
KB-1169: Incorrect operatingSystemVersion attribute on Computer object

Auditing and Monitoring Service, Authentication Service, Mac & PC Management Service

12 April,16 at 11:21 AM

Applies to: Centrify DirectControl versions 4.2 and above.
The Operating System field for computer objects is updated incorrectly.
For example, an HP machine shows HP-UX [6.0] instead of HP-UX [B.11.11].
The following warnings may also be seen in the logs:
adclient[5230]: WARN <bg:updateOS> ase.bind.cache LDAP update: threw unexpected exception: ldap_result2error ldap_mdify_ext CN=rhel3,CN=Computers,CN=default,CN=Zones,CN=DirectControl,OU=countries,DC=continents,DC=com : Insufficient access : 00002098: SecErr: DSID-0310646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Starting in DirectControl 4.2, Centrify uses a Microsoft RPC mechanism to create/update the computer object, which forces the value to be either 5 or 6.
After the RPC call is made, LDAP is used to update the value to what it should be. If the permissions are not correct, adclient fails to make this LDAP update and the wrong value remains, for example HP-UX [6.0] instead of HP-UX [B.11.11].

Depending on the environment, there are two methods:
Method 1:
If the computers are placed under the default "Computers" container:
  1. Open up the Centrify DirectControl Administrator Console / DirectManage Access Manager.
  2. Right-click the Centrify DirectControl / DirectManage Access Manager node and select "Setup Wizard..."
  3. Follow the wizard to the "Delegate Permissions" screen and select the checkbox for "Grant computer accounts in the Computers container permission to update their own account information".
  4. Allow AD replication to occur, then restart the agents using the command:
    sudo /usr/share/centrifydc/bin/centrifydc restart
Method 2:
If the computers are placed in non-default OUs or Containers:
  1. Using Microsoft ADSI Edit, navigate to the OU/Container where computers are located.
  2. Right-click > select Properties > "Security" tab > "Advanced" button > "Add" button > type "SELF" as shown below > click OK.
    User-added image
  3. Go to the "Properties" tab and, under "Apply onto:", select "Computer objects" (or "Descendant Computer objects").
  4. Allow the permissions shown below and click OK.
    User-added image
  5. Allow AD replication to occur, then restart the agents with:
    sudo /usr/share/centrifydc/bin/centrifydc restart
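
To see which containers still need the delegation (and to confirm the warnings stop after the restart), the following added example, which is not Centrify code, pulls the computer DNs out of the bg:updateOS warning shown above and groups them by parent container. It assumes one log record per line in the format quoted in this article; the function names, the hpux1 and sol10 hosts and the "Unix Servers" OU are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centrify code). Function names are hypothetical.

# Print the DN of every computer object named in a <bg:updateOS>
# INSUFF_ACCESS_RIGHTS warning read from stdin (one log record per line).
failed_os_update_dns() {
    grep -F '<bg:updateOS>' | grep -F 'INSUFF_ACCESS_RIGHTS' |
    sed -nE 's/.*ldap_result2error [^ ]+ (.*[^ ]) +: Insufficient access.*/\1/p' |
    sort -u
}

# Drop the leading RDN of each DN (an escaped "\," stays inside the RDN) and
# print "<count><TAB><container>" with the most affected container first.
parent_containers() {
    sed -E 's/^([^,\\]|\\.)*,//' | sort | uniq -c | sort -rn |
    awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# Constructed sample input: the first record is the warning quoted in this
# article (repeated once); the hpux1, sol10 and sshd records are invented.
sample_log() {
    cat <<'EOF'
adclient[5230]: WARN <bg:updateOS> ase.bind.cache LDAP update: threw unexpected exception: ldap_result2error ldap_mdify_ext CN=rhel3,CN=Computers,CN=default,CN=Zones,CN=DirectControl,OU=countries,DC=continents,DC=com : Insufficient access : 00002098: SecErr: DSID-0310646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
adclient[5230]: WARN <bg:updateOS> ase.bind.cache LDAP update: threw unexpected exception: ldap_result2error ldap_mdify_ext CN=rhel3,CN=Computers,CN=default,CN=Zones,CN=DirectControl,OU=countries,DC=continents,DC=com : Insufficient access : 00002098: SecErr: DSID-0310646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
adclient[4102]: WARN <bg:updateOS> ase.bind.cache LDAP update: threw unexpected exception: ldap_result2error ldap_mdify_ext CN=hpux1,CN=Computers,CN=default,CN=Zones,CN=DirectControl,OU=countries,DC=continents,DC=com : Insufficient access : 00002098: SecErr: DSID-0310646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
adclient[977]: WARN <bg:updateOS> ase.bind.cache LDAP update: threw unexpected exception: ldap_result2error ldap_mdify_ext CN=sol10,OU=Unix Servers,DC=continents,DC=com : Insufficient access : 00002098: SecErr: DSID-0310646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
sshd[811]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
}

# Demo run on the sample; for real use, feed your collected adclient log
# lines to failed_os_update_dns on stdin instead of sample_log.
sample_log | failed_os_update_dns | parent_containers
```

A container that still appears after AD replication and an agent restart has not received the SELF permission described in Method 1 or Method 2.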