Adding and Provisioning an Evaluation User and Group

Before any Active Directory users can log on to the Verify Privilege Server Suite-managed computer, you must provision an Active Directory account with UNIX profile attributes and assign the user a role that has login privileges. To demonstrate the process in the evaluation, you will create a new Active Directory user, provision the user with a UNIX profile, and assign the user basic access privileges.

To create a new Active Directory user with access to the Verify Privilege Server Suite-managed computer

  1. Open Active Directory Users and Computers and create a new User object.

    1. Fill in the First, Last, and the User logon name fields.

    2. Type and confirm a password and select the Password never expires option.

    3. Acknowledge the warning, click Next, then click Finish.

  2. Create a new Active Directory group in the UNIX Groups organizational unit you created under the IBM Security organizational unit.

    1. For the Group name enter Login Users.

    2. Select Global as the scope for the group and Security for the type of group, then click OK.

  3. Add the evaluation user to the Login Users group.

    1. Select the user you created in Step 1, right-click and select Add to a group.

    2. Select the Login Users group, then click OK.

  4. Provision a UNIX profile for the new user using Access Manager.

    1. Expand the Zones node, select the Headquarters zone, right-click, then select Add User.

    2. Select the user you created for the evaluation.

    3. Select Define user UNIX profile only and deselect Assign roles.

    4. Accept the default values for all profile properties.

    5. Review your selections, click Next, then click Finish.

  5. Assign the default UNIX Login role to the Login Users group using Access Manager.

    1. Expand the Authorization node under the Headquarters zone.

    2. Select Role Assignments, right-click, then select Assign Role.

    3. Select the UNIX Login role and click OK.

    4. Click Add AD account.

    5. Change the object type to find from User to Group, then search for and select the Login Users group, then click OK.

    6. Click OK to complete the role assignment.

Verify Access by Logging On

The Active Directory user can now log on to any UNIX or Linux computer that has joined the domain and the parent zone.

To verify the user can log on using Active Directory credentials

  1. Open a terminal on your joined Linux or UNIX computer and switch to the root account.

  2. Run adflush to clear the cache of the Verify Privilege Server Suite Agent for *NIX.

    This step simply ensures that the agent will make a new connection to Active Directory to get the latest user and group information.

  3. Log off as root.

  4. Log in using the Active Directory credentials for the evaluation user you created and added to the Login Users group.
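The following script is an added example for the verification step above; it is not part of the product documentation. It assumes the computer is already joined, that adflush is on the PATH when run as root, and that the evaluation user's logon name (placeholder "evaluser") is passed as the first argument. It flushes the agent cache, resolves the user through NSS with getent, and checks that the returned UNIX profile has the fields an interactive login needs, so a missing or stale profile is caught before the manual login attempt.

```shell
#!/bin/sh
# verify_ad_login.sh: post-provisioning check for the evaluation user.
# Added example (not product code). Assumes: joined computer, adflush on PATH
# when run as root, evaluation user logon name given as $1 (e.g. "evaluser").

# Return 0 if a passwd(5)-style line looks like a usable UNIX profile:
# 7 colon-separated fields, numeric UID and GID, absolute home directory,
# and a shell that is not a nologin/false placeholder.
validate_passwd_entry() {
    entry=$1
    [ -n "$entry" ] || return 1
    fields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    [ "$fields" -eq 7 ] || return 1
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    case $home in /*) ;; *) return 1 ;; esac
    case $shell in ''|*/nologin|*/false) return 1 ;; esac
    return 0
}

# Flush the agent cache (root only, as in step 2 above) so the lookup reflects
# current Active Directory data, then resolve the user through NSS and validate
# the UNIX profile that the zone returned for it.
verify_user_profile() {
    user=$1
    if [ "$(id -u)" -eq 0 ] && command -v adflush >/dev/null 2>&1; then
        adflush
    fi
    entry=$(getent passwd "$user") || { echo "no UNIX profile resolved for $user"; return 1; }
    validate_passwd_entry "$entry" || { echo "profile for $user is not usable for login: $entry"; return 1; }
    echo "profile OK: $entry"
    return 0
}

# Usage: sh verify_ad_login.sh evaluser
if [ $# -gt 0 ]; then
    verify_user_profile "$1" \
        && echo "now log in as $1 with the Active Directory password to confirm the UNIX Login role"
fi
```

The script only confirms that the profile resolves; the interactive login in step 4 is still the check that the UNIX Login role assignment took effect.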