User and Group Commands in AD Bridge

User and group commands allow you to locate users or groups using filters such as name or ID. You can also list users and groups.

Find a User or a Group

You can check a domain user's or group's information by either name or ID. These commands can verify that the client can locate the user or group in Active Directory.

Find a User by Name

find-user-by-name domain\\username

Search for a user by name.

Replace domain\\username with the user's name, either as domain\\username or as the plain user name alone (which is resolved in the default domain). The double backslash keeps the shell from treating the backslash as an escape character.

/opt/pbis/bin/find-user-by-name mydomain\\trejo

Optionally set the level of detail of information that is returned.

/opt/pbis/bin/find-user-by-name --level 2 mydomain\\trejo
User info (Level-2):
====================
Name:                         trejo
SID:                          S-1-5-21-3447809367-3151979076-456401374-1135
UPN:                          trejo@MYDOMAIN.EXAMPLE.COM
Generated UPN:                NO
DN:                           CN=trejo,CN=Users,DC=MYDOMAIN,DC=EXAMPLE,DC=COM
Uid:                          239600751
Gid:                          239600770
Gecos:                        Markus Trejo
Shell:                        /bin/sh
Home dir:                     /home/MYDOMAIN/trejo-macbook/trejo-bvt
LMHash length:                0
NTHash length:                0
Local User:                   NO
Account disabled (or locked): FALSE
Account expired:              FALSE
Password never expires:       TRUE
Password Expired:             FALSE
Prompt for password change:   YES
User can change password:     YES
Days till password expires:   0
Logon restriction:            NO

Find a User by User ID

find-user-by-id UID

Search for a user by UID.

/opt/pbis/bin/find-user-by-id 593495196

Find a User in Active Directory by Security Identifier

find-by-sid SID

Find a user in Active Directory by security identifier (SID).

Run the command as root.

/opt/pbis/bin/find-by-sid S-1-5-21-382349973-3885793314-468868962-1180
User info (Level-0):
====================
Name:     EXAMPLE\hab
SID:      S-1-5-21-382349973-3885793314-468868962-1180
Uid:      593495196
Gid:      593494529
Gecos:    Jurgen Habermas
Shell:    /bin/sh
Home dir: /home/EXAMPLE/hab

Find a Group by Name

find-group-by-name domain\\groupname

Finds a group.

/opt/pbis/bin/find-group-by-name example.com\\dnsadmins

Find a Group by ID

find-group-by-id GID

Finds a group using the group ID. A caret (^) in a returned name stands in for a space in the Active Directory name (schema^admins is the built-in Schema Admins group); the caret is the agent's default space replacement character.

/opt/pbis/bin/find-group-by-id 593494534
Group info (Level-0):
====================
Name:     EXAMPLE\schema^admins
Gid:      593494534
SID:      S-1-5-21-382349973-3885793314-468868962-518

List Users or Groups

List Users

enum-users

Enumerate the users in Active Directory and view their names, user IDs, primary group IDs, and security identifiers. The AD Bridge agent enumerates users in the primary domain only. Users in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

To view full information about the users, include the level option when you execute the command: /opt/pbis/bin/enum-users --level 2.

/opt/pbis/bin/enum-users --level 2
User info (Level-2):
====================
Name:                       EXAMPLE\sduval
UPN:                        SDUVAL@EXAMPLE.COM
Generated UPN:              NO
Uid:                        593495151
Gid:                        593494529
Gecos:                      Shelley Duval
Shell:                      /bin/sh
Home dir:                   /home/EXAMPLE/sduval
LMHash length:              0
NTHash length:              0
Local User:                 NO
Account disabled:           FALSE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: NO

List Members

enum-members

Enumerate the members of a group. This command can return user or group information if they are part of the group specified.

If there are nested groups and the user runs the command /opt/pbis/bin/enum-members --group --by-name <domain name>\\<group name>, it will return the nested groups. If the user runs the command /opt/pbis/bin/enum-members --user --by-name <domain name>\\<group name>, it will return the users in that group.

/opt/pbis/bin/enum-members

Example output for users returned in a group:

User object (1) (S-1-5-21-3705731645-4233351989-3429207207-1127)
Enabled: yes
Distinguished name: CN=user,OU=thirdfloor,DC=mydomain,DC=com
SAM account name: User
NetBIOS domain name: mydomain
UPN: user@mydomain.com
Display Name: User
Alias: <null>
UNIX name: mydomain\User
GECOS: User
Shell: /bin/sh
Home directory: /home/local/mydomain/User
Windows home directory: <null>
Local windows home directory:
UID: 822608999
Primary group SID: S-1-5-21-3705731645-4233351989-3429207207-513
Primary GID: 822608385
Password expired: no
Password never expires: no
Change password on next logon: no
User can change password: yes
Account disabled: no
Account expired: no
Account locked: no

User object (2) (S-1-5-21-3705731645-4233351989-3429207207-1126)
Enabled: yes
Distinguished name: CN=user,OU=thirdfloor,DC=mydomain,DC=com
SAM account name: User
NetBIOS domain name: mydomain
UPN: mydomain.com
Display Name: User
Alias: <null>
UNIX name: mydomain\User
GECOS: User
Shell: /bin/sh
Home directory: /home/local/mydomain/User
Windows home directory: <null>
Local windows home directory:
UID: 822608998
Primary group SID: S-1-5-21-3705731645-4233351989-3429207207-513
Primary GID: 822608385
Password expired: no
Password never expires: no
Change password on next logon: no
User can change password: yes
Account disabled: no
Account expired: no
Account locked: no

User object (3) (S-1-5-21-3705731645-4233351989-3429207207-1125)
Enabled: yes
Distinguished name: CN=user,OU=thirdfloor,DC=mydomain,DC=com
SAM account name: User
NetBIOS domain name: mydomain
UPN: user@mydomain.com
Display Name: User
Alias: <null>
UNIX name: mydomain\user
GECOS: User
Shell: /bin/sh
Home directory: /home/local/mydomain/user

List Groups

enum-groups

Enumerate the groups in Active Directory and view their names, group IDs, and security identifiers. The AD Bridge agent enumerates groups in the primary domain only. Groups in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

To view full information about the groups, include the level option when you execute the command: /opt/pbis/bin/enum-groups --level 2.

/opt/pbis/bin/enum-groups

List Groups for a User

You can list the groups where a particular user is a member.

list-groups-for-user

List the groups where a particular user is a member. You can search either by user name or, with the --uid option, by user ID.

/opt/pbis/bin/list-groups-for-user --uid 593495196
/opt/pbis/bin/list-groups-for-user example\\hab
Number of groups found for user 'example\hab' : 2
Group[1 of 2] name = EXAMPLE\enterprise^admins (gid = 593494535)
Group[2 of 2] name = EXAMPLE\domain^users (gid = 593494529)
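As an added example that is not the product's own code, this shell function parses the Group[N of M] name = ... (gid = ...) lines shown above and prints any group that appears on a constructed watch list of high-privilege Active Directory groups. It ignores the DOMAIN\ prefix and translates the caret back to a space before matching, so enterprise^admins matches "enterprise admins". The sample output is constructed from the hab record above with one made-up group added.

```shell
#!/bin/sh
# Added example, not AD Bridge code: flag membership in high-privilege AD groups
# from the output of list-groups-for-user (read on stdin).

flag_privileged_groups() {
    awk '
        BEGIN {
            # Constructed watch list of built-in privileged groups; extend for your domain.
            priv["domain admins"]     = 1
            priv["enterprise admins"] = 1
            priv["schema admins"]     = 1
            priv["administrators"]    = 1
            priv["account operators"] = 1
        }
        /^Group\[/ {
            name = $0
            sub(/^.*name = /, "", name)              # keep only DOMAIN\group^name
            sub(/ \(gid = [0-9]+\)$/, "", name)      # drop the trailing gid
            key = tolower(name)
            sub(/^[^\\]*\\/, "", key)                # drop the DOMAIN\ prefix
            gsub(/\^/, " ", key)                     # ^ is the space replacement character
            if (key in priv) print name
        }
    '
}

# Constructed sample: the hab output from this page plus a made-up third group.
sample_list_groups_output() {
    cat <<'EOF'
Number of groups found for user 'example\hab' : 3
Group[1 of 3] name = EXAMPLE\enterprise^admins (gid = 593494535)
Group[2 of 3] name = EXAMPLE\domain^users (gid = 593494529)
Group[3 of 3] name = EXAMPLE\linux^sysadmins (gid = 593494600)
EOF
}

# Offline demo; on a real host:
#   /opt/pbis/bin/list-groups-for-user --uid 593495196 | flag_privileged_groups
sample_list_groups_output | flag_privileged_groups
```

Run it against every account that holds a shell on the host (for example each UID returned by enum-users) to find domain-privileged accounts that can also log on locally; an empty result means no group on the watch list was found.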