Enabling Windows local account management

You can have Centrify manage your local Windows user and group accounts. To do so, you need to enable and configure a few settings: install the agent and enable local account management on each Windows system where you want to manage local accounts.

Be aware that if you enable local account management, the service does not delete any built-in Windows users or groups, even if you mark one of those accounts for removal.

Note: Windows local account management is not supported on domain controllers.

To configure local account management for Windows:

  1. From the Centrify Privilege Elevation Service Settings dialog box Local Account Management tab, click Configure.

    The Local Account Management Configuration dialog box opens.

  2. Select the Enable local account management option.
  3. Select Yes to enforce local account management or No to not enforce local account management.

    Enforcing local account management means that after you remove a local Windows user or group from Access Manager, the service will remove the local user or group from the computer after the next synchronization.

    If you choose not to enforce local account management, you remove a user by marking it as removed in Access Manager rather than by explicitly deleting the account from Access Manager.

  4. Specify a script that will run when the service synchronizes local account information with Access Manager and the affected computers. The script can set the passwords for the local accounts and also display a list of enabled, disabled, or removed users.

    For details, see Creating and managing local Windows user passwords.

    There is a sample script provided that you can use as a starting point:

    C:\Program Files\Centrify\Centrify Agent for Windows\SampleNotification.ps1

    The script will run after each synchronization of local accounts when any of the following have occurred:

    • New local users are added
    • Local users are enabled
    • Local users are disabled
    • Local users are removed
  5. Specify a synchronization interval.

    This interval controls how often the service synchronizes local account information between Access Manager and the affected computers. The default is 60 minutes.

  6. Click OK to save your changes and close the dialog box.
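As an added example (not Centrify's SampleNotification.ps1 and not part of this page), the following is a notification script of the kind step 4 describes: it sets a fresh password on newly added local accounts and writes a list of enabled, disabled, and removed users to a log. It assumes the service passes the affected account names through the named parameters shown; the real parameter contract is whatever the sample script at the path above declares, so the param block, the log path, and the vault hand-off are assumptions to adapt.

```powershell
# Added example of a post-synchronization notification script.
# ASSUMPTION: the service invokes this script with the affected account
# names as the parameters below. Check SampleNotification.ps1 for the
# real parameter names and adjust this block to match.
param(
    [string[]]$AddedUsers    = @(),
    [string[]]$EnabledUsers  = @(),
    [string[]]$DisabledUsers = @(),
    [string[]]$RemovedUsers  = @(),
    # Assumed log location; any path writable only by administrators works.
    [string]$LogPath = "$env:ProgramData\LocalAccountSync\sync.log"
)

function New-RandomPassword {
    param([int]$Length = 24)
    # Credential material comes from the CSPRNG, not Get-Random.
    # Ambiguous glyphs (0/O, 1/l/I) are left out so the value can be transcribed.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Write-SyncLog {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

# 1. Newly added accounts get a password the service did not choose.
#    The password itself is never written to the log.
foreach ($name in $AddedUsers) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-SyncLog "ADDED    $name : not found locally, skipped"
        continue
    }
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-LocalUser -Name $name -Password $secure
    # ASSUMPTION: hand $plain to your password vault here (see "Creating and
    # managing local Windows user passwords"). Nothing on this page defines
    # that interface, so it is left as a placeholder.
    Remove-Variable plain
    Write-SyncLog "ADDED    $name : password set"
}

# 2. Record the state changes the service reported.
foreach ($name in $EnabledUsers)  { Write-SyncLog "ENABLED  $name" }
foreach ($name in $DisabledUsers) { Write-SyncLog "DISABLED $name" }
foreach ($name in $RemovedUsers)  { Write-SyncLog "REMOVED  $name" }

# 3. Display the current local account picture alongside the reported removals,
#    so an operator can spot a removal that did not take effect (for example a
#    built-in account, which the service never deletes).
$current = Get-LocalUser | Select-Object Name, Enabled, LastLogon
$stillPresent = $RemovedUsers | Where-Object { $current.Name -contains $_ }

"Enabled local users:"
$current | Where-Object Enabled | Format-Table Name, LastLogon -AutoSize
"Disabled local users:"
$current | Where-Object { -not $_.Enabled } | Format-Table Name, LastLogon -AutoSize
"Reported removed:"
$RemovedUsers
if ($stillPresent) {
    "WARNING: reported removed but still present (built-in or not enforced): $($stillPresent -join ', ')"
    Write-SyncLog "WARNING  still present after removal: $($stillPresent -join ', ')"
}
```

Run it under the same account the service uses, since Set-LocalUser and Get-LocalUser need local administrator rights. The password is set and then discarded from the script's memory; the only durable copy should be the one handed to the vault, which is why the log records that a password was set but never its value.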