Centrify DirectControl, Centrify Identity Service, Mac Edition, Centrify DirectAudit
KB-0249: ADUser with All delegation rights on a zone cannot perform delegation
All supported Centrify DirectControl versions.
An AD user cannot delegate zone control to other users, even though the user has been given the 'All' task on the zone through the Centrify Admin Console. You may receive the following error message: Set security descriptor failed: Access is denied
The "All" task in the delegation wizard grants every listed zone task; it is not Full Control of the zone object in Active Directory.
To allow an AD user to delegate permissions on a zone, the "Modify Permissions" right must be granted on the zone object and its child objects. This permission can be granted using ADSIEdit.
Below are the steps to grant the above permission:
1. Using ADSIEdit, navigate to the OU where the Centrify Zones container is located.
2. Right-click the zone needing the above permission and choose "Properties".
3. Click the "Security" tab -> "Advanced" button -> "Add" button, then choose the appropriate user.
4. On the "Object" tab, choose "This object and all child objects" for 'Apply onto' and select 'Allow' for "Modify Permissions".
5. Click "OK" on all the open screens.
6. In a command prompt window, run the command "gpupdate /force".
The AD user should now be able to delegate permissions on the zone.
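The same change can be made and audited from PowerShell. The following is an added example, not Centrify's own tooling: it lists which principals already hold "Modify Permissions" (the ActiveDirectoryRights WriteDacl bit) on the zone object, then adds an Allow WriteDacl entry inherited by all child objects. It assumes the RSAT ActiveDirectory module is installed, that the caller is already allowed to change the zone's ACL, and that $ZoneDN and $Delegate are placeholders to replace with your own values.

```powershell
# Added example (not Centrify code). Assumptions: ActiveDirectory module present,
# caller may edit the zone ACL, $ZoneDN and $Delegate are placeholders.
Import-Module ActiveDirectory

$ZoneDN   = 'CN=Zone1,CN=Zones,OU=Centrify,DC=example,DC=com'   # placeholder zone DN
$Delegate = 'EXAMPLE\zoneadmin'                                  # placeholder AD user

# Audit: who can already change the zone's ACL? Useful before and after the change,
# and for spotting unexpected holders of this powerful right (GenericAll includes it).
function Get-ZoneWriteDaclHolders {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# Grant "Modify Permissions" (WriteDacl) on the zone and all child objects,
# equivalent to the ADSIEdit steps above.
function Grant-ZoneModifyPermissions {
    param([string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid,
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
               [System.Security.AccessControl.AccessControlType]::Allow,
               [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)  # "This object and all child objects"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Before: the delegate is absent from this list, which is why delegation fails
# with "Set security descriptor failed: Access is denied".
Get-ZoneWriteDaclHolders -DistinguishedName $ZoneDN | Format-Table -AutoSize

Grant-ZoneModifyPermissions -DistinguishedName $ZoneDN -Identity $Delegate

# After: the delegate appears with WriteDacl and InheritanceType All.
Get-ZoneWriteDaclHolders -DistinguishedName $ZoneDN | Format-Table -AutoSize
```

Run the audit function on its own periodically: anyone holding WriteDacl on a zone can rewrite the zone's delegation, so the holder list should match your intended zone administrators exactly.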