Starting Centrify Access Manager for the first time

The first time you start Access Manager, a Setup Wizard prepares the Active Directory forest with parent containers for licenses and zones. The Setup Wizard also sets the appropriate permissions on these objects. For example, all authenticated users are granted read access to the Licenses container by default. These steps are typically performed once by a domain administrator. If you prefer, you can create the container objects manually.

What to do before updating Active Directory

Before you use Access Manager for the first time, you should contact the Active Directory administrator to determine the appropriate location for the Licenses and Zones parent containers and whether you have the appropriate rights for completing this task. The specific administrative rights required for this task depend on the policies of your organization and who has permission to create classStore and parent and child container objects in Active Directory.

Rights required for this task

If you don’t have administrative rights to create container objects in Active Directory, a domain administrator in the forest root domain can manually create the container objects and set the rights on those objects to allow other users to complete the initial configuration without being members of an administrative group.

The following table describes the minimum rights that must be granted on manually created container objects for other users to successfully complete the configuration with the Setup Wizard.

Target object: Licenses container

  Requires these permissions, applied to this object only:

  • Read all properties
  • Create classStore objects
  • Modify permissions

  Requires these permissions, applied to this object and all child objects:

  • Write Description property
  • Write displayName property

  By default, all Authenticated Users have read and list contents permission for the Licenses container and all of its child objects.

Target object: Zones container

  Requires these permissions, applied to this object only:

  • Read all properties
  • Create classStore objects
  • Create Container objects

  Requires these permissions, applied to this object and all child objects:

  • Write displayName property

If you are a domain administrator and use the Setup Wizard to create the container objects, you should add a security group for Zone Administrators to Active Directory. Set the following permissions on the parent Zones container to allow other users to manage zones.

Target object: Zones container

  Requires these permissions, applied to this object only:

  • Read all properties
  • Create Container objects
  • Delete Container objects

  Requires these permissions, applied to this object and all child objects:

  • Write displayName property
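The Zone Administrators delegation listed above can also be applied as explicit access control entries from PowerShell. This is an added example, not Centrify's own tooling: the container DN and the group name are assumptions, and the mapping of the table's permission names to ActiveDirectoryRights values is this example's interpretation.

```powershell
# Added example: grant a Zone Administrators group the rights listed for the
# parent Zones container. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Assumptions: replace with the container location and group you actually use.
$zonesDn = 'CN=Zones,CN=Centrify,CN=Program Data,DC=example,DC=com'
$group   = Get-ADGroup -Identity 'Zone Administrators'
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve schema GUIDs from the forest schema instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$containerClass = Get-SchemaGuid 'container'
$displayNameAttr = Get-SchemaGuid 'displayName'

$ruleType = [System.DirectoryServices.ActiveDirectoryAccessRule]
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$scope    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # Read all properties: this object only
    $ruleType::new($sid, $rights::ReadProperty, $allow, $scope::None)
    # Create and delete Container objects: this object only
    $ruleType::new($sid, $rights'CreateChild, DeleteChild', $allow,
                   $containerClass, $scope::None)
    # Write displayName property: this object and all child objects
    $ruleType::new($sid, $rights::WriteProperty, $allow,
                   $displayNameAttr, $scope::All)
)

# Add the entries to the existing ACL so other delegations are preserved.
$path = "AD:\$zonesDn"
$acl  = Get-Acl -Path $path
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and list only the entries held by the group.
(Get-Acl -Path $path).Access |
    Where-Object { "$($_.IdentityReference)" -like "*\$($group.SamAccountName)" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
```

Reviewing the final table against the documented rights confirms that the group received no broader access than the three entries intended.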

Who should perform this task

Depending on your organization’s policies, a Windows Active Directory administrator performs this task either by running the Setup Wizard or by manually creating the container objects and notifying another user of their location. The user who runs the Setup Wizard must be granted the rights required to create classStore objects.

How often you should perform this task

In most organizations, you only do this once for an Active Directory forest. However, if you want to create more than one administrative boundary, you can create additional parent containers as needed.

Steps for completing this task

The following instructions illustrate how to run the Setup Wizard from Access Manager.

To update Active Directory using Access Manager:

  1. Open Access Manager.
  2. At the Welcome page, click Next.
  3. Select Use currently connected user credentials to use your current logon account, or select Specify alternate user credentials and type a user name and password, then click Next.
  4. Select a location for installing license keys in Active Directory, then click Next.

    The default container for license keys is domain_name/Program Data/Centrify/Licenses. To create or select a container object in a different location, click Browse. If an Active Directory administrator has created the Licenses container for you, click Browse and navigate to the appropriate location. The Setup Wizard will create a classStore object in the location you specify.

    You can create additional containers in other locations later using the Manage Licenses dialog box.

  5. Review the permission requirements for the container, then click Yes to confirm your selection.

  6. Type or copy and paste the license key you received, then click Add.

    If you received multiple license keys, add each key to the list of installed licenses, then click Next. If you received license keys in a text file, click Import to import the keys directly from the file instead of adding the keys individually, then click Next.

  7. Select Create default zone container and specify a location for the Zones container, then click Next.

    The default container location for zones is domain_name/Program Data/Centrify/Zones. To create or select a container object in a different location, click Browse. If an Active Directory administrator has created the Zones container for you, click Browse and navigate to the appropriate location. The Setup Wizard will create a classStore object in the location you specify.

    Any zones you create are placed in this container location by default.

    The next three pages only apply if you are managing multiple platforms. For a Windows‑only deployment, you can click Next to leave the following options unselected:

    • Grant computer accounts in the Computers container permission to update their own account information.
    • Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in.
    • Activate Centrify profile property pages.
  8. Review and confirm your configuration settings, click Next, then click Finish.

After you click Finish, the Access Manager console is displayed.

What to do next

Create at least one parent zone.

Where you can find additional information

If you want to learn more about the importance and benefits of using zones, see the following topics for additional information: