ADEdit Tcl Procedure Library Reference
This section describes the commands in the ade_lib Tcl library. The command descriptions are in alphabetical order. The syntax of each command shows optional elements in [square brackets] and variables in italics.
add_user_to_group
Use the add_user_to_group command to add an Active Directory user to an Active Directory group.
Syntax
add_user_to_group user group
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Desription |
|---|---|---|
| user | string | Required. Specifies the user principal name (UPN) of the Active Directory user to add. |
| group | string | Required. Specifies the UPN of the Active Directory group to which to add the user. |
Return value
This command returns nothing if it runs successfully.
Examples
add_user_to_group adam.avery@acme.com pubs@acme.com
Related Tcl library commands
The following commands perform actions related to this command:
create_adusercreates a new Active Directory user account and sets its password.create_adgroupcreates a new Active Directory group account and specifies its scope.create_usercreates a new zone user based on an existing Active Directory user, assigns field values to the new user, and saves the new user to Active Directory.create_groupcreates a new zone group based on an existing Active Directory group, assigns it a UNIX name and group ID, and saves the new group to Active Directory.remove_user_from_groupremoves an Active Directory user from an Active Directory group.
convert_msdate
Use the convert_msdate command to specify a Microsoft date value from an Active Directory object field such as pwdLastSet and convert it into a human-readable form.
Syntax
convert_msdate msdate
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| msdate | string | Required. Specifies the Microsoft date value for conversion. |
Return value
This command returns the day of the week, the day of the month, the time of day using a 24-hour clock, the time zone, and the year.
Examples
convert_msdate [get_object_field pwdLastSet]
This example returns converted into a format similar to this:
Thu Mar 24 14:40:26 PDT 2010
The unseen value returned by get_object_field pwdLastSet in this example was 12914026824062500, which was converted to a human-readable time and date.
Related Tcl library commands
None.
create_adgroup
Use the create_adgroup command to create a new Active Directory group account with a specified distinguished name (DN), sAMAccountName, and group scope.
Syntax
create_adgroup dn sam gscope`
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| dn | string | Required. Specifies the distinguished name of the new group. |
| sam | string | Required. Specifies the sAMAccountName of the new group. |
| gscope | string | Required. Specifies the scope for the new group. The possible values are: global universal local (for Domain local) |
Return value
This command returns nothing if it runs successfully.
Examples
create_adgroup {CN=pubs,CN=Users,DC=acme,DC=com} pubs global
This example creates the group pubs with a global scope in the Active Directory Users container.
create_adgroup {CN=ApacheAdmins,OU=Unix Groups,OU=ACME,DC=acme,DC=com} pubs global
This example creates the group ApacheAdmins in the organizational unit Unix Groups, which is in the organizational unit ACME.
Related Tcl library commands
The following commands perform actions related to this command:
create_adusercreates a new Active Directory user account and sets its password.create_usercreates a new zone user based on an existing Active Directory user, assigns field values to the new user, and saves the new user to Active Directory.create_groupcreates a new zone group based on an existing Active Directory group, assigns it a UNIX name and group ID, and saves the new group to Active Directory.add_user_to_groupadds an Active Directory user to an Active Directory group.remove_user_from_groupremoves an Active Directory user from an Active Directory group.
create_aduser
Use the create_aduser command to create a new Active Directory user account with a specified distinguished name (DN), user principal name (UPN), sAMAccountName, and password.
Syntax
create_aduser dn upn sam pw ?dname? ?gname? ?spn? ?gecos?
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| dn | string | Required. Specifies the distinguished name of the new user. |
| upn | string | Required. Specifies the user principal name of the new user. |
| sam | string | Required. Specifies the sAMAccountName of the new user. |
| pw | string | Required. Specifies the password for the new user. |
| dname | string | Optional. Specifies the displayName for the new user. |
| gname | string | Optional. Specifies the givenName for the new user. |
| spn | string | Optional. Specifies the servicePrincipalName for the new user. |
| gecos | string | Optional. Specifies the gecos for the new user. |
Return value
This command returns nothing if it runs successfully.
Examples
create_aduser {CN=ulysses urkham,CN=Users,DC=acme,DC=com} ulysses.urkham@acme.com ulysses.urkham {5$6fEr2B}
This example creates a new Active Directory user account ulysses.urkham@acme.com.
Related Tcl library commands
create_adgroupcreates a new Active Directory group account and specifies its scope.create_usercreates a new zone user based on an existing Active Directory user, assigns field values to the new user, and saves the new user to Active Directory.create_groupcreates a new zone group based on an existing Active Directory group, assigns it a UNIX name and group ID, and saves the new group to Active Directory.add_user_to_groupadds an Active Directory user to an Active Directory group.remove_user_from_groupremoves an Active Directory user from an Active Directory group.
create_assignment
Use the create_assignment command to create a new role assignment for a user or group and save it to Active Directory.
Syntax
create_assignment upn role[/zonename] [from] [to] [description]
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| upn | string | Required. Specifies the user principal name of the Active Directory user or group to whom to assign the role. |
| role*/[zonename]* | string | Required. Specifies the name of the role to assign and (optional) the name of the zone in which the role is assigned. If the zone name is present, a slash(/) separates the role name and the zone name. If the zone name isn’t present, the role assignment occurs in the currently selected zone. |
| from | string | Optional. Specifies the start date and time for the role assignment. The start date and time can be expressed using the format: yr-mon-day hour:min |
| to | string | Optional. Specifies the expiration date and time for the role is assignment. The expiration date and time can be expressed using the format: yr-mon-day hour:min |
| description | string | Optional. Specifies a description of the role assignment. |
Return value
This command returns nothing if it runs successfully.
Examples
create_assignment ulysses.urkham@acme.com admin/support {} {} “Test assignment”
This example creates a role assignment for the rights defined in the role “admin” from the “support” zone to the user Ulysses Urkham. The role assignment is set to start immediately (by specifying ) and never expire (by specifying the second ) and has an optional description.
create_assignment amy@example.demo mgr {2021-03-31 10:51} {2021-03-31 12:51}
This example creates a role assignment for the rights defined in the role “mgr” from the current zone to the user amy@example.com. This role assignment is set to start at a specific time and expire two hours later and has no description.
Related Tcl library commands
None.
create_dz_command
Use the create_dz_command command to create a new UNIX privileged command in the currently selected zone.
Syntax
create_dz_command dzc cmd ?desc? ?form? ?dzdo_runas? ?dzsh_runas? ?flags? ?pri? ?umask? ?path? ?selinux_role? ?selinux_type?
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| name | string | Required. Specifies the name to assign to the new UNIX command. |
| command | string | Required. Specifies the UNIX command string or strings. You can use wild cards or a regular expression. |
| description | string | Optional. Specifies text describing the UNIX command. |
| form | integer | Optional. Specifies whether the command and path strings use wild cards (0) or a regular expression (1). |
| dzdo_runas | string | Optional. Specifies the list of users and groups that can run this command under dzdo (similar to sudo). Users can be listed by user name or UID. |
| selinux_role | string | Optional. Specifies the SELinux role to use when constructing a new security context for command execution. Note that selinux_role is only supported on Red Hat Enterprise Linux systems and effective only on systems with SELinux enabled and joined to a hierarchical zone. |
| selinux_type | string | Optional. Specifies the SELinux type to use when constructing a new security context for command execution. Note that selinux_type is only supported on Red Hat Enterprise Linux systems and effective only on systems with SELinux enabled and joined to a hierarchical zone. |
| dzsh_runas | string | Optional. Specifies the list of users and groups that can run this command in the restricted shell environment (dzsh). Users can be listed by user name or UID. |
| flags | integer | Optional. Specifies an integer that defines a combination of different properties for the command. For more information about setting this field, see set_dzc_field. |
| pri | integer | Optional. Specifies the command priority for the restricted shell command object. For more information about setting this field, see set_dzc_field. |
| umask | integer | Optional. Specifies an integer that defines who can execute the command. For more information about setting this field, see set_dzc_field. |
| path | string | Optional. Specifies the path to the command’s location. You can use wild cards, a regular expression, or one of the following keywords: USERPATH to set to the command path to the equivalent of the Standard user path option. SYSTEMPATH to set to the path to the equivalent of the Standard system path option. SYSTEMSEARCHPATH to set to the path to the equivalent of the System search path option. If you don’t specify this argument, the default is USERPATH. |
Return value
This command returns nothing if it runs successfully.
Examples
create_dz_command testvi vi {Test UNIX command vi} {} {sfapps:perez,cody} {} {16}
Related Tcl library commands
None.
create_group
Use the create_group command to create a new zone group for the currently selected zone. This command creates the new group based on an existing Active Directory group. It also assigns the new group a new UNIX profile that includes the UNIX group name and the UNIX group numeric identifier (GID).
Syntax
create_group upn name gid ?req?
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| upn | string | Required. Specifies the user principal name of the Active Directory group to use as the basis for the new zone group. |
| name | string | Required. Specifies the UNIX group name of the new zone group. For hierarchical zones only, specifying “-” unsets the name value. |
| gid | string | Required. Specifies the UNIX group ID to assign to the new zone group. For hierarchical zones only, specifying “-” unsets the gid value. |
| req | string | Optional. Specifies whether the zone group is required. Set the value to 1, y, yes, or true if the group is required in the zone or to 0, n, no, or false if the group in not required in the zone. All other values throw an exception. If a group is required, users cannot remove the group from their active set of groups. |
Return value
This command returns nothing if it runs successfully.
Examples
create_group pubs@acme.com pubs 1094
Related Tcl library commands
The following commands perform actions related to this command:
create_adusercreates a new Active Directory user account and sets its password.create_adgroupcreates a new Active Directory group account and specifies its scope.create_usercreates a new zone user based on an existing Active Directory user, assigns field values to the new user, and saves the new user to Active Directory.add_user_to_groupadds an Active Directory user to an Active Directory group.remove_user_from_groupremoves an Active Directory user from an Active Directory group.
create_nismap
Use the create_nismap command to create a new NIS map in the currently selected zone.
Syntax
create_nismap map key:value comment
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| map | string | Required. Specifies the name of the new NIS map |
| key | string | Required. Specifies the key of the NIS map entry. |
| value | string | Required. Specifies the value of the NIS map entry. |
| comment | string | Required. Specifies the comment for the NIS map entry. |
Return value
This command returns nothing if it runs successfully.
Examples
create_nismap animals {{cat:1 {The cat says "Mew\!".}} {cow:1 {The cow says "Moo\!".}}}
Related Tcl library commands
None.
create_pam_app
Use the create_pam_app command to create a new PAM application access right in the currently selected zone.
Syntax
create_pam_app name application description
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| name | string | Required. Specifies the name to assign to the new PAM application access right. |
| application | string | Required. Specifies the name of the PAM application that is allowed to use the adclient PAM authentication service. The name can be literal, or it can contain ? or * wild card characters to specify multiple applications. Note that in a classic zone, setting the application field changes the name of the PAM application right. For example, assume you create a new PAM application right in a classic zone using a command like this: create_pam_app myftp newftp “Sample PAM FTP application”. The PAM application right itself will be renamed as newftp:list_pam_appsnewftp:Sample PAM FTP application. Therefore, in a classic zone, you should always specify the same string for the name and application arguments. In a hierarchical zone, you can specify different strings for the arguments. |
| description | string | Optional. Specifies the text describing the PAM application. |
Return value
This command returns nothing if it runs successfully.
Examples
create_pam_app testvi vi {Test UNIX command vi}
Related Tcl library commands
None.
create_role
Use the create_role command to create a new role definition in the currently selected zone.
Syntax
create_role name description sysrights pamrights cmdrights allowlocal rsenv visible
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| name | string | Required. Specifies the name to assign to the new role. |
| description | string | Specifies the text string that describes the role. |
| sysrights | integer | Specifies the system rights granted to the role. This value is an integer that represents a combination of binary flags, one for each system right. This field is not applicable in classic zones. |
| pamrights[/zonename] | string | Specifies the PAM application rights to add to the currently selected role. If the PAM application right that you want to add is defined in the current zone, the zonename argument is optional. If the PAM application right is defined in a zone other than the currently selected zone, the zonename argument is required to identify the specific PAM application right to add. |
| cmdrights[/zonename] | string | Specifies the UNIX command rights to add to the currently selected role. If the UNIX command right that you want to add is defined in the current zone, the zonename argument is optional. If the UNIX command right is defined in a zone other than the currently selected zone, the zonename argument is required to identify the specific UNIX command right to add. |
| allowlocal | Boolean | Specifies whether local users can be assigned to the role. If this argument is specified, local users can be assigned to the role. This argument is only applicable if the zone is a hierarchical zone. |
| rsenv | string | Specifies a restricted shell environment for the role you are creating. This argument is only applicable if the zone is a classic zone. |
| visible | Boolean | Specifies whether the account profiles for Active Directory users in the role are visible on computers in the zone. This argument is only applicable if the zone is a hierarchical zone. |
Return value
This command returns nothing if it runs successfully.
Examples
create_role dba {Database admins - US} 11 {{oracle} {ftp}} {{testvi} {ora-stp}}
Related Tcl library commands
None.
create_rs_command
Use the create_rs_command command to create a new restricted shell command for the currently selected restricted shell environment.
Syntax
create_rs_command rsc_name cmd description form dzsh_runas flags pri umask path
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| rsc_name | string | Required. Specifies the name of the restricted shell command. |
| cmd | string | Required. Specifies the restricted shell command string or strings. You can use wild cards or a regular expression. |
| description | string | Optional. Specifies the text describing the restricted shell command. |
| form | integer | Optional. Indicates whether the cmd and path strings use wild cards (0) or a regular expression (1). |
| dzsh_runas | string | Optional. Specifies the list of users and groups that can run this command in a restricted shell environment (dzsh). Users can be listed by user name or UID. |
| flags | string | Optional. Specifies an integer that specifies a combination of different properties for the command. For more information about setting this field, see set_rsc_field. |
| pri | integer | Optional. Specifies the command priority for the restricted shell command object. For more information about setting this field, see set_rsc_field. |
| umask | integer | Optional. Specifies an integer that defines who can execute the command. For more information about setting this field, see set_rsc_field. |
| path | string | Optional. Specifies the path to the restricted command. You can use wild cards, a regular expression, or one of the following keywords: USERPATH to set to the command path to the equivalent of the Standard user path option. SYSTEMPATH to set to the path to the equivalent of the Standard system path option. SYSTEMSEARCHPATH to set to the path to the equivalent of the System search path option. If you don’t specify this argument, the default is USERPATH. |
Return value
This command returns nothing if it runs successfully.
Examples
create_rs_command test_id id {Sample restricted command description}
Related Tcl library commands
The following commands perform actions related to this command:
create_rs_envcreates a new restricted shell environment.
create_rs_env
Use the create_rs_env command to create a new restricted shell environment for the currently selected zone.
Syntax
create_rs_env rse_name rse_description
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| rse_name | string | Required. Specifies the name of the new restricted shell environment. |
| rse_description | string | Optional. Specifies the description for the new restricted shell environment. |
Return value
This command returns nothing if it runs successfully.
Examples
create_rs_env restrictedenv “This is a restricted shell environment”
Related Tcl library commands
The following commands perform actions related to this command:
create_rs_commandcreates a new restricted shell command.
create_user
Use the create_user command to create a new zone user for the currently selected zone. This command creates the new user based on an existing Active Directory user. It also assigns the new user a new UNIX profile that includes the user name, user ID, primary group ID, GECOS data, home directory, shell type, and role (or in classic zones whether the user is enabled or disabled).
You can assign the new user a role in a non-classic zone or you can enable or disable the new user in a classic zone. In a non-classic zone, create_user uses whatever role you specify to create a new role assignment object that links the new zone user to the specified role.
Syntax
create_user UPN uname uid gid gecos home shell role
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| UPN | string | Required. Specifies the user principal name of the Active Directory user to use as the basis for the new zone user. |
| uname | string | Required. Specifies the user name of the new zone user. For hierarchical zones, you can specify a dash (-) for this argument if you don’t want to set the user name. |
| uid | string | Required. Specifies the user ID for the new zone user. For hierarchical zones, you can specify a dash (-) for this argument if you don’t want to set the user ID. |
| gid | string | Required. Specifies the group ID for the new zone user. For hierarchical zones, you can specify a dash (-) for this argument if you don’t want to set the group ID. |
| gecos | string | Required. Specifies the GECOS value (new user account information) for the new zone user. For hierarchical zones, you can specify a dash (-) for this argument if you don’t want to set the GECOS value. You can’t set the GECOS value if the currently selected zone is a classic zone. |
| home | string | Required. Specifies the home directory for the new zone user. For hierarchical zones, you can specify a dash (-) for this argument if you don’t want to set the home directory. |
| shell | string | Required. Specifies the shell type for the new zone user. For hierarchical zones, you can specify a dash (-) for this argument if you don’t want to set the shell type. |
| role | string or Boolean value | Required. For classic zones, this argument determines whether to enable or disable the new zone user. A value of 1, Y, or y enables the user. Any other value disables the user. For hierarchical zones, this argument identifies the role to assign to the new zone user. You can specify a dash (-) for this argument if you don’t want to set the role. However, a role must be assigned before the new zone user has access to computers in hierarchical zones. |
Return value
This command returns nothing if it runs successfully.
Examples
create_user ulysses.urkham@acme.com ulysses 1005 - - %{home}/%{user} %{shell} -
This example creates a zone user “ulysses” based on the Active Directory user ulysses.urkham@acme.com. It sets a UID, does not set a GID or GECOS value by using dashes, sets home and shell values, and does not set a role value (specified by using a dash).
Related Tcl library commands
create_adusercreates a new Active Directory user account and sets its password.create_adgroupcreates a new Active Directory group account and specifies its scope.create_groupcreates a new zone group based on an existing Active Directory group, assigns it a UNIX name and group ID, and saves the new group to Active Directory.add_user_to_groupadds an Active Directory user to an Active Directory group.remove_user_from_groupremoves an Active Directory user from an Active Directory group.
decode_timebox
Use the decode_timebox command to convert an internal timebox value that defines when a role is enabled or disabled into a format that can be evaluated. The command converts the internal hexadecimal value for a role timebox to a hexadecimal timebox value format as described in Timebox Value Format.
The command returns a 168-bit value in hexadecimal format that delineates the hours of the week from midnight Sunday to 11 PM Saturday in order from most-significant bit to least-significant bit. If a bit is set to 1, its corresponding hour is enabled for the role. If set to 0, its corresponding hour is disabled.
This command is useful for deciphering the value returned by the get_role_field for the timebox field.
Syntax
decode_timebox strTimeBox
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| strTimeBox | hex | A 42-digit hexadecimal timebox value. A value of zero disables all hours of the week. A value of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF enables all hours of the week. |
Return value
This command returns a decoded hexadecimal value that is the timebox value for a role.
Examples
>select_role test1
>get_role_field timebox
FFF7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>package require ade_lib
1.0
>decode_timebox [grf timebox]
This example returns the decoded 42 hexadecimal that indicates the role is disabled from midnight to one on Sunday:
7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Related Tcl library commands
The following commands perform actions related to this command:
encode_timeboxconverts a readable timebox value to an internal timebox format.modify_timeboxdefines an hour of the week and enables or disables that hour in the timebox value.
encode_timebox
Use the encode_timebox command to convert a human-readable timebox value that defines the when a role is enabled or disabled to an internal timebox value format.
The command converts the hexadecimal timebox value format described in Timebox Value Format to the internal hexadecimal value for a role. The command accepts a 168-bit value in hexadecimal format that delineates the hours of the week from midnight Sunday to 11 PM Saturday from most-significant bit to leastsignificant bit. If a bit is set to 1, its corresponding hour is enabled for the role. If set to 0, its corresponding hour is disabled.
This command is useful for setting the timebox field with the set_role_field command.
Syntax
encode_timebox strTimeBox
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| strTimeBox | hex | A 42-digit hexadecimal timebox value. A value of zero disables all hours of the week. A value of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF enables all hours of the week. |
Return value
This command returns a decoded hexadecimal value that is the timebox value for a role.
Examples
>package require ade_lib
>set tb 7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>encode_timebox \$tb
This example returns the encoded 42 hexadecimal that indicates the role is disabled from midnight to one on Sunday:
FFF7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Related ade_lib Tcl library commands
The following commands perform actions related to this command:
decode_timeboxconverts an internal timebox value to a decipherable format.modify_timeboxdefines an hour of the week and enables or disables that hour in the timebox value.
explain_groupType
Use the explain_groupType command to convert a groupType value from an Active Directory object field into human-readable form.
Syntax
explain_groupType gt
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| gt | string | Required. A groupType value for conversion. |
Return value
This command returns a hexadecimal version of the supplied value followed by the names of any flags that are set in the value.
Examples
explain_groupType [get_object_field groupType]
This example returns:
80000004 DOMAIN_LOCALSECURITY
The unseen value returned by get_object_field groupType in this example was -2147483644, which was converted to the hexadecimal value 80000004 and the name of the set flag DOMAIN_LOCALSECURITY.
Related Tcl library commands
The following commands perform actions related to this command:
explain_trustAttributesconverts a trustAttributes value from an Active Directory object into human-readable form.explain_trustDirectionconverts a trustDirection value from an Active Directory object into human-readable form.explain_userAccountControlconverts a userAccountControl value from an Active Directory object into human-readable form.
explain_ptype
Use the explain_ptype command to translate the account type for a role assignment into a descriptive text string.
Syntax
explain_ptype pt
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| pt | string | Required. Specifies the ptype value returned for a role assignment that you want to convert to a text string. |
Return value
This command returns a text string that describes the type of account associated with a role assignment.
Examples
select_role_assignment "lulu@acme.test/UNIX Login"
get_role_assignment_field ptype
a
explain_ptype a
This example returns:
All AD users
The following table summarizes the descriptive names for different account types that can be associated with a role assignment:
| Account type | |
|---|---|
| Local UNIX user | # |
| Local UNIX group | % |
| Local Windows User | $ |
| Local Windows Group | : |
| All AD users | a |
| All Unix users | x |
| All Windows users | w |
explain_trustAttributes
Use the explain_trustAttributes command to convert a trustAttributes value from an Active Directory object field into human-readable form.
Syntax
explain_trustAttributes ta
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| ta | string | Required. A trustAttributes value for conversion. |
Return value
This command returns a hexadecimal version of the supplied value followed by the names of any flags that are set in the value.
Examples
explain_trustAttributes [get_object_field trustAttributes]
This example returns:
8 FOREST_TRANSITIVE
The unseen value returned by get_object_field trustAttributes in this example was 8, which was converted to the hexadecimal value 8 and the name of the set flag DOMAIN_LOCALSECURITY.
Related Tcl library commands
The following commands perform actions related to this command:
explain_groupTypeconverts a groupType value from an Active Directory object into human-readable form.explain_trustDirectionconverts a trustDirection value from an Active Directory object into human-readable form.explain_userAccountControlconverts a userAccountControl value from an Active Directory object into human-readable form.
explain_trustDirection
Use the explain_trustDirection command to convert a trustDirection value from an Active Directory object field into human-readable form.
Syntax
explain_trustDirection td
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| td | string | Required. A trustDirection value for conversion. |
Return value
This command returns the English version of the trust direction specified by the trustDirection value.
Examples
explain_trustDirection [get_object_field trustDirection]
This example returns:
two-way
Related Tcl library commands
The following commands perform actions related to this command:
explain_groupTypeconverts a groupType value from an Active Directory object into human-readable form.explain_trustAttributesconverts a trustAttributes value from an Active Directory object into human-readable form.explain_userAccountControlconverts a userAccountControl value from an Active Directory object into human-readable form.
explain_userAccountControl
Use the explain_userAccountControl command to convert a userAccountControl value from an Active Directory object field into a human-readable form.
Syntax
explain_userAccountControl uac
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| uac | string | Required. A userAccountControl value for conversion. |
Return value
This command returns a hexadecimal version of the supplied value followed by the names of any flags that are set in the value.
Examples
explain_userAccountControl [get_object_field userAccountControl]
returns:
10200 ADS_UF_NORMAL_ACCOUNT ADS_UF_DONT_EXPIRE_PASSWD
The unseen value returned by get_object_field userAccountControl in this example was 66048, which was converted to the hexadecimal value 10200 and the name of the set flags ADS_UF_NORMAL_ACCOUNT and ADS_UF_DONT_EXPIRE_PASSWD.
Related Tcl library commands
The following commands perform actions related to this command:
explain_groupTypeconverts a groupType value from an Active Directory object into human-readable form.explain_trustAttributesconverts a trustAttributes value from an Active Directory object into human-readable form.explain_trustDirectionconverts a trustDirection value from an Active Directory object into human-readable form.
get_all_zone_users
Use the get_all_zone_users command to check Active Directory and return a list of zone users defined within the specified zone and all of its parent zones. If executed in a script, this command does not output its list to stdout, and no output appears in the shell where the script is executed.
Note that this command does not use the currently selected zone to find its list of users. It uses instead the zone specified as an argument for the command. It ignores the currently selected zone. The selected zone remains the selected zone after the command executes.
Syntax
get_all_zone_users [-upn] zone_DN
Abbreviation
None.
Options
This command takes the following option:
| Option | Type | Description |
|---|---|---|
| -upn | string | Return user names in the Tcl list as universal principal names (UPNs). |
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| zone_DN | string | Required. The distinguished name (DN) of the zone for which to return users. |
Return value
This command returns a Tcl list of zone users defined in the currently selected zone and all of its parent zones. Each entry in the list is in the format sAMAccountName@domain. If a zone user is an orphan user (its corresponding Active Directory user no longer exists), the user is listed by its security identifier (SID) instead of the sAMAccountName.
If the -upn option is present, each entry in the returned Tcl list is a universal principal name (UPN).
Examples
get_all_zone_users engineering
The example returns the list of zone users:
adam.avery@acme.com
brenda.butler@acme.com
chris.carter@acme.com
dave.douglas@acme.com
elliot.evans@acme.com
Related Tcl library commands
The following commands perform actions related to this command:
create_usercreates a new zone user and user profile based on a specified Active Directory user.create_groupcreates a new zone group and group profile based on a specified Active Directory group.get_effective_groupsreturns a Tcl list of groups to which a specified user belongs.
get_effective_groups
Use the get_effective_groups command to return the list of effective groups from current zone up the zone hierarchy. Only groups who have a complete profile—whether defined in the current zone or inherited from a parent zone—are included.
The command supports hierarchical zone and classic zones. For classic zones, the command starts from current zone. For hierarchical zones, you can start the search for effective groups at the computer level by specifying the -hostname option.
You can use the adinfo command to return the computer name.
Syntax
get_effective_groups [-hostname computer_name]
Options
This command takes the following option:
| Option | Type | Description |
|---|---|---|
| -hostname | string | Specifies the name of the computer to start the search at the computer or computer role level if you run the command in a hierarchical zone with computer-level overrides or computer roles. If you don’t specify this option, the search starts in the current zone and computer roles are ignored. |
Return value
This command returns a Tcl list of groups with complete profiles in the currently selected zone and all of its parent zones.
Example
get_effective_groups -hostname centos7.ajax.com
The example returns the list of effective groups starting at the computer level for the computer named centos7.ajax.com.
get_effective_users
Use the get_effective_users command to return the list of effective users from current zone up the zone hierarchy. Only users who have a complete profile—whether defined in the current zone or inherited from a parent zone—are included. Similarly, only users who have a role assignment in the current zone or inherited from a parent zone are included.
The command supports hierarchical zone and classic zones. For classic zones, the command starts from current zone. For hierarchical zones, you can start the search for effective users at the computer level by specifying the -hostname option.
Syntax
get_effective_users [-hostname computer_name]
Options
This command takes the following option:
| Option | Type | Description |
|---|---|---|
| -hostname | string | Specifies the name of the computer to start the search at the computer or computer role level if you run the command in a hierarchical zone with computer-level overrides or computer roles. If you don’t specify this option, the search starts in the current zone and computer roles are ignored. |
Return value
This command returns a Tcl list of users with complete profiles and at least one role assignment in the currently selected zone and all of its parent zones.
Example
get_effective_users -hostname centos7.ajax.com
The example returns the list of effective users starting at the computer level for the computer named centos7.ajax.com.
get_user_groups
Use the get_user_groups command to check Active Directory for a specified user and return a list of the groups to which the user belongs. If executed in a script, this command does not output its list to stdout, and no output appears in the shell where the script is executed.
Syntax
get_user_groups [-dn] [-z] user_DN|user_UPN
Abbreviation
None.
Options
This command takes the following options:
| Option | Description |
|---|---|
| -dn | Return groups in the Tcl list as distinguished names (DNs) instead of user principal names (UPNs). |
| -z | Restricts the Tcl list of groups to groups that belong to the current zone. |
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| user_DN|user_UPN | string | Required. The user whose groups to return. This argument may specify the user with a distinguished name (DN) or a user principal name (UPN). |
Return value
This command used without options returns a Tcl list of all groups listed in Active Directory to which the specified user belongs. Each entry in the list is the user principal name (UPN) of a group that you can use to look up that group.
If the -dn option is set, the Tcl list uses distinguished names (DNs) for groups.
If the -z option is set, the Tcl list is restricted to groups that belong to the currently selected zone.
Note that the command will not return groups for domains that aren’t currently bound to ADEdit. If the command finds one or more groups outside of the currently bound domains, it will return a “no binding” message for each unbound domain in which it finds a user’s group.
Examples
get_user_groups fred.forth@acme.com
This example returns a list of groups:
poweradmins@acme.com auditors@acme.com
Related Tcl library commands
The following commands perform actions related to this command:
create_groupcreates a new zone group and group profile based on a specified Active Directory group.create_usercreates a new zone user and user profile based on a specified Active Directory user.get_all_zone_usersreturns a Tcl list of zone users for the specified zone and all of its parent zones.
get_user_role_assignments
Use the get_user_role_assignments command to retrieve all of the role assignments in the current zone for a specified user. This command returns all of the role assignments from the groups to which the user belongs and the role assignments assigned directly to the user account.
The command checks Active Directory for the user you specify, identifies the groups that the user is a member of, then returns all the role assignments for the list of groups the user is a member and that have been specifically assigned to the user account, including any user role assignments made in computer roles for the currently selected zone.
Syntax
get_user_role_assignments [-visible] [-hostname hostname] user_DN
Abbreviation
None.
Options
This command takes the following option:
| Option | Description |
|---|---|
| -visible | Specifies that you want to return only visible role assignments in the zone. Use this option to return role assignments for the roles that are identified as visible. This option is only applicable in hierarchical zones. |
| -hostname | Specifies the computer name to search for role assignments to the user in computer roles. If you set this option, the command checks for computer role assignments in the currently selected zone. |
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| user_DN | string | Required. Specifies the user whose role assignments you want to return. You can use this argument to specify the distinguished name (DN) for a user or a group. |
Return value
This command returns a list of all role assignments for the specified Active Directory user in the currently selected zone.
Note that the command does not return role assignments for all zones where the user might be assigned a role.
Examples
select_zone
“cn=northamerica,cn=zones,ou=acme,dc=pistolas,dc=org”
get_user_role_assignments
“cn=amy.adams,cn=users,dc=pistolas,dc=org”
This example returns a list of groups:
{amy.adams@pistolas.org/UNIX Login/northamerica}
{admsf@pistolas.org/Root/sanfrancisco}
{apps@pistolas.org/demos/seattle}
Related Tcl library commands
The following commands perform actions related to this command:
get_all_zone_usersreturns a Tcl list of zone users for the specified zone and all of its parent zones.get_effective_groupsreturns a list of the groups to which the user belongs.
list_zones
Use the list_zones command to list the zones within a specified domain along with information about each zone. If executed in a script, this command outputs its list to stdout so that the output appears in the shell where the script is executed. The command does not return a Tcl list back to the executing script. Use the ADEdit command get_zones to return a Tcl list.
Syntax
list_zones domain
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| domain | string | Required. The name of the domain in which to list zones. |
Return value
This command returns a list to stdout of the zones within the specified domain. Each entry in the list contains:
- `The zone’s distinguished name (DN)
- `The zone type: tree (supported in Verify Privilege Server Suite 2012 or later), classic3 or classic4
- `The schema used in the zone
Each entry component is separated from the next by a colon (:).
Examples
list_zones
This example returns a list of zones similar to this:
{CN=default,CN=Zones,CN=Acme,DC=acme,DC=com} : classic4 : std
{CN=cz1,CN=Zones,CN=Acme,DC=acme,DC=com} : tree : std
{CN=cz2,CN=Zones,CN=Acme,DC=acme,DC=com} : tree : std
{CN=global,CN=Zones,CN=Acme,DC=acme,DC=com} : tree : rfc
Related Tcl library commands
The following commands perform actions related to this command:
create_assignmentcreates a new role assignment and saves it to Active Directory.precreate_computercreates a zone profile and, if necessary, a new Active Directory computer account.
lmerge
Use the lmerge command to merge and sort the specified lists. You specify the lists to merge as arguments. You must enclose the list commands you want to merge in square brackets.
Syntax
lmerge [list1] [list2] [list[...]]
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| [list1] | string | Specifies the list command that return the information you want to include first in the merged results. |
| [list2) | string | Specifies the list command that return the information you want to include second in the merged results. |
| [list[...]] | string | Specifies any additional list commands that return information you want to include in the merged results. |
Return value
This command returns nothing if it runs successfully.
Examples
lmerge [list_zone_users] [list_zone_computers] [list_roles]
This example returns a merged list of zone users, zone computers, and zone roles similar to this:
fred@pistolas.org:fred:580398:648:%{u:displayName}:%{home}/%{user}:%{shell}:
lane@pistolas.org:lane:580397:648:%{u:displayName}:%{home}/%{user}:%{shell}:
maya@pistolas.org:maya:580320:648:%{u:displayName}:%{home}/%{user}:%{shell}:
ubu1$@pistolas.org: cpus(1) agentVersion(CentrifyDC 5.2.0): ubu1.pistolas.org
nic3$@pistolas.org: cpus(2) agentVersion(CentrifyDC 5.2.0): nic3.pistolas.org
Rescue - always permit login
listed
UNIX Login
UnixAdminRights
Windows Login
You can specify the list arguments using full command names or abbreviations. For example:
lmerge [lszc] [lspa]
ubu1$@pistolas.org: cpus(1) agentVersion(CentrifyDC 5.2.0): ubu1.pistolas.org
nic3$@pistolas.org: cpus(2) agentVersion(CentrifyDC 5.2.0): nic3.pistolas.org
dzssh-all/Headquarters : dzssh-* : All of ssh services
login-all/Headquarters : * : Predefined global PAM permission. Do not delete.
Related Tcl library commands
None.
modify_timebox
Use the modify_timebox command to modify a timebox value that defines the hours of a week when a role is enabled or disabled. The command defines an hour of the week and then enables or disables that hour in the timebox value. This command is very useful in the set_role_field ADEdit command when setting the timebox field.
Execute this command multiple times on a timebox value to set more than one hour in the value.
For more information about the timebox value format, read the Timebox Value Format.
Syntax
modify_timebox strTimeBox day hour avail
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| strTimeBox | hex | A 42-digit hexadecimal timebox value. A value of zero disables all hours of the week. A value of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF enables all hours of the week. |
| day | integer | Required. The day of the week when the hour occurs. 0=Sunday, 1=Monday, and so on to 6=Saturday. |
| hour | integer | Required. The hour of the day to enable or disable. Takes a value from 0 to 23. 0 is from midnight to 1 AM, 1 is from 1 AM to 2 AM, and so on to 23, which is from 11 PM to midnight. |
| avail | integer | Required. Whether to enable or disable the specified hour. 0=disable; all other values=enable. |
Return value
This command returns a hexadecimal value that is the timebox value after enabling or disabling the specified hour of the week.
Examples
set tb 000000000000000000000000000000000000000000
set tb [modify_timebox $tb 6 23 1]
This example returns the modified timebox value:
800000000000000000000000000000000000000000
Related Tcl library commands
The following commands perform actions related to this command:
decode_timeboxconverts an internal timebox value to a decipherable format.encode_timeboxconverts a readable timebox value to an internal timebox format.
precreate_computer
Use the precreate_computer command to create a zone profile for a computer in Active Directory before using the adjoin command to join the domain. The zone profile—a serviceConnectionPoint (scp) object—is usually created by the adjoin command when a computer joins the domain. In some cases, however, creating the zone profile before joining is useful. For example, preparing the computer object before joining enables you to check that you have user profiles and role assignments correctly defined before you join UNIX computers to zones. Verifying this information before the join operation helps to ensure a smooth migration without disrupting users’ access to files or applications.
The zone profile is part of an Active Directory computer object. If an Active Directory computer object doesn’t exist, precreate_computer can create one and then add the zone profile to the new Active Directory computer object. The zone profile is created in ADEdit’s currently selected zone. You can also use the precreate_computer command to specify a container where Active Directory will store the new Active Directory computer object.
You can use the precreate_computer command to create a service connection point for a new or existing Active Directory computer object. You can also use the command to create a computer-specific zone for machine-level zone overrides (in essence a one-computer zone) for the precreated computer. You should note that performing these tasks requires access to the global catalog by default. You can intentionally skip the global catalog search if you know the service connection point you are creating is unique in the forest. However, skipping the global catalog search might prevent you from joining the computer to the domain if there is a conflict.
The precreate_computer command also sets the Active Directory computer object’s password and permissions when creating a zone profile. The password is the computer’s host name in lower case. The permissions the computer object has are:
- Read and Write permissions to the operatingSystemServicePack, operatingSystem, and operatingVersion attributes of the computer object.
- Read permission for the userAccountControl attribute of the computer object.
- Validate write to the servicePrincipalName and dNSHostName attributes.
You can use precreate_computer to specify a DNS name for the precreated computer and one or more trustees for the precreated computer. Each trustee can be either a user or a group, and has the rights needed to join the computer to the precreated computer account using adjoin.
Use the precreate_computer command option, enctype, to specify encryption types.
The precreate_computer command is similar to using adjoin -precreate, but provides more options and flexibility. You can also precreate computer accounts using Access Manager. For more information about precreating computer accounts, See the Administrator’s Guide for Linux and UNIX.
Syntax
precreate_computer *samaccount@domain*[-ad] [-scp] [-czone] [-all] [-container *rdn*]
[-dnsname *dnsname*] [licensetype *type*] [-trustee *upn*[-trustee *upn*] ...] [nogc]
[stype *spn* [-stype *spn*] ...] [-enctype type [-enctype type] ...]
[-notdelegateanyright] [-password <password>]
Options
This command takes the following options:
| Option | Description |
|---|---|
| -ad | Creates an Active Directory computer object. precreate_computer won’t create an Active Directory computer object if it already exists for the computer specified by the argument upn. Note that if no options specify Active Directory computer object creation and no Active Directory computer object already exists, precreate_computer will fail. |
| -all | Creates an Active Directory computer object (if one doesn’t exist already), a service connection point for the computer object, and a computer zone for the computer object: in essence all of the previous three options combined. |
| -container | Stores the new Active Directory computer object (if created) in the Active Directory container specified by rdn, which is the relative distinguished name (RDN) of the container. The root of the specified Active Directory container is the distinguished name (DN) of the current domain. precreate_computer appends the RDN to the root DN to come up with the container DN. |
| -czone | Creates a computer zone for the computer object. |
| -dnsname | Sets the DNS name for the computer account to the provided DNS name. If this option isn’t present, the precreate_computer command automatically sets the DNS name for the computer account. It derives the DNS name from the computer’s sAMAccount name and the domain name. |
| -enctype | Set the msDS encryption types permitted in precreate _computer command. Default is 31. Options are: aes256-cts-hmac-sha1-96, aes256-cts aes128-cts-hmac-sha1-96, aes128-cts arcfour-hmac, rc4-hmac, arcfour-hmac-md5 des-cbc-md5, des des-cbc-crc |
| -licensetype | Specifies the type of license a computer uses. The valid values are server workstation |
| -nogc | Allows you to create the computer account without binding to a global catalog domain controller. You should only use this option if you know the computer scp object does not exist in the domain. |
| -notdelegateanyright | Allows you to create the computer account without delegating any rights. If you specify this option, note that the -trustee option has no effect. |
| -password | Specifies the password for the computer. If you don't specify a password, the service uses the default password. |
| -scp | Creates a service connection point for the Active Directory computer object. |
| -stype | Specifies the service principal types to create for a precreated computer account. You can specify multiple -stype options, with each specifying a different service principal type. If you don’t specify this option, the precreate_computer command automatically creates the several default service principal names for the following service principal types: ipp afpserver nfs cifs ftp http host For each type of service, the precreate_computer command specifies two service principal names in the form of serviceName/computerName and serviceName/computerName.domain.com. For example: ftp/rhel6 ftp/rhel6.acme.com If you specify one or more -stype options, only the service principal names for those service types are created for the precreated computer account. |
| -trustee |
Gives the user or group specified by the upn argument permission to join a computer to the precreated computer account. You can specify multiple -trustee options, with each specifying a different user or group, to give multiple users and groups permission to join a precreated computer to a zone.
|
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| samaccount@domain | string | Required. Specifies the name of the computer account and the domain to join. The computer name is the sAMAccountName for the account in the form of computer$. For example: engserv$@acme.com |
Return value
This command returns nothing if it runs successfully.
Examples
precreate_computer redhat\$@acme.com -trustee adam.avery@acme.com
\-trustee martin.moore@acme.com -enctype arcfour-hmac
This example precreates a zone profile in the currently selected zone for the computer “redhat$@acme.com”, and specifies as trustees the Active Directory users Adam Avery and Martin Moore.
Because the example does not include the -stype option, this example also automatically creates the following default service principal names for services on the computer:
ipp/redhatandipp/redhat.acme.comafpserver/redhatandafpserver/redhat.acme.comnfs/redhatandnfs/redhat.acme.comcifs/redhatandcifs/redhat.acme.comftp/redhatandftp/redhat.acme.comhttp/redhatandhttp/redhat.acme.comhost/redhatandhost/redhat.acme.com
Related Tcl library commands
The following commands perform actions related to this command:
list_zonesreturns a list of zones in a specified domain to stdout.create_assignmentcreates a new role assignment and saves it to Active Directory.
remove_user_from_group
Use the remove_user_from_group command to remove an Active Directory user from an Active Directory group.
Syntax
remove_user_from_group user group
Options
This command takes no options.
Arguments
This command takes the following arguments:
| Argument | Type | Description |
|---|---|---|
| user | string | Required. The user principal name (UPN) of the Active Directory user to remove. |
| group | string | Required. The UPN of the Active Directory group from which to remove the user. |
Return value
This command returns nothing if it runs successfully.
Examples
remove_user_from_group adam.avery@acme.com pubs@acme.com
Related Tcl library commands
The following commands perform actions related to this command:
create_adusercreates a new Active Directory user account and sets its password.create_adgroupcreates a new Active Directory group account and specifies its scope.create_usercreates a new zone user and user profile based on an existing Active Directory user.create_groupcreates a new zone group and group profile based on an existing Active Directory group.add_user_to_groupadds an Active Directory user to an Active Directory group.
set_change_pwd_allowed
Use the set_change_pwd_allowed command to modify the ADS_UF_PASSWD_CANT_CHANGE flag in the UserAccountControl attribute. This flag controls whether an Active Directory user can change his or her domain password. You must specify the distinguished name of a valid Active Directory user account that should be allowed to change his or her password.
Syntax
set_change_pwd_allowed userdn
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| userdn | string | Required. Specifies the distinguished name of the Active Directory user who is allowed to change his or her password. |
Return value
This command returns nothing if it runs successfully.
Examples
set_change_pwd_allowed
CN=frank.smith,CN=Users,DC=ajax,DC=test
get_object_field sd
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
This example deselects the “User cannot change password” account property for the Active Directory user frank.smith.
Related Tcl library commands
The following commands perform actions related to this command:
create_adusercreates a new Active Directory user account and sets the password for the account.set_change_pwd_deniedprevents an Active Directory user from changing the domain password for his or her account.
set_change_pwd_denied
Use the set_change_pwd_denied command to modify the ADS_UF_PASSWD_CANT_CHANGE flag in the UserAccountControl attribute. This flag controls whether an Active Directory user can change his or her domain password. You must specify the distinguished name of a valid Active Directory user account that should not be allowed to change his or her password.
Syntax
set_change_pwd_denied userdn
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| userdn | string | Required. Specifies the distinguished name of the Active Directory user who is not allowed to change his or her password. |
Return value
This command returns nothing if it runs successfully.
Examples
set_change_pwd_denied CN=adam.avery,CN=Users,DC=ajax,DC=test
get_object_field sd
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
This example selects the “User cannot change password” account property for the Active Directory user adam.avery.
Related Tcl library commands
The following commands perform actions related to this command:
create_adusercreates a new Active Directory user account and sets the password for the account.set_change_pwd_allowedallows an Active Directory user to change the domain password for his or her account.