KB-9006: "Change default zone container" failed in Access Manager Setup Wizard

Authentication Service

8 May,18 at 10:09 AM

Applies to: 
Centrify DirectManage Access Manager Suite 2017.1 or earlier


Problem: An AD user has been granted the following permissions on the target AD container in order to change Centrify's default zone container location:

Allow – Create/Delete classStore objects
Allow – Full Control on descendant classStore objects

Despite this, the 'Change default zone container' task fails with the error "You do not have permission to create the zone container at"



Cause: Access Manager in Centrify Suite 2017.1 and earlier requires the AD user to have the 'Create Container objects' permission on the given target zone container, even though this permission should not be checked when the specified target container already exists.
This is a bug in Access Manager Suite 2017.1 and earlier.

In addition, when the default zone container is changed in Access Manager, the previous zone container identifier is deleted, so permission to delete classStore objects on the previous zone container is also required. Centrify will enhance the documentation on this point in a future release.

The zone container identifier is a classStore object stored in the zone container and named $CentrifyZoneContainer. It is an AD object created as:
- Type = classStore;
- Name = $CentrifyZoneContainer;
- DisplayName = $CimsZoneContainerVersion2


Option 1 - Grant 2 more permissions to the operator (AD user):
- On the target zone container:
  • Create Container objects (applied to this object only)
- On the previous zone container:
  • Delete classStore objects (applied to this object and descendant objects)

Option 2 - Create a new zone container identifier within the target zone container with the following PowerShell command (ActiveDirectory module), then remove the previous zone container identifier.

New-ADObject -Name `$CentrifyZoneContainer -DisplayName `$CimsZoneContainerVersion2 -Type classStore -Path "OU=targetcontainer,DC=domain,DC=com"

* Replace "OU=targetcontainer,DC=domain,DC=com" with the real target zone container's distinguished name. The backtick before each $ escapes it so PowerShell passes the literal object names instead of expanding them as variables.
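The following script is an added example, not Centrify's own code: it carries Option 2 through both halves (create the identifier in the target container, then remove the old one) with existence checks, so nothing is created twice and the old identifier is only deleted once the new one is confirmed. It assumes the ActiveDirectory (RSAT) module and uses placeholder distinguished names for the old and target zone containers.

```powershell
# Added example (not Centrify's code). Assumes the ActiveDirectory module;
# the two container DNs below are placeholders for the real zone containers.
Import-Module ActiveDirectory

$IdentifierName    = '$CentrifyZoneContainer'       # literal name, as documented above
$IdentifierDisplay = '$CimsZoneContainerVersion2'   # literal displayName
$OldContainer = 'OU=oldcontainer,DC=domain,DC=com'      # placeholder
$NewContainer = 'OU=targetcontainer,DC=domain,DC=com'   # placeholder

function Get-ZoneContainerIdentifier {
    param([string]$ContainerDN)
    # Only a direct child classStore object with the identifier name counts.
    # An LDAP filter is used because '$' is not special there, unlike in -Filter.
    Get-ADObject -SearchBase $ContainerDN -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=classStore)(name=$IdentifierName))" `
        -Properties displayName
}

function Move-ZoneContainerIdentifier {
    param([string]$OldDN, [string]$NewDN)

    $new = Get-ZoneContainerIdentifier -ContainerDN $NewDN
    if (-not $new) {
        # Same object the Setup Wizard creates (Type / Name / DisplayName as documented).
        # Requires 'Create classStore objects' on the target container.
        New-ADObject -Name $IdentifierName -DisplayName $IdentifierDisplay `
            -Type classStore -Path $NewDN
        $new = Get-ZoneContainerIdentifier -ContainerDN $NewDN
        if (-not $new) { throw "Identifier was not created under $NewDN" }
    }

    $old = Get-ZoneContainerIdentifier -ContainerDN $OldDN
    if ($old) {
        # Remove only after the new identifier exists, so a zone container
        # identifier is present at every point. Requires 'Delete classStore
        # objects' on the previous container, as the article notes.
        Remove-ADObject -Identity $old.DistinguishedName -Confirm:$false
    }
    return $new
}

Move-ZoneContainerIdentifier -OldDN $OldContainer -NewDN $NewContainer
```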

Option 3 - Move the old zone container identifier to the target container using an account with sufficient administrative privilege:
i) Right-click the old zone container identifier and choose 'Move';
ii) Select the target zone container from the prompted list;
iii) Click 'OK' to save the change.

The current zone container will then be shown as the target one when the Setup Wizard is launched.

This issue has been fixed in Suite 2017.2: Access Manager no longer checks the user's container creation permission if the target container already exists.