Integration in restrictive domains with limited permissions

Management of active directory objects with limited permissions

This article describes the use of computer accounts previously created for desktop or application servers in domains where Flexxible|SUITE is installed.

Both Tenants and Partners can modify the value of these permissions, but they cannot create new permissions or delete existing ones.


Integration in restrictive domains

A domain-level field has been added that allows you to specify the start time for synchronization with the Active Directory. This option is only visible if you set the domain to sync automatically.

The option to specify whether you have permissions to perform specific actions in the Active Directory has been added at the domain level. The options are:

  • Create internal groups

  • Create or update user information

  • Create OUs in Base OU

Below is a description of how to enable automatic synchronization and how to configure domain-level permissions.


Automatic synchronization

Active Directory objects of domains registered in Flexxible|SUITE that are in use (for example, configured groups, users assigned to a template, etc.) are cached in the Flexxible|SUITE database and re-synchronized every 4 hours. Objects that are no longer in use are removed from the cache.


Domain and Computer Account Permissions

You can find the computer account permissions in the tab section of the Domain view. In this tab, you can specify the permissions that the SYNC USER user has on that domain.


To change the value of one permission, you must click on the checkbox of the permission that you want to modify.


This action changes the color of the edited column to green, so you can see at a glance which permissions you have changed, and it enables the "Save Changes" button that was disabled until then.


For domains where Flexxible|SUITE does not have permissions, the "Create and delete computer accounts" permission checkbox must be cleared.

To apply the changes, click the "Save changes" button under the list of permissions so that the changes are not lost. Once saved, the "Save Changes" button is disabled again and the changed columns recover their original color. Finally, click the "Save" button in the domain detail view.

Indicating that Flexxible|SUITE does not have permissions on computer accounts in a domain enables the ability to import and manage computer accounts in Virtual Desktop Templates and Application Server Farms based on templates that are associated with that domain.

Machine account creation permissions are optional: depending on the level of permissions granted in the domain, the solution will either use pre-created accounts or create them automatically.


Permissions

Next, the available permissions are described.

Create and delete computer accounts: This permission refers to the ability to create and delete computer accounts in the client's Active Directory. It is used to create new machines and to remove them. If you do not have permission to create computer accounts, a list exists at Delivery Group level from which the machine accounts are taken. If there are no accounts in that list, the job shows an error explaining that there are no available machine accounts.

Create internal groups: This allows or prevents the creation of groups in the client's Active Directory.

Create or update user information: In the same way as the previous ones, this setting allows the creation or updating of user data in the Active Directory. This permission allows importing AD users who have any resource managed with Flexxible|SUITE, 

Create OUs in BaseOU: This parameter specifies whether the service account has permissions to create Organizational Units in the client's Active Directory. If you do not have this permission, you can still create new tenants in that domain as follows: in the 'AD Configuration' tab, manually configure the OUs previously created in the Active Directory. Otherwise, it will not work.

Force AD Replication: This only applies when the domain controller used by the controller is not the same one the worker points to. It forces replication to all the DCs of the AD. If this permission is not marked, the SUITE waits up to 1.5 hours for automatic AD replication to run.


Computer Account Status in a Delivery group

In the Virtual Desktop Templates and the Application Server Farms views, you can find the list of delivery groups in the tab section. These can be used to serve users on desktops or applications.


If Flexxible|SUITE does not have permission to create and delete computer accounts over the template domain, this list will display additional columns to view the status of the computer accounts assigned to the delivery group for creating new VMs:

  • The "Avail" column indicates how many computer accounts are available for assigning to the new VMs. If this number is less than the set minimum (column "Min"), the value will be highlighted in red.
  • The "Used" column indicates how many computer accounts are in use in the VMs in the delivery group.
  • The "Susp" column indicates the number of accounts in "Suspect" status, meaning that they are incorrectly formatted, do not exist in Active Directory, or could not be verified. Also flagged as suspicious are the accounts available in the correct format and existing in the domain, but which produce an error when added to a delivery group to create a new VM.
    The suspicious accounts will not be used to create new VMs. If there are any accounts in this state, the box is highlighted in red to make the users aware.
  • The "Accts" column indicates the total number of computer accounts associated with the delivery group, including those available, used and suspect.


Adding Computer Accounts to a Delivery Group

When the template associated with a Virtual Desktop Template or Application Server Farm belongs to a domain for which Flexxible|SUITE does not have permissions on computer accounts, a new "Computer accounts" tab is enabled in the detail view of a delivery group. In this tab you can manage these accounts:



Flexxible|SUITE activates an alert when the "Minimum available computer accounts" threshold is reached. Setting this number lets you know in time that additional accounts need to be provisioned.

The list shows the computer accounts associated with the delivery group, grouped by state:

  • Available: The computer accounts available to create new VMs. Their format and existence in Active Directory were validated when they were added to the delivery group, but they are validated again when used during the creation of VMs. If they do not pass the validation, they are marked as "Suspect".
  • Used: The accounts that are being used by VMs in this delivery group. When you delete the VMs, their computer accounts reappear as available.
  • Suspect: The computer accounts that are displayed as suspect, with the reason shown in the "Notes" column, because they:
    • do not have the correct name format,
    • do not exist in the Active Directory,
    • produced an error when trying to use them for new VMs, or
    • could not be validated.
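As an added example (not code from Flexxible|SUITE), the following Python models the account states listed above together with the "Avail", "Used", "Susp" and "Accts" counters and the minimum-accounts alert of the delivery group list; the name-format rule and the in-memory directory are assumptions standing in for the product's own validation and a real Active Directory lookup.

```python
import re
from collections import Counter

# Assumed name format: a NetBIOS computer name of 1-15 letters, digits or
# hyphens, optionally written with the trailing "$" of its sAMAccountName.
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}\$?$")

# Constructed stand-in for the Active Directory lookup (hypothetical names).
# True: account exists; False: missing; None: the lookup could not complete.
DIRECTORY = {"VDI-001$": True, "VDI-002$": True, "VDI-003$": True,
             "APP-01$": True, "APP-09$": None}

def normalize(name):
    """Return the sAMAccountName form: trimmed, upper-case, trailing '$'."""
    name = name.strip().upper()
    return name if name.endswith("$") else name + "$"

def classify(name, in_use_by_vm, directory=DIRECTORY):
    """Return (state, note) for one account as the delivery group lists it."""
    if not NAME_RE.match(name.strip()):
        return "Suspect", "wrong name format"
    sam = normalize(name)
    # In a real domain this is an LDAP query against the template's domain.
    found = directory.get(sam, False)
    if found is None:
        return "Suspect", "could not be validated"
    if not found:
        return "Suspect", "does not exist in Active Directory"
    if sam in in_use_by_vm:
        return "Used", "in use by VM " + in_use_by_vm[sam]
    return "Available", ""

def set_as_available(name, in_use_by_vm, directory=DIRECTORY):
    """Re-validate a suspect or used account; the two failure cases raise."""
    if not NAME_RE.match(name.strip()):
        raise ValueError("account name format is wrong")
    vm = in_use_by_vm.get(normalize(name))
    if vm:
        raise ValueError("account in use by VM %s; delete the VM first" % vm)
    return classify(name, in_use_by_vm, directory)

def summarize(names, in_use_by_vm, minimum, directory=DIRECTORY):
    """Avail/Used/Susp/Accts counters plus the red flag and minimum alert."""
    counts = Counter(classify(n, in_use_by_vm, directory)[0] for n in names)
    avail = counts["Available"]
    return {"Avail": avail, "Used": counts["Used"], "Susp": counts["Suspect"],
            "Accts": len(names), "Min": minimum,
            "red": avail < minimum, "alert": avail <= minimum}
```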

The catalog and hosting unit using an account are displayed in the list and, if the catalog or hosting unit is excluded, the "Excluded" column will be highlighted, indicating that this account might never be used while it is assigned to an excluded catalog or hosting unit.


You can mark one or more suspect or used computer accounts and set them as available again by checking their checkboxes and pressing the "Set as available" button. A new job is enqueued for each used account.

The operation will fail if:

  • the account name format is wrong.
  • the account is being used by an existing VM; in this case the VM must be explicitly deleted first.


You can also delete the computer accounts by checking their checkboxes and clicking the "Delete" button in the toolbar:


The "Import" button allows you to import new computer accounts using two methods: loading them from an Excel file, or copying/paste them from the clipboard:



The imported accounts that do not have a correct name format, do not exist in the Active Directory, or cannot be verified, will be imported in "Suspect" status.

Remember: Before exiting the domain details, you must save the changes.


Alert “Computer accounts minimum reached for delivery group”

If a delivery group reaches the minimum available accounts configured, an alert is activated indicating the number of available accounts and the minimum for the delivery group and Application Server Farm or Virtual Desktop Template.


If an alert subscription has been set up, you will receive email notifications when the alert is activated.


Tenant AD configuration options

The Flexxible AD Configuration settings can be modified to enable editing of OUs and Groups for tenants. To do this, click on any of the Settings options in the left side menu and search for "AD Configuration" in the search box as illustrated below:


The EditADConfiguration Settings key can be set to three values:

  1. "None" if you don´t want the users to have permissions to edit OUs and Groups in any tenant
  2. "All" if you want the users to have permissions to edit the OUs and Groups in all the tenants
  3. "NoMultitenant" if you want the users to have permissions to edit OUs and Groups on tenants that are Not linked to a Multitenant domain but not on tenants that are linked to a Mutitenant domain