
KB-7504: What does the Azman right 'create msDS-AzScope' used for zones actually allow users to do?

Centrify DirectControl

22 September,16 at 10:34 PM

Applies to:

Centrify DirectAuthorize on All Platforms


Question:

Does the 'create msDS-AzScope' right allow the user to create users, groups and containers inside the container where those rights have been assigned or delegated to that user?


Answer:


Yes, with the default AD schema, this right implicitly grants the user permission to create users and groups.

This is a design defect in the default AD schema.

Microsoft has provided a recommendation on how the AD schema should change in order to prevent this from happening.

Please see this Microsoft KB for more details.
https://support.microsoft.com/en-us/kb/2841254 (Link provided as a courtesy)

If that permission is not granted, then the following features will not be available:

1) Create "Computer Roles"
2) Create override profile values at the computer level
3) Create role assignment at the computer level
