VMware Horizon Community
pdallecarbonare
Contributor

View Composer Domain Administrator Service Account

The administration guide and the wizard for creating an automated desktop pool with linked clone technology both contain differing information concerning the rights of the domain administrator account.

The administration guide says:

"View Composer requires the credentials of a domain user account with the requisite level of domain administration authority to add systems to a domain. While you may use an existing domain administrator account for this role, it is strongly recommended that your Active Directory administrator creates a user account specifically for this purpose."

while the wizard says:

"In order to join desktops to a domain, QuickPrep requires domain administrator credentials for the target domain. Select the desired domain\administrator entry from the Domain Administrator Account drop down menu. QuickPrep can also execute scripts on power-off and after creating new desktops or after a recomposition or refresh event. Enter paths (located on the Parent VM) to the scripts."

So far I have created a service account with no domain admin rights but with the right to join computers to the domain. But the deployment of the desktop within View Manager failed.

Does the service account really need to have FULL domain admin rights? The problem is that no bigger company would create a service account with full domain admin rights, as VMware mentions in the wizard. Or do I need more rights (maybe creating OUs in the Active Directory)?


Accepted Solutions
admin
Immortal

You do not need full admin. The account needs to have both the create and remove computer objects ACEs. The following steps should help you. This also needs to be applied at the correct OU level if you have OUs.

Grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the User


  1. From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.

  2. Right-click the Computers container, and then click Properties.

  3. On the Security tab, click Advanced.

  4. On the Permissions tab, click Authenticated Users, and then click View/Edit.

     NOTE: If the Authenticated Users group is not listed, click Add and add it to the list of permission entries.

  5. Make sure the This object and all child objects option is displayed in the Apply onto box.

  6. From the Permissions box, click to select the Allow check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.


4 Replies
pdallecarbonare
Contributor

Thanks for your response, the information helped me a lot, but even if I allow both ACEs, to create and remove computer objects, there is still the error while provisioning: "Domain Administrator account has insufficient permission for QuickPrep."

By the way, where can I get this detailed information about which privileges the service account needs? Even in the new Administration Guide 3.0.1 it only says: "Your Active Directory administrator must create a user with the requisite level of authority to be used by the View Composer service to create linked clone desktops and add them to your domain."

admin
Immortal

The steps are not documented in the admin guide. There is a KB article http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1007697&sl...

Those rights are what you need. It can be a bit tricky if they are not applied to the right level of AD or the OU when done manually.

I have a service account, View Composer, which is a Domain User. I also have an OU, View Desktops. View Composer has these permissions and is the service account used in View Manager.

If you tried this manually, you might want to try the Delegation of Control wizard in AD. You can set the same permissions at the right level needed and it will set things properly.

WP

pdallecarbonare
Contributor

Thanks for your help, the problem is solved now. We used the standard "Computers" OU to add the computer objects ACEs to the domain. However, it seems like other permissions have overwritten our permission (I will check that later). After creating a fresh OU container and adding the permissions there, it finally worked.

To the KB article: Wouldn't it be better to give the right to a service group (e.g. ViewTechnicalUsers), because Authenticated Users = every domain user -> this would mean that every authenticated user could create and delete computer objects -> security issue!?

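The accepted solution's six GUI steps and the last post's concern about granting the ACEs to Authenticated Users, as one added PowerShell example that is not part of the thread or of VMware's KB article: it delegates only Create/Delete Computer Objects on a dedicated OU to a dedicated group and then audits the OU for broad principals. The OU name "View Desktops" and the group name "ViewTechnicalUsers" are taken from the thread; the service account name is an assumed placeholder.

```powershell
# Added example, not from the thread: least-privilege delegation for View Composer
# plus an audit of who can create/delete computer objects under the OU.
# Assumes the ActiveDirectory module; "svc-viewcomposer" is a placeholder name.
Import-Module ActiveDirectory

$DomainDN     = (Get-ADDomain).DistinguishedName
$OuName       = "View Desktops"
$OuDN         = "OU=$OuName,$DomainDN"
$GroupName    = "ViewTechnicalUsers"
$ServiceAcct  = "svc-viewcomposer"                              # placeholder
$ComputerGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"    # schemaIDGUID of class "computer"

# 1. Fresh OU and dedicated group, as the thread concluded; skipped if they already exist.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)")) {
    New-ADGroup -Name $GroupName -GroupScope Global -Path $DomainDN
}
Add-ADGroupMember -Identity $GroupName -Members $ServiceAcct

# 2. CreateChild + DeleteChild restricted to the computer class, inherited by the OU and
#    everything below it (the GUI's "This object and all child objects").
$rights = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $GroupName).SID, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$OuDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# 3. Audit: who can create or delete computer objects under this OU? Flag grants to
#    Authenticated Users (S-1-5-11), Everyone (S-1-1-0) and BUILTIN\Users (S-1-5-32-545).
$broad = @("S-1-5-11", "S-1-1-0", "S-1-5-32-545")
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object {
        $_.AccessControlType -eq "Allow" -and
        (([int]$_.ActiveDirectoryRights -band [int]$rights) -ne 0) -and
        ($_.ObjectType -eq $ComputerGuid -or $_.ObjectType -eq [Guid]::Empty)
    } |
    ForEach-Object {
        $sid  = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $flag = if ($broad -contains $sid) { "REVIEW: broad principal" } else { "" }
        "{0,-40} {1,-25} {2}" -f $_.IdentityReference, $_.ActiveDirectoryRights, $flag
    }
```

Run the audit part alone against the built-in Computers container as well if you followed the KB steps literally, since that is where the Authenticated Users grant would have been made.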