VDI-in-a-Box Service Accounts and Permissions

Article ID: CTX136283

Description

This article provides information about the accounts used and the permissions required by the various VDI-in-a-Box (ViaB) components, including the hypervisors, desktops, and Active Directory (AD) components. A list of the accounts, with explanations, is given below.

Background

There have been cases in which accounts required by various ViaB components did not have the correct permissions to perform a specific action. One example is when the AD credentials an administrator provides to ViaB do not have permission to create computer accounts. This results in failures to join the domain and causes the images/desktops to go into a broken state. In other cases, a ViaB administrator might be able to set up a ViaB grid and import an image successfully, but the image and/or desktops will fail to join the domain. A group policy that removes the ViaB service account(s) from the local administrators group might be one reason for such failures.

Account Permissions

This section goes through account permissions in logical order of setting up a new ViaB grid.
Note: For those with existing ViaB grids, skip to the Overview Chart of Account Permissions for a quick glance at all the accounts and permissions.

  • Connecting vdiManager to the hypervisor: Must use an account with local administrative privileges on the hypervisor. It does not have to be the default administrator/root account, but it must have the same permissions. Domain accounts are not recommended, because group policies might remove the user from the local administrators group on the hypervisor:
    • Citrix XenServer: The default root account is sufficient.
    • Microsoft Hyper-V: The default local administrator account is sufficient.
    • Hyper-V Connector: The HVConnector service is installed only on the Hyper-V hypervisor and runs under a local service account named kaviza. This account is a local administrator and must remain one.
    • VMWare ESXi: The default root account is sufficient.
    • VMWare vCenter: If using vCenter with ESX and VDI-in-a-Box, you are required to enter a domain administrator account with permission to manage vCenter.
  • Connect the grid to AD: If using AD instead of workgroup mode, you must specify a domain account. In general, a domain administrator account can be used, but in some environments this is not possible because of IT security policies. For those not able to use a domain administrator account, ensure that the user account has delegated permissions to do the following tasks:
    • Read the Active Directory database to search for user accounts, either for the entire directory or for the specific OU where ViaB user accounts reside.
    • Create Computer Objects in the OU(s) where ViaB desktops reside.
    • Delete Computer Objects in the OU(s) where ViaB desktops reside.
    • Optional: If Citrix User Profile Manager, Citrix HDX Policies, or any other Group Policies must be used, ensure that the user has the ability to apply them to the OU(s) where ViaB desktops reside.

    Refer to the Knowledge Center article CTX136282 - Active Directory Permissions for VDI-in-a-Box Grids for more information on delegated permissions.

  • Automated VDI-in-a-Box Agent Installer: When importing a Virtual Machine into ViaB as a golden image, it is highly recommended that a local administrator account be used. Although it is possible to use a domain administrator account, doing so is strongly discouraged, as it can affect how some of the components get installed. It is important to understand that this account is required only for the initial automated installation and can be disabled/removed upon completion.
    • In addition, several Citrix services must run on the virtual desktops, such as Citrix VDI-in-a-Box Agent, Citrix VDI-in-a-Box Agent Monitor, and Citrix VDI-in-a-Box HDX Connector Service. These services must all have local administrator rights on the desktops.
    • Check for any group policies applied to ViaB computer objects and hypervisors that might remove the required accounts from local administrator groups. Make exceptions for these accounts to ensure that they remain local administrators.
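The delegated-permission list above can be verified before the grid is connected to AD. The following PowerShell script is an added example, not part of the Citrix article: it reads the ACL of the desktop OU and reports whether the delegated account holds Read, Create Computer Object and Delete Computer Object rights. The OU distinguished name and the account name are placeholders; the ActiveDirectory module is assumed to be installed.

```powershell
Import-Module ActiveDirectory

# Placeholders: replace with the OU that holds the ViaB desktops and the delegated account
$DesktopOU      = 'OU=ViaB Desktops,DC=example,DC=com'
$ServiceAccount = 'EXAMPLE\svc-viab'

# schemaIDGUID of the Computer object class (well-known, identical in every forest)
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Test-ViabOuDelegation {
    param([string]$OuDn, [string]$Account)

    $acl = Get-Acl -Path ("AD:\" + $OuDn)

    # Only ACEs granted directly to the account are examined; rights the account
    # receives through group membership are not expanded here
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account
    })

    # An ACE covers computer objects when its ObjectType is the Computer class GUID
    # or the empty GUID (which means "all object classes")
    $forComputers = @($aces | Where-Object {
        $_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq [Guid]::Empty
    })

    # True when any ACE in the list carries the given right bit (GenericAll includes them all)
    $hasRight = {
        param($list, [System.DirectoryServices.ActiveDirectoryRights]$right)
        [bool]($list | Where-Object { ([int]$_.ActiveDirectoryRights -band [int]$right) -ne 0 })
    }

    [pscustomobject]@{
        Account            = $Account
        OU                 = $OuDn
        # Read is usually inherited via Authenticated Users, so $false here is not by itself a failure
        CanReadDirectory   = & $hasRight $aces 'ReadProperty'
        CanCreateComputers = & $hasRight $forComputers 'CreateChild'
        CanDeleteComputers = & $hasRight $forComputers 'DeleteChild'
    }
}

Test-ViabOuDelegation -OuDn $DesktopOU -Account $ServiceAccount | Format-List
```

Run it once per OU that will hold ViaB desktops; if the account is granted rights only through a group, extend the identity match to that group's name.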

Overview Chart of Account Permissions

This chart contains the same account permissions as described in the preceding sections, but is designed to be used as a quick reference.

Account | Service | Permission | Location | Notes
--- | --- | --- | --- | ---
Typically Administrator or root | | Local Administrator or Root | vdiManager setup (hypervisor setup screen) | Used by the vdiManager appliance to communicate with the underlying hypervisor
Kaviza | HVConnector | Local Administrator | Hyper-V services | This service is installed and run only on the Hyper-V hypervisor.
Domain Administrator or other domain account with delegated permissions | | Read Directory, Create Computer Objects, Delete Computer Objects | VDI-in-a-Box grid setup (user database selection screen) | Domain Administrator preferred. A user account with delegated permissions is also sufficient.
vdiAgent | Citrix VDI-in-a-Box Agent | Local Administrator | Images and Desktops | Performs Virtual Machine life cycle operations and reports
vdiAgentMonitor | Citrix VDI-in-a-Box Agent Monitor | Local Administrator | Images and Desktops | Monitors vdiAgent and performs install, uninstall, and update operations
VdiHdxConnectorSvc | Citrix VDI-in-a-Box HDX Connector Service | Network Service | Images and Desktops | Controls the VDA service to broker HDX connections
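The chart can be turned into a health check for an image, desktop or Hyper-V host, which is useful for catching the group policy problem described in the Background section. The following PowerShell script is an added example, not part of the Citrix article: it assumes the Account column gives the Windows service name and the Service column the display name, looks each service up, and confirms its log-on account is either LocalSystem or a member of the local Administrators group (Network Service for the HDX Connector).

```powershell
# The services the chart lists, with the account each one is expected to run as.
# Assumption: the 'Account' column is the Windows service name and 'Service' the display name.
$Expected = @(
    @{ Name = 'vdiAgent';           Display = 'Citrix VDI-in-a-Box Agent';                 Needs = 'Administrators' }
    @{ Name = 'vdiAgentMonitor';    Display = 'Citrix VDI-in-a-Box Agent Monitor';         Needs = 'Administrators' }
    @{ Name = 'VdiHdxConnectorSvc'; Display = 'Citrix VDI-in-a-Box HDX Connector Service'; Needs = 'NetworkService' }
    @{ Name = 'HVConnector';        Display = 'HVConnector';                               Needs = 'Administrators' }  # Hyper-V host only
)

function Get-LocalAdministratorNames {
    # The ADSI WinNT provider works on older Windows builds that lack Get-LocalGroupMember
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Test-ViabServiceAccounts {
    $admins = Get-LocalAdministratorNames
    foreach ($e in $Expected) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$($e.Name)' OR DisplayName='$($e.Display)'"
        if (-not $svc) {
            # Absent on this machine: expected for HVConnector anywhere but a Hyper-V host
            [pscustomobject]@{ Service = $e.Name; Installed = $false; State = $null; RunsAs = $null; Ok = $false }
            continue
        }
        $runsAs = $svc.StartName
        if ($e.Needs -eq 'NetworkService') {
            $ok = $runsAs -eq 'NT AUTHORITY\NetworkService'
        } else {
            # LocalSystem already holds administrative rights; any other account (for example
            # .\kaviza) must still be in the local Administrators group, which a GPO may have emptied
            $ok = ($runsAs -eq 'LocalSystem') -or ($admins -contains ($runsAs -replace '^.*\\', ''))
        }
        [pscustomobject]@{ Service = $e.Name; Installed = $true; State = $svc.State; RunsAs = $runsAs; Ok = $ok }
    }
}

Test-ViabServiceAccounts | Format-Table -AutoSize
```

A row with Ok = False for an installed service points at either a changed log-on account or a Restricted Groups policy that has removed it from Administrators.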