KB-9203: How to Restrict or Allow User Logins in Classic Zone

Centrify DirectControl

26 September,17 at 10:16 PM

Question:
 
By default, a classic zone allows all provisioned users in Active Directory to log in to any machine that is joined to the domain. How can a classic zone be restricted so that only specific provisioned users are allowed to log in while other provisioned users are denied login?

Answer:
 
To configure a classic zone to allow specific provisioned users to log in (and exclude other provisioned users), edit the /etc/centrifydc/centrifydc.conf file and set the pam.allow.users parameter. The value of this parameter can be either a file or a list of sAMAccountNames. Once the parameter is set, only the configured provisioned users are allowed to log in; all others are excluded.
  
Case 1: the pam.allow.users parameter points to a file that contains a list of allowed provisioned users.

For example, in /etc/centrifydc/centrifydc.conf:
  
pam.allow.users: file:/etc/centrifydc/users.allow

In /etc/centrifydc/users.allow:

[Image: contents of the users.allow file]
  

 
Case 2: the parameter value is itself the list of users that will be allowed to log in.

For example, in /etc/centrifydc/centrifydc.conf:
  
pam.allow.users: tetsu,dean@centrifyimage.vms,darrell@centrifyimage.vms

After making a change to centrifydc.conf, or after adding a new name to the users.allow file, adclient needs to be reloaded:
  
# adreload
 
adquery user for an included provisioned user (tetsu in the image below) will show zoneEnabled:true.
adquery user for a restricted provisioned user (donald in the image below) will show zoneEnabled:false.

[Image: adquery user output for tetsu and donald]
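
The following is an added example, not part of the Centrify KB or product: a shell script that reads a centrifydc.conf-style file and reports whether a name is in the effective pam.allow.users list, covering case 1, case 2, and the unset case where the classic-zone default lets every provisioned user log in. It assumes users.allow holds one name per line and matches names as exact strings only; the function names and demo files are constructed for illustration, and adquery user on the joined host remains the authoritative check.

```sh
#!/bin/sh
# Added example. Assumption (not stated in the KB): users.allow holds one
# name per line; blank lines are ignored. Matching here is exact-string only.

# Print the value of pam.allow.users; prints nothing if unset or commented out.
allow_value() {
    sed -n 's/^[[:space:]]*pam\.allow\.users[[:space:]]*:[[:space:]]*\(.*\)$/\1/p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the effective allow list, one name per line.
# Returns 1 if the parameter is unset, 2 if the file: target is unreadable.
allowed_users() {
    value=$(allow_value "$1")
    [ -n "$value" ] || return 1
    case $value in
        file:*) list=${value#file:}
                [ -r "$list" ] || return 2
                sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$list" ;;
        *)      printf '%s\n' "$value" | tr ',' '\n' |
                    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' ;;
    esac
}

# Exit 0 if the name is allowed, 1 if it is excluded, 2 if undetermined.
# Unset parameter = classic-zone default: every provisioned user may log in.
is_allowed() {
    names=$(allowed_users "$1") && rc=0 || rc=$?
    [ "$rc" -ne 1 ] || return 0
    [ "$rc" -eq 0 ] || return 2
    printf '%s\n' "$names" | grep -qxF -e "$2"
}

# Constructed demo files in a temp directory (nothing under /etc is touched).
demo=$(mktemp -d)
printf 'tetsu\ndean@centrifyimage.vms\n\n' > "$demo/users.allow"
printf 'pam.allow.users: file:%s\n' "$demo/users.allow" > "$demo/case1.conf"
printf 'pam.allow.users: tetsu,dean@centrifyimage.vms,darrell@centrifyimage.vms\n' > "$demo/case2.conf"
printf '# pam.allow.users: tetsu\n' > "$demo/unset.conf"
for conf in case1 case2 unset; do
    for user in tetsu donald; do
        if is_allowed "$demo/$conf.conf" "$user"; then r=allowed; else r=denied; fi
        printf '%-6s %-7s %s\n' "$conf" "$user" "$r"
    done
done
rm -rf "$demo"
```

A parameter that is commented out or misspelled leaves the host on the allow-everyone default, which is why the script reports that state separately from an explicit list.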
