KB-0250: UID/GID does not increment for users with delegated permissions

Centrify DirectControl

15 January,16 at 05:18 PM

Applies to: Centrify DirectControl 2.1.x, 3.0.x

UID/GID doesn't increment even though an AD user has been given rights to Add/Modify/Remove users and groups in a zone through the Centrify Admin Console.

The Add/Modify/Remove users and groups task in the delegation covers strictly adding, removing, and modifying users and groups.
However, UID/GID information is stored in the "Description" attribute of a zone, and delegating Add/Modify/Remove users and groups does not give the user permission to edit this attribute, so UID/GID doesn't increment automatically.

There are two ways to approach the above problem.

Solution one: While running the delegation wizard and giving an AD user permissions to Add/Modify/Remove users, check the checkbox for the "Change Zone Properties" task.
This gives the AD user enough permissions to modify values in the "Description" attribute of a zone.
In most cases, however, administrators don't want to delegate "Change Zone Properties" to an AD user. In that case, use the steps in solution two.

Solution two:

1. Using ADSIEdit, navigate to the zone container.
2. Select 'Properties' on the container.
3. Go to the "Security" tab.
4. Click "Add" and select the user. By default, Read permissions will be enabled for this user.
5. Now click on the "Advanced" tab, find the user in the permission entries, and click the "Edit" button.
6. Navigate to the "Properties" tab and look for the permission "Write Description". Enable this permission and click "OK" on all open screens. This grants permission to change only the one zone property where Centrify stores the GID and UID information.
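
The same single-attribute grant as the ADSIEdit steps above, scripted in PowerShell and followed by a report of every allow entry that can write the attribute. This is an added example, not Centrify's code; `$ZoneDN`, `$Account` and `-AuditOnly` are placeholder names introduced here.

```powershell
# Added example (not Centrify code). $ZoneDN and $Account are placeholders you supply.
param(
    [Parameter(Mandatory = $true)][string]$ZoneDN,   # distinguished name of the zone container
    [Parameter(Mandatory = $true)][string]$Account,  # delegated user, e.g. 'EXAMPLE\zoneadmin' (constructed)
    [switch]$AuditOnly                               # report only, change nothing
)

# Read the schemaIDGUID of "description" from the schema rather than hard-coding it.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDse.psbase.Properties['schemaNamingContext'].Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNC")
$searcher.Filter = '(&(objectClass=attributeSchema)(lDAPDisplayName=description))'
[void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
$guidBytes = [byte[]]$searcher.FindOne().Properties['schemaidguid'][0]
$descGuid  = New-Object Guid (,$guidBytes)

$zone = [ADSI]"LDAP://$ZoneDN"
# Read and write only the DACL, so the commit does not try to rewrite owner or SACL.
$zone.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

if (-not $AuditOnly) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # Allow WriteProperty on "description" only, on this container only (no inheritance).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $descGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $zone.psbase.ObjectSecurity.AddAccessRule($rule)
    $zone.psbase.CommitChanges()
}

# Report allow entries that can write "description": ACEs scoped to that attribute,
# plus broader ones (empty ObjectType = all properties; GenericAll and GenericWrite
# include the WriteProperty bit). ACEs scoped to property sets are not evaluated here.
$writeBit = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$zone.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeBit) -and
        ($_.ObjectType -eq $descGuid -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Running it with `-AuditOnly` before and after the change shows whether the delegated user appears with a `WriteProperty` entry scoped to the description GUID rather than through a broader right.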

This will be fixed in later versions of Centrify DirectControl.
