Creating child zones

For Windows, the primary reason for creating child zones is to inherit role definitions and role assignments from a parent zone. Less often, you might want to use a child zone to override role definitions and assignments that you have made in a parent zone. For example, if you have created a role definition in a parent zone that allows a user to run a specific application with administrative privileges, you can use child zones to limit the scope of that right to specific subsets of computers.

What to do before creating child zones

Before you create child zones, you must have installed Access Manager, run the Setup Wizard to create the Zones container, and created at least one parent zone. You should also have a basic zone design that describes the zone hierarchy for the child zone. There are no other prerequisites for performing this task.

Rights required for this task

Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. To create new child zones, your user account must be a domain user with the following permissions:

Target object:   The container for the parent zone (for example, the berlin zone container if the parent zone is berlin)
Permissions:     On the Object tab, select Allow to apply the following permissions to this object and all child objects:

  • Create Container Objects
  • Create Organizational Unit Objects

  Note:   Both permissions are required if you want to allow zones to be created as either container objects or organizational unit objects.

Target object:   The parent container for Computers in the zone
Permissions:     On the Object tab, select Allow to apply the following permissions to this object only:

  • Create group objects
  • Write Description property

  These permissions are only needed if you are supporting “agentless” authentication in the new zone.

Note:   If the Active Directory administrator manually sets the permissions required to create zones, you should verify that the account also has permission to add an authorization store, define rights and roles, and manage role assignments.
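The following PowerShell script is an added example and is not part of the Access Manager documentation or the product's own tooling. It grants a delegated group the Active Directory permissions listed above with the Microsoft ActiveDirectory module, then reads the DACLs back so you can confirm the access control entries are present before the delegate runs the Create Child Zone wizard. The group name and the distinguished names of the zone container and the Computers parent container are placeholders; substitute the values from your own zone design. The schemaIDGUID values are the fixed identifiers of the container, organizationalUnit and group classes and of the description attribute in the AD schema.

```powershell
# Added example (not from the Access Manager documentation): grant and verify the
# permissions needed to create child zones. Names and DNs below are placeholders.
Import-Module ActiveDirectory

$Delegate          = 'CONTOSO\ZoneCreators'                                              # assumed delegated group
$ZoneContainerDN   = 'CN=berlin,CN=Zones,CN=Centrify,CN=Program Data,DC=contoso,DC=com' # assumed DN of the parent zone container
$ComputersParentDN = 'OU=Computers,OU=berlin,DC=contoso,DC=com'                        # assumed parent container for zone computers

# schemaIDGUID values of the object classes and attribute involved (fixed in the AD schema)
$ContainerClass  = [guid]'bf967a8b-0de6-11d0-a285-00aa003049e2'   # container
$OrgUnitClass    = [guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'   # organizationalUnit
$GroupClass      = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group
$DescriptionAttr = [guid]'bf967950-0de6-11d0-a285-00aa003049e2'   # description

$sid = ([System.Security.Principal.NTAccount]$Delegate).Translate([System.Security.Principal.SecurityIdentifier])

$allow             = [System.Security.AccessControl.AccessControlType]::Allow
$onThisAndChildren = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # "this object and all child objects"
$onThisOnly        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None  # "this object only"
$createChild       = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$writeProperty     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Append the given ACEs to the DACL of the object at $Dn.
function Add-ZoneAces {
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Return $true when an explicit Allow ACE for $sid grants $Right on $ObjectType
# (or on all object types) at $Dn. Group membership is not resolved here.
function Test-ZoneAce {
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectType)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($aceSid -ne $sid.Value) { continue }
        if (($ace.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
        if ($ace.ObjectType -eq $ObjectType -or $ace.ObjectType -eq [guid]::Empty) { return $true }
    }
    return $false
}

# Parent zone container: Create Container Objects and Create Organizational Unit Objects,
# applied to this object and all child objects.
Add-ZoneAces -Dn $ZoneContainerDN -Rules @(
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $createChild, $allow, $ContainerClass, $onThisAndChildren)),
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $createChild, $allow, $OrgUnitClass,   $onThisAndChildren))
)

# Parent container for Computers: Create group objects and Write Description, this object only.
# Only required when the new zone will support "agentless" authentication.
Add-ZoneAces -Dn $ComputersParentDN -Rules @(
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $createChild,   $allow, $GroupClass,      $onThisOnly)),
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $writeProperty, $allow, $DescriptionAttr, $onThisOnly))
)

# Read back: each line should print True before the delegate creates the child zone.
Test-ZoneAce -Dn $ZoneContainerDN   -Right $createChild   -ObjectType $ContainerClass
Test-ZoneAce -Dn $ZoneContainerDN   -Right $createChild   -ObjectType $OrgUnitClass
Test-ZoneAce -Dn $ComputersParentDN -Right $createChild   -ObjectType $GroupClass
Test-ZoneAce -Dn $ComputersParentDN -Right $writeProperty -ObjectType $DescriptionAttr
```

Run the script as an account that can modify the DACL on both containers (typically a domain administrator). The Test-ZoneAce check looks only for explicit ACEs granted to the delegate's own SID; a user who is a member of Domain Admins, or who receives the rights through another group, passes the wizard without those ACEs being present, so treat a False result as "not explicitly granted" rather than "denied". It also does not cover the separate permissions the note above mentions for adding an authorization store and managing rights, roles and role assignments.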

Who should perform this task

Which Windows administrator performs this task depends on your organization's policies. The user who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. In most organizations, this task is done using an account with domain administrator privileges.

How often you should perform this task

After you are fully deployed, you create new child zones infrequently to address changes to the scope of ownership and administrative tasks.

Steps for completing this task

The following instructions illustrate how to create a new child zone using Access Manager.

To create a new child zone using Access Manager:

  1. Open the Access Manager console.
  2. In the console tree, expand Zones and individual zones to select the parent zone for the new child zone.
  3. Right-click, then click Create Child Zone.
  4. Type the zone name and, optionally, a longer description of the zone.

    Because this is a child zone, you should use the default parent container and container type, then click Next.

  5. In most cases, you'll want to leave the Skip permission delegation option deselected. If you select this option, the wizard does not set the security descriptor on the new zone object, and you must set it yourself afterward. Some organizations prefer to set security descriptors manually. A security descriptor holds the object's security information: its owner, the access control list that determines who has which access rights to the object, and so forth.

  6. Review information about the child zone, then click Finish.