Add and provision UNIX users

It is difficult to provision a lot of UNIX users and ensure that the UID is unique in the domain. To assist you with the process, Centrify provides a set of features called the Zone Provisioning Agent. The Zone Provisioning Agent includes a service that automatically assigns a unique UID and other UNIX profile attributes, such as the home directory, default shell, and primary GID, based on rules you define.

This script demonstrates how you could use the Zone Provisioning Agent to add and provision users. For this sample script, the list of UNIX users is defined in the source file named users.txt and the Active Directory source group is Unix Users.

Note:   To learn more about the Zone Provisioning Agent and automated provisioning, see the Planning and Deployment Guide.


You specify the names to be added in a text file in which each name is on a separate line. Be sure to use line feed only as the end-of-line; do not use CR-LF. The sample file in the distribution package contains the following names:



In the following script, you specify the file name with the user names in the command line. The script then prompts you for the additional information required. The target Active Directory group—Unix Users—is hard-coded into the script.

This script uses the Tcl catch command three times to control processing when an error occurs.

  • In the first case, it is used to exit gracefully if the specified file cannot be opened.
  • In the second case, catch is used to determine if the user already exists. An error here indicates that the user does not exist and, rather than exiting, the else statement creates the user. (If the user already existed, you would not want to create another Active Directory account.)
  • In the third case, catch is used to exit gracefully if the user is already a member of the Unix Users group.
#!/bin/env adedit
# This script creates an Active Directory account 
# for each user the specified 
# and adds the user to UNIX Users group. 
# This automatically fills in their UNIX profile. 
# Command line input: file name w/ user names in 
# format ffff.llll only 
# Prompted input: domain, administrator 
#name, default password
package require ade_lib
if { $argc != 1 } {
    puts "usage: $argv0 file"
    exit 1
if {[catch {set users [open [lindex $argv 0] r]} 
      errmsg]} { 
    puts "Cannot open [lindex $argv 0]."
    exit 1
# Get domain and bind
puts "Enter domain name"
gets stdin domain 
set domaindn [dn_from_domain $domain]
puts "Enter account name with administrator privileges"
gets stdin administrator
puts "Enter $administrator password"
gets stdin APWD
bind $domain $administrator "$APWD"
puts "
Define password to be used for all accounts"
gets stdin pwd
# Now start creating accounts from users 
# example: "cn=Ellen Edwards,cn=Users,$domaindn" 
# "Ellen.Edwards@$domain" ellen.edwards pwd
while {[gets $users sam] >= 0} {
    set name [split $sam .]
    set dn "cn=[lindex $name 0] [lindex $name 1],
    set upn $sam@$domain
    if { [catch { select_object $dn }] } {
        # If we fail to select the object, 
        # most probably it
        # does not exist. So we create it here.
        puts "Creating $dn"
        create_aduser $dn $upn $sam $pwd
    } else {
        puts "$dn exists. Skip creating."
# Because we already installed and started ZPA, 
# this provisions the 
# Active Directory account catch { add_user_to_group $sam@$domain "UNIX Users@$domain" } } close $users