Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2209: ADUser with All delegation rights on a zone cannot perform delegation

Authentication Service ,   Mac & PC Management Service ,  

4 October,16 at 03:58 PM

Problem:

AD User doesn't have the ability to delegate zone control to any users, even though user has been given ‘All’ rights on a zone through Centrify Admin Console.

You may receive the following error message: 
Set security descriptor failed: Access is denied​


Cause:

The "All" task in the delegation means all of the listed permissions, not full control of the zone.


Resolution:

To allow an AD User to delegate permissions of a zone, the "modify permission" on the zone and child objects must be granted. The permission can be granted by using ADSIEdit.

Below are the steps to grant the above permission:

1. Using ADSIEdit, navigate to the OU where Centrify zones container is present.
2. Right click on the zone needing the above permissions and choose "Properties".
3. Click "Security" tab -> "Advanced" button -> "Add" button, choose the appropriate user.
4. On the "Object" tab -> Choose "This object and all child objects" for 'Apply onto' -> Select 'Allow' for "Modify Permissions"
5. Click “OK” on all the open screens.
6. In the command prompt window, run the command “gpupdate /force”

AD User should now be able to delegate permissions on the zone.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-5180: Does PowerShell module support with DirectControl in classic zones? articleKB-3445: How to remove/revoke a user from Zone Delegation articleKB-2721: Insufficient access rights given when creating computer roles, though all rights granted in "delegate zone control" wizard.