What are AD Bridge Cells?
An AD Bridge Cell is a container of Unix settings for Active Directory users and groups so they can log into Linux and Unix computers.
For each user, the settings include a Unix user identifier (UID), the group identifier (GID) of the primary group, a home directory, and a login shell.
Default and Named Cells in AD Bridge
When you create a cell, AD Bridge creates a container object, CN=$LikewiseIdentityCell, in the domain root or in the OU where you created the cell.
There are two types of AD Bridge Cells:
- Default Cell: A cell located at the root of the domain. The Linux/Unix-specific data is stored directly in the AD user or group object. It gets its name from being the cell used by default when no other cell is found. This should be your primary method for mapping identities.
In a multi-domain or multi-forest enterprise, the Default Cells of the domains merge into a single, enterprise-wide Default Cell, where users from each domain can authenticate with their credentials. Users' UIDs, GIDs, and other settings are defined separately in each domain, but nothing additional is needed at the domain-level to enable the user to authenticate.
Each forest that has a two-way transitive forest trust with the computer's forest is listed in the Default Cell. Each domain, in each forest, can opt in to this enterprise-wide Default Cell by creating a Default Cell in that domain. Any user who is listed in the Default Cell in a domain can be seen by the AD Bridge-enabled operating systems of any computer joined to the Default Cell.
When used with Directory Integrated mode, various attributes are indexed in the global catalog. This enables faster look-ups and login across the forest.
- Named Cell: A Named Cell is associated with an organizational unit (OU). It gets its name from the OU the cell resides in. The Unix-specific data is stored in CN=Users and CN=Groups in the $LikewiseIdentityCell container object. The objects point to the Active Directory user or group information with a backlinked security identifier. This allows for unique mapping outside of what is configured in the user/group object.
Which cell should you use?
Default Cell should always be used. It allows for seamless integration across the forest and uses the information already stored in the user/group attributes.
Named Cells should be used when there are systems that require a different mapping from what is in the Default Cell, or for foreign users (across one-way trusts) whose information cannot easily be looked up.
How are AD Bridge Cells useful?
You can use cells to map a user to different UIDs and GIDs for different computers.
To manage your AD Bridge Cells, use the following tools:
- Active Directory Users and Computers: An AD Bridge Cell Settings tab is added to the dialog box of the following objects in the Active Directory Users and Computers MMC snap-in:
  - Domain
  - Users
  - Groups
  - Organizational Units
- Cell Manager: Cell Manager is an AD Bridge MMC snap-in for managing your AD Bridge Cells. Cell Manager is installed when you install the BeyondTrust Management Console.
The AD Bridge Active Directory Users and Computers snap-in can work without cells. The plug-in can manage the RFC2307 attributes on users and groups without using a cell. In this case, a Default Cell is assumed. The AD Bridge Cell Settings tab will display (Default (Assumed)).
Note
For more information, see Use the btopt.exe tool to manage options.
Note
Ensure the account you use to manage AD Bridge Cell properties is a member of the Domain Admins group or Enterprise Admins group. The account needs privileges to create and change objects and child objects in Active Directory.
How cells are processed in AD Bridge
AD Bridge searches Active Directory for cell information
When an Active Directory user logs on to an AD Bridge client computer, the AD Bridge agent searches Active Directory for the user's AD Bridge Cell information.
The search typically begins at the node where the computer is joined to Active Directory and can extend to all forests that have a two-way transitive trust with the client computer's forest.
AD Bridge agent checks the cell type
The AD Bridge agent determines the OU where the computer is a member and checks whether a Named Cell is associated with it.
AD Bridge agent continues search if no cell found for the OU
If a cell is not associated with the OU, the AD Bridge agent on the Unix or Linux computer moves up the directory structure, searching the parent and grandparent OUs until it finds an OU that has an AD Bridge Cell associated with it.
Named Cell found
If a Named Cell is found, AD Bridge searches for a user or group's attributes in the cell associated with the computer.
If an OU with an associated cell is not found, the AD Bridge agent uses the Default Cell for the domain to map the username to UID and GID information.
Default Cell processing
A Default Cell is processed differently than a Named Cell. When processing a Default Cell, AD Bridge searches for a user or group's attributes in the Default Cell of the domain where the user or group resides. For example, a two-domain topology configured with one domain for users and another domain for computers would require two Default Cells:
- a Default Cell in the domain where user and group objects reside
- a Default Cell in the domain where computer objects are joined
A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the Group Policy Objects (GPOs) associated with the OU apply to the Linux or Unix computer, but user UID and GID mappings follow the policy of the nearest parent cell or the Default Cell.
AD Bridge does not require you to have a Default Cell, but for AD Bridge to operate properly you must ensure that the AD Bridge agent can always find a cell.
Note
For more information about modes, cells, and user rights, see Best practices.
Cell design and identities in AD Bridge
AD Bridge Cells allow you to manage overlapping Unix identities within a single Active Directory organization. Cells work in Directory Integrated mode only.
Storing Unix identities
Cells store Unix identity information separate from other cells. This allows a single user or group to have different names or different numerical ID values (UID or GID) in different environments, all associated with the same AD identity.
This also allows multiple users or groups to have overlapping names or numerical ID values (UID or GID) in separate environments. Each additional cell adds overhead to routine account management and to troubleshooting end-user logon issues, because both require the extra step of determining which cell the operation must be performed against.
Note
To minimize complexity while allowing the flexibility of cells, we recommend that you use no more than four cells.
Named cells
Named Cells store Unix identity information (uid, uidNumber, gidNumber, gecos, unixHomeDirectory, loginShell) in a subcontainer of the organizational unit (OU) which is associated with the cell.
Whether a user exists in the local domain or a trusted domain, the Unix identity information exists in an object in the cell. In other words, a Named Cell can reference users or groups from outside the current AD domain.
Default cells
Default Cell mode refers to how an AD domain is set up. There is one Default Cell, and it is enterprise-wide. All trusted Microsoft Active Directory Global Catalogs are part of the Default Cell. However, individual AD domains participate in the Default Cell by creating the Default Cell object in the root of those domains.
In Default Cell mode, the Unix identity information is stored in the same OU as the user object that the Unix Identity information is related to. This enforces a single Unix identity for a single AD user across the entire enterprise. Therefore, the Default Cell should be viewed as the ultimate authority for Unix information within an enterprise.
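The lookup order described under "How cells are processed in AD Bridge" (walk up from the computer's OU, fall back to the domain-root Default Cell) and the two storage layouts described above (Unix attributes on the user object for the Default Cell; a backlinked object under CN=Users in the $LikewiseIdentityCell container for a Named Cell) can be modelled in a few lines. The Python below is an added example written for this page, not AD Bridge code: DIRECTORY is a constructed dictionary keyed by DN that stands in for LDAP, the functions parent_dn, domain_root, find_cell, has_cell and resolve_identity are helper names invented here, and every DN, SID and attribute value is made up. The behaviour when a Named Cell exists but holds no entry for the user (an error, no fallback to the Default Cell) is an assumption of this model, not something the page states.

```python
"""Added example (not AD Bridge code): model of how the AD Bridge agent locates
the cell for a computer and where it reads the user's Unix identity from.

Assumptions: DIRECTORY is a constructed stand-in for LDAP (DN -> attributes);
parent_dn, domain_root, find_cell, has_cell and resolve_identity are helper
names invented for this illustration. All DNs, SIDs and values are made up.
"""

CELL_RDN = "CN=$LikewiseIdentityCell"   # container AD Bridge creates for a cell
UNIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed two-domain topology: users in corp.example, computers in res.example.
DIRECTORY = {
    # corp.example: Default Cell at the domain root; RFC 2307 attributes on the user object
    "DC=corp,DC=example": {"objectClass": "domainDNS"},
    "CN=$LikewiseIdentityCell,DC=corp,DC=example": {"objectClass": "container"},
    "CN=alice,OU=Staff,DC=corp,DC=example": {
        "objectClass": "user", "objectSid": "S-1-5-21-1-1-1-1001",
        "uidNumber": 10001, "gidNumber": 10000,
        "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash",
    },
    # res.example: Default Cell at the root (so the domain opts in) plus a Named Cell on OU=Legacy
    "DC=res,DC=example": {"objectClass": "domainDNS"},
    "CN=$LikewiseIdentityCell,DC=res,DC=example": {"objectClass": "container"},
    "OU=Servers,DC=res,DC=example": {"objectClass": "organizationalUnit"},
    "OU=Legacy,OU=Servers,DC=res,DC=example": {"objectClass": "organizationalUnit"},
    "CN=$LikewiseIdentityCell,OU=Legacy,OU=Servers,DC=res,DC=example": {"objectClass": "container"},
    # Named Cell entry for alice: under CN=Users in the cell, backlinked by her SID,
    # giving her a different UID/GID on the legacy hosts only
    "CN=alice,CN=Users,CN=$LikewiseIdentityCell,OU=Legacy,OU=Servers,DC=res,DC=example": {
        "objectClass": "PosixAccount", "backLink": "S-1-5-21-1-1-1-1001",
        "uidNumber": 501, "gidNumber": 500,
        "unixHomeDirectory": "/export/home/alice", "loginShell": "/bin/ksh",
    },
    "CN=legacy01,OU=Legacy,OU=Servers,DC=res,DC=example": {"objectClass": "computer"},
    "CN=web01,OU=Servers,DC=res,DC=example": {"objectClass": "computer"},
    # lab.example: a joined computer but no cell anywhere (the agent must report this)
    "CN=lab01,OU=Hosts,DC=lab,DC=example": {"objectClass": "computer"},
}


def parent_dn(dn):
    """Drop the leading RDN: 'CN=a,OU=b,DC=c' -> 'OU=b,DC=c'."""
    return dn.split(",", 1)[1]


def domain_root(dn):
    """Keep only the DC= components: the domain the object belongs to."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))


def find_cell(computer_dn, directory=DIRECTORY):
    """Walk from the computer's OU up through parent OUs to the domain root.

    Returns (cell_dn, 'named') for the first OU that has a cell, (cell_dn, 'default')
    if only the domain-root cell exists, and raises LookupError if there is none.
    """
    root = domain_root(computer_dn)
    node = parent_dn(computer_dn)
    while True:
        cell_dn = f"{CELL_RDN},{node}"
        if cell_dn in directory:
            return cell_dn, ("default" if node == root else "named")
        if node == root:
            raise LookupError(f"no AD Bridge cell found for {computer_dn}")
        node = parent_dn(node)


def has_cell(computer_dn, directory=DIRECTORY):
    """True if the agent on this computer can find any cell at all."""
    try:
        find_cell(computer_dn, directory)
        return True
    except LookupError:
        return False


def resolve_identity(user_dn, computer_dn, directory=DIRECTORY):
    """Return the Unix attributes the given computer would use for the user."""
    cell_dn, kind = find_cell(computer_dn, directory)
    user = directory[user_dn]
    if kind == "named":
        # Named Cell: the PosixAccount object under CN=Users that backlinks to the user's SID.
        # Assumption: no fallback to the Default Cell when the Named Cell has no entry.
        users_container = f"CN=Users,{cell_dn}"
        for dn, attrs in directory.items():
            if dn.endswith("," + users_container) and attrs.get("backLink") == user["objectSid"]:
                return {k: attrs[k] for k in UNIX_ATTRS}
        raise LookupError(f"{user_dn} has no entry in Named Cell {cell_dn}")
    # Default Cell: attributes sit on the user object and are read from the Default Cell
    # of the user's own domain, which therefore must also have opted in.
    if f"{CELL_RDN},{domain_root(user_dn)}" not in directory:
        raise LookupError(f"{domain_root(user_dn)} has no Default Cell")
    return {k: user[k] for k in UNIX_ATTRS}


if __name__ == "__main__":
    alice = "CN=alice,OU=Staff,DC=corp,DC=example"
    for computer in ("CN=legacy01,OU=Legacy,OU=Servers,DC=res,DC=example",
                     "CN=web01,OU=Servers,DC=res,DC=example"):
        print(computer.split(",")[0], find_cell(computer)[1], resolve_identity(alice, computer))
    print("lab01 can find a cell:", has_cell("CN=lab01,OU=Hosts,DC=lab,DC=example"))
```

Running the block shows the same AD user resolving to UID 501 on legacy01 (Named Cell on OU=Legacy) and to UID 10001 on web01 (Default Cell), and lab01 reporting that no cell can be found, which is the condition the page warns against: AD Bridge does not require a Default Cell, but the agent must always be able to find some cell.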
Directory Integrated mode - Default Cell configurations
In Directory Integrated mode, the Default Cell stores the Unix identity information directly on the user or group object, in the same manner as the First Name (givenName), Address (address, city, state), and Email (emailAddress) attributes.
Because the Directory Integrated Mode - Default Cell stores the information on the user or group object, existing Identity Management (IDM) products do not need to be modified to provision users for the Default Cell in Directory Integrated Mode. This also allows non-AD Bridge computers that use the RFC 2307 attributes to use the same identity information as AD Bridge.
In Directory Integrated mode, the Default Cell is the preferred method for all AD Bridge installations. In all cases where Unix identity information can be made to be non-overlapping, the Directory Integrated Mode - Default Cell should be used.
Directory Integrated mode - Named Cell configurations
In Directory Integrated mode, Named Cells create objects of class PosixAccount and serviceConnectionPoint, which are linked back to the user or group object associated with the AD Bridge object.
Directory Integrated Mode - Named Cells are recommended wherever multiple cells beyond the Default Cell are required.
Schemaless mode cells
Important
Schemaless mode is deprecated. The content below is for information only.
The AD Bridge clients determine cell and schema configuration at startup and re-check this configuration periodically. Because of how the data is stored, migration from a Schemaless Default Cell to a Directory Integrated Mode - Default Cell configuration requires more work, more steps, and more potential risks than any other cell migration.
For migration and long-term support purposes, Schemaless Mode Cells should only be created as Named Cells.
Note
Directory Integrated mode is preferred for the performance benefits and because Microsoft Active Directory is moving towards Directory Integrated Mode by default.
Helpful tips for multiple cell use
If you have multiple Unix and Linux computers but are not using a centralized scheme to manage UIDs and GIDs, it is likely that each computer has unique UID-GID mappings.
When using multiple cells, it can be helpful to identify what Unix and Linux objects each cell represents. For example:
- Individual Unix or Linux computers
- A single domain
- Multiple domains (which require multiple cells)
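Before deciding how many cells a fleet needs, it helps to check which hosts actually disagree about a mapping. The Python below is an added example written for this page, not AD Bridge tooling: SAMPLE_PASSWD holds constructed /etc/passwd excerpts keyed by hostname, and parse_passwd, find_conflicts and plan_cells are helper names invented here. It reports the two kinds of overlap a single cell cannot express (one username with different mappings, one UID owned by different usernames) and then greedily groups hosts whose mappings can coexist in one cell.

```python
"""Added example (not AD Bridge tooling): compare the local UID/GID mappings of
several hosts before deciding how many cells are needed and which hosts can share one.

Assumptions: SAMPLE_PASSWD holds constructed /etc/passwd excerpts keyed by hostname;
parse_passwd, find_conflicts and plan_cells are helper names invented here.
"""
from collections import defaultdict

SAMPLE_PASSWD = {
    "web01": "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
             "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n",
    "web02": "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
             "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n",
    "legacy01": "alice:x:501:500:Alice:/export/home/alice:/bin/ksh\n"
                "carol:x:1001:1001:Carol:/home/carol:/bin/sh\n",
}


def parse_passwd(text):
    """Return {name: (uid, gid, home, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = (int(uid), int(gid), home, shell)
    return users


def find_conflicts(hosts):
    """Find the two kinds of overlap a single cell cannot express.

    name_conflicts: one username with different (uid, gid, home, shell) on different hosts
    uid_conflicts:  one UID number used by different usernames on different hosts
    """
    by_name = defaultdict(lambda: defaultdict(set))
    by_uid = defaultdict(lambda: defaultdict(set))
    for host, text in hosts.items():
        for name, mapping in parse_passwd(text).items():
            by_name[name][mapping].add(host)
            by_uid[mapping[0]][name].add(host)
    name_conflicts = {n: dict(m) for n, m in by_name.items() if len(m) > 1}
    uid_conflicts = {u: dict(n) for u, n in by_uid.items() if len(n) > 1}
    return name_conflicts, uid_conflicts


def plan_cells(hosts):
    """Greedily group hosts whose mappings can coexist in one cell.

    A host joins the first group in which every one of its users keeps the same
    mapping and every one of its UIDs keeps the same owner; otherwise it starts a
    new group. Returns a list of sorted host lists, one per proposed cell.
    """
    groups = []  # each: {"hosts": set, "by_name": {name: mapping}, "by_uid": {uid: name}}
    for host in sorted(hosts):
        users = parse_passwd(hosts[host])
        for group in groups:
            compatible = all(
                group["by_name"].get(name, mapping) == mapping
                and group["by_uid"].get(mapping[0], name) == name
                for name, mapping in users.items()
            )
            if compatible:
                group["hosts"].add(host)
                for name, mapping in users.items():
                    group["by_name"][name] = mapping
                    group["by_uid"][mapping[0]] = name
                break
        else:
            groups.append({
                "hosts": {host},
                "by_name": dict(users),
                "by_uid": {mapping[0]: name for name, mapping in users.items()},
            })
    return [sorted(group["hosts"]) for group in groups]


if __name__ == "__main__":
    names, uids = find_conflicts(SAMPLE_PASSWD)
    for name, mappings in names.items():
        print(f"{name}: {len(mappings)} different mappings -> {mappings}")
    for uid, owners in uids.items():
        print(f"uid {uid} owned by {sorted(owners)}")
    print("proposed cells:", plan_cells(SAMPLE_PASSWD))
```

On the sample data alice has two mappings and UID 1001 belongs to alice on the web hosts but to carol on legacy01, so the planner proposes two groups: the larger, non-overlapping one is the natural candidate for the Default Cell, and each remaining group becomes a Named Cell on the OU holding those computers. If the planner produces more groups than the four cells the page recommends as a maximum, that is a signal to renumber the outliers before cells are created rather than to add cells.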
Create a cell and associate it with an OU or a domain
To associate a cell with an OU, for example, you must be a member of the Domain Administrators security group, or you must be assigned permissions to manage container objects in an OU.
Important
Before you associate a cell with an OU, make sure you have chosen the schema mode. You cannot easily change the schema mode after you create a cell, including a Default Cell.
- Start Active Directory Users and Computers.
- In the console tree, right-click the OU or the domain for which you want to create a cell, click Properties, and then click the AD Bridge Cell Settings tab.
- Under AD Bridge Cell Information, select the Create Associated AD Bridge Cell check box, and then click OK.
You can now associate a user with cells.
Note
For more information, see Associate a user with AD Bridge cells.