1ADCLI(8) System Commands ADCLI(8)
2
6 adcli - Tool for performing actions on an Active Directory domain
7
9 adcli info domain.example.com
10 adcli join domain.example.com
12 adcli update
14 adcli testjoin
16 adcli create-user [--domain=domain.example.com] user
18 adcli delete-user [--domain=domain.example.com] user
20 adcli create-group [--domain=domain.example.com] user
22 adcli delete-group [--domain=domain.example.com] user
24 adcli add-member [--domain=domain.example.com] group user...
26 adcli remove-member [--domain=domain.example.com] group user...
28 adcli preset-computer [--domain=domain.example.com] computer...
30 adcli reset-computer [--domain=domain.example.com] computer
32 adcli delete-computer [--domain=domain.example.com] computer
34 adcli show-computer [--domain=domain.example.com] computer
36 adcli create-msa [--domain=domain.example.com]
38
40 adcli is a command line tool that can perform actions in an Active
41 Directory domain. Among other things it can be used to join a computer
42 to a domain.
43 See the various sub commands below. The following global options can be
45 used:
46 -D, --domain=domain
48 The domain to connect to. If a domain is not specified, then the
49 domain part of the local computer's host name is used.
50 -R, --domain-realm=REALM
52 Kerberos realm for the domain. If not specified, then the upper
53 cased domain name is used.
54 -S, --domain-controller=server
56 Connect to a specific domain controller. If not specified, then an
57 appropriate domain controller is automatically discovered.
58 --use-ldaps
60 Connect to the domain controller with LDAPS. By default the LDAP
61 port is used and SASL GSS-SPNEGO or GSSAPI is used for
62 authentication and to establish encryption. This should satisfy all
63 requirements set on the server side and LDAPS should only be used
64 if the LDAP port is not accessible due to firewalls or other
65 reasons.
66 Please note that the place where CA certificates can be found to
68 validate the AD DC certificates must be configured in the OpenLDAP
69 configuration file, e.g. /etc/openldap/ldap.conf. As an
70 alternative it can be specified with the help of an environment
71 variable, e.g.
72 $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
74 ...
75 Please see ldap.conf(5) for details.
77 -C
79 Use the default Kerberos credential cache to authenticate with the
80 domain.
81 --login-ccache[=ccache_name]
83 Use the specified Kerberos credential cache to authenticate with
84 the domain. If no credential cache is specified, the default
85 Kerberos credential cache will be used. Credential caches of type
86 FILE can be given with the path to the file. For other credential
87 cache types, e.g. DIR, KEYRING or KCM, the type must be specified
88 explicitly together with a suitable identifier.
89 Please note that since the ccache_name is optional the =(equal)
91 sign is mandatory. If = is missing the parameter is treated as
92 optionless extra argument. How this is handled depends on the
93 specific sub-command.
94 -U, --login-user=User
96 Use the specified user account to authenticate with the domain. If
97 not specified, then the name 'Administrator' will be used.
98 --no-password
100 Don't show prompts for or read a password from input.
101 -W, --prompt-password
103 Prompt for a password if necessary. This is the default.
104 --stdin-password
106 Read a password from stdin input instead of prompting for a
107 password.
108 -v, --verbose
110 Run in verbose mode with debug output.
111
113 adcli info displays discovered information about an Active Directory
114 domain or an Active Directory domain controller.
115 $ adcli info domain.example.com
117 ...
118 $ adcli info --domain-controller=dc.domain.example.com
120 ...
121 adcli info will output as much information as it can about the domain.
123 The information is designed to be both machine and human readable. The
124 command will exit with a non-zero exit code if the domain does not
125 exist or cannot be reached.
126 To show domain info for a specific domain controller use the
128 --domain-controller option to specify which domain controller to query.
129 Use the --verbose option to show details of how the domain is
131 discovered and queried. Many of the global options, in particular
132 authentication options, are not usable with the adcli info command.
133
135 adcli join creates a computer account in the domain for the local
136 machine, and sets up a keytab for the machine. It does not configure an
137 authentication service (such as sssd).
138 $ adcli join domain.example.com
140 Password for Administrator:
141 In addition to the global options, you can specify the following
143 options to control how this operation is done.
144 -N, --computer-name=computer
146 The short non-dotted name of the computer account that will be
147 created in the domain. If not specified, then the first portion of
148 the --host-fqdn is used.
149 -O, --domain-ou=OU=xxx
151 The full distinguished name of the OU in which to create the
152 computer account. If not specified, then the computer account will
153 be created in a default location.
154 -H, --host-fqdn=host
156 Override the local machine's fully qualified domain name. If not
157 specified, the local machine's hostname will be retrieved via
158 gethostname(). If gethostname() only returns a short name
159 getaddrinfo() with the AI_CANONNAME hint is called to expand the
160 name to a fully qualified domain name.
161 -K, --host-keytab=/path/to/keytab
163 Specify the path to the host keytab where host credentials will be
164 written after a successful join operation. If not specified, the
165 default location will be used, usually /etc/krb5.keytab.
166 --login-type={computer|user}
168 Specify the type of authentication that will be performed before
169 creating the machine account in the domain. If set to 'computer',
170 then the computer must already have a preset account in the domain.
171 If not specified and none of the other --login-xxx arguments have
172 been specified, then will try both 'computer' and 'user'
173 authentication.
174 --os-name=name
176 Set the operating system name on the computer account. The default
177 depends on where adcli was built, but is usually something like
178 'linux-gnu'.
179 --os-service-pack=pack
181 Set the operating system service pack on the computer account. Not
182 set by default.
183 --os-version=version
185 Set the operating system version on the computer account. Not set
186 by default.
187 --description=description
189 Set the description attribute on the computer account. Not set by
190 default.
191 --service-name=service
193 Additional service name for a kerberos principal to be created on
194 the computer account. This option may be specified multiple times.
195 --user-principal=host/name@REALM
197 Set the userPrincipalName field of the computer account to this
198 kerberos principal. If you omit the value for this option, then a
199 principal will be set in the form of host/host.example.com@REALM
200 --one-time-password
202 Specify a one time password for a preset computer account. This is
203 equivalent to using --login-type=computer and providing a password
204 as input.
205 --trusted-for-delegation=yes|no|true|false
207 Set or unset the TRUSTED_FOR_DELEGATION flag in the
208 userAccountControl attribute to allow or not allow that Kerberos
209 tickets can be forwarded to the host.
210 --add-service-principal=service/hostname
212 Add a service principal name. In contrast to the --service-name the
213 hostname part can be specified as well in case the service should
214 be accessible with a different host name as well.
215 --show-details
217 After a successful join print out information about join operation.
218 This is output in a format that should be both human and machine
219 readable.
220 --show-password
222 After a successful join print out the computer machine account
223 password. This is output in a format that should be both human and
224 machine readable.
225 --add-samba-data
227 After a successful join add the domain SID and the machine account
228 password to the Samba specific databases by calling Samba's net
229 utility.
230 Please note that Samba's net requires some settings in smb.conf to
232 create the database entries correctly. Most important here is
233 currently the workgroup option, see smb.conf(5) for details.
234 --samba-data-tool=/path/to/net
236 If Samba's net cannot be found at /usr/bin/net, this option can be
237 used to specific an alternative location with the help of an
238 absolute path.
239 If supported on the AD side the msDS-supportedEncryptionTypes attribute
241 will be set as well. Either the current value or the default list of
242 AD's supported encryption types filtered by the permitted encryption
243 types of the client's Kerberos configuration are written.
244
246 adcli update updates the password of the computer account on the domain
247 controller for the local machine, write the new keys to the keytab and
248 removes older keys. It keeps the previous key on purpose because AD
249 will need some time to replicate the new key to all DCs hence the
250 previous key might still be used.
251 $ adcli update
253 If used with a credential cache, other attributes of the computer
255 account can be changed as well if the principal has sufficient
256 privileges.
257 $ kinit Administrator
259 $ adcli update --login-ccache=/tmp/krbcc_123
260 In addition to the global options, you can specify the following
262 options to control how this operation is done.
263 -N, --computer-name=computer
265 The short non-dotted name of the computer account that will be
266 created in the domain. If not specified, it will be retrieved from
267 the keytab entries.
268 -H, --host-fqdn=host
270 The local machine's fully qualified domain name. If not specified,
271 the local machine's hostname will be retrieved from the keytab
272 entries.
273 -K, --host-keytab=/path/to/keytab
275 Specify the path to the host keytab where current host credentials
276 are stored and the new ones will be written to. If not specified,
277 the default location will be used, usually /etc/krb5.keytab.
278 --os-name=name
280 Set the operating system name on the computer account. Not set by
281 default.
282 --os-service-pack=pack
284 Set the operating system service pack on the computer account. Not
285 set by default.
286 --os-version=version
288 Set the operating system version on the computer account. Not set
289 by default.
290 --description=description
292 Set the description attribute on the computer account. Not set by
293 default.
294 --service-name=service
296 Additional service name for a Kerberos principal to be created on
297 the computer account. This option may be specified multiple times.
298 --user-principal=host/name@REALM
300 Set the userPrincipalName field of the computer account to this
301 Kerberos principal.
302 --computer-password-lifetime=lifetime
304 Only update the password of the computer account if it is older
305 than the lifetime given in days. By default the password is updated
306 if it is older than 30 days.
307 --trusted-for-delegation=yes|no|true|false
309 Set or unset the TRUSTED_FOR_DELEGATION flag in the
310 userAccountControl attribute to allow or not allow that Kerberos
311 tickets can be forwarded to the host.
312 --account-disable=yes|no|true|false
314 Set or unset the ACCOUNTDISABLE flag in the userAccountControl
315 attribute to disable or enable the computer account.
316 --add-service-principal=service/hostname
318 Add a service principal name. In contrast to the --service-name the
319 hostname part can be specified as well in case the service should
320 be accessible with a different host name as well.
321 --remove-service-principal=service/hostname
323 Remove a service principal name from the keytab and the AD host
324 object.
325 --show-details
327 After a successful join print out information about join operation.
328 This is output in a format that should be both human and machine
329 readable.
330 --add-samba-data
332 After a successful join add the domain SID and the machine account
333 password to the Samba specific databases by calling Samba's net
334 utility.
335 Please note that Samba's net requires some settings in smb.conf to
337 create the database entries correctly. Most important here is
338 currently the workgroup option, see smb.conf(5) for details.
339 Note that if the machine account password is not older than 30
341 days, you have to pass --computer-password-lifetime=0 to force the
342 update.
343 --samba-data-tool=/path/to/net
345 If Samba's net cannot be found at /usr/bin/net, this option can be
346 used to specific an alternative location with the help of an
347 absolute path.
348 If supported on the AD side the msDS-supportedEncryptionTypes attribute
350 will be set as well. Either the current value or the default list of
351 AD's supported encryption types filtered by the permitted encryption
352 types of the client's Kerberos configuration are written.
353
355 adcli testjoin uses the current credentials in the keytab and tries to
356 authenticate with the machine account to the AD domain. If this works
357 the machine account password and the join are still valid. If it fails
358 the machine account password or the whole machine account have to be
359 refreshed with adcli join or adcli update.
360 $ adcli testjoin
362 Only the global options not related to authentication are available,
364 additionally you can specify the following options to control how this
365 operation is done.
366 -K, --host-keytab=/path/to/keytab
368 Specify the path to the host keytab where current host credentials
369 are stored and the new ones will be written to. If not specified,
370 the default location will be used, usually /etc/krb5.keytab.
371
373 adcli create-user creates a new user account in the domain.
374 $ adcli create-user Fry --domain=domain.example.com \
376 --display-name="Philip J. Fry" --mail=fry@domain.example.com
377 In addition to the global options, you can specify the following
379 options to control how the user is created.
380 --display-name="Name"
382 Set the displayName attribute of the new created user account.
383 -O, --domain-ou=OU=xxx
385 The full distinguished name of the OU in which to create the user
386 account. If not specified, then the computer account will be
387 created in a default location.
388 --mail=email@domain.com
390 Set the mail attribute of the new created user account. This
391 attribute may be specified multiple times.
392 --unix-home=/home/user
394 Set the unixHomeDirectory attribute of the new created user
395 account, which should be an absolute path to the user's home
396 directory.
397 --unix-gid=111
399 Set the gidNumber attribute of the new created user account, which
400 should be the user's numeric primary group id.
401 --unix-shell=/bin/shell
403 Set the loginShell attribute of the new created user account, which
404 should be a path to a valid shell.
405 --unix-uid=111
407 Set the uidNumber attribute of the new created user account, which
408 should be the user's numeric primary user id.
409 --nis-domain=nis_domain
411 Set the msSFU30NisDomain attribute of the new created user account,
412 which should be the user's NIS domain is the NIS/YP service of
413 Active Directory's Services for Unix (SFU) are used. This is needed
414 to let the 'UNIX attributes' tab of older Active Directoy versions
415 show the set UNIX specific attributes. If not specified adcli will
416 try to determine the NIS domain automatically if needed.
417
419 adcli delete-user deletes a user account from the domain.
420 $ adcli delete-user Fry --domain=domain.example.com
422 The various global options can be used.
424
426 adcli create-group creates a new group in the domain.
427 $ adcli create-group Pilots --domain=domain.example.com \
429 --description="Group for all pilots"
430 In addition to the global options, you can specify the following
432 options to control how the group is created.
433 --description="text"
435 Set the description attribute of the new created group.
436 -O, --domain-ou=OU=xxx
438 The full distinguished name of the OU in which to create the group.
439 If not specified, then the group will be created in a default
440 location.
441
443 adcli delete-group deletes a group from the domain.
444 $ adcli delete-group Pilots --domain=domain.example.com
446 The various global options can be used.
448
450 adcli add-member adds one or more users to a group in the domain. The
451 group is specified first, and then the various users to be added.
452 $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
454 The various global options can be used.
456
458 adcli remove-member removes a user from a group in the domain. The
459 group is specified first, and then the various users to be removed.
460 $ adcli remove-member --domain=domain.example.com Pilots Scruffy
462 The various global options can be used.
464
466 adcli preset-computer pre-creates one or more computer accounts in the
467 domain for machines to later use when joining the domain. By doing this
468 machines can join using a one time password or automatically without a
469 password.
470 $ adcli preset-computer --domain=domain.example.com \
472 host1.example.com host2
473 Password for Administrator:
474 If the computer names specified contain dots, then they are treated as
476 fully qualified host names, otherwise they are treated as short
477 computer names. The computer accounts must not already exist.
478 In addition to the global options, you can specify the following
480 options to control how this operation is done.
481 -O, --domain-ou=OU=xxx
483 The full distinguished name of the OU in which to create the
484 computer accounts. If not specified, then the computer account will
485 be created in a default location.
486 --one-time-password
488 Specify a one time password to use when presetting the computer
489 accounts. If not specified, then a default password will be used,
490 which allows for later automatic joins.
491 --os-name=name
493 Set the operating system name on the computer account. The default
494 depends on where adcli was built, but is usually something like
495 'linux-gnu'.
496 --os-service-pack=pack
498 Set the operating system service pack on the computer account. Not
499 set by default.
500 --os-version=version
502 Set the operating system version on the computer account. Not set
503 by default.
504 --service-name=service
506 Additional service name for a kerberos principal to be created on
507 the computer account. This option may be specified multiple times.
508 --user-principal
510 Set the userPrincipalName field of the computer account to this
511 kerberos principal in the form of host/host.example.com@REALM
512
514 adcli reset-computer resets a computer account in the domain. If the
515 appropriate machine is currently joined to the domain, then its
516 membership will be broken. The account must already exist.
517 $ adcli reset-computer --domain=domain.example.com host2
519 If the computer names specified contain dots, then they are treated as
521 fully qualified host names, otherwise they are treated as short
522 computer names.
523 In addition to the global options, you can specify the following
525 options to control how this operation is done.
526 --login-type={computer|user}
528 Specify the type of authentication that will be performed before
529 creating the machine account in the domain. If set to 'computer',
530 then the computer must already have a preset account in the domain.
531 If not specified and none of the other --login-xxx arguments have
532 been specified, then will try both 'computer' and 'user'
533 authentication.
534
536 adcli delete-computer deletes a computer account in the domain. The
537 account must already exist.
538 $ adcli delete-computer --domain=domain.example.com host2
540 Password for Administrator:
541 If the computer name contains a dot, then it is treated as fully
543 qualified host name, otherwise it is treated as short computer name.
544 If no computer name is specified, then the host name of the computer
546 adcli is running on is used, as returned by gethostname().
547 The various global options can be used.
549
551 adcli show-computer show the computer account attributes stored in AD.
552 The account must already exist.
553 $ adcli show-computer --domain=domain.example.com host2
555 Password for Administrator:
556 If the computer name contains a dot, then it is treated as fully
558 qualified host name, otherwise it is treated as short computer name.
559 If no computer name is specified, then the host name of the computer
561 adcli is running on is used, as returned by gethostname().
562 The various global options can be used.
564
566 adcli create-msa creates a managed service account (MSA) in the given
567 Active Directory domain. This is useful if a computer should not fully
568 join the Active Directory domain but LDAP access is needed. A typical
569 use case is that the computer is already joined an Active Directory
570 domain and needs access to another Active Directory domain in the same
571 or a trusted forest where the host credentials from the joined Active
572 Directory domain are not valid, e.g. there is only a one-way trust.
573 $ adcli create-msa --domain=domain.example.com
575 Password for Administrator:
576 The managed service account, as maintained by adcli, cannot have
578 additional service principals names (SPNs) associated with it. An SPN
579 is defined within the context of a Kerberos service which is tied to a
580 machine account in Active Directory. Since a machine can be joined to a
581 single Active Directory domain, managed service account in a different
582 Active Directory domain will not have the SPNs that otherwise are part
583 of another Active Directory domain's machine.
584 Since it is expected that a client will most probably join to the
586 Active Directory domain matching its DNS domain the managed service
587 account will be needed for a different Active directory domain and as a
588 result the Active Directory domain name is a mandatory option. If
589 called with no other options adcli create-msa will use the short
590 hostname with an additional random suffix as computer name to avoid
591 name collisions.
592 LDAP attribute sAMAccountName has a limit of 20 characters. However,
594 machine account's NetBIOS name must be at most 16 characters long,
595 including a trailing '$' sign. Since it is not expected that the
596 managed service accounts created by adcli will be used on the NetBIOS
597 level the remaining 4 characters can be used to add uniqueness. Managed
598 service account names will have a suffix of 3 random characters from
599 number and upper- and lowercase ASCII ranges appended to the chosen
600 short host name, using '!' as a separator. For a host with the
601 shortname 'myhost', a managed service account will have a common name
602 (CN attribute) 'myhost!A2c' and a NetBIOS name (sAMAccountName
603 attribute) will be 'myhost!A2c$'. A corresponding Kerberos principal in
604 the Active Directory domain where the managed service account was
605 created would be 'myhost!A2c$@DOMAIN.EXAMPLE.COM'.
606 A keytab for the managed service account is stored into a file
608 specified with -K option. If it is not specified, the file is named
609 after the default keytab file, with lowercase Active Directory domain
610 of the managed service account as a suffix. On most systems it would be
611 /etc/krb5.keytab with a suffix of 'domain.example.com', e.g.
612 /etc/krb5.keytab.domain.example.com.
613 adcli create-msa can be called multiple times to reset the password of
615 the managed service account. To identify the right account with the
616 random component in the name the corresponding principal is read from
617 the keytab. If the keytab got deleted adcli will try to identify an
618 existing managed service account with the help of the fully-qualified
619 name, if this fails a new managed service account will be created.
620 The managed service account password can be updated with
622 $ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
624 and the managed service account can be deleted with
626 $ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
628 In addition to the global options, you can specify the following
630 options to control how this operation is done.
631 -N, --computer-name=computer
633 The short non-dotted name of the managed service account that will
634 be created in the Active Directory domain. The long option name
635 --computer-name is kept to underline the similarity with the same
636 option of the other sub-commands. If not specified, then the first
637 portion of the --host-fqdn or its default is used with a random
638 suffix.
639 -O, --domain-ou=OU=xxx
641 The full distinguished name of the OU in which to create the
642 managed service account. If not specified, then the managed service
643 account will be created in a default location.
644 -H, --host-fqdn=host
646 Override the local machine's fully qualified DNS domain name. If
647 not specified, the local machine's hostname will be retrieved via
648 gethostname(). If gethostname() only returns a short name
649 getaddrinfo() with the AI_CANONNAME hint is called to expand the
650 name to a fully qualified DNS domain name.
651 -K, --host-keytab=/path/to/keytab
653 Specify the path to the host keytab where credentials of the
654 managed service account will be written after a successful
655 creation. If not specified, the default location will be used,
656 usually /etc/krb5.keytab with the lower-cased Active Directory
657 domain name added as a suffix e.g.
658 /etc/krb5.keytab.domain.example.com.
659 --show-details
661 After a successful creation print out information about the created
662 object. This is output in a format that should be both human and
663 machine readable.
664 --show-password
666 After a successful creation print out the managed service account
667 password. This is output in a format that should be both human and
668 machine readable.
669
671 It is common practice in AD to not use an account from the Domain
672 Administrators group to join a machine to a domain but use a dedicated
673 account which only has permissions to join a machine to one or more OUs
674 in the Active Directory tree. Giving the needed permissions to a single
675 account or a group in Active Directory is called Delegation. A typical
676 example on how to configured Delegation can be found in the Delegation
677 section of the blog post Who can add workstation to the domain[1].
678 When using an account with delegated permissions with adcli basically
680 the same applies as well. However some aspects are explained here in a
681 bit more details to better illustrate different concepts of Active
682 Directory and to make it more easy to debug permissions issues during
683 the join. Please note that the following is not specific to adcli but
684 applies to all applications which would like to modify certain
685 properties or objects in Active Directory with an account with limited
686 permissions.
687 First, as said in the blog post it is sufficient to have "Create
689 computer object" permissions to join a computer to a domain. But this
690 would only work as expected if the computer object does not exist in
691 Active Directory before the join. Because only when a new object is
692 created Active Directory does not apply additional permission checks on
693 the attributes of the new computer object. This means the delegated
694 user can add any kind of attribute with any value to a new computer
695 object also long as they meet general constraints like e.g. that the
696 attribute must be defined in the schema and is allowed in a objectclass
697 of the object, the value must match the syntax defined in the schema or
698 that the sAMAccountName must be unique in the domain.
699 If you want to use the account with delegated permission to remove
701 computer objects in Active Directory (adcli delete-computer) you should
702 of course make sure that the account has "Delete computer object"
703 permissions.
704 If the computer object already exists the "Create computer object"
706 permission does not apply anymore since now an existing object must be
707 modified. Now permissions on the individual attributes are needed. e.g.
708 "Read and write Account Restrictions" or "Reset Password". For some
709 attributes Active Directory has two types of permissions the plain
710 "Read and Write" permissions and the "Validated Write" permissions. For
711 the latter case there are two specific permissions relevant for adcli,
712 namely
713 • Validated write to DNS host name
715 • Validated write to service principal name
717 Details about the validation of the values can be found in the
719 "Validated Writes" section of [MS-ADTS], especially dNSHostName[2] and
720 servicePrincipalName[3]. To cut it short for "Validated write to DNS
721 host name" the domain part of the fully-qualified hostname must either
722 match the domain name of the domain you want to join to or must be
723 listed in the msDS-AllowedDNSSuffixes attribute. And for "Validated
724 write to service principal name" the hostname part of the service
725 principal name must match the name stored in dNSHostName or some other
726 attributes which are not handled by adcli. This also means that
727 dNSHostName cannot be empty or only contain a short name if the service
728 principal name should contain a fully-qualified name.
729 To summarize, if you only have validated write permissions you should
731 make sure the domain part of the hostname matches the domain you want
732 to join or use the --host-fqdn with a matching name.
733 The plain read write permissions do not run additional validations but
735 the attribute values must still be in agreement with the general
736 constraints mentioned above. If the computer object already exists
737 adcli might need the following permissions which are also needed by
738 Windows clients to modify existing attributes:
739 • Reset Password
741 • Read and write Account Restrictions
743 • Read and (validated) write to DNS host name
745 • Read and (validated) write to service principal name
747 additionally adcli needs
749 • Read and write msDS-supportedEncryptionTypes
751 This is added for security reasons to avoid that Active Directory
753 stores Kerberos keys with (potentially weaker) encryption types than
754 the client supports since Active Directory is often configured to still
755 support older (weaker) encryption types for compatibility reasons.
756 All other attributes are only set or modified on demand, i.e. adcli
758 must be called with an option the would set or modify the given
759 attribute. In the following the attributes adcli can modify together
760 with the required permissions are listed:
761 • userPrincipalName
763 • Read/Write userPrincipal Name
765 • msDS-supportedEncryptionTypes
767 • Read/Write msDS-SupportedEncryptionTypes
769 • dNSHostName
771 • Read/Write dNSHostName
773 • Read and write DNS host name attributes
775 • Validated write to DNS host name
777 • servicePrincipalName
779 • Read/Write servicePrincipalName
781 • Validated write to service principal name
783 • operatingSystem
785 • Read/Write Operating System
787 • operatingSystemVersion
789 • Read/Write Operating System Version
791 • operatingSystemServicePack
793 • Read/Write operatingSystemServicePack
795 • userAccountControl
797 • Read/Write userAccountControl
799 • description
801 • Read/Write Description
803 For the management of users and groups (adcli create-user, adcli
805 delete-user, adcli create-group, adcli delete-group) the same applies
806 only for different types of objects, i.e. users and groups. Since
807 currently adcli only supports the creation and the removal of user and
808 group objects it is sufficient to have the "Create/Delete User objects"
809 and "Create/Delete Group objects" permissions.
810 If you want to manage group members as well (adcli add-member, adcli
812 remove-member) "Read/Write Members" permissions are needed as well.
813 Depending on the version of Active Directory the "Delegation of Control
815 Wizard" might offer some shortcuts for common task like e.g.
816 • Create, delete and manage user accounts
818 • Create, delete and manage groups
820 • Modify the membership of a group
822 The first 2 shortcuts will provided full access to user and group
824 objects which, as explained above, is more than currently is needed.
825 After using those shortcut it is a good idea to verify in the
826 "Security" tab in the "Properties" of the related Active Directory
827 container that the assigned permissions meet the expectations.
828
830 Please send bug reports to either the distribution bug tracker or the
831 upstream bug tracker at
832 https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli
833
835 realmd(8), net(8), sssd(8)
836 Further details available in the realmd online documentation at
838 http://www.freedesktop.org/software/realmd/
839
841 1. Who can add workstation to the domain
842 https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain
843 2. dNSHostName
845 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1
846 3. servicePrincipalName
848 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada
849realmd ADCLI(8)