The Zone Provisioning Agent is intended to run on an ongoing basis on a computer that is always available. It requires a Windows user account with the right to Log on as a service. If you have a single forest, you can install the Zone Provisioning Agent on one or two computers. If you install the Zone Provisioning Agent on two computers, you should only run one instance at a time. The Zone Provisioning Agent on the second computer is intended for standby operation. You should only start the Zone Provisioning Agent on the second computer if the first instance fails.
Note: The business rules that control provisioning are stored in Active Directory. If only one computer has the Zone Provisioning Agent and that computer stops running, the automated provisioning of UNIX users and group is interrupted until the computer and the Zone Provisioning Agent are restarted. Users with existing access to UNIX computers are not affected.
- Zone Property Page Extension must be installed on the same computer as the Centrify Access Manager console. This extension adds a tab to the Zone Properties for configuring provisioning rules.
- Provisioning Agent can be installed separately from the property page as a standalone service or on the same computer as Access Manager. The computer where you install the service should be available at all times. In most cases, this Windows service is not installed on the same computer as Access Manager.
- Command Line Utility can be installed separately or on the same computer as Access Manager. The command line utility allows you to write scripts for provisioning tasks or update zones on demand.
If you have more than one forest, you should install a Zone Provisioning Agent in each forest. If you have geographical domains within a single forest, you may want to install a Zone Provisioning Agent in each geographical domain. If you install a second instance of the Provisioning Agent for failover, be sure that only one instance of the Provisioning Agent runs in each forest.
|Account name (suggested)||Type of account||Required permissions||Notes|
|Cfy_SVC_ZPA||Active Directory account||Log on as a service||The Zone Provisioning Agent requires permission to create UNIX profiles-- that is, the service connection points in each zone where it needs to perform provisioning operations. The service account that runs the Zone Provisioning Agent requires the Log on as a service right set as a local computer security policy, or in the default domain policy.|
Create a service account for the Zone Provisioning Agent
The Zone Provisioning Agent must run using a valid Windows user account with the right to Log on as a service. In most cases, you should create a dedicated user account, called the service account, for the service to run as rather than use an existing user account.
- Open Active Directory Users and Computers.
- Select the UNIX Service Account organizational unit.
- Right-click, then select New > User.
- Type a display name and logon name for the service account, then click Next.
Type and retype a password for the service account and modify the account options as follows, then click Next:
- Uncheck User must change password at next logon
- Check User cannot change password
- Check Password never expires
- Click Finish to add the service account.
Configure the local or domain group policy to allow the account to log on as a service
After you have created the service account, you must edit either a local security policy or the default domain group policy to grant the service account the Log on as a service right.
If you edit the default domain policy, the Zone Provisioning Agent can run on any Windows computer. If you need to move the service from one computer to another, no additional configuration is required.
Alternatively, you can edit the local security policy specifically on the computers that run the Zone Provisioning Agent. If you use the local policy, however, you may need to investigate whether other group policies are applied to the computer running the Zone Provisioning Agent to see if inheritance disables your local policy setting.
- Open the Group Policy Object Editor and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service.
- Right-click Log on as a service, then select Properties.
- Select Define these policy settings, then click Add User or Group.
- Click Browse to search for the service account you created.
- Select the service account, then click OK to add the account and OK again to apply the policy.