Using the zoneupdate program for controlled automation
You can use the zoneupdate.exe program with command line options to provision profiles in a controlled way, allowing you to verify that profiles and access rights are defined correctly for subsets of users or groups without affecting the production environment.
At a minimum, you must specify the zone name or canonical name for the zone to use the zoneupdate.exe program. The command line options are similar to the options available on the Provisioning tab when you display a zone’s properties.
For example, to use the provisioning properties defined for a zone, you only need to specify the zone name at the command line:
zoneupdate default
If you use the canonical name for the zone, you specify the full path to the zone:
zoneupdate "centrify.com/program data/Centrify/zones/default"
You can override the default provisioning properties for a zone by specifying one or more of the following command line options.
Options are not case-sensitive. If you specify an option more than once, only the last value is used.
| Use this option | To specify |
| --- | --- |
| `/z:ZoneName` or `/SourceZone:ZoneName` | The name of a source zone. If you do not specify a zone name and there’s not a source zone defined in the zone’s provisioning properties, you cannot use the zoneupdate command to copy user or group attributes from one zone to another. A source zone is required for classic zones. It is optional for parent hierarchical zones, but can be useful if you are migrating from classic to hierarchical zones. |
| `/d:DomainName` or `/Domain:DomainName` | The name of the domain to process. If you do not specify a domain name, the zoneupdate program processes the Active Directory domain to which the computer is joined. |
| `/dc:DCName` or `/DomainController:DCName` | The name of the target domain controller to connect to. If you do not specify this option, the default domain controller of the target domain is used. |
| `/uu:Option` or `/UserUid:Option` | The method to use to set the user’s numeric identifier (UID) value. You can specify any one of the following values: If you don’t use one of these values, you can set the UID to not have any value. For example: `/uu:empty` If you use this setting, users will have an incomplete profile in the zone. |
| `/un:Option` or `/UserName:Option` | The method to use to set the user’s name. You can specify any one of the following values: If you don’t use one of these values, you can set the user name to an explicit value. For example: `/un:hunter` |
| `/us:Option` or `/UserShell:Option` | The method to use to specify the user’s default login shell. You can specify any one of the following values: If you don’t use one of these values, you can set the login shell using an explicit value. For example: `/us:/bin/bash` |
| `/uh:Option` or `/UserHomeDirectory:Option` | The method to use to specify the user’s default home directory. You can specify any one of the following values: If you don’t use one of these values, you can set the home directory to an explicit value. For example: `/uh:/home/hunter` |
| `/ug:Option` or `/UserPrimaryGroup:Option` | The method to use to specify the user’s primary group identifier. You can specify any one of the following values: If you don’t use one of these values, you can set the primary GID to not have any value. For example: `/ug:empty` If you use this setting, users will have an incomplete profile in the zone. |
| `/uc:Option` or `/UserGecos:Option` | The method to use to specify the user’s GECOS field. You can specify any one of the following values: If you don’t use one of these values, you can set the GECOS field to an explicit value. For example: `/uc:Thompson, Hunter S.` |
| `/gg:Option` or `/GroupGid:Option` | The method to use to set the group numeric identifier (GID) value. You can specify any one of the following values: If you don’t use one of these values, you can set the GID to not have any value. For example: `/gg:empty` If you use this setting, groups will have an incomplete profile in the zone. |
| `/gn:Option` or `/GroupName:Option` | The method to use to set the group name. You can specify any one of the following values: If you don’t use one of these values, you can set the group name to an explicit value. For example: `/gn:apps-lab` |
| `/u:ADGroupName` or `/UserSource:ADGroupName` | An Active Directory group to use to populate a Centrify zone with users. Use the sAMAccountName and, optionally, the domain name to identify the group. For example, to use the Active Directory engineers group in the currently connected domain to populate users in the default zone: `zoneupdate /u:engineers default` To use the Active Directory engineers group in a specific domain, you can use the `/d:DomainName` option or `group_name@domain_name`. For example, to use the Active Directory engineers group in the testdomain.org domain to populate users in the default zone: `zoneupdate /u:engineers@testdomain.org default` |
| `/g:ADGroupName` or `/GroupSource:ADGroupName` | An Active Directory group to use to populate a Centrify zone with groups. Use the sAMAccountName and, optionally, the domain name to identify the group. For example, to use the Active Directory employees group in the currently connected domain to populate groups in the default zone: `zoneupdate /g:employees default` |
| `/v` or `/Verbose` | Display detailed information about the provisioning of users and groups. When you use this option, the output format is: `Group: groupname:gid` and `User: uid:username:shell:home:primarygid` |
| `/p` or `/Preview` | Preview the users or groups to be provisioned or removed. In preview mode, the zoneupdate.exe program does not create or remove any UNIX profiles. |
| `/el` or `/EventLog:Level` | Enable logging to the Event log. You can use the Event Viewer to check the log results. For the log level, you can specify any one of the following values: |
| `/l` or `/Log:Level` | Enable logging and set the level of detail recorded in the log file. For the log level, you can specify any one of the following values: Logging is off by default. If you enable logging, the default file location for the log file is: `C:\Users\user_name\AppData\Roaming\Centrify\Zone Provisioning Agent\Log` You can change the default log file path by modifying the following registry key: `HKEY_LOCAL_MACHINE\Software\Centrify ZPA\LogLevel` |
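The following PowerShell check is an added example, not part of the Centrify documentation: it parses the /v output format described above from a /p preview run and flags profiles that would be incomplete, so gaps are caught before anything is provisioned. It assumes one User: or Group: line per profile and that an unset field prints as an empty string; the function name Test-ZoneUpdatePreview and the sample lines are constructed for illustration.

```powershell
# Added example, not Centrify code. Assumptions: /p /v prints one "User:" or
# "Group:" line per profile in the documented field order, and a field left
# unset (for example by /uu:empty) appears as an empty string between colons.
function Test-ZoneUpdatePreview {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        if ($line -match '^\s*User:\s*(.*)$') {
            $names = 'uid', 'username', 'shell', 'home', 'primarygid'
        }
        elseif ($line -match '^\s*Group:\s*(.*)$') {
            $names = 'groupname', 'gid'
        }
        else { continue }    # status or banner text, not a profile line

        $fields = $Matches[1].Trim().Split(':')
        $problems = @()
        if ($fields.Count -ne $names.Count) {
            $problems += "expected $($names.Count) fields, found $($fields.Count)"
        }
        else {
            for ($i = 0; $i -lt $names.Count; $i++) {
                if ([string]::IsNullOrWhiteSpace($fields[$i])) {
                    $problems += "$($names[$i]) is empty (incomplete profile)"
                }
                elseif ($names[$i] -match 'uid$|gid$' -and $fields[$i] -eq '0') {
                    $problems += "$($names[$i]) is 0 (root); confirm this is intended"
                }
            }
        }
        [pscustomobject]@{
            Line     = $line.Trim()
            Complete = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed sample output; in real use capture the preview instead, e.g.
#   $preview = & zoneupdate.exe /p /v /u:engineers default
$sample = @(
    'Group: apps-lab:10001'
    'User: 20001:hunter:/bin/bash:/home/hunter:10001'
    'User: :jsmith:/bin/bash:/home/jsmith:10001'
    'User: 20003:kdoe:/bin/bash:/home/kdoe:'
)
Test-ZoneUpdatePreview -Lines $sample |
    Where-Object { -not $_.Complete } |
    Format-List Line, Problems
```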