Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7048: Configuring a Privileged Role to Access a Resource on the Domain Controller

24 June,16 at 07:05 PM

Applies to:
 
Centrify DirectControl Suite 2016 (CDC 5.3.0) and higher on all Windows platforms

Question:
 
How to configure and use Windows Right Definitions / Role Assignments to allow a Windows User to run the ADUC (Active Directory Users and Computers) snap-in and make modifications using an elevated role.


Answer:
 
In this example, the user Donald, will be configured to run ADUC using an elevated privilege to allow him to enable and disable user accounts in the ADUC Organization Unit named "TestUsers".  The elevated privilege will have the access of the AD Group "cfyA_CentrifyAdministrators". Donald is not a member of this group in AD, but when he runs as with this privilege he will essentially become a member of the group for the duration of the command. The same procedure can be used for other resources on the Domain Controller such as the Group Policy Editor (gpedit.exe).
  
1) Install the Centrify Windows Agent on the Domain controller
  
Why is this a requirement:  In this example, the data being modified is in Active Directory.  The Domain Controller is the gate keeper for AD data.  The Centrify Agent is needed to vouch for the user accessing the data and convince the DC that the user has the right to use the group privilege. Because Centrify is installed on the DC by a domain administrator, it is viewed as having authority to assure that the incoming user has the right to access the ADUC resource.
 
To install the Agent, execute the Centrify Server Suite autorun.exe, pick Centrify Windows Agent and follow the prompts to install.
  

User-added image
   
   
2) Join the Domain Controller to the same zone as the Windows machine (the DC can actually be in a different zone, but in this example, the DC will be in the same zone for simplicity).
  
  
3) In Access Manager, define the Network Access.  The name of the Right is "ADUC Network Access".
  
User-added image
  
  
In the Access tab, select  Connect remotely to the computer as "Self with added group privileges" and add cfyA_CentrifyAdministrators as the group.
  
User-added image
  
  
4) Create the Role Definition.  The Role definition in this example is Role_Windows_ADUC
   
User-added image
    
 
5) Assign the Role.
  
User-added image
  
  
  
6) Ensure the resource in ADUC has the security settings to allow the privileged Group (or User) from the Windows Right Definition, to modify the resource.  In this example, cfyA_CentrifyAdministrators needs to have rights to the TestUsers Organizations Unit in AD.
  
User-added image
  
  

7) Test the role on the client Windows machine. Login to the Windows client machine as Donald. Right click on the ADUC application and pick Run with Privilege
   
User-added image
   
  

If more than one role is assigned to Donald, the desired role needs to be selected. Select Role_Windows_ADUC and then click on OK
  
User-added image
  
  
The application launches and Donald is able to make changes to the users in the TestUsers OU.  For example:
  
User-added image

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-3925: How to add Centrify parameter to a group policy articleKB-7066: Configuring Centrify Report Services for Large Active Directory Environments