Assigning the Windows Login role to a group

After a computer joins a Centrify zone, users must be granted access to that computer by being assigned a role with the right to log on. So far, only the Administrator account has that privilege. This exercise illustrates how you can give that privilege to other users through their Active Directory group membership.

In most cases, you can assign the Windows Login role to all local Windows users, all Active Directory users, or both, if you want to automatically allow new users to log on locally or remotely. However, the Window Login role does not override any native Windows security policies. For example, if the Local Security Policy on the domain controller does not allow Domain Users to log on locally, assigning the Windows Login role to the Domain Users security group will not allow members of that group to log on locally.

If the Windows client computer you are using for the evaluation does not allow users to log on locally or does not accept remote desktop connections, you might have to make Eval Group a member of a specific Windows security group, such as Server Operators or Remote Desktop Users, to complete further exercises.

To assign the Windows Login role to an Active Directory group:

  1. On the Window client computer, open Access Manager.
  2. Expand the zone, then expand Authorization.
  3. Right-click Role Assignments and select Assign Role.
  4. Select Windows Login from the list of role definitions, then click OK to display Assign Role.

    By default the role is set to start immediately and never expire.

  5. Select Accounts below to assign the role to the group you created in Creating an Active Directory user and group.

    For purposes outside of this exercise, you could assign the role to more users by selecting All accounts and then specifying All Active Directory accounts, All local Windows accounts, All local UNIX accounts, or any combination of these three selections.

  6. Click Add AD Account to display Add User Role Assignment.

  7. Change the Find filter from User to Group.

  8. Type all or part of the group name, click Find Now, then select the group in the results and click OK.

    For example, type Eval to search for Eval Group and select that group in the results.

  9. Click OK to complete the assignment and close the Assign Role window.

    Now all members of Eval Group can log on to this computer.

To verify the role assignment, you can log off as the administrator and log in as the user you created in Creating an Active Directory user and group, for example, amy.adams. When you log on using the new account, the default desktop has no administrative privileges. For example, the new user cannot stop or start services on the local computers because the account do not have the administrative privileges required to do so. The next exercise shows you how to give a user elevated privileges when she is running a specific application.