Centrify DirectAuthorize on All Platforms

Question:
Does the "Create msDS-AzScope" right allow the user to create users, groups and containers inside the container where those rights have been assigned or delegated to that user?

Answer:
Yes. With the default AD schema, this right implicitly grants the user permission to create users and groups.
This is a design defect in the default AD schema.
Microsoft has provided a recommendation on how the AD schema should change in order to prevent this from happening.
Please see this Microsoft KB for more details: https://support.microsoft.com/en-us/kb/2841254 (link provided as a courtesy).
If that permission is not granted, the following features will not be available:
1) Create "Computer Roles"
2) Create override profile values at the computer level
3) Create role assignment at the computer level
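Because the right carries this implicit side effect, it is worth knowing exactly who holds it on each container where DirectAuthorize delegation was set up. The script below is an added example, not part of this KB or of Centrify's tooling: it reads the container's security descriptor and lists every "Create Child" ACE that is either specific to the msDS-AzScope class or unrestricted (any child class). The container DN is a placeholder, and the script assumes the RSAT ActiveDirectory module is installed and that the caller can read the container's ACL.

```powershell
# Added audit example (not Centrify's code). Lists who can create
# msDS-AzScope objects under a container, since with the default schema
# that right also lets them create users and groups there.
param(
    # Placeholder DN; replace with the container whose delegation you are reviewing.
    [string]$ContainerDN = 'OU=Servers,DC=example,DC=com'
)

Import-Module ActiveDirectory

# Resolve the schemaIDGUID of msDS-AzScope from the forest schema instead of
# hard-coding it, so the check works regardless of schema version.
$rootDse     = Get-ADRootDSE
$azScopeObj  = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                   -LDAPFilter '(lDAPDisplayName=msDS-AzScope)' -Properties schemaIDGUID
$azScopeGuid = [guid]$azScopeObj.schemaIDGUID

# Read the container's DACL through the AD: drive the module provides.
$acl = Get-Acl -Path ("AD:\" + $ContainerDN)

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$hits = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
    # Empty ObjectType means "create any child class"; otherwise it names one class.
    ($_.ObjectType -eq $azScopeGuid -or $_.ObjectType -eq [guid]::Empty)
}

$hits | ForEach-Object {
    [pscustomobject]@{
        Identity    = $_.IdentityReference.Value
        Scope       = if ($_.ObjectType -eq [guid]::Empty) { 'any child class' } else { 'msDS-AzScope only' }
        Inherited   = $_.IsInherited
        Inheritance = $_.InheritanceType
    }
} | Sort-Object Identity | Format-Table -AutoSize
```

Entries reported as "msDS-AzScope only" are the ones this KB is about: with the default schema they should be treated as equivalent to create-user and create-group on that container, and the grantees compared against the accounts that actually need to create Computer Roles, computer-level overrides or computer-level role assignments.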