
KB-0249: ADUser with All delegation rights on a zone cannot perform delegation

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

4 October,16 at 03:58 PM

Applies to:

All supported Centrify DirectControl versions. 


Problem:

An AD user cannot delegate zone control to other users, even though the user has been given 'All' rights on the zone through the Centrify Admin Console.
You may receive the following error message: Set security descriptor failed: Access is denied


Cause:

The "All" task in the delegation means all of the listed permissions, not full control of the zone.


Solution:

To allow an AD user to delegate permissions on a zone, the "Modify Permissions" permission must be granted on the zone and its child objects. The permission can be granted by using ADSIEdit.

Below are the steps to grant the above permission:

1. Using ADSIEdit, navigate to the OU where the Centrify zones container is located.
2. Right-click the zone that needs the above permission and choose "Properties".
3. Click the "Security" tab -> "Advanced" button -> "Add" button, and choose the appropriate user.
4. On the "Object" tab -> choose "This object and all child objects" for 'Apply onto' -> select 'Allow' for "Modify Permissions".
5. Click "OK" on all the open screens.
6. In a Command Prompt window, run the command "gpupdate /force".

AD User should now be able to delegate permissions on the zone.
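
The same grant can be scripted instead of clicked through in ADSIEdit. The PowerShell below is an added example, not Centrify tooling or part of the original article; it assumes the RSAT ActiveDirectory module (for the AD: drive), and the zone DN and account name are placeholders to replace with your own.

```powershell
# Added example: scripted equivalent of the ADSIEdit steps. Placeholder values are hypothetical.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

$ZoneDN   = 'CN=ExampleZone,CN=Zones,OU=Centrify,DC=example,DC=com'  # placeholder zone DN
$Delegate = 'EXAMPLE\zoneadmin'                                       # placeholder account

$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate($sidType)
$path    = "AD:\$ZoneDN"
$acl     = Get-Acl -Path $path

# WriteDacl is the right ADSIEdit displays as "Modify Permissions";
# inheritance 'All' corresponds to "This object and all child objects".
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Skip the write if an equivalent explicit ACE is already present.
$existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference -eq $sid -and
    $_.AccessControlType -eq $allow -and
    ($_.ActiveDirectoryRights -band $rights) -eq $rights -and
    $_.InheritanceType -eq $inherit
}

if ($existing) {
    Write-Output "Allow WriteDacl ACE already present for $Delegate"
} else {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $inherit)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Re-read the ACL and list the account's explicit ACEs for review.
(Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited -AutoSize

gpupdate /force   # step 6 of the procedure above
```

Run it as an account that already has permission to change the zone's security descriptor. Because "Modify Permissions" lets the holder edit the ACL of the zone and its child objects, keep the grant scoped to the specific zone and review the ACE listing the script prints.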
