ZPA: cannot list all users.

Showing results for 
Search instead for 
Do you mean 
Reply
Participant II
Posts: 3
Registered: ‎02-07-2017
#1 of 2 607

ZPA: cannot list all users.

Howdy!

I am dealing with an extremely large user pool of over 220,000 users and need to verify a user account has been autoprovisioned.  i've got four new accounts that cannot login and get the typical Mac shaky screen instead. Obviously I cannot see all the accounts at one time in Centrify Access Manager, however I should be able to enter the user name in the User or UNIX User search fields to see the account.  I cannot see my own account (which logs in) and cannot see the 4 user accounts (which do not log in).

 

I can verify that the users were entered into AD correctly but cannot verify they were autoprovisioned.

Posts: 961
Topics: 3
Kudos: 256
Blog Posts: 6
Ideas: 0
Solutions: 126
Registered: ‎07-06-2010
#2 of 2 591

Re: ZPA: cannot list all users.

Hi,

 

Thank you for using Centrify.  

 

Given the large amount of users, as you noted, the MMC Snap-in, Access Manager is not the best way to search for users.  Intead, we recommend using the CLI interfaces, adedit or PowerShell.

 

Below is an example of how to look for a user using the adedit CLI.  In this example, bart.simpson is not in the zone, but user felderi.santiago-a is.

 

$ adedit
>bind centrifylab.net user
administrator@CENTRIFYLAB.NET's password:
>select_zone "CN=CentrifyLab,CN=Zones,OU=Centrify,DC=centrifylab,DC=net"
>select_zone_user bart.simpson@centrifylab.net
NssUser not in current zone
>select_zone_user felderi.santiago-a@centrifylab.net
>show
Bindings:
        centrifylab.net: selab-dc2.centrifylab.net
Current zone:
        CN=CentrifyLab,CN=Zones,OU=Centrify,DC=centrifylab,DC=net
Current nss zone user:
        felderi.santiago-a@centrifylab.net:felderi.santiago-a:931137463:2147483648:%{u:displayName}:%{home}/%{user}:%{shell}:
Forests have valid license:
>

If the user is not being provisioned, check the ZPA settings and make sure the users meet the provisioning criteria.  You can also turn on logging and view the ZPA provisioning log to identify why the users are not getting provisioned:

 

Screen Shot 2018-09-24 at 10.13.45 AM.png

 

Hope this helps.  Please let us know if you have any questions.

 

 

Regards,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
Found my response helpful? Click the Kudos button!
Follow Centrify: