Zone delegation permissions

Showing results for 
Search instead for 
Do you mean 
Participant II
Posts: 2
Registered: ‎05-02-2016
#1 of 3 3,880
Accepted Solution

Zone delegation permissions

[ Edited ]



In our setup we have granted zone permissions to users and to groups.
Now, I would like to create a report in orde to list out those permissions.


Is there a standard way to retrieve/list out thes kond of permissions?
Does any one has a report or or a tcl script to do so?


Thank you for a reply.


Erwin Mellaerts

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#2 of 3 3,867

Re: Zone delegation permissions

[ Edited ]

Hello @KBC10976,


Welcome to Centrify.


Zone Delegation Report

The quickest answer is that you can leverage the "Zone Delegation Report" from the Access Manager report center.

zone delegation report.png

PROS:  This will give you a granular report per principal and the rights they have.  You can export to pdf, excel, xml, etc.

CONS:  It will be slow in a large AD environment.  It's using LDAP.


Reporting by other Means

Using the recommended best practices.

This makes reporting a simple exercise on listing AD group memberships.


The Centrify OU structure pre-creates AD groups ready for delegations,  Centrify OU > Zone Administration.  The lastest best practice establishes 4 groups:



Centrify Administrators have all rights

Authorization Managers have the rights related to rights, roles and role assignments (Add/remove/modify)

UNIX Data managers have the rights related to user/group & local user/local groups  as well as NIS maps (add/remove/modify)

Computer Managers have the rights related to computers (add/remove/modify).


From that point on, you can simply report on group membership.  E.g. PowerShell

Get-ADGroupMember "Centrify Administrators" | Select-Object name

John Doe
Diana Wirth

E.g using adquery group

$ dzdo adquery group -A "Centrify Administrators"  | grep members
Demo Password: 
members:centrify.vms/Staff/IT/John Doe, centrify.vms/Staff/IT/Diana Wirth

Alternatively, you can use the attached PowerShell script to generate the report.

PS C:\.\ZoneDelegationReport.ps1  -Trustee dba@centrify.vms -Zone Global

Permission                              Trustee                                 Zone
----------                              -------                                 ----
ModifyZone                              dba@centrify.vms                        Global
AddUsers                                dba@centrify.vms                        Global
AddGroups                               dba@centrify.vms                        Global
AddLocalUsers                           dba@centrify.vms                        Global
AddLocalGroups                          dba@centrify.vms                        Global
JoinComputers                           dba@centrify.vms                        Global
DeleteZones                             dba@centrify.vms                        Global
RemoveUsers                             dba@centrify.vms                        Global
RemoveGroups                            dba@centrify.vms                        Global
RemoveLocalUsers                        dba@centrify.vms                        Global
RemoveLocalGroups                       dba@centrify.vms                        Global
RemoveComputers                         dba@centrify.vms                        Global
ModifyUsers                             dba@centrify.vms                        Global
ModifyGroups                            dba@centrify.vms                        Global
ModifyLocalUsers                        dba@centrify.vms                        Global
ModifyLocalGroups                       dba@centrify.vms                        Global
ModifyComputers                         dba@centrify.vms                        Global
ComputersAsNisServers                   dba@centrify.vms                        Global
Import                                  dba@centrify.vms                        Global
ManageRolesAndRights                    dba@centrify.vms                        Global
ModifyComputerRoles                     dba@centrify.vms                        Global
AddRemoveNisEntry                       dba@centrify.vms                        Global
ModifyNisEntry                          dba@centrify.vms                        Global
AddProfilesToComputers                  dba@centrify.vms                        Global
RemoveProfilesFromComputers             dba@centrify.vms                        Global
ModifyProfilesInComputers               dba@centrify.vms                        Global
DelegateMachineOverridePermissions      dba@centrify.vms                        Global
CreateNismap                            dba@centrify.vms                        Global
CreateComputerZonesComputerRoles        dba@centrify.vms                        Global
ManageRoleAssignments                   dba@centrify.vms                        Global


I hope this highlights the benefits of using the best practices.


Writing your own

I am not an adedit or TCL expert, but I'd look under the samples folder (/usr/share/centrifydc/samples/adedit) or look at the script I attached to this post.  That is the PowerShell version of the Zone Administration report included with the PowerShell samples.  If you are versed in adedit, you should be able to see the logic and translate it into it.


Also, maybe one of the PS folks will chime-in to this thread.



Want to learn more about practical Centrify examples? Check out my blog at
Follow Centrify:
Participant II
Posts: 2
Registered: ‎05-02-2016
#3 of 3 3,840

Re: Zone delegation permissions

Thank you.
I'll give it a try.