Using Centrify to manage access to Windows computers

Centrify provides a cross-platform solution that relies on the deployment of a Centrify agent. To manage access to Windows servers and workstations, an administrator installs the Centrify agent for Windows and identifies the zone the computer should use. If an administrator has installed the agent and added your computer to a zone, the computer is a Centrify-managed computer. When you log on, the agent checks that you have been assigned a role that allows a local or remote logon. As long as you have a role assignment that allows you to log on, logging on proceeds normally. If you have not been assigned a role that allows you to log on, you are denied access to the computer.

In most cases, an Active Directory administrator or another delegated administrator will also define rights and roles that enable you to run as another account that has elevated privileges. For example, the administrator might create a role that allows you to manage a Microsoft SQL Server instance using administrative privileges and another role that enables you to run an Exchange management tool using a shared service account.

The administrator is responsible for defining the specific rights that are available in different roles and for assigning those roles to the appropriate Active Directory users and groups. The administrator can also assign selected roles to local Windows users and groups.

As a user logging on to a Centrify-managed computer, you have the option to select from and switch between the roles you have been assigned. For example, you begin the day by logging on to your computer using your Active Directory credentials. In most cases, this account does not have elevated privileges. In your work queue, you find that you need to add a new database to the SQL Server instance you manage. Because this change requires administrative privileges not available in your logon account, you select the role that has elevated privileges that you have been assigned for managing SQL Server instances. When you are done adding the database in Microsoft SQL Server Management Studio, you switch back to your default logon account.

The administrator determines whether the elevated privileges in your role are limited to a specific application (for example, Microsoft SQL Server Management Studio), apply to any application on your desktop, or are allowed only on a remote server. You are responsible for selecting, from the list of roles available to you, the role appropriate for the work required.
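The logon check and scoped role selection described above, as an added simplified model written for this page (it is not Centrify's code); the users, groups, role names, run-as accounts and executable names are constructed placeholders.

```python
from dataclasses import dataclass
# Simplified model of zone role evaluation, added for illustration (not
# Centrify's code). Scopes: "application" (one named program), "desktop" (any
# program in a local session), "remote" (only in a remote server session).
@dataclass(frozen=True)
class RunAsRight:
    account: str           # elevated or shared account the role runs as
    scope: str             # "application", "desktop" or "remote"
    application: str = ""  # executable name, used when scope == "application"

@dataclass(frozen=True)
class Role:
    name: str
    local_logon: bool = False
    remote_logon: bool = False
    run_as: tuple = ()     # RunAsRight entries

# Constructed sample data (placeholder names): group memberships, roles and
# role assignments to AD or local principals.
AD_GROUPS = {"CORP\\alice": {"CORP\\DBA"}, "CORP\\bob": {"CORP\\Staff"}}
LOCAL_GROUPS = {"CORP\\bob": {"BUILTIN\\Remote Desktop Users"}}
ROLES = {
    "Windows Login": Role("Windows Login", local_logon=True, remote_logon=True),
    "SQL Admin": Role("SQL Admin", run_as=(
        RunAsRight("CORP\\sqladmin", "application", "Ssms.exe"),)),
    "Exchange Ops": Role("Exchange Ops", run_as=(
        RunAsRight("CORP\\svc-exchange", "remote"),)),
}
ASSIGNMENTS = {
    "CORP\\DBA": {"Windows Login", "SQL Admin"},
    "CORP\\Staff": {"Windows Login"},
    "BUILTIN\\Remote Desktop Users": {"Exchange Ops"},
}

def effective_roles(user):
    """Roles assigned to the user directly or through an AD or local group."""
    principals = {user} | AD_GROUPS.get(user, set()) | LOCAL_GROUPS.get(user, set())
    return {ROLES[r] for p in principals for r in ASSIGNMENTS.get(p, set())}

def can_logon(user, remote=False):
    """The agent's logon check: some assigned role must grant this logon type."""
    return any(r.remote_logon if remote else r.local_logon for r in effective_roles(user))

def run_as_account(user, role_name, application, remote=False):
    """Account the selected role runs `application` as, or None if not permitted."""
    role = ROLES.get(role_name)
    if role is None or role not in effective_roles(user) or not can_logon(user, remote):
        return None
    for right in role.run_as:
        if right.scope == "application" and right.application != application:
            continue
        if (right.scope == "desktop" and remote) or (right.scope == "remote" and not remote):
            continue
        return right.account
    return None
```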