Importing Local Account Profiles
Most organizations have at least some local user and group profiles that must be migrated to Active Directory. Access Manager provides an Import from UNIX wizard that enables you to import user and group profiles from local /etc/passwd and /etc/group files or from NIS servers and domains.
If you are not migrating any local account profiles, you can skip this section. However, if you have a large or complex user population to migrate, you should use the information in this section along with the Planning and Deployment Guide for a more complete view of the migration process and analysis requirement.
Collecting Account Information
Before using the Import from UNIX wizard, you should do the following to prepare:
- Identify each source of user information and analyze the information to determine your zone requirements.
- Run appropriate commands, such as getent passwd, getent group, or niscat, to export user and group information and save it in properly formatted text files.
  Copy the text files to a location that is accessible from the Windows network. If you want to import information directly from NIS maps instead of text files, verify that you can access NIS servers and domains from the Windows network.
- Review the text file entries to remove account entries that don’t need to be mapped to Active Directory accounts.
  You can automatically exclude system accounts with UID or GID values from 0 to 99 during the import process, but you might want to remove other accounts prior to the import. As part of the review, determine which entries should map to existing Active Directory accounts and which entries require new Active Directory objects.
Using Variables When Importing UNIX Users
When you import UNIX user accounts, you can use a variable in the GECOS field so that Active Directory will automatically populate that information. The variable you can use is as follows:
%{u:xxx}
For example: In your /etc/passwd file, you have the following information for a user:
ron:x:10061:10061:%{u:displayName}:/home/ron:/bin/bash
After you import the user with the UNIX import user wizard, the following user is in the pending import area:
UID: 10061
Login name: ron
Shell: /bin/bash
Home directory: /home/ron
Primary Group: 10061
GECOS: %{u:displayName}
After you map this pending user to a user account in Active Directory, the %{u:displayName} text is converted to the user's display name at runtime by adclient. When you view the user profile in Active Directory or Access Manager, you'll see the %{u:displayName} text in the GECOS field; when you query the user from a UNIX computer using something such as adquery or getpwent, you'll see the actual user display name in the GECOS field.
Using the Import from UNIX Wizard
After you have created text files with user and group information or verified access to a NIS server and domain, you are ready to perform the first step in the migration process using the Import from UNIX wizard.
To import user and group information:
1. Open Access Manager.
2. Expand Zones and any parent or child zones required to select the zone name into which you want to import users and groups.
3. Select UNIX Data, right-click, then click Import from UNIX.
4. Select the import source, then click Next.
   - If you select Network Information Service (NIS), type the name of the NIS domain and the host name of the NIS server. The NIS domain and server must be accessible from the Windows network for information to be imported successfully.
   - If you select UNIX configuration files, click Browse to locate the text files to import.
   Whether you selected Network Information Service or UNIX configuration files in Step 4, go on to Step 5.
5. Select the import options you want to use, then click Next.
   The import options displayed depend on the import source. For example, if you selected UNIX configuration files and specified a text file containing user accounts and a text file containing group accounts, the import options are:
   - Include system accounts to include accounts with UID or GID values from 0 to 99.
     On most computers, accounts with UID or GID values from 0 to 99 are reserved for system accounts, such as root, tty, and ftp, that you don’t need to import or manage using Active Directory. Select the Include system accounts option to include these accounts. This option is only displayed when importing from UNIX configuration files.
   - Automatically shorten the UNIX name to 8 characters to limit UNIX user and group names to a maximum of 8 characters.
     On some computers, user and group names cannot be longer than 8 characters. If you are importing users and groups that might need access to computers that do not support names longer than 8 characters, select this option to truncate the imported names automatically.
   If you are importing from NIS, you can choose to import users, groups, or both.
6. Select a location for storing pending import data, then click Next.
   For example, to store pending data for the current zone in an XML file, select Store in XML file and specify the location for the file. If the file does not already exist in the default location, you are prompted to create it. To select another location for the XML file, click Browse.
7. Review the summary of information to be imported, select the Check data conflicts while importing option if you want to check for conflicts and potential matching candidates during the import process, then click Finish.
   If you are importing a large number of users or groups, selecting Check data conflicts while importing can cause the import process to take some time to complete. If you don’t select this option, you must check the status of users or groups after importing.
After you close the Import from UNIX wizard, users and groups are placed in Active Directory or in an XML file with the status of Pending Import. You must then decide how each user and group should be mapped to accounts in Active Directory.
Checking for Conflicts and Matching Candidates
To move a user or group from Pending Import to a UNIX profile attached to an Active Directory user or group, you must first check for potential conflicts and for potential matching user or group candidates in Active Directory. If you selected the Check data conflicts while importing option in the Import from UNIX wizard, you have already completed this step and can continue to Mapping UNIX profiles to Active Directory accounts.
To check the status of pending information:
1. Open Access Manager.
2. Expand Zones and any parent or child zones required to select the zone name into which you imported users and groups.
3. Expand UNIX Data, then expand Groups and Users to see the Pending Import nodes.
   For example, if you imported information for the “Finance” zone, open that zone, expand UNIX Data, then expand Groups and Users.
4. Select Pending Import to display the list of users or groups to be imported.
5. Select all or a subset of pending import users or groups, right-click, then click Check status.
   - For pending import groups, a potential match is an Active Directory group with a common name or sAMAccountName that is the same as the pending import group name.
   - For pending import users, a potential match is an Active Directory user with a common name that is the same as the pending import user’s GECOS field, or a sAMAccountName that is the same as the UNIX user name.
   If there is a match, Access Manager displays that group or user as the default Active Directory candidate and the status as Ready to import.
   If Access Manager can’t identify a potential match in Active Directory or there are other issues, the status for the pending import group or user describes the issue encountered.
Mapping UNIX Profiles to Active Directory Accounts
After you check the status of pending import groups or users, you can map the pending import group or user to an Active Directory group or user. The actions you can take depend on the object you select and its current state. For example, if you select a pending group, you can choose to:
- Accept the default Active Directory candidate for the selected group if a candidate is identified.
- Create a new Active Directory group and attach the selected UNIX group profile to it.
- Extend an existing Active Directory group to include the selected UNIX group profile.
- Merge the members of the selected UNIX group with an existing UNIX group in Active Directory.
- Delete the selected UNIX group.
- View and modify the properties of the selected UNIX group.
Accepting the Active Directory Candidate
If Access Manager finds a potential match for the pending import group or user in Active Directory, it displays the matching candidate in the details pane. You can accept the suggested candidate by right-clicking the pending import group or user, then selecting Accept. After you accept the Active Directory candidate for a pending group or user, the group or user is removed from the Pending Import list.
If all of the pending import group members have an Active Directory candidate associated with them, they are added as members of the Active Directory group. However, the group will remain in the Pending Import list until all of its members are successfully mapped to Active Directory users or removed as members.
Creating a New Active Directory Account
If Access Manager did not find a potential match in Active Directory, you must determine whether the pending import group or user should be mapped to an existing Active Directory account or requires a new Active Directory account. If the pending group or user requires a new Active Directory account, right-click the pending group or user, then select the Create new option to open the wizard for creating a new Active Directory group or a new Active Directory user.
Follow the prompts displayed in the wizard to provide the additional information needed to create the group or user account.
Adding a Profile to an Existing Active Directory Account
If Access Manager did not find a potential match in Active Directory but an appropriate Active Directory account exists, you must map the pending import group or user to the appropriate Active Directory group or user. If the pending import profile should be added to an existing Active Directory group or user, right-click the pending group or user, then select the Extend existing option to open the wizard for adding a UNIX profile to an existing Active Directory group or existing Active Directory user.
Merging Pending Group Members into an Existing Group
If Access Manager did not find a potential match for a Pending Import group in Active Directory, you might want to merge the members of the Pending Import group into a group that already has a UNIX profile in the zone. If you want to add the members of a selected pending import group to an existing group profile, right-click the pending import group, then select the Merge into existing Unix group option to open the wizard for merging the membership of a pending import group with the membership of an existing UNIX group.
Deleting a UNIX Profile for a Pending Group or User
If there are no suitable candidates to map a pending import group or user, you might want to remove a pending group or user from the Pending Import list. If you want to delete a pending import group or user, you can do so by right-clicking the pending import group or user, then selecting the Delete option.
Viewing or Modifying Properties for a Pending Group or User
If there are conflicts between a pending import profile and information in Active Directory, you might need to modify the properties associated with the pending import profile before you can take any other action. If you want to view or modify the properties for a pending import group or user, right-click the pending import group or user, then select Properties.
If you select a pending group, the properties include the UNIX profile, the time of the import, the file location the information was imported from, the members of the group, and the status of the group.
If you select a pending user, the properties include the UNIX profile, the time of the import, the file location the information was imported from, and the status of the user.
Resolving Errors and Conflicts
In some cases, you might encounter errors that must be resolved before a pending import user or group can be migrated into Active Directory. For example, pending import groups cannot be imported if the group profile has any of the following problems:
- The group’s GID is negative.
- There is another UNIX group with the same GID already defined in the zone.
- There is a UNIX group with the same group name already defined in the zone.
- The matching Active Directory candidate already has a UNIX profile in the zone.
Similarly, pending import users cannot be imported if the user profile has any of the following problems:
- The user’s UID is negative.
- The user’s primary group GID is negative.
- There is a UNIX user with the same user name already defined in the zone.
In most cases, you must resolve these issues by modifying the properties for the pending import profile. For example, assume you are importing a passwd file that includes the UNIX user account pierre with the UID 1001, but there is already a UNIX profile in the zone with the UNIX name pierre and a UID of 500. After you check the status, the Pending Import list of users indicates there is an error.
To resolve a conflict like this, you might select the pending import user, right-click, then select Properties to change the UNIX user name from pierre to another name, such as pierre2. You should keep in mind, however, that conflicts like this might require investigation to determine the appropriate course of action. For example, if you are attempting to import the UNIX profile for the user pierre and there’s a conflict, you need to determine whether pierre with the UID of 1001 is the same person as pierre with a UID of 500 and where each UID is applicable. If both profiles are for one person accessing different computers, you might simply need to define a computer-level override on the specific computer where the UID of 1001 is required. If the pending import user actually refers to a different person, you might have to map the profile to a different Active Directory account or move the computer to a different zone.
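An added example, not the product’s own code, that reproduces the Check status rules from this section in Python: the candidate matching rules from Checking for Conflicts and Matching Candidates (group common name or sAMAccountName equal to the group name; user common name equal to the GECOS field or sAMAccountName equal to the UNIX name), the error conditions listed above, and the “No matching Active Directory candidate is found” warning. The zone state mirrors the pierre example (a zone profile pierre with UID 500 against a pending pierre with UID 1001) and shows that renaming the pending user to pierre2 clears the error while the candidate found through the GECOS field is kept. The data classes, the ZONE contents and the function names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Pending:
    """A Pending Import user or group: only the fields the status check compares."""
    name: str
    uid_or_gid: int
    primary_gid: int = 0      # users only
    gecos: str = ""           # users only


@dataclass
class AdObject:
    """Active Directory user or group attributes consulted during Check status."""
    cn: str
    sam_account_name: str
    has_unix_profile: bool = False   # already has a UNIX profile in this zone


@dataclass
class Zone:
    users: dict      # existing zone UNIX user name -> UID
    groups: dict     # existing zone UNIX group name -> GID
    ad_users: list
    ad_groups: list


NO_CANDIDATE = "No matching Active Directory candidate is found."


def group_candidate(group, zone):
    # Potential match: an AD group whose cn or sAMAccountName equals the UNIX group name.
    return next((a for a in zone.ad_groups
                 if group.name in (a.cn, a.sam_account_name)), None)


def user_candidate(user, zone):
    # Potential match: an AD user whose cn equals the GECOS field, or whose
    # sAMAccountName equals the UNIX user name.
    return next((a for a in zone.ad_users
                 if a.cn == user.gecos or a.sam_account_name == user.name), None)


def _result(errors, candidate):
    sam = candidate.sam_account_name if candidate else None
    if errors:
        return {"status": "Error", "candidate": sam, "messages": errors}
    if candidate is None:
        return {"status": "Warning", "candidate": None, "messages": [NO_CANDIDATE]}
    return {"status": "Ready to import", "candidate": sam, "messages": []}


def check_group(group, zone):
    """Apply the four group error conditions, then the candidate rule."""
    errors = []
    candidate = group_candidate(group, zone)
    if group.uid_or_gid < 0:
        errors.append("The group's GID is negative.")
    if group.uid_or_gid in zone.groups.values():
        errors.append("Another UNIX group with the same GID is already defined in the zone.")
    if group.name in zone.groups:
        errors.append("A UNIX group with the same name is already defined in the zone.")
    if candidate is not None and candidate.has_unix_profile:
        errors.append("The matching Active Directory candidate already has a UNIX profile in the zone.")
    return _result(errors, candidate)


def check_user(user, zone):
    """Apply the three user error conditions, then the candidate rule."""
    errors = []
    candidate = user_candidate(user, zone)
    if user.uid_or_gid < 0:
        errors.append("The user's UID is negative.")
    if user.primary_gid < 0:
        errors.append("The user's primary group GID is negative.")
    if user.name in zone.users:
        errors.append("A UNIX user with the same name is already defined in the zone.")
    return _result(errors, candidate)


def resolve_by_rename(user, new_name, zone):
    """The resolution described above: change the UNIX name in Properties, then re-run Check status."""
    renamed = Pending(new_name, user.uid_or_gid, user.primary_gid, user.gecos)
    return check_user(renamed, zone)


# Constructed zone state: the zone already holds a UNIX profile "pierre" with UID 500
# and a group "finance"; the AD objects are made up for this example.
ZONE = Zone(
    users={"pierre": 500},
    groups={"finance": 10061},
    ad_users=[AdObject("Pierre Dupont", "pierre"), AdObject("Ron Smith", "ron")],
    ad_groups=[AdObject("finance", "finance", has_unix_profile=True), AdObject("backup", "backup")],
)

PENDING_PIERRE = Pending("pierre", 1001, primary_gid=1001, gecos="Pierre Dupont")

if __name__ == "__main__":
    print(check_user(PENDING_PIERRE, ZONE))
    print(resolve_by_rename(PENDING_PIERRE, "pierre2", ZONE))
```

The rename is only the mechanical fix; as the text notes, whether pierre/1001 and pierre/500 are the same person decides between a rename, a computer-level override, or mapping to a different account, and that question is not one a script can answer.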
Resolving Warnings
In addition to the errors that prevent users or groups from being imported, there are several conditions that generate a warning. Warnings indicate potential problems that you should try to resolve. After you check the status for pending import groups and users, the most common warning is “No matching Active Directory candidate is found.” To continue, you must identify or create an Active Directory account for the pending import profile.
If you make changes to a pending import user or group to correct problems, you should click Check status after the change to check for any additional issues that might need to be resolved.
Overriding and Modifying User Properties
If you are using hierarchical zones, user profile information is inherited from parent zones into any child zones you define. You can override the inherited profile attributes at any time to create a new user profile in a specific child zone or on individual computers, if needed. Overriding profile attributes enables you to migrate legacy local accounts without modifying any existing account information or file and directory ownership.
You can also modify either the user profile or the Active Directory user account properties for any user at any time using the tool of your choice. For example, you can use Access Manager, the Access Module for Windows PowerShell, ADEdit, Active Directory Users and Computers, or the Delinea Windows API to modify the zone profile or Active Directory properties for a selected user.
To override a profile attribute in a user profile:
1. Open Access Manager.
2. Expand Zones and any parent or child zones required to select the zone name in which you want to override a profile attribute.
   For example, if you want to override the default login shell in the child zone that only AIX computers join, you might expand Child Zones to view and select the IBM AIX Only zone.
   If you want to override a profile attribute for a specific computer, expand Computers to select the computer name on which you want to override the profile attribute. For example, if you want to override the default numeric identifier for a user on the AIX computer aix6v0.ajax.org, you might expand the IBM AIX Only child zone and the Computers node to view and select the aix6v0.ajax.org computer.
3. Expand UNIX Data for the zone or computer, then select Users.
4. Select the user, right-click, then select Zone Profile.
   The profile displays the attributes inherited from the parent zone or currently set.
5. Select an attribute and provide the override value.
   For example, select Shell and type /usr/bin/ksh to give the selected user profile a different default login shell, one appropriate for an AIX computer, in the selected zone or on the selected computer.
6. Click OK to save the profile change.