KB-0250: UID/GID does not increment for users with delegated permissions
Applies to: Centrify DirectControl 2.1.x, 3.0.x
Problem: The UID/GID does not increment even though the AD user has been given rights to Add/Modify/Remove users and groups in a zone through the Centrify Admin Console.
Cause: The "Add/Modify/Remove users and groups" delegation task covers strictly adding, removing, and modifying users and groups. The UID/GID information, however, is stored in the "Description" attribute of the zone, and delegating this task does not give the user permission to edit that attribute. As a result, the UID/GID does not increment automatically.
Workaround: There are two ways to approach the above problem.
One: While running the delegation wizard and giving an AD user permissions to Add/Modify/Remove users, check the checkbox for the "Change Zone Properties" task. This gives the AD user enough permissions to modify values in the "Description" attribute of the zone. In most cases, however, administrators do not want to delegate "Change Zone Properties" to an AD user. In that case, use the steps in workaround Two.
Two:
1. Using ADSIEdit, navigate to the zone container.
2. Select "Properties" on the container.
3. Go to the "Security" tab.
4. Click "Add" and select the user. By default, Read permissions will be enabled for this user.
5. Click on the "Advanced" tab, find the user in the permission entries, and click the "Edit" button.
6. Navigate to the "Properties" tab and look for the permission "Write Description". Enable this permission and click "OK" on all open screens.
This grants permission to change only the one zone property where Centrify stores the GID and UID information.
Solution: This will be fixed in later versions of Centrify DirectControl.
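The same least-privilege grant as workaround Two can be scripted and then audited. The following PowerShell is an added example, not Centrify's own tooling: it assumes the Microsoft ActiveDirectory module is available, and the zone DN and account name are hypothetical placeholders to replace.

```powershell
# Added example: allow one delegate to write only the "description"
# attribute on a zone container, then list that delegate's ACEs for review.
Import-Module ActiveDirectory

# Hypothetical placeholders; substitute your own zone container and account.
$ZoneDN   = 'CN=<zone-name>,<zones-container-path>,DC=example,DC=com'
$Delegate = 'EXAMPLE\<delegated-user>'

# Read the attribute's schemaIDGUID from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=description)' `
                -Properties schemaIDGUID
$descGuid = [guid]$attr.schemaIDGUID

# Resolve the delegate to a SID so the ACE does not depend on name format.
$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
            [System.Security.Principal.SecurityIdentifier])

# WriteProperty scoped to the description attribute, on this object only
# (no inheritance to child objects). Read access is not added here.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $descGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$path = "AD:\$ZoneDN"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Audit: show every explicit ACE the delegate holds on the zone container.
# DescriptionOnly is False for any write ACE not scoped to "description".
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
(Get-Acl -Path $path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
        @{ Name = 'DescriptionOnly'
           Expression = { ($_.ActiveDirectoryRights -band $write) -eq 0 -or
                          $_.ObjectType -eq $descGuid } }
```

Running only the audit portion against existing zones shows whether a delegate was previously given broader write access than the single attribute this workaround requires.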