Persisted and non-persisted capabilities

The authentication, privilege elevation, and audit and monitoring services cache persists several role-based capabilities when a computer is not connected to Active Directory. A computer is considered to be not connected when the Windows agent is unable to reach one or more of the following entities:

  • The domain to which the computer is joined.
  • The domain of any zone in the zone hierarchy. The zone hierarchy is the domain of the zone that the machine is joined to, or any parent zones of that joined zone.
  • An Active Directory global catalog (GC) associated with any of these domains.

If the Windows agent can reach all of these entities, it is considered to be connected.

Persisted capabilities

These capabilities are supported when a computer is not connected:

  • Users can log in based on role.
  • Users can run applications based on role.
  • Users can create desktops based on role.
  • Computers can be removed from zones.
  • Centrify software can be installed (but the computer cannot be joined to a zone).
  • Centrify software can be upgraded, but this practice is not recommended because there will be no authorization data in the cache after the upgrade.

Non-persisted capabilities

These limitations exist when a computer is not connected:

  • You cannot join a zone or change a computer’s zone.
  • The use of Network rights is not supported.