After adding a machine-level override, the change is not reflected on the host.
All versions of Centrify DirectControl on all supported platforms.
A user or group added as a machine override is not applied to the machine (i.e., 'adquery' reports incomplete details or access does not work as expected).
In this scenario, the cause of the issue is that the user/group that was added as a machine override (defined in Access Manager at the computer level) was the first override added.
When an override is added to a machine for the first time, a new container is created in AD that is associated with the computer account and Centrify profile object (serviceConnectionPoint). This object is a computer zone. The LDAP query responsible for seeking this object is very resource-expensive, so it is only performed by the agent during the startup logic. Until this search is performed, the agent does not know about the new object that has become associated with it, which results in the new information not being made available to the host.
Here is an example of what the objects in AD can be expected to look like once a computer zone has been added:
    dn: CN=rhel65.alera.ath:zone,CN=Computers,CN=Legion,CN=Alera,CN=Zones,OU=Centrify,DC=alera,DC=ath
    objectClass: top
    objectClass: container
    cn: rhel65.alera.ath:zone
This behavior is expected. Please restart the 'centrifydc' service on the host. This will force the host to effectively rebuild what it knows about itself, as present in AD. This is necessary as there is now a new object created that it is associated with. Once this has been performed, the machine override should be available, as expected.
Note: This is a one-time occurrence. Once the first override has been added, the restart should not be necessary for future workflow. If you would like to introduce a deployment step to head this off, the computer zones may always be pre-created, which would render this a non-issue.
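As an added example (not Centrify's own tooling), the Python below reads an LDIF export of a zone's Computers container, such as saved ldapsearch output, and lists hosts that have a profile object but no '<host>:zone' container. These are the hosts where the first override will require an agent restart unless the computer zone is pre-created. The function names, the web01 host and the assumption that a profile's cn is the host name are illustrative.

```python
import base64

# Constructed sample export (not real data); web01 is a hypothetical host.
# Assumption: a profile's cn is the host name that prefixes "<host>:zone".
SAMPLE_LDIF = """\
dn: CN=rhel65.alera.ath,CN=Computers,CN=Legion,CN=Alera,CN=Zones,OU=Centrify,DC=alera,DC=ath
objectClass: serviceConnectionPoint
cn: rhel65.alera.ath

dn: CN=rhel65.alera.ath:zone,CN=Computers,CN=Legion,CN=Alera,CN=Zones,OU=Centr
 ify,DC=alera,DC=ath
objectClass: container
cn: rhel65.alera.ath:zone

dn: CN=web01.alera.ath,CN=Computers,CN=Legion,CN=Alera,CN=Zones,OU=Centrify,DC=alera,DC=ath
objectClass: serviceConnectionPoint
cn:: d2ViMDEuYWxlcmEuYXRo
"""

def parse_ldif(text):
    """Return entries as dicts of lowercase attribute -> list of values."""
    lines, entries = [], []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]            # unfold a continuation line
        else:
            lines.append(line)
    body = "\n".join(l for l in lines if not l.startswith("#"))  # drop comments
    for block in body.split("\n\n"):         # blank line separates entries
        entry = {}
        for line in filter(None, block.split("\n")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):        # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def hosts_missing_computer_zone(text):
    """Hosts with a profile object but no '<host>:zone' container, sorted."""
    profiles, zones = set(), set()
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        for cn in entry.get("cn", []):
            if "container" in classes and cn.lower().endswith(":zone"):
                zones.add(cn[:-len(":zone")].lower())
            elif "serviceconnectionpoint" in classes:
                profiles.add(cn.lower())
    return sorted(profiles - zones)
```

Calling hosts_missing_computer_zone() on the export before rolling out overrides gives the list of hosts to pre-create computer zones for, or to schedule a 'centrifydc' restart on.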