Using Centrify application utility rights

This section describes how you can manage user access to Windows programs and features using Centrify application utility rights.

There are many common administrative tasks such as managing software installations, changing network settings, and adding or removing Windows features that require access to the explorer.exe application on Windows systems. Because granting users privileged access to explorer.exe can allow the user to perform many other tasks that you may want to remain restricted, you can use the Centrify application utilities, Application Manager, Network Manager and Windows Feature Manager, to grant access to these tasks using the corresponding predefined rights.

When you create a new zone, the Centrify utility rights are automatically added to the list of Windows Right Definitions. However, in zones that existed before the addition of these utility rights, you may need to add them by following the procedure below.

To add the Centrify Utilities to the list of Windows Right Definitions

  1. Right click Windows Right Definitions and select Add predefined rights.

    Windows Right Definitions can be found in the following location:

    The application rights can be found in the following location:

    Access Manager > Zones > Zone Name > Authorization > Windows Right Definitions

  2. Select the rights you would like to add and click OK.

    The rights will now appear under Applications.

It is important to note that if you do not install the Centrify agent for Windows in the default location during the installation or upgrade process, users who are assigned these rights may not be able to access the corresponding applications. If you have installed the agent in a location other than the default location, you can specify a variable in the application right settings to allow them to be used by assigned users by doing the following:

To specify the application right path

  1. Right click on the application right and select Properties.

    The application rights can be found in the following location:

    Access Manager > Zones > Zone Name > Authorization > Windows Right Definitions > Applications.

  2. Click the Match Criteria tab, and then click Edit.

  3. Check the Path box in the Commands components section, and select Specific path.

  4. In the Specific path field, enter the following variable: %winagentinstall%

Do this for each of the Centrify Utility application rights.

Application Manager

Application Manager is a Centrify utility that allows a user to manage installed software. Application Manager is similar to the Windows utility Programs and Features. It can allow users who are assigned a role with the Centrify Utility - Application Manager right to Refresh, Uninstall, Change, or Repair installed software.

Windows Feature Manager

When you assign workstation users a role with the predefined right Centrify Utility - Windows Feature Manager, they will be able to access the normal Windows Feature Manager, where they can choose what Windows features to add or remove.

When you assign server users a role with this right, the Centrify Windows Feature Manager will launch. This utility is similar to the normal Windows utility, with a few notable differences.

Opening the Centrify utility will launch a wizard. When you select whether to add or remove roles and features on the first screen of the wizard, you can only perform one action at a time. For example, if you choose Add roles and features, you will not be able remove any installed features until you go back to the initial screen and choose Remove roles and features.

Additionally, when you attempt to install features that require the installation of dependent components, you will be prompted to add those features. All features with one or more components installed will appear with a check mark next to the name.

Network Manager

When you assign users a role with the predefined right Centrify Utility - Network Manager, they will be able to access the Centrify version of Network Manager that is similar to the Windows version.

Users assigned a role with this right can view a list of network adapters for Ethernet and wireless connections and configure their IP and DNS settings.