
KB-6023: DirectAuthorize for Windows and non-interactive accounts

24 December,15 at 05:42 PM

Applies to
DirectAuthorize for Windows 3.1.0+

Question
Can non-interactive accounts utilize DirectAuthorize for Windows? 

Answer: 
Yes. Although DirectAuthorize for Windows is mainly designed for interactive account use, non-interactive accounts can use DirectAuthorize for Windows by using the RunAsRole.exe CLI tool. It can be incorporated into scripts to run applications using a specified Centrify access role. 

Basic syntax for the tool is the following:

    runasrole /role:role[/zone] [options] application [argument]

Sample usage:

    runasrole /role:myrole1/myzone1 mmc.exe c:\windows\system32\compmgmt.msc


 For more information regarding the usage of this tool, please consult the Centrify Administrator's Guide for Windows document.  



Notes regarding DirectAuthorize for Windows:
 
1. It does not take away permissions. It grants additional permissions when requested and can grant domain-level groups to accounts. For example, if an AD service account is in the local administrators group, the AD service account will always have that group membership privilege regardless of how the Centrify role is designed.
    
2. It cannot remove permissions from some privileged accounts. For example, it cannot remove permissions from a service account that has local administrator’s privileges.
    
3. If a task is to be run against remote hosts (e.g. pull information off them and compile it into a report), the following criteria need to be met for the RunAsRole script to work:
        a. The role being used by the script has the appropriate network access right.
        b. The task uses a standard Windows authentication method to connect to the remote system.
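
An added example, not Centrify's own code, of a PowerShell wrapper that a scheduled task or service running as a non-interactive account could call: it warns when note 1 applies (the account's token already carries local Administrators, which the role cannot take away) and then starts the application through runasrole using the syntax shown above. It assumes runasrole.exe is on PATH; the report script path is hypothetical, and the role and zone names are the article's sample values.

```powershell
# Added example: wrapper for a non-interactive account.
# Assumptions (not from the article): runasrole.exe is on PATH and the
# report script path is hypothetical. Role/zone are the article's samples.
[CmdletBinding()]
param(
    [string]$Role        = 'myrole1',
    [string]$Zone        = 'myzone1',
    [string]$Application = 'powershell.exe',
    [string[]]$Arguments = @('-NoProfile', '-File', 'C:\Scripts\Collect-Report.ps1')  # hypothetical
)

function Test-TokenHasLocalAdmin {
    # True when BUILTIN\Administrators (S-1-5-32-544) is enabled in the
    # current process token, whether granted directly or via a nested group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $adminSid  = [Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    return $principal.IsInRole($adminSid)
}

$account = [Security.Principal.WindowsIdentity]::GetCurrent().Name

# Note 1 of the article: a role only adds rights. If the account is already
# a local administrator, a narrowly designed role does not constrain it.
if (Test-TokenHasLocalAdmin) {
    Write-Warning ("$account already holds local Administrators; role '$Role' " +
                   "adds rights but cannot take that membership away.")
}

# Build the /role:role[/zone] argument in the article's syntax.
$roleArg = if ($Zone) { "/role:$Role/$Zone" } else { "/role:$Role" }

# Start the application under the requested role.
& runasrole.exe $roleArg $Application @Arguments

# Record the exit code for the task history; its meaning is not documented
# in this article, so it is logged rather than interpreted.
Write-Output "runasrole exit code for ${account}: $LASTEXITCODE"
```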

    
