Troubleshoot Accounts and Attributes

The following topics provide help with troubleshooting account issues.

Allow Access to Account Attributes

AD Bridge is compatible with Small Business Server 2003. However, because the server locks down several user account values by default, you must create a group in Active Directory for your Unix computers, add each AD Bridge client computer to it, and configure the group to read all user information.

On other versions of Windows Server, the user account values are available by default. If, however, you use an AD security setting to lock them down, they will be unavailable to the AD Bridge agent.

To find Unix account information, the AD Bridge agent requires that the AD computer account for the machine running AD Bridge be able to read the attributes in the following table.

| Attribute | Requirement |
|---|---|
| uid | Required when you use AD Bridge in schema mode. |
| uidNumber | Required when you use AD Bridge in schema mode. |
| gidNumber | Required when you use AD Bridge in schema mode. |
| userAccountControl | Required for Directory Integrated mode and Schemaless mode. It is also required for unprovisioned mode, which means that you have not created an AD Bridge Cell in Active Directory. |

To allow access to account attributes:

  1. In Active Directory Users and Computers, create a group named Unix Computers.
  2. Add each AD Bridge client computer to the group.
  3. In the console tree, right-click the domain, choose Delegate Control, click Next, click Add, and then enter the group named Unix Computers.
  4. Click Next, select Delegate the following common tasks, and then in the list select Read all user information.
  5. Click Next, and then click Finish.
  6. On the target Linux or Unix computer, restart the AD Bridge agent to reinitialize the computer account’s logon to Active Directory and to get the new information about group membership.
  7. Run /opt/pbis/enum-users to verify that you can read user information.
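Steps 1 through 5 can also be scripted. The following is an added example, not part of the AD Bridge documentation. It assumes the ActiveDirectory (RSAT) PowerShell module, rights to edit the domain ACL, hypothetical client names `linuxhost01` and `linuxhost02`, and that the wizard task "Read all user information" corresponds to Read Property on descendant user objects.

```powershell
# Added example: scripted equivalent of steps 1-5 (not vendor code).
Import-Module ActiveDirectory

$GroupName = 'Unix Computers'                 # group name from step 1
$Clients   = @('linuxhost01', 'linuxhost02')  # hypothetical AD Bridge client computers

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$Trustee  = '{0}\{1}' -f $Domain.NetBIOSName, $GroupName

# Step 1: create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# Step 2: add each client computer account, skipping unknown names and existing members.
$members = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object DistinguishedName)
foreach ($name in $Clients) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'"
    if ($null -eq $computer) {
        Write-Warning "No computer account named '$name' in $DomainDN"
        continue
    }
    if ($members -notcontains $computer.DistinguishedName) {
        Add-ADGroupMember -Identity $GroupName -Members $computer
    }
}

# Steps 3-5: grant the group Read Property (RP) on all properties of user
# objects below the domain root. /I:S applies the ACE to sub-objects only.
# Assumption: this is the permission the "Read all user information" task sets.
& dsacls.exe $DomainDN /I:S /G "${Trustee}:RP;;user" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "dsacls failed with exit code $LASTEXITCODE"
}

# Check: list the ACEs now held by the group on the domain root.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $Trustee } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

The final command should show a ReadProperty entry for the group that is inherited by descendant user objects. Steps 6 and 7 still have to be performed on each Linux or Unix computer.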

For more information, see Storage Modes in the AD Bridge Installation Guide.