Centrify DirectControl, Centrify Identity Service, Mac Edition
Centrify Infrastructure Services
KB-2209: ADUser with All delegation rights on a zone cannot perform delegation
An AD user is unable to delegate zone control to other users, even though the user has been given 'All' rights on the zone through the Centrify Admin Console.
You may receive the following error message:
Set security descriptor failed: Access is denied
The "All" task in the delegation means all of the listed permissions, not full control of the zone.
To allow an AD User to delegate permissions of a zone, the "modify permission" on the zone and child objects must be granted. The permission can be granted by using ADSIEdit.
Below are the steps to grant the above permission:
1. Using ADSIEdit, navigate to the OU where the Centrify zones container is present.
2. Right-click the zone needing the above permission and choose "Properties".
3. Click the "Security" tab -> "Advanced" button -> "Add" button, then choose the appropriate user.
4. On the "Object" tab, choose "This object and all child objects" for 'Apply onto' and select 'Allow' for "Modify Permissions".
5. Click "OK" on all the open screens.
6. In a command prompt window, run the command "gpupdate /force".
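The same ACE can be granted from PowerShell instead of ADSIEdit. The script below is an added example, not part of this KB or Centrify's own tooling; it assumes the ActiveDirectory module (RSAT) is installed, and the zone DN and account name are placeholders to replace with your own.

```powershell
# Added example (not from the KB): grants the "Modify Permissions" (WRITE_DAC)
# right on a Centrify zone object and all of its child objects, the same ACE the
# ADSIEdit steps above create. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$zoneDn  = "CN=ExampleZone,CN=Zones,OU=Centrify,DC=example,DC=com"  # placeholder DN
$account = "EXAMPLE\zoneadmin"                                      # placeholder account

# Resolve the account to its SID so the ACE is bound to the principal, not a name
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# "Modify Permissions" in the GUI is the WriteDacl right; "This object and all
# child objects" is the ActiveDirectorySecurityInheritance.All scope.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
           [System.Security.AccessControl.AccessControlType]::Allow,
           [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Read the zone's current ACL from the AD: drive, append the ACE, and write it back
$acl = Get-Acl -Path "AD:\$zoneDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Verify: list every Allow entry carrying WriteDacl on the zone, so the change
# (and any pre-existing holders of this right) can be reviewed and audited
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl' -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

WriteDacl on the zone lets the holder change the zone's permissions themselves, so the verification listing at the end is worth keeping in change records.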
The AD user should now be able to delegate permissions on the zone.