Changing Zone Properties

After you create a zone, you can change its zone properties at any time. For example, if you want to change the parent zone for a child zone, you can do so by modifying the child zone’s properties. Depending on whether you are viewing a classic, hierarchical, or SFU zone and the components you have installed, you might see and be able to set different zone properties.

To display the properties for a zone:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties.

    If the zone you have selected is a hierarchical zone, the properties are organized on the following tabs.

    Tab             Description
    General         View and set general information about the selected zone, including the location of the zone in Active Directory, the zone type, and the zone description. For additional details about general properties, see the following topics:
                      Changing the zone description
                      Changing the parent zone or location of a zone
                      Setting the master domain controller for a zone
                      Selecting a license container for a zone
                      Adding support for agentless clients
                      Setting custom permissions for a zone
    Platform        View and set the identity platform instance to use for the selected zone. For additional details about setting identity platform properties, see Selecting an identity platform instance for a zone.
    User Defaults   Set default values for user profile attributes in the selected zone. For additional details about user default properties, see Setting user defaults.
    Group Defaults  Set default values for group profile attributes in the selected zone. For additional details about group default properties, see Setting group defaults.
    Variables       Add or edit user-defined variables or override the default values of predefined variables in the selected zone. For additional details about zone variables, see Configuring variables for a zone.
    Provisioning    Configure automated provisioning for user and group profiles. This tab is displayed only if the Zone Provisioning Agent is installed on the local computer. For additional details about provisioning properties, see Configuring automated provisioning; for detailed information about configuring automated provisioning, see the Planning and Deployment Guide.

Changing the zone description

You can set or change the optional description for a zone at any time. For example, if you didn’t specify a description when you created the zone or if there have been changes in your organization that warrant a change in the description of a zone, you can modify the Description field to make the change.

To change the zone description

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties to display the General tab.

  4. Type a description for the zone in the Description field, then click OK.

Changing the parent zone or location of a zone

From Access Manager, you can make any existing hierarchical zone the child of another zone or make any child zone a new parent zone by dragging and dropping the zone into a new location or by changing the Parent zone field on the zone’s General properties tab.

Selecting the default location when moving a zone

If you make changes to the zone hierarchy, Access Manager prompts you to specify the new Active Directory location for the zone. In most cases, you should accept the default location for the zone you are moving. The default Active Directory location will be either:

  • The new parent zone container if you are moving a child zone from one parent to another or if you are moving a parent zone to become a child zone.

  • The default Zones container you created the first time you started Access Manager if you are making a child zone a new top-level parent zone.

You are not required to accept the default Active Directory location when changing the zone hierarchy. If you select a different Active Directory location for the zone, however, you should note the location and whether the zone you are moving is now a parent or a child zone. If the zone structure displayed in Access Manager is different from the zone container structure you are using in Active Directory, you might find unexpected problems with inheritance and overrides, with modifying zone properties, or with deleting zones.

Moving a zone without changing its Active Directory location

When you are prompted to specify the Active Directory location for a zone you are moving, you have the option to select No and leave the current Active Directory location unchanged. If you change the parent zone without changing the Active Directory location for a zone, you should note that the location does not reflect the zone hierarchy. In rare cases, you might find it useful to leave the Active Directory location unchanged but doing so might make it more difficult to locate the zone object at a later time.
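The two preceding paragraphs warn that a zone hierarchy in Access Manager that no longer matches the container structure in Active Directory causes problems with inheritance, overrides, and deletion. The following is an added example (not Centrify code) that audits an inventory of zones for exactly that drift: a child zone whose object is not stored under its parent zone's container, or a top-level zone that is not under the default Zones container. The zone records, their distinguished names, and the way the parent zone name is supplied are constructed for the example; in practice you would fill them from your own LDAP query or Access Manager export.

```python
"""Check that the Access Manager zone hierarchy matches where the zone
objects actually live in Active Directory (added example, not Centrify
code; the zone records and DNs below are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str
    dn: str                 # distinguishedName of the zone container object
    parent: Optional[str]   # parent zone name, or None for a top-level zone


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def is_under(child_dn: str, container_dn: str) -> bool:
    """True if child_dn lies strictly below container_dn (case-insensitive)."""
    child = [r.casefold() for r in split_dn(child_dn)]
    cont = [r.casefold() for r in split_dn(container_dn)]
    return len(child) > len(cont) and child[-len(cont):] == cont


def find_misplaced_zones(zones: List[Zone], zones_container: str) -> List[Tuple[str, str]]:
    """Report zones whose AD location does not follow the default placement:
    a child zone under its parent's container, a top-level zone under the
    default Zones container. Each hit is (zone name, reason)."""
    by_name: Dict[str, Zone] = {z.name: z for z in zones}
    problems: List[Tuple[str, str]] = []
    for z in zones:
        if z.parent is None:
            if not is_under(z.dn, zones_container):
                problems.append((z.name, f"top-level zone not under {zones_container}"))
            continue
        parent = by_name.get(z.parent)
        if parent is None:
            problems.append((z.name, f"parent zone {z.parent!r} not found"))
        elif not is_under(z.dn, parent.dn):
            problems.append((z.name, f"child of {parent.name} but stored outside {parent.dn}"))
    return problems


# Constructed inventory: "Audit" was moved under Finance with "No" (AD location
# unchanged) and "Lab" was created in a custom OU instead of the Zones container.
ZONES_CONTAINER = "CN=Zones,CN=Centrify,CN=Program Data,DC=example,DC=com"
SAMPLE_ZONES = [
    Zone("Global", "CN=Global," + ZONES_CONTAINER, None),
    Zone("Finance", "CN=Finance,CN=Global," + ZONES_CONTAINER, "Global"),
    Zone("Audit", "CN=Audit," + ZONES_CONTAINER, "Finance"),
    Zone("Lab", "CN=Lab,OU=Labs,DC=example,DC=com", None),
]

if __name__ == "__main__":
    for name, reason in find_misplaced_zones(SAMPLE_ZONES, ZONES_CONTAINER):
        print(f"{name}: {reason}")
```

A hit from this check is not necessarily an error, since you are allowed to choose a non-default location, but each one is a zone whose object you will have to find by hand later, so record the reason next to the zone in your own documentation.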

Restarting the agent after moving a zone

If you change the location for a zone in Active Directory, you must restart the Centrify Agent for *NIX on the computers in that zone so that they recognize the new zone location.

After you move the ZoneName object to a new parent container or organizational unit, run the following command to restart the Centrify Agent for *NIX on the computers in the zone:

/usr/share/centrifydc/bin/centrifydc restart

To move a zone to a new parent by changing properties

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties to display the General tab.

  4. For the Parent zone field, click Browse to find and select the zone to use as the parent, then click OK.

  5. Click OK to save the new zone properties.

  6. In the Move Zone dialog, verify the location selected for the Yes, move to option to accept the default location, then click OK.

    In rare cases, you might want to click Browse to select a different Active Directory location for the zone you are moving, or select No, then click OK to keep the zone in its original location.

Setting the master domain controller for a zone

In most cases, computers connect to the first available Active Directory domain controller and it is not necessary to specify the master domain controller to use for a zone. In some cases, however, you might want to identify a specific domain controller for a zone so that administrators connected through other domain controllers cannot add or remove users and groups in that zone.

To prevent changes through other domain controllers, you can set the Master domain controller field to the fully-qualified name of the domain controller you want to use. After you identify a master domain controller, administrators who connect to the zone using any other domain controller will not be able to make changes to the zone.

If you have multiple administrators managing any zones, you should notify them before setting or changing the master domain controller. You should also make this change while all other administrators are logged off. Depending on how long it takes for replication to complete for all of the domain controllers in the Active Directory forest, you might want to schedule this change for a time when no administrators need access to zone information.

To change the master domain controller

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to change the master domain controller.

    You can use Shift-Click or Ctrl-Click to select multiple zone names.

  3. Right-click, then click Change Master Domain Controller.

  4. Type the fully-qualified domain name for the new domain controller, then click OK.

  5. Click Yes to confirm that you want to change the master domain controller for the zone.

You should avoid changing from one master domain controller to another, if possible. Changing the master domain controller requires you to wait for replication to complete to see up-to-date zone information or modify information in the selected zone. In some cases, however, changing the master domain controller might be unavoidable. For example, if there are zones connecting to a master domain controller that has a hardware failure or must be taken offline for maintenance, you will need to configure a new master domain controller for the zones to use.

If you change the master domain controller, you should run the Analyze command afterwards to check the Active Directory forest and verify that no duplicate UIDs or GIDs have been introduced.
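Access Manager's Analyze command is the authoritative forest-wide check for duplicate UIDs and GIDs. The following added example (not Centrify code) is the per-zone spot check a practitioner might run from a joined host after replication settles: it parses passwd-format and group-format lines and reports any numeric ID owned by more than one profile. The sample lines are constructed, and the assumption that `adquery user` and `adquery group` print these colon-separated formats should be confirmed against your agent's documentation before you feed their output in.

```python
"""Spot-check for duplicate UIDs and GIDs among a zone's resolved profiles.
Added example, not Centrify code. Input is passwd-format and group-format
text; the lines below are constructed, not captured from a real host."""
from collections import defaultdict
from typing import Dict, List

SAMPLE_PASSWD = """\
alice:x:1000001:1000000:Alice Adams:/home/alice:/bin/bash
bob:x:1000002:1000000:Bob Brown:/home/bob:/bin/bash
carol:x:1000001:1000000:Carol Chen:/home/carol:/bin/sh
"""

SAMPLE_GROUP = """\
unixusers:x:1000000:alice,bob,carol
dba:x:1000010:bob
ops:x:1000010:alice
"""


def find_duplicate_ids(lines: str, id_field: int = 2) -> Dict[int, List[str]]:
    """Map each numeric id used by more than one entry to the names using it.
    Field 2 is the UID in passwd format and the GID in group format."""
    owners: Dict[int, List[str]] = defaultdict(list)
    for raw in lines.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) <= id_field:
            continue                      # malformed line, skip rather than crash
        try:
            ident = int(fields[id_field])
        except ValueError:
            continue                      # non-numeric id field, skip
        owners[ident].append(fields[0])
    return {i: names for i, names in owners.items() if len(names) > 1}


def report(passwd_text: str, group_text: str) -> List[str]:
    """Human-readable findings, UIDs first then GIDs, in ascending id order."""
    findings: List[str] = []
    for uid, names in sorted(find_duplicate_ids(passwd_text).items()):
        findings.append(f"UID {uid} shared by {', '.join(names)}")
    for gid, names in sorted(find_duplicate_ids(group_text).items()):
        findings.append(f"GID {gid} shared by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    # On a joined host you could replace the samples with, for example,
    #   subprocess.run(["adquery", "user"], capture_output=True, text=True).stdout
    # (assumed output format; verify against your agent's documentation).
    for finding in report(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```

Run it on a host in each zone that used the old master domain controller; an empty report from every zone, together with a clean Analyze run, is the confirmation you want before letting administrators resume changes.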

Selecting a license container for a zone

By default, zones are configured to use any available license container in the forest. In most cases, the container used is the default Licenses container you created the first time you started Access Manager. If you have more than one Licenses container, you might want to select a specific license container for a set of computers in one zone and a different license container for a set of computers in another zone. For example, you might want to select separate Licenses containers for the zones associated with two different business units.

To use a specific license container for a zone, select it from the list in the License container field or type the path to the container object.

To use a specific license container for a zone

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties to display the General tab.

  4. Select a specific license container from the list of available License containers, then click OK.

For more information about license keys and using multiple license containers, see the License Management Administrator’s Guide.

Adding support for agentless clients

If you are using the Centrify Network Information Service (adnisd) on a managed computer to respond to NIS client requests from computers where the Centrify Agent cannot be installed, you can configure one or more zones to act as the NIS domain for those client requests. Enabling this option stores a password hash for each zone user in the Active Directory attribute you select, and adnisd serves that hash to NIS clients of the zone, so enable it only in zones that actually serve agentless clients, treat read access to the selected attribute as sensitive, and restrict which hosts may query adnisd as described in the Network Information Service Administrator’s Guide.

To add support for agentless NIS clients in a zone

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties to display the General tab.

  4. Select the Support agentless client option.

  5. Select the Active Directory attribute you want to use to store the password hash and verify the zone name is the NIS domain name you want to use or type a new name, then click OK.

For more information about installing and using the Centrify Network Information Service (adnisd) to respond to NIS client requests and configuring agentless clients, see the Network Information Service Administrator’s Guide.

Setting custom permissions for a zone

For convenience, you can access Permissions for a zone directly from the zone properties General tab. You can then allow or deny basic permissions—such as Read and Write permissions—to specific users and groups or click Advanced to set more granular permissions on a zone.

Selecting an identity platform instance for a zone

In most cases, the identity platform instance property is set automatically when you register a connector for Privileged Access Service. If you have access to more than one identity platform instance (for example, if you have more than one customer identifier), you can select the URL for a specific instance from the zone properties.

To select an identity platform instance for a zone

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties.

  4. Click the Platform tab.

  5. Verify the identity platform instance URL is the customer-specific URL you want to use, or click Browse to select the URL for a different customer-specific identity platform instance.

    Child zones inherit the identity platform instance property from their parent zone. If you are viewing properties for a child zone, you can select Override trusted identity platform instance, then click Browse to select a different identity platform instance for the child zone.

    For details about installing and configuring a connector, see "Preparing to use multi-factor authentication."

  6. Click OK to confirm the identity platform instance selected.

Configuring default values for a zone

You can configure default settings for user and group profiles that are added to the zone. The user and group defaults you configure can include predefined variables that populate the user or group profile by using Active Directory attributes or settings configured on individual managed computers.

By specifying user default and group default settings, you can simplify the process of adding user and group profiles to child zones. For example, you can define a default user profile that uses the sAMAccountName attribute for a user’s UNIX login name. All users who are added to the zone are then automatically assigned a UNIX login name based on their sAMAccountName. If you define the default attributes in a parent zone, they can also be inherited in all of the child zones under that parent and only overridden where other values are explicitly required.

Setting user defaults

When you create a zone, it includes a default set of user profile attributes. In most cases, there’s no need to modify any of the default settings unless you want to define partial profiles in a parent zone that will be manually completed in child zones. For example, the default setting for the numeric user identifier (UID) is an automatically generated UID based on the user’s globally unique security identifier (SID). This setting ensures all users who are added to the zone are assigned a unique UID for the entire forest.

If you define a default value for any user profile attribute, that value is used to populate the user profile displayed when you add users to the selected zone. When you add a user to the zone, you can accept the default profile attributes or override any of the default attributes displayed.

To view or modify the default user profile in a zone

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties.

  4. Click the User Defaults tab.

  5. Review the default settings and modify any of the defaults, if needed.

    For most organizations, the default settings are appropriate. For example, the Active Directory sAMAccountName attribute most closely resembles the most common format for the UNIX login name, and an automatically generated UID ensures that all new users have a unique UID in the forest. For more information about the attribute fields or the default values, press F1 to view the context-sensitive help.

  6. Click OK.

For more information about using default values, see Creating user profiles for Active Directory users. For more information about using predefined or custom variables in user profiles, see Setting runtime variables in user profiles.

Setting group defaults

When you create a zone, it includes a default set of group profile attributes. In most cases, there’s no need to modify the default settings for groups unless you are manually assigning numeric group identifiers (GIDs) or using the Apple algorithm for generating the GID.

If you define a default value for a group attribute, that value is used to populate the group profile displayed when you add groups to the selected zone. When you add a group to the zone, you can accept the default profile attributes or override any of the default attributes displayed.

To view or modify the default group profile in a zone

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties.

  4. Click the Group Defaults tab.

  5. Review the default settings and modify any of the defaults, if needed.

    For most organizations, the default settings are appropriate. For example, the Active Directory sAMAccountName attribute most closely resembles the most common format for the group name, and an automatically generated GID ensures that all new groups have a unique GID in the forest. For more information about the attribute fields or the default values, press F1 to view the context-sensitive help.

  6. Click OK.

For more information about using default values, see Creating group profiles for Active Directory groups. For more information about using predefined or custom variables in user profiles, see Setting runtime variables in user profiles.

Configuring variables for a zone

Predefined and custom variables enable you to generate user profiles and group profiles using Active Directory properties or properties defined on managed computers.

You can add custom runtime variables, or override the definition for predefined variables, in a zone by modifying the zone properties. Runtime variables are resolved by the agent when a computer joins a zone. The default user profile settings use predefined runtime variables in place of specific values for the GECOS, Home directory, and Shell attributes.

Zone variables and their definitions are inherited down the zone hierarchy, and can be overridden in a child zone or on individual computers. You can also use configuration parameters to control the value for any variables locally on particular computers. If a value is set in the configuration file, it overrides any values that you set for the zone.

Adding a custom runtime variable

In most cases, you don’t need to add custom variables to a zone. However, if you have modified the Active Directory schema or want to use custom attributes in user or group profiles, you can add custom variables to the zone to accommodate your changes.

To add a custom variable to a zone

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties.

  4. Click the Variables tab.

  5. Click Add.

  6. Type a variable name and a value, then click OK.

    For example, you might want to define a custom variable named gecos and set its value to a static string, such as Engineering-Nova Scotia-Q22, for a zone.

    Similarly, you might want to add custom variables for different operating systems you support, such as mac-home or aix-shell, for a zone that includes computers with different operating systems. For example, if a zone includes Linux, AIX, and Mac OS X computers, you might have a default profile that uses the predefined variables, but a subset of accounts that use the mac-home or aix-shell custom variables.

  7. Click OK to save the properties.

Modifying predefined variable values

In most cases, you don’t need to override predefined variable values for a zone. However, if you have created different zones for different operating systems, you might find it useful to modify predefined variable values for those zones to address different operating system requirements.

To modify a predefined variable value in a zone

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones, as required, to locate and select the zone name for which you want to display properties.

  3. Right-click, then click Properties.

  4. Click the Variables tab.

  5. Click Add.

  6. Type the name of a predefined variable and a value, then click OK.

    For example, you might want to change the predefined variable named home and set its value to an appropriate home directory for the zone, such as /export/home for a zone where all of the computers are Solaris computers, or /Users for a zone with only Mac OS X computers. Similarly, you might want to change the predefined variable shell to set its value to /usr/bin/ksh for a zone with IBM AIX computers.

  7. Click OK to save the properties.

Editing or removing variables

After you have added custom variables or modified predefined variable values in a zone, you can later select those variables to edit or remove them.
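The variable sections above describe a precedence order (predefined default, overridden by a zone, overridden again by a child zone, with a value in the agent's local configuration file winning over all of them) but never show it applied end to end. The following added example (not Centrify code) implements that resolution for a user profile: a parent zone that relies on the predefined values, a child zone of Mac OS X computers that overrides home, and a hypothetical local configuration override for the shell on an AIX host. The %{name} and %{u:attribute} template syntax, the default values in PREDEFINED, and the local-config dictionary are assumptions made for the example; confirm the real syntax and parameter names against your agent's reference before relying on them.

```python
"""Resolve zone runtime variables with the precedence the text describes:
predefined default < parent zone < child zone < local agent configuration.
Added example, not Centrify code. The %{name} / %{u:attribute} syntax, the
PREDEFINED defaults and the local-config override are assumptions."""
import re
from typing import Dict, List, Optional

# Stand-ins for the predefined variables (assumed default values).
PREDEFINED: Dict[str, str] = {
    "home": "/home",
    "shell": "/bin/bash",
    "gecos": "%{u:displayName}",
}
VAR_RE = re.compile(r"%\{([A-Za-z0-9_:]+)\}")


def effective_variables(zone_chain: List[Dict[str, str]],
                        local_config: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """zone_chain runs from the top-level parent down to the computer's own zone;
    each later zone overrides its parent, and the local config overrides all zones."""
    merged = dict(PREDEFINED)
    for zone_vars in zone_chain:
        merged.update(zone_vars)
    merged.update(local_config or {})
    return merged


def expand(template: str, variables: Dict[str, str],
           user_attrs: Dict[str, str], max_rounds: int = 8) -> str:
    """Expand %{var} and %{u:attr} references, repeating while a substituted
    value itself contains references; refuse to loop forever on a cycle."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name.startswith("u:"):          # Active Directory attribute of the user
            return user_attrs.get(name[2:], "")
        if name == "user":                  # UNIX login name, taken from sAMAccountName
            return user_attrs.get("sAMAccountName", "")
        if name in variables:
            return variables[name]
        raise KeyError(f"undefined variable {name!r}")

    current = template
    for _ in range(max_rounds):
        nxt = VAR_RE.sub(substitute, current)
        if nxt == current:
            return current
        current = nxt
    raise ValueError(f"expansion of {template!r} did not converge (cyclic definition?)")


def resolve_profile(zone_chain: List[Dict[str, str]],
                    local_config: Optional[Dict[str, str]] = None,
                    user_attrs: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Produce the home directory, shell and GECOS fields for one user."""
    user = user_attrs or SAMPLE_USER
    variables = effective_variables(zone_chain, local_config)
    return {
        "home": expand("%{home}/%{user}", variables, user),
        "shell": expand("%{shell}", variables, user),
        "gecos": expand("%{gecos}", variables, user),
    }


# Constructed inputs.
SAMPLE_USER = {"sAMAccountName": "alice", "displayName": "Alice Adams"}
PARENT_ZONE: Dict[str, str] = {}               # relies on the predefined values
MAC_CHILD_ZONE = {"home": "/Users"}            # override in a child zone of Mac OS X computers
AIX_LOCAL_CONFIG = {"shell": "/usr/bin/ksh"}   # hypothetical local configuration override

if __name__ == "__main__":
    print(resolve_profile([PARENT_ZONE]))
    print(resolve_profile([PARENT_ZONE, MAC_CHILD_ZONE]))
    print(resolve_profile([PARENT_ZONE, MAC_CHILD_ZONE], AIX_LOCAL_CONFIG))
```

The convergence limit matters in practice: a custom variable that refers to itself through another variable would otherwise expand without end, and the resolver raising an error is the behaviour you want to notice before a profile with an empty or garbage home directory reaches a host.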

Configuring automated provisioning

The Centrify Zone Provisioning Agent is a separate service that enables automated provisioning and de-provisioning of user and group accounts on a zone-by-zone basis. You can configure the Zone Provisioning Agent to monitor specific Active Directory groups for a zone. If you add or remove Active Directory users or groups in the monitored groups, the Zone Provisioning Agent automatically adds or removes the corresponding user or group profiles in the zone. If you have the Centrify Zone Provisioning Agent installed, you can use the zone properties Provisioning tab to do the following:

  • Enable provisioning for users, groups, or both.

  • Specify the Active Directory group to base provisioning on.

  • Select the method for automatically generating profile attributes for users, groups, or both.

For more detailed information about automated provisioning and using the Zone Provisioning Agent, see the Planning and Deployment Guide. For more information about the attribute fields or the options for generating profile attributes, press F1 to view the context-sensitive help.