14 July,20 at 05:29 PM
This Cheat Sheet should be used with Centrify Mac Agent version 5.2.4 and higher.
The Centrify Mac Diagnostic Tool location:
/Library/Application Support/Centrify/MacDiagnosticTool.app
Centrify Agent
To join the domain in Auto Zone:
sudo /usr/local/sbin/adjoin --user domain_admin_username --workstation domain.com
To join the domain in Zone mode:
sudo /usr/local/sbin/adjoin --user domain_admin_username --zone zonename domain.com
To leave the domain and disable the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username
To leave the domain and remove the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove
To leave the domain and leave the computer object untouched in Active Directory:
sudo /usr/local/sbin/adleave --force
To print information for the domain:
/usr/local/bin/adinfo
To print network diagnostic information for the domain:
sudo /usr/local/bin/adinfo --diag
To view licensing mode:
/usr/local/sbin/adlicense
To enable licensed features:
sudo /usr/local/sbin/adlicense --licensed
To look up an Active Directory user's information:
/usr/local/bin/adquery user -A username
To look up an Active Directory computer's information:
/usr/local/bin/adquery user -A computername$
To look up an Active Directory computer's Manager (managedBy attribute used with FileVault policy):
/usr/local/bin/adquery user -b managedBy computername$
To look up an Active Directory group's information:
/usr/local/bin/adquery group -A groupname
To change the currently logged in user's Active Directory password:
/usr/local/bin/adpasswd
To change an Active Directory user's password:
/usr/local/bin/adpasswd --adminuser domain_admin_username username@domain.com
To flush the Mac agent cache (Active Directory users will need to log in again to cache their credentials after this is run):
sudo /usr/local/sbin/adflush
The location of the Centrify configuration file:
/etc/centrifydc/centrifydc.conf
The location of Centrify Kerberos tools:
/usr/local/share/centrifydc/kerberos/bin/
To restart the Mac agent:
sudo /usr/local/share/centrifydc/bin/centrifydc restart
To turn on logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug on
To turn off logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug off
To clear out the current log file:
sudo /usr/local/share/centrifydc/bin/addebug clear
Log file location:
/var/log/centrifydc.log
To uninstall the Mac agent:
sudo /usr/local/share/centrifydc/bin/uninstall.sh
To uninstall silently:
sudo /usr/local/share/centrifydc/bin/uninstall.sh --std-suite
Group Policy
To force group policy updates for both user and machine policies:
/usr/local/bin/adgpupdate
To update group policy for user policies only:
/usr/local/bin/adgpupdate --target User
To update group policy for machine policies only:
/usr/local/bin/adgpupdate --target Computer
To view the currently set group policies:
/usr/local/bin/adgpresult
To view the currently set user group policies:
/usr/local/bin/adgpresult --user username
To view the currently set machine group policies:
/usr/local/bin/adgpresult --machine
The location of computer group policy reports:
/var/centrifydc/reg/machine/gp.report
The location of the user group policy reports:
/var/centrifydc/reg/user/username/gp.report
The location of login scripts:
/var/centrifydc/loginscripts/machine
/var/centrifydc/loginscripts/user/username
/var/centrifydc/scripts/additional/login
/var/centrifydc/scripts/additional/logout
To retrieve machine certificates:
sudo /usr/local/share/centrifydc/sbin/adcert --machine --keychain
To retrieve user certificates:
/usr/local/share/centrifydc/sbin/adcert --user --keychain
The location of machine certificates:
/var/centrify/net/certs
The location of user certificates:
~/.centrify
/Users/username/.centrify
Directory Services
To see if the machine is joined to the domain using the Apple plugin:
/usr/sbin/dsconfigad -show
To unbind from the domain using the Apple plugin:
sudo /usr/sbin/dsconfigad -remove -username domain_admin_username
To list all of the users in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Users
To list only the Active Directory users enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Users
To display detailed information about the specified Active Directory user:
/usr/bin/dscl /CentrifyDC -read /Users/username
To list all of the groups in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Groups
To list only the Active Directory groups enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Groups
To display detailed information about the specified Active Directory group:
/usr/bin/dscl /CentrifyDC -read /Groups/groupname
FileVault
To see if FileVault is enabled:
/usr/bin/fdesetup status
To list FileVault enabled users:
/usr/bin/fdesetup list
To disable FileVault:
sudo /usr/bin/fdesetup disable
To add a local or mobile account to the FileVault user list:
sudo /usr/bin/fdesetup add -usertoadd username
Smart Card
To see if smart card support is enabled:
/usr/local/bin/sctool --status
To enable smart card support:
/usr/local/bin/sctool --enable
To disable smart card support:
/usr/local/bin/sctool --disable
To dump out all the certificates and Active Directory information present on the smart card:
/usr/local/bin/sctool --dump
To get a new Kerberos ticket:
/usr/local/bin/sctool --pkinit