Applies to: 
Centrify DirectManage Access Manager Suite 2017.1 or earlier

Problem:

AD user has following permissions granted on target AD container in order to change Centrify's default zone container location.
Allow – Create/Delete classStore objects
Allow – Full Control on descending classStore objects

This 'Change default zone container' task is unsuccessful with error received "You do not have permission to create the zone container at domain.com/Centrify/Zones". 



Cause:

Access Manager Centrify Suite 2017.1 and earlier requires AD user has permission 'create container objects' on given target zone container, while this permission should not checked if the specified target container already exists. 
This is a bug of Access Manager Suite 2017.1 and earlier. 

Besides when changing the default zone container on Access Manager the previous zone container identifier will be deleted, therefore permission to delete classStore object on previous zone container is also required. Centrify will need to enhance the document guide about this in future release. 

* zone container identifier is a classStore object stored in the zone container named as $CentrifyZoneContainer. 

The zone container identifier is an AD object created as:
- Type = classStore;
- Name = $CentrifyZoneContainer;
- DisplayName = $CimsZoneContainerVersion2

Workarounds:

Option 1 - Grant 2 more permissions to the operator (AD user). 
- On target zone container 
• Create Container objects (Applied to this object only)
- On previous zone container  
• Delete classStore objects (Applied to this object and descendant objects)

Option 2 - Create a new zone container identifier within target zone container with powershell command and remove the previous zone container identifier.

New-ADObject -Name `$CentrifyZoneContainer -DisplayName `$CimsZoneContainerVersion2 -Type classStore -Path "OU=targetcontainer,DC=domain,DC=com"

* Replace "OU=targetcontainer,DC=domain,DC=com" with the real target zone container's  distinguished name. 

Option 3 - Move the old zone container identifier to the target container with proper administrative privilege. 
i) Right click on the old zone container identifier and go to 'Move';
ii) Select the target zone container from the promoted list;
iii) Click 'OK' to save the change.

Then the current zone container will be shown as the target one in launched Setup wizard. 

Resolution:
This issue has been fixed in Suite 2017.2. Access Manager will not check user's container creation permission if target container already exists.