To allow another person who is not an Active Directory administrator to perform all of tasks in the evaluation, you can delegate control of the Centrify organizational unit to that person. If you are an Active Directory administrator or a member of the Domain Admins group in the evaluation domain, you can skip this step.
To delegate control of the organizational unit for Centrify
Open Active Directory Users and Computers and select the domain.
Select the top-level organizational unit for Centrify objects, Centrify.
Right-click, then select Delegate Control.
In the Delegation of Control wizard, click Next.
Search for and select the user or group for delegation, then click Next.
Select the tasks to delegate, then click Next.
At a minimum, select the following common tasks:
- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Create, delete, and manage groups
- Modify the membership of a group
If you are delegating the task of joining computers to a zone, you can specify the scope of computers you can join to the zone; you pick a container in Active Directory to grant access to.
If you leave the scope blank, the scope is the domain root. Be aware that the postalAddress field is used for information about joining computers to a zone; if you lookup the permissions for people you've delegated the task of joining computers to a zone, they'll have permissions to the postalAddress field for the affected computers.