Creating Licensing Reports with the Licensing Report Wizard

The Licensing Report wizard collects information about the Delinea software you have deployed, including how many licenses you have installed, where they are used, where they are inactive, and the number of licenses that remain available in the forest. Information is reported for audit and monitoring service, authentication and privilege elevation licenses.

The wizard is installed by default when you install Server Suite on a Windows computer. You can also download and install the wizard separately using a standalone setup program as described in Installing the Licensing Report Wizard.

Depending on the version of your installed Delinea software, the following nomenclature caveats could apply:

  • Licenses for authentication and privilege elevation might be shown as DirectControl and DirectAuthorize licenses in examples and command output.
  • Licenses for audit and monitoring service might be shown as DirectAudit licenses in examples and command output.

Permissions Required to Generate a Licensing Report

You must have the following privileges to generate a licensing report:

For this Delinea software You must have
Delinea Server Suite Express for UNIX/Linux A user account in a domain that is trusted by other domains in the forest, or an account that can search and read information from all of the domains in the forest.
Authentication & Privilege A user account in a domain that is trusted by other domains in the forest, or an account that can search and read information from all of the domains in the forest.
Audit & Monitor A user account with the permissions required for Authentication & Privilege plus the “Manage License” or “View” permission for the audit and monitoring service installation.

You can specify different user accounts when you run the wizard, if needed. For example, you might need to use different accounts to collect information about one or more audit and monitoring service installations.

Information Required to Produce the Licensing Report

Before you run the wizard, verify that you have the following information available:

What you need Here’s why
Folder location

The Licensing Report wizard can be installed with Server Suite or downloaded and installed as a separate executable file.

If you download the file from the Centrify website, it is saved by default in your Downloads folder. This folder is usually located on the drive where Windows is installed in a folder with your user name. For example, the path to the file might be similar to this:

 

C:\Users\your_name\Downloads

Domain controller

Centrify products are licensed for the entire forest. Therefore, the wizard must be able to connect to a domain controller that can access Active Directory information for the entire forest.

You are prompted to specify the domain controller and credentials for connecting to the domain when you start the wizard. Alternatively, you can specify the name of a domain that is trusted to access other domains in the forest.
User credentials for authentication and privilege elevation (DirectControl and DirectAuthorize)

The wizard must be able to read license and deployment information from the domain controller that has access to all domains in the forest. By default, your logon account credentials are used to connect to the domain controller.

If your logon account does not have the List Objects permission to access the domain controller, you can specify a different user name and password when prompted to specify the account credentials for connecting to the domain.
User credentials for audit and monitoring service (DirectAudit)

The licensing report wizard attempts to retrieve usage information from Active Directory before attempting to retrieve information from audit store databases. The wizard attempts to connect to audit store databases only if the information is not found in Active Directory. If the wizard needs to connect to an audit store database, user credentials and the “Manage License” or “View” permission for each installation are required.

By default, the same user credentials are used to get all deployment information. However, if the user account does not have the “Manage License” or “View” permission, you can specify a different user name and password for audit installations when prompted.
Report output configuration

You need to specify the file name and folder location for the licensing report generated by the wizard.

You must also decide whether the report output should show or hide information about the computers where you have deployed Centrify software. If you choose to hide zone, computer, and installation names, the information will be replaced with a one-way hash of the text to prevent the computers from being identified in the report. If you choose this option, you will not be able to review and validate license information for specific computers.

The report output is saved as comma-separated values (CSV) in a text file.

Preparing to run the Licensing Report wizard

To keep the report output concise, Delinea recommends that you check for and remove orphaned computer accounts and decommissioned computers before generating a licensing report.

To check for and remove orphaned and decommissioned computers:

  1. Open Active Directory Users and Computers and delete the computer objects associated with the decommissioned computers.

  2. Open Access Manager.

  3. Right-click Access Manager in the navigation pane, then select Analyze.

  4. Select Orphan zone data objects and invalid data links, then click Next.

  5. Click Finish.

  6. Select Analysis Results to check whether any orphan information was found.

    If there are deleted computer objects with an orphan zone profile listed in the Analysis Results, select the issue, right-click, then select Remove orphan profile.

Running the Licensing Report Wizard

After you have installed the Licensing Report wizard as part of Server Suite or as a separate standalone installation package, you can run the wizard to generate a licensing report. You can start the wizard from within Access Manager or by navigating to it from the Start menu.

To run the wizard from within Access Manager:

  1. Open Access Manager.

  2. Right-click Access Manager, then select either Centrify Licensing Report (DirectControl) or Centrify Licensing Report (DirectControl & DirectAudit).

    If you select DirectControl, the licensing report utility automatically checks the current forest for authentication and privilege elevation information using your current account credentials. If you need to specify different credentials or check audit and monitoring service licenses, select Centrify Licensing Report (DirectControl & DirectAudit) or from the Start menu select Centrify Licensing Report.

  3. Click Next to accept the default domain controller and your current credentials to retrieve deployment information.

    If necessary, you can specify a different domain controller and select the option to specify a different user if your current account does not have permissions to retrieve deployment information, then click Next.

  4. If the Audit Management service is not running, or if DirectManage Audit version 2015.1 or earlier is installed, or if you do not have the necessary audit and monitoring service permissions, you are prompted to specify credentials to retrieve audit installation information.

    If you see this prompt, click Next to use your current credentials to retrieve audit installation information.

    If necessary, you can select the option to specify a different user, then specify a different user name and password if your current account does not have the “Manage Licenses” or “View” permission for the audit Installation, then click Next.

    If you do not see this prompt, go to Step 6 and continue from there.

  5. If the Audit Management service is not running, or if DirectManage Audit version 2015.1 or earlier is installed, or if you do not have the necessary audit permissions, you are prompted to specify whether your current credentials can be used to retrieve audit and monitoring service installation information.

    If you see this prompt, click Next if the credentials specified in Step 4 can retrieve information for all of the audit installations listed.

    If necessary, you can select an audit and monitoring service installation and click Change Credentials to specify a different user name and password for connecting to a specific installation, then click Next.

    If you do not see this prompt, go to Step 6 and continue from there.

  6. Specify the name and folder location for the licensing report and whether to hide host, zone, and installation names in the report output, then click Next.

    • By default, the licensing report output is located in your Documents folder with a name in the format of Centrify_Licensing_Report_yyyymmdd.txt, where yyyymmdd is the year, month, and date indicating when you are generating the report. If a report of the same name already exists in that location, a version number suffix is added to the default report name.
    • Select the option to Hide host, zone, and installation names from the report to keep this information private. The wizard will generate random strings to replace host, zone, and installation names in the report output. Note that selecting this option does not obfuscate the Active Directory forest name. The forest name is required to send the report output to Delinea. All other names included in the report can be replaced with random strings.

  7. Review the output location and file name, then click Next to generate the report.

  8. To preview the report before saving it or sending it to Delinea, click Preview Report.

    To open the report for editing or to save it as a different file name, leave the Open the output report option selected and click Exit.

    To send the report output directly to the Delineay Support portal, click *Send to Delinea.

  9. Click OK to acknowledge that the report will be sent and continue.

    You will be given a reference number for communicating with support about the report and prompted to log in using your Delinea account user name and password. After logging in, click Continue to display details about your report.

Running the utility as a separate package

You can access the shortcut for the licensing report executable directly from the Start menu. If Licensing Report is not pinned to the Start menu, use Start menu searching to locate and start the licensing report utility. After you open the utility, the steps for generating the report are the same as the steps in the previous section. Follow the instructions in the wizard to generate the report output.

Running the utility from the command line.

As an alternative to running the licensing report utility as a wizard, you can use the command-line interface to run the wizard in a Command Prompt window. To use the command-line interface for the utility, navigate to the directory where the CentrifyDeploymentReport.exe file is located (the default location is C:\Program Files\Centrify\Deployment Report). Open a Command Prompt window, and execute the command using the following syntax:

CentrifyDeploymentReport.exe [/standardmode] [/server=server] [/plaindata] [/silent /output=filepath [/force]] [/help] [/?]

You can use the following options with the utility:

Use this option To do this
/standardmode Run CentrifyDeploymentReport.exe with standard edition support only.
/server=server Specify the name of a domain controller in the forest for which you want to run the report.
/plaindata Include host, zone, and installation names in the report. By default, host, zone, and installation names are not included in the report.
/silent Run CentrifyDeploymentReport.exe in silent mode. You can use this option when generating the report for Server Suite standard edition using the /standardmode option, or without the /standardmode option to generate an report that includes audit and monitoring service information.
/output=filepath Specify output file path and file name of the licensing report. You can use this option only when you are using the /silent option.
/force Force the generation of a new licensing report even if the output file specified already exists. You can use this option only when you are using the /silent option.
/help, /? Display command syntax and usage information.

Reviewing the Licensing Report Output

The Licensing Report wizard generates a report formatted as a set of comma separated values (CSV) in a text file. The report contains two main sections:

  • The first section contains summary information about the counted computers where you have Delinea software deployed.

  • The second section contains detailed information about the computers where you have Delinea software deployed, including separate areas for counted and uncounted computers. If a computer is uncounted, a comment explains the reason why it is uncounted.

    See How Computers are Counted for Licensing Reports for more information about which computers in the forest are counted, and how their licenses count against the total number of available licenses.

The first and second report sections are separated from each other as follows:

alt

Just before the end of Section 1, a checksum is included to validate the authenticity of the report. For example:

Checksum,1,"frACfH0SRjhEDxPFU5ZAbfoZ5ISMKm1ZFqssWG79V4Wr3QC4Fp1wneQG03U26C+lU0608J5PdrV2vuH0nMJLxcdi6cV4nerrZPhmhlIf7MU="

Editing the checksum or any other part of Section 1 invalidates the report. If you make any changes in this section, you will need to generate a new report.

You should also note that the last lines in the report are a report identifier string and the version number of the Licensing Report wizard that generated the report. For example, you might see lines similar to this at the end of the report:

Report ID,"8OY5i6p0LZtePMYTAg0PqcImIZA="
Version,"5.4.0.118"

You should not modify or delete the report identifier or the version number.

How Computers are Counted for Licensing Reports

To generate a report, the licensing report software first determines which computers in the forest are validly using Centrify software. These “valid usage” computers are considered “counted” computers. Licenses for counted computers are subtracted from the total number of available permanent workstation or server licenses, and their licensing summary information is reported in Section 1 of the licensing report.

Counted Computer Scenarios

A computer is counted if the following scenarios are true:

  • The computer’s zone status is Auto Zone or Zoned. This scenario applies only to computers where authentication and privilege elevation features are installed.
  • The computer has a status of Active.

Uncounted Computer Scenarios

Uncounted computers are included (together with counted computers) in Section 2 of the licensing report, but are not shown in Section 1 because their licenses are not subtracted from the total number of available licenses.

A computer is uncounted if any one of the following scenarios is true:

  • The computer’s zone status is Express or Zoneless. This scenario applies only to computers where authentication and privilege elevation features are installed.
  • The computer is using an authentication and privilege elevation license, and is joined to the Null Zone. Note that computers using audit and monitoring service licenses are counted even if they are joined to the null zone.
  • The computer has a status of Inactive.
  • The computer is using an authentication and privilege elevation license, and is Orphaned (the computer profile exists in the zone but the corresponding Active Directory computer object has been removed). Note that computers using audit and monitoring service licenses are counted even if they are orphaned.
  • The computer has a Duplicated audit and monitoring service license (the audit and monitoring service agent was migrated from one installation to another, and the time stamp of the agent from the earlier installation has not expired).
  • The computer has an Unknown logon time (the computer has never joined the domain).

License Type Information for Managed and Audited Computers

If you have authentication and privilege elevation features or audit and monitoring service features deployed, the summary in report Section 1 includes information about the type of Delinea license in use on each computer.

License type can be one of the following values:

  • Server
  • Workstation
  • None (The license type cannot be determined from the Active Directory object, as is the case when the computer is orphaned, or the agent is from a release earlier than 2015.1.)

See Understanding License Types for more information about license types.

Zone information for managed computers

If you have authentication and privilege elevation features deployed, report Section 1 includes zone mode information in the “DirectControl/DirectAuthorize Agent Type” string shown in Example 2: Zone Mode and Number of Agents.

Zone mode applies only to computers where authentication and privilege elevation features are installed. Zone mode does not apply to computers using audit and monitoring service licenses.

Depending on the nature of your deployment, the zone mode information displays one of the following values:

  • Auto Zone if the computer is in a Centrify Auto Zone.

    You cannot use Centrify rights and roles on computers joined to an Auto Zone.

    If the Zone mode for a computer is Auto Zone, the computer is included in the authentication service (DirectControl) license count.

  • Zoned if the computer is in a standard Centrify zone.

    All authentication and privilege elevation features are supported for computers in Centrify zones on most platforms. However, the Centrify Agent for Mac OS does not support Centrify rights and roles.

    If the Zone mode for a computer is Zoned, the computer is included in the authentication service (DirectControl) license count.

  • Express if the computer has a Delinea Server Suite Express agent installed.

    Computers with a Delinea Server Suite Express agent have limited functionality. For example, you cannot apply group policies or use Centrify rights and roles on computers with the Delinea Server Suite Express agent.

    If the Zone mode for a computer is Express, the computer is not included in the authentication service (DirectControl) license count.

  • Zoneless if a computer has the Centrify Agent installed but is not connected to a zone.

    This agent type is primarily for computers that use Centrify MFA for Windows login authentication.

    If the Zone mode for a computer is Zoneless, the computer is not included in the authentication service (DirectControl) license count.

  • Null Zone if a computer is joined to the null zone.

    If the Zone mode for a computer is Null Zone, the computer is not included in the authentication service (DirectControl) license count.

See Example 2: Zone Mode and Number of Agents for details about how zone mode information is displayed in the report.

Status information for managed and audited computers

If you have authentication and privilege elevation features or audit and monitoring service features deployed, the counted/uncounted information in report Section 2 indicates the status of the computer as Active or Inactive:

  • Active if the computer has been used for authentication and privilege elevation, or for audit and monitoring service, within 45 days prior to the date that the report was run.

    Computers with an active status are included in the license count.

    For authentication and privilege elevation licenses, the time stamp of the managed computer logon to the domain controller is monitored if the functional level of the domain controller is Windows Server 2003 or later. The licensing report uses the time stamp of the LastLogonTimestamp attribute to determine whether there has been logon activity within 45 days prior to the date that the report was run.

    For audit and monitoring service licenses, the licensing report uses the most recent time that the managed computer has communicated with a collector to determine whether there has been auditing activity within 45 days prior to the date that the report was run.

  • Inactive if the computer has not been used for authentication and privilege elevation, or for audit and monitoring service, within 45 days prior to the date that the report was run.

    Inactive computers are not included in the license count.

See Example 6: Counted Identity and Privilege Elevation Computers for an example of computer status information.

Remarks for Managed and Audited Computers

If you have authentication and privilege elevation features or audit and monitoring service features deployed, the counted/uncounted information in report Section 2 includes remarks about the following computers:

  • Uncounted computers with authentication and privilege elevation licenses.
  • Counted and uncounted computers with audit and monitoring service licenses.

Remarks provide additional information about why a computer is uncounted, and other significant information to be aware of. See Example 7: Counted Audit and Monitoring Service Computers and Example 8: Uncounted Computers of All License Types for examples of remarks strings.

The Remarks string can have the following values:

  • Duplicated if an audit and monitoring service agent was migrated from one installation to another (such as during an upgrade), and the time stamp of the agent from the earlier installation has not expired.

    Computers with duplicated licenses are not counted. That is, the license is only counted once.

  • Excluded due to null zone if the computer was not counted because it is joined to the null zone.

    Computers with authentication and privilege elevation features (DirectControl and DirectAuthorize licenses) are not counted if they are joined to the null zone.

    Computers with audit and monitoring service features (DirectAudit licenses) are included in the auditing license count even if they are joined to the null zone.

  • Excluded due to zoneless mode if the computer has a zone mode of Zoneless (that is, the computer has the Centrify Agent installed but is not connected to a zone).

  • Excluded due to express mode if the computer has a Delinea Server Suite Express agent installed.

  • Inactive if the computer has a status of Inactive as described in Status Information for Managed and Audited Computers.

  • None if no additional information is required.

  • Orphaned if the computer profile exists in the zone but the corresponding Active Directory computer object has been removed.

    Orphaned computers with authentication and privilege elevation features (DirectControl and DirectAuthorize licenses) are not included in the license count. You can use Access Manager to delete orphan profiles as described in Preparing to run the Licensing Report wizard.

    Orphaned computers with audit and monitoring service features (DirectAudit licenses) are included in the auditing license count if the computer has communicated with a collector within 45 days prior to the date that the report was run.

  • Unknown logon time if the computer has never joined the domain. This situation typically occurs when you use Access Manager to prepare a UNIX computer prior to joining the computer to the domain. Computers with an unknown logon time are not included in the license count.

  • Vault-based systems are your Windows, UNIX, and/or network devices that are managed by and audited by the Server Suite.

Evaluation Licenses for Managed and Audited Computers

If a computer has a valid evaluation license, the detailed section of the licensing report (Section 2) indicates the licensing status as Evaluation (Valid). In the case of valid evaluation licenses, the summary section of the report (Section 1) might show the “Available” licenses as a negative number. You can ignore negative available licenses if you have valid unlimited evaluation licenses. However, if the licensing status indicates an expired evaluation license, you should remove the expired evaluation license key.

Status Information for Zoneless Computers

If a computer has the Centrify Agent installed but is not connected to a zone, its agent type is listed as Zoneless in the licensing report. This agent type is primarily for computers that use Centrify MFA for Windows login authentication.

Examples

This section contains examples of a hypothetical licensing report.

Depending on the version of your installed Centrify software, the following nomenclature caveats could apply:

  • Licenses for authentication and privilege elevation are shown as DirectControl and DirectAuthorize licenses.

  • Licenses for audit and monitoring service are shown as DirectAudit licenses.

    "Join Time" is the point in time when the computer joined to the zone. Because Join Time is a feature introduced in Release 2020, if the agent is older than Release 2020, the Join Time displays as "Unknown."

Example 1: Agent, License Type and Count

The following example shows the first portion of report Section 1, containing summary system information. Colored lines indicate how entries in each section relate to each other. Different line colors are for readability only.

Note that this example shows the agent (DirectControl, DirectAudit, and/or DirectAuthorize), the license type (UNIX, Windows, or combined UNIX and Windows), licenses found, licenses used, and licenses available.

Depending on what types of Centrify licenses you have in your environment, your own licensing report could contain fewer entries than the example shown here.

alt

Example 2: Zone Mode and Number of Agents

The following example shows the next portion of report Section 1, displaying the deployment quantities for each type of DirectControl/DirectAuthorize agent based on zone mode. This example shows the layout of this section rather than example data. Depending on what types of Centrify licenses you have in your environment, your own licensing report might not use all of the layout entries shown here.

DirectControl/DirectAuthorize Agent Type,Deployed Agents
"Zoned Server Windows",#
"Zoned Server Mac",#
"Zoned Server zLinux",#
"Zoned Workstation",#
"Zoned Workstation Windows",#
"Zoned Workstation Mac",#
"Zoned Workstation zLinux",#
"Zoned (Workstation or Server)",#
"Zoned Mac (Workstation or Server)",#
"Zoned zLinux (Workstation or Server)",#
"Auto Zone Server",#
"Auto Zone Server Mac",#
"Auto Zone Server zLinux",#
"Auto Zone Workstation",#
"Auto Zone Workstation Mac",#
"Auto Zone Workstation zLinux",#
"Auto Zone (Workstation or Server)",#
"Auto Zone Mac (Workstation or Server)",#
"Auto Zone zLinux (Workstation or Server)",#
"Null Zone Server",#
"Null Zone Server Mac",#
"Null Zone Server zLinux",#
"Null Zone Workstation",#
"Null Zone Workstation Mac",#
"Null Zone Workstation zLinux",#
"Null Zone (Workstation or Server)",#
"Null Zone Mac (Workstation or Server)",#
"Null Zone zLinux (Workstation or Server)",#
"Zoneless Server Windows",#
"Zoneless Workstation Windows",#
"Express",#
"Express Mac",#
"Express zLinux",#

Example 3: Zone Names and Deployment Details

The following example shows the next portion of report Section 1. Information for DirectControl/DirectAuthorize deployments is sorted by zone. Information for DirectAudit deployments is sorted by agent type and by installation. This example shows the layout of this section rather than example data. Depending on what types of Centrify licenses you have in your environment, your own licensing report might not use all of the layout entries shown here.

Number of Zones,#
DirectControl/DirectAuthorize Zone,Deployed Agents,Location
"Whi8ewrOe/",#,"Z0QApzH7++"
"4eS3i2Cccq",#,"cWepjBPNZ5"
...
DirectAudit Agent Type,Deployed Agents
"Server UNIX/Linux",#
"Server zLinux",#
"Server Windows",#
"Workstation UNIX/Linux",#
"Workstation zLinux",#
"Workstation Windows",#
"UNIX/Linux (Workstation or Server)",#
"AuditedMachine",#
DirectAudit Installation,Version,Status,Deployed Agents
"kiXnFshYnq","2.0 or later","OK",#
"Nt+njcALLE","2.0 or later","OK",#
"2y8grBYVHP","1.3 or earlier","OK",#
...

Example 4: License Detail Summaries

The following example shows the final portion of report Section 1. It displays a summary for authentication and privilege elevation (DirectControl/DirectAuthorize) licenses, and a summary for audit and monitoring service (DirectAudit) licenses.

The Count string in this section is especially useful to check the total number of installed licenses. Other details include license keys, serial numbers, and expiration dates.

If the Shared string displays Yes, the license key is being shared by more than one audit and monitoring service installation.

At the end of Section 1 is a checksum that validates the authenticity of the report. Do not edit the checksum or any other content preceding it before sending the report to Centrify for analysis. This example shows the layout of this section rather than example data. Depending on what types of Centrify licenses you have in your environment, your own licensing report might have more or fewer entries than the layout shown here.

License Report for DirectControl/DirectAuthorizeAgent
Type,License Key,Count,Serial Number,Expiry Date
Evaluation (Valid),XXXXXXXX-XXXXXXXX-XXXXXXX,#,None,"d MM yyyy"
UNIX Server,XXXXXXXX-XXXXXXXX-XXXXXXX,#,######,"None"
UNIX Workstation,XXXXXXXX-XXXXXXXX-XXXXXXX,#,######,"None"
...
License Report for DirectAudit
Agent Type,License Key,Count,Serial Number,Expiry Date,DirectAudit Installation,Shared
Evaluation (Valid),XXXXXXXXXXXXXXXXXXXXXXXX,#,0,"d MM yyyy","GmZ9u0po4M",No
UNIX Server,XXXXXXXXXXXXXXXXXXXXXXXX,#,######,"None","g/qJ26pGdk",No
...
Checksum,1,"frACfH0SRjhEDxPFU5ZAbfoZ5ISMKm1ZFqssWG79V4Wr3QC4Fp1wneQG03U26C+lU0608J5PdrV2vuH0nMJLxcdi6cV4nerrZPhmhlIf7MU="
==== END OF REPORT SUMMARY. DO NOT MODIFY ANYTHING ABOVE THIS LINE =====

Example 5: Counted and Uncounted Computers

The following example shows the first portion of report Section 2, containing information about whether a computer is or is not counted in usage calculations. The counted summary section is a copy of the summary from Section 1 for reference.

Counted Usage Summary
===== END OF REPORT SUMMARY. DO NOT MODIFY ANYTHING ABOVE THIS LINE =====
Counted Usage Summary
Agent Type,Licenses Found,Counted Usage,Licenses Available
DirectControl/DirectAuthorize Server - UNIX,#,#,#
DirectControl/DirectAuthorize Server - Windows,#,#,#
DirectControl/DirectAuthorize Workstation - UNIX,#,#,#
DirectControl/DirectAuthorize Workstation - Windows,#,#,#
DirectControl/DirectAuthorize Server - ALL (summary),#,#,#
DirectControl/DirectAuthorize Workstation - ALL (summary),#,#,#
DirectAudit Server - UNIX,#,#,#
DirectAudit Server - Windows,#,#,#
DirectAudit Workstation - UNIX,#,#,#
DirectAudit Workstation - Windows,#,#,#
DirectAudit Server - ALL (summary),#,#,#
DirectAudit Workstation - ALL (summary),#,#,#
Uncounted Usage Summary
Uncounted DirectControl/DirectAuthorize Usage,#
Uncounted DirectAudit Usage,#

Example 6: Counted Identity and Privilege Elevation Computers

The following example shows the next portion of report Section 2, containing information about counted computers where authentication and privilege elevation (DirectControl and DirectAuthorize) features are used. Information includes the system name, the timestamp of the most recent Active Directory update, OS and agent versions, zone mode (see Zone Information for Managed Computers), status (see Status Information for Managed and Audited Computers), current zone, and license type (see License Type Information for Managed and Audited Computers.

Information about these counted computers is collected and reported in Section 1 of the report, as shown in Example 1: Agent, License Type and Count through Example 4: License Detail Summaries.

This example shows the layout of this section and example data. Depending on what types of Centrify licenses you have in your environment, your own licensing report might not use all of the layout entries shown here.

System Report of Counted Usage for DirectControl/DirectAuthorize  
Number of Systems - Counted DirectControl/DirectAuthorize Server - ALL (summary),#
Number of Systems - Counted DirectControl/DirectAuthorize Workstation - ALL (summary),#
Number of Systems - Counted DirectControl/DirectAuthorize - Grand Total,#
System,Last Computer AD Timestamp,OS,OS Version,Agent Version,Zone Mode,Status,Current Zone,License Type,Join Time,Postal Address
"gqxYNiU4cB","dd MMM yyyy HH:mm:ss zzz","CentOS","6.2","5.3.1-394","Zoned,Active,"28eQ86egjQ"",Server,"dd MMM yyyy HH:mm:ss zzz","JoinTime:xxxxxxxxxx;Key:value"
"ob6eV5JqUa","dd MMM yyyy HH:mm:ss zzz","Windows 7 Enterprise","6.1 (7601)","3.3.0-161","Zoned",Active,"dkXp8d1Bhp",Workstation,"dd MMM yyyy HH:mm:ss zzz","JoinTime:xxxxxxxxxx;Key:value"
"8m3DWH/ixr","dd MMM yyyy HH:mm:ss zzz","Red Hat Enterprise Linux","7.2","5.3.1-339","Zoned",Active,"KiWfCdeOIm",Server,"dd MMM yyyy HH:mm:ss zzz","JoinTime:xxxxxxxxxx;Key:value"
"CGAeslRVqB","dd MMM yyyy HH:mm:ss zzz","Scientific Linux","6.0","5.3.1-382","Auto Zoned",Active,"nQ+FzJZiGI",Workstation,"dd MMM yyyy HH:mm:ss zzz","JoinTime:xxxxxxxxxx;Key:value"
...

Example 7: Counted Audit and Monitoring Service Computers

The following example shows the next portion of report Section 2, containing information about counted computers where audit and monitoring service (DirectAudit) features are used. Information includes the system name, the timestamp of the most recent communication with a collector, OS and agent versions, status (see Status Information for Managed and Audited Computers), license type (see License Type Information for Managed and Audited Computers), and remarks (see Remarks for Managed and Audited Computers).

Vault-based systems are your Windows, UNIX, and/or network devices that are managed by and audited by the Server Suite.

Note that the remarks string for one computer states “Orphaned,” but the computer is still counted because audited computers are counted even when they are orphaned (unlike DirectControl/DirectAuthorize computers).

Information about these counted computers is collected and reported in Section 1 of the report, as shown in Example 1: Agent, License Type and Count through Example 4: License Detail Summaries.

This example shows the layout of this section and example data. Depending on what types of Centrify licenses you have in your environment, your own licensing report might not use all of the layout entries shown here:

System Report of Counted Usage for DirectAudit
Number of Systems - Counted DirectAudit Server - ALL (summary),#
Number of Systems - Counted DirectAudit Workstation - ALL (summary),#
Number of Systems - Counted DirectAudit - Grand Total,#
System,Last Connection,OS,Agent Version,Status,DirectAudit Installation,License Type,Join Time,Remarks,Postal Address,Audit Type,Advanced Monitoring,Role Based Audit,Session Reviews,Deployment Type
"ORiVwQ8knZ","dd MMM yyyy HH:mm:ss zzz","Windows",3.3.1-391,Active,"Rc6xacwgT4",Workstation,"dd MMM yyyy HH:mm:ss zzz","None","JoinTime:xxxxxxxxxx;Key:value","Agent Based","Enabled","Unknown","No","Local"
"vRGdi5XdYd","dd MMM yyyy HH:mm:ss zzz","UNIX/Linux",3.3.0-161,Active,"xiAKQayRc0",None,"dd MMM yyyy HH:mm:ss zzz","Orphaned","JoinTime:xxxxxxxxxx;Key:value","Agent Based","Enabled","Unknown","No","Local"
"DzFIs6sbyG","dd MMM yyyy HH:mm:ss zzz","UNIX/Linux",3.3.0-161,Active,"zP0V7QsMEG",Workstation,"dd MMM yyyy HH:mm:ss zzz","None","JoinTime:xxxxxxxxxx;Key:value","Agent Based","Disabled","Unknown","Yes","Local"
"o3oXhLNF8Q","dd MMM yyyy HH:mm:ss zzz","UNIX/Linux",Unknown (2.0 or later),Active,"0Z9opN8afT",None,"dd MMM yyyy HH:mm:ss zzz","Vault-based system","JoinTime:xxxxxxxxxx;Key:value","Gateway Based","Enabled","Unknown","No","Cloud"
"LNFVToyG16","dd MMM yyyy HH:mm:ss zzz","Windows",Unknown (2.0 or later),Active,"MOYdPMpxJk",Server,"dd MMM yyyy HH:mm:ss zzz","Vault-based system","JoinTime:xxxxxxxxxx;Key:value","Gateway Based","Enabled","Unknown","Yes","Cloud"
"xnSXEWuUPM","dd MMM yyyy HH:mm:ss zzz","UNIX/Linux",Unknown (1.3 or earlier),Active,"qZ3cKtElMz",None,"dd MMM yyyy HH:mm:ss zzz","None","JoinTime:xxxxxxxxxx;Key:value","Agent Based","Enabled","Unknown","No","Local"
...

Example 8: Uncounted computers of all license types

The following example shows the last portion of report Section 2, containing information about uncounted computers (considered “invalid usage” computers) where authentication and privilege elevation (DirectControl, DirectAuthorize) features, and audit and monitoring service (DirectAudit) features might be deployed.

DirectControl and DirectAuthorize information includes the system name, the timestamp of the most recent Active Directory update, OS and agent versions, zone mode (see Zone Information for Managed Computers), current zone, license type (see License Type Information for Managed and Audited Computers), and remarks (see Remarks for Managed and Audited Computers).

Note that the Remarks string shows that DirectControl and DirectAuthorize computers were not counted because the were inactive, had an unknown logon time, were orphaned, or were joined to the null zone.

DirectAudit information includes the system name, the timestamp of the most recent Active Directory update, OS and agent versions, license type (see License Type Information for Managed and Audited Computers), and remarks (see Remarks for Managed and Audited Computers).

Note that the Remarks string shows that DirectAudit computers were not counted because they were inactive or duplicated.

The Active Directory attribute of postalAddress is repurposed to store the agent join date as well as additional information for UNIX/Linux systems. The postalAddress field does not store data such as zip codes. Because postalAddress is a multi-value string, the format displayed in the report is like "JoinTime:xxxxx;LicenseType:xxxx".

This example shows the layout of this section and example data. Depending on what types of Centrify licenses you have in your environment, your own licensing report might not use all of the layout entries shown here:

System report of uncounted usage for DC/DZ
System Report of Uncounted Usage for DirectControl/DirectAuthorize
Number of Systems - Uncounted DirectControl/DirectAuthorize Usage,#
System,Last Computer AD Timestamp,OS,OS Version,Agent Version,Zone Mode,Current Zone,License Type,Join Time,Remarks,Postal Address
"jWSNWAVqSE","dd MMM yyyy HH:mm:ss zzz","Red Hat Enterprise Linux","6.2","5.3.0-127","Zoned","7TKshsizX+",Workstation,"dd MMM yyyy HH:mm:ss zzz","Inactive","JoinTime:xxxxxxxxxx;Key:value"
"BQ74st+6DY","dd MMM yyyy HH:mm:ss zzz","Windows Server 2012 Standard","6.2 (9200)","3.3.0-161","Zoned","IXcmEK0/GA",Server,"dd MMM yyyy HH:mm:ss zzz","Inactive","JoinTime:xxxxxxxxxx;Key:value"
"iRuAXmdP8R","None","Unknown","Unknown","None","Zoned","DcXp7iwKdT",None,"dd MMM yyyy HH:mm:ss zzz","Unknown logon time","JoinTime:xxxxxxxxxx;Key:value"
"a52fpZViDQ","None","Unknown","Unknown","None","Unknown","MWbqK6NgEg",None,"Orphaned","JoinTime:xxxxxxxxxx;Key:value"
"didvGnjncv","dd MMM yyyy HH:mm:ss zzz","Red Hat Enterprise Linux","6.4","5.2.2-186","Null","Wrhxp83dy6",None,"dd MMM yyyy HH:mm:ss zzz","Excluded due to null zone","JoinTime:xxxxxxxxxx;Key:value"
"vvoJLHbwEz","dd MMM yyyy HH:mm:ss zzz","Windows 7 Enterprise","6.1 (7601)","3.4.0-100","Zoneless","None",None,"dd MMM yyyy HH:mm:ss zzz","Excluded due to zoneless mode","JoinTime:xxxxxxxxxx;Key:value"
"qNi04XTWUH","dd MMM yyyy HH:mm:ss zzz","SUSE Linux","12.0","5.3.1-369","Express","None",None,"dd MMM yyyy HH:mm:ss zzz","Excluded due to express mode","JoinTime:xxxxxxxxxx;Key:value"
System Report of Uncounted Usage for DirectAudit
Number of Systems - Uncounted DirectAudit Usage,#
System,Last Connection,OS,Agent Version,DirectAudit Installation,License Type,Join Time,Remarks,Postal Address,Audit Type,Advanced Monitoring,Role Based Audit,Session Reviews,Deployment Type
"Fw/yiZD26M","dd MMM yyyy HH:mm:ss zzz","Windows",3.3.0-129,"JLcHyjSGTO",Workstation,"dd MMM yyyy HH:mm:ss zzz","Inactive","JoinTime:xxxxxxxxxx;Key:value","Agent Based","Enabled","Unknown","No","Local"
"ouS7+ZC6qt","dd MMM yyyy HH:mm:ss zzz","UNIX/Linux",3.2.2-246,"hcZs4xQ80F",None,"dd MMM yyyy HH:mm:ss zzz","Inactive","JoinTime:xxxxxxxxxx;Key:value","Agent Based","Disabled","Unknown","No","GP"
"vsJgzxtg6A","dd MMM yyyy HH:mm:ss zzz","UNIX/Linux",3.3.0-161,"FjuO9D63g2",Workstation,"dd MMM yyyy HH:mm:ss zzz","Duplicated","JoinTime:xxxxxxxxxx;Key:value","Gateway Based","None","Unknown","Yes","Cloud"
...

Example 9: List of Zones and Special Profiles

The following examples show the additional sections of the report that show detailed information about zones and special user profiles.

The Zone report lists detailed information about each zone. Below is a sample.

Zone Report
CN,Type,Parent Zone,Tenant ID,Tenant URL,Is ZPA provisiong,Is agentless client supported,Number of user profiles,Number of group profiles,Number of local user profiles,Number of local group profiles,Number of local Windows user profiles,Number of local Windows group profiles,Number of cross domain users,Number of cross forest users,Number of NIS maps,Number of roles,Number of PAM rights,Number of Command rights,Number of Windows Desktop rights,Number of Windows Application rights,Number of Windows Network Access rights,Number of role assignments,Number of computer roles,Number of roles with "MFA required",Number of roles with "audit if possible",Number of roles with "audit required",Number of roles with "audit not required"
keJg5xag6R,$CimsZoneVersion7,FbiyaZP2IT,AAQ0527,http://xxxxxxxxxxx,
Yes,No,#,#,#,#,#,#,#,#,#,#,#,#,#,#,#,#,#,#,#,#,#
...

In the next section of the licensing report lists the Special AD User Profiles Defined Report. This report lists out any special user profiles (SCP) that have been defined; profiles are detected based on pattern matching such as "oracle", "hadoop", "hdfs", "hive", and so forth.

You can configure the pattern match my modifying the registry value (value name: "SpecialUserProfilePattern"; type: multi string). Each row stands for a defined name pattern (from all zones).

If there is no name pattern configured, this section is not displayed in the report.

Special AD User Profiles defined Report
"oracle": #
"hadoop": #
"hdfs": #
"hiv$": #
...

The next section of the licensing report is the Special Local User Profiles Defined Report, which is very similar to the previous section. This report lists out any special local user profiles (SCP) that have been defined; profiles are detected based on pattern matching, such as "oracle", "hadoop", "hdfs", "hive", and so forth.

You can configure the pattern match my modifying the registry value (value name: "SpecialUserProfilePattern"; type: multi string). Each row stands for a defined name pattern (from all zones).

If there is no name pattern configured, this section is not displayed in the report.

Special Local User Profiles defined Report
"oracle": #
"hadoop": #
"hdfs": #
"hiv$": #
...