11 April 2019 at 11:50 AM
A while back, I wrote an article for this technical forum outlining the use cases and functionality of the adrmlocal and adfixid commands that ship with the DirectControl agent installed on the UNIX servers.
Follow this link to review that article: Using adrmlocal and adfixid
While adrmlocal does a good job of removing /etc/passwd entries that duplicate UNIX user accounts now stored in AD and served by the DirectControl agent, it leaves untouched any user, shared or service account entry that has no counterpart in AD.
Some of these accounts may be managed by a configuration tool, e.g. Puppet, Chef or Ansible. Others may eventually be managed by Centrify: passwords vaulted and rotated with MFA/2FA enabled (CIS/CPS), privileged/sudo rights centrally managed (DirectAuthorize/dzdo), and Kerberos ticketing.
But there will also be accounts across the local UNIX environment that are simply no longer needed. Leaving these local accounts active is a security risk (a dormant account with a static password is a ready-made foothold) and is likely to end up on an audit report. You could spend time writing a script to collect the password files and sort through each entry programmatically to identify the abandoned local accounts. Or you could delegate the task to a junior systems administrator, who will most likely log into every server and identify and remove the abandoned local accounts by hand, line by line.
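For reference, this is roughly what the scripted route looks like. It is an added example, not code from the original post or from any Centrify tool. It takes copies of /etc/passwd gathered from several hosts, a set of user names that AD now serves through the agent (the entries adrmlocal would clear), and an allowlist of accounts that are deliberately kept local, then reports which local-only accounts remain on which hosts, sorted by UNIX name, and emits a dry-run removal plan that preserves home directories. The host names, sample passwd lines, the AD_USERS set, the KEEP list and the UID 1000 boundary are all constructed assumptions.

```python
#!/usr/bin/env python3
"""Consolidate copies of /etc/passwd collected from several hosts and flag
the local accounts that adrmlocal would leave behind.

Added example, not Centrify code. The sample passwd lines, host names, the
AD user set and the KEEP allowlist below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Assumption: people and service accounts live at UID >= 1000; lower UIDs are
# OS-owned system accounts that a clean-up must never touch.
SYSTEM_UID_MAX = 999


class PasswdEntry(NamedTuple):
    host: str
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(host: str, text: str) -> List[PasswdEntry]:
    """Parse the 7-field passwd format; reject a malformed line loudly
    rather than silently skipping an account."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"{host}:{lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(host, name, int(uid), int(gid), gecos, home, shell))
    return entries


def classify(e: PasswdEntry, ad_users: Set[str], keep: Set[str]) -> str:
    """Bucket an entry the way the clean-up needs to treat it."""
    if e.name in ad_users:
        return "in_ad"      # duplicate of an AD account: adrmlocal handles it
    if e.name in keep:
        return "managed"    # allowlisted (config management, vaulted service account)
    if e.uid <= SYSTEM_UID_MAX:
        return "system"     # OS account, leave alone
    return "orphan"         # local-only account that needs review


# user name -> host -> (classification, entry)
Report = Dict[str, Dict[str, Tuple[str, PasswdEntry]]]


def consolidate(files: Dict[str, str], ad_users: Set[str], keep: Set[str]) -> Report:
    """Merge the per-host passwd copies into one view keyed by UNIX name."""
    report: Report = defaultdict(dict)
    for host, text in files.items():
        for e in parse_passwd(host, text):
            report[e.name][host] = (classify(e, ad_users, keep), e)
    return report


def orphans(report: Report) -> Dict[str, List[str]]:
    """Orphan accounts sorted by UNIX name, each with the hosts still carrying it."""
    out: Dict[str, List[str]] = {}
    for name in sorted(report):
        hosts = sorted(h for h, (cls, _) in report[name].items() if cls == "orphan")
        if hosts:
            out[name] = hosts
    return out


def removal_plan(orphan_map: Dict[str, List[str]]) -> List[str]:
    """Dry-run commands: userdel WITHOUT -r, so home directories survive
    until someone has reviewed their contents (swap sudo for dzdo as needed)."""
    return [f"ssh {host} sudo userdel {name}"
            for name, hosts in orphan_map.items() for host in hosts]


# Constructed sample input: two hosts' /etc/passwd files.
SAMPLE_PASSWD = {
    "web01": """
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
deploy:x:1002:1002:deploy svc:/home/deploy:/bin/bash
oldadmin:x:1003:1003::/home/oldadmin:/bin/bash
""",
    "db01": """
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
oldadmin:x:1003:1003::/home/oldadmin:/bin/bash
bkpuser:x:1500:1500:backup:/home/bkpuser:/sbin/nologin
""",
}
AD_USERS = {"jsmith"}   # assumption: users AD now serves via the agent
KEEP = {"deploy"}       # assumption: managed by a config tool, stays local

if __name__ == "__main__":
    rep = consolidate(SAMPLE_PASSWD, AD_USERS, KEEP)
    found = orphans(rep)
    for name, hosts in found.items():
        print(f"{name:12s} orphaned on: {', '.join(hosts)}")
    print("\n".join(removal_plan(found)))
```

Feed real files into SAMPLE_PASSWD (one text blob per host) and populate AD_USERS from whatever the agent resolves, and the output becomes the review list you would otherwise build by hand.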
But these days a Centrify administrator's work is judged by the efficiency and accuracy with which a task is performed. In this post I present a method for cleaning up local /etc/passwd files using the Centrify Deployment Manager tool. Deployment Manager is packaged with the Server Suite product. If you have taken any Centrify training or worked with Centrify's Professional Services team, you are most likely familiar with the tool and already have it installed in your environment.
If not, you will need to install Centrify Deployment Manager.
The installer files are located in the DirectManage folder of the Server Suite zip file.
Once installed, launch the Deployment Manager using the Desktop Icon:
The first step is to add the servers you want Deployment Manager to evaluate. Right-click on 'Computers' and select 'Add Computers...'.
There are several ways to add computers to Deployment Manager. I prefer 'Import a computer list from a text file': it keeps the job efficient and accurate by listing only the servers targeted for clean-up.
Next, provide a text file of servers (either hostname or IP address):
Then provide an account that has privileged access to root, either via sudo or dzdo. The root account itself also works.
Then provide the password for that account.
Once Deployment Manager has discovered your servers, it downloads a copy of each server's /etc/passwd and /etc/group into the tool.
At this point you can work with each server individually, or with the consolidated user data for all discovered servers by clicking 'Local Accounts'.
The right pane shows the consolidated list of local accounts from all discovered servers.
Deployment Manager lets you sort on any column: click the column name and toggle between ascending and descending.
Sort by UNIX Name:
Isolate the users you want to remove from the servers' local /etc/passwd files.
Multi-select entries with Ctrl-click or Shift-click, then right-click the highlighted selection and choose 'Delete'.
Deployment Manager connects to each server and removes the accounts you selected. Keep in mind that it does not delete the users' home directories: Centrify deliberately avoids deleting data that may not yet have been reviewed or migrated by the user, their peers or their managers.
Before:
After:
You can also delete local UNIX groups that you have migrated to Centrify:
Most Centrify administrators will only need to clean up the local user and group files of servers they have joined to AD.
If you have a slick script or tool that you use for local user and group clean-up, please share it with the community.
NOTE: For those of you who looked closely at the images above: yes, Centrify Deployment Manager can also change the passwords of local accounts (in bulk, too!).