Running Access Manager for the first time
The first time you start the Centrify Access Manager console, a Setup Wizard guides you through the initial configuration of the Active Directory forest. This initial setup creates the recommended deployment structure or a custom one, including the parent containers for Licenses and Zones, and sets the permissions for modifying the objects within the containers. These steps are only performed once and can be done manually, if you choose.
Because the Setup Wizard creates container objects, you might need to use a domain administrator account. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization only permits Domain Admins to create parent and child objects in Active Directory, you need to use an account with those permissions to run the Setup Wizard. For more information about the permissions required to perform specific configuration steps, see Permissions required to use the Setup Wizard.
To start the Setup Wizard and update the Active Directory forest:
- Open Access Manager from the desktop shortcut or Start menu.
Verify the name of the domain controller displayed is a member of the Active Directory forest you want to update or type the name of a different domain controller if you want to connect to a different forest, then click OK.
- If you want to connect to a different forest, type the name of a domain controller in that forest.
- If you want to connect to the forest with different credentials, select Connect as another user, then type a user name and password to connect as.
- At the Welcome page, click Next.
- Select Use currently connected user credentials to use your current logon account or select Specify alternate user credentials and type a user name and password, then click Next.
Select Generate the Centrify recommended deployment structure if you want to create all of the containers for the recommended deployment structure automatically.
If you select this option, select whether you want to generate the default deployment structure or generate a custom structure, then click Next.
- If you are generating the default structure, clicking Next enables you to select or create the location for the deployment structure in Active Directory. For example, if you want to create the top of the default deployment structure at the domain level, click Next, then click Browse to select the domain name. After you have selected a location, click OK, then click Next to create the deployment structure.
- If you are generating a custom structure, clicking Next enables you to export the script that creates the default structure or run a script you have previously written.
If you are generating a default or custom deployment structure, verify the successful execution of the script that creates the structure, then click Next to continue.
You can add other Licenses containers in other locations later using the Manage Licenses dialog box.
If you are not using the recommended deployment structure, the default container for license keys is domain_name/Program Data/Centrify/Licenses. To create the parent container in a different location, you can click Browse.
Review the permission requirements for the container, then click Yes to continue.
If you don’t want to allow the permissions for the selected container, click No and select a different container to continue.
Type or copy and paste the license key you received, then click Add.
If you received multiple license keys, add each key to the list of installed licenses, then click Next. If you received license keys in a text file, click Import to import the keys directly from the file instead of adding the keys individually, then click Next.
You can also add and remove license containers and keys after the initial configuration.
For details about licensing, including how to request new license keys after deployment, check license usage and compliance, and how license counts are determined, see the License Management Administrator’s Guide.
If you are not using the recommended deployment structure, the default container for zones is domain_name/Program Data/Centrify/Zones. To create the parent container in a different location, you can click Browse.
You can skip creating the parent container in the forest or have more than one Zones parent container. For example, if you have a regional OU structure in Active Directory, where each region is responsible for its own set of zones, each region should have its own top-level organizational unit. If you have separate OU structures for Tucson, AZ, and Newark, NJ, you would have separate deployment structures (CentrifyAZ and CentrifyNJ, for example) with separate parent containers for zones under each deployment structure. Users in each region can select the appropriate parent container when they create new zones.
Note: Users must have permission to read and create container objects on the parent Zones container and all child objects. You should verify the appropriate users have the permissions required to create new zones.
If you are using the recommended deployment structure, click Next to continue.
This option allows “self-service” join operations for computers in the Computers container. It is only applicable if you are not using the recommended deployment structure. If you want to support “self-service” join operations and are not using the recommended deployment structure, select Grant computer accounts in the Computers container permission to update their own account information, then click Next.
If you plan to use Access Manager to manage information stored in Active Directory and maintain data integrity, click Next to continue.
You should select Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in if you want to automatically maintain the integrity of the information in Centrify profiles.
This option prevents Centrify profile information from being left “orphaned” when changes are made to Active Directory objects such as users and groups. This option is not selected by default because it requires you to have Enterprise Admin or Domain Admin rights for the forest root domain.
Select Activate Centrify profile property pages if you want to be able to display Centrify profiles in any Active Directory context, then click Next.
Setting this option ensures that displaying the properties for a user, group, or computer always displays the Centrify Profile tab regardless of how you navigate to the Properties dialog box.
- Review and confirm your configuration settings, click Next, then click Finish.
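To verify the permissions described in the note about the parent Zones container, the following PowerShell function lists the Allow entries that grant the right to create container objects under it. This is an added example, not part of the Centrify documentation or tooling; the function name `Get-ZoneCreator` and the distinguished name in the usage comment are assumptions, and it requires the Microsoft ActiveDirectory module and a live connection to the domain.

```powershell
# Added example (not Centrify code): list who is allowed to create container
# objects under the parent Zones container, so delegation can be reviewed.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

function Get-ZoneCreator {
    param(
        # Distinguished name of the parent Zones container (supplied by the caller).
        [Parameter(Mandatory)][string]$ZonesContainerDN
    )

    # Look up the schema GUID of the "container" class at run time
    # rather than hard-coding it.
    $schemaNC       = (Get-ADRootDSE).schemaNamingContext
    $containerClass = Get-ADObject -SearchBase $schemaNC `
                          -LDAPFilter '(lDAPDisplayName=container)' `
                          -Properties schemaIDGUID
    $containerGuid  = [System.Guid]$containerClass.schemaIDGUID

    # An empty ObjectType GUID means the entry applies to every object class.
    $anyClass    = [System.Guid]::Empty
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    (Get-Acl -Path "AD:\$ZonesContainerDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $createChild) -and
            ($_.ObjectType -eq $anyClass -or $_.ObjectType -eq $containerGuid)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      IsInherited, InheritanceType
}

# Usage (the DN is an assumed example; substitute your own container):
# Get-ZoneCreator -ZonesContainerDN 'CN=Zones,CN=Centrify,CN=Program Data,DC=example,DC=com'
```

The output shows only Allow entries on the container itself; it does not expand group membership or account for Deny entries, so treat it as a starting list for review rather than an effective-permissions calculation.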