Can we remove Role Assignments per user

Participant II
Posts: 2
Registered: ‎02-09-2018
#1 of 3 148
Accepted Solution

Can we remove Role Assignments per user

Can we remove Role Assignments per user based on samaccountname in powershell?


I saw this article ( which made it seem that you can delete the profile, but even with the profile deleted the role assignments still show up in Centrify and the AD Object.


I know that I can loop through every iteration of computer roles to accomplish this, but I was hoping to do it more directly.


Could something like this be done by GPO on a group/OU? "Every member of this group/OU loses all role assignments" type thing?



Centrify Guru I
Posts: 2,452
Registered: ‎07-26-2012
#2 of 3 143

Re: Can we remove Role Assignments per user

[ Edited ]



Welcome to the Centrify community.


Basics on DirectAuthorize - how do users get access or privileges to a Centrify Zone-joined system:

  • In UNIX/Linux, an end user needs a UNIX identity and a role assignment of a role that allows login to be able to have access to a system.  In order for them to have elevated privileges, those have to be added to the role or roles.
  • In Windows, there's no need for an identity.  A role assignment for a role that allows Console or Remote login is needed, and optionally elevation for Apps or Desktops.


This being said, it looks like you're trying to do some housekeeping (cleanup) of direct-to-user role assignments.   If this is the case, note that we always encourage the use of AD group membership to prevent all these issues.  If your provisioning and roles are driven by AD group membership, cleanup issues are significantly eliminated.  An alternative, if direct role assignments must be used, is to make them temporary.  This makes them easier to clean up (because your housekeeping only needs to look for expired role assignments).


Cleaning up Permanent and Direct Role Assignments - An example

If you want to clean up direct and permanent role assignments, you have to iterate through all the role assignments in all scopes (Zone, Child Zone, Computer Role or System) searching for a matching assignee.


For example:  I have a zone called Global that has several permanent role assignments for a user named Jeremy.  I have removed the UNIX profile for the user, but I'm also interested in removing the individual assignments at this level.



Import-Module ActiveDirectory
Import-Module Centrify.DirectControl.PowerShell

# What I'm looking for: scope = zone, user = jeremy.
$zone = Get-CdmZone -Name 'Global'
$user = (Get-ADUser 'jeremy').SamAccountName

# initialize a role-assignment array
$userRoleAssignments = @()

# filter for RA's for a specific user (via samaccountname)
$userRoleAssignments = @(Get-CdmRoleAssignment -Zone $zone | Where-Object { $_.AdTrustee.SamAccountName -eq $user })

# review what is about to be removed (Out-GridView alone does not pass objects on to Format-Table)
$userRoleAssignments | Format-Table TrusteeType, Role, Zone

foreach ($userRoleAssignment in $userRoleAssignments) {
    Remove-CdmRoleAssignment -RoleAssignment $userRoleAssignment
}

Some results:



The additional logic needed is to drill into any child zones, computer roles or even systems.   With PowerShell you have all the tooling to get this accomplished.


If you have expired role assignments, there are other cleanup methods as well:


I hope this helps.

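The "additional logic" the answer above leaves to the reader, as an added example that is not part of the original post: a recursive walk over the zone, its computer roles, its systems and every child zone, removing only assignments whose trustee is the given samAccountName, with a -WhatIf dry run before anything is touched. It assumes, beyond the cmdlets shown in the thread, that Get-CdmZone accepts -Parent, that Get-CdmComputerRole and Get-CdmManagedComputer accept -Zone, and that Get-CdmRoleAssignment accepts -ComputerRole and -Computer.

```powershell
# Added example, not the original poster's code. Cmdlet parameters listed in the
# lead-in are assumptions; check them against Get-Help in your module version.
Import-Module ActiveDirectory
Import-Module Centrify.DirectControl.PowerShell

function Remove-UserRoleAssignmentsRecursive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] $Zone,                     # CdmZone object
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Direct assignments only: the trustee is the user account itself, not a group.
    $match = { $_.AdTrustee.SamAccountName -eq $SamAccountName }

    # 1. Zone scope
    $found = @(Get-CdmRoleAssignment -Zone $Zone | Where-Object $match)
    # 2. Computer-role scope
    foreach ($cr in Get-CdmComputerRole -Zone $Zone) {
        $found += Get-CdmRoleAssignment -ComputerRole $cr | Where-Object $match
    }
    # 3. System scope (assignments made on an individual zone-joined computer)
    foreach ($pc in Get-CdmManagedComputer -Zone $Zone) {
        $found += Get-CdmRoleAssignment -Computer $pc | Where-Object $match
    }

    foreach ($ra in $found) {
        # With -WhatIf, ShouldProcess only reports the intended removal.
        if ($PSCmdlet.ShouldProcess("$($ra.Role) in zone $($Zone.Name)", 'Remove role assignment')) {
            Remove-CdmRoleAssignment -RoleAssignment $ra
        }
    }

    # 4. Recurse into child zones (the -WhatIf preference is inherited by the nested call)
    foreach ($child in Get-CdmZone -Parent $Zone) {
        Remove-UserRoleAssignmentsRecursive -Zone $child -SamAccountName $SamAccountName
    }
    return $found   # audit trail of what was (or would be) removed
}

$user = (Get-ADUser 'jeremy').SamAccountName
$root = Get-CdmZone -Name 'Global'
# Dry run first; re-run without -WhatIf once the listed assignments look right.
Remove-UserRoleAssignmentsRecursive -Zone $root -SamAccountName $user -WhatIf |
    Format-Table TrusteeType, Role, Zone, ComputerRole, Computer
```

Keep the returned list from the dry run as the change record; if the AD object still shows assignments afterwards, the remaining scope is usually a parent zone above the one you started from.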
Participant II
Posts: 2
Registered: ‎02-09-2018
#3 of 3 101

Re: Can we remove Role Assignments per user

Okay, so for my situation I'll need to iterate through all of them, as expected.


Thank you!