Perform administrative tasks using commands

Most administrative tasks can be performed using Access Manager on a Windows computer or by using ADEdit commands or scripts from a Centrify-managed computer that has access to the Active Directory domain controller. In some cases, however, there are operations that you must or prefer to perform locally on a managed computer by executing command‑line programs.

The command-line programs let you perform administrative tasks, such as joining or leaving a domain or generating diagnostic information, directly from a UNIX shell. Many of them require administrative privileges or must run as root to perform privileged operations. You can define command rights for these programs to grant other users permission to run them. Grant such rights deliberately: commands such as adjoin, adleave and adkeytab change the computer's domain membership or Kerberos keys, so a right to run them amounts to control of the host's identity.

The following table provides a summary of the command-line programs for access control and privilege management that are installed with the Centrify UNIX agent. For complete information about the options you can specify for any command, see the man page for that command.
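The sequence the intro describes (check readiness, join, verify, pull policy) as a small bash script. This is an added example, not code from Centrify or the agent; it assumes the agent is installed, the caller is root, and the option letters shown (`adcheck DOMAIN`, `adjoin -z/-c/-u`, `adinfo -d/-z`) match your agent's man pages, which you should confirm with `man adjoin` and `man adinfo` before use.

```bash
#!/bin/bash
# Added example: a guarded domain join built from the commands in the table.
# Not Centrify's code. Assumes a Centrify agent is installed and the caller is
# root. The option letters used below are my reading of the man pages.
set -euo pipefail

# Gate the join on the preflight checks. adcheck exits non-zero when any
# OS, network or Active Directory check fails, so its status is the decision.
ad_preflight() {
    local domain="$1"
    adcheck "$domain"
}

# Join the named zone under the given computer container. The join account's
# password is deliberately NOT passed with -p: adjoin prompts for it, so it
# never lands in the process list, shell history or a script on disk.
ad_join() {
    local domain="$1" zone="$2" container="$3" joiner="$4"
    adjoin -z "$zone" -c "$container" -u "$joiner" "$domain"
}

# Confirm the agent now reports the domain we asked for (compared
# case-insensitively, since adinfo prints it in lower case). Returns 1 with a
# message on stderr if adinfo disagrees, so a half-finished join cannot be
# mistaken for success by whatever calls this.
ad_verify_join() {
    local expected domain zone
    expected="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    domain="$(adinfo -d | tr 'A-Z' 'a-z')"
    zone="$(adinfo -z)"
    if [ "$domain" != "$expected" ]; then
        echo "join verification failed: adinfo reports domain '$domain'" >&2
        return 1
    fi
    echo "joined to $domain in zone $zone"
}

# Full sequence: preflight, join, verify, then pull group policy so the
# host is under policy control before anyone logs in.
ad_join_workflow() {
    local domain="$1" zone="$2" container="$3" joiner="$4"
    ad_preflight "$domain"
    ad_join "$domain" "$zone" "$container" "$joiner"
    ad_verify_join "$domain"
    adgpupdate
}

# Usage (as root), with a hypothetical zone, container and join account:
#   ad_join_workflow example.com Global "OU=UNIX Servers,DC=example,DC=com" joinadmin
```

Because adinfo prints the zone as a full distinguished name rather than the short name passed to adjoin, the verification compares only the domain and prints the zone for the operator to eyeball.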

This command Enables you to do this

adcache

Clear the local cache on a computer. You can use this command to clear all cached information or a specific cache file. You can also use the command to check a cache file for a specific key value and to reclaim disk space.

adcheck

Check the operating system, network, and Active Directory connections to verify that a computer is ready to join an Active Directory domain.

adchzone

Move a joined computer from a classic zone to a hierarchical zone. Before moving a computer with this command, you must use admigrate to migrate the classic zone to a hierarchical zone.

adclient

Start, stop, or manage operations for the Centrify agent process on a local computer. In most cases, you should start and stop adclient using a startup script.

addebug

Start or stop detailed logging activity for the Centrify agent (adclient) process on a local computer. If you do not specify an option, the addebug command displays its current status, indicating whether logging is active or disabled. You must be logged in as root to run this command.

addbloader

Create a database file with zone information. You can then use the adreport command to generate reports from this file, or read it with standard tools.

addns

Update DNS records on an Active Directory-based DNS server in environments where the DHCP server cannot update DNS records automatically.

adfinddomain

Display the domain controller associated with the Active Directory domain you specify.

adfips

Enable or disable FIPS-compliant encryption. You must be logged in as root to run this command.

adfixid

Resolve UID and GID conflicts and change the ownership of a local user’s files to match the user and group IDs defined for the user in Active Directory.

adflush

Clear the cache on a local computer. Executing adflush with no options expires the domain controller and global catalog caches.

adgpupdate

Retrieve group policies from the Active Directory domain controller and apply the policy settings to the local computer and current user immediately.

adid

Display the real and effective UIDs and GIDs for the current user or a specified user.

adinfo

Display detailed Active Directory, network, and diagnostic information for a local computer. Options control the type of information and level of detail displayed.

adjoin

Add the local host computer to the specified Active Directory domain. You must log in as root to run the adjoin command.

adkeytab

Create and manage Kerberos key tables (*.keytab files) and coordinate changes with the Kerberos key distribution center (KDC) provided by Active Directory. The arguments required and options available depend on the operation you want to perform.

adleave

Remove the local host computer from its current Active Directory domain. You must log in as root to run the adleave command.

adlicense

Enable or disable licensed features on a local computer. You must log in as root to run the adlicense command.

admanagelocal

Display currently managed local accounts, status of local account management, and force a foreground sync of local accounts.

admigrate

Migrate information from a classic zone to a hierarchical zone. You can migrate a classic zone to a new peer hierarchical zone, or you can specify a parent zone for the migration.

adobfuscate

Obscure sensitive information, such as email addresses, host names, and user names, that might be recorded in a log file before sending the file to Centrify for analysis. You must create a pattern file to use with this command. The command reads the pattern file and replaces items matching the patterns specified with generic values.

adpasswd

Change the password of the user executing the command or change the password of another Active Directory user.

adquery

Query Active Directory for information about users and groups from the command line on a Centrify-managed computer.

This command is provided for backward compatibility. In most cases, you should use adedit commands or scripts to perform administrative tasks in Active Directory from Linux or UNIX computers.

adreload

Force the Centrify agent process (adclient) to reload the configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory.

adreport

Generate user, computer, command, and role assignment reports for a zone. You must run the addbloader command to create a database containing information about a zone before you can run this command to generate a report.

adrmlocal

Report and remove local user names that duplicate Active Directory user names.

adsendaudittrailevent

Specify where to send audit trail events. You can choose to send audit trail events to the syslog facility, the Centrify auditing service, or both.

adsetgroups

View or change the list of groups available for the current user.

adsmb

Perform file operations, such as get a file, write a file, or display the contents of a directory using the Centrify smb stack.

adupdate

Update user and group account information from the command line on a Centrify-managed computer.

This command is provided for backward compatibility. In most cases, you should use adedit commands or scripts to perform administrative tasks in Active Directory from Linux or UNIX computers.

dzdo

Execute a privileged command as root or another specified user. You must be assigned a role that grants privileged command rights to use this command.

dzedit

Edit a file as root or another user.

dzinfo

Display detailed information about the configuration of rights and roles for one or more specified users on the local computer. If you do not specify a user, the command returns information for the currently logged on user.

dzsh

Run commands in a restricted environment shell. This shell is a customized Bourne shell that provides environment variables, job control, command history, and access to specific commands defined by roles.

ldapadd

Open a connection to the Active Directory domain controller or another LDAP server to add new entries.

ldapcompare

Open a connection to the specified Active Directory domain controller or another LDAP server to compare LDAP entries. You can use this command to determine whether a specified entry has a particular attribute-value combination. The only information returned is whether the comparison evaluated to true or false. No other information about the entry is provided.

ldapdelete

Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to delete the specified entry or entries.

ldapmodify

Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to modify the specified entry or entries.

ldapmodrdn

Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to move or rename the specified entry or entries.

ldapsearch

Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to locate and retrieve the specified entry or entries.

nisflush

Clear the Centrify Network Information Service cache on a local computer, or restart the service without flushing the cache. You must be logged in as the root user to run this command.
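The adfixid and adrmlocal entries above both act on local accounts that collide with Active Directory accounts. The bash function below is an added example, not Centrify's code, that previews those collisions read-only by comparing a passwd file against `adquery user` (which, as I read the man page, prints a passwd-format line for a zone user and exits non-zero for a name not in the zone; confirm on your agent). It assumes a joined host with adclient running; the passwd file path and minimum UID are parameters so it can be run against a copy of /etc/passwd from another host.

```bash
#!/bin/bash
# Added example: dry-run audit of local accounts against Active Directory,
# reporting what adrmlocal (duplicate names) and adfixid (UID mismatches)
# would act on. Not Centrify's code. Assumes `adquery user NAME` prints a
# passwd-format line for a zone user and fails for an unknown name.
set -euo pipefail

# Print one line per local account whose name also exists in the zone:
#   DUPLICATE    name local_uid ad_uid  (same UID: adrmlocal candidate)
#   UID_MISMATCH name local_uid ad_uid  (different UID: adfixid candidate,
#                                        files owned by local_uid need chown)
# $1 = passwd file to read, $2 = lowest UID to consider (defaults to 1000;
# system accounts below it are skipped). Returns 0 if clean, 1 if anything
# was reported, so it can gate a later adrmlocal/adfixid run.
audit_local_accounts() {
    local passwd_file="$1" min_uid="${2:-1000}"
    local name uid ad_line ad_uid found=0
    while IFS=: read -r name _ uid _; do
        [ "$uid" -ge "$min_uid" ] || continue
        # A name that adquery cannot resolve is the clean case: no collision.
        if ! ad_line="$(adquery user "$name" 2>/dev/null)"; then
            continue
        fi
        ad_uid="$(printf '%s\n' "$ad_line" | cut -d: -f3)"
        if [ "$ad_uid" = "$uid" ]; then
            printf 'DUPLICATE %s %s %s\n' "$name" "$uid" "$ad_uid"
        else
            printf 'UID_MISMATCH %s %s %s\n' "$name" "$uid" "$ad_uid"
        fi
        found=1
    done < "$passwd_file"
    return "$found"
}

# Usage on a joined host, e.g.:
#   audit_local_accounts /etc/passwd 1000 || echo "collisions found; review before adrmlocal/adfixid"
```

Run it before adrmlocal or adfixid so the ownership changes those commands make are expected rather than discovered afterwards; a UID_MISMATCH line is the case where adfixid would re-own the user's files to the Active Directory UID.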