add AD users and AD groups

Participant II (Posts: 5, Registered: 12-04-2017)
#1 of 8
Accepted Solution

We have multiple child zones under Global and I'm wondering what the best practice would be to add AD users and groups to a child zone. We started by using ZPA on the global zone, but then all the groups added were visible to all servers in our environment. At least for adding users to the ZPA provisioning group, they were only visible to servers if we explicitly added them to that zone. Also, for the users, some of those users would only be in one or two child zones, so should we enable ZPA on those child zones? As a note, this child zone has a different default user group than what is used for all global users.

Posts: 961 | Topics: 3 | Kudos: 256 | Blog Posts: 6 | Ideas: 0 | Solutions: 126 | Registered: 07-06-2010
#2 of 8

Re: add AD users and AD groups

Thank you for using Centrify!


The recommendation is the following:

  • UNIX-enable all users at the Global Zone level
  • In addition, UNIX-enable users at the child zone level if attributes need to be different for users on the systems in the child zones (i.e. a different primary group)
  • UNIX-enable groups at the Child Zone vs. the Global Zone unless the groups need to be visible across all servers
  • Always enable ZPA to automate UNIX profile provisioning across all Zones that will have user/group UNIX profiles


Hope this helps.  Let us know if you have any questions.


Regards,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
Found my response helpful? Click the Kudos button!
Participant II
#3 of 8

Re: add AD users and AD groups

That all makes sense. So, I'm guessing there's no easier way to make sure the users in the groups added to the child zones are also added to the Centrify environment? We've tried just adding the groups to the child zones, but we've noticed that unless those users were individually added, they are not visible on the servers.


It's my understanding the ZPA should only be configured on the global zone and not the child zones, is that correct?


To make sure I understand correctly: I have UserA, so I use ZPA at the global zone to get a default profile, but since UserA has a different primary unix group on ChildZoneB, I should also add UserA to ChildZoneB with the correct primary unix group?

#4 of 8

Re: add AD users and AD groups

Good to hear. 


You can add the groups to the child zones and, as long as members have UNIX profiles defined in the zone hierarchy, the users will be members of those groups on the systems they have access to.  In short, the groups and the users must have UNIX profiles since UNIX requires it.


Now, what I recommend customers do is use ZPA with a provisioning group and make the groups they use to grant access, members of the provisioning group.  This way as they change the membership of access groups, users will be part of the provisioning group as well and ZPA creates UNIX profiles for them.


I always recommend automating the UNIX profile creations with ZPA at both the Global Zone and Child Zone levels, if applicable.  


Your understanding is correct.  You can either set up ZPA for ChildZoneB to automate profile creation or manually add UserA to ChildZoneB.


Let us know if you have any questions.


Regards,


Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
Participant II
#5 of 8

Re: add AD users and AD groups

My apologies, I think I'm following. So, we have two provisioning groups for the global zone, 'cfyP_Global_Groups' and 'cfyP_Global_Users'. Right now, users go in 'cfyP_Global_Users' to get their Unix Profile, and 'cfyP_Global_Groups' is just for groups (which I've noticed only creates Unix group profiles, it does not create Unix user profiles for the members of those groups). Are you suggesting we put our users in the access groups, which is required for login or listing access, then put those access groups in the 'cfyP_Global_Users' provisioning group?


For example, the 'cfyR_childA_LinuxServers_UnixLogin' group allows access to our ChildA Linux servers, so instead of putting all the users currently in the group 'cfyR_childA_LinuxServers_UnixLogin' into 'cfyP_Global_Users', we'd put the group 'cfyR_childA_LinuxServers_UnixLogin' in 'cfyP_Global_Users' and make sure all the users are in the access group 'cfyR_childA_LinuxServers_UnixLogin'?  (that's all clear as mud)


If that is what you're saying, I was under the impression that was bad practice? Although, it certainly would simplify everything.

#6 of 8

Re: add AD users and AD groups

No worries.  This is what we're here for. 


Great job summarizing!  That's exactly the recommendation and a best practice.  As you noted, this will simplify your setup.  We do recommend the provisioning groups are created as AD distribution groups vs. security groups.


Regards,


Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
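The layout the thread settles on (access groups nested inside a ZPA provisioning group that is a distribution group, instead of copying every user into the provisioning group) can be built and checked with the RSAT ActiveDirectory module alone. The script below is an added example written for this page; it is not code from the thread or from Centrify, and it does not touch ZPA or the zones themselves, only the AD group structure ZPA reads. Assumptions: you run it on a domain-joined Windows host with RSAT installed and rights to create groups; the OU path and the second access group name `cfyR_childB_LinuxServers_UnixLogin` are hypothetical; `cfyP_Global_Users` and `cfyR_childA_LinuxServers_UnixLogin` are the names used in the thread. The security point behind the distribution-group recommendation is that a distribution group is not security-enabled, so nesting a login-granting access group inside it adds no permissions anywhere; the access group stays the only thing that grants login.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread or from Centrify. Builds the recommended
# provisioning-group layout and verifies that every access-group user resolves
# exactly once through the provisioning group.
param(
    [string]$GroupOU = "OU=Centrify,DC=example,DC=com"   # assumed OU path
)

$provisioningGroup = "cfyP_Global_Users"                   # name from the thread
$accessGroups      = @(
    "cfyR_childA_LinuxServers_UnixLogin",                  # name from the thread
    "cfyR_childB_LinuxServers_UnixLogin"                   # assumed second access group
)

# 1. Provisioning group as a Distribution group. It is not security-enabled,
#    so it cannot be used in an ACL or appear as a granting SID; membership
#    in it only tells ZPA "create a UNIX profile for this principal".
if (-not (Get-ADGroup -Filter "Name -eq '$provisioningGroup'" -SearchBase $GroupOU)) {
    New-ADGroup -Name $provisioningGroup -SamAccountName $provisioningGroup `
        -GroupScope Global -GroupCategory Distribution -Path $GroupOU `
        -Description "ZPA provisioning: members receive a UNIX profile in the Global zone"
}

# 2. Access groups stay Security groups (they are what grants login) and are
#    nested into the provisioning group instead of duplicating their members.
$directMembers = @(Get-ADGroupMember -Identity $provisioningGroup).SamAccountName
foreach ($g in $accessGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $GroupOU
    }
    if ($g -notin $directMembers) {
        Add-ADGroupMember -Identity $provisioningGroup -Members $g
    }
}

# 3. Verify: flatten the provisioning group and compare with the union of the
#    access groups. Sort -Unique on the DN covers the "user in more than one
#    access group" case from the thread: one principal, one profile.
$effective = @(Get-ADGroupMember -Identity $provisioningGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Sort-Object -Property distinguishedName -Unique)

$expected = @($accessGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object objectClass -eq 'user' |
    Sort-Object -Property distinguishedName -Unique)

$missing = @(Compare-Object -ReferenceObject $expected -DifferenceObject $effective `
    -Property distinguishedName | Where-Object SideIndicator -eq '<=')

if ($missing.Count -gt 0) {
    Write-Warning "Users in an access group but not reachable from ${provisioningGroup}:"
    $missing | ForEach-Object { Write-Warning ("  " + $_.distinguishedName) }
} else {
    "All {0} access-group users resolve once through {1}" -f $effective.Count, $provisioningGroup
}

# 4. Guard the other direction: no user should be a direct member of the
#    provisioning group any more; everyone should arrive via an access group,
#    so removing someone from the access group also stops their provisioning.
$directUsers = @(Get-ADGroupMember -Identity $provisioningGroup |
    Where-Object objectClass -eq 'user')
if ($directUsers.Count -gt 0) {
    Write-Warning ("Direct user members still present in ${provisioningGroup}: " +
        ($directUsers.SamAccountName -join ', '))
}
```

Run it once to create the layout and again after any change to an access group; step 4 is the check that keeps the design honest, because a user added directly to the provisioning group keeps a UNIX profile even after being removed from every access group. ZPA still has to be enabled on each zone that should receive profiles, as the thread notes for child zones; this script only prepares the AD side.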
Participant II
#7 of 8

Re: add AD users and AD groups

I assume that if a user was in more than one access group, Centrify is smart enough not to create multiple Unix profiles for them.


Thank you for all your help

#8 of 8

Re: add AD users and AD groups

That's exactly right!


Glad we were able to help.

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation