Adding users to standard zones

In a standard Centrify zone, when the forest functional level is Windows Server 2003 or later, adding a user account whose primary group is an Active Directory security group to a zone requires the following permissions:

Select each of the following target objects and apply the permissions listed for it:

Target object: parent container object for the user profile

For example, if you use classic zones, the default Users container in the Finance zone:

domain/UNIX/Zones/Finance/Users

On the Object tab, select Allow to apply the following permission to this object only:

  • Create serviceConnectionPoint Objects

This permission is required for both standard zones and RFC 2307‑compliant zones.

For standard zones, you need to apply additional permissions. Click the Properties tab and select serviceConnectionPoint objects from the object list, then select Allow to apply the following properties to this object:

  • Read Name
  • Read name
  • Read displayName

Target object: user account object in Active Directory

For example:

domain/Users/user_name

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read objectCategory
  • Read objectClass
  • Read objectGUID
  • Read objectSid
  • Read userAccountControl

Target object: parent container object for the individual zone

For example, if you are adding a user to the Finance zone:

domain/UNIX/Zones/Finance

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read objectGUID
  • Write Description
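As an added example (not Centrify's own tooling), the following PowerShell delegates exactly the rights listed above to one group using the ActiveDirectory module's AD: drive, so the delegated account gets object-specific ACEs rather than broad read or write on the containers. The group, zone container and user names are placeholders, and the mapping of "Read Name" to the cn attribute and "Read name" to the name attribute is an assumption.

```powershell
# Added example, not Centrify's own tooling: delegate exactly the rights listed above
# to one group via the ActiveDirectory module's AD: drive. All names are assumptions.
Import-Module ActiveDirectory
$Trustee = 'CONTOSO\Zone-Finance-Admins'                    # assumed delegation group
$ZoneDN  = 'CN=Finance,CN=Zones,CN=UNIX,DC=contoso,DC=com'  # assumed zone container
$UsersDN = "CN=Users,$ZoneDN"                               # classic-zone Users container
$UserDN  = 'CN=jdoe,CN=Users,DC=contoso,DC=com'             # assumed user account

$SchemaNC = (Get-ADRootDSE).schemaNamingContext
$Sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])

function Get-SchemaGuid([string]$LdapName) {
    # Resolve an attribute or class name to its schemaIDGUID so each ACE targets only that
    # attribute/class instead of granting read or write on the whole object.
    $o = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Add-Ace([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule) {
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$None    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None         # "this object only"
$Desc    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # descendant objects
$Read    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$Write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ScpGuid = Get-SchemaGuid 'serviceConnectionPoint'

# 1. Users container: Create serviceConnectionPoint Objects, this object only.
Add-Ace $UsersDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $Allow, $ScpGuid, $None))
# Standard zones only: read Name/name/displayName on descendant serviceConnectionPoint objects.
# Assumed mapping: the ACL editor's "Name" is the cn attribute and "name" is the name attribute.
foreach ($attr in 'cn', 'name', 'displayName') {
    Add-Ace $UsersDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Read, $Allow, (Get-SchemaGuid $attr), $Desc, $ScpGuid))
}
# 2. User account object: read the five identity attributes, this object only.
foreach ($attr in 'objectCategory', 'objectClass', 'objectGUID', 'objectSid', 'userAccountControl') {
    Add-Ace $UserDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Read, $Allow, (Get-SchemaGuid $attr), $None))
}
# 3. Zone container: Read objectGUID and Write Description, this object only.
Add-Ace $ZoneDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, $Read, $Allow, (Get-SchemaGuid 'objectGUID'), $None))
Add-Ace $ZoneDN (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, $Write, $Allow, (Get-SchemaGuid 'description'), $None))
```

Run it as an account that already holds Modify Permissions on the three target objects, and confirm the result afterwards with `(Get-Acl "AD:\$ZoneDN").Access` filtered on the trustee.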