t abc1234.my.centrify.net -u pasadmin@example.com -l linuxadmins



[EXAMPLE: To allow the public network access for this computer and to perform periodic password rotation on the accounts associated with this
computer every 30 days, specify these policies on the command line]
[root@mylinux ~]# cenroll -O "AllowRemote:true" -O "AllowPasswordRotation:true" -O "PasswordRotateDuration:30"


[EXAMPLE: Alternatively, you could use a text editor to create a "policy.conf" file with settings:]
AllowRemote:true
AllowPasswordRotation:true
PasswordRotateDuration:30



[After defining the policies in the "policy.conf" file, run the cenroll command and refer to the policy.conf file:]
[root@mylinux ~]# cenroll --resource-policy-file /tmp/policy.conf


[EXAMPLE: enroll with Use My Account credentials]
cenroll -F agentauth -t <tenant> -c <code> -l <agentauth_role> -S CertAuthEnable:true -S AllowRemote:true -S Connectors:<name>

[NOTE: Using the cenroll command depends on the user in PAS being a member of a role with AgentAuth permission. Use My Account will be immediately accessible for Windows enrolled systems, and then accessible for Linux enrolled systems after MasterSSHKey download/configuration.]

 

cflush (Linux only)

You use the cflush command on Linux systems to update the local cache of users and groups that have been authenticated by Centrify PAS.

User and group information is stored in the local cache so that the client does not need to look up the information for the next 60 minutes (after it is stored). This command invalidates the information in the local cache so that the client requests the information from Centrify PAS whenever any client application asks for it.

Because most Linux applications need to look up user or group information, caching such information reduces the need to frequently request the same information from PAS. Caching this information improves performance.

Root or Administrator privilege required? Yes

Usage:

cflush [-eV]

cflush -v

cflush -h

 

Command option Description

-e

--expire

(Reserved for future use)

-V

--verbose

Displays detailed debug information for each operation.

-v, --version

Displays the client version information.

-h

--help

Displays the command help.

Examples:

[root@mylinux ~]# cflush
Flushed cagent cache

 

cgetaccount

Use the cgetaccount command to retrieve and use the stored password for a domain, database, or managed local account from Centrify PAS. (You can store accounts either from within the Admin Portal or by using the csetaccount command.) In order to use this command, the system must have the AAPM feature enabled.

Root or Administrator privilege required? Yes

Usage:

cgetaccount [-tTsvV] [-t, --lifetime minutes] [-T, --type type ] [-s, --silent] [-v, --version] [-V, --verbose] targetname / accountname

 

Command option Description

-t, --lifetime Minutes

Specifies the password checkout interval (duration), in minutes. The value that you specify must be less than or equal to the account checkout lifetime defined in the target policy. If you specify a value greater than the account checkout lifetime, an error is returned. If you do not specify a password checkout interval (that is, if you do not use this option), a default password checkout interval of one minute is used.

-T, --type Type

Specifies the type of the target to which the account belongs. Valid values are system, domain, or database.

-s, --silent

Retrieves the account password from Centrify PAS without asking for confirmation. The password is not printed to stdout.

This option is useful for scripts that need to set a local variable in order to store the returned password.

-v, --version

Displays version information about the installed software.

-V, --verbose

Displays information about each step in the password retrieval operation as it occurs. This option can be useful in diagnosing password retrieval problems.

-h, --help

Displays usage information for this command.

Examples:

[root@mylinux ~]# cgetaccount frodo
Password for account "frodo" will be checked out. The checkout will be logged and expire in 1 minute.
Do you want to continue and display the password? (y/n) [n]: y
Password for frodo: OneRingToRuleThemAll%#

 

cinfo

Use the cinfo command to display detailed and diagnostic information about the local system's configuration in Centrify PAS.

Root or Administrator privilege required? Yes if you're using the --clientchannel-health (-H) or --support (-t) option

Usage:

cinfo [-aADhNoPtTVv] [-C <url>] [-p <proxy URL>]

 

Command option Description

-a

--address

Displays the IP address or DNS name for an enrolled instance in the Centrify PAS.

-A

--agent-status

Displays the status of the Centrify Client. The possible values are as follows:

unknown: The cinfo command failed to check the client status or encountered an unknown error.

connected: The client is connected to the Centrify PAS and running well.

disconnected: The client is not connected to the Centrify PAS, most likely due to a network connectivity issue.

stopped: The client service has been stopped by a system management tool, such as systemctl.

starting: The client is in the process of starting and not yet ready for service.

disabled: The client has discovered that the related resource has been deleted in the backend, so the client cannot work anymore.

-B

--clientchannel-status

Confirms that the Centrify Client has a connection to Centrify PAS. For example, if the client is connected, the service allows password reconciliation to work. The possible status options are either online or offline.

 

-C

--connect=<url>

Verifies the availability of the Centrify PAS by connecting to the specified URL.

-D

--tenant-id

Displays the registered customer-specific identifier (tenant ID).

-H

--clientchannel-health

Performs a Centrify Client health check of the client channel, which is the connection between the Centrify Client and Centrify PAS.

This option requires Administrator or root privilege.

-h

--help

Displays the command help.

-N

--resource-name

Displays the resource name for a computer enrolled in the Centrify PAS.

-o

--owner

Displays the owner of a computer enrolled in the Centrify PAS.

-p

--http-proxy=<proxy url>

Specifies an HTTP proxy to use for the Centrify Client connection to Centrify PAS.

When you specify this option, the client redirects all communication through the proxy address. If the proxy is unavailable, the client status is listed as "disconnected" from the network.

 

-P

--platform-version

Displays the version of Centrify PAS.

-t

--support

Generates a support file with diagnostic information. The file location is:

/var/centrify/tmp/cinfo_support.tar.gz (Linux)

C:\ProgramData\Centrify\support\cinfo_support.<timestamp>.zip (Windows)

This option requires Administrator or root privilege.

-T

--tenant

Displays the customer-specific URL for a computer enrolled in Centrify PAS.

-V

--verbose

Displays debug information for each operation.

-v

--version

Displays version information about the installed software.

Examples:

[root@mylinux ~]# cinfo
Enrolled in:       https://abc1234.my.centrify.net/
Enrolled as:
    Service account:  mylinux$@acme.net
    Resource name:    mylinux
    IP/DNS name:      10.10.10.1
    Owner:            sysadmin (Type: Role)
Customer ID:        ABC1234
Enabled features:   AgentAuth, AAPM, DMC
Client Channel status: Online
Client status:      connected
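
A monitoring check built on the output fields and status values described above, as an added example (not Centrify's own code): it parses cinfo output and maps the Client status and Client Channel status fields to OK, WARNING or CRITICAL. The severity mapping and the names cinfo_field and cinfo_health are assumptions of this example; the sample text is constructed from the cinfo example above.

```shell
#!/bin/sh
# Added example, not Centrify code. Field labels and status values come from
# the cinfo example and the --agent-status / --clientchannel-status
# descriptions on this page; the severity mapping is this example's choice.

# cinfo_field <label>: print the value of the "<label>: value" line on stdin.
cinfo_field() {
    awk -v label="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, label ":") == 1) {
                val = substr(line, length(label) + 2)
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
                print val
                exit
            }
        }'
}

# cinfo_health <cinfo output>: print "<SEVERITY> <reason>" and return
# 0 = OK, 1 = WARNING, 2 = CRITICAL.
cinfo_health() {
    ch_client=$(printf '%s\n' "$1" | cinfo_field "Client status")
    ch_channel=$(printf '%s\n' "$1" | cinfo_field "Client Channel status")

    case "$ch_client" in
        connected) ;;
        starting)
            echo "WARNING client is starting and not yet ready for service"
            return 1 ;;
        disconnected)
            echo "CRITICAL client is not connected to Centrify PAS (check network and proxy)"
            return 2 ;;
        stopped)
            echo "CRITICAL client service has been stopped on this host"
            return 2 ;;
        disabled)
            echo "CRITICAL resource was deleted in Centrify PAS; client is disabled"
            return 2 ;;
        unknown|"")
            echo "CRITICAL client status could not be determined"
            return 2 ;;
        *)
            echo "CRITICAL unrecognised client status: $ch_client"
            return 2 ;;
    esac

    # The client is connected; now check the client channel separately.
    case "$ch_channel" in
        [Oo]nline)
            echo "OK client connected, client channel online"
            return 0 ;;
        *)
            echo "WARNING client connected but client channel is '${ch_channel:-missing}'"
            return 1 ;;
    esac
}

# Constructed sample, modelled on the cinfo example above.
SAMPLE_OK='Enrolled in:       https://abc1234.my.centrify.net/
Enrolled as:
    Service account:  mylinux$@acme.net
    Resource name:    mylinux
    IP/DNS name:      10.10.10.1
    Owner:            sysadmin (Type: Role)
Customer ID:        ABC1234
Enabled features:   AgentAuth, AAPM, DMC
Client Channel status: Online
Client status:      connected'

# Stand-alone use: check the live client if cinfo is installed, else the sample.
if command -v cinfo >/dev/null 2>&1; then
    cinfo_health "$(cinfo 2>&1)"
else
    cinfo_health "$SAMPLE_OK"
fi
```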

 

creload

Use the creload command to force the client to reload configuration properties after you've changed them using cedit.

Root or Administrator privilege required? Yes

Usage:

creload [-hVv]

 

Command option Description

-h, --help

Displays the command help.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays version information.

Examples:

[root@mylinux ~]# creload 

 

crotatepasswd

Use the crotatepasswd command to rotate the password for the specified account, such as for an account for a domain, database, or a system. If you're rotating the password for a vaulted local account, the password is updated both locally and in the Admin Portal. If the password is currently checked out, you must use the --force option to force the password rotation. In order to use this command, the system must have the AAPM feature enabled.

Root or Administrator privilege required? Yes

Usage:

crotatepasswd [-fhVv] [-T value] [<target>/]<account>

 

Command option Description

-f, --force

Ignores any password checkouts and forces a password rotation.

-h, --help

Displays the command help.

-T, --type=value

Specifies the type of the target to which the account belongs. Valid values are: system, domain, or database.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays version information.

Examples:

[root@mylinux ~]# crotatepasswd frodo
Rotating password for frodo...
Failed to rotate password for frodo: Failed to rotate password from Centrify identity platform: The password for this account is currently checked out
[root@mylinux ~]#
[root@mylinux ~]# crotatepasswd --force frodo
Rotating password for frodo...
Rotated Password for frodo

 

csetaccount

Use the csetaccount command to create or update a vaulted privilege account in Centrify PAS for the specified local account. In order to use this command, the system must have the AAPM feature enabled.

Root or Administrator privilege required? Yes

Usage:

csetaccount [-hPVv] [-a <name>|user:<name>|role:<name>] [-d <description>] [-m <true|false>] [--password <password>] [-p [user:|role:|group:]<name>:<right>[,<right2>,...,<rightN>]] [--stdin] [-w <enable|disable|default>] [-x <true|false>] <account>

 

Command option Description

--nopassword

Specifies to not require password input. Use this option to update the account settings without updating the stored password.

--password=<password>

Sets the account password.

If you don't specify this parameter, then you're prompted for the password.

-p, --permission=[user:|role:|group:]<name>:<right>[,<right2>,...,<rightN>]

Sets account permissions.

--stdin

Reads the user password from stdin instead of an interactive prompt.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays version information.

-w, --workflow=<enable|disable|default>

Specifies whether account workflow is enabled or not.

-x, --useproxy=<true|false>

Specifies whether the account uses a proxy account.

Examples:

[root@mylinux ~]# csetaccount -m true frodo
Password for frodo:
Account frodo has been successfully vaulted
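
The --stdin option keeps the password out of the command line, whereas --password=<password> leaves it in the process arguments and shell history. The wrapper below is an added example, not part of the Centrify documentation; the name vault_account, the password-file convention and the 600/400 mode check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Centrify code. Assumes `csetaccount --stdin <account>`
# reads the password from standard input, per the --stdin description above.
#
# Weak:    csetaccount --password='...' frodo   (secret is part of argv)
# Better:  the secret travels over a pipe and never appears in any argv.

# vault_account <account> <password-file>   (hypothetical helper name)
vault_account() {
    va_acct=$1
    va_file=$2

    if [ -z "$va_acct" ] || [ ! -f "$va_file" ]; then
        echo "usage: vault_account <account> <password-file>" >&2
        return 64
    fi

    # A secret that group or others can read at rest defeats the purpose.
    # GNU stat first, BSD stat as a fallback.
    va_mode=$(stat -c '%a' "$va_file" 2>/dev/null) \
        || va_mode=$(stat -f '%Lp' "$va_file") \
        || return 1
    case "$va_mode" in
        600|400) ;;
        *)
            echo "refusing $va_file: mode $va_mode, expected 600 or 400" >&2
            return 77 ;;
    esac

    # Do not vault a blank password.
    if [ ! -s "$va_file" ]; then
        echo "refusing $va_file: file is empty" >&2
        return 65
    fi

    # Only the first line is sent. head's argv holds the file name, not the
    # secret, and the exit status is that of csetaccount.
    head -n 1 "$va_file" | csetaccount --stdin "$va_acct"
}

# Stand-alone use:  sh vault_account.sh <account> <password-file>
if [ "$#" -eq 2 ]; then
    vault_account "$1" "$2"
fi
```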

 

cunenroll

Use the cunenroll command to un-enroll a vaulted system from Centrify PAS. Un-enrolling a system means the following:

  • Remove the system from Centrify PAS in such a way that any client-based features no longer work on the system (unless you re-enroll the system).

  • Unless you specify otherwise, un-enrolling does not completely remove the system from Centrify PAS. Vault functions such as remote access to the system still work. The system displays in Centrify PAS with an unenrolled status.

  • The Centrify Client software remains installed on the system. This way, you can re-enroll the system without having to reinstall anything.

If you specify the -d option, you remove the system and any client-generated accounts completely from Centrify PAS.

Root or Administrator privilege required? Yes

Usage:

cunenroll [-CdfhmRtVv] [-u value]

 

Command option Description

-C, --noconf

(Linux only)

Specifies to not update the local configuration upon unenrolling from the Centrify PAS.

Note:   Please contact Centrify Support before you use this parameter.

-d, --delete

Deletes this computer account from the Centrify PAS, including all resource information and all associated accounts.

-f, --force

Forces an unenroll operation locally without connecting to the Centrify PAS.

-h, --help

Displays the command help.

-m, --machine

Use the machine credentials to unenroll from Centrify PAS.

-R, --restore

(Linux only)

Restores the configuration without unenrolling from Centrify PAS. The --restore option restores the PAM/NSS modules configuration so that the Centrify modules are no longer loaded and the PAM/NSS state is back to what it was before enrollment.

Note:   Please contact Centrify Support before you use this parameter.

-t, --terminate-user-sessions

Use this option together with the 'delete' option. If there are any current sessions where a user initiated the connection from within Centrify PAS, use this option to terminate all of those sessions. Sessions that were initiated from the command line are not terminated.

-u, --user=value

Specifies the administrative user used to unenroll from the Centrify PAS.

-V, --verbose

Displays debug information for each operation.

-v, --version

Displays version information.

Examples:

(This example uses the system's service account in Centrify PAS and deletes the system in Centrify PAS.)
[root@mylinux ~]# cunenroll --delete --machine
Successfully Unenrolled.