Creating a network right

In the preceding section, you saw how you can provide a user with a desktop that has elevated privileges on a local computer (the Windows client computer in this case). However, using administrative privileges on your local Windows client computer does not give you privileges on a remote computer. In this section, you create a network access right that gives a user administrator privileges on a remote computer.

To illustrate network access rights using the local Windows client computer and a remote computer, you must install the Centrify Agent for Windows on the remote computer and join that remote computer to the zone you created in Creating the first zone (for example, Headquarters).

You can use the domain controller or another computer as the remote computer for this exercise. Install the Centrify Agent for Windows on the computer that you are using as the remote computer and join that computer to the Headquarters zone before proceeding.

If you are using only one Windows client computer for the evaluation and cannot install the agent on the domain controller or another remote computer, you should skip this exercise.

  1. Install the Centrify Agent for Windows on the computer that you are using as the remote computer.

    See Installing the Centrify Agent for Windows for more information.

  2. Log on to the remote computer with your administrator account and create a folder on the C: drive named ShareFolder.

  3. Select the folder, right-click, then select Properties.

  4. Click the Sharing tab, then click Share.

  5. Select Find people, type “back” to search for and select the built-in Backup Operators group, then click OK.

  6. Right-click the Backup Operators group and set the Permission Level to Read/Write, then click Share.

  7. Click Done, click Close to exit, then log off the remote computer as the administrator.

  8. Log on to the local Windows client computer as amy.adams.

  9. Try to open ShareFolder on the remote computer.

  10. Verify that Windows tells you that you do not have sufficient permissions, then click Cancel.

  1. Log on to the local Windows client computer with your administrator account and open Access Manager.

  2. Create the new network access right.

    • Select Windows Right Definitions > Network Access, right-click, then select New Network Access.

    • Type ShareAccess as the name of the new access right on the General tab.

    • Click the Access tab, select Self with added group privileges, then click Add Built-in Groups.

    • Select the Backup Operators group, then click OK.

    • Select Re-authenticate current user to require users to authenticate their identity when they use a role with this right, then click OK.

    • Select Require multi-factor authentication If you would like to enable multi-factor authentication for the right.

    Before you enable multi-factor authentication, you should be aware that multi-factor authentication for Centrify-managed Windows computers relies on the infrastructure provided by the Privileged Access Service. For more information on preparing to use multi-factor authentication, see the Multi-factor Authentication Quick Start Guide.

  3. Add the new right to the existing DesktopAdmin role.

    • Under Role Definitions, select the DesktopAdmin role, right-click, then select Add Right.
    • Select the ShareAccess right in the list, then click OK.

  4. Assign the role to a selected computer in the zone.

    • Expand the zone to Computers > computer name> Role Assignments node. If you are using a local and remote computer for this exercise, select the remote computer for making the role assignment.

    • Select Role Assignments, right-click, then select Assign Role.

    • Select DesktopAdmin in the list of roles, then click OK.

  5. Assign the role to an Active Directory group.

    • Click Add AD Account.

    • Change the Find filter from User to Group to search for and select the group you created for the evaluation (for example, Eval Group), then click OK.

    • Verify that the account is included in the Accounts list in the Assign Roles dialog box, then click OK.

    • Open the Privilege Elevation Service Settings (from the Agent Configuration shortcut > Centrify Privilege Elevation Service > Settings), click the Troubleshooting tab, then click Refresh to get the latest authorization information.

  1. Log on to the local Windows client computer as amy.adams.

    If you try to open ShareFolder in the default desktop, Windows denies access.

  2. Open the Centrify applet, select New Desktop, and select the DesktopAdmin role.

    This role has the network access right that gives you remote access to the computer running as the account with Read/Write permission.

  3. Open ShareFolder and verify that Windows gives you access.

In this exercise, you added a remote access right to a role that already had a desktop right and saw how changing desktops changes the user’s rights.