11 April,19 at 11:50 AM
Introduction
One of the key features of using Centrify for AD Bridging is that it allows a single Active Directory user or group to have multiple, distinct UNIX profiles for different groups of machines (in Centrify Zones), or even on individual machines within a zone (so-called Managed Computer overrides). To make this possible, Centrify stores the UNIX profile as properties of serviceConnectionPoint objects in the Centrify Zone hierarchy in Active Directory.
In Centrify zones of the RFC2307 or Standard type, the Active Directory user or group object to which the UNIX profile links is referenced by its unique Active Directory Security Identifier (SID), stored as the value of an attribute of the serviceConnectionPoint object.
Profiles in other zone types may reference the Active Directory object differently; these other zone types are considered out of scope for this article, as the vast majority of customers implement Centrify standard hierarchical zones.
When a user or group is de-provisioned from Active Directory, the UNIX profile(s) that point to this user or group should also be de-provisioned, lest the profile becomes orphaned and prevents a new profile from being created with the same UNIX login or group name.
This article details how UNIX profiles can be de-provisioned, when to use which profile de-provisioning method, and how to deal with orphaned profiles.
Profile de-provisioning methods
Various de-provisioning methods exist, allowing interactive profile de-provisioning, or automated de-provisioning. This section details the most common methods for profile de-provisioning with Centrify.
Manual de-provisioning using the Centrify DirectManage Access console
This method consists of manually deleting the Centrify profiles in the Active Directory Users and Computers management console (also known as ADUC or dsa.msc).
In order to use the Centrify profile property pages for ADUC, the following two pre-requisites need to be met:
To manually de-provision a user or group's Centrify Zone objects using ADUC:
As this method is relatively time-consuming, it is a viable option only for environments with very low volumes of de-provisioning requests, where all requests are handled through a small number of pre-designated Windows machines running the Active Directory Users and Computers console.
Built-in support for semi-automatic de-provisioning using ADUC
For environments with higher de-provisioning volumes, Centrify provides a method to automatically delete all the user's or group's zone information when the object is deleted from Active Directory using the Active Directory Users and Computers management console, without having to go through the Centrify Profile tab and having to manually remove each Centrify zone object related to the user or group object.
In order to use the automatic zone object de-provisioning in ADUC, the following pre-requisites need to be met:
To automatically de-provision a user or group's Centrify Zone objects in ADUC:
While the above method is less time-consuming than manually deleting every single profile and role assignment, it is still only a viable option for environments with low volumes of de-provisioning requests, where all requests are handled through a small number of pre-designated Windows machines running the Active Directory Users and Computers console with the Centrify profile property page extension installed.
To remove UNIX profiles in an environment where one deals with much higher volumes of de-provisioning requests, more automation is needed. The following two methods deal with this automation:
De-provisioning using the Centrify Zone Provisioning Agent
A big advantage of using the Centrify Zone Provisioning Agent (ZPA) is that it takes care of all (de-)provisioning needs in a Zone, without any action being needed other than toggling the membership of the user or group in the provisioning group of that zone. This allows a company to delegate the (de-)provisioning of UNIX user profiles to a team that does not require extensive technical knowledge of UNIX profiles. The ZPA is not a topic of this article, as it is a well-documented subject; however, its ease of use should make one seriously consider it for (de-)provisioning processes.
Automated de-provisioning using PowerShell scripts
Centrify provides various toolboxes for larger environments, where a need exists to automate the task of detecting orphaned profiles.
To automate this task on Windows, Centrify provides a DirectControl PowerShell module, which is included on the installation media for the Centrify Server Suite consoles, and is an optional component during installation of DirectManage.
Centrify user profiles can be de-provisioned, prior to deletion of the user object, with the following PowerShell code that leverages cmdlets included with the DirectControl PowerShell module:
# Load the Centrify DirectControl cmdlets and the AD module (the latter only needed
# if you want to pass a Get-ADUser object instead of a string identity)
Import-Module Centrify.DirectControl.PowerShell
Import-Module ActiveDirectory

# Identity of the user to de-provision, in a format supported by Get-CdmUserProfile
$User_SAM_ToRemove = "alain.deloin@contoso.com"

# Collect every UNIX profile in this domain that points to the user
[System.Collections.ArrayList]$arrCdmUserProfiles = Get-CdmUserProfile -User $User_SAM_ToRemove

# Delete each profile found
foreach ($userProfile in $arrCdmUserProfiles) {
    Remove-CdmUserProfile $userProfile
}
As you can see, this script is fairly straightforward; $User_SAM_ToRemove takes a string identifying the user to de-provision, in a format supported by Get-CdmUserProfile. This can for example be in the format sAMAccountName@FullyQualifiedADDomainName; alternatively, you can pass a user object retrieved with the Get-ADUser cmdlet.
All UNIX profiles for the specified user that are found in this domain with the Get-CdmUserProfile cmdlet are loaded into an ArrayList. Then, the Remove-CdmUserProfile cmdlet is run on each profile in the ArrayList, which deletes it.
Group profiles can be de-provisioned in a very similar fashion, using the respective Get-CdmGroupProfile and Remove-CdmGroupProfile cmdlets.
If you wish to programmatically remove Role Assignments in hierarchical Centrify Zones, things get a little more complex: unlike the Get-CdmUserProfile and Get-CdmGroupProfile cmdlets, the Get-CdmRoleAssignment cmdlet does not merely take a user or group identity. It also needs a Zone object, Managed Computer object or Computer Role object to search in. This means that you first need to enumerate all the Zones in the Active Directory environment, all the Managed Computer objects and all the Computer Roles, and load the results into, for example, ArrayLists. Then each item of every list can be iterated through, and any resulting CdmRoleAssignment objects can be removed with Remove-CdmRoleAssignment.
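The following script is an added example of the enumerate-then-remove approach just described; it is not code from the original article or from Centrify. The parameter names -Domain, -Zone, -ComputerRole, -Computer and -User, and -WhatIf support on Remove-CdmRoleAssignment, are assumptions to verify with Get-Help in your installation; the $DryRun switch keeps the first run read-only so the list of assignments can be reviewed before anything is deleted.

```powershell
# Added example (not from the original article or Centrify): remove every role
# assignment for one user across all Zones, Computer Roles and Managed Computers.
# ASSUMED cmdlet parameters: Get-CdmZone -Domain, Get-CdmComputerRole -Zone,
# Get-CdmManagedComputer -Zone, Get-CdmRoleAssignment -User/-Zone/-ComputerRole/-Computer,
# Remove-CdmRoleAssignment -WhatIf. Check them with Get-Help before running.
Import-Module Centrify.DirectControl.PowerShell

$Domain            = "contoso.com"
$User_SAM_ToRemove = "alain.deloin@contoso.com"
$DryRun            = $true   # set to $false to actually delete the assignments

# 1. Enumerate every container Get-CdmRoleAssignment can search in.
$zones         = @(Get-CdmZone -Domain $Domain)
$computerRoles = [System.Collections.ArrayList]::new()
$computers     = [System.Collections.ArrayList]::new()
foreach ($zone in $zones) {
    [void]$computerRoles.AddRange(@(Get-CdmComputerRole -Zone $zone))
    [void]$computers.AddRange(@(Get-CdmManagedComputer -Zone $zone))
}

# 2. Collect the user's role assignments from each container type.
$assignments = [System.Collections.ArrayList]::new()
foreach ($zone in $zones) {
    [void]$assignments.AddRange(@(Get-CdmRoleAssignment -Zone $zone -User $User_SAM_ToRemove))
}
foreach ($cr in $computerRoles) {
    [void]$assignments.AddRange(@(Get-CdmRoleAssignment -ComputerRole $cr -User $User_SAM_ToRemove))
}
foreach ($mc in $computers) {
    [void]$assignments.AddRange(@(Get-CdmRoleAssignment -Computer $mc -User $User_SAM_ToRemove))
}

# 3. Remove them, writing one line per assignment so the run leaves an audit trail.
foreach ($ra in $assignments) {
    Write-Output ("Removing role assignment: {0}" -f $ra)
    if ($DryRun) { Remove-CdmRoleAssignment $ra -WhatIf } else { Remove-CdmRoleAssignment $ra }
}
Write-Output ("Processed {0} role assignment(s) for {1}" -f $assignments.Count, $User_SAM_ToRemove)
```

Run it once with $DryRun left at $true and keep the output alongside the de-provisioning ticket; the same structure works for groups by swapping -User for the corresponding group parameter of Get-CdmRoleAssignment.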
Automated de-provisioning using ADEdit scripts
While de-provisioning Active Directory objects may seem better suited to a Windows environment, it is by no means impossible to do on a *NIX platform. The following snippet of code shows the general approach for removing the UNIX profile of the user with sAMAccountName alain.deloin, whose user object is in the Active Directory domain contoso.com, from the zone named Global in the same domain.
#!/bin/env adedit
package require ade_lib

# Remove the profile of user_upn from the zone identified by zone_dn, if one exists
proc remove_user { zone_dn user_upn } {
    select_zone $zone_dn
    if { [catch {select_zone_user $user_upn}] } {
        # do nothing - user does not have a profile in zone
    } else {
        # user has a profile in the zone - remove it
        delete_zone_user
    }
}

# Main program variables
set domain contoso.com
set zoneDN "CN=Global,CN=Zones,OU=Centrify,DC=contoso,DC=com"
set userUPN "alain.deloin@contoso.com"

# Main program: bind to the domain, then remove the profile from the selected zone
bind $domain
remove_user $zoneDN $userUPN
The above snippet of code shows what to do for a single Centrify Zone, Managed Computer object, or Computer Role (these are all treated as Zones in ADEdit). In a production environment, you would need to enumerate all of the Zones, Managed Computer objects and Computer Roles in the Active Directory environment, and then call the remove_user procedure for each of them, passing the identity of the user to de-provision.
Group profiles and Role Assignments can be de-provisioned in a similar fashion, using the select_zone_group and delete_zone_group commands for group profiles, and the select_role_assignment and delete_role_assignment commands for Role Assignments.
Conclusion
While the various profile de-provisioning methods have been detailed above, it cannot always be guaranteed that they have been followed when a user or group object with a UNIX profile is deleted from Active Directory.
For example, a user may be deleted using a console that does not have the Centrify Profile property page extension installed, or someone may have scripted a mass-pruning of objects without taking into account the de-provisioning of Centrify Zone objects relating to these users.
As a result, after having deployed Centrify in a production environment, chances are that some of the de-provisioned Active Directory users and groups have left behind their UNIX profiles in Centrify Zones; these profiles have in effect become orphaned.
In Part 2 of the series we'll look at how to deal with these orphaned objects.