Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2721: Insufficient access rights given when creating computer roles, though all rights granted in "delegate zone control" wizard.

Authentication Service ,  

7 March,17 at 05:55 PM

Applies to: Centrify DirectControl Console version 5.0.x on Windows

Problem:
An insufficient access rights error is shown when creating a computer role even though the account has been granted all rights in the "delegate zone control" wizard.

Cause:
This is intended behaviour and the reason is similar to why "delegate zone control" cannot delegate the permissions to create zones.

If a user is granted to have the "create msDS-AzScopeName" permission, the account will be the owner of the msDS-AzScopeName object. The owner can then grant itself permission to "create container" under that msDS-AzScopeName, regardless of whatever deny permissions were set in the ancestor containers. 
 
If the user creates a container under msDS-AzScopeName, they can then make themselves have permission to "create AD user". Creating an AD user on AD is an important privilege and should not be easily granted to anybody. This is why DirectControl Console does not allow delegation to create zones and delegation to create computer roles.

Resolution:
- Precreate the computer role with a Domain Admin account.

Or:

** If there is no concern for the security issue mentioned in the Cause **
1. Grant User/Group "create msDS-AzScope objects" right for the msDS-AzApplication object ONLY under the corresponding zone's authorization container.

User-added image

2. Grant User/Group "create msDS-AzRole objects" right for the msDS-AzScope object under the corresponding zone's authorization container.

























3. Grant User/Group the PROPERTIES permission "write msDS-TasksForAzRole" for msDS-AzRole object under the corresponding zone's authorization container.


 

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient article[How To] Setup Centrify PIM for Google Compute Engine Linux VM Instances articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? article[DevOps] Creating a Kerberos Keytab to Automate DirectControl Active Directory joins & removals article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I