Perform Administrative Tasks Using Commands

Most administrative tasks can be performed using Access Manager on a Windows computer or by using ADEdit commands or scripts from a Server Suite-managed computer that has access to the Active Directory domain controller. In some cases, however, there are operations that you must, or prefer to, perform locally on a managed computer by executing command-line programs.

The command-line programs allow you to perform administrative tasks, such as joining or leaving a domain or generating diagnostic information, directly in a UNIX shell. Many of the command-line programs require administrative privileges or must be run as root to perform privileged operations. You can define command rights for these programs to grant other users permission to run them.

The following table provides a summary of the command-line programs for access control and privilege management that are installed with the Server Suite Agent for *NIX. For complete information about the options you can specify for any command, see the man page for that command.

| This command | Enables you to do this |
|---|---|
| adcache | Clear the local cache on a computer. You can use this command to clear all cached information or a specific cache file. You can also use the command to check a cache file for a specific key value and to reclaim disk space. |
| adcheck | Check the operating system, network, and Active Directory connections to verify that a computer is ready to join an Active Directory domain. |
| adchzone | Move a joined computer from a classic zone to a hierarchical zone. Before moving a computer with this command, you must use admigrate to migrate the classic zone to a hierarchical zone. |
| adclient | Start, stop, or manage operations for the Server Suite Agent process on a local computer. In most cases, you should start and stop adclient using a startup script. |
| addebug | Start or stop detailed logging activity for the Server Suite Agent (adclient) process on a local computer. If you do not specify an option, the addebug command displays its current status, indicating whether logging is active or disabled. You must be logged in as root to run this command. |
| addbloader | Create a database file with zone information. You can then use the adreport command to generate reports from this file, or read it with standard tools. |
| addns | Update DNS records on an Active Directory-based DNS server in environments where the DHCP server cannot update DNS records automatically. |
| adfinddomain | Display the domain controller associated with the Active Directory domain you specify. |
| adfixid | Resolve UID and GID conflicts and change the ownership of a local user’s files to match the user and group IDs defined for the user in Active Directory. |
| adflush | Clear the cache on a local computer. Executing adflush with no options expires the domain controller and global catalog caches. |
| adgpupdate | Retrieve group policies from the Active Directory domain controller and apply the policy settings to the local computer and current user immediately. |
| adid | Display the real and effective UIDs and GIDs for the current user or a specified user. |
| adinfo | Display detailed Active Directory, network, and diagnostic information for a local computer. Options control the type of information and level of detail displayed. |
| adjoin | Add the local host computer to the specified Active Directory domain. You must log in as root to run the adjoin command. |
| adkeytab | Create and manage Kerberos key tables (*.keytab files) and coordinate changes with the Kerberos key distribution center (KDC) provided by Active Directory. The arguments required and options available depend on the operation you want to perform. |
| adleave | Remove the local host computer from its current Active Directory domain. You must log in as root to run the adleave command. |
| adlicense | Enable or disable licensed features on a local computer. You must log in as root to run the adlicense command. |
| admanagelocal | Display currently managed local accounts and the status of local account management, and force a foreground sync of local accounts. |
| admigrate | Migrate information from a classic zone to a hierarchical zone. You can migrate a classic zone to a new peer hierarchical zone, or you can specify a parent zone for the migration. |
| adobfuscate | Obscure sensitive information, such as email addresses, host names, and user names, that might be recorded in a log file before sending the file to Delinea for analysis. You must create a pattern file to use with this command. The command reads the pattern file and replaces items matching the patterns specified with generic values. |
| adpasswd | Change the password of the user executing the command or change the password of another Active Directory user. |
| adquery | Query Active Directory for information about users and groups from the command line on a Delinea-managed computer. This command is provided for backward compatibility. In most cases, you should use adedit commands or scripts to perform administrative tasks in Active Directory from Linux or UNIX computers. |
| adreload | Force the Server Suite Agent process (adclient) to reload the configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory. |
| adreport | Generate user, computer, command, and role assignment reports for a zone. You must run the addbloader command to create a database containing information about a zone before you can run this command to generate a report. |
| adrmlocal | Report and remove local user names that duplicate Active Directory user names. |
| adsendaudittrailevent | Specify where to send audit trail events. You can choose to send audit trail events to the syslog facility, the Server Suite auditing service, or both. |
| adsetgroups | View or change the list of groups available for the current user. |
| adsmb | Perform file operations, such as getting a file, writing a file, or displaying the contents of a directory, using the Server Suite smb stack. |
| adsshauthkeys | Retrieve all public keys for a single user from the user object in Active Directory. |
| adupdate | Update user and group account information from the command line on a Server Suite-managed computer. This command is provided for backward compatibility. In most cases, you should use adedit commands or scripts to perform administrative tasks in Active Directory from Linux or UNIX computers. |
| dzdo | Execute a privileged command as root or another specified user. You must be assigned a role that grants privileged command rights to use this command. |
| dzedit | Edit a file as root or another user. |
| dzinfo | Display detailed information about the configuration of rights and roles for one or more specified users on the local computer. If you do not specify a user, the command returns information for the currently logged on user. |
| dzsh | Run commands in a restricted environment shell. This shell is a customized Bourne shell that provides environment variables, job control, command history, and access to specific commands defined by roles. |
| ldapadd | Open a connection to the Active Directory domain controller or another LDAP server to add new entries. |
| ldapcompare | Open a connection to the specified Active Directory domain controller or another LDAP server to compare LDAP entries. You can use this command to determine whether a specified entry has a particular attribute-value combination. The only information returned is whether the comparison evaluated to true or false. No other information about the entry is provided. |
| ldapdelete | Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to delete the specified entry or entries. |
| ldapmodify | Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to modify the specified entry or entries. |
| ldapmodrdn | Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to move or rename the specified entry or entries. |
| ldapsearch | Open a connection to the specified Active Directory domain controller or another LDAP server using the provided distinguished name and password to locate and retrieve the specified entry or entries. |
| nisflush | Clear the Server Suite Network Information Service cache on a local computer, or restart the service without flushing the cache. You must be logged in as the root user to run this command. |