Creating user profiles for Active Directory users

You can create a user profile for any domain user you have defined in the Active Directory forest by adding the user to a zone, or by adding the user to a specific computer in a zone. Associating a user profile with an Active Directory user determines how the Active Directory user is identified on Linux and UNIX computers.

Note: You can automate the provisioning of user profiles through the use of Active Directory groups. For information about configuring your environment for automated provisioning, see the Planning and Deployment Guide.

What to do before creating a new Active Directory user profile

Before you can create Active Directory user profiles, you must have created one or more Active Directory users, installed Access Manager, and run the Setup Wizard. You should also identify the computers where Active Directory users might require different profile attributes. For example, you might have some Active Directory users that require the default home directory attribute to be set to /home for access to most computers, but require the attribute to be set to /Users when they log on to Mac OS X computers.

In most organizations, Active Directory users have one “dominant” profile with consistent attributes across multiple computers, but require “override” settings to some profile attributes on specific computers or groups of computers. Therefore, most user profiles are only added to parent zones and inherited in child zones.

Rights required for this task

You must have permission to add users to a zone. Zone administrators can grant this permission through the Zone Delegation Wizard. If the Active Directory administrator manually sets the permissions, your user account must be a domain user with the following permissions to create user profiles in a zone:

For each of the following target objects, apply these permissions:

Parent container object for the user profile

On the Object tab, select Allow to apply the following permission to this object only:

  • Create serviceConnectionPoint Objects

This permission is required for both standard zones and RFC 2307‑compliant zones.

For standard zones, you need to apply additional permissions. Click the Properties tab and select serviceConnectionPoint objects from the object list, then select Allow to apply the following properties to this object:

  • Read Name
  • Read name
  • Read displayName

User account object in Active Directory

For example:

domain/Users/user_name

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read objectCategory
  • Read objectClass
  • Read objectGUID
  • Read objectSid
  • Read userAccountControl

Parent container object for the individual zone

For example, if you are adding a user to the Finance zone:

domain/UNIX/Zones/Finance

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read objectGUID
  • Write Description

Who should perform this task

Depending on your organization’s policies, a Windows domain administrator performs this task. In most organizations, this task is delegated to a specific user or group with administrative authority in the selected zone.

How often you should perform this task

In most cases, you create and remove user profiles frequently to address changes to your user population.

Steps for completing this task

The following instructions illustrate one way to create a new user profile using Access Manager. You can also add a user profile and assign a role to an Active Directory user with the Add User wizard. Examples of scripts that use ADEdit, Windows PowerShell, or the Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To create a user profile for an Active Directory user using Access Manager:

  1. Open Access Manager.
  2. Expand Zones and any parent or child zones required to select the zone name to which you want to add the Active Directory user.

    In most cases, you should add user profiles to a parent zone.

  3. Expand UNIX Data and select Users, right-click, then click Add User to Zone.
  4. Type a search string to locate the user account, then click Find Now.

    For example, type “qa” to display the qa-lab, qa-hk and qaVenice1x users.

  5. Select one or more users in the results, then click OK.
  6. Review the default zone profile settings for the user and make any changes if needed, then click OK.

    You can deselect an attribute to change the default value or to create a partial user profile in the current zone. You can then complete the profile by providing a value for that attribute in a child zone of the current zone. For example, if you use the same login name but different numeric identifiers on two sets of computers, you can inherit the login name from a parent zone and set the different numeric identifiers in the child zones.

    In the AIX Extended Attributes tab, you can view and set AIX attributes for the user's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the user's zone profile.

    If you selected more than one user, review the profile settings for each user and modify the default settings, if necessary, then click OK.

Changing the default profile attributes

When you add Active Directory users to a zone, Access Manager displays a default new user profile. You can accept or change the default values for any of the profile attributes, as needed. The default attribute values are automatically generated based on a few simple rules and, in most cases, you can accept them as-is. The following table describes how the default values are populated.

Each attribute and its default value:

Login name: The Active Directory user logon name associated with the Active Directory account.

UID: A unique number automatically generated by an algorithm based on the security identifier (SID) for the Active Directory user.

Primary group: A unique numeric identifier that represents a private primary group and is the same as the user’s default UID. Private groups are not stored or managed in Active Directory.

GECOS: A runtime variable that resolves to the Active Directory displayName attribute associated with the Active Directory account.

Home directory: A runtime variable that specifies the default home directory when resolved locally on a computer.

Shell: A runtime variable that specifies the default login shell when resolved locally on a computer.

To set the user’s shell to the default shell defined for this computer in this zone.

Defining partial UNIX profiles

Access Manager allows you to create a partial profile by leaving any of the attributes blank. Partial profiles can be useful for defining a common set of attributes that are used in multiple zones, then defining specific attributes that vary from one child zone to another or that require different settings on specific computers. For example, you could leave the Shell attribute blank in a parent zone, define it as /bin/bash in a child zone, but override it with /usr/bin/ksh in a grandchild zone that only contains AIX computers. You could also leave the Home directory attribute blank in a parent zone, then set it to /home in one child zone and to /Users on an individual Mac OS X computer that joins the child zone.

If you intend to leave an attribute blank, deselect the attribute check box. However, you must provide a value for at least one attribute to add the user profile. Users must have a complete profile in a zone for any role assignments to be effective. Keep in mind, however, that users can have an incomplete profile in a parent zone as long as any missing attributes are defined in a child zone to allow role assignments in the child zone.
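The inheritance rules above (and the login-name-in-parent, UID-in-child scenario in step 6) can be modelled as a small resolver. This is an added illustration, not Access Manager code: the attribute names, the dict-per-zone representation and the sample values are constructed for the example.

```python
# Profile attributes a zone profile must resolve before role assignments take effect.
PROFILE_ATTRIBUTES = ("login_name", "uid", "primary_group", "gecos", "home_directory", "shell")


def resolve_profile(zone_chain):
    """Resolve the effective profile for the last level in zone_chain.

    zone_chain lists partial profiles from the parent zone down to the zone or
    computer being resolved. Each level is a dict holding only the attributes
    that were set (checked) at that level; later levels override earlier ones.
    """
    effective = {}
    for level in zone_chain:
        for attr, value in level.items():
            if attr not in PROFILE_ATTRIBUTES:
                raise ValueError(f"unknown profile attribute: {attr}")
            effective[attr] = value
    return effective


def missing_attributes(profile):
    """Attributes still blank in a resolved profile, in canonical order."""
    return [attr for attr in PROFILE_ATTRIBUTES if attr not in profile]


def role_assignments_effective(zone_chain):
    """Role assignments in a zone are effective only when the profile is complete there."""
    return not missing_attributes(resolve_profile(zone_chain))


# Constructed sample hierarchy following the page's scenario (not product data):
# parent sets the common attributes, child sets shell and home, a grandchild that
# only contains AIX computers overrides shell, and a Mac overrides home directory.
PARENT = {"login_name": "qa-lab", "uid": 10001, "primary_group": 10001, "gecos": "QA Lab"}
CHILD = {"shell": "/bin/bash", "home_directory": "/home"}
AIX_GRANDCHILD = {"shell": "/usr/bin/ksh"}
MAC_COMPUTER = {"home_directory": "/Users"}
# Same login name, different UID on another set of computers (step 6 scenario).
CHILD_OTHER_UID = {"uid": 20001, "primary_group": 20001, "shell": "/bin/sh", "home_directory": "/home"}

if __name__ == "__main__":
    print(resolve_profile([PARENT, CHILD, AIX_GRANDCHILD]))
    print("parent alone complete:", role_assignments_effective([PARENT]))
```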

Defining valid login names

User profile login names can consist of letters, numbers, hyphens, underscores, periods and dashes. Some operating environments may have additional restrictions. For example, some operating environments do not support user names that are longer than 8 characters or require that the first character of the user name be alphabetic. Because UNIX user names typically use only lowercase characters, the default user profile name displayed follows this convention. If you modify the default profile name and include uppercase characters, keep in mind that the proper case must be used when entering the user name. For compatibility with Samba, the dollar sign ($) can also be used at the end of the user name. In general, other special characters, such as ! and &, are not supported.

If the Windows logon name includes unsupported special characters, Access Manager replaces them with underscores for the UNIX login name. For example, Access Manager converts a Windows logon name with special characters, such as qa:user2, into a valid UNIX login name, qa_user2.
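The conversion and the portability restrictions described in this section, written out as an added example (not Access Manager's own code). It assumes the character set the page lists (letters, numbers, hyphens, underscores, periods, a trailing "$" for Samba) and lowercases the default name as the page says the displayed default does; whether the product keeps a trailing "$" during conversion is this model's assumption.

```python
import re

# Characters the page lists as valid anywhere in a UNIX login name.
VALID_CHAR = re.compile(r"[A-Za-z0-9._-]")


def unix_login_name(windows_logon_name: str, lowercase: bool = True) -> str:
    """Derive the default UNIX login name from a Windows logon name.

    Unsupported characters are replaced with underscores (qa:user2 -> qa_user2).
    A trailing "$" is kept because Samba machine-style names end in "$" (assumption).
    """
    name = windows_logon_name
    trailing_dollar = name.endswith("$")
    if trailing_dollar:
        name = name[:-1]
    converted = "".join(c if VALID_CHAR.match(c) else "_" for c in name)
    if trailing_dollar:
        converted += "$"
    return converted.lower() if lowercase else converted


def login_name_warnings(name: str) -> list[str]:
    """Portability warnings for a login name.

    These are the restrictions the page says some operating environments apply;
    which ones matter depends on the platforms in the zone.
    """
    warnings = []
    if len(name) > 8:
        warnings.append("longer than 8 characters")
    if not name[:1].isalpha():
        warnings.append("first character is not alphabetic")
    if name != name.lower():
        warnings.append("contains uppercase characters; case must match at logon")
    return warnings


if __name__ == "__main__":
    for logon in ("qa:user2", "QA Lab!", "qaVenice1x", "host01$"):
        unix_name = unix_login_name(logon)
        print(f"{logon!r} -> {unix_name!r} {login_name_warnings(unix_name)}")
```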

Identifying a primary group

In most UNIX environments, a user’s primary group identifier (GID) is a “private” group that exists solely for that user. The user is not included as a “member” of the private primary group. You can follow this convention by using a UNIX-only “private” group that is not linked to an Active Directory group, which is the default when you create a new user profile.

If you keep the default private primary group, the primary group identifier (GID) setting in the user profile does not affect the user’s actual Active Directory group membership in any way, and there’s no need to manage primary groups for UNIX users through Active Directory.

In some cases, however, you might want to assign an Active Directory group that has a corresponding group profile as a user’s primary group. If you specify an Active Directory group as a user’s primary group, keep in mind that you must manage the membership of that group using Active Directory Users and Computers and that if you identify a group with a large number of members—such as Domain Users—it is likely to affect performance.

For more information about defining primary groups for users, see the Planning and Deployment Guide.