VMware Horizon Community
Jeff808
Contributor

View VM Logon Gives Incorrect Windows Permissions

We have a relatively new deployment using View 5.1 on vCenter 5.1, ESXi 5.1. In the last week, two of our users who have elevated Windows permissions in Active Directory have been unable to access their elevated folders and authenticate to our Exchange 2010 server while in their View VMs. However, through their physical Windows machines, they continue to have normal access to their elevated folders and can authenticate to Exchange through Outlook.

When it happened to the first one, we thought it was some kind of weird fluke and just created a new Windows AD profile for her, but now it's happened with a second user and we have no idea why.

As far as we knew, a physical machine logon and a View VM logon should return the same permissions, but for some reason, the View VM logon is messing up their permissions.

We have no idea where to start looking for a cause for this. Can someone help us out?

FYI-- we run another View deployment with about 3 times as many users for another client and have never seen this issue there.

0 Kudos
4 Replies
mittim12
Immortal

View doesn't have any control over a user's permissions since all domain type privileges would be controlled via Active Directory. The first two things that came to mind are listed below.

Computer OU placement for View desktops may be different than a physical desktop resulting in a GPO being applied that could cause problems?

Possible optimization change in template is causing her issues?

These two things wouldn't affect permissions since AD controls user permissions but could affect how things behave.

0 Kudos
Jeff808
Contributor

Thanks for the reply.

The VMs are in the same OU as the physical machines, and we don't have any GPO settings for them anyway.

We haven't done anything to the master template for at least a month, so I ruled that out, too.

It's almost as if the permissions for these 2 users are reverting back to a generic Domain User, which is enough to get them logged into the virtual but not to get any of their special permissions.

We're completely baffled by this whole thing...

0 Kudos
mittim12
Immortal

So if you log in with your account there are no problems?

0 Kudos
Jeff808
Contributor

You mean if I logon as administrator to the physical and then administrator to the virtual? I actually haven't tried this, but whether or not it worked wouldn't tell me anything since last week one of the users wasn't having any problems and now is (or was until I deleted her AD account, recreated it, and updated everything since the SID was different, which took a couple hours of moving shortcuts, bookmarks, files, the dirty work; really wanted to find a solution instead of solving with a hatched approach like this, but she needed access to some important stuff immediately, so no choice).

I have, however, tried logging onto her physical machine as administrator and then into her View machine as her, thinking maybe there was some problem with being logged into the physical and virtual as the same user at the same time (even though our other deployment does this daily for numerous users and has never had an issue), but no change; her virtual logon just didn't give her any of the permissions she should have and Outlook wouldn't take her password.

0 Kudos