How to use etautil to add Active Directory account into Endpoint Group

Article ID: 210569

Products

CA Identity Manager

Issue/Introduction

Can the etautil command be used to add or update the Endpoint group (Active Directory Security Group) membership of an Active Directory account?

Environment

Identity Manager 14.x

Resolution

Yes.

First, make sure the Security Groups in the Active Directory (AD) Endpoint have been explored, so that when you launch Provisioning Manager, select the AD Endpoint and open its Content..., the groups are listed.

In my lab, I have the "SGUsers" group under Home > Users and the "VIPNew" and "VIPUsed" groups under NorthRyde > NewComers. See below.

Then I created a new user, "sguser100 user", and assigned the AD Provisioning Role. The AD Provisioning Role has an Account Template that specifies that the user belongs to the "SGUsers" group.

The user has been provisioned an AD account, and that account belongs to the SGUsers group.

After that I ran the following etautil command:

etautil -d im -u etaadmin -p Password01 update "eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,eTADSDirectoryName=sanwi06-2k16-ad_EP,eTNamespaceName=ActiveDirectory,dc=im" eTADSAccount eTADSAccountName="sguser100 user" to +eTADSmemberOf="CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local";

Note the + sign prefix before eTADSmemberOf=.... Because eTADSmemberOf is a multi-valued attribute, this command adds "sguser100 user" to another group; it does not remove "sguser100 user" from the "SGUsers" group that the user already belongs to.

After that, if I run the following etautil command:

etautil -d im -u etaadmin -p Password01 update "eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,eTADSDirectoryName=sanwi06-2k16-ad_EP,eTNamespaceName=ActiveDirectory,dc=im" eTADSAccount eTADSAccountName="sguser100 user" to -eTADSmemberOf="CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local";

Note the - sign prefix before eTADSmemberOf=.... The command removes "sguser100 user" from the "VIPUsed" group but not from any other group(s) the user already belongs to.

If you use eTADSmemberOf=... with no prefix, the operation is a *replace*: all existing group memberships are removed and replaced by the "VIPUsed" group only.

Be aware that if I remove "sguser100 user" from the "SGUsers" group using etautil and then run Synchronization > Synchronize User with Account Templates, "sguser100 user" will be restored to the "SGUsers" group.
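The three update forms above (+, -, and no prefix) and the template re-sync behaviour, as an added Python example that is not from this article or from etautil itself: it builds the etautil argument list for each form and models what each does to the account's eTADSmemberOf values. The container DN, account name and VIPUsed DN follow the article; the SGUsers DN, the build_update_argv/apply_member_of/resync_with_template helpers and the "<password>" placeholder are assumptions.

```python
# Added example, not Broadcom's or etautil's own code. Container DN, account and
# VIPUsed DN follow the article; the SGUsers DN is a constructed placeholder.
CONTAINER_DN = ("eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,"
                "eTADSDirectoryName=sanwi06-2k16-ad_EP,"
                "eTNamespaceName=ActiveDirectory,dc=im")
VIPUSED_DN = "CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local"
SGUSERS_DN = "CN=SGUsers,OU=Users,OU=Home,DC=wslab2,DC=local"  # constructed

# Prefix the 'to' clause puts before a multi-valued attribute such as eTADSmemberOf.
MODE_PREFIX = {"add": "+", "remove": "-", "replace": ""}


def build_update_argv(account, group_dn, mode, password, domain="im", user="etaadmin"):
    """Return the etautil command as an argv list for subprocess.run (no shell,
    so the space in 'sguser100 user' needs no quoting). The mode is mandatory
    so a caller cannot drop into the replace form by forgetting the prefix."""
    if mode not in MODE_PREFIX:
        raise ValueError(f"mode must be one of {sorted(MODE_PREFIX)}")
    dn = group_dn.upper()
    if not dn.startswith("CN=") or ",DC=" not in dn:
        raise ValueError("group_dn must be a full AD distinguished name")
    # -p places the password on the command line, as in the article's command.
    return ["etautil", "-d", domain, "-u", user, "-p", password, "update",
            CONTAINER_DN, "eTADSAccount", f"eTADSAccountName={account}",
            "to", f"{MODE_PREFIX[mode]}eTADSmemberOf={group_dn}"]


def apply_member_of(current, group_dn, mode):
    """Model the server-side effect of the update on the eTADSmemberOf values."""
    current = set(current)
    if mode == "add":
        return current | {group_dn}      # + : add one value, keep the rest
    if mode == "remove":
        return current - {group_dn}      # - : drop one value, keep the rest
    return {group_dn}                    # no prefix: replace every value


def resync_with_template(current, template_groups=frozenset({SGUSERS_DN})):
    """Synchronize User with Account Templates re-adds the template's groups."""
    return set(current) | set(template_groups)


if __name__ == "__main__":
    groups = {SGUSERS_DN}
    for mode in ("add", "remove", "replace"):
        argv = build_update_argv("sguser100 user", VIPUSED_DN, mode, "<password>")
        groups = apply_member_of(groups, VIPUSED_DN, mode)
        print(argv[-1], "->", sorted(groups))
    print("after template sync ->", sorted(resync_with_template(groups)))
```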
