Autogenerates RFC2307 POSIX attributes for existing Active Directory users and groups.

For users the following attributes are updated:

- uidNumber
- gidNumber
- unixHomeDirectory
- loginShell

For groups the following attributes are updated:

- gidNumber
No configuration file is needed by default. If you want to define a custom configuration, put your configuration in `config.json` in the same folder as `add-attrs.ps1`, or use a custom path with `-Config "path-to-config"`. There is an example configuration with default values in `config.json.example`.
Run in dry-run mode until you are sure it does the right thing:

```
.\add-attrs.ps1 -DryRun
```
By default add-attrs only adds missing attributes, and never updates POSIX attributes that are already set, either manually or by some other mechanism. To add the missing attributes, just run:

```
.\add-attrs.ps1
```
If you for some reason want to overwrite all existing attributes with the values generated by add-attrs, do:

```
.\add-attrs.ps1 -Force
```
Only do this if you know what you are doing! If add-attrs generates other UIDs and GIDs than what you already had, and they have been in use for a while on Unix-like systems, you will mess up file and directory ownership and permissions on those systems, and you must manually fix the affected files and directories. Using `-DryRun` first is strongly recommended, so you can verify that no uidNumber or gidNumber is changed unless that is what you actually intend.
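One practical way to do that verification is to snapshot the POSIX attributes that are already in the directory before running add-attrs, so you can see exactly which objects a normal run would touch (those missing IDs), which objects only `-Force` would touch (those with IDs), and whether any IDs are already duplicated. The script below is an added example and is not part of add-attrs; it assumes the ActiveDirectory PowerShell module is installed and that the search base `OU=Accounts,DC=example,DC=com` is replaced with your own.

```powershell
# Added example (not part of add-attrs): snapshot existing RFC2307 attributes
# before a run so a later run, especially one with -Force, can be diffed against it.
# Assumes the ActiveDirectory module is available and the search base below is yours.
Import-Module ActiveDirectory

$SearchBase = 'OU=Accounts,DC=example,DC=com'   # assumption: change to your domain/OU
$Snapshot   = "posix-snapshot-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
$userAttrs  = 'uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell'

# Users: one row per user, including users that have no POSIX attributes yet
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $userAttrs |
    Select-Object @{n = 'Type'; e = { 'User' } }, SamAccountName, DistinguishedName,
                  uidNumber, gidNumber, unixHomeDirectory, loginShell

# Groups: only gidNumber is relevant; pad the other columns so both sets share a shape
$groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties gidNumber |
    Select-Object @{n = 'Type'; e = { 'Group' } }, SamAccountName, DistinguishedName,
                  @{n = 'uidNumber'; e = { $null } }, gidNumber,
                  @{n = 'unixHomeDirectory'; e = { $null } }, @{n = 'loginShell'; e = { $null } }

$all = @($users) + @($groups)
$all | Export-Csv -Path $Snapshot -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($all.Count) objects to $Snapshot"

# What a normal (non -Force) run would touch: objects still missing an ID
$missingUsers  = $users  | Where-Object { -not $_.uidNumber -or -not $_.gidNumber }
$missingGroups = $groups | Where-Object { -not $_.gidNumber }
Write-Host "Users without complete POSIX attributes: $(@($missingUsers).Count)"
Write-Host "Groups without gidNumber:                $(@($missingGroups).Count)"

# What only -Force would touch: objects that already carry an ID
$existing = $all | Where-Object { $_.uidNumber -or $_.gidNumber }
Write-Host "Objects with existing IDs (rewritten only by -Force): $(@($existing).Count)"

# IDs already shared by more than one object are indistinguishable to a Unix host;
# resolve these before letting any tool generate more IDs
$users | Where-Object uidNumber | Group-Object uidNumber | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "uidNumber $($_.Name) is shared by: $($_.Group.SamAccountName -join ', ')" }
$groups | Where-Object gidNumber | Group-Object gidNumber | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "gidNumber $($_.Name) is shared by: $($_.Group.SamAccountName -join ', ')" }
```

Run it once before and once after add-attrs, then compare the two CSV files, for example with `Compare-Object (Import-Csv before.csv) (Import-Csv after.csv) -Property SamAccountName,uidNumber,gidNumber`; with a plain run the only differences should be objects that previously had no ID, and with `-Force` the output tells you exactly which already-used IDs were rewritten.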
The Administrator user will by default be ignored, and any existing POSIX attributes cleared. This is to be compatible with the Administrator to root mapping in modern Samba Active Directory Domain Controllers. Administrator will not be mapped to root if it has a uidNumber set. However, if you only have Windows Active Directory Domain Controllers it may make sense to assign POSIX attributes to Administrator too, as this user is no more special to non-Windows hosts than any other domain user in behaviour or access levels. To do this set `-IncludeAdministrator`.
1. Create a service account in AD.
2. Delegate control over your AD structure to this user with the following permissions:
   - Read All Properties
   - Write All Properties

   for the following object types:
   - Group
   - User
3. Create a task that executes the PowerShell script. Run the script as the AD service account. Ensure the AD user has "Log on as a batch job" rights on the host.
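The task in step 3 can be registered from PowerShell rather than through the Task Scheduler GUI. The following is an added example, not part of add-attrs; it assumes the script is checked out to `C:\Scripts\add-attrs`, that the service account is `EXAMPLE\svc-posix`, and that the delegation from step 2 and the "Log on as a batch job" right have already been granted to that account.

```powershell
# Added example (not part of add-attrs): register a daily task that runs
# add-attrs.ps1 as the delegated AD service account.
# Assumptions: script path, account name and run time below are placeholders.
$ScriptDir = 'C:\Scripts\add-attrs'      # assumption: where add-attrs.ps1 lives
$Account   = 'EXAMPLE\svc-posix'         # assumption: the delegated service account
$TaskName  = 'add-attrs POSIX attributes'

# Prompt for the password rather than embedding it in this file
$cred = Get-Credential -UserName $Account -Message 'Service account password'

# Non-interactive PowerShell invocation of the script; no -Force, so only missing
# attributes are added on each run
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptDir\add-attrs.ps1`"" `
    -WorkingDirectory $ScriptDir

$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'

# Cap the run time and never start a second copy while one is still running
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

# Registering with -User/-Password stores the credential so the task runs whether
# or not the account is logged on ("Log on as a batch job" is what allows this).
# RunLevel Limited: the script only needs its delegated AD rights, not local admin.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $Account `
    -Password $cred.GetNetworkCredential().Password -RunLevel Limited `
    -Description 'Adds missing RFC2307 POSIX attributes to AD users and groups'

# Kick it off once by hand and check the result (LastTaskResult 0 means success)
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

Because the task stores a password for the service account, keep that account limited to the delegated rights from step 2 and nothing more; if your domain supports group managed service accounts, running the task under a gMSA removes the stored password altogether.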