Starting Access Manager for the first time

The first time you start Access Manager, you can use the Setup Wizard to prepare the Active Directory forest with organizational units and containers for Centrify objects. From the Setup Wizard, you can create either the recommended deployment structure or a custom deployment structure and set all of the appropriate permissions for the objects automatically. If you skip this initial configuration, you can rerun the Setup Wizard at a later time or create organizational units and containers manually. At a minimum, however, you need to select a location in Active Directory for license keys and zones. For more information about the recommended organizational units and permissions, see the Planning and Deployment Guide.

What to do before updating Active Directory

Before you use Access Manager the first time, you should contact the Active Directory administrator to determine the appropriate location for the deployment structure and whether you have the appropriate rights for completing this task. The specific administrative rights required for this task depend on the policies of your organization and who has permission to create classStore and parent and child container objects in Active Directory.

Rights required for this task

If you don’t have administrative rights to create container objects in Active Directory, a domain administrator in the forest root domain can run the Setup Wizard or manually create the container objects and set the rights on those objects to allow other users to complete the initial configuration without being members of an administrative group.

The following table describes the minimum rights that must be granted on manually created container objects for other users to successfully complete the configuration with the Setup Wizard.

Target object: Licenses container

  Permissions applied to this object only:

  • Read all properties
  • Create classStore objects
  • Modify permissions

  Permissions applied to this object and all child objects:

  • Write Description property
  • Write displayName property

By default, all Authenticated Users have read and list contents permission for the Licenses container and all of its child objects.

Target object: Zones container

  Permissions applied to this object only:

  • Read all properties
  • Create classStore objects
  • Create Container objects

  Permissions applied to this object and all child objects:

  • Write displayName property

If you are a domain administrator and are creating the container objects manually, you should add a security group for Zone Administrators to Active Directory. Set the following permissions on the parent Zones container to allow the members of that group to manage zones.

Target object: Zones container

  Permissions applied to this object only:

  • Read all properties
  • Create Container objects
  • Delete Container objects

  Permissions applied to this object and all child objects:

  • Write displayName property
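The rights in the two tables above, delegated to a group with PowerShell so that the Setup Wizard user and the Zone Administrators group get only those entries rather than membership in an administrative group. This is an added example, not part of the Centrify documentation or product; it assumes the ActiveDirectory module (and its AD: drive) is available, that you run as an account permitted to change the container DACLs, and that the distinguished names and group names are placeholders to replace with your own.

```powershell
# Added example (not Centrify code): apply the permission tables to manually created containers.
# Assumptions: ActiveDirectory module loaded, caller may modify the DACLs, and the DNs and
# group names below are placeholders for your forest.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Resolve the schemaIDGUID of a class or attribute from the schema partition instead of hard-coding it
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$o.schemaIDGUID)
}

function Grant-ContainerRight {
    param([string]$Dn, [string]$Group, [string]$Rights, [string]$Inherit,
          [guid]$ObjectType = [guid]::Empty)
    # Inherit 'None' = "This object only"; 'All' = "This object and all child objects".
    # An empty ObjectType means the right is not limited to one object class or attribute.
    $sid  = (Get-ADGroup -Identity $Group).SID
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

$classStore  = Get-SchemaGuid 'classStore'
$container   = Get-SchemaGuid 'container'
$description = Get-SchemaGuid 'description'
$displayName = Get-SchemaGuid 'displayName'
$licenses = 'CN=Licenses,OU=Centrify,DC=example,DC=com'   # placeholder DN
$zones    = 'CN=Zones,OU=Centrify,DC=example,DC=com'      # placeholder DN
$setup    = 'Centrify-Setup-Users'                        # placeholder group that runs the Setup Wizard
$zoneAdm  = 'Zone-Administrators'                         # placeholder Zone Administrators group
# First table: rights the Setup Wizard user needs on the Licenses container
Grant-ContainerRight $licenses $setup 'ReadProperty'  'None'                 # Read all properties
Grant-ContainerRight $licenses $setup 'CreateChild'   'None' $classStore     # Create classStore objects
Grant-ContainerRight $licenses $setup 'WriteDacl'     'None'                 # Modify permissions
Grant-ContainerRight $licenses $setup 'WriteProperty' 'All'  $description    # Write Description property
Grant-ContainerRight $licenses $setup 'WriteProperty' 'All'  $displayName    # Write displayName property
# First table: rights the Setup Wizard user needs on the Zones container
Grant-ContainerRight $zones $setup 'ReadProperty'  'None'
Grant-ContainerRight $zones $setup 'CreateChild'   'None' $classStore
Grant-ContainerRight $zones $setup 'CreateChild'   'None' $container
Grant-ContainerRight $zones $setup 'WriteProperty' 'All'  $displayName
# Second table: rights the Zone Administrators group needs on the Zones container
Grant-ContainerRight $zones $zoneAdm 'ReadProperty'  'None'
Grant-ContainerRight $zones $zoneAdm 'CreateChild'   'None' $container
Grant-ContainerRight $zones $zoneAdm 'DeleteChild'   'None' $container
Grant-ContainerRight $zones $zoneAdm 'WriteProperty' 'All'  $displayName
```

Run `(Get-Acl "AD:\$zones").Access | Where-Object IdentityReference -like "*$zoneAdm"` afterwards to confirm that only the intended entries were added.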

Who should perform this task

A Windows Active Directory administrator performs this task, depending on your organization’s policies, by running the Setup Wizard or by manually creating container objects and notifying another user of the location of the container objects. The user who runs the Setup Wizard must be granted the rights required to create classStore objects.

How often you should perform this task

In most organizations, you only do this once for an Active Directory forest. However, if you want to create more than one administrative boundary, you can create additional parent containers as needed.

Steps for completing this task

The following instructions illustrate how to run the Setup Wizard from Access Manager.

To update Active Directory using Access Manager:

  1. Open Access Manager.
  2. Verify the name of the domain controller and the user credentials for connecting to the forest, then click OK.
  3. At the Welcome page, click Next.
  4. Select Use currently connected user credentials to use your current logon account, or select Specify alternate user credentials and type a user name and password, then click Next.
  5. Select Generate the Centrify recommended deployment structure if you want to create all of the containers for the recommended deployment structure automatically.

    If you select this option, select whether you want to generate the default deployment structure or generate a custom structure, then click Next.

    • If you are generating the default structure, clicking Next enables you to select or create the location for the deployment structure in Active Directory. For example, if you want to create the top of the default deployment structure at the domain level, click Next, then click Browse to select the domain name. After you have selected a location, click OK, then click Next to create the deployment structure.
    • If you are generating a custom structure, clicking Next enables you to export the script that creates the default structure or run a script you have previously written.

    If you are generating a default or custom deployment structure, verify the successful execution of the script that creates the structure, then click Next to continue.

  6. Verify that the parent container for licenses is in the top-level Centrify container (if you are using the default deployment structure) or in the container of your choice, then click Next.

    You can add other Licenses containers in other locations later using the Manage Licenses dialog box.

  7. Review the permission requirements for the container, then click Yes to continue.
  8. Type or copy and paste the license key you received, then click Add.

    If you received multiple license keys, add each key to the list of installed licenses, then click Next. If you received license keys in a text file, click Import to import the keys directly from the file instead of adding the keys individually, then click Next.

  9. Verify that the Create default zone container option is selected and that the parent container for zones is in the top-level Centrify container (if you are using the default deployment structure) or in the container of your choice, then click Next.

    If you run the Setup Wizard at any time after the initial creation of the Zones container, this step displays the Change default zone container option and the current container location. Select this option and click Browse to change the default container for zones, then click Next.

  10. If you are using the recommended deployment structure, click Next to continue.

    The option on this page, Grant computer accounts in the Computers container permission to update their own account information, allows “self-service” join operations for computers in the Computers container. It applies only if you are not using the recommended deployment structure. If you are not using the recommended deployment structure and want to support “self-service” join operations, select this option, then click Next.

  11. If you plan to use Access Manager to manage information stored in Active Directory and maintain data integrity, click Next to continue.

    You should select Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in if you want to automatically maintain the integrity of the information in Centrify profiles.

    This option prevents Centrify profile information from being left “orphaned” when changes are made to Active Directory objects such as users and groups. It is not selected by default because it requires you to be a member of the Enterprise Admins or Domain Admins group for the forest root domain.

  12. Select Activate Centrify profile property pages if you want to be able to display Centrify profiles in any Active Directory context, then click Next.

    Setting this option ensures that displaying the properties for a user, group, or computer always displays the Centrify Profile tab regardless of how you navigate to the Properties dialog box.

  13. Review and confirm your configuration settings, click Next, then click Finish.

What to do next

Create at least one parent zone.

Where you can find additional information

If you want to learn more about the importance and benefits of using zones, see the following topics for additional information: