Using Active Directory attributes as variables

You can also use Active Directory user attributes as variables by specifying the attribute name (as it appears in the Active Directory schema, for example telephoneNumber) in the following format:

%{u:attributeName}

For example, if you want to populate the GECOS field of a user’s zone profile with the information from the user’s department attribute, you could specify the variable as follows:

%{u:department}

By default, only a subset of common user object attributes can be retrieved and resolved by the adclient process. The default set of attributes you can use in a user profile is:

  • mail
  • department
  • description
  • mobile
  • title
  • telephoneNumber

The most common format for the GECOS field in a user profile contains the user's full name, building number, and office phone number separated by commas. Depending on the operating system and desktop manager you are using, the information from the GECOS field might also be used to display the user name when logging on. If you specify an attribute for the GECOS field whose value includes a comma, everything before the first comma might be treated as the user's full name and displayed on the login screen. For example, if you are using the department attribute in the GECOS field and the attribute is defined as “Cendura, San Francisco, Engineering, 25th floor, office 202”, you might see Cendura listed as a user on the login screen. To check what the resolved field looks like on a managed computer, run getent passwd for the user and inspect the fifth (GECOS) field of the output.

Using other attributes in a profile

The default user attributes are recognized by adclient without requiring any modification to the managed computer or Active Directory. If you want to use any other attribute, whether it is a standard schema attribute such as company or homePhone or a custom attribute that you have added to the Active Directory schema such as supervisorId, you must add the attribute name to the adclient.custom.attributes.user parameter in the centrifydc.conf file, then restart adclient and flush the cache. Until you do, a variable that references the attribute resolves to an empty value.

For example, you might add the following attributes to the centrifydc.conf file:

adclient.custom.attributes.user: company supervisorId

After modifying the file, you would run the following commands to restart the agent and clear the cache:

/usr/share/centrifydc/bin/centrifydc restart
adflush -f

For more information about defining custom attributes, see the Configuration and Tuning Reference Guide.

Attributes for users in a forest with a one-way trust

Keep in mind that if you add users to a zone from a one‑way trusted forest, the Centrify agent can only retrieve the userPrincipalName and sAMAccountName attributes for those users. When the adclient process resolves variable definitions at runtime, any field that references another attribute will therefore be blank for a user from a one-way trusted forest, even if that attribute is in the default set or listed in adclient.custom.attributes.user.
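The following added example (not Centrify code, and not taken from the original page) models the resolution rules described above in one place: the %{u:attributeName} syntax and the default attribute set, the extra attributes enabled by adclient.custom.attributes.user in centrifydc.conf, the comma problem in a GECOS field, and the two-attribute limit for users from a one-way trusted forest. The sample user, the configuration text and the assumption that sAMAccountName and userPrincipalName are always resolvable for local-forest users are constructed for illustration; the parsing of centrifydc.conf as "key: value" lines is likewise an assumption of this example.

```python
"""Model of how adclient expands %{u:attributeName} variables in a zone profile.

Added example, not Centrify code. The rules follow the documentation above;
the treatment of sAMAccountName/userPrincipalName for local-forest users and
the centrifydc.conf line format are assumptions of this example.
"""
import re
from typing import Dict, List, Set

# Attributes adclient resolves without any configuration (from the page).
DEFAULT_USER_ATTRIBUTES: Set[str] = {
    "mail", "department", "description", "mobile", "title", "telephoneNumber",
}

# The only attributes retrievable for a user from a one-way trusted forest
# (from the page). Assumption: also always available for local-forest users.
ALWAYS_AVAILABLE: Set[str] = {"userPrincipalName", "sAMAccountName"}

# Matches %{u:attributeName}; attribute names are letters, digits and '-'.
VARIABLE_RE = re.compile(r"%\{u:([A-Za-z][A-Za-z0-9-]*)\}")

CONF_KEY = "adclient.custom.attributes.user"

# Constructed sample data, not real directory content or a real config file.
SAMPLE_USER: Dict[str, str] = {
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@example.com",
    "department": "Cendura, San Francisco, Engineering, 25th floor, office 202",
    "telephoneNumber": "+1 415 555 0100",
    "company": "Cendura",
    "homePhone": "+1 415 555 0199",
}
SAMPLE_CONF = "# constructed centrifydc.conf fragment\n" \
              "adclient.custom.attributes.user: company supervisorId\n"


def custom_user_attributes(conf_text: str) -> Set[str]:
    """Return the names listed in adclient.custom.attributes.user.

    Assumption: 'key: value' lines, '#' comments, whitespace-separated value.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == CONF_KEY:
            return set(value.split())
    return set()


def resolvable_attributes(conf_text: str, one_way_trust: bool) -> Set[str]:
    """Attributes adclient can resolve for this user; everything else is blank."""
    if one_way_trust:
        return set(ALWAYS_AVAILABLE)
    return DEFAULT_USER_ATTRIBUTES | ALWAYS_AVAILABLE | custom_user_attributes(conf_text)


def expand(template: str, user: Dict[str, str], conf_text: str = "",
           one_way_trust: bool = False) -> str:
    """Expand every %{u:...} in template; unresolvable attributes become ''."""
    allowed = resolvable_attributes(conf_text, one_way_trust)

    def lookup(match) -> str:
        name = match.group(1)
        return user.get(name, "") if name in allowed else ""

    return VARIABLE_RE.sub(lookup, template)


def login_display_name(gecos: str) -> str:
    """What a desktop manager reading the GECOS 'full name' field would show:
    the text before the first comma."""
    return gecos.split(",", 1)[0].strip()


def comma_risks(template: str, user: Dict[str, str], conf_text: str = "") -> List[str]:
    """Attributes in template whose resolved value contains a comma and would
    therefore spill into neighbouring GECOS fields."""
    allowed = resolvable_attributes(conf_text, False)
    return [name for name in VARIABLE_RE.findall(template)
            if name in allowed and "," in user.get(name, "")]


if __name__ == "__main__":
    gecos = expand("%{u:department}", SAMPLE_USER)
    print("GECOS:", gecos)
    print("login screen would show:", login_display_name(gecos))
    print("comma risks:", comma_risks("%{u:department},%{u:telephoneNumber}", SAMPLE_USER))
    print("company, no conf entry:", repr(expand("%{u:company}", SAMPLE_USER)))
    print("company, with conf entry:", repr(expand("%{u:company}", SAMPLE_USER, SAMPLE_CONF)))
    print("homePhone, not listed:", repr(expand("%{u:homePhone}", SAMPLE_USER, SAMPLE_CONF)))
    print("one-way trust:", repr(expand("%{u:sAMAccountName},%{u:department}",
                                        SAMPLE_USER, SAMPLE_CONF, one_way_trust=True)))
```

Running the script shows the department value passing through unchanged as GECOS while login_display_name reduces it to "Cendura", company resolving only once it is listed in the configuration, homePhone staying blank because it is not listed, and the one-way-trust case yielding only the sAMAccountName with the department field empty.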