Managing Zones

Zones are the key component for organizing access rights and role assignments for Windows computers. This chapter describes how to use Access Manager to create zones, manage zone properties, add Windows computers to selected zones, and move and rename zone objects.

Starting Access Manager for the First Time

The first time you start Access Manager, a Setup Wizard prepares the Active Directory forest with parent containers for licenses and zones. The Setup Wizard also sets the appropriate permissions for the objects. For example, all authenticated users are granted read access of the Licenses container by default. These steps are typically performed once by a domain administrator. If you choose to, you can create the container objects manually.

What to do Before Updating Active Directory

Before you use Access Manager the first time, you should contact the Active Directory administrator to determine the appropriate location for the Licenses and Zones parent containers and whether you have the appropriate rights for completing this task. The specific administrative rights required for this task depend on the policies of your organization and who has permission to create classStore and parent and child container objects in Active Directory.

Rights Required for this Task

If you don’t have administrative rights to create container objects in Active Directory, a domain administrator in the forest root domain can manually create the container objects and set the rights on those objects to allow other users to complete the initial configuration without being members of an administrative group.

The following table describes the minimum rights that must be granted on manually created container objects for other users to successfully complete the configuration with the Setup Wizard.

This target object	Requires these permissions	Applied to
Licenses container	Read all properties Create classStore objects Modify permissions	This object only
	Write Description property Write displayName property	This object and all child objects
	By default, all Authenticated Users have read and list contents permission for the Licenses container and all of its child objects.
Zones container	Read all properties Create classStore objects Create Container objects	This object only
	Write displayName property	This object and all child objects

If you are a domain administrator and use the Setup Wizard to create the container objects, you should add a security group for Zone Administrators to Active Directory. Set the following permissions on the parent Zones container to allow other users to manage zones.

This target object	Requires these permissions	Applied to
Zones container	Read all properties Create Container objects Delete Container objects	This object only
	Write displayName property	This object and all child objects

Who Should Perform this Task

A Windows Active Directory administrator performs this task, depending on your organization’s policies, by running the Setup Wizard or by manually creating container objects and notifying another user of the location of the container objects. The user who runs the Setup Wizard must be granted the rights required to create classStore objects.

How Often You Should Perform this Task

In most organizations, you only do this once for an Active Directory forest. However, if you want to create more than one administrative boundary, you can create additional parent containers as needed.

Steps for Completing this Task

The following instructions illustrate how to run the Setup Wizard from Access Manager.

To update Active Directory using Access Manager:

Open Access Manager.
At the Welcome page, click Next.
Select Use currently connected user credentials to use your current log on account or select Specify alternate user credentials and type a user name and password, then click Next.
Select a location for installing license keys in Active Directory, then click Next.

The default container for license keys is domain_name/Program Data/Centrify/Licenses. To create or select a container object in adifferent location, click Browse. If an Active Directory administratorhas created the Licenses container for you, click Browse and navigate to theappropriate location. The Setup Wizard will create a classStore object in the location you specify.

You can create additional containers in other locations later using the Manage Licenses dialog box.
Review the permission requirements for the container, then click Yes to confirm your selection.
Type or copy and paste the license key you received, then click Add.

If you received multiple license keys, add each key to the list of installed licenses, then click Next. If you received license keys in a text file,click Import to import the keys directly from the file instead of adding the keys individually, then click Next.
Select Create default zone container and specify a location for the Zones container, then click Next.

The default container location for zones is domain_name/Program Data/Centrify/Zones. To create or select a container object in a differentlocation, click Browse. If an Active Directory administrator has createdthe Zones container for you, click Browse and navigate to the appropriatelocation. The Setup Wizard will create a classStore object in the location you specify.

Any zones you create are placed in this container location by default.

The next three pages only apply if you are managing multiple platforms. For a Windows-only deployment, you can click Next to leave the following options unselected:
- Grant computer accounts in the Computers container permission to update their own account information.
- Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in.
- Activate profile property pages.
Review and confirm your configuration settings, click Next, then click Finish.

After you click Finish, the Access Manager console is displayed.

What to Do Next

Create at least one parent zone.

Where you can find additional information

If you want to learn more about the importance and benefits of using zones, see the following topics for additional information:

Access control for Windows computers
How zones organize access rights and roles
Identity and privilege management

Preparing to Use Zones

One of the most important aspects of managing computers with Delinea software is the ability to organize computers, users, and groups into zones. You use zones to create logical groupings for:

Managing access rights, role definitions, and role assignments.
Delegating administrative tasks based on a separation of duties.
Associating groups of computers and groups of users with specific role

assignments.

Controlling Access through Hierarchical Zones

Server Suite for Windows only supports hierarchical zones. Hierarchical zones enable you to establish parent-child zone relationships, allowing rights, role definitions, and role assignments to be inherited down the zone hierarchy. One of the first decisions you need to make is how you can use the zone hierarchy most effectively.

With hierarchical zones, you define rights and roles in a parent zone so that those definitions are available in one or more child zones, as needed. Child zones can also inherit user and group role assignments. At any point in the zone hierarchy, you can choose to use or override information from a parent zone.

There are no predefined limits to the number of zones that can be used in a zone hierarchy or the number of levels deep zones can be nested in the hierarchy you define. For practical purposes, keep the hierarchy similar to the following:

One or more top-level parent zones that includes all users and groups.
One to three levels of intermediate child zones based on natural access

control or administrative boundaries.

There are many different approaches you can take to defining the scope of a zone, including organizing by platform, department, manager, application, geographical location, or how a computer is used. The factors that are most likely to affect the zone design, however, will involve managing access rights and roles and delegating administrative tasks to the appropriate users and groups.

Managing Access Rights and Roles Using Zones

Zones enable you to grant specific rights to users in specific roles on specific computers. By assigning roles, you can control the scope of resources any particular group of users can access and what those users can do. For example, all of the computers in the finance department could be grouped into a single zone called “finance” and the members of that zone could be restricted to finance employees and senior managers, each with specific rights, such as permission to log on locally, access a database, update certain files, or generate reports.

Rights represent specific operations users are allowed to perform. A role is a collection of rights that can be defined in a parent or child zone and inherited. For example, a role defined in a parent zone can be used in a child zone, in a computer role, or at the computer level.

System and Predefined Rights

There are specialized login rights, called system rights. The system rights for Windows computers are:

Console login is allowed: Specifies that users are allowed to log on

locally using their Active Directory account credentials.
Remote login is allowed: Specifies that users are allowed to log on

remotely using their Active Directory account credentials.
PowerShell remote access is allowed: Specifies that users are allowed to

log on remotely to PowerShell.

There are additional predefined rights that allow access to specific applications. For example, there are predefined rights that allow users to run Performance Monitor or Server Manager without having an administrator’s password. You grant users permission to access computers by assigning them to a role that includes at least one login right. You can then give them access to specific applications or privileges using additional predefined or custom access rights.

Granting Permission to Log On

By default, zones always provide the Windows Login role to allow users to log on locally or remotely to computers in the zone. Users must have at least one role assignment that grants console or remote login access or they will not be allowed to access any of the computers in the zone.

The Windows Login role grants users the permission to log on whether they are authenticated by specifying a user name and password or by using a smart card and personal identification number (PIN).

Because the Windows Login role only allows users to log on, it is often assigned to users in a parent zone and inherited in child zones. However, the Window Login role does not override any native Windows security policies. For example, most domain users are not allowed to log on to domain controllers. Assigning users the Windows Login role does not grant them permission to log on to the domain controllers. Similarly, if users are required to be members of a specific Windows security group, such as Server Operators or Remote Desktop Users, to log on to specific computers, the native Windows security policies take precedence.

There are additional predefined roles that grant specific rights, such as the Rescue always permit login role that grants users the “rescue” right to log on if audit and monitoring service is required but not available. In general, at least one user should be assigned this role to ensure an administrator can log on if the audit and monitoring service service fails or a computer becomes unstable.

Delegating Administrative Tasks in Hierarchical Zones

You can use zones to delegate administrative tasks to specific users or groups. Using hierarchical zones, you can give separate groups of administrators the authority to manage a different sets of computers and users without granting them permission to perform actions on other computers, in other zones, or on other Active Directory objects. You can also use zones to establish a separation of duties so that only specific groups or users can perform certain tasks. For example, you can create a child zone for software-development and give the dev_mgrs group authority to manage rights and roles and manage role assignments on the computers in that zone.

By creating child zones and delegating administrative tasks within those zones, you can group computers that form a natural administrative set or that should be managed by different administrative teams. For example, you might want to group computers that are managed by a local support organization in one zone and computers that are managed by a corporate IT group in another zone. You can also control what different groups of users can do within each child zone. For example, you can set up regional zones to provide a separation of duties, authorizing users in San Francisco to manage computers in their local office while a team in Barcelona has authority to join computers to the zone and manage role assignments for offices located in Spain but does not have the authority to add users or groups.

Associating Computers and Role Assignments

You can use zones to associate a set of users with a particular role assignment to a particular set of computers. This association of a group of computers with a particular role assignment is called a computer role. For example, you might have several computers that are dedicated to a specific function, such as hosting Oracle databases, or to a functional area, such as payroll. Some groups of users who access these computers might require a specific set of rights. For example, the database administrators who access the computers hosting Oracle databases need different rights than users who are updating payroll records in the databases being hosted.

A computer role enables you to link the privileges associated with the database administrator role assignment, such as permission to backup and restore or create new tables, with the computers that host the Oracle databases. You can configure a separate computer role for the rights required by the users processing payroll on the same set of computers. The computer role creates the link between users with a specific role assignment, database administrator or payroll department, and the computers where that role assignment applies.

If you add an Oracle database server, you add it to the computer group. If new users are assigned the database administrator role, they automatically receive the appropriate access rights on the computers hosting Oracle databases.

You can also use computer roles to specify whether you want session-level auditing for a group of computers.

Creating a New Parent Zone

In most cases, you design a basic zone structure as part of the deployment process. After the initial deployment, you can create new hierarchical zones any time you have new administrative boundaries. For example, if you acquire another organization, add offices that are managed by a different group, or restructure the organization along different functional lines, you are likely to need new zones.

What to Do Before Creating a New Parent Zone

Before you can create parent zones, you must have installed Access Manager and run the Setup Wizard. You should also have a basic zone design that describes how you are organizing information, for example, whether you are using one top-level parent zone or more than one parent zone. There are no other prerequisites for performing this task.

Rights Required for this Task

Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. To create new zones, your user account must be a domain user with the following permissions:

Select this target object	To apply these permissions
Parent container for new zones, for example: domain/Delinea/Zones	On the Object tab, select Allow to apply the following permission to this object and all child objects: Create Container Objects Create Organizational Unit Objects. Note: Both permissions are required if you want to allow zones to be created as either container objects or organizational unit objects.
Parent container for Computers in the zone	On the Object tab, select Allow to apply the following permission to this object only: Create group objects Write Description property

If the Active Directory administrator manually sets the permissions required to create zones, you should verify that the account also has permission to add an authorization store, define rights and roles, and manage role assignments.

Who Should Perform this Task

A Windows domain administrator performs this task, depending on your organization’s policies. The user who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. In most organizations, this task is done using an account with domain administrator privileges.

How Often You Should Perform this Task

After you are fully deployed, you create new zones infrequently to address changes to your organization.

Steps for Completing this Task

The following instructions illustrate how to create a new parent zone using Access Manager. Examples of script that uses the Windows API are included in the Software Developer’s Kit or may be available in community forums on the Delinea website. For code examples using ADEdit, see the ADEdit Command Reference and Scripting Guide.

To create a new parent zone using Access Manager:

Open the Access Manager console.
In the console tree, select Zones and right-click, then click Create New Zone.
Type the zone name and, optionally, a longer description of the zone.

In most cases, you should use the default parent container and container type that you created when you configured the Active Directory forest, then click Next.

For zones that include Windows computers, you should always use the default zone type, which creates the new zone as a hierarchical zone.For Windows computers, only hierarchical zones are supported. The only reasons for changing the default other settings would be if you want to:
- Create a zone in a new location to separate administrative activity for different groups of administrators.
- Create a zone as an organizational unit because you want to assign a Group Policy Object to the zone.
In most cases, you'll want to leave the Skip permission delegationoption deselected. If you select this option, the service does not set thesecurity descriptor for the zone; you'll need to go in and set thatattribute yourself. Some organizations prefer to set security descriptorsmanually. Security descriptors include security information such as the object owner, who has access rights to the object, and so forth.
Review information about the zone you are creating, then click Finish.

What to Do Next

After you create a new parent zone, you might want to create its child zones.

Where you can find additional information

If you want to learn more about the importance and benefits of using zones, see the following topics for additional information:

How zones organize access rights and roles
Preparing to use zones

Creating Child Zones

For Windows, the primary reason for creating child zones is to inherit role definitions and role assignments from a parent zone. Less often, you might want to use a child zone to override role definitions and assignments that you have made in a parent zone. For example, if you have created a role definitions that allows a user to run a specific application with administrative privileges in a parent zone, you can use child zones to limit the scope of that right to specific subsets of computers.

What to Do Before Creating Child Zones

Before you create child zones, you must have installed Access Manager, run the Setup Wizard to create the Zones container, and created at least one parent zone. You should also have a basic zone design that describes the zone hierarchy for the child zone. There are no other prerequisites for performing this task.

Rights Required for this Task

Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. To create new child zones, your user account must be a domain user with the following permissions:

Select this target object	To apply these permissions
Container for the parent zones, for example if the parent zone is berlin: domain/MyOU/Zones/berlin	On the Object tab, select Allow to apply the following permission to this object and all child objects: Create Container Objects Create Organizational Unit Objects. Note: Both permissions are required if you want to allow zones to be created as either container objects or organizational unit objects.
Parent container for Computers in the zone	On the Object tab, select Allow to apply the following permission to this object only: Create group objects Write Description property These permissions are only needed if you are supporting “agentless” authentication in the new zone.

Who Should Perform this Task

A Windows administrator performs this task, depending on your organization’s policies. The user who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. In most organizations, this task is done using an account with domain administrator privileges.

How Often You Should Perform this Task

After you are fully deployed, you create new child zones infrequently to address changes to the scope of ownership and administrative tasks.

Steps for Completing this Task

The following instructions illustrate how to create a new child zone using Access Manager.

To create a new child zone using Access Manager:

Open the Access Manager console.
In the console tree, expand Zones and individual zones to select the parent zone for the new child zone.
Right-click, then click Create Child Zone.
Type the zone name and, optionally, a longer description of the zone.

Because this is a child zone, you should use the default parent container and container type, then click Next.
In most cases, you'll want to leave the Skip permission delegationoption deselected. If you select this option, the service does not set thesecurity descriptor for the zone; you'll need to go in and set thatattribute yourself. Some organizations prefer to set security descriptorsmanually. Security descriptors include security information such as the object owner, who has access rights to the object, and so forth.
Review information about the child zone, then click Finish.

Opening and Closing Zones

Because properties and objects are organized into zones, you must open a zone to work with its contents. If you open a parent zone, its child zones are also available for you to use by default. If you open a child zone, you can choose whether to open its parent zone. Once you open a zone, it stays open until you close it and you can have multiple zones and zone levels open at the same time. If you have a large number of zones, you should close any zones you aren’t actively working with for better performance.

As an alternative to opening individual or parent and child zones manually, you can automatically load all zones in a forest or all zones in a specific container at startup time. If you choose to load all zones, you cannot manually close zones.

To open an individual parent or child zone:

Open Access Manager.
In the console tree, select Zones and right-click, then click Open Zone.
Type all or part of the name of the zone you want to open, then click Find Now.
Select the zone to open from the list of results, then click OK. You can

use the CTRL and SHIFT keys to select multiple zones.

After you open the zones you want to work with, you should save your changes when you exit the Access Manager console, so that the open zones are displayed by default the next time you start the console.

To close an open zone:

Open Access Manager.
Expand the zone hierarchy until you can select the specific zone name you

want to close
Right-click, then click Close.
Click Yes to confirm that you want to close the zone.

To load all zones automatically:

Open Access Manager.
In the console tree, select Access Manager, right-click, then click Options.
On the Filter Settings tab, select Load all zones, then select connected forest to automatically load all zones in the forest or clickBrowse to navigate to specific container.

Selecting this option prevents you from opening or closing any zones manually. You should not select the Load all zones option if you want to manually open and close individual zones for performance reasons.

Changing Zone Properties

After you create a zone, you can change its zone properties at any time. For example, if you want to change the parent zone for a child zone, you can do so by modifying the child zone’s properties.

To change the properties for a zone:

Open Access Manager.
Expand Zones to display the list of zones, then expand the zone hierarchy until you see the zone you want to modify.
Select the zone, right-click, then click Properties.
On the General tab, you can view the location of the zone in Active Directory and the zone type.

From the General tab, you can make the following changes:
- Change the parent zone for a child zone.
- Modify the zone description.
- Select a specific Licenses container for the zone to use.
- Configure the access control list of permissions for the zone.
  
  For example, click Browse to find and select a new zone to use as the parent of a child zone, then click OK to save the new zoneproperties. For Windows computers, only the properties on the General tab are applicable.

Moving a Child Zone to a New Parent Zone

You can make an existing zone a child of another zone by dragging and dropping it from one zone to another or by changing the Parent zone field on the zone’s Properties General tab.

If a child zone inherits role assignments from its parent zone, the console displays a warning message and prevents you from moving the zone until you have removed the role assignments. If moving the zone creates a circular hierarchy, the console prevents you from moving the zone.

Delegating Control of Administrative Tasks

If you are the creator of a parent or child zone, you can use the Access Manager console to give other users and groups permission to perform specific types of administrative tasks within each zone you create. For example, assume you have created a zone called Finance. Certain users or groups who access computers in that zone must be able to perform administrative tasks on their own without your help. You want to give them the permissions they require to accomplish specific tasks without turning over full control to anyone except your most trusted administrative staff. Using Access Manager and the Zone Delegation Wizard, you select the appropriate groups and users for the Finance zone and specify exactly what each do. For example:

Members of the group Finance-ITStaff are allowed to perform All

administrative tasks within the Finance zone. They can change zone

properties, join and remove computers from the zone, define rights and

roles, and assign roles to users and groups. Only your most trusted

administrative staff are members of this group.
Members of the group FinanceManagers are allowed to join and remove

computers from the zone and assign roles to users and groups.
Members of the group FinanceUsers are allowed to add users, add groups, and

join computers to the zone, but perform no other tasks.
The users jason.ellison and noah.stone have permission to remove computers

from the zone.

In most cases, each zone should have at least one Active Directory group that can be delegated to perform all administrative tasks, so that members of that group can manage their own zone. You are not required to create or use a zone administrator group for every zone. However, assigning the management of each zone to a specific user or group creates a natural separation of duties for administrative tasks.

If you delegate control for individual tasks—for example, by assigning only the join computers task to one group and only the add and remove users tasks to another—you should ensure the members of each group know the tasks they are assigned.

You can delegate administrative tasks for parent zones, for child zones, and for individual computers. Because computer-level overrides are essentially single computer zones, you can assign administrative tasks to users and groups at the computer level.

To delegate which users and groups have control over the objects in a zone:

Open Access Manager.
Expand Zones to display the list of zones, then expand the zone hierarchy until you see the specific zone you want to modify.
Select the zone, right-click, then click Delegate Zone Control.
Click Add to find the users, groups, or computer accounts to which you want to delegate specific tasks.
Select the type of account—User, Group, or Computer—to search for, type all or part of the account name, then click Find Now.
Select one or more accounts from the list of results, then click OK.
Repeat Step 4 through Step 6 until you are finished adding users and groups to which you want to assign the same administrative tasks, then clickNext.
Select the tasks you want to delegate to the user or group, then click Next.

For example, if you want all of the members of the group you selected in the previous steps to be able perform all administrative tasks for a zone, select All.
If you are delegating the task of joining computers to a zone, you can specify the scope of computers you can join to the zone; you pick a container in Active Directory to grant access to.

If you leave the scope blank, the scope is the domain root. Be aware that the postalAddress field is used for information about joining computers to azone; if you lookup the permissions for people you've delegated the task ofjoining computers to a zone, they'll have permissions to the postalAddress field for the affected computers.
Review your delegation settings, then click Finish to close the wizard.

Granting the Authority to Perform All Administrative Tasks

Only the administrator who creates a zone has full control over the zone’s properties and only that administrator can delegate administrative tasks to other users. For each zone you create, you should identify at least one user or group that can be delegated to perform all administrative tasks. For example, if you have a Finance zone, you may want to create a Finance Admins group in Active Directory and then delegate All tasks to that group so that members of that group can manage the zone.

Although you are not required to create or use a zone administrator group for every zone, assigning the management of each zone to a specific user or group simplifies the delegation of administrative tasks.

If members of the designated administrative group must be able to create parent or child zones, they should be assigned the rights described in Creating a new parent zone and Creating child zones.

Restricting Authority to Specific Administrative Tasks

You can use the Zone Delegation Wizard to set up fine-grain control over the specific administrative tasks different sets of users or groups can perform. For example, you can choose to grant the Join Operators group permission to join computers to the zone and no other tasks. You can then specify another group is only allowed add and remove users. If you choose to use fine-grain control over specific administrative tasks, you should ensure the members of those groups know their restricted authority.

If you delegate administrative tasks to one or more groups that have members logged on, you should inform the group members that they should log out and log back on so that they can perform the administrative tasks assigned to the group.

Adding Windows Computers to a Zone

To use identity and privilege management features, a Windows computer must have the Agent for Windows installed, be joined to an Active Directory domain, and joined to a zone. Depending on your organization’s policies, you can either allow any authenticated user with a valid domain account to join a zone or require a domain administrator account to join a zone.

If you want to have individual users deploy the Agent for Windows on their own computers and join a zone without administrative rights, you can prepare the zone in advance and let users know which zone to join. If only domain administrators are allowed to join computers to zones, you should log on to computers with the Agent for Windows installed using an account that has appropriate administrative rights and provide a password.

Preparing Windows Computer Accounts

If joining a zone is restricted to privileged users, you may want to prepare a computer account in the zone before joining. By preparing the computer account before joining, users can add their computers to the zone without any special rights or permissions in Active Directory.

To prepare a Windows computer account using Access Manager:

Open Access Manager.
Expand Zones to display the list of zones, then expand the parent and child zone hierarchy until you see the specific zone to which you want to add the computer account.
Right-click, then click Prepare Windows Computer.
Click Find Now to search for and select the computer account to add to the selected zone.
Click OK to add the computer account to the Access Manager console in the zone’s Computers container.
A dialog box displays that asks if you want to skip permission delegation when creating the computer. In most cases, click No.

If you click Yes, the service does not set the security descriptor for the zone; you'll need to go in and set that attribute yourself. Someorganizations prefer to set security descriptors manually. Securitydescriptors include security information such as the object owner, who has access rights to the object, and so forth.

Changing the Zone for the Computer

You can move computer accounts from one zone to another at any time, if needed. Users who have administrative privileges can change the current zone on their local computer using the agent configuration panel. You can also change the zone information for a computer from Access Manager by changing its Active Directory properties or by dragging and dropping the computer from its current to a new zone.

To change the zone for a computer using Access Manager and Active Directory properties:

Open Access Manager.
Expand Zones to display the list of zones, then expand the zone

hierarchy until you see the specific zone you want to modify.
Expand Computers to display the list of computers in the zone.
Select the computer that you want to modify, then right-click and select

AD Properties.
Click the Windows Profile tab.
Click Browse and type all or part of the zone name, then click Find Now.
Select the new zone for the computer from the list of results, then click

OK.
If the computer has role assignments defined, Access Manager prevents you

from moving the computer until you remove the role assignments.

Leaving a Zone

You can remove a computer from a zone at any time. Users who have administrative privileges can leave the current zone on their local computer using the agent configuration panel. You can also remove the zone information for a computer from Access Manager by deleting the computer from its current zone. Leaving the zone does not remove the computer object from Active Directory.

To remove a computer from a zone using Access Manager:

Open Access Manager.
Expand Zones to display the list of zones, then expand the zone

hierarchy until you see the specific zone you want to modify.
Expand Computers to display the list of computers in the zone.
Select the computer that you want to remove from the zone, right-click, then

select Delete.
Click Yes to confirm the removal of the computer from the zone.

Renaming a Zone

You can rename a zone at any time. For example, if your organization changes how business units are aligned, moves to a new location, or merges with another organization, you might want to update zone names and descriptions to reflect these changes. You might also want to rename zones if your initial deployment did not use a naming convention for new zones, and you want to implement one after you have agents deployed.

What to Do Before Renaming a Zone

Before you rename zones, you might want to define and document a naming convention to use for future zones or the reasons for changing the zone name. You should also identify the computers in the zone to be renamed. You do not need to restart the agent on Windows computers for the new zone name to be recognized. However, you might need to perform other administrative tasks—such as changing role assignments—after renaming a zone. There are no other prerequisites for performing this task.

Rights Required for this Task

To rename a zone, your user account must be set with the following permissions:

Select this target object	To apply these permissions
Parent container for an individual zone For example, a ZoneName container object, such as: domain/Zones/arcade	Click the Properties tab and select Allow to apply the following properties to this object only: Write Description Write name Write Name These are the minimum permissions required to rename a zone and not allow a user or group to modify any other zone properties. You can set permissions manually, or automatically grant these and other permissions to specific users or groups by selecting the Change zone properties task in the Zone Delegation Wizard.

Select this target object

To apply these permissions

Parent container for an individual zone For example, a ZoneName container object, such as: domain/Zones/arcade

Click the Properties tab and select Allow to apply the following properties to this object only: Write Description Write name Write Name These are the minimum permissions required to rename a zone and not allow a user or group to modify any other zone properties. You can set permissions manually, or automatically grant these and other permissions to specific users or groups by selecting the Change zone properties task in the Zone Delegation Wizard.

Who Should Perform this Task

How Often You Should Perform this Task

After you are deployed, you rename zones only when you need to address organizational changes or to implement or improve the naming conventions you use.

Steps for Completing this Task

The following instructions illustrate how to rename a zone using Access Manager.

To rename a zone using Access Manager:

Open Access Manager.
Expand Zones to display the list of zones, then expand any child zones in the zone hierarchy until you see the specific zone you want to modify.
Select the zone to change, right-click, then click Rename.
Type the new name and, if needed, any changes to the zone description.

You do not have to restart any Agents on the computers in the zone you have renamed. Computers will remain joined to the zone even after changing the zone name.
Users who have administrative privileges can verify the updated zone name on their local computer using the agent configuration panel.

Working Directly with Managed Computers

When you deploy a Agent on a computer, that computer has tools installed locally to allow you to manage access, troubleshoot agent operations, and view information about roles and role assignments, and auditing status.

Depending on the rights associated with the role you are using, you can use the tools on the managed computer to open new desktops, run individual applications with elevated privileges, connect to services on remote computers, join or change the zone for a computer, set the level of detail to record in log files, generate diagnostic information for the agent, and view detailed information about your own or other users’ effective rights and roles.

Using the Agent Configuration

The Agent for Windows provides an agent configuration panel from which you can configure agent settings for the Privileged Access Service, Privilege Elevation Service, and Audit & Monitoring Service. If you have the appropriate privileges, you can use the agent configuration panel to select the zone for a computer to join, change the current zone, or remove a computer from a zone.

To use the agent configuration panel to select the zone for a local computer:

Log on to a computer where the Agent is deployed.
From the Windows Start menu, select Agent Configuration.
Click Privilege Elevation Service.
Click Settings.
On the General tab, click Change.
Click Browse, type all or part of the zone name, and click Find Now

to search for the zone.
Select the new zone in the search results, click OK, then click OK

to return General tab.
Click Close to return to the agent configuration panel.

You can also use the agent configuration panel to set logging level, view logs, and get diagnostic information about agent operations. For more information about using the agent configuration panel to configure logging and get diagnostic information, see Troubleshooting and common questions.

If you allow users to join their own computers to a zone, you should notify them of the zone to use and see that they have access to the User's Guide for Windows.

Working with Zone Role Workflow

You can enable zone role workflow in the Admin Portal so that your users can request access to systems in particular zones. Enabling zone role workflow requires having a Connector installed in the domain. For improved performance, you can also install the Client with the CSS Extension on the affected systems.

For details about how to enable zone role workflow, see Zone role workflow

Using Zone Role Workflow with the Connector

If you set up zone role workflow with just the Connector, be aware that there will be a delay between when the approver approves the request and when the user can access the affected systems. Although the Connector updates Active Directory immediately after the approver approves the request, a delay occurs because it can take some time to replicate the Active Directory information and also because the Agent reloads authorization information from Active Directory at specified intervals.

Using Zone Role Workflow with the Client

If you set up zone role workflow and also install the Client (so that you'll have installed both the Agent and the Client) and enable the CSS Extension on the Client, then there is no delay. Once the designated approvers approve the request, the user can access the specified system(s) immediately. The Client uses the client channel in the background to securely communicate with the Agent.

For deployments that have zone role workflow enabled for use with the Client, the affected systems must have Python 3.4 or later installed.