Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2260: How to troubleshoot if a user is not shown in "Show Effective Users"

Authentication Service ,  

12 April,16 at 11:08 AM

Applies to: Centrify DirectControl 5.0.x

After adding a group of users to "Role Assignments" in the Centrify DirectManage Access Manager/DirectControl console, the users do not show up in "Show Effective Users" for Centrify servers. It is specific to one group and other groups are working fine.

An attempt was made to add users (vs group) manually with "Login Rights", but was also unsuccessful in making the users visible. The Role Assignments for the group and users were checked and confirmed to be configured correctly.

From the Unix machine,  "adquery user -A username | grep zoneE*" returns the user is not Zone-enabled:


What can be done to troubleshoot this?

Check the following areas:
1) Does the user have a valid UNIX profile in the current or parent Zones?
2) Are the following attributes defined to create a complete Effective UNIX profile?:
- Login name
- Primary group
- Home directory
- Shell

"Effective UNIX profile" means the union of profile attributes from current Zone up to root Zone. Centrify will still consider the "Effective UNIX profile" as complete, even if the profile in child and parent zones separately are incomplete.

The user will be shown in "Show Effective Users" when both the above conditions are satisfied, adquery will also return zoneEnabled:true once this occurs.
1. To check if the user has a UNIX profile in Centrify DirectManage Access Manager/DirectControl console:
- For Zone, check the <Zone node> -> UNIX Data -> Users.
- For computer, check the <computer node> -> UNIX Data -> Users.
Check to see if the members of group "nix_users_tivoli_admin" are listed in the above locations.
The user should have at least one profile in one of the Zones/computer.

2. To check if the profile is complete, right-click the user profile in the Users node and select Zone Profile.
If cumulatively all five of the Effective UNIX profile attributes are defined; the profile is considered complete.