Zone delegation permissions
Hello @KBC10976,
Welcome to Centrify.
Zone Delegation Report
The quickest answer is that you can leverage the "Zone Delegation Report" from the Access Manager report center.
PROS: This will give you a granular report per principal and the rights they have. You can export to pdf, excel, xml, etc.
CONS: It will be slow in a large AD environment. It's using LDAP.
Reporting by other Means
Using the recommended best practices.
This makes reporting a simple exercise on listing AD group memberships.
The Centrify OU structure pre-creates AD groups ready for delegations, Centrify OU > Zone Administration. The lastest best practice establishes 4 groups:
Centrify Administrators have all rights
Authorization Managers have the rights related to rights, roles and role assignments (Add/remove/modify)
UNIX Data managers have the rights related to user/group & local user/local groups as well as NIS maps (add/remove/modify)
Computer Managers have the rights related to computers (add/remove/modify).
From that point on, you can simply report on group membership. E.g. PowerShell
Get-ADGroupMember "Centrify Administrators" | Select-Object name name ---- John Doe Diana Wirth
E.g using adquery group
$ dzdo adquery group -A "Centrify Administrators" | grep members Demo Password: members:centrify.vms/Staff/IT/John Doe, centrify.vms/Staff/IT/Diana Wirth
Alternatively, you can use the attached PowerShell script to generate the report.
PS C:\.\ZoneDelegationReport.ps1 -Trustee dba@centrify.vms -Zone Global Permission Trustee Zone ---------- ------- ---- ModifyZone dba@centrify.vms Global AddUsers dba@centrify.vms Global AddGroups dba@centrify.vms Global AddLocalUsers dba@centrify.vms Global AddLocalGroups dba@centrify.vms Global JoinComputers dba@centrify.vms Global DeleteZones dba@centrify.vms Global RemoveUsers dba@centrify.vms Global RemoveGroups dba@centrify.vms Global RemoveLocalUsers dba@centrify.vms Global RemoveLocalGroups dba@centrify.vms Global RemoveComputers dba@centrify.vms Global ModifyUsers dba@centrify.vms Global ModifyGroups dba@centrify.vms Global ModifyLocalUsers dba@centrify.vms Global ModifyLocalGroups dba@centrify.vms Global ModifyComputers dba@centrify.vms Global ComputersAsNisServers dba@centrify.vms Global Import dba@centrify.vms Global ManageRolesAndRights dba@centrify.vms Global ModifyComputerRoles dba@centrify.vms Global AddRemoveNisEntry dba@centrify.vms Global ModifyNisEntry dba@centrify.vms Global AddProfilesToComputers dba@centrify.vms Global RemoveProfilesFromComputers dba@centrify.vms Global ModifyProfilesInComputers dba@centrify.vms Global DelegateMachineOverridePermissions dba@centrify.vms Global CreateNismap dba@centrify.vms Global CreateComputerZonesComputerRoles dba@centrify.vms Global ManageRoleAssignments dba@centrify.vms Global
I hope this highlights the benefits of using the best practices.
Writing your own
I am not an adedit or TCL expert, but I'd look under the samples folder (/usr/share/centrifydc/samples/adedit) or look at the script I attached to this post. That is the PowerShell version of the Zone Administration report included with the PowerShell samples. If you are versed in adedit, you should be able to see the logic and translate it into it.
Also, maybe one of the PS folks will chime-in to this thread.
R.P
Follow Centrify:
