Modifying users in RFC 2307-compliant zones

In a standard RFC 2307-compliant zone, modifying user account properties for a user with an Active Directory security group as the primary group requires the following permissions:

Select this target object	To apply these permissions
The serviceConnectionPoint object for the user account For example, if you are using classic zones and the UNIX user name is chris: domain/UNIX/Zones/Finance/Users/chris then select serviceConnectionPoint objects	Click the Properties tab and select Allow to apply the following properties to this object only: Read allowedAttributesEffective Write keywords Write uid Write uidNumber Write gidNumber Write loginShell Write unixHomeDirectory If you don’t see some of these attributes listed for serviceConnectionPoint objects, change the object selected to posixAccount objects, then click Allow for the additional properties. The GECOS field in a user’s UNIX profile is derived from the displayName attribute or the Name property (cn).

Select this target object

To apply these permissions

The serviceConnectionPoint object for the user account

For example, if you are using classic zones and the UNIX user name is chris:

domain/UNIX/Zones/Finance/Users/chris

then select

serviceConnectionPoint objects

Click the Properties tab and select Allow to apply the following properties to this object only:

Read allowedAttributesEffective
Write keywords
Write uid
Write uidNumber
Write gidNumber
Write loginShell
Write unixHomeDirectory

If you don’t see some of these attributes listed for serviceConnectionPoint objects, change the object selected to posixAccount objects, then click Allow for the additional properties.

The GECOS field in a user’s UNIX profile is derived from the displayName attribute or the Name property (cn).

Note: You can grant the required permissions to specific users or groups for any zone by selecting the Modify users task in the Zone Delegation Wizard.