Using Cloud Client Commands
This section covers commands that you can use on systems where you have installed the Cloud Client. Most commands work the same on Windows and Linux; any differences for operating systems are noted. For details about each command, click the command name to go to the relevant section.
Each command generates a log file at /var/log/ (Linux) or C:\ProgramData\Centrify\Logs (Windows).
Command | Is root or administrator privilege needed? | Description |
---|---|---|
cdebug | YES | Use the cdebug command to control and check the logging detail level. You can also empty the log file as part of your log rotation process. |
cdelaccount | YES | Use the cdelaccount to delete the domain, database, or local account from Delinea PAS. In order to use this command, the system must have the AAPM feature enabled. |
cdiag | YES | Use the cdiag command to check configuration settings to diagnose any potential issues with the Cloud Client. |
cedit | YES if you're editing or resetting parameter values | Use the cedit command to view, edit, or reset specific Cloud Client configuration parameters. |
cenroll | YES | Use the cenroll command to enroll the system into Delinea PAS and thereby add the new vaulted system to Delinea PAS. |
cflush (Linux only) | YES | You use the cflush command on Linux systems to update the local cache of users and groups that have been authenticated by Delinea PAS. |
cgetaccount | YES | Use the cgetaccount command to retrieve and use the stored password for a domain, database, or managed local account from Delinea PAS. In order to use this command, the system must have the AAPM feature enabled. |
cinfo | YES only for the -H and -t options | Use the cinfo command to display detailed and diagnostic information about the local system's configuration in Delinea PAS. |
creload | YES | Use the creload command to force the client to reload configuration properties after you've changed them using cedit. |
crotatepasswd | YES | Use the crotatepasswd command to rotate the password for the specified account, such as for a domain, database, or a system account. In order to use this command, the system must have the AAPM feature enabled. |
csetaccount | YES | Use the csetaccount command to create or update a vaulted privileged account in Delinea PAS for the specified local account. In order to use this command, the system must have the AAPM feature enabled. |
cunenroll | YES | Use the cunenroll command to un-enroll a vaulted system from Delinea PAS. |
cdebug
Use this command to control and check the logging detail level. You can also empty the log file as part of your log rotation process.
Log files are located at /var/log/cagent.log (Linux) or C:\ProgramData\Centrify\Logs (Windows).
Root or Administrator privilege required? Yes
Usage:
cdebug [on | off | clear | status | set <debug_level>]
<debug_level> can be TRACE, DEBUG, INFO, WARN, ERROR, DISABLED
Command option | Description |
---|---|
on | Turns on detailed logging activity. Essentially, this is the same as setting the debug level to DEBUG. |
off | Turns off detailed logging activity. Essentially, this is the same as setting the debug level to INFO. |
clear | Empties the current log file and triggers log rotation for the cagent.log file. The client archives the existing log file as cagent-<timestamp>.log.gz and logging starts again from a newly empty cagent.log file. The client also runs the clear command automatically in the background so that log files don't become too large. |
status | Checks to see whether detailed logging activity is turned on or off. |
set <debug_level> | Sets the level of detail that the client outputs to the log. Your choices are: TRACE: Includes trace level messages in addition to what's included with the DEBUG log level. Trace level messages are a step-by-step listing of every action taken; anything that can be logged is captured. Using this log level can help with troubleshooting, but be aware that the log file can get large quickly and system performance may be slower. Delinea recommends that you use this log level only when requested by Delinea Support. DEBUG: Debug, informational, warning, and error messages. Use this log level for most troubleshooting situations. Be aware that the log file can get large. Delinea recommends that you use this log level only when requested by Delinea Support. INFO: Informational, warning, and error messages. This is the default log level. WARN: Warning and error messages. ERROR: Error messages only. DISABLED: This option turns off any client logging. |
Examples:
PS C:\Users\administrator.cloud> cdebug set TRACE
Debug logging is on. Verbose tracing is on.
PS C:\Users\administrator.cloud> cdebug status
Debug logging is on. Verbose tracing is on.
cdelaccount
The cdelaccount command deletes the domain, database, or managed local account from Delinea PAS. The local account remains intact. After you remove an account from Delinea PAS, you can't check out the password or use Delinea PAS to rotate the password.
In order to use this command, the system must have the AAPM feature enabled.
If you delete an account from Delinea PAS, you must manage the password yourself for the local account. It's recommended that you either save or copy the password manually or change the password after you've deleted the account.
Root or Administrator privilege required? Yes
Usage:
cdelaccount [-hsVv] [-u, --username username] <account>
Command option | Description |
---|---|
-h , --help |
Displays the command help. |
-s , --silent |
Specifies that no confirmation will be asked, and the account password will not be displayed. |
-u , --username |
Specifies the administrative user that is used to delete an account. If you specify this parameter, you don't have to run this command as an administrative user. The service will prompt you to enter the password for the specified username. |
-V , --verbose |
Displays the debug information for each operation. |
-v , --version |
Displays the version information. |
Examples:
# cdelaccount frodo
Caution: Deleting an account means we will no longer know the password. You must make note of it.
Continue to proceed will make the password available and commit the deletion.
Do you want to proceed? (y/n) [n]: y
Getting account password before deletion...
Password for frodo: OneRingToRuleThemAll%#
Account deleted. Save the password to avoid account lockout.
cdiag
Use the cdiag command to check configuration settings to diagnose any potential issues with the Cloud Client. The cdiag command checks the connection between the client and the platform and also checks if system settings such as PAM or NSS are configured correctly on Linux clients when corresponding features are enabled. You can run this command before, during, or after enrollment.
For example, run the cdiag command if any expected Cloud Client functionality isn't working.
On Windows, this is a PowerShell script.
Root or Administrator privilege required? Yes
Usage:
cdiag -t <tenanturl> [-dpnV]
cdiag -t <tenanturl> -v
cdiag -t <tenanturl> -h
Command option | Description |
---|---|
-t , --tenant url |
Specifies the customer-specific URL of the Delinea PAS. If the system is currently enrolled, this option can be omitted; the URL specified during enrollment will automatically be used. If the system is not enrolled, this option is mandatory. |
-d , --deployment [cloud|on-premise] |
Specifies the deployment type of Delinea PAS. The cdiag command does a different check and troubleshooting according to the deployment type. If you don't specify this option, cloud is the default. |
-p , --http-proxy proxy-url |
Specifies the HTTP proxy URL used by the machine. |
-n , --noreport |
Does not generate a report file. |
-V , --verbose |
Displays the debug information for each operation. |
-v , --version |
Displays the version information. |
-h , --help |
Displays the command help. |
Examples:
cdiag -t abc1234.my.centrify.net
cedit
You can use the cedit command to view, edit, or reset specific Cloud Client configuration parameters. For details about which parameters you can edit, see Customizing Cloud Client Parameters.
Root or Administrator privilege required? Yes if you're editing or resetting a parameter value.
Usage:
cedit [-hlqv] [-g <key>] [-r <key>] [-s <key>:<value>]
Command option | Description |
---|---|
-g , --get=<key> |
Gets the parameter value. |
-h , --help |
Displays the command help. |
-l , --list |
Lists parameters that are explicitly set. |
-q , --quiet |
Does not display any information. |
-r , --reset=<key> |
Resets the specified parameter value to the default value. |
-s , --set=<key>:<value> |
Sets a parameter value. |
-v , --version |
Displays the version information. |
Examples:
PS C:\Users\administrator.cloud> cedit -l
FeatureAAPMEnabled: true
FeatureAgentAuthEnabled: true
FeatureDMCEnabled: true
LogLevel: TRACE
ProxyURL: http://xx.xx.xx.xx:8080
ServiceURI: https://abc1234.my.centrify.net/
agent.tcprelay.proxy: http://xx.xx.xx.xx:8080
PS C:\Users\administrator.cloud> cedit -s LogLevel:WARN
Parameter successfully updated.
PS C:\Users\administrator.cloud> cedit -g LogLevel
WARN
cenroll
Use the cenroll command to enroll the system into Delinea PAS and thereby add the new vaulted system to Delinea PAS. You can also use the cenroll command to update a profile of an existing system that's already enrolled.
In general, the required parameters are:
- --features
- --tenant
- either --code or --username (an authentication mechanism: either an enrollment code or a user with the "System Enrollment" administrative right in Delinea PAS)
Parameters that you might use frequently are:
- AgentAuth permission to be assigned to a role (-l)
- Proxy configuration (-p)
- Connector assignment (-S Connectors:value)
- Suffix for the hostname in Delinea PAS (-x)
Root or Administrator privilege required? Yes
Usage:
cenroll [-fhVv] [-a <IP/DNS name>] [-C] [-c <code>] [-F value] [-l <role1>[,<role2>...,<roleN>]] [-n <name>] [-N <name>] [-O <key:value>] [-o <file>] [-p <proxyURL>] [-P [user:|role:]<name>:<right>[,<right2>,...,<rightN>]] [-S <key:value>] [-s <file>] [-t <url>] [-u <username>] [-w <role>] [-x <suffix>] [-Z <set1>[,<set2>...,<setN>]]
Command option | Description |
---|---|
-a , --address=<IP/DNS name> |
Specifies the IP address or DNS name of this computer. The value returned by hostname is used if this argument is not supplied. If a system has multiple network adapters, you can use this option to specify where to direct network traffic from Delinea PAS. By default, if a Windows machine is domain joined, then it uses the FQDN (myhost.domain1.net). In some situations, you may want to specify an IP address instead of the hostname for security and network control purposes. |
-C , --css |
Enables the CSS Extension for the Cloud Client. By enabling this extension, you can make sure that workflow requests aren't delayed due to Active Directory synchronization schedules. This extension works for Server Suite Agent versions 5.8.0 and later. |
-c , --code=<code> |
Specifies the enrollment code to use to enroll this computer in the Delinea PAS. This option is required, or you must specify a user with "System Enrollment" permission. If the enrollment code is assigned to a role, upon enrollment the service adds the computer into that role. |
-d , --dmc-scope=<scopename:regex>,<scopename:regex>,...,<scopename:regex> |
Specifies a delegated machine credential scope name and allowed APIs; you specify the allowed APIs as a regular expression. You can specify this option multiple times in a single command statement. |
-F , --features=<feature1>[,<feature2>,...,<featureN>] |
Configures specific features for this system. You must specify a value for this option. DMC: Specify this option to enable delegated machine credentials. For details, see Using Delegated Machine Credentials. AAPM: Specify this option to enable application-to-application password management. For details, see "Adding computers as systems". AgentAuth: Specify this option to enable the Agent Auth permission, which is needed to allow Delinea PAS users who have the AgentAuth permission to log in. For details, see Enabling Client-Based Login. all: Enable all client-based features. none: Don't enable any client features. |
-f , --force |
Forces the enrollment operation. Use this option if the system already exists in Delinea PAS. Forcing an enrollment overwrites all settings, including any AAPM settings, made during csetaccount. If you force an enrollment you will need to run csetaccount again to return to the same AAPM setting as before the enrollment. |
-h , --help |
Displays the command help. |
-l , --agentauth=<role1>[,<role2>...,<roleN>] |
Specifies the roles to which the AgentAuth/login permission is assigned. |
-m , --groupmap=<role name>:<local group>[,<local group 2>,...,<local group N> ] |
Configures a mapping between a role and one or multiple local groups on the system. For example, the following maps the System Administrator role to two local groups, Administrators and Power Users: cenroll <standard enroll parameters> -m "System Administrator:Administrators, Power Users". You can specify this option multiple times in a single command statement. Note: Local group mapping is for Windows systems only. |
-n , --name=<name> |
Specifies the login name to use for this computer in the Delinea PAS. The value returned by 'hostname' is used if this argument is not supplied. If the --tenant-suffix argument is supplied, the final name of the system will be in the form <name>@<suffix>. Otherwise, the final name will be in the form <name>. The value specified here will appear in Resources > Systems in PAS. |
-N , --resource-name=<name> |
Specifies the name of this computer in Delinea PAS. The value returned by 'hostname' is used if this argument is not supplied. If the --tenant-suffix argument is supplied, the final name of the system will be in the form <name>@<suffix> . Otherwise, the final name will be in the form <name> . |
-O , --resource-policy=<key:value> |
Specifies resource-specific policies in key-value pairs. If the same policy is configured by this parameter and the --resource-policy-file, the value in this parameter is applied. You can specify this option multiple times in a single command statement. |
-o , --resource-policy-file=<file> |
Specifies a plain text file that contains resource-specific policies stored as key-value pairs. If the same policy is configured by this parameter and --resource-policy, the value in --resource-policy is applied. |
-p , --http-proxy=<proxy URL> |
Specifies an HTTP proxy to use for the Cloud Client connection to Delinea PAS. When you specify this option, the client redirects all communication through the proxy address. If the proxy is unavailable, the client status is listed as "disconnected" from the network. |
-P , --resource-permission. For Active Directory or LDAP groups: cenroll -P group: "<group@domain.suffix>":<PAS_permission>. For Delinea PAS roles: cenroll -P <role_name>:<PAS_permission> |
Specifies the permissions for the system, such as Grant, View, AgentAuth, Offline Rescue, and so forth. You can specify permissions for users or roles. For more details about permissions, see Assigning permissions. It can be useful to specify permissions at the time of enrollment, but you can set them later in the Admin Portal too. You can specify this option multiple times in a single command statement. When you specify multiple permissions, surround each permission with \". For example: -P \"bugs.bunny@acme.cloud:Grant,View\" --resource-permission "bugs.bunny@acme.cloud:Grant,View" |
-S , --resource-setting=<key:value> |
Specifies resource-specific settings in key-value pairs. If the same setting is configured by this parameter and the --resource-setting-file, the value in this parameter is applied. To set the domain information, you can specify DomainName:<domain> as a setting. You can specify this option multiple times in a single command statement. You can view the available resource settings here: developer portal - post_servermanage-updateresource; developer portal - post_servermanage-addresource. Note: When supplying a connector resource setting, specify just one connector. If you specify more than one, the last one you specify will be used. For example: cenroll -f -F all -S Connectors:connector1 |
-s , --resource-setting-file=<file> |
Specifies a plain text file that contains resource-specific settings stored as key-value pairs. If you specify the same parameter in this file and the --resource-setting parameter, the client uses the value specified in the --resource-setting parameter. |
-t , --tenant=<url> Customer-specific URL |
Specifies the tenant to enroll into. You can use either a space or = between the --tenant and the URL. Here are some examples of the ways you can specify a tenant URL: --tenant=abc0123.my.centrify.net --tenant abc0123.my.centrify.net --tenant https://abc0123.my.centrify.net --tenant=https://abc0123.my.centrify.net |
-u , --username=<username> |
Specifies the user who will enroll this system into the Delinea PAS. You must either specify this option or specify an enrollment code. |
-V , --verbose |
Displays debug information for each operation. |
-v , --version |
Displays the version information. |
-w , --owner=<role> |
Role used to manage this computer in the Delinea PAS. |
-x , --suffix=<suffix> |
Specifies the suffix to use for the login and resource names for this system. |
-Z , --resource-set=<set1>[,<set2>...,<setN>] |
Adds the system to the specified resource sets. |
Examples:
[EXAMPLE: to enroll a system with all features enabled into the specified tenant using an enrollment code]
[root@mylinux ~]# cenroll --force --features=all --tenant=abc1234.my.centrify.net --code=PUTTHEENROLLMENTCODEHERE
Enrolling in https://abc1234.my.centrify.net/ ...
Centrify agent started.
Enabled features: AgentAuth, AAPM, DMC
Enrollment complete.
[EXAMPLE: To add a local computer to the Privileged Access Service using a specified user account]
[root@mylinux ~]# cenroll --tenant=abc1234.my.centrify.net --user wily@acme --features aapm,agentauth --agentauth "Authorized Agent Login"
[EXAMPLE: To add the computer using a specific IP address and computer name]
[root@mylinux ~]# cenroll -t abc1234.my.centrify.net -u wily@acme -n rhel9.mydomain.com -a 123.45.67.890
[EXAMPLE: To add the computer and enable all features and use a web proxy]
[root@mylinux ~]# cenroll -F all -f -t abc1234.my.centrify.net -c PUTTHEENROLLMENTCODEHERE -l linuxadmins -p http://12.3.4.56:8080
[EXAMPLE: To add the computer and enable AAPM ]
[root@mylinux ~]# cenroll -F AAPM -f -t abc1234.my.centrify.net -c PUTTHEENROLLMENTCODEHERE -l linuxadmins
[EXAMPLE: To enroll a computer with username and password instead of an enrollment code]
[root@mylinux ~]# cenroll -F all -f -t abc1234.my.centrify.net -u pasadmin@example.com -l linuxadmins
[EXAMPLE: To allow the public network access for this computer and to perform periodic password rotation on the accounts associated with this computer every 30 days, specify these policies on the command line]
[root@mylinux ~]# cenroll -O "AllowRemote:true" -O "AllowPasswordRotation:true" -O "PasswordRotateDuration:30"
[EXAMPLE: Alternatively, you could use a text editor to create a "policy.conf" file with settings:]
AllowRemote:true
AllowPasswordRotation:true
PasswordRotateDuration:30
[After defining the policies in the "policy.conf" file, run the cenroll command and refer to the policy.conf file:]
[root@mylinux ~]# cenroll --resource-policy-file /tmp/policy.conf
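The precedence rule for -O and --resource-policy-file described above, worked through as an added example (not Delinea's code): a Python pre-check that merges a policy file with command-line pairs and reports what would be applied. The function names and review rules are assumptions for illustration; the key names are the ones used in the examples above, and the inputs are constructed.

```python
"""Pre-enrollment check: resolve effective cenroll resource policies.

Added example. Models the documented rule that a value given with
-O/--resource-policy wins over the same key in --resource-policy-file.
"""

# Constructed sample inputs (file content matches the policy.conf example above).
SAMPLE_FILE = "AllowRemote:true\nAllowPasswordRotation:true\nPasswordRotateDuration:30\n"
SAMPLE_CLI = ["PasswordRotateDuration:90"]  # values passed with -O


def parse_pairs(lines):
    """Parse key:value entries and return (pairs, malformed).

    Splits on the first colon only, so a value may itself contain colons.
    Blank lines are skipped; entries lacking a key, colon or value are
    returned in `malformed` instead of being guessed at.
    """
    pairs, malformed = [], []
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue
        key, sep, value = entry.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            malformed.append(raw)
            continue
        pairs.append((key, value))
    return pairs, malformed


def effective_policies(file_text, cli_pairs):
    """Merge file and command-line policies; command line takes precedence.

    Returns (effective, overridden, malformed) where `overridden` lists
    (key, file_value, cli_value) for keys whose file value is replaced.
    Assumption: a key repeated within one source keeps its last value.
    """
    file_pairs, bad_file = parse_pairs(file_text.splitlines())
    arg_pairs, bad_cli = parse_pairs(cli_pairs)
    from_file, from_cli = dict(file_pairs), dict(arg_pairs)
    overridden = [
        (key, from_file[key], value)
        for key, value in from_cli.items()
        if key in from_file and from_file[key] != value
    ]
    effective = {**from_file, **from_cli}
    return effective, overridden, bad_file + bad_cli


def review(effective, overridden, malformed):
    """Return human-readable findings worth a second look before enrolling."""
    findings = [f"malformed entry (not key:value): {raw!r}" for raw in malformed]
    for key, old, new in overridden:
        findings.append(f"{key}: command-line value {new!r} replaces file value {old!r}")
    if effective.get("AllowRemote", "").lower() == "true":
        findings.append("AllowRemote is true: public network access is allowed")
    if effective.get("AllowPasswordRotation", "").lower() == "true":
        days = effective.get("PasswordRotateDuration", "")
        if not days.isdigit() or int(days) < 1:
            findings.append(
                f"PasswordRotateDuration {days!r} is not a positive number of days"
            )
    return findings


if __name__ == "__main__":
    eff, over, bad = effective_policies(SAMPLE_FILE, SAMPLE_CLI)
    for key in sorted(eff):
        print(f"{key}:{eff[key]}")
    for finding in review(eff, over, bad):
        print("REVIEW:", finding)
```
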
[EXAMPLE: enroll with Use My Account credentials]
cenroll -F agentauth -t <tenant> -c <code> -l <agentauth_role> -S CertAuthEnable:true -S AllowRemote:true -S Connectors:<name>
[NOTE: Using the cenroll command depends on the user in PAS being a member of a role with AgentAuth permission. Use My Account will be immediately accessible for Windows enrolled systems, and then accessible for Linux enrolled systems after MasterSSHKey download/configuration.]
cflush (Linux only)
You use the cflush command on Linux systems to update the local cache of users and groups that have been authenticated by Delinea PAS.
User and group information is stored in the local cache so that the client does not need to look up the information for the next 60 minutes (after it is stored). This command invalidates the information in the local cache so that the client will request the information from Delinea PAS whenever any client application asks for such information.
Because most Linux applications need to look up user or group information, caching such information reduces the need to frequently request the same information from PAS. Caching this information improves performance.
Root or Administrator privilege required? Yes
Usage:
cflush [-eV]
cflush -v
cflush -h
Command option | Description |
---|---|
-e , --expire |
(Reserved for future use) |
-V , --verbose |
Displays detailed debug information for each operation. |
-v , --version |
Displays the version information. |
-h , --help |
Displays the command help. |
Examples:
[root@mylinux ~]# cflush
Flushed cagent cache
cgetaccount
Use the cgetaccount command to retrieve and use the stored password for a domain, database, or managed local account from Delinea PAS. (You can store accounts either from within the Admin Portal or by using the csetaccount command.) In order to use this command, the system must have the AAPM feature enabled.
Root or Administrator privilege required? Yes
Usage:
cgetaccount [-tTsvV] [-t, --lifetime minutes] [-T, --type type ] [-s, --silent] [-u, --username username] [-v, --version] [-V, --verbose] targetname / accountname
Command option | Description |
---|---|
-t , --lifetime Minutes |
Specifies the password checkout interval (duration), in minutes. The value that you specify must be less than or equal to the account checkout lifetime defined in the target policy. If you specify a value greater than the account checkout lifetime, an error is returned. If you do not specify a password checkout interval (that is, if you do not use this option), a default password checkout interval of one minute is used. |
-T , --type Type |
Specifies the type of the target to which the account belongs. Valid values are system, domain, or database. |
-s , --silent |
Retrieves the account password from Delinea PAS without asking for confirmation. The password is not printed to stdout. This option is useful for scripts that need to set a local variable in order to store the returned password. |
-u , --username |
Specifies the administrative user that is used to get an account. If you specify this parameter, you don't have to run this command as an administrative user. The service will prompt you to enter the password for the specified username. |
-v , --version |
Displays the version information. |
-V , --verbose |
Displays information about each step in the password retrieval operation as it occurs. This option can be useful in diagnosing password retrieval problems. |
-h , --help |
Displays usage information for this command. |
Examples:
[root@mylinux ~]# cgetaccount frodo
Password for account "frodo" will be checked out. The checkout will be logged and expire in 1 minute.
Do you want to continue and display the password? (y/n) [n]: y
Password for frodo: OneRingToRuleThemAll%#
cinfo
Use the cinfo command to display detailed and diagnostic information about the local system's configuration in Delinea PAS.
Root or Administrator privilege required? Yes if you're using the -H (--clientchannel-health) or -t (--support) option
Usage:
cinfo [-aADhNoPtTVv] [-C <url>] [-p <proxy URL>]
Command option | Description |
---|---|
-a , --address |
Displays the IP address or DNS name for an enrolled instance in the Delinea PAS. |
-A , --agent-status |
Displays the status of the Cloud Client. The possible values are as follows: unknown: The cinfo command failed to check the client status or encountered an unknown error. connected: The client is connected to the Delinea PAS and running well. disconnected: The client is not connected to the Delinea PAS, most likely due to a network connectivity issue. stopped: The client service has been stopped by a system management tool, such as systemctl. starting: The client is in the process of starting and not yet ready for service. disabled: The client has discovered that the related resource has been deleted in the backend, so the client cannot work anymore. |
-B , --clientchannel-status |
Confirms that the Cloud Client has a connection to Delinea PAS. For example, if the client is connected, the service allows password reconciliation to work. The possible status options are either online or offline. |
-C , --connect=<url> |
Verifies the availability of the Delinea PAS by connecting to the specified URL. |
-D , --tenant-id |
Displays the registered customer-specific identifier (tenant ID). |
-H , --clientchannel-health |
Performs a Cloud Client health check of the client channel, which is the connection between the Cloud Client and Delinea PAS. This option requires Administrator or root privilege. |
-h , --help |
Displays the command help. |
-N , --resource-name |
Displays the resource name for a computer enrolled in the Delinea PAS. |
-o , --owner |
Displays the owner of a computer enrolled in the Delinea PAS. |
-p , --http-proxy=<proxy url> |
Specifies the HTTP proxy to use in conjunction with the --connect option. |
-P , --platform-version |
Displays the version of Delinea PAS. |
-t , --support |
Generates a support file with diagnostic information. The file location is /var/centrify/tmp/cinfo_support.tar.gz (Linux) or C:\ProgramData\Centrify\support\cinfo_support.<timestamp>.zip (Windows). This option requires Administrator or root privilege. |
-T , --tenant |
Displays the customer-specific URL for a computer enrolled in Delinea PAS. |
-V , --verbose |
Displays debug information for each operation. |
-v , --version |
Displays the version information. |
Examples:
[root@mylinux ~]# cinfo
Enrolled in: https://abc1234.my.centrify.net/
Enrolled as:
Service account: mylinux$@acme.net
Resource name: mylinux
IP/DNS name: 10.10.10.1
Owner: sysadmin (Type: Role)
Customer ID: ABC1234
Enabled features: AgentAuth, AAPM, DMC
Client Channel status: Online
Client status: connected
creload
Use the creload command to force the client to reload configuration properties after you've changed them using cedit.
Root or Administrator privilege required? Yes
Usage:
creload [-hVv]
Command option | Description |
---|---|
-h ,--help |
Displays the command help. |
-V , --verbose |
Displays debug information for each operation. |
-v , --version |
Displays the version information. |
Examples:
[root@mylinux ~]# creload
crotatepasswd
Use the crotatepasswd command to rotate the password for the specified account, such as for an account for a domain, database, or a system. If you're rotating the password for a vaulted local account, the password is updated both locally and in the Admin Portal. If the password is currently checked out, you must use the --force option to force the password rotation. In order to use this command, the system must have the AAPM feature enabled.
Root or Administrator privilege required? Yes
Usage:
crotatepasswd [-fhVv] [-T value] [<target>/]<account>
Command option | Description |
---|---|
-f , --force |
Ignores any password checkouts and forces a password rotation. |
-h , --help |
Displays the command help. |
-T , --type=value |
Specifies the type of the target to which the account belongs. Valid values are: system, domain, or database. |
-V , --verbose |
Displays debug information for each operation. |
-v , --version |
Displays the version information. |
Examples:
[root@mylinux ~]# crotatepasswd frodo
Rotating password for frodo...
Failed to rotate password for frodo: Failed to rotate password from identity platform: The password for this account is currently checked out
[root@mylinux ~]#
[root@mylinux ~]# crotatepasswd --force frodo
Rotating password for frodo...
Rotated Password for frodo
csetaccount
Use the csetaccount command to create or update a vaulted privileged account in Delinea PAS for the specified local account. In order to use this command, the system must have the AAPM feature enabled.
Root or Administrator privilege required? Yes
Usage:
csetaccount.exe [-hPVv] [-a <name>|user:<name>|role:<name>] [-d <description>] [-m <true|false>] [--password <password>] [-p [user:|role:|group:]<name>:<right>[,<right2>,...,<rightN>]] [-s <set1>[,<set2>...,<setN>]] [--stdin] [-u, --username username] [-w <enable|disable|default>] [-x <true|false>] <account>
Command option | Description |
---|---|
-a , --approver=<name>|user:<name>|role:<name> |
Specifies the approver for the account. This parameter applies if privileged account workflow is enabled. |
-d , --description=<description> |
Specifies the account description. |
-h , --help |
Displays the command help. |
-m , --managed=<true|false> |
Specifies whether the account password is managed. |
-P , --nopassword |
Specifies to not require password input. Use this option to update the account settings without updating the stored password. |
--password=<password> |
Specifies the account password. If you don't specify this parameter, then you're prompted for the password. |
-p , --permission=[user:|role:|group:]<name>:<right>[,<right2>,...,<rightN>] |
Specifies the account permissions. |
-s , --set=<set1>[,<set2>...,<setN>] |
Specifies one or more sets to add the account to. |
--stdin |
Reads the user password from stdin instead of an interactive prompt. |
-u , --username |
Specifies the administrative user that is used to add or update an account. If you specify this parameter, you don't have to run this command as an administrative user. The service will prompt you to enter the password for the specified username. |
-V , --verbose |
Displays debug information for each operation. |
-v , --version |
Displays the version information. |
-w , --workflow=<enable|disable|default> |
Specifies whether privileged account workflow is enabled. |
-x , --useproxy=<true|false> |
Specifies the account to use as a proxy account. |
Examples:
[root@mylinux ~]# csetaccount -m true frodo
Password for frodo:
Account frodo has been successfully vaulted
cunenroll
Use the cunenroll command to un-enroll a vaulted system from Delinea PAS. Un-enrolling a system means the following:
- Remove the system from Delinea PAS in such a way that any client-based features no longer work on the system (unless you re-enroll the system).
- Unless you specify otherwise, un-enrolling does not completely remove the system from Delinea PAS. Vault functions such as remote access to the system still work. The system displays in Delinea PAS with an unenrolled status.
- The Cloud Client software remains installed on the system. This way, you can re-enroll the system without having to reinstall anything.
To unenroll a system using the cunenroll command, you must specify one of the following options:
- -m machine credential
- -u user credentials (the user account must have Grant permission on the system)
To completely remove the system from Delinea PAS, you specify the option -d. Using the -d option removes the system and any client-generated accounts completely from Delinea PAS. To remove a system from Delinea PAS, you must have the View and Delete permissions.
Root or Administrator privilege required? Yes
Usage:
cunenroll [-CdfhmRtVv] [-u value]
Command option | Description |
---|---|
-C , --noconf (Linux only) |
Specifies to not update the local configuration upon unenrolling from the Delinea PAS. Note: Please contact Delinea Support before you use this parameter. |
-d , --delete |
Deletes this computer account from the Delinea PAS, including all resource information and all associated accounts. |
-f , --force |
Forces an unenroll operation locally without connecting to the Delinea PAS. |
-h , --help |
Displays the command help. |
-m , --machine |
Uses the machine credential to unenroll from Delinea PAS. |
-R , --restore (Linux only) |
Restores the configuration without unenrolling from Delinea PAS. The --restore option restores the PAM/NSS modules configuration so that the Delinea PAS modules are no longer loaded and the PAM/NSS state is back to what it was before enrollment. Note: Please contact Delinea Support before you use this parameter. |
-t , --terminate-user-sessions |
Use this option together with the 'delete' option. If there are any current sessions where the user initiated the connection from within Delinea PAS, use this option to terminate all of the sessions. Sessions that were initiated from the command line are not terminated. |
-u , --user=value |
Specifies the administrative user used to unenroll from the Delinea PAS. |
-V , --verbose |
Displays debug information for each operation. |
-v , --version |
Displays version information. |
Examples:
(This example uses the system's service account in PAS and deletes the system in PAS.)
[root@mylinux ~]# cunenroll --delete --machine
Successfully Unenrolled.