Permissions required for alternate accounts and organizational units
You can run the connector service as an Active Directory service account instead of as the Local System account. Whichever account you select must have all of the required permissions. For example, if you run the service as a specific Active Directory service account, that account must be a member of the local Administrators group on the connector host, and you must confirm that it has at least Read permission on the container that holds the Privileged Access Service user accounts and the Active Directory groups used as members of roles.
You must verify that the relevant accounts have permission to read Active Directory users and groups, because authentication depends on it. Each time role permissions are reassessed, the connector tries to resolve the Active Directory groups mapped to any role in which the Active Directory user is potentially a member; if it cannot read those groups, it cannot evaluate the user's role membership.
The host computer must also have read access to the container or organizational unit (OU) that stores the user accounts. Without read access, the connector cannot authenticate the user. Domain computers have this permission by default; however, the connector host might not. This most often occurs in multi-forest or multi-domain setups and can occur even when a two-way trust is already defined. You can tell when this occurs because the connector log shows the error message "unable to locate forest or user object."
In this case, you need to grant Read permission on the containers or organizational units to the account the connector runs as: the connector host's computer account when the service runs as Local System (Local System reaches Active Directory as the computer account), or the service account otherwise.

- Open Active Directory Users and Computers, select the user account container, and open the Properties.
- Select the Security tab and then click Add to add the user account you are using to run the connector service. Click OK after you add the user account.
- Click the user account in Group or User Names and click the Allow box for the Read permission.
- Click OK.
Any user or group that has been given permission to read and write the lockoutTime attribute on an OU or other container can unlock user accounts that reside in that container. See https://support.microsoft.com/en-us/kb/294952 for how to delegate the right to unlock locked user accounts to a particular group or user in Active Directory.
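The following PowerShell is an added example, not part of the Centrify documentation. It performs both grants described above with the RSAT ActiveDirectory module instead of the Active Directory Users and Computers GUI: Read on the user container (inherited by everything beneath it) for the identity the connector runs as, and a delegation of the lockoutTime attribute to a help-desk group so its members can unlock accounts in that OU without a blanket write right. The OU distinguished name OU=PAS Users,DC=corp,DC=example, the computer account CORP\CONNECTOR01$ (what a Local System connector on host CONNECTOR01 looks like to the domain), the alternative service account CORP\svc-connector and the group CORP\Helpdesk-Unlock are all assumptions; substitute your own.

```powershell
# Added example, not Centrify's code. Requires the RSAT ActiveDirectory module and an
# account allowed to modify the OU's security descriptor (for example Domain Admins).
# All names below are assumptions.
Import-Module ActiveDirectory

function Add-OuAce {
    <# Appends one Allow ACE to an OU's DACL. $Rights is a System.DirectoryServices.ActiveDirectoryRights
       value; $AttributeGuid limits the ACE to one attribute ([guid]::Empty = all properties). #>
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [string] $Identity,   # DOMAIN\name form, e.g. 'CORP\CONNECTOR01$'
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [guid] $AttributeGuid = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'All'
    )
    $sid = ([System.Security.Principal.NTAccount] $Identity).Translate([System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $AttributeGuid, $Inheritance)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-AttributeSchemaGuid {
    # Looks up the schemaIDGUID of an attribute; an ACE scoped to one attribute needs it.
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "attribute $LdapDisplayName not found in the schema" }
    [guid] $attr.schemaIDGUID
}

function Get-OuAcesFor {
    # Lists the ACEs on an OU that name a given identity, to confirm what was actually granted.
    param([Parameter(Mandatory)] [string] $OuDn, [Parameter(Mandatory)] [string] $Identity)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
}

# --- Usage (assumed names) ---
$usersOu = 'OU=PAS Users,DC=corp,DC=example'

# 1. Read on the container and everything beneath it for the connector's identity.
#    A Local System connector on host CONNECTOR01 appears to the domain as CORP\CONNECTOR01$;
#    grant 'CORP\svc-connector' instead if the service runs as that account.
Add-OuAce -OuDn $usersOu -Identity 'CORP\CONNECTOR01$' -Rights GenericRead -Inheritance All

# 2. Delegate unlock: read and write of lockoutTime only, on objects under the OU (not the OU itself).
$lockoutGuid = Get-AttributeSchemaGuid -LdapDisplayName 'lockoutTime'
Add-OuAce -OuDn $usersOu -Identity 'CORP\Helpdesk-Unlock' -Rights 'ReadProperty, WriteProperty' `
    -AttributeGuid $lockoutGuid -Inheritance Descendents

# 3. Verify both grants by reading the DACL back.
Get-OuAcesFor -OuDn $usersOu -Identity 'CORP\CONNECTOR01$'  | Format-Table -AutoSize
Get-OuAcesFor -OuDn $usersOu -Identity 'CORP\Helpdesk-Unlock' | Format-Table -AutoSize
```

After the Read grant, restart the connector and watch its log: the "unable to locate forest or user object" message should no longer appear for users in that OU. The lockoutTime ACE is deliberately limited to one attribute and to descendant objects, which is the least-privilege form of the delegation in KB 294952; a GenericWrite grant on the OU would also allow unlocking but hands the help desk far more than that.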
Password reset requires you to delegate a group of users to have the ability to reset passwords for another subset of users in a particular OU. See Password Reset Permissions for information on delegating password reset permissions.
To create your Centrify Connector service account:
- Open Active Directory Users and Computers.
- Create a new user account that will be used as the Centrify Connector service account.
- Set a password and vault the password securely.
To add the Centrify Connector service account to the local Administrators group on the Centrify Connector machine:
On the Centrify Connector machine:
- Log in with a local administrator account.
- Open Local Users and Groups (lusrmgr.msc).
- Edit the Administrators group to include your Centrify Connector service account.
To set the Centrify Connector service to run as the Centrify Connector service account:
On the Centrify Connector machine:
- Open the Services console (services.msc) and locate the Centrify Connector service.
- On the Log On tab, set the Centrify Connector service account that will operate the service.
- Save all your changes and restart the service.
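The three procedures above (create the service account, add it to the local Administrators group, and change the service logon) scripted in PowerShell, as an added example that is not Centrify's code. Step 1 runs wherever the ActiveDirectory module is installed; steps 2 to 4 run in an elevated session on the connector host. The domain CORP, the account name svc-connector, the OU OU=Service Accounts,DC=corp,DC=example and the service display name prefix "Centrify Connector" are assumptions; check Get-Service on your host for the real service name.

```powershell
# Added example, not Centrify's code. Names are assumptions; see the lead-in.
Import-Module ActiveDirectory

$domain   = 'CORP'
$svcName  = 'svc-connector'
$svcOu    = 'OU=Service Accounts,DC=corp,DC=example'
$svcUpn   = "$svcName@corp.example"
# Enter the password that you already stored in the vault; it is never echoed or logged here.
$password = Read-Host -AsSecureString -Prompt 'Service account password'

# 1. Create the account: non-expiring password the account cannot change itself, plus a
#    description so its purpose is still obvious to whoever audits the OU later.
New-ADUser -Name $svcName -SamAccountName $svcName -UserPrincipalName $svcUpn -Path $svcOu `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Centrify Connector service account'

# 2. On the connector host: local Administrators membership, which the documentation requires.
Add-LocalGroupMember -Group 'Administrators' -Member "$domain\$svcName"

# 3. Locate the service by display name (assumption: it begins with 'Centrify Connector').
$svc = Get-Service -DisplayName 'Centrify Connector*' | Select-Object -First 1
if (-not $svc) { throw 'Centrify Connector service not found on this host' }

# 4. Change the logon account through Win32_Service.Change. The password travels as a method
#    argument, so it does not land on a command line (sc.exe config ... password= would put it
#    in process-creation audit events). The BSTR is zeroed as soon as the call returns.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
try {
    $inst = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
    $r = Invoke-CimMethod -InputObject $inst -MethodName Change -Arguments @{
        StartName     = "$domain\$svcName"
        StartPassword = $plain
    }
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return value $($r.ReturnValue)" }
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# Restart and confirm the service is running under the new account.
Restart-Service -Name $svc.Name
Get-Service -Name $svc.Name | Select-Object Name, Status, StartType
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'").StartName
```

One caveat when scripting this instead of using the Log On tab: the Services console grants the account the "Log on as a service" right (SeServiceLogonRight) automatically when you set it there. Confirm the account holds that right before the restart (secedit /export /cfg lists it under [Privilege Rights]); without it the service fails to start with a logon failure. The account is a local administrator with a non-expiring password, so treat it as a privileged credential: vault it, restrict where it can log on, and rotate it on your service-account schedule.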