Active Directory Permissions for VDI-in-a-Box Grids

Article ID: CTX136282

Description

This article describes the minimum permissions required by the Active Directory (AD) user account that connects a VDI-in-a-Box grid to the domain. It lists those minimum permissions and then walks through an example of delegating them on a specific Organizational Unit (OU) in AD.

Background

VDI-in-a-Box prompts for AD credentials during grid setup. Those credentials are then used to read users and groups from the directory and to create and delete computer objects in the domain. The account can be given additional permissions if the VDI-in-a-Box administrator also needs to perform other tasks, such as creating group policies or user accounts; those tasks may be part of the administrator's duties, but they are not technical requirements of the VDI-in-a-Box software for joining computers to the domain.

VDI-in-a-Box grids that use Active Directory typically connect to the domain with a Domain Administrator account. This is sufficient and meets the requirements of many customers. However, in some deployments the VDI-in-a-Box administrator is not given a Domain Administrator account, or is given control over only a certain part of Active Directory.

VDI-in-a-Box 5.1 and newer requests only one set of credentials, which is used for all operations. In VDI-in-a-Box 5.0 and earlier, one set of credentials is requested at grid setup time for reading user information from the domain, and a second set is requested during the prepare stage of each golden image; the second set is used to join computers to, and remove them from, the domain.

If you are a VDI-in-a-Box administrator without control over AD, pass this article to your domain administrator so that they can create an account with the necessary permissions.

Required Permissions

The AD user must be able to perform the following tasks on the OUs into which VDI-in-a-Box images and desktops will be joined. The minimum requirements to join VDI-in-a-Box images and desktops to an OU in Active Directory, and to remove them again, are:

  • Read Active Directory user information (Domain Users all have the ability to do this by default without any modification).

  • Create Computer Objects in the OU the golden images and desktops are placed into.

  • Delete Computer Objects from the OU the golden images and desktops are placed into.

Using a Domain Administrator account is sufficient, and in most cases no modification is required. The information in this section applies specifically to credentials that are not members of the Domain Admins group.

Note: By default, standard Domain Users (who are members of the Authenticated Users group) are able to join 10 computers to the domain. A VDI-in-a-Box grid that uses such credentials therefore appears to work initially. Once the threshold is reached, further VDI-in-a-Box desktops fail to join the domain with error code 8557 and go into a broken state. In some environments the threshold may be lower or higher (it can also be set to 0).

Refer to the following Microsoft KB articles for more information and details about these permissions and how to modify them if required:

http://support.microsoft.com/kb/251335

http://support.microsoft.com/kb/243327/en-us

Delegating Permissions Example

In this example, we create a Domain User account and give it the appropriate permissions using the Delegate Control Wizard. The example uses a Windows 2008 R2 Domain Controller (DC). A Domain Administrator creates the OUs for VDI-in-a-Box and then provides the account details to the VDI-in-a-Box administrator, who uses them to configure the grid.

Creating Organization Unit and User Account

This section is only needed when an OU and a user account for VDI-in-a-Box do not already exist in the domain.

  1. Log on to the DC using a domain administrator account.

  2. Open the Active Directory Users and Computers console.

  3. If an OU does not already exist for VDI-in-a-Box, right-click the domain, or the existing OU under which the VDI-in-a-Box OU should sit, and create the new OU there.

    Example: An OU named ViaB was created in the domain company.com. The Distinguished Name is OU=ViaB,DC=company,DC=com
  4. If a user account to be used for VDI-in-a-Box does not already exist in the domain, create one. This user does not need to be located in the same OU as the VDI-in-a-Box desktops.

    Example: A user named VIABservice was created in the default Users container using the New User Object wizard. A complex password was selected, the User must change password at next logon option is cleared, and the Password never expires option is selected. Opening this new user object and going to the Membership tab confirms that the user is not a Domain Admin, but is a member of the Domain Users group.

Delegate Control Wizard

This section covers the minimum options required for VDI-in-a-Box; an administrator may be given additional permissions if the domain administrator authorizes them (for example, the ability to create user accounts). The steps and functionality of the Delegate Control wizard may differ between versions of Windows Server:

  1. Log on to the DC using a domain administrator account.

  2. Open the Active Directory Users and Computers console.

  3. Right-click the OU in which the VDI-in-a-Box images and desktops will be created and select Delegate Control.

  4. Click Next to skip the wizard overview page.

  5. Click Add in the Users or Groups section. Type the name of the account that will be used by the VDI-in-a-Box grid, click OK, and then click Next.


    Note: This step covers only the minimum requirements for creating and deleting computer accounts. If the VDI-in-a-Box administrator will also need to perform other tasks (create user accounts, reset passwords, manage group policy, and so on), you can instead select the Delegate the following common tasks option and check the boxes for all the necessary tasks. Otherwise, select Create a custom task to delegate and click Next.


    Note: This step also grants only the minimum permissions to the VDI-in-a-Box account. If broader control is required, you might need to select Delegate control of This folder, existing objects in this folder, and creation of new objects in this folder. Otherwise, select the following options:

    1. Delegate control of Only the following objects in the folder.

    2. Select Computer objects.

    3. Select Create selected objects in this folder and Delete selected objects in this folder.

    4. Click Next to continue.


    Note: By default, General should already be selected; if it is not, select it, and then select the Full Control permission (this in turn enables all the other permissions).
    As with the previous two steps, these permissions can be made very granular and can be adjusted to match the domain security policies.

  6. Click Next.

  7. Review the Delegation of Control summary and click Finish. The user will now be able to accomplish all the required tasks using the permissions delegated using the wizard.

  8. Once the account permissions have been delegated, setting up a new grid only requires entering these credentials when the grid setup wizard prompts for them. If a VDI-in-a-Box grid already exists, make sure to change and synchronize these settings in the appropriate sections (in VIAB 5.1 and later, administrators go to the Users tab > User Database: Configure):


Remember that, by default, even ordinary Domain User accounts are allowed to join 10 computers to the domain. So even if the wizard was used incorrectly, VDI-in-a-Box might still function for the first 10 desktops (or for whatever number the domain administrator has changed the limit to).

As a quick test that the user can only join desktops to the specified OU, you can change the domain settings so that no computer can be joined to the domain unless the joining user meets specific requirements (either a Domain Admin, or an account with delegated permission to add and remove computer objects in the specified OUs). See the Microsoft KB links in the Required Permissions section above for details and instructions on these settings.
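The two procedures described in this article (delegating create and delete rights on computer objects in one OU, and tightening the domain's default join quota so that a wrong delegation fails immediately) can also be scripted. The following is an added example and is not part of the Citrix article or of VDI-in-a-Box itself. It uses the Microsoft ActiveDirectory PowerShell module and the .NET ActiveDirectoryAccessRule class to write the two ACEs that correspond to the wizard selections above (create/delete child objects of class computer on the OU, and Full Control over descendant computer objects), with the article's example OU and account name. The function names are mine; the exact ACEs the wizard produces can differ slightly between Windows Server versions, so treat the ACE layout as the standard expression of those rights rather than a byte-for-byte copy of the wizard's output. Run it from an elevated PowerShell session on the DC as a Domain Administrator.

```powershell
# Added example (not from the Citrix article): PowerShell equivalent of the
# Delegate Control wizard steps, plus the checks used to verify the result.
# Requires the ActiveDirectory module (RSAT) and a Domain Admin session.
# The OU and account name are the article's example values; adjust as needed.
Import-Module ActiveDirectory

$OuDn       = 'OU=ViaB,DC=company,DC=com'   # OU that holds golden images and desktops
$AccountSam = 'VIABservice'                 # non-admin account created earlier

# Look up the schemaIDGUID of the "computer" class so the ACEs apply to computer
# objects only. This mirrors "Only the following objects in the folder" +
# "Computer objects" in the wizard; nothing is granted on users, groups, etc.
function Get-ComputerClassGuid {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' `
        -Properties schemaIDGUID
    return [Guid]$cls.schemaIDGUID
}

# Grant only what the article lists as the minimum: create and delete computer
# objects in the OU (and its child OUs), and full control over the computer
# objects that live there (the wizard's "General: Full Control" step).
function Grant-ViabComputerDelegation {
    param([string]$OuDn, [string]$AccountSam)

    $sid  = [System.Security.Principal.SecurityIdentifier](Get-ADUser $AccountSam).SID
    $guid = Get-ComputerClassGuid
    $acl  = Get-Acl -Path "AD:\$OuDn"

    # ACE 1: Create/Delete child objects of class "computer", on this OU and below.
    $createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # ACE 2: Full control inherited only by descendant computer objects, so the
    # account can write the attributes of the machines it joins and nothing else.
    $fullOnComputers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $guid)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($fullOnComputers)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# List exactly what the account has been granted on the OU, for review or audit.
function Show-ViabDelegation {
    param([string]$OuDn, [string]$AccountSam)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$AccountSam" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}

# The domain-wide quota that lets any authenticated user join 10 computers is the
# ms-DS-MachineAccountQuota attribute on the domain object. Error 8557 in the
# article is ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, which a desktop gets once a
# non-delegated account has used the quota up. Setting the quota to 0 (as the
# article's test did) makes a wrong delegation fail on the first desktop.
function Get-MachineAccountQuota {
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}
function Set-MachineAccountQuota {
    param([int]$Quota = 0)
    Set-ADDomain -Identity (Get-ADDomain).DistinguishedName `
        -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

Grant-ViabComputerDelegation -OuDn $OuDn -AccountSam $AccountSam
Show-ViabDelegation          -OuDn $OuDn -AccountSam $AccountSam
"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
# Set-MachineAccountQuota -Quota 0   # uncomment to reproduce the article's strict test
```

Show-ViabDelegation should list two Allow entries for the account: CreateChild, DeleteChild with ObjectType equal to the computer class GUID, and GenericAll with InheritedObjectType equal to that GUID. Any extra entries, or entries with an empty ObjectType, mean more was delegated than the article's minimum. Lowering ms-DS-MachineAccountQuota to 0 affects every non-delegated account in the domain, not just VDI-in-a-Box, so agree that change with the domain administrator before making it outside a test environment.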

Additional Resources

Several rounds of testing were completed using a VDI-in-a-Box 5.2 grid, a Windows 2008 R2 Service Pack 1 domain controller, and golden images configured to join different OUs in the domain. The tests were performed after changing the domain controller settings so that no computer accounts could be created by default. Desktop templates were then created for each golden image, with several desktops spun up from each. The desktops in the OU (and its child OU) over which the VDI-in-a-Box domain user had delegated control were created, used, and removed as expected. The desktops in an OU over which the VDI-in-a-Box domain user did not have delegated control all failed to join the domain and went into a broken state. Error messages in VDI-in-a-Box Tasks and Events show a message similar to: Desktop VM 'w7test-00' intentionally called broken by desktop agent communication: Join domain: Domain join failed with error code 8557 reason).

