Permissions required for alternate accounts and organizational units

You can run the connector service as an Active Directory service account instead of as the Local System account. The account you select must have all of the required permissions. For example, if you run the service as a specific Active Directory service account, that account must be a member of the local Administrators group on the connector host, and you must confirm that it has at least read permission to the container that holds the Privileged Access Service user accounts and the Active Directory groups used as members of roles.

You must verify that the relevant accounts have permission to read Active Directory users and groups, because authentication depends on it. Each time role permissions are reassessed, the connector tries to resolve the Active Directory groups mapped to any role in which the Active Directory user is potentially a member.

The host computer must also have read access to the container or organizational unit (OU) that stores the user accounts. Without read access, the connector cannot authenticate the user. Domain computers have this permission by default; however, the connector host may not. This most often occurs in multi-forest or multi-domain setups and can occur even when a two-way trust is already defined. You can tell when this occurs because the connector log shows the error message "unable to locate forest or user object."

In this case, you need to give the Local System account read access permission to the containers or organizational units.

To create your Centrify Connector service account:

  1. Open Active Directory Users and Computers.
  2. Create a new user account that will be used as the Centrify Connector service account.
  3. Set a password and vault the password securely.

To add the Centrify Connector service account to the local Administrators group on the Centrify Connector machine:

On the Centrify Connector machine:

  1. Log in with a local administrator account.
  2. Open the Local Users and Groups snap-in (lusrmgr.msc).
  3. Edit the Administrators group to include your Centrify Connector service account.

To set the Centrify Connector service to run as the Centrify Connector service account:

On the Centrify Connector machine:

  1. Open the Services console (services.msc) and locate the Centrify Connector service.
  2. On the Log On tab, set the service to log on as the Centrify Connector service account.
  3. Save all your changes and restart the service.
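The following PowerShell script is an added example, not Centrify's own tooling: it performs the three procedures above and also checks the OU read permission described earlier, so that the "unable to locate forest or user object" condition is caught before the service is restarted. The account name, domain, OU distinguished name, role group prefix and service display name are assumed placeholders; it requires the ActiveDirectory module and must run elevated on the connector host.

```powershell
# Added example (not Centrify's own code). Placeholders: account, domain, OU, group prefix, service display name.
Import-Module ActiveDirectory

$svcName = 'svc-centrify-connector'                       # assumed service account name
$domain  = 'CORP'                                         # assumed NetBIOS domain name
$userOU  = 'OU=PAS Users,DC=corp,DC=example,DC=com'       # assumed OU holding PAS users and role groups
$svcPwd  = Read-Host -AsSecureString 'Service account password'   # vault this value separately

# 1. Create the service account in Active Directory Users and Computers' terms (New-ADUser).
New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $svcPwd `
    -Enabled $true -Description 'Centrify Connector service account'

# 2. Add the account to the local Administrators group on the connector machine.
Add-LocalGroupMember -Group 'Administrators' -Member "$domain\$svcName"

# 3. Confirm an Allow ACE grants read on the user OU, either to the account itself or to
#    Authenticated Users (the usual source of the default read that domain computers get).
$acl = Get-Acl -Path "AD:\$userOU"
$readAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll' -and
    ($_.IdentityReference -like "*\$svcName" -or $_.IdentityReference -like '*\Authenticated Users')
}
if (-not $readAce) {
    Write-Warning "No read ACE for $svcName on $userOU; expect 'unable to locate forest or user object' in the connector log."
}

# 4. Prove group resolution works as that account: enumerate members of the role groups
#    (assumed naming prefix 'PAS-'), which is what the connector does on each role reassessment.
$cred = New-Object System.Management.Automation.PSCredential("$domain\$svcName", $svcPwd)
Get-ADGroup -Filter 'Name -like "PAS-*"' -SearchBase $userOU -Credential $cred |
    Get-ADGroupMember -Credential $cred | Select-Object -First 5 Name, objectClass

# 5. Set the service Log On account (Win32_Service.Change needs the plaintext password) and restart.
$svc   = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Centrify%Connector%'"   # assumed display name
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($svcPwd)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$null = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName = "$domain\$svcName"; StartPassword = $plain }
Remove-Variable plain
Restart-Service -Name $svc.Name
```

If step 3 warns, grant the account (or the connector host's computer account when running as Local System) read access on the OU before restarting, since step 5 alone does not fix the lookup failure.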