Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7430: How to update a single AD object in DirectControl cache using adobjectrefresh command

8 September,16 at 05:24 PM

Applies to:  

Centrify DirectControl 5.3.1 and higher on all platforms 

Question:

Is there a way to update a single AD object in the DirectControl cache? Adflush works but it has no granular control for large or complex AD environments. 

Answer:

Starting in DirectControl 5.3.1 we introduced a new command called "adobjectrefresh" to update the cache for a specific user or group object instead of the entire zone.

Due to all the latencies (AD replication, adclient cache update) after the user or group was added to request privilege (login or dzdo) or role assignments and due to the unpredictability of when this takes effect on the target machine, we need a new CLI to flush and refresh specific user/group immediately.

 

This new command provides a CLI to ask adclient to flush and refresh a specific user/group object  immediately.  The new CLI should be able to refresh user/group based on unixname/samAccountName/DN/UPN.

Currently adflush -O <GUID> can flush a specific GUID, but it's not exposed to customer, and is not convenient.

Things we need to know before using this command:
a.  adclient should be in connected mode when running this CLI, so object can be refreshed.
b.  A -f option can force flush the object in disconnected mode, though object will not be refreshed.
c.  If Adclient is down, CLI cannot continue.
d.  This CLI works for all zone type

Syntax for adobjectrefresh command:

adobjectrefresh [-f] -u username [-u username, … …]

adobjectrefresh [-f] -g groupname [-g groupname, … …]

-f, --force        force flush the object even if adclient is in disconnected mode

-u, --user        refresh user

-g, --group        refresh group

adobjectrefresh also support multiple groups and can be specified with the following format:

adobjectrefresh -u u1 -u u2@domain -g g1 -g g2

More detailed information on the command from the man page:

NAME

       adobjectrefresh - Refresh a user or group.

SYNOPSIS

       adobjectrefresh  [-g,  --group  groupname ] [-u, --user username ] [-i,

       --ignoremembers] [-f, --force] [-h, --help] [-v, --version] [-V, --verbose]

EXAMPLES

       To refresh a user on a connected computer:

       adobjectrefresh -u username

       To flush a group from the Centrify cache on a disconnected computer:

       adobjectrefresh -fg groupname

       To refresh a group without refreshing the group's  members  on  a  connected computer:

       adobjectrefresh -gi groupname

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-3925: How to add Centrify parameter to a group policy articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?