KB-2209: ADUser with All delegation rights on a zone cannot perform delegation

Authentication Service, Mac & PC Management Service

4 October,16 at 03:58 PM


An AD user cannot delegate zone control to any users, even though the user has been given 'All' rights on the zone through the Centrify Admin Console.

You may receive the following error message:
Set security descriptor failed: Access is denied


The "All" task in the delegation means all of the listed permissions, not full control of the zone.


To allow an AD user to delegate permissions on a zone, the "Modify Permissions" permission must be granted on the zone and its child objects. The permission can be granted by using ADSIEdit.

Below are the steps to grant the above permission:

1. Using ADSIEdit, navigate to the OU where the Centrify zones container is located.
2. Right-click the zone that needs the above permission and choose "Properties".
3. Click the "Security" tab -> "Advanced" button -> "Add" button, and choose the appropriate user.
4. On the "Object" tab -> choose "This object and all child objects" for 'Apply onto' -> select 'Allow' for "Modify Permissions".
5. Click "OK" on all the open screens.
6. In a Command Prompt window, run the command "gpupdate /force".

The AD user should now be able to delegate permissions on the zone.
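A scripted equivalent of steps 1 to 5, followed by a check of who holds the right afterwards. This is an added example, not part of the original article or Centrify's tooling. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the zone distinguished name and the account name are placeholders.

```powershell
# Added example. $zoneDn and $account are placeholders, not values from the article.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

$zoneDn  = 'CN=ExampleZone,CN=Zones,OU=Centrify,DC=example,DC=com'   # placeholder
$account = 'EXAMPLE\zone-delegator'                                   # placeholder

# Resolve the account to a SID so the ACE does not depend on name lookups later.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# WriteDacl is the right the ACL editor shows as "Modify Permissions".
# Inheritance 'All' matches "This object and all child objects".
$writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $writeDacl,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Read the zone's current DACL, append the new ACE, and write it back.
$path = "AD:\$zoneDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review every identity that can now modify permissions on the zone.
# Holders of Full Control appear too, because GenericAll includes WriteDacl.
(Get-Acl -Path $path).Access |
    Where-Object { ($_.ActiveDirectoryRights -band $writeDacl) -eq $writeDacl } |
    Select-Object IdentityReference, AccessControlType,
                  ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

An account with "Modify Permissions" can grant itself or others any further right on the zone, so the final listing is worth reviewing after the change and periodically thereafter.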