Installation and service account privilege requirements

Installing the connector has two parts: file installation (running installer.exe) and registration (running ProxyUI.exe for the first time). File installation requires local administrator rights on the connector machine because it copies files into Program Files, installs a Windows service, and modifies the registry. Registration also requires local administrator rights because it writes the connector settings to the registry. Depending on what you want the connector to do, additional permissions may be required; the tasks below list them.

Rights and privileges required for specific tasks

Synchronize deleted objects in Active Directory with Privileged Access Service

When you delete users in Active Directory and want the deletion synchronized with Privileged Access Service, do one of the following:

  • Use an account that is a domain administrator of the Active Directory domain that contains the relevant Deleted Objects container. If you delete users in multiple domains, the account must be a domain administrator in each of those domains.
  • Delegate read permission on the Deleted Objects container in each corresponding domain to the connector service account. This is the least-privilege option: by default only SYSTEM and domain administrators can read that container, so the ordinary read access an account has elsewhere in the domain is not enough.

If you do neither, users deleted in Active Directory remain listed on the Users page in Admin Portal until you delete them manually. They cannot, however, access any Privileged Access Service functionality.

See Deleting Active Directory /LDAP user accounts for more information on deleting Active Directory accounts.
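The delegation in the second option, as an added example that is not part of the original page or of the Centrify connector itself. It uses the standard dsacls procedure for the Deleted Objects container and then verifies the result two ways: by reading the container's ACL and by querying tombstoned users under the service account's own credentials. The domain DN (DC=example,DC=com) and the account name (EXAMPLE\svc-connector) are assumptions; if the connector service runs as Local System, delegate to the computer account (EXAMPLE\HOST$) instead, because that is the identity Local System presents to the domain.

```powershell
# Added example: delegate read access on the Deleted Objects container to the
# connector service account and verify it. Run as a Domain Admin in that domain.
# The domain DN and service account name below are assumptions for illustration.
$Domain    = 'DC=example,DC=com'          # assumed domain DN
$SvcAcct   = 'EXAMPLE\svc-connector'      # assumed connector service account
$Container = "CN=Deleted Objects,$Domain"

# 1. Even Domain Admins cannot change this container's ACL until they take
#    ownership of it; this is the documented dsacls step for Deleted Objects.
dsacls $Container /takeownership

# 2. Grant only List Contents (LC) and Read Property (RP). Nothing more is
#    needed to enumerate tombstones, so no write or control rights are given.
dsacls $Container /G "${SvcAcct}:LCRP"

# 3. Confirm the ACE landed by reading the container's ACL from the AD: drive.
Import-Module ActiveDirectory
(Get-Acl "AD:\$Container").Access |
    Where-Object { $_.IdentityReference -eq $SvcAcct } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 4. Verify from the service account's point of view: with the delegation in
#    place, deleted user objects are returned; without it the query is empty or
#    fails with an access error, which is the symptom of the problem above.
$cred = Get-Credential -UserName $SvcAcct -Message 'Service account password'
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -SearchBase $Container -Credential $cred `
    -Properties lastKnownParent, whenChanged |
    Select-Object Name, lastKnownParent, whenChanged
```

Repeat steps 1 and 2 in every domain from which users are deleted; the container is per domain, and a delegation in one domain grants nothing in another.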

Register the connector as an Active Directory proxy (for example, when the connector is used only for App Gateway)

To register a connector as an Active Directory proxy, the account you use needs Read permission in the Active Directory domain the connector will proxy.

Register the connector in your Privileged Access Service account

To register the connector in your Privileged Access Service account, you must be either a member of the sysadmin role in Admin Portal or be a member of a role that has the Register Centrify Connector permission. See Admin Portal administrative rights for the details.

All Active Directory accounts are members of the built-in Authenticated Users group. By default, members of Authenticated Users have list and read permissions on most Active Directory objects, which is why the Read permission above usually needs no extra delegation. The specific permissions vary by object type and Active Directory version, and the Deleted Objects container is a notable exception: Authenticated Users cannot read it by default, which is why synchronizing deletions needs one of the steps described earlier.

You can also install the Centrify Connector on computers that are not joined to Active Directory. In that case, you can use local (that is, non-Active Directory) accounts.