Using Centrify for Windows group policy

Posted on 2013-01-30
Last Modified: 2013-02-18
I was reading an article on this link:

Actually I would like to have our Mac computers under control of windows AD GPOs.
the article states that I need :
- Installing the Centrify DirectManage tools and using Centrify Deployment Manager
but it does not say if It has to be installed on windows domain controller or on another system.

-Using Deployment Manager to install the Centrify DirectControl Agent on target systems and join them to Active Directory.

any prior configuration on Non-windows computers before installing the Centrify DirectControl Agent on them ?

Thank you.
Question by:jskfan
  • 4
  • 2
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 38838641
It is installed on the client only, you will have to create an OU for centrify.

Author Comment

ID: 38838801
Can you clarify it.
What to install on the client (Mac computers) and what to install in the DC.
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 38838823
You install the client on the MAC and NOTHING on the DC
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.


Author Comment

ID: 38838841
the link says:
Deploying the Centrify Suite consists of two steps:

¦Installing the Centrify DirectManage tools and using Centrify Deployment Manager to discover network non-Windows systems in your environment
¦Using Deployment Manager to install the Centrify DirectControl Agent on target systems and join them to Active Directory

it is confusing

Author Comment

ID: 38846454
any clarification based on the link , please?

how do the MAC specific settings become available in AD Group policy ?

LVL 61

Accepted Solution

btan earned 250 total points
ID: 38850784
Extracted a couple of useful info and para to aid understanding...hope it helps

On UNIX, Linux and Macintosh computers, there is no equivalent to the Windows registry. The de-facto standard for configuration is through text-based configuration files. To enforce Active Directory's Group Policies on these non-Microsoft platforms, DirectControl creates a "virtual registry" to hold the Group Policy configuration settings that apply to that managed system and the users logging in to it.

For each configurable application that a policy applies to, DirectControl provides a specific mapping program that translates these virtual registry settings and updates the appropriate configuration file for that application with the settings defined by the policy.

On each DirectControl-managed computer, the DirectControl Agent is responsible for contacting Active Directory to determine the relevant policies and copying them down to a set of virtual registry files. These policy files are refreshed in the same way they are on Windows systems: when a user logs in, on computer restart, and at periodic intervals defined by Group Policy. Administrators can also update Group Policy on demand.

The Deployment Manager automatically detect Mac OS X systems within your environment and test them for readiness to join Active Directory, helping you identify and eliminate many common issues (such as DNS configuration problems) that slow down deployment of the Centrify DirectControl agent. Deployment Manager can then remotely install DirectControl on these Mac systems, automatically downloading the most current version for you from the Centrify website. You can also centrally update DirectControl on these systems as new releases become available.

The Centrify DirectControl for Mac OS X installation program is also provided in universal binary format, making it easy to deploy DirectControl on individual systems or across the enterprise.

Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl's workstation mode streamlines installation using the same methodology to add a Mac workstation to an Active Directory domain as that used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters.

A major advantage of workstation mode is that the installation process has been streamlined. You do not need to install the Centrify Administrator's Console first. You simply install DirectControl on a Mac and it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. During workstation installation, Macs are not added to a DirectControl Zone, but if you want to use patented Zone technology to limit access to Macs to a select set of users or groups, it is easy enough to install the Centrify Administrator Console and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed.

If you have ~30 min to spare, catch this video

Author Closing Comment

ID: 38904398
Thank you!!

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now