Welcome to the Centrify Forums!
Note that you're posting on the Express forum but are asking a question about our commercial features. If you are a commercial customer, we can arrange for you to post in the Server Suite forum and have access to the KB.
Background
With the Zone Provisioning Agent (ZPA), you can simplify the UNIX-enablement of AD user accounts or AD groups (into primary/secondary groups) as well as group membership.
ZPA makes the process as simple as:
- add a user principal to an AD security group, and they get access/privileges to systems;
- remove a user principal from an AD security group, and they lose access/privileges to systems;
- nest an AD group to a provisioning group and the group becomes visible as a UNIX/Primary or secondary group on a system or group of systems (un-nest to remove);
- add/remove members of a UNIX-enabled group, they are added/removed from a primary/secondary UNIX group.
Note: ZPA design is usually covered by Centrify Professional Services.
The permissions required for the zone provisioning service account (aside from the log on as a service on the Windows system running ZPA) depend on your design and what you want to accomplish; for example, if you are using ZPA to provision user profiles, the only permissions needed at the Zone level are:
- Change zone properties - if you're using auto-incremented UIDs
- Add users - to add UNIX identities to AD users (login, uid, primarygroup, gecos, home, shell)
- Remove users - to remove UNIX identities from AD users
- Modify user profiles - to modify existing profiles
This wizard is found when you right-click the zone in question (Delegate Zone Properties). Also, if working with groups, you need to add the corresponding entries for groups (e.g. add groups to the zone).
If you have parallel zones (you must have a good reason for this), you have to do this in all zones you want to provision.
ZPA Documentation Resources
Planning and Deployment Guide: https://docs.centrify.com/en/css/suite2016/centrify-unix-deployment-guide.pdf
UNIX administration guide: https://docs.centrify.com/en/css/suite2016/centrify-unix-adminguide.pdf
Elsewhere on the Web
Centrify The Show: https://www.youtube.com/watch?v=zp6CEai_npo
I also covered this topic in my personal blog:
Users: http://centrifying.blogspot.com/2014/01/basics-automatic-unix-profile.html
Groups: http://centrifying.blogspot.com/2014/03/basics-automatic-unix-profile.html
Understanding Time: http://centrifying.blogspot.com/2014/06/troubleshooting-understanding-how-time.html
Alternatives to ZPA
Centrify DirectManage PowerShell
I hope this helps.
R.P