WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
"SFU schema attributes appear as a Centrify Zone on the user properties page in Active
Directory Users and Computers" in the section "Microsoft Services for UNIX schema
extensions" earlier in this guide.
You can also modify these properties with the Centrify DirectControl Administrator
Enabling Active Directory Groups and Users for UNIX
When you use DirectControl to join a UNIX or Linux computer to an Active Directory
domain, the same type of digital identity is used for the new UNIX or Linux account as is
used for a Windows account. When you join a computer to the domain, a computer
account is set up for the UNIX computer in Active Directory. You can view or edit this
computer account in either Active Directory Users and Computers or in the DirectControl
Although you typically create Active Directory user or group accounts by using Active
Directory Users and Computers, you can also import users or groups from UNIX
configuration files or from NIS domains. After a user account is stored in Active Directory,
you can enable or disable access to UNIX computers as needed.
Giving UNIX Access to Groups
Before giving UNIX access to users (covered in the next section), you must first create at
least one UNIX-enabled Active Directory group account that you can use for the primary
group identifier (GID) for all UNIX-enabled users (or for a subset of UNIX-enabled users).
Depending on your site configuration, you might want to provide different default groups
for different users in your actual deployment.
You can use either of the following two methods to give an existing Active Directory
group access to UNIX:
• You can use Active Directory Users and Computers to open the Properties page for
a group, and then click the Centrify Profile tab to specify UNIX properties for the
• You can use the Centrify DirectControl Administrator Console to add an existing
Active Directory group to any Centrify DirectControl Zone.
The following procedure shows you how to use the second method.
To add Active Directory groups to a Centrify DirectControl Zone
1. On the Windows computer, open the Centrify DirectControl Administrator Console.
2. In the console tree, click Zones, and then open the Zone name to which you want to
add the Active Directory group. For example, open the default Zone.
Groups, and then click Add Group to Zone.
4. Type a search string to locate the group, and then click Find Now. For example, type
to display the groups FinanceUsers and FinanceAdmins.
5. Select both groups in the results, and then click OK.
6. Review the UNIX profile settings for the FinanceAdmins group, make any changes,
and then click OK.
7. Review the UNIX profile settings for the FinanceUsers group, make any changes,
and then click OK.
8. After you add the group to the Zone, you can view or change the UNIX properties by
opening the group's property page in Active Directory Users and Computers or in the
DirectControl Administrator Console and selecting the Centrify Profile tab.
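
Because every UNIX-enabled user needs a primary GID that belongs to a UNIX-enabled group, it is worth checking that mapping after groups are added to a Zone. The script below is an added example, not part of the Centrify guide: it reads passwd/group-format text and flags users whose primary GID matches no group, and also groups that share a GID. The file layout, the sample GIDs and UIDs, and the idea of feeding it `getent passwd` and `getent group` output from a joined host are assumptions.

```shell
#!/bin/sh
# Added example (not from the Centrify guide). Input is passwd(5)/group(5)
# format text; on a joined host it could come from `getent passwd` and
# `getent group` (assumption: zone accounts are visible through NSS).

# check_primary_gids PASSWD_FILE GROUP_FILE
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_primary_gids() {
    awk -F: '
        /^#/ || NF < 4 { next }                 # skip comments, malformed lines
        mode == "g" {                           # group: name:passwd:gid:members
            if ($3 in gname) { print "DUPLICATE_GID", $3, gname[$3], $1; bad = 1 }
            else gname[$3] = $1
            next
        }
        mode == "p" && !($4 in gname) {         # passwd: name:passwd:uid:gid:...
            print "ORPHAN_PRIMARY_GID", $1, $4; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' mode=g "$2" mode=p "$1"
}

# write_sample DIR: constructed sample data (GIDs and UIDs are made up).
write_sample() {
    cat > "$1/group" <<'EOF'
FinanceUsers:x:10001:
FinanceAdmins:x:10002:
EOF
    cat > "$1/passwd" <<'EOF'
alice:x:20001:10001:Alice:/home/alice:/bin/sh
bob:x:20002:10002:Bob:/home/bob:/bin/sh
carol:x:20003:10099:Carol:/home/carol:/bin/sh
EOF
}

# Demo run on the constructed sample: carol's primary GID has no group.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
check_primary_gids "$demo_dir/passwd" "$demo_dir/group" || echo "findings above"
rm -rf "$demo_dir"
```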