The most common way to provision UNIX users is to use a private group identifier as the primary group. With this approach, every user has a unique primary GID that is the same as the UID.
Although not required, another common approach to provisioning UNIX users involves adding a small number of key security groups to the parent zone. For example, if you have a commonly used group such as All US Employees to which you normally add valid Active Directory users as members, you could add that security group to the parent zone to assign all UNIX users the same primary GID in the parent zone. This approach makes provisioning UNIX users easier because you have already defined Active Directory users as members of that group. If you want to use an Active Directory group to set the primary GID for provisioned users, keep in mind that the size of the group membership can affect the performance of the Zone Provisioning Agent and how long it takes to complete provisioning.
If you choose to have the user’s primary group defined by Active Directory group membership, the Active Directory group must be in the same Active Directory forest as the users being provisioned. If the Active Directory group is located in another forest, provisioning fails.
If you want to use this approach:
- Add the security group to the provisioning group for the parent zone (for example, parentZoneName_Zone_Groups).
- Open the Properties for the parent zone, click the Provisioning tab, and define the business rules for the UNIX group profile provisioning associated with the security group.
  At the next update interval, the Zone Provisioning Agent adds a profile for the group to the zone. You can also run the zoneupdate command to add the profile without waiting until the next update interval. For example:
- Click the User Defaults tab for the parent zone, select the ellipsis <...> option for the Primary Group and select the GID for the group profile that the Zone Provisioning Agent added to the zone.