DirectAuthorize for Windows 3.1.0+

Question:
Can non-interactive accounts utilize DirectAuthorize for Windows?

Answer:
Yes. Although DirectAuthorize for Windows is mainly designed for interactive account use, non-interactive accounts can use DirectAuthorize for Windows by using the RunAsRole.exe CLI tool. It can be incorporated into scripts to run applications using a specified Centrify access role.
Basic syntax for the tool is the following:
runasrole /role:role[/zone] [options] application [argument]
For example, to open Computer Management under the role myrole1 in the zone myzone1:
runasrole /role:myrole1/myzone1 mmc.exe c:\windows\system32\compmgmt.msc
For more information regarding the usage of this tool, please consult the Centrify Administrator's Guide for Windows document.
Notes regarding DirectAuthorize for Windows:
1. It does not take away permissions. It grants additional permissions when requested and can grant domain-level group membership to accounts. For example, if an AD service account is a member of the local Administrators group, that account keeps the privileges of that group membership regardless of how the Centrify role is designed.
2. It cannot remove permissions from privileged accounts. For example, it cannot remove permissions from a service account that already has local administrator privileges.
3. If a task is to be run against remote hosts (e.g. to pull information from them and compile it into a report), the following criteria need to be met for the RunAsRole script to work:
a. The role used by the script has the appropriate network access right.
b. The task uses a standard Windows authentication method to connect to the remote systems.
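The following PowerShell script is an added example (it is not Centrify's code and is not taken from the Administrator's Guide) of how a non-interactive account, such as a scheduled task, can wrap RunAsRole.exe to collect data from remote hosts and compile a report, as described in the answer and in note 3. Only the /role:role/zone syntax shown above is taken from the page; the role name ReportReader, the zone CorpZone, the host names, the report directory, the assumption that runasrole.exe is on PATH, and the assumption that a non-zero exit code from the invocation indicates failure are all placeholders or assumptions for illustration.

```powershell
# Added example, not Centrify's own code. Wraps RunAsRole.exe so that a scheduled
# task running as an AD service account performs the remote collection under a
# Centrify role instead of holding the network access right permanently.
# ASSUMPTIONS (not from the page): role/zone/host/report names are placeholders,
# runasrole.exe is on PATH, and a non-zero exit code means the run failed.
param(
    [string]   $Role      = 'ReportReader',                                   # placeholder role
    [string]   $Zone      = 'CorpZone',                                       # placeholder zone
    [string[]] $Hosts     = @('srv01.example.test', 'srv02.example.test'),    # placeholder hosts
    [string]   $ReportDir = 'C:\Reports'                                      # placeholder path
)

$runAsRole = Get-Command runasrole.exe -ErrorAction SilentlyContinue
if (-not $runAsRole) {
    Write-Error 'runasrole.exe was not found on PATH (assumed location for this example).'
    exit 2
}

# The worker stage is a small PowerShell script launched by runasrole. It uses
# Invoke-Command without -Credential, so the connection uses the calling account's
# own Windows token (Kerberos or NTLM). That satisfies criterion (b): the role adds
# the network access right but does not supply a different identity.
$worker = Join-Path $env:TEMP 'collect-services.ps1'
@'
param([string]$HostList, [string]$ReportDir)
$hosts = $HostList -split ','
$rows = foreach ($h in $hosts) {
    try {
        # Report services that are not running on each host; the role only needs
        # read access, so the worker does not change anything on the target.
        Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            Get-Service | Where-Object Status -ne 'Running' | Select-Object Name, Status
        } | Select-Object PSComputerName, Name, Status
    } catch {
        # Keep the failure in the report rather than silently dropping the host.
        [pscustomobject]@{ PSComputerName = $h; Name = 'ERROR'; Status = $_.Exception.Message }
    }
}
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$rows | Export-Csv -Path (Join-Path $ReportDir 'stopped-services.csv') -NoTypeInformation
'@ | Set-Content -Path $worker -Encoding ASCII

# Run the worker under the role. With -File, arguments arrive as plain strings, so
# the host list is passed comma-separated and split again inside the worker.
& $runAsRole.Source "/role:$Role/$Zone" powershell.exe -NoProfile -File $worker `
    -HostList ($Hosts -join ',') -ReportDir $ReportDir
$rc = $LASTEXITCODE

$report = Join-Path $ReportDir 'stopped-services.csv'
if ($rc -ne 0 -or -not (Test-Path $report)) {
    # Assumption: the exit code reflects the worker's result. Either way, a missing
    # report means the role lacked the network access right or authentication failed.
    Write-Error "Collection under role $Role/$Zone failed (exit code $rc, report present: $(Test-Path $report))."
    exit 1
}
Write-Output "Report written to $report"
```

Scheduling this script as the service account's task keeps the permanent rights of that account unchanged: per notes 1 and 2, the role can only add the network access right for the duration of the run and cannot remove any local administrator membership the account already holds, so the account's standing privileges should be reviewed separately from the role design.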