Active Directory Tool Commands in AD Bridge

AD Bridge Enterprise includes a tool to modify objects in Active Directory. Using the tool, you can:

  • Query and modify objects in Active Directory.
  • Find and manage objects in AD Bridge Cells.

Command:

/opt/pbis/bin/adtool

Help Syntax:

/opt/pbis/bin/adtool --help -a

Active Directory Commands

add-to-group

Add a domain user, group, or computer to a security group.

Add TestUser to TestGroup:

adtool -a add-to-group --user TestUser --to-group=TestGroup

Add TestGroup2 to TestGroup:

adtool -a add-to-group --group TestGroup2 --to-group=TestGroup

Add TestComputer3 to TestGroup:

adtool -a add-to-group --computer TestComputer3 --to-group=TestGroup

delete-object

Delete an object.

Delete an object (here the OU TestOU) together with all of its children, if any (--force):

adtool -a delete-object --dn OU=TestOU --force

disable-user

Disable a user account in Active Directory.

/opt/pbis/bin/adtool -a disable-user --name=user6

enable-user

Enable a user account in Active Directory.

adtool -a enable-user --name=TestUser

unlock-account

Unlock a user or computer account.

adtool -a unlock-account --user=aduser

lookup-object

Retrieve object attributes.

adtool -a lookup-object --dn=CN=RHEL7,CN=Computers,DC=company,DC=com

move-object

Move and rename an object.

Rename AD object OU=OldName and move it to a new location:

adtool -a move-object --from OU=OldName,DC=department,DC=company,DC=com --to OU=NewName,OU=TestOU,DC=department,DC=company,DC=com

new-computer

Create a computer object. This example authenticates explicitly with -d, -n and -x; a password passed with -x is visible to anyone on the host who can list processes, so prefer -x - and supply it on stdin.

/opt/pbis/bin/adtool -d domain.com -n pbisadmin -x Password1 -a new-computer --dn OU=Test,DC=domain,DC=com --name=tst-QAmachine

new-computer --keytab

Create a computer object with a keytab file. An additional option --spn can be used to set the Service Principal Name on the computer object.

adtool -a new-computer --dn "CN=<computers>,DC=<domain>,DC=<NET>" --name <ACCOUNT NAME> --password <PASSWD> --keytab-file <file.keytab> --spn="HOST, NFS"

new-group

Create a global security group.

Create a new group in OU=Groups,OU=TestOu:

adtool -a new-group --dn OU=Groups,OU=TestOu --name TestGroup

new-ou

Create an organizational unit.

Create an OU in a root naming context:

adtool -a new-ou --dn OU=TestOu

Create an OU in DC=department,DC=company,DC=com:

adtool -a new-ou --dn OU=TestOu,DC=department,DC=company,DC=com

Create an AD Bridge cell in the OU TestOU setting the default login shell property to /bin/ksh:

adtool -a new-ou --dn OU=TestOu --default-login-shell=/bin/ksh

new-user

Create a user account.

Create an account for TestUser in OU=Users,OU=TestOu:

adtool -a new-user --dn OU=Users,OU=TestOu --cn=TestUserCN --logon-name=TestUser --password=$PASSWD

new-user --keytab

Create a user account with a keytab file. The additional option --spn sets the Service Principal Name on the user object.

If an existing account has no keytab yet, a password change that includes a keytab location (--keytab-file) creates a keytab file for that account:

adtool -a reset-user-password --name <USERNAME> --password <PASSWD> --keytab-file /tmp/file.keytab --spn="NFS" --no-must-change-password

If the account already has a keytab, the key derived from the new password is added to that keytab.

To create a keytab file with new-user, you must also pass --no-must-change-password and --account-enabled: a keytab is only usable for an enabled account whose password is not going to be replaced at the next logon.

adtool -a new-user --dn "OU=<OU>,DC=<DOMAIN>,DC=<NET>" --logon-name <USER NAME> --first-name <FIRSTNAME> --last-name <LAST NAME> --password <PASSWD> --keytab-file /tmp/file.keytab --spn="NFS" --no-must-change-password --account-enabled

remove-from-group

Remove a user, group, or computer from a security group.

Remove TestUser from TestGroup:

adtool -a remove-from-group --user TestUser --from-group=TestGroup

Remove TestGroup2 from TestGroup:

adtool -a remove-from-group --group TestGroup2 --from-group=TestGroup

Remove TestComputer3 from TestGroup:

adtool -a remove-from-group --computer TestComputer3 --from-group=TestGroup

reset-user-password

Reset a user password.

Reset a user's password, reading the new password from the TestUser.pwd file on stdin (--password=-) so that it does not appear on the command line:

cat TestUser.pwd | adtool -a reset-user-password --name=TestUser --password=- --no-password-expires

search-computer

Search for computer objects, print DNs.

/opt/pbis/bin/adtool -d domain.com -a search-computer --search-base OU=Test,DC=domain,DC=com --scope subtree --name tst-QAmachine

search-group

Search for group objects, print DNs.

/opt/pbis/bin/adtool -a search-group --search-base=OU=Test,DC=schnauzers,DC=com --scope=subtree --name=testgroup0

search-object

Search for objects of any type using an LDAP filter.

Look up all attributes of an AD object using a filter-based search, piping the DN (-t) into lookup-object:

adtool -a search-object --filter '(&(objectClass=person)(displayName=TestUser))' -t | adtool -a lookup-object --dn=-

search-ou

Search for organizational units, print DNs.

Look up the description attribute of an OU specified by name with a wildcard:

adtool -a search-ou --name='*RootOu' -t | adtool -a lookup-object --dn=- --attr=description

search-user

Search for users, print DNs.

Look up the unixHomeDirectory attribute of a user with sAMAccountName TestUser:

adtool -a search-user --name TestUser -t | adtool -a lookup-object --dn=- --attr=unixHomeDirectory

Look up the userAccountControl attribute of a user with CN TestUserCN:

adtool -a search-user --name CN=TestUserCN -t | adtool -a lookup-object --dn=- --attr=userAccountControl

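The search-user | lookup-object pipelines above return userAccountControl as a raw integer bitmask. The following shell example is added here and is not part of the AD Bridge documentation: it decodes that integer into Microsoft's documented flag names and reports the flags an AD account audit should catch. Because this page does not show the exact format in which lookup-object prints the attribute, the integer is passed to the function by hand (or by your own parsing of the tool's output).

```shell
#!/bin/sh
# Decode a userAccountControl integer (as looked up with
# adtool -a lookup-object --attr=userAccountControl) into flag names and
# flag the settings worth an audit finding. Added example, not from the
# AD Bridge documentation; the bit values are Microsoft's documented
# userAccountControl flags. The integer is supplied by the caller because
# adtool's output format for the attribute is not shown on this page.

# decode_uac INTEGER -> flag names, space separated, in ascending bit order.
decode_uac() {
    uac="$1"
    out=""
    for entry in SCRIPT:1 ACCOUNTDISABLE:2 HOMEDIR_REQUIRED:8 LOCKOUT:16 \
        PASSWD_NOTREQD:32 PASSWD_CANT_CHANGE:64 ENCRYPTED_TEXT_PWD_ALLOWED:128 \
        NORMAL_ACCOUNT:512 INTERDOMAIN_TRUST_ACCOUNT:2048 \
        WORKSTATION_TRUST_ACCOUNT:4096 SERVER_TRUST_ACCOUNT:8192 \
        DONT_EXPIRE_PASSWORD:65536 SMARTCARD_REQUIRED:262144 \
        TRUSTED_FOR_DELEGATION:524288 NOT_DELEGATED:1048576 \
        USE_DES_KEY_ONLY:2097152 DONT_REQ_PREAUTH:4194304 \
        PASSWORD_EXPIRED:8388608 TRUSTED_TO_AUTH_FOR_DELEGATION:16777216
    do
        name="${entry%%:*}"
        bit="${entry##*:}"
        if [ "$(( uac & bit ))" -ne 0 ]; then
            out="$out $name"
        fi
    done
    printf '%s' "${out# }"
}

# uac_audit INTEGER -> returns 0 if no risky flag is set; otherwise prints
# the risky flags and returns 1. PASSWD_NOTREQD allows an empty password,
# DONT_REQ_PREAUTH exposes the account to AS-REP roasting, USE_DES_KEY_ONLY
# restricts Kerberos to DES keys, ENCRYPTED_TEXT_PWD_ALLOWED stores the
# password with reversible encryption, and TRUSTED_FOR_DELEGATION
# (unconstrained delegation) lets the account impersonate users who
# authenticate to it.
uac_audit() {
    bad=""
    for f in $(decode_uac "$1"); do
        case "$f" in
            PASSWD_NOTREQD|DONT_REQ_PREAUTH|USE_DES_KEY_ONLY|ENCRYPTED_TEXT_PWD_ALLOWED|TRUSTED_FOR_DELEGATION)
                bad="$bad $f" ;;
        esac
    done
    [ -z "$bad" ] && return 0
    printf '%s' "${bad# }"
    return 1
}

# Typical use: decode_uac 66050 -> ACCOUNTDISABLE NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD
```

Run decode_uac on the number returned for each account; uac_audit exits non-zero when a flag such as DONT_REQ_PREAUTH or PASSWD_NOTREQD is set, so it can serve as the check in a script that iterates over search-user results.
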
set-attr

Set or clear a value for an attribute.

A multi-valued attribute takes at most 100 values, passed as one semicolon-separated --attrValue string.

To set:

adtool -a set-attr --dn CN=$HOSTNAME-u,OU=$HOSTNAME-ou,OU=adtool,OU=automation --attrName gecos --attrValue "setattr"

To clear:

adtool -a set-attr --dn CN=$HOSTNAME-u,OU=$HOSTNAME-ou,OU=adtool,OU=automation --attrName gecos

To set multi-value:

adtool -a set-attr --dn CN=$HOSTNAME-u,OU=$HOSTNAME-ou,OU=adtool,OU=automation --attrName businessCategory --attrValue "Engineering;QA;Development"

To clear multi-value:

adtool -a set-attr --dn CN=$HOSTNAME-u,OU=$HOSTNAME-ou,OU=adtool,OU=automation --attrName businessCategory
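
As an added example (not from the AD Bridge documentation), the shell functions below build the semicolon-separated --attrValue string that set-attr expects for a multi-valued attribute, enforce the 100-value limit before anything is written, reject values that contain the separator, and run the action in read-only mode (-r) before the real write. The DN in the usage comment is an assumed placeholder.

```shell
#!/bin/sh
# Build and apply a multi-valued set-attr safely. Added example, not part of
# the AD Bridge documentation. ADTOOL can be overridden (e.g. for testing).
ADTOOL="${ADTOOL:-/opt/pbis/bin/adtool}"

# join_multivalue VALUE... -> prints "v1;v2;..." or fails with a message.
# adtool splits --attrValue on ';' and accepts at most 100 entries, so a
# value that itself contains ';' would silently become extra entries.
join_multivalue() {
    if [ "$#" -gt 100 ]; then
        echo "join_multivalue: $# values exceeds the 100-entry limit" >&2
        return 1
    fi
    joined=""
    first=1
    for v in "$@"; do
        case "$v" in
            *";"*)
                echo "join_multivalue: value contains ';': $v" >&2
                return 1 ;;
        esac
        if [ "$first" -eq 1 ]; then
            joined="$v"; first=0
        else
            joined="$joined;$v"
        fi
    done
    printf '%s' "$joined"
}

# set_multivalue DN ATTR VALUE... -> validates, dry-runs with -r, then writes.
set_multivalue() {
    dn="$1"; attr="$2"; shift 2
    value=$(join_multivalue "$@") || return 1
    "$ADTOOL" -r -a set-attr --dn "$dn" --attrName "$attr" --attrValue "$value" || return 1
    "$ADTOOL" -a set-attr --dn "$dn" --attrName "$attr" --attrValue "$value"
}

# Usage (DN is an assumed placeholder):
#   set_multivalue "CN=jdoe,OU=Users,DC=corp,DC=example,DC=com" businessCategory Engineering QA Development
```
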

AD Bridge Cell Management Commands

add-to-cell

Add a user or group to an AD Bridge cell.

Add group TestGroup to an AD Bridge cell in TestOU:

adtool -a add-to-cell --dn OU=TestOU,DC=department,DC=company,DC=com --group=TestGroup

delete-cell

Delete an AD Bridge cell.

Delete the AD Bridge cell in OU=Test,DC=domain,DC=com (--force):

/opt/pbis/bin/adtool -a delete-cell --dn=OU=Test,DC=domain,DC=com --force

edit-cell

Modify AD Bridge cell properties.

/opt/pbis/bin/adtool -a edit-cell --dn=OU=Test,DC=domain,DC=com --default-login-shell=/bin/ksh

edit-cell-group

Modify properties of a cell's group. Use /opt/pbis/bin/adtool --help -a edit-cell-group for its arguments.

edit-cell-user

Modify properties of a cell's user.

Change the login shell property of TestUser in a cell created in TestOU:

adtool -a edit-cell-user --dn OU=TestOU --user TestUser --login-shell=/usr/bin/ksh

Set the UID of testuser in the cell in OU=Test,DC=domain,DC=com:

/opt/pbis/bin/adtool -a edit-cell-user --dn=OU=Test,DC=domain,DC=com --user=CN=testuser,OU=Test,DC=domain,DC=com --uid=123456789

link-cell

Link AD Bridge Cells.

Link cell in OU=TestOU1 to the default cell in DC=country:

adtool -a link-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com --target-dn DC=country,DC=company,DC=com

lookup-cell

Retrieve AD Bridge cell properties.

Find cells linked to an AD Bridge cell in OU=TestOU,DC=department,DC=company,DC=com:

adtool -a lookup-cell --dn OU=TestOU --linked-cells

lookup-cell-group

Retrieve properties of a cell's group. Use /opt/pbis/bin/adtool --help -a lookup-cell-group for its arguments.

lookup-cell-user

Retrieve properties of a cell's user.

Look up login shell property of TestUser in a cell created in TestOU:

adtool -a lookup-cell-user --dn OU=TestOU --user TestUser --login-shell

new-cell

Create a new AD Bridge cell.

/opt/pbis/bin/adtool -a new-cell --dn=OU=Husky,DC=domain,DC=com --default-login-shell=/bin/bash

remove-from-cell

Remove a user or group from an AD Bridge cell.

Remove TestUser from an AD Bridge cell in TestOU:

adtool -a remove-from-cell --dn OU=TestOU,DC=department,DC=company,DC=com --user=TestUser

search-cells

Search for AD Bridge Cells.

Search for cells in a specific location:

adtool -a search-cells --search-base OU=department,DC=country,DC=company,DC=com

unlink-cell

Unlink AD Bridge Cells.

Unlink cell in OU=TestOU1 from the default cell in DC=country:

adtool -a unlink-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com --target-dn DC=country,DC=company,DC=com

Example:

This example shows two authentication options together (--logon-as for the account and --passwd=- to read its password from stdin) and how to search Active Directory from a computer that is not joined to the domain. The account given is an Active Directory administrative account.

root@ubuntu:/opt/pbis/bin# ./adtool -a search-cells --search-base dc=connecticut,dc=com --logon-as=Administrator --passwd=-

A successful run prompts for the password and prints the cells found:

Enter password:
CN=$LikewiseIdentityCell,DC=connecticut,DC=com
CN=$LikewiseIdentityCell,OU=mySecureOU,DC=connecticut,DC=com
Total cells: 2

Additional Commands and Options

To get information about the options for each action, use the following syntax:

/opt/pbis/bin/adtool --help -a <ACTION>

Here is an example with the information that is returned:

/opt/pbis/bin/adtool --help -a new-user
Usage: adtool [OPTIONS] (-a |--action) new-user <ARGUMENTS>
new-user - create a new user account.
Acceptable arguments ([X] - required):
--dn=STRING			DN/RDN of the parent container/OU containing the user. (use '-' 
				for stdin input)
--cn=STRING			Common name (CN) of the new user. (use '-' for stdin input)
--logon-name=STRING		Logon name of the new user.  (use '-' for stdin input) [X]
--pre-win-2000-name=STRING	Pre Windows-2000 logon name
--first-name=STRING		First name of the new user.
--last-name=STRING		Last name of the new user.
--description=STRING		Description of the user.
--password=STRING		User's password. (use '-' for stdin input)
--no-must-change-password	User is not required to change the password at next logon. If 
				omitted user must change password at next logon unless 
				"--no-password-expires" option is specified
--no-password-expires		The password never expires. If omitted - user must change password 
				on next logon.
--account-enabled		User account will be enabled. By default it is disabled on creation

Options

To view the tool's options and to see examples of how to use them, execute the following command:

/opt/pbis/bin/adtool --help

Here is an example with the information that is returned:

[root@rhel5d bin]# ./adtool --help
Usage: adtool [OPTIONS] <ACTION> [ACTION_ARGUMENTS]

HELP OPTIONS
-u, --usage			Display brief usage message
-?, --help			Show this message, help on all actions (-a), or help on a 
				specific action (-a <ACTION>).
-v, --version			Print program version and exit.

COMMON OPTIONS
-l, --log-level=LOG_LEVEL	Acceptable values: 1 (error), 2(warning), 3(info), 4(verbose) 
				5 (trace) (Default: warning).
-q, --quiet			Suppress printing to stdout. Just set the return code. print-dn 
				option makes an exception.
-t, --print-dn			Print DNs of the objects to be looked up, modified or searched for.
-r, --read-only		Do not actually modify directory objects when executing actions.

CONNECTION OPTIONS
-s, --server=STRING		Active Directory server to connect to.
-d, --domain=STRING		Domain to connect to.
-p, --port=INT			TCP port number
-m, --non-schema 		Turn off schema mode

AUTHENTICATION OPTIONS	
-n, --logon-as=STRING		User name or UPN.
-x, --passwd=STRING		Password for authentication. (use '-' for stdin input)
-k, --keytab=STRING		Full path of keytab file, e.g. /etc/krb5.keytab
-c, --krb5cc=STRING 		Full path of krb5 ticket cache file, 
				e.g. /tmp/krb5cc_foo@example.com
-z, --no-sec			Turns off secure authentication. Simple bind will be used. Use 
				with caution!

ACTION
-a, --action[=<ACTION>] 	Action to execute. Type '--help -a' for a list of actions, or 
				'--help -a <ACTION>' for information on a specific action.
Try '--help -a' for a list of actions.

Use adtool

Privileges: adtool performs the same kinds of operations as the native Microsoft Active Directory tools and is subject to the same access checks. Use an account that has the permissions required to change the Active Directory objects in question.

For example, to add a user to a security group, your account needs write permission on that group's member attribute, which members of groups such as Account Operators, Domain Admins or Enterprise Admins have by default.

For more information on Active Directory privileges, permissions, and security groups, see the following references on the Microsoft TechNet website:

Options: There are short and long options. Separate arguments from options with either space or equal sign. If you are not sure about the results of an action you want to execute, run it in read-only mode first (-r). It can also be useful to set the log level to TRACE (-l 5) to see all execution steps the tool is taking.

Authentication: adtool uses single sign-on by default if the computer is domain-joined. Otherwise it authenticates with Kerberos (krb5) using a cached ticket, a keytab file, or a user name and password, unless secure authentication is turned off with --no-sec, in which case an LDAP simple bind is used instead (the help text warns to use this with caution).

Name resolution: In most cases, you can reference objects by full DN, RDN, UPN, or whatever name makes sense for a specific action. Use a dash (-) as the value if you want the tool to read it from stdin; this lets you chain commands with pipes, such as a search action feeding a lookup action.

Multi-forest support: You can reference an object from a name context (forest) different from the one you are currently connected to, provided that there is a proper trust relation between them. In this way, for instance, you can add a user from one forest to a cell defined in another forest.

Create a New Cell: When you create a new cell, the tool adds the default primary group (domain users) to the cell. If you add a user to the cell and the user has a primary group different from the default group, which is an atypical case, you must also add the primary group to the cell. The tool does not do this automatically.

Add Users or Groups Across Domains: When you add a user or group to a cell, and if the user or group is in a domain different from the one hosting the cell, you must use an account that has write permissions in the cell domain and at least read permissions in the domain hosting the user or group.

For example, you want to add a user such as CORP\kathy, whose primary group is domain users, to a cell in a domain named CORPQA. Two conditions must be met:

  • You must be authenticated to the CORPQA domain as a user with administrative rights in the CORPQA domain.
  • Your user account must exist in the CORP domain with at least read permissions for the CORP domain.

Since, in this example, the primary group of CORP\kathy is CORP\domain users, you must also add CORP\domain users to the cell in the CORPQA domain.

Automate Commands with a Service Account: To run the tool under a service account, such as a cron job, avoid using krb5 tickets for authentication, especially those cached by the AD Bridge Enterprise authentication service in the directory. The tickets may expire, and the tool will not renew them. Instead, we recommend that you create an entry for the service account in a keytab file and use the keytab file for authentication.
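
The following shell script is an added example, not part of the AD Bridge documentation, that combines this recommendation with the reset-user-password stdin pattern shown earlier: the tool authenticates with a service-account keytab (-k/-n), and the new password is generated locally and passed through --password=- so it never appears on the command line, where arguments such as -x Password1 are visible to anyone who can list processes. The keytab path /etc/pbis/adtool.keytab, the principal svc-adtool@CORP.EXAMPLE.COM and the account name svc-backup are assumptions, not values from the page.

```shell
#!/bin/sh
# Rotate an AD account's password with adtool from a cron job.
# Added example, not from the AD Bridge documentation. Assumed (not on the
# page): the keytab path /etc/pbis/adtool.keytab and the service principal
# svc-adtool@CORP.EXAMPLE.COM. All three can be overridden via environment.
ADTOOL="${ADTOOL:-/opt/pbis/bin/adtool}"
KEYTAB="${KEYTAB:-/etc/pbis/adtool.keytab}"
PRINCIPAL="${PRINCIPAL:-svc-adtool@CORP.EXAMPLE.COM}"

# 24 random characters from /dev/urandom, written to stdout only.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=' </dev/urandom | head -c 24
}

# rotate_password USER PASSWORD_FILE
# Stores the new password in PASSWORD_FILE (mode 0600) and hands it to adtool
# on stdin through --password=-, so it never appears in argv or `ps` output.
# The tool itself authenticates with the service keytab (-k/-n) rather than a
# cached ticket, which cron cannot renew. Returns adtool's exit status.
rotate_password() {
    user="$1"
    outfile="$2"
    ( umask 077; gen_password >"$outfile" ) || return 1
    "$ADTOOL" -q -k "$KEYTAB" -n "$PRINCIPAL" \
        -a reset-user-password --name="$user" --password=- \
        --no-must-change-password <"$outfile"
}

# Usage from cron (add -r to the adtool call first to dry-run the write):
#   rotate_password svc-backup /root/svc-backup.pwd && echo rotated
```

The password file is the only place the secret lands on disk; keep it under the same access controls as the keytab, and use -r on a first run to confirm the account resolves before the real reset.
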

Work with a Default Cell: The tool uses the default cell only when the value of the parameter is the root naming context, such as when you use an expression like --dn DC=corp,DC=example,DC=com to represent corp.example.com.