1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/docs-xml/manpages/samba-tool.8.xml
Rob van der Linde 93f4be1647 netcmd: docs: update documentation for new auth policy command structure
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00

3183 lines
84 KiB
XML

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="samba-tool.8">
<refmeta>
<refentrytitle>samba-tool</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
<refnamediv>
<refname>samba-tool</refname>
<refpurpose>Main Samba administration tool.
</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>samba-tool</command>
<arg choice="opt">-h</arg>
<arg choice="opt">-W myworkgroup</arg>
<arg choice="opt">-U user</arg>
<arg choice="opt">-d debuglevel</arg>
<arg choice="opt">--v</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-h|--help</term>
<listitem><para>
Show this help message and exit
</para></listitem>
</varlistentry>
&cmdline.common.connection.realm;
&cmdline.common.credentials.simplebinddn;
&cmdline.common.credentials.password;
&cmdline.common.credentials.user;
&cmdline.common.connection.workgroup;
&cmdline.common.credentials.nopass;
&cmdline.common.credentials.usekerberos;
&cmdline.common.credentials.usekrb5ccache;
&cmdline.common.credentials.authenticationfile;
<varlistentry>
<term>--ipaddress=IPADDRESS</term>
<listitem><para>
IP address of the server
</para></listitem>
</varlistentry>
<varlistentry>
<term>--color=always|never|auto</term>
<listitem>
<para>
Indicate whether samba-tool should use ANSI colour codes
in its output. If 'auto' (the default), samba-tool will
use colour when its output is directed toward a terminal,
unless the NO_COLOR environment variable is set and
non-empty.
</para>
<para>
The values 'yes' and 'force' are accepted as synonyms for
'always'; 'no' and 'none' for 'never'; and 'tty' and
'if-tty' for 'auto'.
</para>
<para>
Note that asking for colour doesn't mean samba-tool will
necessarily be very colourful. Many commands are very
monochrome, particularly when successful.
</para>
</listitem>
</varlistentry>
&cmdline.common.debug.client;
</variablelist>
</refsect1>
<refsect1>
<title>COMMANDS</title>
<refsect2>
<title>computer</title>
<para>Manage computer accounts.</para>
</refsect2>
<refsect3>
<title>computer add <replaceable>computername</replaceable> [options]</title>
<para>Add a new computer to the Active Directory Domain.</para>
<para>The new computer name specified on the command is the
sAMAccountName, with or without the trailing dollar sign.</para>
<variablelist>
<varlistentry>
<term>--computerou=COMPUTEROU</term>
<listitem><para>
DN of alternative location (with or without domainDN counterpart) to
default CN=Computers in which new computer object will be created.
E.g. 'OU=OUname'.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--description=DESCRIPTION</term>
<listitem><para>
The new computer's description.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--ip-address=IP_ADDRESS_LIST</term>
<listitem><para>
IPv4 address for the computer's A record, or IPv6 address for AAAA record,
can be provided multiple times.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
<listitem><para>
Computer's Service Principal Name, can be provided multiple times.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--prepare-oldjoin</term>
<listitem><para>
Prepare enabled machine account for oldjoin mechanism.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>computer create <replaceable>computername</replaceable> [options]</title>
<para>Add a new computer. This is a synonym for the
<command>samba-tool computer add</command> command and is available
for compatibility reasons only. Please use
<command>samba-tool computer add</command> instead.</para>
</refsect3>
<refsect3>
<title>computer delete <replaceable>computername</replaceable> [options]</title>
<para>Delete an existing computer account.</para>
<para>The computer name specified on the command is the
sAMAccountName, with or without the trailing dollar sign.</para>
</refsect3>
<refsect3>
<title>computer edit <replaceable>computername</replaceable></title>
<para>Edit a computer AD object.</para>
<para>The computer name specified on the command is the
sAMAccountName, with or without the trailing dollar sign.</para>
<variablelist>
<varlistentry>
<term>--editor=EDITOR</term>
<listitem><para>
Specifies the editor to use instead of the system default, or 'vi' if no
system default is set.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>computer list</title>
<para>List all computers.</para>
</refsect3>
<refsect3>
<title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
<para>This command moves a computer account into the specified
organizational unit or container.</para>
<para>The computername specified on the command is the
sAMAccountName, with or without the trailing dollar sign.</para>
<para>The name of the organizational unit or container can be
specified as a full DN or without the domainDN component.</para>
</refsect3>
<refsect3>
<title>computer show <replaceable>computername</replaceable> [options]</title>
<para>Display a computer AD object.</para>
<para>The computer name specified on the command is the
sAMAccountName, with or without the trailing dollar sign.</para>
<variablelist>
<varlistentry>
<term>--attributes=USER_ATTRS</term>
<listitem><para>
Comma separated list of attributes, which will be printed.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect2>
<title>contact</title>
<para>Manage contacts.</para>
</refsect2>
<refsect3>
<title>contact add [<replaceable>contactname</replaceable>] [options]</title>
<para>Add a new contact to the Active Directory Domain.</para>
<para>The name of the new contact can be specified by the first
argument 'contactname' or the --given-name, --initial and --surname
arguments. If no 'contactname' is given, contact's name will be made
up of the given arguments by combining the given-name, initials and
surname. Each argument is optional. A dot ('.') will be appended to
the initials automatically.</para>
<variablelist>
<varlistentry>
<term>--ou=OU</term>
<listitem><para>
DN of alternative location (with or without domainDN counterpart) in
which the new contact will be created.
E.g. 'OU=OUname'.
Default is the domain base.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--description=DESCRIPTION</term>
<listitem><para>
The new contact's description.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--surname=SURNAME</term>
<listitem><para>
Contact's surname.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--given-name=GIVEN_NAME</term>
<listitem><para>
Contact's given name.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--initials=INITIALS</term>
<listitem><para>
Contact's initials.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--display-name=DISPLAY_NAME</term>
<listitem><para>
Contact's display name.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--job-title=JOB_TITLE</term>
<listitem><para>
Contact's job title.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--department=DEPARTMENT</term>
<listitem><para>
Contact's department.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--company=COMPANY</term>
<listitem><para>
Contact's company.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--mail-address=MAIL_ADDRESS</term>
<listitem><para>
Contact's email address.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--internet-address=INTERNET_ADDRESS</term>
<listitem><para>
Contact's home page.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--telephone-number=TELEPHONE_NUMBER</term>
<listitem><para>
Contact's phone number.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--mobile-number=MOBILE_NUMBER</term>
<listitem><para>
Contact's mobile phone number.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE</term>
<listitem><para>
Contact's office location.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>contact create [<replaceable>contactname</replaceable>] [options]</title>
<para>Add a new contact. This is a synonym for the
<command>samba-tool contact add</command> command and is available
for compatibility reasons only. Please use
<command>samba-tool contact add</command> instead.</para>
</refsect3>
<refsect3>
<title>contact delete <replaceable>contactname</replaceable> [options]</title>
<para>Delete an existing contact.</para>
<para>The contactname specified on the command is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.</para>
</refsect3>
<refsect3>
<title>contact edit <replaceable>contactname</replaceable></title>
<para>Modify a contact AD object.</para>
<para>The contactname specified on the command is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.</para>
<variablelist>
<varlistentry>
<term>--editor=EDITOR</term>
<listitem><para>
Specifies the editor to use instead of the system default, or 'vi' if no
system default is set.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>contact list [options]</title>
<para>List all contacts.</para>
<variablelist>
<varlistentry>
<term>--full-dn</term>
<listitem><para>
Display contact's full DN instead of the name.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>contact move <replaceable>contactname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
<para>This command moves a contact into the specified organizational
unit or container.</para>
<para>The contactname specified on the command is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.</para>
</refsect3>
<refsect3>
<title>contact show <replaceable>contactname</replaceable> [options]</title>
<para>Display a contact AD object.</para>
<para>The contactname specified on the command is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.</para>
<variablelist>
<varlistentry>
<term>--attributes=CONTACT_ATTRS</term>
<listitem><para>
Comma separated list of attributes, which will be printed.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>contact rename <replaceable>contactname</replaceable> [options]</title>
<para>Rename a contact and related attributes.</para>
<para>This command allows to set the contact's name related attributes. The contact's
CN will be renamed automatically.
The contact's new CN will be made up by combining the given-name, initials
and surname. A dot ('.') will be appended to the initials automatically,
if required.
Use the --force-new-cn option to specify the new CN manually and --reset-cn
to reset this change.</para>
<para>Use an empty attribute value to remove the specified attribute.</para>
<para>The contact name specified on the command is the CN.</para>
<variablelist>
<varlistentry>
<term>--surname=SURNAME</term>
<listitem><para>
New surname.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--given-name=GIVEN_NAME</term>
<listitem><para>
New given name.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--initials=INITIALS</term>
<listitem><para>
New initials.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--force-new-cn=NEW_CN</term>
<listitem><para>
Specify a new CN (RDN) instead of using a combination
of the given name, initials and surname.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--reset-cn</term>
<listitem><para>
Set the CN to the default combination of given name,
initials and surname.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--display-name=DISPLAY_NAME</term>
<listitem><para>
New display name.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--mail-address=MAIL_ADDRESS</term>
<listitem><para>
New email address.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect2>
<title>dbcheck</title>
<para>Check the local AD database for errors.</para>
</refsect2>
<refsect2>
<title>delegation</title>
<para>Manage Delegations.</para>
</refsect2>
<refsect3>
<title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
<para>Add a service principal as msDS-AllowedToDelegateTo.</para>
</refsect3>
<refsect3>
<title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
<para>Delete a service principal as msDS-AllowedToDelegateTo.</para>
</refsect3>
<refsect3>
<title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
<para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
for an account.</para>
</refsect3>
<refsect3>
<title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
<para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account.</para>
</refsect3>
<refsect3>
<title>delegation show <replaceable>accountname</replaceable> [options] </title>
<para>Show the delegation setting of an account.</para>
</refsect3>
<refsect2>
<title>dns</title>
<para>Manage Domain Name Service (DNS).</para>
</refsect2>
<refsect3>
<title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
<para>Add a DNS record.</para>
</refsect3>
<refsect3>
<title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
<para>Delete a DNS record.</para>
</refsect3>
<refsect3>
<title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
<para>Query a name.</para>
</refsect3>
<refsect3>
<title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
<para>Query root hints.</para>
</refsect3>
<refsect3>
<title>dns serverinfo <replaceable>server</replaceable> [options]</title>
<para>Query server information.</para>
</refsect3>
<refsect3>
<title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
<para>Update a DNS record.</para>
</refsect3>
<refsect3>
<title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
<para>Create a zone.</para>
</refsect3>
<refsect3>
<title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
<para>Delete a zone.</para>
</refsect3>
<refsect3>
<title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
<para>Query zone information.</para>
</refsect3>
<refsect3>
<title>dns zonelist <replaceable>server</replaceable> [options]</title>
<para>List zones.</para>
</refsect3>
<refsect2>
<title>domain</title>
<para>Manage Domain.</para>
</refsect2>
<refsect3>
<title>domain backup</title>
<para>Create or restore a backup of the domain.</para>
</refsect3>
<refsect3>
<title>domain backup offline</title>
<para>Backup (with proper locking) local domain directories into a tar file.</para>
</refsect3>
<refsect3>
<title>domain backup online</title>
<para>Copy a running DC's current DB into a backup tar file.</para>
</refsect3>
<refsect3>
<title>domain backup rename</title>
<para>Copy a running DC's DB to backup file, renaming the domain in the process.</para>
</refsect3>
<refsect3>
<title>domain backup restore</title>
<para>Restore the domain's DB from a backup-file.</para>
</refsect3>
<refsect2>
<title>domain auth policy</title>
<para>Manage authentication policies.</para>
</refsect2>
<refsect3>
<title>domain auth policy list</title>
<para>List authentication policies on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--json</term>
<listitem><para>
View authentication policies as JSON instead of a list.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy view</title>
<para>View an authentication policy on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of the authentication policy to view (required).
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy create</title>
<para>Create authentication policies on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of the authentication policy (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--description</term>
<listitem><para>
Optional description for the authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--protect</term>
<listitem>
<para>
Protect authentication policy from accidental deletion.
</para>
<para>
Cannot be used together with --unprotect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--unprotect</term>
<listitem>
<para>
Unprotect authentication policy from accidental deletion.
</para>
<para>
Cannot be used together with --protect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--audit</term>
<listitem>
<para>
Only audit authentication policy.
</para>
<para>
Cannot be used together with --enforce.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--enforce</term>
<listitem>
<para>
Enforce authentication policy.
</para>
<para>
Cannot be used together with --audit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--strong-ntlm-policy</term>
<listitem>
<para>
Strong NTLM Policy (Disabled, Optional, Required).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--user-tgt-lifetime-mins</term>
<listitem>
<para>
Ticket-Granting-Ticket lifetime for user accounts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--user-allow-ntlm-auth</term>
<listitem>
<para>
Allow <constant>NTLM</constant> and <constant>
Interactive NETLOGON SamLogon</constant>
authentication despite the
fact that
<constant>allowed-to-authenticate-from</constant>
is in use, which would
otherwise restrict the user to selected devices.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--user-allowed-to-authenticate-from</term>
<listitem>
<para>
Conditions a device must meet
for users covered by this
policy to be allowed to
authenticate. While this is a
restriction on the device,
any conditional ACE rules are
expressed as if the device was
a user.
</para>
<para>
Must be a valid SDDL string
without reference to Device
keywords.
</para>
<para>
Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--user-allowed-to-authenticate-to=SDDL</term>
<listitem>
<para>
This policy, applying to a
user account that is offering
a service, eg a web server
with a user account, restricts
which accounts may access it.
</para>
<para>
Must be a valid SDDL string.
The SDDL can reference both
bare (user) and Device conditions.
</para>
<para>
SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--service-tgt-lifetime-mins</term>
<listitem>
<para>
Ticket-Granting-Ticket lifetime for service accounts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--service-allow-ntlm-auth</term>
<listitem>
<para>
Allow NTLM network authentication when service
is restricted to selected devices.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--service-allowed-to-authenticate-from</term>
<listitem>
<para>
Conditions a device must meet
for service accounts covered
by this policy to be allowed
to authenticate. While this
is a restriction on the
device, any conditional ACE
rules are expressed as if the
device was a user.
</para>
<para>
Must be a valid SDDL string
without reference to Device
keywords.
</para>
<para>
SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))</constant>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--service-allowed-to-authenticate-to=SDDL</term>
<listitem>
<para>
This policy, applying to a
service account (eg a Managed
Service Account, Group Managed
Service Account), restricts
which accounts may access it.
</para>
<para>
Must be a valid SDDL string.
The SDDL can reference both
bare (user) and Device conditions.
</para>
<para>
SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--computer-tgt-lifetime-mins</term>
<listitem>
<para>
Ticket-Granting-Ticket lifetime for computer accounts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--computer-allowed-to-authenticate-to=SDDL</term>
<listitem>
<para>
This policy, applying to a
computer account (eg a server
or workstation), restricts
which accounts may access it.
</para>
<para>
Must be a valid SDDL string.
The SDDL can reference both
bare (user) and Device conditions.
</para>
<para>
SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy modify</title>
<para>Modify authentication policies on the domain. The same
options apply as for <constant>domain auth policy create</constant>.</para>
</refsect3>
<refsect3>
<title>domain auth policy delete</title>
<para>Delete authentication policies on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication policy to delete (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--force</term>
<listitem><para>
Force authentication policy delete even if it is protected.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy user-allowed-to-authenticate-from set</title>
<para>Set the user-allowed-to-authenticate-from property by scenario.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--by-group=GROUP</term>
<listitem><para>
User is allowed to
authenticate, if the device they
authenticate from is assigned
and granted membership of a
given <constant>GROUP</constant>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--silo=SILO</term>
<listitem><para>
User is allowed to
authenticate, if the device they
authenticate from is assigned
and granted membership of a
given <constant>SILO</constant>.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy user-allowed-to-authenticate-to set</title>
<para>Set the user-allowed-to-authenticate-to property by scenario.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--group=GROUP</term>
<listitem><para>
The user account, offering a
network service, covered by
this policy, will only be allowed
access from other accounts
that are members of the given
<constant>GROUP</constant>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--silo=SILO</term>
<listitem><para>
The user account, offering a
network service, covered by
this policy, will only be
allowed access from other accounts
that are assigned to,
granted membership of (and
meet any authentication
conditions of) the given <constant>SILO</constant>.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy service-allowed-to-authenticate-from set</title>
<para>Set the service-allowed-to-authenticate-from property by scenario.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--group=GROUP</term>
<listitem><para>
The service account (eg a Managed
Service Account, Group Managed
Service Account) is allowed to
authenticate, if the device it
authenticates from is a member
of the given <constant>GROUP</constant>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--silo=SILO</term>
<listitem><para>
The service account (eg a Managed
Service Account, Group Managed
Service Account) is allowed to
authenticate, if the device it
authenticates from is assigned
and granted membership of a
given <constant>SILO</constant>.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy service-allowed-to-authenticate-to set</title>
<para>Set the service-allowed-to-authenticate-to property by scenario.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--group=GROUP</term>
<listitem><para>
The service account (eg a Managed
Service Account, Group Managed
Service Account), will only be
allowed access by other accounts
that are members of the given
<constant>GROUP</constant>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--silo=SILO</term>
<listitem><para>
The service account (eg a
Managed Service Account, Group
Managed Service Account), will
only be allowed access by other
accounts that are assigned
to, granted membership of (and
meet any authentication
conditions of) the given <constant>SILO</constant>.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth policy computer-allowed-to-authenticate-to set</title>
<para>Set the computer-allowed-to-authenticate-to property by scenario.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--group=GROUP</term>
<listitem><para>
The computer account (eg a server
or workstation), will only be
allowed access by other accounts
that are members of the given
<constant>GROUP</constant>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--silo=SILO</term>
<listitem><para>
The computer account (eg a
server or workstation), will
only be allowed access by
other accounts that are
assigned to, granted
membership of (and meet any
authentication conditions of)
the given <constant>SILO</constant>.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect2>
<title>domain auth silo</title>
<para>Manage authentication silos.</para>
</refsect2>
<refsect3>
<title>domain auth silo list</title>
<para>List authentication silos on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--json</term>
<listitem><para>
View authentication silos as JSON instead of a list.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth silo view</title>
<para>View an authentication silo on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of the authentication silo to view (required).
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth silo create</title>
<para>Create authentication silos on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of the authentication silo (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--description</term>
<listitem><para>
Optional description for the authentication silo.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--user-authentication-policy</term>
<listitem><para>
User account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--service-authentication-policy</term>
<listitem><para>
Managed service account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--computer-authentication-policy</term>
<listitem><para>
Computer authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--protect</term>
<listitem>
<para>
Protect authentication silo from accidental deletion.
</para>
<para>
Cannot be used together with --unprotect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--unprotect</term>
<listitem>
<para>
Unprotect authentication silo from accidental deletion.
</para>
<para>
Cannot be used together with --protect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--audit</term>
<listitem>
<para>
Only audit silo policies.
</para>
<para>
Cannot be used together with --enforce.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--enforce</term>
<listitem>
<para>
Enforce silo policies.
</para>
<para>
Cannot be used together with --audit.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth silo modify</title>
<para>Modify authentication silos on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of the authentication silo (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--description</term>
<listitem><para>
Optional description for the authentication silo.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--user-authentication-policy</term>
<listitem><para>
User account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--service-authentication-policy</term>
<listitem><para>
Managed service account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--computer-authentication-policy</term>
<listitem><para>
Computer authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--protect</term>
<listitem>
<para>
Protect authentication silo from accidental deletion.
</para>
<para>
Cannot be used together with --unprotect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--unprotect</term>
<listitem>
<para>
Unprotect authentication silo from accidental deletion.
</para>
<para>
Cannot be used together with --protect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--audit</term>
<listitem>
<para>
Only audit silo policies.
</para>
<para>
Cannot be used together with --enforce.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--enforce</term>
<listitem>
<para>
Enforce silo policies.
</para>
<para>
Cannot be used together with --audit.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth silo delete</title>
<para>Delete authentication silos on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication silo to delete (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--force</term>
<listitem><para>
Force authentication silo delete even if it is protected.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth silo member grant</title>
<para>Grant a member access to an authentication silo.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication silo (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--member</term>
<listitem><para>
Member to grant access to the silo (DN or account name).
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth silo member list</title>
<para>List members in an authentication silo.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication silo (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--json</term>
<listitem><para>
View members as JSON instead of a list.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain auth silo member revoke</title>
<para>Revoke a member from an authentication silo.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Name of authentication silo (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--member</term>
<listitem><para>
Member to revoke from the silo (DN or account name).
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain claim claim-type list</title>
<para>List claim types on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--json</term>
<listitem><para>
View claim types as JSON instead of a list.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain claim claim-type view</title>
<para>View a single claim type on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Display name of claim type to view (required).
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain claim claim-type create</title>
<para>Create claim types on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--attribute</term>
<listitem><para>
Attribute of claim type to create (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--class</term>
<listitem>
<para>
Object classes to set claim type to.
</para>
<para>
Example: --class=user --class=computer
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Optional display name or use attribute name.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--description</term>
<listitem><para>
Optional description or use from attribute.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--enable</term>
<listitem>
<para>
Enable claim type.
</para>
<para>
Cannot be used together with --disable.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--disable</term>
<listitem>
<para>
Disable claim type.
</para>
<para>
Cannot be used together with --enable.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--protect</term>
<listitem>
<para>
Protect claim type from accidental deletion.
</para>
<para>
Cannot be used together with --unprotect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--unprotect</term>
<listitem>
<para>
Unprotect claim type from accidental deletion.
</para>
<para>
Cannot be used together with --protect.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain claim claim-type modify</title>
<para>Modify claim types on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Display name of claim type to modify (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--class</term>
<listitem>
<para>
Object classes to set claim type to.
</para>
<para>
Example: --class=user --class=computer
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--description</term>
<listitem><para>
Set the claim type description.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--enable</term>
<listitem>
<para>
Enable claim type.
</para>
<para>
Cannot be used together with --disable.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--disable</term>
<listitem>
<para>
Disable claim type.
</para>
<para>
Cannot be used together with --enable.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--protect</term>
<listitem>
<para>
Protect claim type from accidental deletion.
</para>
<para>
Cannot be used together with --unprotect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--unprotect</term>
<listitem>
<para>
Unprotect claim type from accidental deletion.
</para>
<para>
Cannot be used together with --protect.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain claim claim-type delete</title>
<para>Delete claim types on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Display name of claim type to delete (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--force</term>
<listitem><para>
Force claim type delete even if it is protected.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain claim value-type list</title>
<para>List claim value types on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--json</term>
<listitem><para>
View claim value types as JSON instead of a list.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain claim value-type view</title>
<para>View a single claim value type on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Display name of claim value type to view (required).
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect2>
<title>service-account</title>
<para>Service account management.</para>
</refsect2>
<refsect3>
<title>service-account list</title>
<para>List service accounts on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--json</term>
<listitem><para>
View service accounts as JSON instead of a list.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>service-account view</title>
<para>View a single service account on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Account name of service account to view (required).
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>service-account create</title>
<para>Create a new service account on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Account name of service account (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--dns-host-name</term>
<listitem><para>
DNS hostname of this service account (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--group-msa-membership</term>
<listitem><para>
Optional Group MSA Membership SDDL.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--managed-password-interval</term>
<listitem><para>
Managed password refresh interval in days.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>service-account modify</title>
<para>Modify an existing service account on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Account name of service account (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--dns-host-name</term>
<listitem><para>
Update DNS hostname of this service account.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--group-msa-membership</term>
<listitem><para>
Update Group MSA Membership SDDL.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>service-account delete</title>
<para>Delete a service accounts on the domain.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Account name of service account to delete.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect2>
<title>service-account group-msa-membership</title>
<para>Service account Group MSA Membership management.</para>
</refsect2>
<refsect3>
<title>service-account group-msa-membership show</title>
<para>Display Group MSA Membership for a service account.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Account name of service account (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--json</term>
<listitem><para>
Return as JSON instead of a list.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>service-account group-msa-membership add</title>
<para>Add a principal to Group MSA Membership for a service account.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Account name of service account (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--principal</term>
<listitem><para>
Name, DN or SID of principal to add.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>service-account group-msa-membership remove</title>
<para>Remove a principal from Group MSA Membership for a service account.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--name</term>
<listitem><para>
Account name of service account (required).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--principal</term>
<listitem><para>
Name, DN or SID of principal to remove.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
<para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
database.</para>
</refsect3>
<refsect3>
<title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
<para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
</refsect3>
<refsect3>
<title>domain demote</title>
<para>Demote ourselves from the role of domain controller.</para>
</refsect3>
<refsect3>
<title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
<para>Dumps Kerberos keys of the domain into a keytab.</para>
</refsect3>
<refsect3>
<title>domain info <replaceable>ip_address</replaceable> [options]</title>
<para>Print basic info about a domain and the specified DC.
</para>
</refsect3>
<refsect3>
<title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
<para>Join a domain as either member or backup domain controller.</para>
</refsect3>
<refsect3>
<title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Show/raise domain and forest function levels.</para>
</refsect3>
<refsect3>
<title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Show/set password settings.</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso</title>
<para>Manage fine-grained Password Settings Objects (PSOs).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
<para>Applies a PSO's password policy to a user or group.</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
<para>Creates a new Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
<para>Deletes a Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso list [options]</title>
<para>Lists all Password Settings Objects (PSOs).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
<para>Modifies a Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
<para>Displays a Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
<para>Displays the Password Settings that apply to a user.</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
<para>Updates a PSO to no longer apply to a user or group.</para>
</refsect3>
<refsect3>
<title>domain provision</title>
<para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
</refsect3>
<refsect3>
<title>domain trust</title>
<para>Domain and forest trust management.</para>
</refsect3>
<refsect3>
<title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Create a domain or forest trust.</para>
</refsect3>
<refsect3>
<title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Modify a domain or forest trust.</para>
</refsect3>
<refsect3>
<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Delete a domain trust.</para>
</refsect3>
<refsect3>
<title>domain trust list <replaceable>options</replaceable> [options]</title>
<para>List domain trusts.</para>
</refsect3>
<refsect3>
<title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
<para>Manage forest trust namespaces.</para>
</refsect3>
<refsect3>
<title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Show trusted domain details.</para>
</refsect3>
<refsect3>
<title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Validate a domain trust.</para>
</refsect3>
<refsect2>
<title>drs</title>
<para>Manage Directory Replication Services (DRS).</para>
</refsect2>
<refsect3>
<title>drs bind</title>
<para>Show DRS capabilities of a server.</para>
</refsect3>
<refsect3>
<title>drs kcc</title>
<para>Trigger knowledge consistency center run.</para>
</refsect3>
<refsect3>
<title>drs options</title>
<para>Query or change <replaceable>options</replaceable> for NTDS Settings
object of a domain controller.</para>
</refsect3>
<refsect3>
<title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
<para>Replicate a naming context between two DCs.</para>
</refsect3>
<refsect3>
<title>drs showrepl</title>
<para>Show replication status. The <arg
choice="opt">--json</arg> option results in JSON output, and
with the <arg choice="opt">--summary</arg> option produces
very little output when the replication status seems healthy.
</para>
</refsect3>
<refsect2>
<title>dsacl</title>
<para>Administer DS ACLs</para>
</refsect2>
<refsect3>
<title>dsacl delete</title>
<para>Delete an access list entry on a directory object.</para>
</refsect3>
<refsect3>
<title>dsacl get</title>
<para>Print access list on a directory object.</para>
</refsect3>
<refsect3>
<title>dsacl set</title>
<para>Modify access list on a directory object.</para>
</refsect3>
<refsect2>
<title>forest</title>
<para>Manage Forest configuration.</para>
</refsect2>
<refsect3>
<title>forest directory_service</title>
<para>Manage directory_service behaviour for the forest.</para>
</refsect3>
<refsect3>
<title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
<para>Modify dsheuristics directory_service configuration for the forest.</para>
</refsect3>
<refsect3>
<title>forest directory_service show</title>
<para>Show current directory_service configuration for the forest.</para>
</refsect3>
<refsect2>
<title>fsmo</title>
<para>Manage Flexible Single Master Operations (FSMO).</para>
</refsect2>
<refsect3>
<title>fsmo seize [options]</title>
<para>Seize the role.</para>
</refsect3>
<refsect3>
<title>fsmo show</title>
<para>Show the roles.</para>
</refsect3>
<refsect3>
<title>fsmo transfer [options]</title>
<para>Transfer the role.</para>
</refsect3>
<refsect2>
<title>gpo</title>
<para>Manage Group Policy Objects (GPO).</para>
</refsect2>
<refsect3>
<title>gpo create <replaceable>displayname</replaceable> [options]</title>
<para>Create an empty GPO.</para>
</refsect3>
<refsect3>
<title>gpo del <replaceable>gpo</replaceable> [options]</title>
<para>Delete GPO.</para>
</refsect3>
<refsect3>
<title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
<para>Delete GPO link from a container.</para>
</refsect3>
<refsect3>
<title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
<para>Download a GPO.</para>
</refsect3>
<refsect3>
<title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
<para>Get inheritance flag for a container.</para>
</refsect3>
<refsect3>
<title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
<para>List GPO Links for a container.</para>
</refsect3>
<refsect3>
<title>gpo list <replaceable>username</replaceable> [options]</title>
<para>List GPOs for an account.</para>
</refsect3>
<refsect3>
<title>gpo listall</title>
<para>List all GPOs.</para>
</refsect3>
<refsect3>
<title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
<para>List all linked containers for a GPO.</para>
</refsect3>
<refsect3>
<title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
<para>Set inheritance flag on a container.</para>
</refsect3>
<refsect3>
<title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
<para>Add or Update a GPO link to a container.</para>
</refsect3>
<refsect3>
<title>gpo show <replaceable>gpo</replaceable> [options]</title>
<para>Show information for a GPO.</para>
</refsect3>
<refsect3>
<title>gpo manage symlink list</title>
<para>List VGP Symbolic Link Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage symlink add</title>
<para>Adds a VGP Symbolic Link Group Policy to the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage symlink remove</title>
<para>Removes a VGP Symbolic Link Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage files list</title>
<para>List VGP Files Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage files add</title>
<para>Add VGP Files Group Policy to the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage files remove</title>
<para>Remove VGP Files Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage openssh list</title>
<para>List VGP OpenSSH Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage openssh set</title>
<para>Sets a VGP OpenSSH Group Policy to the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage sudoers add</title>
<para>Adds a Samba Sudoers Group Policy to the sysvol.</para>
</refsect3>
<refsect3>
<title>gpo manage sudoers list</title>
<para>List Samba Sudoers Group Policy from the sysvol.</para>
</refsect3>
<refsect3>
<title>gpo manage sudoers remove</title>
<para>Removes a Samba Sudoers Group Policy from the sysvol.</para>
</refsect3>
<refsect3>
<title>gpo manage scripts startup list</title>
<para>List VGP Startup Script Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage scripts startup add</title>
<para>Adds VGP Startup Script Group Policy to the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage scripts startup remove</title>
<para>Removes VGP Startup Script Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage motd list</title>
<para>List VGP MOTD Group Policy from the sysvol.</para>
</refsect3>
<refsect3>
<title>gpo manage motd set</title>
<para>Sets a VGP MOTD Group Policy to the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage issue list</title>
<para>List VGP Issue Group Policy from the sysvol.</para>
</refsect3>
<refsect3>
<title>gpo manage issue set</title>
<para>Sets a VGP Issue Group Policy to the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage access add</title>
<para>Adds a VGP Host Access Group Policy to the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage access list</title>
<para>List VGP Host Access Group Policy from the sysvol</para>
</refsect3>
<refsect3>
<title>gpo manage access remove</title>
<para>Remove a VGP Host Access Group Policy from the sysvol</para>
</refsect3>
<refsect2>
<title>group</title>
<para>Manage groups.</para>
</refsect2>
<refsect3>
<title>group add <replaceable>groupname</replaceable> [options]</title>
<para>Create a new AD group.</para>
</refsect3>
<refsect3>
<title>group create <replaceable>groupname</replaceable> [options]</title>
<para>Add a new AD group. This is a synonym for the
<command>samba-tool group add</command> command and is available
for compatibility reasons only. Please use
<command>samba-tool group add</command> instead.</para>
</refsect3>
<refsect3>
<title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
<para>Add members to an AD group.</para>
</refsect3>
<refsect3>
<title>group delete <replaceable>groupname</replaceable> [options]</title>
<para>Delete an AD group.</para>
</refsect3>
<refsect3>
<title>group edit <replaceable>groupname</replaceable></title>
<para>Edit a group AD object.</para>
<variablelist>
<varlistentry>
<term>--editor=EDITOR</term>
<listitem><para>
Specifies the editor to use instead of the system default, or 'vi' if no
system default is set.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>group list</title>
<para>List all groups.</para>
</refsect3>
<refsect3>
<title>group listmembers <replaceable>groupname</replaceable> [options]</title>
<para>List all members of the specified AD group.</para>
<para>By default the sAMAccountNames are listed. If no sAMAccountName
is available, the CN will be used instead.</para>
<variablelist>
<varlistentry>
<term>--full-dn</term>
<listitem><para>
List the distinguished names instead of the sAMAccountNames.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--hide-expired</term>
<listitem><para>
Do not list expired group members.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--hide-disabled</term>
<listitem><para>
Do not list disabled group members.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
<para>This command moves a group into the specified organizational unit
or container.</para>
<para>The groupname specified on the command is the sAMAccountName.
</para>
<para>The name of the organizational unit or container can be
specified as a full DN or without the domainDN component.</para>
<para></para>
</refsect3>
<refsect3>
<title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
<para>Remove members from the specified AD group.</para>
</refsect3>
<refsect3>
<title>group show <replaceable>groupname</replaceable> [options]</title>
<para>Show group object and it's attributes.</para>
</refsect3>
<refsect3>
<title>group stats [options]</title>
<para>Show statistics for overall groups and group memberships.</para>
</refsect3>
<refsect3>
<title>group rename <replaceable>groupname</replaceable> [options]</title>
<para>Rename a group and related attributes.</para>
<para>This command allows to set the group's name related attributes. The
group's CN will be renamed automatically.
The group's CN will be the sAMAccountName.
Use the --force-new-cn option to specify the new CN manually and the
--reset-cn to reset this change.</para>
<para>Use an empty attribute value to remove the specified attribute.</para>
<para>The groupname specified on the command is the sAMAccountName.</para>
<variablelist>
<varlistentry>
<term>--force-new-cn=NEW_CN</term>
<listitem><para>
Specify a new CN (RDN) instead of using the sAMAccountName.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--reset-cn</term>
<listitem><para>
Set the CN to the sAMAccountName.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--mail-address=MAIL_ADDRESS</term>
<listitem><para>
New mail address
</para></listitem>
</varlistentry>
<varlistentry>
<term>--samaccountname=SAMACCOUNTNAME</term>
<listitem><para>
New account name (sAMAccountName/logon name)
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect2>
<title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
<para>Compare two LDAP databases.</para>
</refsect2>
<refsect2>
<title>ntacl</title>
<para>Manage NT ACLs.</para>
</refsect2>
<refsect3>
<title>ntacl changedomsid <replaceable>original-domain-SID</replaceable> <replaceable>new-domain-SID</replaceable> <replaceable>file</replaceable> [options]</title>
<para>Change the domain SID for ACLs.
Can be used to change all entries in acl_xattr when the machine's SID
has accidentally changed or the data set has been copied
to another machine either via backup/restore or rsync.</para>
<variablelist>
<varlistentry>
<term>--use-ntvfs</term>
<listitem><para>
Set the ACLs directly to the TDB or xattr. The POSIX permissions will
NOT be changed, only the NT ACL will be stored.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--service=SERVICE</term>
<listitem><para>
Specify the name of the smb.conf service to use. This option is
required in combination with the --use-s3fs option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--use-s3fs</term>
<listitem><para>
Set the ACLs for use with the default s3fs file server via the VFS
layer. This option requires a smb.conf service, specified by the
--service=SERVICE option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--xattr-backend=[native|tdb]</term>
<listitem><para>
Specify the xattr backend type (native fs or tdb).
</para></listitem>
</varlistentry>
<varlistentry>
<term>--eadb-file=EADB_FILE</term>
<listitem><para>
Name of the tdb file where attributes are stored.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--recursive</term>
<listitem><para>
Set the ACLs for directories and their contents recursively.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--follow-symlinks</term>
<listitem><para>
Follow symlinks when --recursive is specified.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--verbose</term>
<listitem><para>
Verbosely list files and ACLs which are being processed.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>ntacl get <replaceable>file</replaceable> [options]</title>
<para>Get ACLs on a file.</para>
</refsect3>
<refsect3>
<title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
<para>Set ACLs on a file.</para>
</refsect3>
<refsect3>
<title>ntacl sysvolcheck</title>
<para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
</refsect3>
<refsect3>
<title>ntacl sysvolreset</title>
<para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
</refsect3>
<refsect2>
<title>ou</title>
<para>Manage organizational units (OUs).</para>
</refsect2>
<refsect3>
<title>ou add <replaceable>ou_dn</replaceable> [options]</title>
<para>Add a new organizational unit.</para>
<para>The name of the organizational unit can be specified as a full DN
or without the domainDN component.</para>
<variablelist>
<varlistentry>
<term>--description=DESCRIPTION</term>
<listitem><para>
Specify OU's description.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>ou create <replaceable>ou_dn</replaceable> [options]</title>
<para>Add a new organizational unit. This is a synonym for the
<command>samba-tool ou add</command> command and is available
for compatibility reasons only. Please use
<command>samba-tool ou add</command> instead.</para>
</refsect3>
<refsect3>
<title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
<para>Delete an organizational unit.</para>
<para>The name of the organizational unit can be specified as a full DN
or without the domainDN component.</para>
<variablelist>
<varlistentry>
<term>--force-subtree-delete</term>
<listitem><para>
Delete organizational unit and all children recursively.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>ou list [options]</title>
<para>List all organizational units.</para>
<variablelist>
<varlistentry>
<term>--full-dn</term>
<listitem><para>
Display DNs including the base DN.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
<para>List all objects in an organizational unit.</para>
<para>The name of the organizational unit can be specified as a full DN
or without the domainDN component.</para>
<variablelist>
<varlistentry>
<term>--full-dn</term>
<listitem><para>
Display DNs including the base DN.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-r|--recursive</term>
<listitem><para>
List objects recursively.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
<para>Move an organizational unit.</para>
<para>The name of the organizational units can be specified as a full DN
or without the domainDN component.</para>
</refsect3>
<refsect3>
<title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
<para>Rename an organizational unit.</para>
<para>The name of the organizational units can be specified as a full DN
or without the domainDN component.</para>
</refsect3>
<refsect2>
<title>rodc</title>
<para>Manage Read-Only Domain Controller (RODC).</para>
</refsect2>
<refsect3>
<title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
<para>Preload one account for an RODC.</para>
</refsect3>
<refsect2>
<title>schema</title>
<para>Manage and query schema.</para>
</refsect2>
<refsect3>
<title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
<para>Modify the behaviour of an attribute in schema.</para>
</refsect3>
<refsect3>
<title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
<para>Display an attribute schema definition.</para>
</refsect3>
<refsect3>
<title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
<para>Show objectclasses that MAY or MUST contain this attribute.</para>
</refsect3>
<refsect3>
<title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
<para>Display an objectclass schema definition.</para>
</refsect3>
<refsect2>
<title>shell</title>
<para>Opens an interactive Samba Python shell.</para>
</refsect2>
<refsect3>
<title>shell [options]</title>
<para>Opens an interactive Python shell for Samba ldb connection.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
<listitem><para>
LDB URL for database or target server.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect2>
<title>sites</title>
<para>Manage sites.</para>
</refsect2>
<refsect3>
<title>sites list [options]</title>
<para>List sites.</para>
<variablelist>
<varlistentry>
<term>--json</term>
<listitem><para>
Output as JSON instead of a list
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>sites view <replaceable>site</replaceable> [options]</title>
<para>View site details.</para>
</refsect3>
<refsect3>
<title>sites create <replaceable>site</replaceable> [options]</title>
<para>Create a new site.</para>
</refsect3>
<refsect3>
<title>sites remove <replaceable>site</replaceable> [options]</title>
<para>Delete an existing site.</para>
</refsect3>
<refsect3>
<title>sites subnet list <replaceable>site</replaceable> [options]</title>
<para>List subnets for a site.</para>
<variablelist>
<varlistentry>
<term>--json</term>
<listitem><para>
Output as JSON instead of a list
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>sites subnet view <replaceable>subnet</replaceable> [options]</title>
<para>View subnet details.</para>
</refsect3>
<refsect3>
<title>sites subnet create <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
<para>Create a new subnet.</para>
</refsect3>
<refsect3>
<title>sites subnet remove <replaceable>subnet</replaceable> [options]</title>
<para>Delete an existing subnet.</para>
</refsect3>
<refsect3>
<title>sites subnet set-site <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
<para>Assign a subnet to a site.</para>
</refsect3>
<refsect2>
<title>spn</title>
<para>Manage Service Principal Names (SPN).</para>
</refsect2>
<refsect3>
<title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
<para>Create a new SPN.</para>
</refsect3>
<refsect3>
<title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
<para>Delete an existing SPN.</para>
</refsect3>
<refsect3>
<title>spn list <replaceable>user</replaceable> [options]</title>
<para>List SPNs of a given user.</para>
</refsect3>
<refsect2>
<title>testparm</title>
<para>Check the syntax of the configuration file.</para>
</refsect2>
<refsect2>
<title>time</title>
<para>Retrieve the time on a server.</para>
</refsect2>
<refsect2>
<title>user</title>
<para>Manage users.</para>
</refsect2>
<refsect3>
<title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
<para>Add a new user to the Active Directory Domain.</para>
</refsect3>
<refsect3>
<title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
<para>Add a new user. This is a synonym for the
<command>samba-tool user add</command> command and is available
for compatibility reasons only. Please use
<command>samba-tool user add</command> instead.</para>
</refsect3>
<refsect3>
<title>user delete <replaceable>username</replaceable> [options]</title>
<para>Delete an existing user account.</para>
</refsect3>
<refsect3>
<title>user disable <replaceable>username</replaceable></title>
<para>Disable a user account.</para>
</refsect3>
<refsect3>
<title>user edit <replaceable>username</replaceable></title>
<para>Edit a user account AD object.</para>
<variablelist>
<varlistentry>
<term>--editor=EDITOR</term>
<listitem><para>
Specifies the editor to use instead of the system default, or 'vi' if no
system default is set.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>user enable <replaceable>username</replaceable></title>
<para>Enable a user account.</para>
</refsect3>
<refsect3>
<title>user list</title>
<para>List all users.</para>
<para>By default the user's sAMAccountNames are listed.</para>
<variablelist>
<varlistentry>
<term>--full-dn</term>
<listitem><para>
List user's distinguished names instead of the sAMAccountNames.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-b BASE_DN|--base-dn=BASE_DN</term>
<listitem><para>
Specify base DN to use. Only users under the specified base DN will be
listed.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--hide-expired</term>
<listitem><para>
Do not list expired user accounts.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--hide-disabled</term>
<listitem><para>
Do not list disabled user accounts.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--locked-only</term>
<listitem><para>
Only list locked user accounts.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>user setprimarygroup <replaceable>username</replaceable> <replaceable>primarygroupname</replaceable></title>
<para>Set the primary group a user account.</para>
</refsect3>
<refsect3>
<title>user getgroups <replaceable>username</replaceable></title>
<para>Get the direct group memberships of a user account.</para>
</refsect3>
<refsect3>
<title>user show <replaceable>username</replaceable> [options]</title>
<para>Display a user AD object.</para>
<variablelist>
<varlistentry>
<term>--attributes=USER_ATTRS</term>
<listitem><para>
Comma separated list of attributes, which will be printed.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
<para>This command moves a user account into the specified
organizational unit or container.</para>
<para>The username specified on the command is the
sAMAccountName.</para>
<para>The name of the organizational unit or container can be
specified as a full DN or without the domainDN component.</para>
</refsect3>
<refsect3>
<title>user password [options]</title>
<para>Change password for a user account (the one provided in
authentication).</para>
</refsect3>
<refsect3>
<title>user rename <replaceable>username</replaceable> [options]</title>
<para>Rename a user and related attributes.</para>
<para>This command allows to set the user's name related attributes. The user's
CN will be renamed automatically.
The user's new CN will be made up by combining the given-name, initials
and surname. A dot ('.') will be appended to the initials automatically,
if required.
Use the --force-new-cn option to specify the new CN manually and --reset-cn
to reset this change.</para>
<para>Use an empty attribute value to remove the specified attribute.</para>
<para>The username specified on the command is the sAMAccountName.</para>
<variablelist>
<varlistentry>
<term>--surname=SURNAME</term>
<listitem><para>
New surname
</para></listitem>
</varlistentry>
<varlistentry>
<term>--given-name=GIVEN_NAME</term>
<listitem><para>
New given name
</para></listitem>
</varlistentry>
<varlistentry>
<term>--initials=INITIALS</term>
<listitem><para>
New initials
</para></listitem>
</varlistentry>
<varlistentry>
<term>--force-new-cn=NEW_CN</term>
<listitem><para>
Specify a new CN (RDN) instead of using a combination
of the given name, initials and surname.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--reset-cn</term>
<listitem><para>
Set the CN to the default combination of given name,
initials and surname.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--display-name=DISPLAY_NAME</term>
<listitem><para>
New display name
</para></listitem>
</varlistentry>
<varlistentry>
<term>--mail-address=MAIL_ADDRESS</term>
<listitem><para>
New email address
</para></listitem>
</varlistentry>
<varlistentry>
<term>--samaccountname=SAMACCOUNTNAME</term>
<listitem><para>
New account name (sAMAccountName/logon name)
</para></listitem>
</varlistentry>
<varlistentry>
<term>--upn=UPN</term>
<listitem><para>
New user principal name
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>user setexpiry <replaceable>username</replaceable> [options]</title>
<para>Set the expiration of a user account.</para>
</refsect3>
<refsect3>
<title>user setpassword <replaceable>username</replaceable> [options]</title>
<para>Sets or resets the password of a user account.</para>
</refsect3>
<refsect3>
<title>user unlock <replaceable>username</replaceable> [options]</title>
<para>This command unlocks a user account in the Active Directory
domain.</para>
</refsect3>
<refsect3>
<title>user getpassword <replaceable>username</replaceable> [options]</title>
<para>Gets the password of a user account.</para>
</refsect3>
<refsect3>
<title>user get-kerberos-ticket <replaceable>username</replaceable> [options]</title>
<para>Gets a Kerberos Ticket Granting Ticket as the account.</para>
</refsect3>
<refsect3>
<title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
<para>Syncs the passwords of all user accounts, using an optional script.</para>
<para>Note that this command should run on a single domain controller only
(typically the PDC-emulator).</para>
</refsect3>
<refsect3>
<title>user auth policy assign <replaceable>username</replaceable> [options]</title>
<para>Set assigned authentication policy for user.</para>
<variablelist>
<varlistentry>
<term>--policy</term>
<listitem><para>
Name of authentication policy to assign or leave empty to remove.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>user auth policy remove <replaceable>username</replaceable></title>
<para>Remove assigned authentication policy from user.</para>
</refsect3>
<refsect3>
<title>user auth policy view <replaceable>username</replaceable></title>
<para>View the assigned authentication policy for user.</para>
</refsect3>
<refsect3>
<title>user auth silo assign <replaceable>username</replaceable> [options]</title>
<para>Set assigned authentication silo for user.</para>
<variablelist>
<varlistentry>
<term>--silo</term>
<listitem><para>
Name of authentication silo to assign or leave empty to remove.
</para></listitem>
</varlistentry>
</variablelist>
</refsect3>
<refsect3>
<title>user auth silo remove <replaceable>username</replaceable></title>
<para>Remove assigned authentication silo from user.</para>
</refsect3>
<refsect3>
<title>user auth silo view <replaceable>username</replaceable></title>
<para>View the assigned authentication silo for user.</para>
</refsect3>
<refsect2>
<title>vampire [options] <replaceable>domain</replaceable></title>
<para>Join and synchronise a remote AD domain to the local server.
Please note that <command>samba-tool vampire</command> is deprecated,
please use <command>samba-tool domain join</command> instead.</para>
</refsect2>
<refsect2>
<title>visualize [options] <replaceable>subcommand</replaceable></title>
<para>Produce graphical representations of Samba network state.
To work out what is happening in a replication graph, it is sometimes
helpful to use visualisations.</para>
<para>
There are two subcommands, two graphical modes, and (roughly) two modes
of operation with respect to the location of authority.</para>
<refsect3><title>MODES OF OPERATION</title>
<varlistentry>
<term>samba-tool visualize ntdsconn</term>
<listitem><para>Looks at NTDS connections.
</para></listitem>
</varlistentry>
<varlistentry>
<term>samba-tool visualize reps</term>
<listitem><para>Looks at repsTo and repsFrom objects.
</para></listitem>
</varlistentry>
<varlistentry>
<term>samba-tool visualize uptodateness</term>
<listitem><para>Looks at replication lag as shown by the
uptodateness vectors.
</para></listitem>
</varlistentry>
</refsect3>
<refsect3><title>GRAPHICAL MODES</title>
<varlistentry>
<term>--distance</term>
<listitem><para>Distances between DCs are shown in a matrix in
the terminal.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--dot</term>
<listitem><para>Generate Graphviz dot output (for
ntdsconn and reps modes). When viewed using dot or
xdot, this shows the network as a graph with DCs as
vertices and connections edges. Certain types of
degenerate edges are shown in different colours or
line-styles. </para></listitem>
</varlistentry>
<varlistentry>
<term>--xdot</term>
<listitem><para>Generate Graphviz dot output as with
<arg choice="opt">--dot</arg> and attempt to view it
immediately using <command>/usr/bin/xdot</command>.
</para></listitem>
</varlistentry>
</refsect3>
<varlistentry>
<term>-r</term>
<listitem><para>Normally,
<command>samba-tool</command> talks to one database;
with the <arg choice="opt">-r</arg> option attempts
are made to contact all the DCs known to the first
database. This is necessary for <command>samba-tool
visualize uptodateness</command> and for
<command>samba-tool visualize reps</command> because
the repsFrom/To objects are not replicated, and it can
reveal replication issues in other modes.
</para></listitem>
</varlistentry>
</refsect2>
<refsect2>
<title>help</title>
<para>Gives usage information.</para>
</refsect2>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>This man page is complete for version &doc.version; of the Samba
suite.</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
</refsect1>
</refentry>