Deployment Manager uses the AD users' own credentials as the encryption key.
When you enter account information in Deployment Manager, the user name and password are securely stored in the Deployment Manager repository and are available only to the user who creates them. In addition, all passwords in the repository are encrypted with the access token of the currently logged-on Windows user. Therefore, even if other users have access to the Deployment Manager repository, they cannot decrypt stored passwords because they do not have access to the Windows user account and password used to encrypt the information. Decrypting a stored password requires the user who created the password in Deployment Manager to log on and access the database from the same computer used when the password was encrypted.
The idea behind Deployment Manager is automation.
To automate tasks across hundreds of systems, the stored credentials are used to connect to those systems and perform privileged operations, such as installing Centrify's software and managing local accounts.
Otherwise, the application would have to prompt the user for a password every time a connection or privileged operation is performed.