Applies to:
Centrify DirectControl Suite 2016 (CDC 5.3.0) and higher on all Windows platforms
Question:
How to configure and use Windows Right Definitions / Role Assignments to allow a Windows User to run the ADUC (Active Directory Users and Computers) snap-in and make modifications using an elevated role.
Answer:
In this example, the user Donald will be configured to run ADUC with an elevated privilege that allows him to enable and disable user accounts in the Organizational Unit named "TestUsers". The elevated privilege carries the access of the AD group "cfyA_CentrifyAdministrators". Donald is not a member of this group in AD, but when he runs ADUC with this privilege he effectively becomes a member of the group for the duration of the command. The same procedure can be used for other resources on the Domain Controller, such as the Group Policy Editor (gpedit.exe).
1) Install the Centrify Windows Agent on the Domain controller
Why is this a requirement: In this example, the data being modified is in Active Directory, and the Domain Controller is the gatekeeper for AD data. The Centrify Agent is needed to vouch for the user accessing the data and to convince the DC that the user has the right to use the group privilege. Because Centrify is installed on the DC by a domain administrator, it is viewed as having the authority to assure that the incoming user has the right to access the ADUC resource.
To install the Agent, execute the Centrify Server Suite autorun.exe, pick Centrify Windows Agent and follow the prompts to install.
2) Join the Domain Controller to the same zone as the Windows machine (the DC can actually be in a different zone, but in this example, the DC will be in the same zone for simplicity).
3) In Access Manager, define the Network Access Right. The name of the Right in this example is "ADUC Network Access".
In the Access tab, select Connect remotely to the computer as "Self with added group privileges" and add cfyA_CentrifyAdministrators as the group.
4) Create the Role Definition. The Role Definition in this example is Role_Windows_ADUC.
5) Assign the Role.
6) Ensure the resource in ADUC has the security settings to allow the privileged Group (or User) from the Windows Right Definition to modify the resource. In this example, cfyA_CentrifyAdministrators needs to have rights to the TestUsers Organizational Unit in AD.
7) Test the role on the client Windows machine. Log in to the Windows client machine as Donald. Right-click the ADUC application and pick Run with Privilege.
If more than one role is assigned to Donald, the desired role needs to be selected. Select Role_Windows_ADUC and then click OK.
The application launches and Donald is able to make changes to the users in the TestUsers OU. For example:
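Step 6 is where a Run with Privilege test most often fails, since the elevated role only adds the group membership and the OU's own ACL still decides what that group may change. The following PowerShell check is an added example, not part of the Centrify article; it assumes the RSAT ActiveDirectory module on the machine where it runs, and "DC=example,DC=com" is a placeholder for the real domain DN. It reads the TestUsers OU's ACL, confirms that cfyA_CentrifyAdministrators can write userAccountControl (the attribute that enabling or disabling an account changes), and flags a GenericAll grant as broader than the task needs.

```powershell
# Added example (not from the Centrify article): verify the OU delegation from step 6.
# Assumes the RSAT ActiveDirectory module; DC=example,DC=com is a placeholder domain DN.
Import-Module ActiveDirectory

$GroupName = 'cfyA_CentrifyAdministrators'
$OuDn      = 'OU=TestUsers,DC=example,DC=com'   # placeholder: substitute the real OU DN

# Enabling/disabling an account writes the userAccountControl attribute, so resolve
# that attribute's schemaIDGUID from the schema instead of hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$uacGuid  = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=userAccountControl)' `
    -Properties schemaIDGUID).schemaIDGUID

# Read the OU's security descriptor through the AD: drive the module provides.
$acl   = Get-Acl -Path "AD:\$OuDn"
$rules = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$GroupName" -and $_.AccessControlType -eq 'Allow'
}

if (-not $rules) {
    Write-Warning "$GroupName has no Allow ACEs on $OuDn; ADUC will launch but edits will fail."
    return
}

# Show every ACE so inherited or over-broad grants are visible at a glance.
$rules | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
    InheritedObjectType, InheritanceType | Format-Table -AutoSize

# Minimum for the walkthrough: WriteProperty on userAccountControl, or a grant
# covering all properties (ObjectType = empty GUID), which also includes it.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$canToggle = $rules | Where-Object {
    (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
    ($_.ObjectType -eq $uacGuid -or $_.ObjectType -eq [guid]::Empty)
}
if ($canToggle) { Write-Host "OK: $GroupName can write userAccountControl under $OuDn" }
else { Write-Warning "$GroupName cannot write userAccountControl; enable/disable will fail" }

# Least privilege: GenericAll on the OU is far more than enable/disable requires.
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
if ($rules | Where-Object { $_.ActiveDirectoryRights.HasFlag($genericAll) }) {
    Write-Warning "$GroupName holds GenericAll on $OuDn; consider narrowing the delegation."
}
```

Run it as an account that can read the OU's security descriptor (reading is enough; it changes nothing), before handing the role to Donald.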