This page outlines how to perform common tasks with Active Directory.

NOTE: This page is a work in progress and is subject to change without warning

Changing Passwords

Locking/Unlocking Accounts

Editing user attributes

User attributes can be changed by editing a user's LDAP record. The easiest way to do this interactively is with samba-tool user edit <username> on a domain controller, or with ldapvi cn=<username> when editing from any other machine.

Users can also be batch edited with ldapmodify. See below for details.

Important attributes that might need to be changed are:

Field         Description
displayName   Automatically generated as "<givenName> <sn>"
givenName     First name
sn            Surname
gecos         Stores the user's real name on *NIX systems; defaults to the same value as displayName
LoginShell    User's *NIX shell; defaults to /bin/zsh
gidNumber     The user's primary POSIX group

LDAP tools

LDAP access in AD environments requires authentication to work properly. Either use -x -W -D "<your_username>@ad.ucc.gu.uwa.edu.au" to authenticate the query, or use Kerberos (run kinit, then add -Y GSSAPI to ldapvi or whichever LDAP tool you are using).
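A batch edit with ldapmodify, as mentioned under Editing user attributes, using the Kerberos authentication described above. This is an added example, not part of the original page: the function names, the sample DNs and the CN=Users container are assumptions, and values are checked so that a user list cannot inject extra LDIF lines into the change file.

```shell
#!/bin/sh
# Added example: batch-edit one attribute for many users with ldapmodify.
LC_ALL=C; export LC_ALL                 # byte-wise pattern matching below
LDAP_URI="ldap://AD.UCC.GU.UWA.EDU.AU"  # host from the ldapvi command on this page

# Print "name: value" as one LDIF line. Values that are not LDIF safe strings
# (leading space, ':' or '<', trailing space, newlines or any non-printable or
# non-ASCII byte) are base64-encoded as "name:: ..." so that input taken from a
# user list cannot smuggle extra LDIF lines into the change file.
ldif_line() {
    case $2 in
        ' '*|:*|'<'*|*' '|*[![:print:]]*)
            printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')" ;;
        *)  printf '%s: %s\n' "$1" "$2" ;;
    esac
}

# Read one user DN per line on stdin and write a "replace" record for each.
build_replace_ldif() {
    attr=$1 value=$2
    case $attr in   # attribute names: letters, digits and hyphens only
        ''|*[!A-Za-z0-9-]*) echo "bad attribute name: $attr" >&2; return 1 ;;
    esac
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        ldif_line dn "$dn"
        printf 'changetype: modify\nreplace: %s\n' "$attr"
        ldif_line "$attr" "$value"
        printf '\n'
    done
}

# Send a change file to the DC using the Kerberos ticket obtained with kinit.
# Dry run first: apply_ldif -n -f changes.ldif, then: apply_ldif -f changes.ldif
apply_ldif() {
    ldapmodify -H "$LDAP_URI" -Y GSSAPI "$@"
}

# Constructed sample DNs; the CN=Users container is an assumption, so list the
# real DNs with ldapsearch before building a change file.
build_replace_ldif loginShell /bin/bash <<'EOF'
CN=alice,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au
CN=bob,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au
EOF
```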

Fixing email

If the user has their email in the mail folder in their home directory rather than in the general mail spool, use ldapvi to fix where it looks for their mailbox:

kinit

ldapvi -b dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au --host AD.UCC.GU.UWA.EDU.AU -Y GSSAPI

Find the user, then add their mail location, something like:

otherMailbox: mbox:/home/ucc/<username>/Mail:INBOX=/home/ucc/<username>/Mail/inbox