Enabling and configuring local account management

The local account management features described earlier in this guide require that local account management be enabled and configured.

Several configuration parameters and group policies let you control whether local account management is enabled in your environment, and how local account management is configured after it is enabled.

Local account management is disabled by default unless you are upgrading from a release in which local account management was enabled.

Follow these guidelines to determine whether you need to enable local account management:

  • If you perform a fresh installation of Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service, the Enable Local Account Management Feature group policy is set to Disabled, and the adclient.local.account.manage configuration parameter on each local (agent-managed) computer is set to false. To use the local account management features described in this guide, you must manually enable local account management by setting the Enable Local Account Management Feature group policy to Enabled, or by setting the adclient.local.account.manage configuration parameter to true.

    See the following sections, “Group Policies” and “Configuration Parameters,” for more information.

  • If you are upgrading from a previous release, the existing setting is carried forward: check the Enable Local Account Management Feature group policy to confirm whether local account management is enabled or disabled, and change it if needed.

The following information is a summary of how various parameters and group policies affect local account management enablement and configuration. For more details about these parameters and group policies, see the Configuration and Tuning Reference Guide and the Group Policy Guide.

Group Policies

  • Enable Local Account Management Feature: Use this group policy to control whether local accounts are managed by the UNIX agent and Access Manager. This group policy is disabled by default, unless you are upgrading from a previous release in which local account management was enabled.

    This group policy is located in Computer Configuration > Centrify Settings > DirectControl Settings > Local Account Management.

    This group policy controls the adclient.local.account.manage configuration parameter.

  • Notification Command Line: Use this group policy to define a command to process changes to local account profiles after the agent synchronizes local user and group profiles with profiles defined in Access Manager.

    This group policy is located in Computer Configuration > Centrify Settings > DirectControl Settings > Local Account Management.

    This group policy controls the adclient.local.account.notification.cli configuration parameter.

  • Set refresh interval for access control cache: Use this group policy to specify how often /etc/group and /etc/passwd are updated on UNIX and Linux computers, based on the local group and local user settings that you configure in Access Manager. This group policy also controls how often the authorization store cache is updated.

    This group policy is located in Computer Configuration > Centrify Settings > DirectControl Settings > Network and Cache Settings.

    This group policy controls the adclient.refresh.interval.dz configuration parameter.

Configuration Parameters

The following configuration parameters are located in the /etc/centrifydc/centrifydc.conf configuration file.

  • adclient.local.account.manage: Use this parameter to control whether local account management is enabled on an individual computer. This parameter has a value of false by default, unless you are upgrading from a previous release in which local account management was enabled.
  • adclient.local.account.notification.cli: Use this parameter to define a command to process changes to local account profiles after the agent synchronizes local user and group profiles with profiles defined in Access Manager.
  • adclient.local.account.notification.cli.arg.length.max: Use this parameter to specify the maximum argument length for the command that you define in the adclient.local.account.notification.cli parameter.
  • adclient.refresh.interval.dz: Use this parameter to specify how often /etc/group and /etc/passwd are updated on an individual computer based on the local group and local user settings that you configure in Access Manager. This parameter also controls how often the authorization store cache is updated.
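Because the group policy only sets the value of adclient.local.account.manage on each agent-managed computer, the authoritative check on a given host is the parameter in /etc/centrifydc/centrifydc.conf itself. The script below is an added example, not part of the Centrify documentation or product: it reads the parameters listed in the Group Policies and Configuration Parameters sections above, reports whether local account management is enabled, disabled, or left at its documented default (absent, which means false), and checks that a configured notification command is not modifiable by unprivileged users, since the agent runs it after every synchronization. The "name: value" line layout of centrifydc.conf is an assumption of this example, and the sample configuration files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centrify's own code): inspect local account management
# settings in a centrifydc.conf file. Parameter names and the documented
# default (absent => false) come from the page; the "name: value" layout is
# an assumption, and the sample files written below are constructed.

CONF_DEFAULT=/etc/centrifydc/centrifydc.conf

# Print the value of parameter $2 from conf file $1. Commented-out lines are
# ignored; if the parameter appears more than once, the last occurrence wins.
# Prints nothing when the parameter is not set at all.
get_param() {
    conf=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$conf" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print "enabled", "disabled", "default" (parameter absent, so the documented
# default of false applies) or "invalid" for any other value.
lam_state() {
    case "$(get_param "$1" adclient.local.account.manage)" in
        true)  echo enabled ;;
        false) echo disabled ;;
        "")    echo default ;;
        *)     echo invalid ;;
    esac
}

# The notification command runs on the agent host after each profile sync,
# so a command that non-root users can modify would let them run code in the
# agent's context. Print "unset", "missing", "writable", "not-root" or "ok".
check_notification_cli() {
    cmd=$(get_param "$1" adclient.local.account.notification.cli)
    if [ -z "$cmd" ]; then echo unset; return 0; fi
    prog=${cmd%% *}                       # first word is the executable
    if [ ! -f "$prog" ]; then echo missing; return 0; fi
    # -perm -002 / -020: writable by others / by group
    if [ -n "$(find "$prog" \( -perm -002 -o -perm -020 \))" ]; then
        echo writable; return 0
    fi
    if [ -z "$(find "$prog" -user root)" ]; then echo not-root; return 0; fi
    echo ok
}

# Stand-alone demonstration on constructed sample files (not real host data).
tmp=$(mktemp -d)
cat > "$tmp/fresh.conf" <<'EOF'
# Fresh install: the parameter is absent, so the default (false) applies.
adclient.local.account.notification.cli.arg.length.max: 4096
EOF
cat > "$tmp/enabled.conf" <<'EOF'
# adclient.local.account.manage: false   <- commented out, ignored
adclient.local.account.manage: true
adclient.local.account.notification.cli: /usr/local/sbin/lam-notify.sh --verbose
EOF
echo "fresh.conf:   $(lam_state "$tmp/fresh.conf")"        # default
echo "enabled.conf: $(lam_state "$tmp/enabled.conf")"      # enabled
echo "notification command: $(check_notification_cli "$tmp/enabled.conf")"
rm -r "$tmp"

# On a real host: lam_state "$CONF_DEFAULT"; check_notification_cli "$CONF_DEFAULT"
```

The path /usr/local/sbin/lam-notify.sh in the sample is a placeholder and does not exist, so the demonstration reports the notification command as missing; on a managed host, run the two functions against CONF_DEFAULT and expect "enabled" together with "ok" (or "unset" when no notification command is configured).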