In its latest release Centrify has added some restrictions to what has, up until now, been a great product. The changes are listed at http://www.centrify.com/express/changes-centrify-express-unix-linux.asp, where they state this:
Centrify Express for UNIX/Linux and Centrify Express for Mac no longer support access controls. We made this change to clearly delineate between the intended premium versus free features.
While I do understand why they have done that, I still had to find a way to limit login rights for Active Directory users. First, edit the /etc/security/access.conf file and add the following to the bottom:
+ : linux_admins : ALL
+ : linux_users : ALL
+ : josip : ALL
- : ALL : ALL
As you can see, we are adding here a list of users and groups that will have login permissions on the Linux box. linux_admins and linux_users are Active Directory groups, while josip is my local user. You can add local groups here as well. At the end we deny everyone else login permissions. Keep the order: pam_access applies the first rule that matches, and a user matched by no rule at all is allowed in, so it is that final deny line that actually locks the box down.
Now open /etc/pam.d/common-auth and add this line at the top:
auth required pam_access.so
It is important that this line sits at the top, or at least above the lines added by the Centrify installer, so that the access check runs before Centrify's own module. You should end up with something like this.
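Before deploying the two edits above it is worth dry-running them, so you can confirm that your own account still gets in and that the PAM line really precedes Centrify's. The checker below is an added example (my own code, not from the post or from Centrify). It assumes a simplified model of pam_access (first matching rule wins, ALL matches anything, no match means allow; EXCEPT clauses and network origins are not modelled), assumes Centrify's PAM module is called pam_centrifydc.so, and uses constructed sample file contents.

```python
# Added example, not part of the original post: a dry-run checker for the
# access.conf and common-auth edits described above. It models pam_access
# semantics in simplified form (an assumption, not the module's source):
# rules are read top to bottom, the first rule whose user/group list and
# origin list both match decides, '+' allows, '-' denies, 'ALL' matches
# anything, and a user matched by no rule at all is ALLOWED. EXCEPT clauses
# and network origins are not modelled.


def parse_access_conf(text):
    """Parse access.conf text into (permission, subjects, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm, subjects, origins = parts
        rules.append((perm, subjects.split(), origins.split()))
    return rules


def _subject_matches(subject, user, groups):
    """'ALL' matches anyone; '(name)' is an explicit group; a bare name is
    tried as a user name and then as a group name, as pam_access does."""
    if subject == "ALL":
        return True
    if subject.startswith("(") and subject.endswith(")"):
        return subject[1:-1] in groups
    return subject == user or subject in groups


def check_access(rules, user, groups, origin="tty1"):
    """Return True if pam_access would let this user in, False otherwise."""
    for perm, subjects, origins in rules:
        subject_hit = any(_subject_matches(s, user, groups) for s in subjects)
        origin_hit = any(o == "ALL" or o == origin for o in origins)
        if subject_hit and origin_hit:
            return perm == "+"
    return True  # no rule matched: pam_access grants access by default


def ends_with_deny_all(rules):
    """The policy only restricts anyone if the last rule is '- : ALL : ALL'."""
    return bool(rules) and rules[-1] == ("-", ["ALL"], ["ALL"])


def pam_access_before(pam_text, module="pam_centrifydc.so"):
    """True if pam_access.so is listed before the given module in a PAM file.

    The Centrify module name is an assumption; pass your own if it differs."""
    access_idx = module_idx = None
    for i, line in enumerate(pam_text.splitlines()):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if "pam_access.so" in s and access_idx is None:
            access_idx = i
        if module in s and module_idx is None:
            module_idx = i
    return access_idx is not None and (module_idx is None or access_idx < module_idx)


# Constructed sample files mirroring the post's configuration.
ACCESS_CONF = """\
+ : linux_admins : ALL
+ : linux_users : ALL
+ : josip : ALL
- : ALL : ALL
"""

COMMON_AUTH_OK = """\
auth required pam_access.so
auth sufficient pam_centrifydc.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
"""

COMMON_AUTH_BAD = """\
auth sufficient pam_centrifydc.so
auth required pam_access.so
"""


def lockout_report(access_text, pam_text, accounts):
    """Evaluate (user, groups) pairs against the policy before deploying it,
    so the admin can confirm their own account still gets in."""
    rules = parse_access_conf(access_text)
    return {
        "final_deny": ends_with_deny_all(rules),
        "pam_order_ok": pam_access_before(pam_text),
        "allowed": {u: check_access(rules, u, g) for u, g in accounts},
    }


if __name__ == "__main__":
    sample = [("josip", ["josip"]),
              ("alice", ["domain users", "linux_users"]),
              ("bob", ["domain users"])]
    print(lockout_report(ACCESS_CONF, COMMON_AUTH_OK, sample))
```

Feed it the real files and your own user and group list (as `id` reports them on the box) before the change goes live; the "no rule matched means allow" default is exactly why a forgotten final deny line leaves every AD user able to log in.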
I assume you will want to give some AD users sudo privileges. Run visudo and add this line:
%linux_admins ALL=(ALL:ALL) ALL
This grants the DOMAIN\linux_admins group sudo privileges.
I have tested this on Ubuntu 14.04 LTS; one would assume a similar setup works on other distros. Enjoy your Centrify Express enabled machine.
tomislav
Great article, thanks for posting it.