Installation and service account privilege requirements

Installing the connector has two steps: file installation (running installer.exe) and registration (running ProxyUI.exe for the first time). File installation requires local administrative permissions on the connector machine because the installer copies files to Program Files, sets up the Windows service, and modifies the registry. Registration also requires local administrative permissions because the settings are written to the registry. Additional permissions may be required depending on what you want the connector to do; the sections below list them by function.

Services and their required rights and privileges

Manage mobile device objects in Active Directory

To manage mobile device objects in Active Directory, you need to delegate the necessary permissions to the connector's service account:

  • At least Read permission on the container that holds the Privileged Access Service user accounts.
  • A broader set of permissions on the container that holds the registered device objects: Write all properties, Delete, Read permissions, and All validated writes, inherited by the device objects in that container.

See Permissions for managing mobile device objects in Active Directory.

Synchronize deleted objects in Active Directory with Privileged Access Service

When you delete users in Active Directory and want the deletion synchronized with Privileged Access Service, the connector must be able to read the Deleted Objects container of each domain involved. You have two options:

  • Run the connector under an account that is a domain administrator of the Active Directory domain that contains the relevant Deleted Objects container. If you delete users in multiple domains, the account must be a domain administrator in every one of those domains.
  • Delegate Read permission on the Deleted Objects container to the connector's service account, in each of the corresponding domains.

If you do neither, users deleted in Active Directory remain listed on the Users page in Admin Portal until you delete them manually. They do not retain access to any Privileged Access Service functionality in the meantime, so the issue is stale directory data rather than unauthorized access.

See Deleting Active Directory/LDAP user accounts for more information on deleting Active Directory accounts.
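The two delegations above (device container permissions and read access to the Deleted Objects container) are normally done once per domain with dsacls, followed by a check that the service account can actually read tombstones. The following PowerShell script is an added example, not part of the Centrify documentation; the domain example.com, the service account EXAMPLE\svc_connector and the OU "Registered Devices" are assumed names that you must replace. The script must be run by a Domain Admin, because by default only Domain Admins and SYSTEM can read or take ownership of the Deleted Objects container.

```powershell
# Added example (not from the Centrify documentation). Assumed values:
#   - connector service account: EXAMPLE\svc_connector
#   - domain: example.com (DC=example,DC=com)
#   - registered device container: OU=Registered Devices,DC=example,DC=com
# Run as a Domain Admin of the target domain; repeat per domain.
$Domain          = 'DC=example,DC=com'
$ServiceAccount  = 'EXAMPLE\svc_connector'
$DeviceContainer = "OU=Registered Devices,$Domain"
$DeletedObjects  = "CN=Deleted Objects,$Domain"

# 1. Device container: generic Read (GR), Write all properties (WP),
#    Delete (SD), Read permissions (RC) and All validated writes (WS).
#    /I:T applies the grant to the container and every object beneath it,
#    which is what the connector needs to manage registered device objects.
dsacls $DeviceContainer /I:T /G "${ServiceAccount}:GRWPSDRCWS"

# 2. Deleted Objects container: the default ACL only admits Domain Admins
#    and SYSTEM, so the documented Microsoft procedure is to take ownership
#    first and then grant List children (LC) and Read property (RP).
#    This is read-only access to tombstones; nothing else is granted.
dsacls $DeletedObjects /takeownership
dsacls $DeletedObjects /G "${ServiceAccount}:LCRP"

# 3. Check the result as the service account itself rather than as the
#    admin: an "access denied" error, or no rows while deleted users are
#    known to exist, means the delegation did not take effect.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -SearchBase $DeletedObjects -Credential $cred |
    Select-Object Name, DistinguishedName, whenChanged
```

Taking ownership of the Deleted Objects container is a one-time, domain-wide change, so record it in your change log; the grant itself is limited to read access for the single service account, which keeps the connector from needing Domain Admin membership for routine operation.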

Register the connector as an Active Directory proxy (e.g. only for App Gateway)

If you want to register a connector as an Active Directory proxy, the service account needs Read permission on the Active Directory objects it will look up; no write access is required for this function.

Register the connector in your Privileged Access Service account

To register the connector in your Privileged Access Service account, you must be either a member of the sysadmin role in Admin Portal or be a member of a role that has the Register Centrify Connector permission. See Admin Portal administrative rights for the details.

Set up ADUC property page extension

To extend the user interface of the Active Directory Users and Computers console, you must provide an enterprise administrator user name and password when setting up the extension. The extension applies only when you use Active Directory Group Policies to manage mobile devices.

All Active Directory accounts are members of the built-in Authenticated Users group. By default, members of the Authenticated Users group have List and Read permissions on most Active Directory objects, which is why the read-only functions above often work without explicit delegation. The exact permissions vary by object type and Active Directory version, and hardened domains may have removed these defaults, so verify the service account's effective permissions rather than assuming them and grant Read explicitly where it is missing.

You can also install the Centrify Connector on non-Active Directory computers. In this case, you can use local (i.e. non-Active Directory) accounts.