
Centrify profile de-provisioning & orphaned object removal - Part 1

11 April 2019 at 11:50 AM

Introduction

One of the key features of using Centrify for AD bridging is that it allows a single Active Directory user or group to have multiple, distinct UNIX profiles for different groups of machines (Centrify Zones), or even for individual machines within a zone (so-called Managed Computer overrides). To make this possible, Centrify stores each UNIX profile as properties of a serviceConnectionPoint object in the Centrify Zone hierarchy in Active Directory.

In Centrify zones of the RFC2307 or Standard type, the Active Directory user or group object to which a UNIX profile belongs is referenced by its unique Active Directory Security Identifier (SID), stored as the value of an attribute of the serviceConnectionPoint object. The profile therefore keeps pointing at that SID even after the user or group object itself is gone.

Profiles in other zone types may reference the Active Directory object differently; those zone types are out of scope for this article, as the vast majority of customers implement Centrify standard hierarchical zones.

When a user or group is de-provisioned from Active Directory, the UNIX profile(s) that point to this user or group should also be de-provisioned, lest the profile become orphaned and prevent a new profile from being created with the same UNIX login or group name.

This article details how UNIX profiles can be de-provisioned, when to use which de-provisioning method, and (in Part 2) how to deal with orphaned profiles.

 

Profile de-provisioning methods

Various de-provisioning methods exist, ranging from interactive removal of individual profiles to fully automated de-provisioning. This section details the most common methods for profile de-provisioning with Centrify.

 

Manual de-provisioning using the Centrify DirectManage Access console

This method consists of manually deleting the Centrify profiles in the Active Directory Users and Computers management console (also known as ADUC or dsa.msc).

In order to use the Centrify profile property pages in ADUC, the following two pre-requisites need to be met:

  • (On every machine where you wish to access the Centrify profile tabs) The ADUC property page extension must be installed, either by checking the box ADUC property page extension in the Centrify DirectManage Access installation wizard (screenshot: DM_ADUC_plugin_option.png), or by running the stand-alone .msi or .exe installer located in the \DirectManage\ADUC Property Page Extension directory on the Centrify Server Suite 2016 installation media.
  • (Once for the entire Active Directory forest) The property pages must be registered in Active Directory: either the option Activate Centrify profile property pages was checked during the setup wizard of the Centrify DirectManage Access Manager console, or an Active Directory Enterprise Administrator registers them at any later time by following the section titled Creating Display Specifiers for Centrify profiles in the Centrify Server Suite Planning and Deployment Guide (centrify-unix-deployment-guide.pdf on the Centrify Server Suite 2016 - DirectManage installation media).

To manually de-provision a user or group's Centrify Zone objects using ADUC:

  • Open the Microsoft Active Directory Users and Computers management console on a machine where the ADUC profile page extension has been installed.
  • Find the user object that you wish to de-provision, right-click it and select Properties.
  • Open the tab named Centrify Profile. In the domain drop-down menu, select the domain from which to de-provision the zone objects. In the User Information drop-down menu, select Profiles; all of the user's Centrify Zone profiles are now listed in the centre area of the tab. Select one and click the Remove button at the bottom of the window; repeat until no profiles remain. Next, select Role Assignments from the User Information drop-down menu and remove every direct role assignment that was made to the user in Centrify zones (screenshot: ADUC_UserProfile.png).
  • Once all the zone objects for the user have been removed, the user object itself can be deleted in Active Directory.

As this method is relatively time-consuming, it is a viable option only for environments with a very low volume of de-provisioning requests, all of which are handled through a small number of pre-designated Windows machines running the Active Directory Users and Computers console.

 

Built-in support for semi-automatic de-provisioning using ADUC

For environments with higher de-provisioning volumes, Centrify provides a way to delete all of a user's or group's zone information automatically when the object is deleted from Active Directory with the Active Directory Users and Computers management console, without having to open the Centrify Profile tab and remove each Centrify zone object related to the user or group by hand.

In order to use automatic zone object de-provisioning in ADUC, the following pre-requisites need to be met:

  • The same pre-requisites as listed in the section above, Manual de-provisioning using the Centrify DirectManage Access console: the Centrify profile property page extension must be installed on every machine from which user objects will be deleted with ADUC, and the property pages must have been registered in Active Directory by an Active Directory Enterprise Administrator account.
  • (Once for the entire Active Directory forest) The administrative notification handler must be registered: either the option Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in was checked during the setup wizard of the Centrify DirectManage Access Manager console, or an Active Directory Enterprise Administrator registers it at any later time by following the section titled Registering the administrative notification handler in the Centrify Server Suite Planning and Deployment Guide.

To automatically de-provision a user or group's Centrify Zone objects in ADUC:

  • Open the Microsoft Active Directory Users and Computers management console on a machine where the ADUC profile page extension has been installed.
  • Find the user object that you wish to de-provision.
  • Delete the object. A pop-up window appears immediately, asking whether to delete not just the object but also its zone information (referred to as Centrify DirectControl Data) (screenshot: ADUC_plugin.png).
  • Make sure the checkbox for Centrify DirectControl Data is ticked and click Yes to delete the Active Directory object itself together with all of its related zone profiles and role assignments.

While this method is less time-consuming than deleting every single profile and role assignment by hand, it is still only viable for environments with a low volume of de-provisioning requests, where every request is handled through a small number of pre-designated Windows machines running the Active Directory Users and Computers console with the Centrify profile property page extension installed. The notification handler only fires for deletions performed through such a console; objects deleted with other tools (scripts, other consoles) leave their zone data behind.

 

To remove UNIX profiles in an environment that handles much higher volumes of de-provisioning requests, more automation is needed. The following two methods provide it:

 

De-provisioning using the Centrify Zone Provisioning Agent

A big advantage of using the Centrify Zone Provisioning Agent (ZPA) is that it takes care of all (de-)provisioning needs in a Zone without any action being required other than toggling the membership of the user or group in the provisioning group of that zone. This allows a company to delegate the (de-)provisioning of UNIX user profiles to a team that does not need extensive technical knowledge of UNIX profiles. The ZPA is not covered in this article, as it is a well-documented subject; however, its ease of use makes it worth serious consideration in any (de-)provisioning process.

 

Automated de-provisioning using PowerShell scripts

Centrify provides various tool sets for larger environments, where a need exists to automate both profile de-provisioning and the detection of orphaned profiles.

To automate this on Windows, Centrify provides the DirectControl PowerShell module, which is included on the installation media for the Centrify Server Suite consoles and is an optional component during installation of DirectManage.

 

Centrify user profiles can be de-provisioned, prior to deletion of the user object, with the following PowerShell code that leverages cmdlets included with the DirectControl PowerShell module:

Import-Module Centrify.DirectControl.PowerShell
Import-Module ActiveDirectory

# Identity of the user to de-provision, in a format accepted by Get-CdmUserProfile
# (here sAMAccountName@FullyQualifiedADDomainName)
$User_SAM_ToRemove = "alain.deloin@contoso.com"

# Collect every zone profile of this user into an ArrayList; the cast also works when
# the cmdlet returns a single profile, and yields $null (no iterations) when it returns none
[System.Collections.ArrayList]$arrCdmUserProfiles = Get-CdmUserProfile -User $User_SAM_ToRemove

# Delete each profile that was found
foreach ($userProfile in $arrCdmUserProfiles)
{
    Remove-CdmUserProfile $userProfile
}

As you can see, this script is fairly straightforward: $User_SAM_ToRemove takes a string identifying the user to de-provision, in a format supported by Get-CdmUserProfile, for example sAMAccountName@FullyQualifiedADDomainName; alternatively, you can pass a user object retrieved with the Get-ADUser cmdlet.

 

All UNIX profiles for the specified user that are found in this domain with the Get-CdmUserProfile CMDlet are loaded into an ArrayList. Then, the Remove-CdmUserProfile CMDlet is run on each profile in the ArrayList, which will delete it.

 

Group profiles can be de-provisioned in a very similar fashion, using the respective Get-CdmGroupProfile and Remove-CdmGroupProfile CMDlets.

 

If you wish to programmatically remove Role Assignments in hierarchical Centrify Zones, things get a little more complex. Unlike the Get-CdmUserProfile and Get-CdmGroupProfile cmdlets, the Get-CdmRoleAssignment cmdlet does not merely take a user or group identity: it also needs a Zone object, Managed Computer object or Computer Role object to search in. This means that you first need to enumerate all the Zones in the Active Directory environment, together with all the Managed Computer objects and all the Computer Roles, and load the results into, for example, ArrayLists. Then each item of every list can be iterated over, and any resulting CdmRoleAssignment objects that belong to the user or group can be removed with Remove-CdmRoleAssignment.
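The enumeration just described, carried through as an added example that is not part of the original article or of the Centrify module's own documentation. It removes every role assignment made directly to one user across all zones, managed computers and computer roles of a domain, then the user's zone profiles, and it runs in report-only mode unless $DryRun is set to $false. The cmdlet names are the ones this article names; the parameter names -Domain, -Zone, -Computer and -ComputerRole, the ADTrustee/SID properties of a role assignment object, and the positional argument to Remove-CdmRoleAssignment are assumptions to be checked against Get-Help for each cmdlet in your module version; the domain and user are the same constructed values the article uses.

```powershell
Import-Module Centrify.DirectControl.PowerShell
Import-Module ActiveDirectory

$Domain   = "contoso.com"      # assumed domain, as used elsewhere in this article
$Identity = "alain.deloin"     # sAMAccountName of the user to de-provision
$DryRun   = $true              # $true: report only; $false: actually delete

# Resolve the user once and work with its SID: zone data references the SID, so matching
# on SID cannot be fooled by a display name or by an account that was renamed.
$adUser = Get-ADUser -Identity $Identity -Server $Domain
$sid    = $adUser.SID.Value

function Get-AssignmentTrusteeSid {
    # Assumption: a CdmRoleAssignment exposes its AD principal as ADTrustee and that
    # object carries the SID in a property named SID (null for local UNIX trustees).
    param($Assignment)
    if ($null -eq $Assignment.ADTrustee) { return $null }
    return [string]$Assignment.ADTrustee.SID
}

# Enumerate every container that can hold role assignments: each zone, each managed
# computer (computer-level override) and each computer role inside that zone.
# Assumed parameter names: Get-CdmZone -Domain, Get-CdmManagedComputer -Zone,
# Get-CdmComputerRole -Zone and Get-CdmRoleAssignment -Zone / -Computer / -ComputerRole.
$assignments = @()
foreach ($zone in @(Get-CdmZone -Domain $Domain)) {
    $assignments += @(Get-CdmRoleAssignment -Zone $zone)
    foreach ($computer in @(Get-CdmManagedComputer -Zone $zone)) {
        $assignments += @(Get-CdmRoleAssignment -Computer $computer)
    }
    foreach ($computerRole in @(Get-CdmComputerRole -Zone $zone)) {
        $assignments += @(Get-CdmRoleAssignment -ComputerRole $computerRole)
    }
}

# Keep only the assignments made directly to this user. Assignments the user holds
# through AD group membership belong to the group object and must stay.
$direct = @($assignments | Where-Object { (Get-AssignmentTrusteeSid $_) -eq $sid })

Write-Host ("Found {0} direct role assignment(s) for {1}" -f $direct.Count, $adUser.UserPrincipalName)
foreach ($assignment in $direct) {
    if ($DryRun) {
        Write-Host "  would remove role assignment:"
        Write-Host ($assignment | Out-String)
    } else {
        Remove-CdmRoleAssignment $assignment   # assumed: assignment object passed positionally
    }
}

# Finally the zone profiles themselves, as in the snippet above; a Get-ADUser object is
# accepted by Get-CdmUserProfile according to this article.
$profiles = @(Get-CdmUserProfile -User $adUser)
Write-Host ("Found {0} zone profile(s) for {1}" -f $profiles.Count, $adUser.UserPrincipalName)
foreach ($profile in $profiles) {
    if ($DryRun) {
        Write-Host "  would remove profile:"
        Write-Host ($profile | Out-String)
    } else {
        Remove-CdmUserProfile $profile
    }
}
```

Run it once with $DryRun left at $true and compare the report against the Role Assignments view of the Centrify Profile tab in ADUC before flipping the switch; if the report is empty for a user who is known to have assignments, the assumed property or parameter names do not match your module version and should be corrected before anything is deleted. The script covers one domain; in a multi-domain forest, wrap the zone enumeration in a loop over the domains that contain zones.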

 

Automated de-provisioning using ADEdit scripts

While de-provisioning Active Directory objects may seem more at home in a Windows environment, it is by no means impossible from a *NIX platform. The following snippet shows the general approach for removing the profile of the user with sAMAccountName alain.deloin (a user object in the Active Directory domain contoso.com) from the zone named Global in the same domain, using Centrify's Tcl-based ADEdit tool.

 

#!/bin/env adedit
package require ade_lib

# Remove the profile of user_upn from the zone identified by zone_dn, if one exists
proc remove_user { zone_dn user_upn } {
    select_zone $zone_dn
    if { [catch {select_zone_user $user_upn}] } {
        # do nothing - user does not have a profile in this zone
        puts "no profile for $user_upn in $zone_dn"
    } else {
        # user has a profile in the zone - remove it
        delete_zone_user
        puts "removed profile for $user_upn from $zone_dn"
    }
}

# Main program variables
set domain  contoso.com
set zoneDN  "CN=Global,CN=Zones,OU=Centrify,DC=contoso,DC=com"
set userUPN "alain.deloin@contoso.com"

# Main program: bind to the domain with the current Kerberos credentials,
# then run the removal against the single zone
bind $domain
remove_user $zoneDN $userUPN

 

The above snippet shows what to do for a single Centrify Zone, Managed Computer object or Computer Role (all three are treated as zones by ADEdit, so each is selected with select_zone using its distinguished name). In a production environment, you would enumerate all of the Zones, Managed Computer objects and Computer Roles in the Active Directory environment and call the remove_user procedure for each of them, passing the identity of the user to de-provision each time.

 

Group profiles and Role Assignments can be de-provisioned in a similar fashion, using the select_zone_group and delete_zone_group commands for group profiles, and the select_role_assignment and delete_role_assignment commands for Role Assignments.

 

Conclusion

While the various profile de-provisioning methods have been detailed above, there is no guarantee that one of them was followed every time a user or group object with a UNIX profile was deleted from Active Directory.

For example, a user may have been deleted from a console that does not have the Centrify Profile property page extension installed, or someone may have scripted a mass-pruning of objects without taking the de-provisioning of the related Centrify Zone objects into account.

As a result, after Centrify has been deployed in a production environment for some time, chances are that some of the de-provisioned Active Directory users and groups have left their UNIX profiles behind in Centrify Zones; these profiles have in effect become orphaned.

 

In Part 2 of the series we'll look at how to deal with these orphaned objects.

 
