Creating display specifiers for Centrify profiles

To display the Centrify Profile properties in Active Directory Users and Computers, you must be an enterprise administrator or a domain administrator for the forest root domain because adding the Centrify Profile to Active Directory Users and Computers requires you to add display specifiers to Active Directory.

Note: A display specifier is an Active Directory object that allows you to add components to the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) snap-in.

If you want to make the Centrify Profile available in Active Directory Users and Computers, an enterprise administrator can manually define the display specifiers (under domain/Configuration/DisplaySpecifiers/LanguageID/) for computer, group, and user properties by modifying the adminPropertyPages attribute with the appropriate GUID. For example, if the Active Directory domain is ajax.org and the language you support is US-English (CN=409), you would define the display specifiers in:

ajax.org/Configuration/DisplaySpecifiers/409

Note: Adding the display specifiers for Centrify properties is an optional step you can perform manually using ADSI Edit or by running the displayspecifier.vbs script. If you manage all Centrify objects through Access Manager, you do not need to perform this task.

To use the displayspecifier.vbs script to set up the display specifiers:

  1. Log on using an enterprise administrator account or a domain administrator for the forest root domain.
  2. Open a Command Prompt window and change to the Centrify installation directory. For example:

    cd C:\Program Files\Centrify\Access Manager

  3. Run the displayspecifier.vbs script.

If you want to manually add the display specifiers to display property pages in Active Directory Users and Computers, you must create the following entries using ADSI Edit, where n is the next number in the index of values for the attribute:

For this target object              Set this attribute    To
computer-Display displaySpecifier   adminPropertyPages    n,{DB5E4BE1-A0F0-4e6c-AD8A-B46475D727CB}
group-Display displaySpecifier      adminPropertyPages    n,{0CDC9AD0-E870-483f-8D16-17EAB3B7F881}
user-Display displaySpecifier       adminPropertyPages    n,{543DBFE3-317D-4493-8D00-84591E4EDCDE}
inetOrgPerson-Display               adminPropertyPages    n,{543DBFE3-317D-4493-8D00-84591E4EDCDE}

For example, if the Active Directory domain is ajax.org and the language you support is US-English (CN=409), you would add these entries to the objects in:

ajax.org/Configuration/DisplaySpecifiers/409

In most cases, you only need to set up the display specifiers once for the Active Directory forest. If you support multiple languages, you can manually add the display specifiers to each language you support. For example, if your organization supports US-English (CN=409), Standard French (CN=40C), and Japanese (CN=411), you would add the display specifiers to these three containers. Once you have updated Active Directory by running the displayspecifier.vbs script or by manually adding the display specifiers, you can access the Centrify Profile properties using Active Directory Users and Computers.
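Because these entries live in the forest-wide Configuration partition, it helps to check what is already registered before adding a value by hand. The following read-only PowerShell check is an added example, not part of the Centrify documentation or the displayspecifier.vbs script: it reports whether each GUID from the table is already present in adminPropertyPages and what the next index n would be. Get-PropertyPageStatus is a hypothetical helper name, the live query assumes the ActiveDirectory (RSAT) module and the 409 container from the example, and the fallback values are constructed.

```powershell
# Added example: read-only, makes no changes to Active Directory.
# Object names and GUIDs are the ones in the table above.
$CentrifyPages = @{
    'computer-Display'      = '{DB5E4BE1-A0F0-4e6c-AD8A-B46475D727CB}'
    'group-Display'         = '{0CDC9AD0-E870-483f-8D16-17EAB3B7F881}'
    'user-Display'          = '{543DBFE3-317D-4493-8D00-84591E4EDCDE}'
    'inetOrgPerson-Display' = '{543DBFE3-317D-4493-8D00-84591E4EDCDE}'
}

function Get-PropertyPageStatus {
    # Hypothetical helper: takes the current adminPropertyPages values
    # ("index,{GUID}" strings) and reports whether $Guid is already
    # registered and which index would be next.
    param([string[]]$Values, [string]$Guid)
    $indexes = @(); $present = $false
    foreach ($v in $Values) {
        $parts = $v -split ','
        $n = 0
        if ([int]::TryParse($parts[0].Trim(), [ref]$n)) { $indexes += $n }
        # String -eq is case-insensitive, so GUID letter case does not matter.
        if ($parts.Count -gt 1 -and $parts[1].Trim() -eq $Guid) { $present = $true }
    }
    $next = 1
    if ($indexes.Count -gt 0) {
        $next = [int]($indexes | Measure-Object -Maximum).Maximum + 1
    }
    [pscustomobject]@{ Present = $present; NextIndex = $next }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live check against the US-English (409) container; repeat for
    # each language container you support (for example 40C or 411).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    foreach ($name in $CentrifyPages.Keys) {
        $dn  = "CN=$name,CN=409,CN=DisplaySpecifiers,$cfg"
        $obj = Get-ADObject -Identity $dn -Properties adminPropertyPages
        Get-PropertyPageStatus -Values @($obj.adminPropertyPages) -Guid $CentrifyPages[$name] |
            Select-Object @{ n = 'Object'; e = { $name } }, Present, NextIndex
    }
} else {
    # Constructed sample values, not taken from a real directory.
    $sample = '1,{00000000-0000-0000-0000-000000000001}',
              '2,{543dbfe3-317d-4493-8d00-84591e4edcde}'
    Get-PropertyPageStatus -Values $sample -Guid $CentrifyPages['user-Display']
}
```

A row with Present set to True means the GUID is already registered for that object, so adding it again would create a duplicate entry.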