AD Configuration

Operation and use of the "AD Configuration" tab in the tenant view

The purpose of this article is to provide an explanation of the use and operation of the "AD Configuration" (Active Directory Configuration) tab in the tenant view.

AD Configuration

From version 3.3.0 onwards, there is an "AD Configuration" tab in each tenant which -depending on the tenant domain configuration in Flexxible|SUITE-  their content may or may not be editable.
In order to initialize the tenant successfully, the hierarchical structure of the Organizational Units should have been previously created in the Active Directory (which would contain groups, user and AD accounts, and the security groups for that tenant). This new tab offers the possibility, in non-multitenant domains, to select the organizational units that should contain the accounts and active directory security groups, designed for those domains where Flexxible|SUITE does not have the necessary permissions for this function.


The contents of this tab are not editable in multi-tenants domains. However, once the tenant has been initialized, the fields are automatically populated.


To keep in mind:

  • The "AD Configuration" tab is not visible if the tenant is new and has not been saved for the first time. Once saved, the tab becomes visible and editable (in domains not multitenant).
  • The tab can be configured in read-only mode leveraging a specific setting.

Settings

In the Settings area, the "EditADConfiguration" key can be set up to allow a Flexxible|SUITE user to edit the tenant OUs and Groups:


This parameter admits three values:

  1. None: Edits in the AD Configuration area are not allowed in any domain.
  2. OnlyNoMultitenant: Edits are only allowed over a not multitenant domain.
  3. All: Edits are allowed in every domain.


Specific behaviors

There are certain specific characteristics or behaviors:

  • After tenant initialization, the Template Designers, Managers, and Remote Support Team security group fields will remain as read-only.


  • If OUs Customizable Desktops, Persistent Desktops, and Professional Desktops are not populated with values, VDTs will be assigned to the OU Desktops, regardless of type. Otherwise, VDTs will be assigned to the corresponding OU according to type (customizable=>customizable desktops OU, persistent=>persistent desktops OU, or nonpersistent=>professional desktops OU).


Tenant OUs

Application server

The application server OU is required in versions up to 3.3.2. It will be required in later versions whenever the VDI Manager has permissions to create computer accounts in the tenant domain.

This is the OU where the application server computer accounts are stored. Applies to the new ASF automatically from the tenant of the interactive user, or when changing the template on which the ASF is based. If VDI Manager has permissions to create OUs in the tenant domain, this OU is created automatically when initializing the tenant or creating new Application Template definitions.

  • Items: AD accounts of the existing Application servers
  • Objective: This OU is selected automatically for the new ASF depending on the tenant of the current user, or the selected template. This OU is used during the process of creating new catalogs. It also allows applying specific GPOs for the Application Servers. The domain synchronization user should have permissions to create AD accounts in this OU.
  • Mandatory? Up to the 3.3.2 version. In later versions, it will be required whenever VDI Manager has permission to create AD accounts in the tenant domain.
  • Modifiable? Yes  


Application server template

This OU is required if the new Application Template Definitions are created from VM Models. It is used to locate the computer accounts of the new Application Template Definitions. If VDI Manager has permissions to create OUs in the tenant domain, this OU is created automatically when initializing the tenant or creating new Application template definitions.

  • Items: AD Accounts of the new Application template definitions
  • Objective: To have an OU where we can apply specific GPOs for the Application server templates. The domain synchronization user should have permissions to create AD accounts in this OU.
  • Mandatory? Whenever we are willing to create  Application template definitions choosing an option from the VM Models
  • Modifiable? Yes   


Customizable desktops

This OU is not required. If it is populated and VDI Manager has permission to create OUs in the tenant domain, it is used to place the computer accounts in a VDT of Customizable VMs (with PvDisk). If VDI Manager has permissions to create OUs in the tenant domain, this OU is created automatically when initializing the tenant.

  • Items: AD Accounts of the customizable desktops (including PVDisk)
  • Objective: To have an OU where we can apply specific GPOs for customizable desktops. The domain synchronization user should have permissions to create AD accounts in this OU.
  • Mandatory? Never, If the OU field is empty, the AD accounts will be created in the OU provided in the “Desktops” field included in the OUs section located in the AD Integration Tag.
  • Modifiable? Yes    


Desktops

This OU is required in versions up to 3.3.2. In later versions, it will be required whenever VDI Manager has permissions to create computer accounts in the tenant domain. Automatically applied to self-generated VDTs. If VDI Manager has permissions to create OUs in the tenant domain, this OU is created automatically when initializing the tenant.

  • Items: Desktops’ OUs per type or desktops AD accounts in case the OUs are not provided.
  • Objective: To have an OU where we can apply generic GPOs for desktops.
  • Mandatory? Up to the 3.3.2 version. For later versions, it will be required once VDI Manager has permission to create AD accounts in the tenant domain.
  • Modifiable? Yes    


Persistent desktops

This OU is not required. If it is populated and VDI Manager has permissions to create OUs in the tenant domain, it is used to locate the computer accounts in a VDT of persistent VMs. If VDI Manager has permissions to create OUs in the domain of the tenant, this OU is created automatically when initializing the tenant.

  • Items: Persistent desktops AD accounts
  • Objective: To have an OU where we can apply specific GPOs for persistent desktops. The domain synchronization user should have permissions to create AD accounts in this OU.
  • Mandatory? Never, If the OU field is empty, the AD accounts will be created in the OU provided in the “Desktops” field included in the OUs section located in the AD Integration Tag.
  • Modifiable? Yes  


Professional desktops

This OU is not required. If the OU is populated and VDI Manager has permissions to create OUs in the tenant domain, it is used to locate the computer accounts in a VDT of persistent VMs. If VDI Manager has permissions to create OUs in the domain of the tenant, this OU is created automatically when initializing the tenant.

  • Items: Non-persistent or professional desktops AD accounts
  • Objective: To have an OU where we can apply specific GPOs for professional desktops. The domain synchronization user should have permissions to create AD accounts in this OU.
  • Mandatory? Never, If the OU field is empty, the AD accounts will be created in the OU provided in the “Desktops” field included in the OUs section located in the AD Integration Tag.
  • Modifiable? Yes    


Servers

This OU is required when the VDI Manager has permissions to create computer accounts in the tenant domain. It is used to locate the server computer accounts created from VM Model. If VDI Manager has permissions to create OUs in the domain of the tenant, this OU is created automatically when the tenant is initialized.

  • Items: AD accounts of the new servers
  • Objective: To have an OU where we can apply specific GPOs for Servers. The domain synchronization user should have permissions to create AD accounts in this OU.
  • Mandatory? Whenever we need to create Servers choosing an option from the VM Models.
  • Modifiable? Yes    


Templates

This OU is required if the new Desktop Template Definitions are created from VM Models. Used to locate the computer accounts of the new Desktop template definitions. If VDI Manager has permissions to create OUs in the tenant domain, this OU is created automatically when initializing the tenant  or creating new Desktop Template definitions.

  • Items: AD Accounts of the desktop template definitions
  • Objective: This is an OU where we can apply specific GPOs for desktops templates. The domain synchronization user should have permissions to create AD accounts in this OU.
  • Mandatory? Whenever we decide to create Desktop template definitions choosing an option from the VM Models
  • Modifiable?  Yes    


Tenant

This OU is not required. It is the OU where the AD objects that need to be created during the initialization of Tenant (OUs, groups) are located. If it is not populated, the OU defined as the base in the domain in VDI Manager is used. If VDI Manager has permissions to create OUs in the tenant domain and this domain is marked as multi-tenant, this OU is created automatically when initializing the tenant.

  • Items: The OUs and Groups required for the good performance of Flexxible|SUITE
  • Objective: This is the OU where the AD objects that are required to be created during the initialization of the Tenant (i.e.. OUs, Groups) reside.
  • Mandatory? Never. If it is not provided, the primary OU defined in the VDI manager domain will be used
  • Modifiable? Yes   


Users

The users OU is required in versions up to 3.3.2. It is used to locate the differents user groups related to the tenant (users, managers, template designers, etc). If VDI Manager has permissions to create OUs in the tenant domain and this domain is marked as multi-tenant, this OU is created automatically when initializing the tenant.

  • Items: The User accounts created in VDI Manager
  • Objective: This is where the User groups related to the Tenant(Users, managers, template designers, etc) reside. The domain synchronization user should have permission to create user accounts in this OU.
  • Mandatory? Up to the 3.3.2 version. For later versions, it will be required only if new users will be created in the Users Tag of a specified Tenant.
  • Modifiable? Yes    


Shown below is the OUs structure recommended by Flexxible for a given tenant:


Tenant Groups

The tenant must have the following tenant groups for its proper functioning.

Application Servers

  • Included elements: The computer accounts of the application server of the tenant.
  • Group objective: Grants reading and writing permissions on the OU of the tenant.
  • Required: No.
  • Can it be modified once the tenant has been initialized? Yes.


Application Servers template

  • Included Elements:  The computer accounts of the application server templates.
  • Group objective: Grants reading permissions on this group and the OU of the tenant.
  • Required: It is required whenever the application server templates are created automatically.
  • Can it be modified once the tenant has been initialized? Yes.


Desktops

  • Included Elements: The desktops computer accounts of this tenant.
  • Group objective: Grants reading permissions on this group and the OU of the tenant.
  • Required: No
  • Can it be modified once the tenant has been initialized? Yes.


Managers

  • Included Elements: All the partner user accounts with VDI Manager access.
  • Group objective: Groups all the VDI Manager users and grants permissions to edit in tenant storages.
  • Required: Yes.
  • Can it be modified once the tenant has been initialized? No.


Professional users

  • Included elements: All the user accounts with assigned Desktop Professional.
  • Group objective: Groups all the Desktop Professional users.
  • Required: No.
  • Can it be modified once the tenant has been initialized? Yes.

 

Remote support team

  • Included elements: The user accounts who provide remote support.
  • Group objective: Grants remote support permissions to the VDI OS Manager users checked as "Allow Remote support".
  • Required: Yes.
  • Can it be modified once the tenant has been initialized? No.


Servers

  • Included Elements: The computer accounts of servers created automatically.
  • Group objective: Groups all the servers.
  • Required: It is required whenever the servers are automatically created.
  • Can it be modified once the tenant has been initialized? Yes.


Template designers

  • Included elements: User accounts with template edition permissions.
  • Group objective: Grants access via Citrix to the templates.
  • Required: Yes
  • Can it be modified once the tenant has been initialized? No.


Templates

  • Included elements: The desktop template computer accounts.
  • Group objective: Grants reading permissions to this group and the OU of the tenant.
  • Required: It is required whenever the tenant has desktop templates.
  • Can it be modified once the tenant has been initialized? Yes.


Users

  • Included elements: All the users of the tenant.
  • Group objective: Grants writing permissions to this group and the OU of the tenant. On the other hand, this group grants reading permissions for the storage of the tenant to these users.
  • Required: It is required whenever the users are created at the tenant level.
  • Can it be modified once the tenant has been initialized? Yes.