
KB-2721: "Insufficient access rights" error when creating computer roles, even though all rights were granted in the "delegate zone control" wizard.

Authentication Service

7 March 2017 at 05:55 PM

Applies to: Centrify DirectControl Console version 5.0.x on Windows

An "insufficient access rights" error is shown when creating a computer role, even though the account has been granted every right offered by the "delegate zone control" wizard.

This is intended behaviour. The reason is the same one that prevents "delegate zone control" from delegating the permission to create zones.

If a user is granted the permission to create msDS-AzScope objects (the object class that a computer role is stored as under the zone's authorization container), the user becomes the owner of every msDS-AzScope object they create. An owner can rewrite the DACL of their own object, so they can grant themselves permission to create containers under that msDS-AzScope regardless of any deny permissions set on the ancestor containers.
Once the user has created a container under the msDS-AzScope, they can in the same way grant themselves permission to create user objects in it. Creating user accounts in Active Directory is a sensitive privilege that should not be handed out lightly. This is why DirectControl Console does not delegate the right to create zones or the right to create computer roles.

- Pre-create the computer role with a Domain Admin account; the delegated account then does not need the right to create it.


** Only if the privilege escalation described in the Cause is acceptable in your environment **
The rights can instead be granted directly in Active Directory on the corresponding zone's authorization container:

1. Grant the user or group the "Create msDS-AzScope objects" right, applied ONLY to the msDS-AzApplication object under the corresponding zone's authorization container (not to the container as a whole).

2. Grant the user or group the "Create msDS-AzRole objects" right on the msDS-AzScope object under the corresponding zone's authorization container.

3. Grant the user or group the PROPERTIES permission "Write msDS-TasksForAzRole" on the msDS-AzRole object under the corresponding zone's authorization container.
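The three steps above can be applied from PowerShell instead of the ADSI Edit or Active Directory Users and Computers security dialogs. The following is an added example, not Centrify's code or part of the original article. It uses the RSAT ActiveDirectory module and System.DirectoryServices.ActiveDirectoryAccessRule; the authorization container DN and the delegate group name are placeholders that must be replaced with your own values, and the script must be run by an account that may modify the container's DACL (for example a Domain Admin). The schema GUIDs are resolved at run time rather than hard-coded.

```powershell
# Added example (not Centrify code): delegate the rights from steps 1-3 with
# inherit-only ACEs scoped to one object class each.
# ASSUMED placeholders: $AuthzContainerDN and $Delegate must be adjusted.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$AuthzContainerDN = 'CN=Authorization,CN=engineering,CN=Zones,OU=Centrify,DC=example,DC=com'  # assumed DN
$Delegate         = 'EXAMPLE\Zone-Engineering-RoleAdmins'                                    # assumed group

# Resolve schemaIDGUID values from the schema partition, so a typo in a class or
# attribute name fails loudly instead of silently granting the wrong right.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found in $schemaNC" }
    [guid]$obj.schemaIDGUID
}

$guidAzApplication  = Get-SchemaGuid 'msDS-AzApplication'   # object class
$guidAzScope        = Get-SchemaGuid 'msDS-AzScope'         # object class (computer role)
$guidAzRole         = Get-SchemaGuid 'msDS-AzRole'          # object class
$guidTasksForAzRole = Get-SchemaGuid 'msDS-TasksForAzRole'  # attribute

$sid = ([System.Security.Principal.NTAccount]$Delegate).Translate([System.Security.Principal.SecurityIdentifier])

# Builds an Allow ACE that is inherit-only (Descendents) and applies only to child
# objects of class $InheritedObjectType. This is what "ONLY for the msDS-AzApplication
# object" in step 1 means: the right never lands on the container itself.
function New-InheritedRule {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][guid]$ObjectType,
        [Parameter(Mandatory)][guid]$InheritedObjectType
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectType)
}

$rules = @(
    # Step 1: create msDS-AzScope children, on msDS-AzApplication objects only.
    New-InheritedRule -Rights CreateChild   -ObjectType $guidAzScope        -InheritedObjectType $guidAzApplication
    # Step 2: create msDS-AzRole children, on msDS-AzScope objects only.
    New-InheritedRule -Rights CreateChild   -ObjectType $guidAzRole         -InheritedObjectType $guidAzScope
    # Step 3: write the msDS-TasksForAzRole property, on msDS-AzRole objects only.
    New-InheritedRule -Rights WriteProperty -ObjectType $guidTasksForAzRole -InheritedObjectType $guidAzRole
)

# Apply the ACEs to the zone's authorization container through the AD: PSDrive.
$path = "AD:\$AuthzContainerDN"
$acl  = Get-Acl -Path $path
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $path -AclObject $acl

# Read the DACL back and list exactly what the delegate now holds, for review.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Scoping each ACE by inherited object type is what keeps the delegation to the three rights the steps describe; granting CreateChild for msDS-AzScope on the container itself would be broader than step 1 intends. The final listing is worth keeping in a change record, because, as the Cause explains, the delegate becomes owner of any msDS-AzScope object they create and can widen their own access from there.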