Permissions for managing mobile device objects in Active Directory
If you want to manage your mobile device objects in Active Directory, you need to delegate the necessary permissions to the Centrify Connector:
- At least read permission on the container that holds the Privileged Access Service user accounts.
- A broader set of permissions on the container that holds the registered device objects.
When you designate the registered device object container or organizational unit in the Device Registration Settings, you need to grant the read permission on the user account container and the broader set of permissions for the Active Directory user account on the container or organizational unit that stores the registered device objects. Repeat the second procedure for every container or organizational unit you use to store registered device objects.

- Open Active Directory Users and Computers, select the user account container, and open the Properties.
- Select the Security tab and then click Add to add the user account you are using to run the connector service. Click OK after you add the user account.
- Click the user account in Group or User Names and click the Allow box for the Read permission.
- Click OK.

- Open Active Directory Users and Computers, select the registered device object container, and open Properties.
- Select the Security tab, then click Advanced to view the Advanced Security Settings.
- Click Add to add a new permission entry.
- Click Object Types and confirm that the object type for your connector is selected.
- Click OK.
- Navigate to the Select User, Computer, Service Account, or Group window.
- Enter the first few characters of the object name into the object name text box, then click Check Names.
- Select the object name for your connector and click OK.
- Select Allow for the Create Computer objects permission.
- Click OK.
- Click Add to add another permission entry.
- Click Object Types and confirm that the object type for your connector is selected.
- Select the object name for your connector and click OK.
The Permission Entry for MobileDevices window opens.
- Click the Allow box for the following permissions on the Object tab:
  - Write all properties
  - Delete
  - Read permissions
  - All validated writes
- Click OK on the remaining windows to exit the Properties configuration windows.
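The same delegation can be applied from PowerShell instead of the Users and Computers console. This is an added example, not Centrify's own script: it uses the ActiveDirectory module's AD: drive to grant exactly the rights the two procedures above describe, and the domain, container DNs, connector account name and the "this object and all descendants" scope on the device container are placeholders and assumptions you must adjust.

```powershell
# Added example (not part of the Centrify documentation). Placeholders below are
# constructed for illustration; replace them with your own values.
Import-Module ActiveDirectory

$ConnectorAccount  = 'EXAMPLE\svc-centrify-connector'      # placeholder: account running the connector service
$UserContainerDN   = 'OU=PAS Users,DC=example,DC=com'      # placeholder: container with PAS user accounts
$DeviceContainerDN = 'OU=MobileDevices,DC=example,DC=com'  # placeholder: registered device object container

# Well-known schemaIDGUID of the "computer" class: restricts CreateChild to
# "Create Computer objects" rather than creating any object type.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

function Add-Ace {
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Procedure 1: Read permission on the user account container only.
Add-Ace $UserContainerDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::GenericRead, $Allow))

# Procedure 2, first entry: Create Computer objects in the device container.
Add-Ace $DeviceContainerDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::CreateChild, $Allow, $ComputerClassGuid))

# Procedure 2, second entry: Write all properties, Delete, Read permissions,
# All validated writes. Assumption: scoped to the container and all descendants
# so the connector can maintain the device objects it creates.
$writeRights = $Rights::WriteProperty -bor $Rights::Delete -bor $Rights::ReadControl -bor $Rights::Self
Add-Ace $DeviceContainerDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $writeRights, $Allow, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# Check: list the entries now granted to the connector account on the device container.
(Get-Acl -Path "AD:\$DeviceContainerDN").Access |
    Where-Object { $_.IdentityReference -eq $ConnectorAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

Run it as an account that already has permission to modify the security descriptors of both containers; the final query lets you confirm that only the expected rights were added.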