KB-7048: Configuring a Privileged Role to Access a Resource on the Domain Controller

24 June, 16 at 07:05 PM

Applies to:
Centrify DirectControl Suite 2016 (CDC 5.3.0) and higher on all Windows platforms

This article describes how to configure and use Windows Right Definitions and Role Assignments so that a Windows user can run the ADUC (Active Directory Users and Computers) snap-in and make modifications under an elevated role.

In this example, the user Donald will be configured to run ADUC with an elevated privilege that allows him to enable and disable user accounts in the Organizational Unit named "TestUsers". The elevated privilege carries the access of the AD group "cfyA_CentrifyAdministrators". Donald is not a member of this group in AD, but when he runs with this privilege he effectively becomes a member of the group for the duration of the command. The same procedure can be used for other resources on the Domain Controller, such as the Group Policy Editor (gpedit.exe).
1) Install the Centrify Windows Agent on the Domain Controller.
Why this is a requirement: in this example, the data being modified is in Active Directory, and the Domain Controller is the gatekeeper for AD data. The Centrify Agent is needed to vouch for the user accessing the data and to convince the DC that the user has the right to use the group privilege. Because the Agent is installed on the DC by a domain administrator, it is viewed as having the authority to assure the DC that the incoming user has the right to access the ADUC resource.
To install the Agent, run the Centrify Server Suite autorun.exe, pick Centrify Windows Agent and follow the prompts.

2) Join the Domain Controller to the same zone as the Windows machine (the DC can actually be in a different zone, but in this example, the DC will be in the same zone for simplicity).
3) In Access Manager, define the Network Access right. In this example the Right is named "ADUC Network Access".
In the Access tab, select Connect remotely to the computer as "Self with added group privileges" and add cfyA_CentrifyAdministrators as the group.
4) Create the Role Definition. The Role Definition in this example is Role_Windows_ADUC.
5) Assign the Role.
6) Ensure the resource in ADUC has security settings that allow the privileged group (or user) named in the Windows Right Definition to modify the resource. In this example, cfyA_CentrifyAdministrators needs rights on the TestUsers Organizational Unit in AD.
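The delegation in step 6 is normally set in the ADUC security dialog; it can also be applied and verified from PowerShell on the DC. This is an added example, not from the article or from Centrify: it assumes the ActiveDirectory module is available, uses a placeholder domain DN, and assumes Donald's account name is Donald; the OU and group names are the article's.

```powershell
# Added example (not Centrify's code): delegate enable/disable of user accounts in the
# TestUsers OU to cfyA_CentrifyAdministrators, then verify the ACE and Donald's membership.
# Assumes the ActiveDirectory module on the DC; the domain DN below is a placeholder.
Import-Module ActiveDirectory

$ouDN      = "OU=TestUsers,DC=example,DC=local"    # placeholder domain, adjust to yours
$groupName = "cfyA_CentrifyAdministrators"
$group     = Get-ADGroup -Identity $groupName
$sid       = $group.SID

# Enabling or disabling an account is a write to the userAccountControl attribute, so the
# ACE is scoped to that single attribute on descendant user objects, nothing broader.
$schemaNC = (Get-ADRootDSE).SchemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" `
                        -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$uacGuid  = Get-SchemaGuid "userAccountControl"
$userGuid = Get-SchemaGuid "user"

$acl = Get-Acl -Path "AD:\$ouDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the ACEs on the OU granted to the group (ObjectType should be the
# userAccountControl GUID and InheritedObjectType the user class GUID).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize

# Verify: Donald should not be a direct or nested member of the group in AD; he only
# gains its access through the Centrify role at run time. Expected: nothing returned.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.SamAccountName -eq "Donald" }
```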

7) Test the role on the client Windows machine. Log in to the Windows client machine as Donald, right-click the ADUC application and pick Run with Privilege.

If more than one role is assigned to Donald, the desired role needs to be selected: select Role_Windows_ADUC and click OK.
The application launches and Donald is able to make changes, such as enabling or disabling accounts, to the users in the TestUsers OU.