Centrify Useful Commands and Information


If you do not know what Centrify is, most probably you do not need the commands below. However if you are curious, more info can be found on their website: http://www.centrify.com

In a nutshell, Centrify allows UNIX/Linux/OSX machines to join Active Directory. In a Centrify-enabled environment you have a single AD account to log in to all systems, whatever the platform (Windows, Linux, AIX, Solaris, HP-UX, Mac OS X, etc.).

Centrify AD commands:

(if they are not available in your path, you can find them here: /usr/share/centrifydc/bin)

How to see general information about the AD status of an AD-joined system:

adinfo
How to query users or groups:

adquery user lameuser1
If you need to see more info, add the -A parameter:
adquery user -A lameuser1
Example output (the default form is one passwd-style line):
$ adquery user lameuser1
lameuser1:x:448725:80000:Lame, User:/home/lameuser1:/usr/bin/ksh
$ adquery group adgroup

How to check the readiness of a machine to join an Active Directory domain:

It verifies all requirements before the machine is joined. You run this command on the client.
adcheck adgznor.net

How to join a server to Active Directory:

You will need the proper account and password for this command to work.
adjoin adgznor.net -z "Global" -c "adgznor.net/Services/UNIX/Servers" --name `uname -n` -u "SYS_LAMEUSER1@EU.ADGZNOR.NET"

How to remove a server from Active Directory:

When doing adleave, it is advised not to use the force flag, otherwise it only clears the status locally on the server and not on the Centrify side, where it will then have to be removed manually.
You will need the proper account and password for this command to work.
adleave --verbose -u

How to check for authentication issues (if any):

If the auth.log on your machine is in a different location, replace the path in the command below.
grep adclient /var/adm/syslog/auth.log
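The grep above is the starting point; what you usually want next is whether adclient is currently connected and whether the log points at the computer account's password (the case the adkeytab section further down repairs). The following is an added example, not part of the original page: it runs a few awk/grep filters over an auth.log excerpt. The log lines are constructed for this example (real adclient messages are worded differently), so adjust the patterns to what your own log shows.

```shell
# Constructed auth.log excerpt for this example. Real adclient messages are
# worded differently; tune the patterns below to what your own log shows.
SAMPLE_AUTHLOG='Mar  3 10:01:02 gzadcl adclient[1234]: INFO  <main> daemon.main Starting adclient
Mar  3 10:01:05 gzadcl adclient[1234]: INFO  <main> base.bind.healing Connected to DC dc1.adgznor.net
Mar  3 10:05:11 gzadcl sshd[2222]: Accepted password for lameuser1 from 10.0.0.5 port 51234 ssh2
Mar  3 11:20:40 gzadcl adclient[1234]: WARN  <fd:12> base.bind.healing Lost connection to dc1.adgznor.net
Mar  3 11:20:41 gzadcl adclient[1234]: INFO  <fd:12> base.bind.healing Switched to disconnected mode
Mar  3 11:21:00 gzadcl adclient[1234]: WARN  <fd:14> base.kerberos Computer password verification failed, cannot authenticate to KDC
Mar  3 11:22:03 gzadcl sshd[2300]: Failed password for lameuser1 from 10.0.0.5 port 51240 ssh2'

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_AUTHLOG" > "$SAMPLE_FILE"

# adclient_state <logfile>: the last connection state adclient logged
# ("connected", "disconnected" or "unknown" if it never said)
adclient_state() {
    awk '/adclient/ && /disconnected mode/ { s = "disconnected" }
         /adclient/ && /Connected to DC/   { s = "connected" }
         END { print (s == "" ? "unknown" : s) }' "$1"
}

# adclient_warnings <logfile>: number of WARN/ERROR lines from adclient
adclient_warnings() {
    awk '/adclient/ && / (WARN|ERROR) / { n++ } END { print n + 0 }' "$1"
}

# adclient_keytab_issue <logfile>: exit 0 when the log points at the computer
# account's password/keytab, the case the page says "adkeytab -r" repairs
adclient_keytab_issue() {
    grep adclient "$1" | grep -q -i -E 'computer password|KDC'
}

# adclient_triage <logfile>: one-line summary for the ticket
adclient_triage() {
    if adclient_keytab_issue "$1"; then k=yes; else k=no; fi
    printf 'state=%s warnings=%s keytab_issue=%s\n' \
        "$(adclient_state "$1")" "$(adclient_warnings "$1")" "$k"
}

adclient_triage "$SAMPLE_FILE"
# On a live AIX box: adclient_triage /var/adm/syslog/auth.log
```

The state function deliberately keeps only the last transition it sees, so a log that shows a reconnect after an outage reports "connected" rather than flagging the old disconnect.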

How to reload the Centrify configuration (after editing centrifydc.conf):

adreload

How to flush the Centrify local cache:

adflush
How to see AD map (network state):

adinfo -y netstate

How to check if an AD user is locked:

If the output shows accountLocked:true, the account is locked.
adquery user -A lameuser1 | grep accountLocked
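The grep above is enough at the prompt; in a script you want an exit code and an exact key match rather than a substring hit. This is an added example, not from the original page: it parses the attribute list that "adquery user -A" prints and the passwd-style line from the query section above. The sample output is constructed; only accountLocked and the passwd-style fields come from the page, the other attribute names (accountDisabled, passwordExpired, unixname) are assumed, so compare them with the real output on your system.

```shell
# Constructed sample of "adquery user -A lameuser1" output. Only accountLocked
# and the passwd-style fields are taken from the page; the other attribute
# names are assumed, so compare with the real output on your system.
SAMPLE_ADQUERY='unixname:lameuser1
uid:448725
gid:80000
gecos:Lame, User
home:/home/lameuser1
shell:/usr/bin/ksh
accountLocked:false
accountDisabled:false
passwordExpired:true'

# ad_attr <attribute> <adquery -A output>: print the value of one attribute.
# The whole key is compared, so a longer key that merely starts with the same
# word cannot match the way a bare grep would.
ad_attr() {
    printf '%s\n' "$2" | awk -F: -v k="$1" '
        $1 == k { sub(/^[^:]*:/, ""); print; found = 1 }
        END     { exit found ? 0 : 1 }'
}

# ad_user_locked <adquery -A output>: exit 0 locked, 1 not locked, 2 unknown
ad_user_locked() {
    v=$(ad_attr accountLocked "$1") || return 2
    case "$v" in
        true)  return 0 ;;
        false) return 1 ;;
        *)     return 2 ;;
    esac
}

# ad_user_summary <adquery -A output>: the fields asked about first on a
# "my login fails" ticket, on one line
ad_user_summary() {
    name=$(ad_attr unixname "$1") || name='?'
    locked=$(ad_attr accountLocked "$1") || locked='?'
    disabled=$(ad_attr accountDisabled "$1") || disabled='?'
    expired=$(ad_attr passwordExpired "$1") || expired='?'
    printf '%s locked=%s disabled=%s pwexpired=%s\n' "$name" "$locked" "$disabled" "$expired"
}

# ad_passwd_field <n> <passwd-style line>: nth colon-separated field of the
# line "adquery user" prints without -A (7 is the login shell)
ad_passwd_field() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

ad_user_summary "$SAMPLE_ADQUERY"
# Against a live system: ad_user_summary "$(adquery user -A lameuser1)"
```

The three-way exit code of ad_user_locked matters in scripts: an attribute that is missing (for example because the user is not an AD user at all) should not be reported as "not locked".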

How to see the preferred site (the site is chosen by the domain controller):

adinfo -V

How to reset an account's key table and synchronize its contents with the key distribution center in Active Directory:

Useful if the server gets into disconnected mode because of a computer password issue (which can be verified in logs such as auth.log).
You will need the proper account and password for this command to work.
adkeytab -r -u

How to enable centrifydc debug mode:

You will have to run these commands as root or with sudo.
Turn debug on and watch for any errors: /usr/share/centrifydc/bin/addebug on
Clear any previous debug log (/var/log/centrifydc.log): /usr/share/centrifydc/bin/addebug clear

How to restart the Centrify Agent:

AIX:

date ; ps -ef|grep adcl ; stopsrc -s centrifydc ; sleep 3; startsrc -s centrifydc ; sleep 2; ps -ef|grep adcli ; date ; adinfo ; sleep 1; dzinfo -C

Linux:

date ; ps -ef|grep adcl ; service centrifydc stop ; sleep 3; service centrifydc start ; sleep 1; ps -ef|grep adcli ; date

SunOS v5.10 and later (SMF):

svcadm disable centrifydc; sleep 5; svcadm enable centrifydc
svcs -a|grep -i centrif ; ps -ef|grep adcl

SunOS v5.8, v5.9:

/etc/init.d/centrifydc stop ; sleep 3; /etc/init.d/centrifydc start
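The one-liners above differ only in the service manager, and none of them checks that adclient actually came back in connected mode. As an added example, not part of the original page, here is a wrapper that picks the right restart command from the OS name and release, runs it, and then polls until the agent reports it is connected. It assumes "adinfo --mode" prints the connection mode (connected/disconnected); check "adinfo --help" on your release, and run the actual restart as root.

```shell
# centrify_restart_cmd <uname -s> <uname -r>: print the restart command for
# that platform (the page's per-OS one-liners), or fail for one we do not know
centrify_restart_cmd() {
    case "$1" in
        AIX)   echo 'stopsrc -s centrifydc; sleep 3; startsrc -s centrifydc' ;;
        Linux) echo 'service centrifydc stop; sleep 3; service centrifydc start' ;;
        SunOS)
            case "$2" in
                5.8|5.9) echo '/etc/init.d/centrifydc stop; sleep 3; /etc/init.d/centrifydc start' ;;
                *)       echo 'svcadm disable centrifydc; sleep 5; svcadm enable centrifydc' ;;
            esac ;;
        *) return 1 ;;
    esac
}

# wait_connected <timeout seconds>: poll adinfo until it reports "connected".
# Assumption: "adinfo --mode" prints the mode; adjust if your release differs.
wait_connected() {
    n=0
    while [ "$n" -lt "$1" ]; do
        if [ "$(adinfo --mode 2>/dev/null)" = "connected" ]; then
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# centrify_restart [timeout]: restart the agent for this platform and verify
centrify_restart() {
    timeout="${1:-30}"
    cmd=$(centrify_restart_cmd "$(uname -s)" "$(uname -r)") || {
        echo "unsupported platform: $(uname -s) $(uname -r)" >&2
        return 2
    }
    echo "before: $(adinfo --mode 2>/dev/null || echo unknown)"
    sh -c "$cmd"
    wait_connected "$timeout" || {
        echo "adclient did not report connected within ${timeout}s, check auth.log" >&2
        return 1
    }
    echo "after: $(adinfo --mode)"
}

# Dry run: only show what would be executed on this machine.
echo "would run: $(centrify_restart_cmd "$(uname -s)" "$(uname -r)" || echo 'unsupported platform')"
# To actually restart and verify (as root): centrify_restart 30
```

The point of the wait loop is that a clean process restart is not the same as a working agent: if the computer password is out of sync, adclient starts and then sits in disconnected mode, which is when the adkeytab step below applies.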

Centrify daemon commands:

How to display detailed information about the DirectAuthorize configuration for a specified user on the local computer:

dzinfo lameuser1
How to verify computer roles (server roles and group membership):

dzinfo -C

How to execute privileged commands as a specified user on the local computer (works like sudo):

dzdo -u root cat /etc/sudoers

How to list the commands a user can run (with dzdo):

dzinfo -c user

How to see which commands the currently logged-in user can run:

One output line should look like this: (root) !find * -exec *.
dzdo -l

How to edit a file as another user:

dzedit filename
It is similar to using dzdo with the -e option.

Other related commands:

How to list all users that are managed by CENTRIFY (AD users) in AIX:

lsuser -R CENTRIFYDC ALL

How to list the names and GIDs of all groups managed by CENTRIFY (AD groups) in AIX:

(to limit the number of groups visible on the server, use the /etc/centrify/group.ovr file)
lsgroup -R CENTRIFYDC -a id ALL

Centrify files:

CENTRIFY configuration files location:

/etc/centrifydc/
Centrify enabled samba configuration files location:


Centrify DirectControl configuration file:

/etc/centrifydc/centrifydc.conf
It contains the set of configuration parameters that control the different aspects of Centrify DirectControl operation on the local computer.

Good to know

How to map a local user to an Active Directory user with the pam.mapuser.localuser parameter in the centrifydc.conf config file:

In the example below, we map the local user lameuser to the AD user lame.user.
pam.mapuser.lameuser: lame.user

How to remove the message "It can only run as user root, default to run as root":

This message poses no problem, but if you run dzdo from a script you may want to get rid of it.
You can achieve this simply by specifying the user you want the command to run as. Compare the two examples below.
lameuser1@gzadcl(/home/lameuser1)$ dzdo cat /etc/sudoers | head -n 2
It can only run as user root, default to run as root
# sudoers file.
lameuser1@gzadcl(/home/lameuser1)$ dzdo -u root cat /etc/sudoers | head -n 2
# sudoers file.

Thou shalt not steal!

If you want to use this information on your own website, please remember: copying and pasting it in its entirety is always stealing, and you should be ashamed of yourself!
Have at least the decency to write your own text and comments, run the commands on your own servers and provide your own output, not what I did!

Or at least link back to this website.