Using Active Directory Users and Computers, scripts, or internal procedures, the basic work flow for a new user would be similar to this:
- A new Active Directory user requests access to UNIX computers.
You add the user principal name to the appropriate Active Directory group principal. If you want to allow the user to log on to computers in a child zone, you add the user to the Login role group childZoneName_Role_Login.
If the user should be recognized but not allowed to log on, you would add the Active Directory user to the childZoneName_Role_Listed. After you have created custom roles, you would search for and select groups based on the specific rights a user needs.
Run the Zone Provisioning Agent update command in preview mode to verify your changes. For example:
Check the results of the zoneupdate preview, then run the command without the preview option to execute the business rules for provisioning. For example: