Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

[TIPS] A Centrify for Mac Cheat Sheet

14 July,20 at 05:29 PM

This Cheat Sheet should be used with Centrify Mac Agent version 5.2.4 and higher.


The Centrify Mac Diagnostic Tool location:
/Library/Application Support/Centrify/



Centrify Agent


To join the domain in Auto Zone:
sudo /usr/local/sbin/adjoin --user domain_admin_username --workstation


To join the domain in Zone mode:
sudo /usr/local/sbin/adjoin --user domain_admin_username --zone zonename


To leave the domain and disable the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username 


To leave the domain and remove the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove


To leave the domain and leave the computer object untouched in Active Directory:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove


To print information for the domain:


To print network diagnostic information for the domain:
sudo /usr/local/bin/adinfo --diag


To view licensing mode:



To enable licensed features:

sudo /usr/local/sbin/adlicense --licensed


To look up an Active Directory user's information:

/usr/local/bin/adquery user -A username


To look up an Active Directory computer's information:

/usr/local/bin/adquery user -A computername$


To look up an Active Directory computer's Manager (managedBy attribute used with FileVault policy):


/usr/local/bin/adquery user -b managedBy computername$


To look up an Active Directory group's information:

/usr/local/bin/adquery group -A groupname


To change the currently logged in user's Active Directory password:



To change an Active Directory user's password:

/usr/local/bin/adpasswd --adminuser domain_admin_username


To flush the Mac agent cache (Active Directory users will need to login again to cache their credentials after this is ran):

sudo /usr/local/sbin/adflush


The location of the Centrify configuration file:


The location of Centrify Kerberos tools:


To restart the Mac agent:
sudo /usr/local/share/centrifydc/bin/centrifydc restart


To turn on logging:
sudo/usr/local/share/centrifydc/bin/cdcdebug on


To turn off logging:
sudo/usr/local/share/centrifydc/bin/cdcdebug off 


To clear out the current log file:

sudo/usr/local/share/centrifydc/bin/addebug clear

Log file location:


To uninstall the Mac agent:
sudo /usr/local/share/centrifydc/bin/


To uninstall silently:
sudo /usr/local/share/centrifydc/bin/ --std-suite



Group Policy


To force group policy updates for both user and machine policies:


To update group policy for user policies only:
/usr/local/bin/adgpupdate --target User


To update group policy for machine policies only:
/usr/local/bin/adgpupdate --target Computer


To view the curent set group policies:



To view the curent set user group policies:

/usr/local/bin/adgpresult --user username


To view the curent set machine group policies:

/usr/local/bin/adgpresult --machine


The location of computer group policy reports:


The location of the user group policy reports:


The location of login scripts:



To retrieve machine certificates:
sudo /usr/local/share/centrifydc/sbin/adcert --machine --keychain


To retrieve user certificates:
/usr/local/share/centrifydc/sbin/adcert --user --keychain


The location of machine certificates:


The location of user certificates:




Directory Services


To see if the machine is joined to the domain using the Apple plugin:
/usr/sbin/dsconfigad –show


To unbind from the domain using the Apple plugin:

sudo /usr/sbin/dsconfigad –remove -username domain_admin_username


To list all of the users in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Users


To list only the Active Directory users enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Users


To display detailed information about the specified Active Directory user:
/usr/bin/dscl /CentrifyDC -read /Users/username


To list all of the groups in the DirectoryService and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Groups


To list only the Active Directory groups enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Groups


Command to display detailed informationa bout the specified Active Directory group name:
/usr/bin/dscl /CentrifyDC -read /Groups/groupname





To see if FileVault is enabled:

/usr/bin/fdesetup status


To list FileVault enabled users:

/usr/bin/fdesetup list


To disable FileVault:

sudo /usr/bin/fdesetup disable


To add a local or mobile account to the FileVault user list:

sudo /usr/bin/fdesetup add -usertoadd username



Smart Card


To see if smart card support is enabled: 
/usr/local/bin/sctool --status


To enable smart card support: 
/usr/local/bin/sctool --enable


To disable smart card support: 
/usr/local/bin/sctool --disable


To dump out all the certificates and Active Directory information present on the smart card:

/usr/local/bin/sctool --dump


To get a new kerberos ticket: 

/usr/local/bin/sctool --pkinit


Related Articles:


A Centrify Server Suite Cheat Sheet