Centrify Identity Service

Problem:
On host machines running the Centrify Connector, local user profiles are created even though the user has never logged on to the Connector host.

Cause:
The profiles are created by the Directory Services API when the "ChangePassword" call is made. This happens when a user uses the Self Service Password reset option from the User portal > Account tab, if that user has rights to "Logon Locally" on the Connector host.

Workaround:
To prevent this from occurring, take the following steps. Note that this will not delete the profiles already created; it only prevents any further profiles from being created.
1) On each Connector host machine, log in as an Administrator and open the Local Group Policy Editor by typing gpedit.msc in the Run box.
2) Navigate to "Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment".
3) Click on "Allow log on locally", remove "Users" and "Backup Operators", and click "Apply".
Note: The default settings for "Allow log on locally" are:
• On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
• On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.
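
To confirm the change on each Connector host, the following PowerShell check (an added example, not Centrify code) exports the local user rights with secedit and reports whether "Users" or "Backup Operators" still hold "Allow log on locally" (SeInteractiveLogonRight). The function names and the temporary file name are assumptions made for this example.

```powershell
# Added example, not Centrify code. Run in an elevated PowerShell session on the Connector host.
# Well-known SIDs of the two groups the workaround removes from "Allow log on locally".
$Flagged = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

function Get-InteractiveLogonEntries {
    param([string[]]$InfLines)
    # secedit writes one line per right, for example:
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,Guest
    $line = $InfLines | Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }            # the right is assigned to no one
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function ConvertTo-Sid {
    param([string]$Entry)
    if ($Entry -match '^S-1-') { return $Entry }
    # Some entries may be exported as account names rather than SIDs; try to resolve them.
    try {
        ([System.Security.Principal.NTAccount]$Entry).Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Entry }                    # leave unresolvable names unchanged
}

function Test-ConnectorLogonRight {
    $tmp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $entries = Get-InteractiveLogonEntries -InfLines (Get-Content -Path $tmp)
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    foreach ($entry in $entries) {
        $sid = ConvertTo-Sid $entry
        [pscustomobject]@{
            Entry         = $entry
            Sid           = $sid
            StillToRemove = $Flagged.ContainsKey($sid)
        }
    }
}

Test-ConnectorLogonRight | Format-Table -AutoSize
```

After step 3, no row should show StillToRemove as True. If a domain Group Policy defines this user right, it overrides the local policy edit, so a row that reappears after a policy refresh points to a domain-level setting.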
For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Centrify Customer Portal at support.centrify.com.