The Centrify Windows Agent package contains software to support auditing, access control, and privilege management on Windows computers. The Audit and Access features can be installed together or separately on the Windows computers you want to manage.

For auditing, the Centrify Windows Agent requires the Centrify DirectAudit feature set, which is available in Centrify Server Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, and improve regulatory compliance and accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. For a complete list of the platforms supported, see DirectAudit Supported Platforms.

For access control and privilege management, the Centrify Windows Agent requires the Centrify DirectManage and DirectAuthorize feature sets, which are available in Centrify Server Suite Standard Edition. With DirectManage and DirectAuthorize, you can configure and manage role-based access controls for Windows servers. The Centrify Windows Agent extends the access control and privilege management features available for Linux and UNIX computers, so that you can use a single console to manage multiple platforms. You can deploy the Centrify Windows Agent in a Windows-only environment or as part of a mixed environment that includes, Windows, Linux, and UNIX computers. For a complete list of the platforms supported, see DirectAuthorize UNIX Supported Platforms.

You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify Server Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

2. Supported platforms and system requirements

For information about setting up a test environment for the Centrify Windows Agent, see the Centrify Server Suite Evaluation Guide for Windows. The Centrify Server Suite Evaluation Guide for Windows includes common tasks and usage scenarios.

2.1 Centrify Windows Agent - Access

The Centrify Windows Agent – Access feature supports the following operating systems:

Windows 2003 Server SP2 and later (64-bit)
Windows 2003 Server R2 (64-bit)
Windows 2008 Server (32-bit and 64-bit)
Windows 2008 Server R2 (64-bit)
Windows 2012 Server (64-bit)
Windows 2012 Server R2 (64-bit)
Windows 7 (32-bit and 64-bit)
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)

Note:

Windows XP is no longer supported in Centrify Windows Agent 3.2.2 in Suite 2015.
Windows 2003, Windows 2003R2 will no longer be supported in the next release of Centrify Windows Agent 3.2.2.
32-bit Windows 7 and Windows 2008 will not be supported after the next release of Centrify Windows Agent 3.2.2.

2.2 Centrify Windows Agent - Audit

In addition, the Centrify Windows Agent – Audit feature supports the following platforms:

Windows 2003 Server SP2 and later (32-bit and 64-bit)
Windows 2003 Server R2 (32-bit and 64-bit)
Windows 2008 Server (32-bit and 64-bit)
Windows 2008 Server R2 (64-bit)
Windows 2012 Server (64-bit)
Windows 2012 Server R2 (64-bit)
Windows 7 (32-bit and 64-bit)
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)

Note:

Windows XP is no longer supported in Centrify Windows Agent 3.2.2 in Suite 2015.
Windows 2003, Windows 2003R2 will no longer be supported in the next release of Centrify Windows Agent 3.2.2.

3. New Features

3.1 New Features in Windows Agent 3.2.2

3.1.1 Centrify Windows Agent – Access

Smart card support is added in this release for the following Smart Cards:

US DoD Common Access Card (CAC)
Personal Identity Verification (PIV)
PIV Transitional (also known as PIV CAC or CAC Transitional)
PIV Interoperable (PIV-I)
Alternate Token Card / Alternate Logon Token (ALT)
Alternate Identity Smart Card (a.k.a Smart Card User Name Mapping)

3.2 New Features in Windows Agent 3.2.1

Windows Server Core support is added in this release for both Audit and Access features on the following platforms:

Windows 2008 R2 Server Core
Windows 2012 Server Core
Windows 2012 Minimal Server Interface
Windows 2012 R2 Server Core
Windows 2012 R2 Minimal Server Interface

Note: Due to its reduced feature set in Windows Server Core, certain specific functions are not supported such as “Run as Role…” context menu, Centrify system tray, Centrify shortcut menus and privilege desktop. (Ref: 33467)

Windows 8.1 and Windows 2012 R2 are now supported for both Audit and Access features. (Ref: 62244)

3.3 New Features in Windows Agent 3.2.0

3.3.1 Centrify Windows Agent – Audit

Failed privilege elevation attempts by Run As Role and desktop creation are now recorded as an audit event in DirectAudit database and Windows event log. (Ref: 39166)

3.3.2 Centrify Windows Agent – Access

Offline support: When the computer is disconnected from Active Directory, users continue to be subject to the role based policy set for the computer
Windows 8 and Windows 2012 support: Windows Application right and Network Access right are fully supported in Windows 8 and Windows 2012. Desktop right is still not supported in this release.
Predefined application rights: More predefined applications rights, like Print Management, Services, ODBC, etc. are now built into the product.
Application right matching criteria enhancement: User can define the application right not only by the file name and file path but also by the file properties, like file owner, file version, signed certificate, file description, etc. User is also allowed to define more than one set of the matching criteria for the same application right.
Application right builder: Defining application right may be tricky in the previous release. It usually involves a lot of trial and error. In this release, user can use Application right builder to build the application right directly from the shortcut file, the application executable or even the running process.

3.4 New Features in Windows Agent 3.1.1

There is no new feature in Windows Agent in this release. For the new features in DirectAudit, please refer to DirectAudit Release Notes.

3.5 New Features in Windows Agent 3.1.0

3.5.1 Centrify Windows Agent - Audit

Optional video capture auditing: In this release, you can choose to enable or disable video capture auditing. By default, video capture auditing is disabled for new installations. Disabling video capture helps greatly to reduce the storage requirement for the audited sessions. To use this feature, however, you must upgrade both the collector service and the Centrify Windows Agent to the 2013.2 release or later.
Windows Vista is no longer supported in this release.

3.5.2 Centrify Windows Agent - Access

Re-authentication: When a user creates a new desktop, or switches to a desktop with elevated privileges, or deploys the “RunAs” role to execute an operation, administrators can optionally require re-authentication. If this option is enabled, users must re-enter their login password.
Group privilege right: When using DirectManage Access Manager to define a new Windows Application, Desktop, or Network Access right, you can select a specific user account (as before) or use the login user’s account credentials but with the elevated privileges of a specific Active Directory or built-in group. If the latter, the rights of the selected group will be added to the user’s account while still maintaining the user’s context.
Customize desktop: When users create a new desktop with elevated privileges, they can customize the desktop background. For example, users can select a different background color or an image to use as wallpaper.
Predefined application rights: Administrators can now easily assign a subset of Local Administrator application rights to a role. When using the DirectManage Access Manager to add rights to a role, you can now choose from a list of predefined rights such as the right to run Task Scheduler, Event Viewer, and Performance Monitor.
RunAs enhancements: When launching an application using “RunAs” role, the RunAs utility will start the target application and can optionally wait until the application terminates, passing back the application return code. If the application is a command line utility, the RunAs utility will start a console and application inputs/outputs will be redirected to it. This enhancement is intended to help scripting users synchronize and verify their actions.

3.6 New Features in Windows Agent 3.0.1

This is a maintenance release.

4. Bugs Fixed

4.1 Bugs Fixed in Windows Agent 3.2.2

4.1.1 Centrify Windows Agent – Access

Network right is not supported for local users. The authorization center in this release has been fixed not to show the network right for local users. (Ref: 58271)
File hash matching criteria in the Application right is not supported for a file larger than 100MB. This is to make sure DirectAuthorize does not spend too much CPU and memory resources to calculate the file hash. User trying to import a file with the size larger than 100MB will see an empty value for the file hash field. The file size limit has been increased to 500 MB in this release. (Ref: 56778)
Role assignment on local Windows group cannot take effect on Windows Agent from Centrify Server Suite 2014. This issue has been fixed in this release. (Ref: 59537)
Although DirectAuthorize for Windows product can control which smart card users are allowed to logon, the re-authentication won't work because the smart card user is expected to enter a PIN instead of a password and our re-authentication UI only asks for password. This issue has been fixed in this release. User can enter a PIN in re-authentication. (Ref: 65175)
Citrix XenApp is supported in this release. (Ref: 33786)
Network right does not take effect if there is a Windows computer with Centrify Windows Agent - Access installed and the computer's dnsHostName attribute has not set any value in the AD forest. This issue has been fixed in this release. (Ref: 72967)

4.1.2 Centrify Windows Agent - Audit

Remote logon failure audit trail message on Windows 7/8, Windows 2008/2012 and Windows 2008/2012 R2 cannot be recorded. This issue has been fixed in this release. (Ref: 47232)

4.2 Bugs Fixed in Windows Agent 3.2.1

There are some minor bug fixes.

4.3 Bugs Fixed in Windows Agent 3.2.0

Windows Agent from Centrify Server Suite 2014 is improved to have smaller CPU footprint. (Ref: 56460)
Desktop background group policy cannot take effect when Centrify Windows Agent is installed with Access feature turned on. This issue has been fixed in this Suite 2014. (Ref: 57539)
Some programs install and register a special shortcut called "advertised" shortcuts. Run As Role context menu cannot be shown on those special shortcuts icon. This issue has been fixed in this release. (Ref: 54274)
After installing Centrify Windows Agent, the desktop background set by group policy can no longer take effect. This issue has been fixed in this release. (Ref: 57539)

Centrify Windows Agent requires DirectAuthorize service to be always running. Starting from this release, administrative user can no longer stop the DirectAuthorize service directly. (Ref: 33632)

4.4 Bugs Fixed in Windows Agent 3.1.1

In rare cases, the Centrify Windows Agent might stop sending audit data to its collector because of a race condition. The problem only happens in an environment with two or more collectors. This issue has been resolved in this release. (Ref: 46885)

4.5 Bugs Fixed in Windows Agent 3.1.0

4.5.1 Installation

There is a one-minute delay in rebooting the computer after upgrading the Centrify Windows Agent from Suite 2013 or Suite 2013.1. The reboot delay is due to a bug in Suite 2013 Windows Agent installer. The issue has been fixed in this release. There will be no delay in rebooting the machine when upgrading Suite 2013.2 to a later release. (Ref: 44145)

4.5.2 Centrify Windows Agent - Audit

If some of the collectors are upgraded to Suite 2013 but other collectors are from an older version of the software, the Centrify Windows Agent from Centrify Server Suite 2013 or Server Suite 2013.1 might be unable to connect to the upgraded collectors. This issue has been fixed in this release. (Ref: 38255)
Centrify DirectAudit Agent Control Panel always shows “Initializing” on some computers because of corrupted performance counters. This issue has been fixed in this release. (Ref: 39077)

4.5.3 Centrify Windows Agent - Access

The workaround suggested in Microsoft KB 896861 is now compatible with the current version of Centrify Windows Agent - Access. (Ref: 37000)
Restart and shutdown menu was not working on the desktop with elevated privileges in the previous release. This issue has been fixed in this release. (Ref: 40659)
Starting from this release, reboot is not required after changing the zone configuration. (Ref: 38527)
Centrify Windows Agent has applied the workaround suggested in http://support.microsoft.com/kb/936707 to avoid the long start up time. (Ref: 36165)
Privilege elevation using Windows Rights for Internet Explorer (IE) 8 or above is now supported. (Ref: 32671, 37587)
If the UPN of the “Run as” user account included "/" or "\" in its name, RunAsRole.exe or desktop creation would fail. This issue has been fixed in this release. (Ref: 38407, 38450, 38683)

4.6 Bugs Fixed in Windows Agent 3.0.1

If both Audit and Access features are installed for the Centrify Windows Agent, the log off menu cannot be shown on some machines. This issue has been fixed in this release. (Ref: 34767)
Computers with Centrify Windows Agent - Access installed may lock out all users from using that machine, when one of the domain controllers in its domain reboots. This issue has been fixed in this release. (Ref: 40361)
Leading and trailing white spaces in the arguments specified in the Application right are now ignored. This is to make sure user can do Run As Role on the specified application even though the arguments don’t have matching leading or trailing white spaces. (Ref: 41178)

5. Known Issues

5.1 Installation and Uninstall

The Centrify Common Component should be the last Centrify Server Suite component uninstalled. If the component is uninstalled before other component, it must be reinstalled by the uninstall process to complete its task. (Ref: 36226a)
If you intend to install the software on the desktop with elevated privilege, you should not check the "Run with UAC restrictions" option when creating the desktop. (Ref: 39725b)

When you double-click on the Centrify Windows Agent msi and select the "repair" option, the existing files are replaced irrespective of their version number, even when they are identical. As a result, a prompt to restart the system is displayed as files that were in use were replaced. However, if you use the Easy Installer to do the repair and a file on the disk has the same version as the file that is part of the installer package, the installed file will not be replaced. Therefore, there will not be any prompt to restart the system. (Ref: 26561a)

When the Centrify Windows Agent is either installed or uninstalled and the prompt for a machine restart is deferred using the “restart later” option or ignored, other components of DirectManage may display errors due to an incomplete installation. A restart is mandatory if requested after install or uninstall operation. (Ref: 36307a)
The component selection page of the installer for the Centrify Windows Agent installer does not allow specifying separate installation locations for each individual component. All the components selected on this page get installed in the same location. Therefore, the Browse button remains disabled when user highlights individual components in the component selection tree. The Browse button is enabled only when the user highlights the top node of the component selection tree. (Ref: 34772a)
Users may notice a few "Side by side" configuration errors in the Event Viewer after installing the Centrify Windows Agent, if Microsoft KB945140 related components have been installed on the local machine previously. These errors will go away after you restart the computer and have no functional effect. (Ref: 35302a )
If you uninstall the Centrify Windows Agent while the DirectAudit Agent Control Panel is open, files needed by the uninstall process may be blocked. You should close the DirectAudit Agent Control Panel for a successful conclusion to the uninstall process. (Ref: 25753a)
If you have installed the Access feature of Centrify Windows Agent from Centrify Server Suite 2013 and are trying to upgrade the component to the latest version, you may see the following error during the installation process, "Service 'DirectAuthorize Agent' could not be installed. Verify that you have sufficient privileges to install system services." If you see this error message, it typically indicates that the existing service is taking longer time to stop and hence the new service is not getting installed. When you see this error, wait for some time (typically 30 seconds) and click on Retry button on the error message box. (Ref: 47270a)
Centrify Windows Agent and its installer are built on .NET 3.5. Therefore, .NET 3.5 is always installed as a pre-requisite before the agent is installed. If .NET 3.5 is removed from the system later, Centrify Windows Agent will not run properly. User will also experience problem when trying to remove Centrify Windows Agent from the system. To properly uninstall Centrify Windows Agent, please make sure Centrify Windows Agent is uninstalled before .NET 3.5. (Ref: 39051a)
The list of rescue users is stored in different places in Suite 2013.3 (or previous releases) and Suite 2014 and this list is not automatically migrated to its new location when upgrading from Suite 2013.3 or a previous release to Suite 2014. Because of this, it's highly recommended that Centrify Windows Agent should not be upgraded in disconnected mode (i.e. when the system cannot connect to the Active Directory). If a system is upgraded in disconnected mode, the list of rescue users will be lost and only local administrators will be able to login to the system after reboot. (Ref:57622a )
For earlier versions of Windows including XP, 2003 and 2003 R2, the uninstall of Centrify Windows Agent - Access component may not initiate an automatic reboot if one or more users are logged onto the system and at least one user's session is locked. This is a result of shutdown command not initiating reboot when it detects one or more locked user sessions. It is recommended that user manually reboots the system in such cases. (Ref: 58623a)
If you install Access feature of Centrify Windows Agent without installing the Audit feature, the registry key value for HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\AuditTrail\AuditTrailTargets is set to zero as expected, which means the audit trail is not sent to DirectAudit Audit Store database. However, if you try to change the installed features list of Centrify Windows Agent and add the Audit feature later, the change process does not automatically set the AuditTrailTargets value to the expected new value of 1, which means to send audit trail data to DirectAudit Audit Store database. This is a known issue and workaround is to set this value manually to 1 after the installer finishes the process of adding new feature. (Ref: 59353b)
If you have installed the Access feature of Centrify Windows Agent from earlier version and then upgraded the component to the latest version while the Windows Agent is not currently connected to any Active Directory domain controller, only users who have been assigned a role with rescue rights will be able to log on to the computer until the connection to Active Directory is restored. (Ref: 58858b)

5.2 Centrify Windows Agent - Audit

Hardware acceleration may slow down console login. With Windows XP and Windows Server 2003, you may experience slow login performance if hardware acceleration is set to full. This issue only affects local logins. It does not affect Remote Desktop (RDP) sessions. To work around this issue, set hardware acceleration to none. (Ref: 24777a)
On audited Windows XP machines, the mouse cursor may flicker when DirectAudit is enabled. When using RDP to access the machine remotely, this issue may manifest itself by the RDP mouse pointer moving back a few pixels from where it was placed. This is a bug with Windows XP and is not expected to be fixed by Microsoft. (Ref: 24307a)
On Windows XP and Windows Server 2003, when a user is in screen-saver mode, a session will be suspended after ~20 seconds of monitoring and a new session will be started when the screen-saver is dismissed. However, if a user reactivates a session before the 20 second time period expires, the session should resume. (Ref: 25112a)
The offline data location (and subdirectories below it) is expected to be a location dedicated to spooling, for example c:\spool. If the offline data location is changed, all files in the old location (including subdirectories and their contents) are moved to the new location. This may cause problems if the old location was not exclusively for spooling use. For example, choosing c:\ as the original spool location and d:\spool as the new location would cause all files on the c:\ drive to be copied to d:\spool. (Ref: 26592a)
The optional video capture feature requires both the Collector and the DirectAudit Agent to use 2013.2 or later. If any of collectors or agents are running an older version, video data may still be recorded even though you have turned it off in Suite 2013 Update 2 Audit Manager. (Ref: 44064a)
If Centrify Windows Agent is auditing a Windows 8 or Windows 2012 system, the Indexed Event List of the corresponding audited session will not show any events for the applications that are using the Metro User Interface. The Metro UI is not supported by Suite 2014. (Ref: 56556b)
Upon making changes to Group Policy "Centrify Audit Trail Setting" > "Centrify Common Setting" > "Send audit trail to log file", it would require reboot of the client computer (agent) for this setting to be effective despite the Group Policy has already been refreshed on the client computer. (Ref: 73368b)

5.3 Centrify Windows Agent - Access

5.3.1 Configuration

Users with elevated privilege yet do not have sufficient permission to access "Security Settings" node in local group policy editor. This issue happens on Windows 8.1 and Windows 2012 R2 only. It will be fixed in future release. (Ref: 63609b)
Administrator should always leave the zone before joining the computer to a different domain. Otherwise, DirectAuthorize may not function correctly after the computer is joined to a different domain. (Ref: 54278b)
In some large environment with multiple domain controllers, it may take up to one minute for the new zone setting in DirectAuthorize control panel to take effect. (Ref: 58128b)
If one of the Global Catalog servers is unavailable, user may not be able to configure the zone for Centrify Windows Agent. (Ref: 58621b)

5.3.2 Environment

One-way trust environments and selective two-way external trusts are not supported. Both Windows machines and Centrify zones are required to be in the same forest or different forests with a two-way forest trust established. (Ref: 40713b, 44644b, 44647b, 44657b, 40643b, 40650b, 45341b, 45372b)

Environment with no Global Catalog is not supported. (Ref: 46577a)
DirectAuthorize for Windows requires machine time to be synchronized with domain controller. VMware virtual machine has a known issue that its time may not be synchronized with domain controller. This problem occurs more often on a overloaded virtual machine host. If the system clocks on the local Windows computer and the domain controller are not synchronized, DirectAuthorize for Windows does not allow any domain users to login. You can try the following KB from VMware to fix the time synchronization issue. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 (Ref: 47795b)

5.3.3 RunAsRole

The "RunAsRole.exe /wait" command line utility cannot redirect the input/output of the application if you log on remotely to a Windows XP, Windows 2003 or Windows 2003 R2 machine. (Ref: 45042a)
If you use the "RunAsRole.exe /wait" command to run a Python script, the input/output cannot be redirected for versions of Python below 3.0.0. (Ref: 45061a)
On Windows XP, Windows 2003 and Windows 2003 R2, PS1 file doesn't have a Run As role context menu unless PowerShell v2 or above is installed. (Ref: 56993a)
Run As Role menu is not available on the start screen in Windows 8 or Windows 2012 or later because Microsoft doesn't support any custom context menu on the start screen. User has to go to the Windows desktop in order to launch an application using Run As Role context menu. (Ref: 35487a)
On Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, the “Run as role” for Windows Explorer and Control Panel is not supported. The launching as well as some operations in the Control Panel may take a longer time than usual. (Ref: 68826a)
The "Run as role” for Windows Media Player is not recommended. Please use privilege desktop instead. (Ref: 55615a)
When running "RunAsRole.exe /wait sc.exe" with no argument provided to sc.exe, sc.exe will prompt

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:

Typing ‘y’ or ‘n’ doesn’t do anything because the input cannot be successfully redirected to sc.exe. (Ref: 47016b)

It is not recommended to change zone via Run As Role since the role that is in use may no longer be available once after leaving from the previous zone during the change zone process. (Ref: 58043a)
On Window Server 2003, current logon user is always prefilled under the "Username" field in re-authentication dialog. If a smart card reader is connected to the system, additional option on selecting the inserted smart card would be available in the re-authentication dialog. However, the original prefilled username option would be removed from this particular dialog instance once user has selected the smart card. Despite this, the "Username" field is editable and one could manually fill in the current logon user for re-authentication. (Ref: 72990a)
Role run with Domain Admins group privilege does not have enough permission to Domain Admins group shared folder which is created on Windows Server 2003. Role would need to run as a domain administrator. (Ref: 74974a)

5.3.4 Desktop with Elevated Privileges

On a desktop with elevated privileges, if you open the Task Manager and select “File > New Task” to run an application without selecting the "Create this task with administrative privileges" option, the application will be launched on the default desktop. This issue occurs when User Account Control (UAC) is enabled. (Ref: 32169a)
Sometimes the Centrify icon cannot be shown in the notification area of the taskbar if a user logs onto the computer immediately after starting the computer. This issue does not happen if a remote desktop is used to access the computer. This issue happens on Windows XP, Windows 2003, and Windows 2003 R2. Log in again later to resolve the issue. (Ref: 37119a)
If the sAMAccountName attribute of an Active Directory account is changed while the old account name is still cached on the computer, you may see the following error message when creating a new desktop or using “Run as role” with a right configured to run as the modified user account:

==================================================================

Failed to open new desktop. Right xxx references bad user account.

==================================================================

The workaround is to restart the computer. (Ref: 35124a )

On a desktop with elevated privileges, if you use “Control Panel > Programs > Programs and Features” to uninstall a program, you may see the following warning message and cannot uninstall the software.

========================================================================

The system administrator has set policies to prevent this installation.

========================================================================

This issue happens when User Account Control (UAC) is enabled and when "Run with UAC restrictions" is selected when creating the new desktop. (Ref: 33384a)

When you open the Start menu "Help and Support" item on a desktop with elevated privileges, the Windows Help and Support is launched on the default desktop. Switch to the default desktop to view the information. (Ref: 32147a)
If you shut down, restart, or log off from a desktop with elevated privileges, all running applications are terminated forcibly without being prompted to save any open documents. (Ref: 40749a)
You cannot launch Windows Security Options using “Start menu -> Windows Security” on a privilege desktop with elevated privileges when using a remote desktop connection. You must switch back to the default desktop to continue. (Ref: 45995b)
Installation of IE9 on desktops with elevated privileges may cause the privileged desktop to become unusable. Use “RunAsRole” for installation of IE9 instead. (Ref: 44930a)
You cannot use the Start menu option "Switch User" while you are using a role-based, privileged desktop. To use the "Switch User" shortcut, change from the privileged desktop to your default Windows desktop. From the default desktop, you can then select Start > Switch User to log on as a different user. (Ref: 39011b)
On a DirectAuthorize desktop using a role with local administrator privilege, the Stand By option in the shutdown menu does not work. This is a known issue and will be addressed in future release. (Ref: 58280a)
The operations on a new desktop with a role using a different user account may become unresponsive if it is a VMware Virtual Machine. This problem is found on Windows XP, Windows 2003 or Windows 2003 R2 only and it is not observed on later Windows version.
VMWare registers to run VMwareUser.exe on the guest operating system to enable user to copy and paste text between the guest and managed host operating systems. Creating multiple desktops with different user accounts causes multiple VMwareUser.exe are run in different user accounts in the same logon session. VMwareUSer.exe cannot support this scenario and therefore an error message is displayed on the default desktop which blocks all the UI operation on the new desktop. To workaround this problem, user can disable the VMWare user program on the guest machine by deleting the registry value name "VMware User Process" from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (Ref: 49268a)
Unsuccessful launching privilege desktop may relate to its desktop name. By default, the privilege desktop name is the selected role name, users can also customize it. The privilege desktop name does not support Unicode; it will be converted to the encoding corresponding to the computer system locale. If unsupported character is found during the conversion, the privilege desktop will not be launched successfully. Therefore, suggest using common alphanumeric characters as the privilege desktop name. (Ref: 75700b)

5.3.5 Roles and Rights

Windows Network Access rights do not take effect on a Linux or UNIX machines. If you select a role to start a program or create a desktop that contains a Network Access right, you can only use that role to access Windows computers. The Windows computers you access over the network must be joined to a zone that honors the selected role. The selected role cannot be used to access any Linux or UNIX server computers on the network. (Ref: 32980a)
Network Access rights are not supported on the Windows 2008 R2 Terminal Server if “RDC Client Single Sign-On for Remote Desktop Services” is enabled on the client side. (Ref: 34368b)
To elevate privileges to the "Run as" account specified in a Windows right, the “run as” account must have local logon rights. If you have explicitly disallowed this right, you may receive an error such as "the user has not been granted the requested logon type at this computer" when attempting to use the right. (Ref: 34266a)
If your computer network is spread out geographically, there may be failures in NETBIOS name translation. If a NETBIOS name is used, Active Directory attempts to resolve the NETBIOS name based on the domain controller that the user belongs to, which in a multi-segment network might fail. Therefore, Network Access rights might not work as expected if the remote server is located using NETBIOS name. You may need to consult your network administrator to work around this issue. (Ref: 39087a)
File hash matching criteria in the Application right is not supported for a file larger than 500MB. This is to make sure DirectAuthorize does not spend too much CPU and memory resources to calculate the file hash. User trying to import a file with the size larger than 500MB will see an empty value for the file hash field. (Ref: 56778a)
For a small set of application, enabled matching criterion - "Product Name", "Product version", "Company", "File Version" or "File Description" of a Windows Application Right may fail to match after upgrading agent under the following conditions: - Any value for the enabled matching criteria is defined by either import from a process or file - The matching criteria is defined by 5.1.3 or 5.2.0 DirectManage Access Manager since the number of affected application is expected to be relatively low, proactively updating the defined matching criteria of Windows Application Right is not necessary. (Ref: 60053a)

5.3.6 Compatibility With 3^rd Party Products

The startup path for “SharePoint 2010 Management Shell” and “Exchange Management Shell” may set to C:\Windows instead of user home directory if it is launched via RunAsRole.exe or from a desktop with elevated privilege. (Ref: 38814b, 46943b)
If "Windows Security Essentials" software is installed, an error message appears after you create a new desktop.

===========================================================================

Microsoft Security Client

An error has occurred in the program during initialization. If this program

continues, please contact your system administrator

Error code: 0x80070005

===========================================================================

This issue happens on Windows XP, Windows 2003, and Windows 2003 R2. This error message can be safely ignored. (Ref: 37687b)

On a desktop with elevated privileges, if you install McAfee Security Scan products and click "View Readme", the Readme.html is shown on the default desktop. Similar issues may happen with other third party programs. The alternate way to view the Readme.html on the desktop of a managed computer is to open the Readme.html file directly. (Ref: 34642a)
Attempting to enable Kerberos authentication for Oracle databases will fail. This issue is being brought to the attention of Oracle Support for a resolution in upcoming releases. (Ref: 33835b)
For SQL Server clusters used with Windows 2003 Servers, the SQL Network Name resource must have Kerberos Authentication enabled before you install the Centrify Windows Agent – Access feature. For information about how to enable Kerberos Authentication of virtual servers, refer to this article: http://technet.microsoft.com/en-us/library/cc780918%28v=ws.10%29.aspx. (Ref: 38333a)
The Microsoft Snipping Tool utility has a bug that prevents it from running on a desktop with elevated privileges. (Ref: 31931a)
Some applications do not use the process token to check the group membership. They check the user’s group membership on its own. Therefore, any Windows rights configured to use a privileged group will not take effect in these applications. The workaround is to use a privileged user account instead of a privileged group. Here is the list of known application with this issue:

vCenter Server 5.1
SQL Server
Exchange 2010 or above
SCOM 2007

(Ref: 45318a, 45218a, 43779a, 38016a)

Privilege elevation using Windows Rights for Internet Explorer (IE) 7 is not supported. (Ref: 33425a)
Privilege elevation using Windows rights for "File Server Management" is not supported on Windows 2003 or Windows 2003 R2. (Ref: 45797b)
Privilege elevation using Windows rights for "Remote Desktop" is not supported. (Ref: 45222b)
VirtualDesktop is not compatible with Centrify Windows Agent – Access. Users should use the Centrify system tray applet to create virtual desktop instead. (Ref: 44641b)
Privilege elevation using Windows rights for taskmgr.exe, explorer.exe, and cmd.exe are not recommended. A user granted privileges with Windows rights is implicitly granted to run any executable under the same privilege. (Ref: 45861a, 40525a )
Users may notice an error and cannot install ActivClient after installing Centrify Windows Agent. During the installation of ActivClient, it attempts to change the local security setting. However, there is a known issue for Centrify Windows Agent of blocking the local security setting (Ref: 63609b). Therefore, users may not be able to install ActivClient successfully after installing Centrify Windows Agent. We suggest installing ActivClient before installing Centrify Windows Agent. If Centrify Windows Agent has been installed, please uninstall it and follow the installation sequence suggested. This issue happens on Windows 8.1 and Windows 2012 R2 only. (Ref: 76016b)

6. Additional information and support

In addition to the documentation provided with this package, see the Centrify Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone.

To contact Centrify Support or to get help with installing or using this version of Centrify Windows Agent software, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.

1. About Centrify Windows Agent