You can configure permissions for the registered domains in Flexxible|SUITE, so the SUITE will not try to perform unauthorized operations in the domain.
You can find the permissions in the “Permissions” tab of a domain's detail view. In this tab, you can specify the permissions that the SYNC USER account has on that domain.
To change the value of one permission, you must click on the checkbox of the permission that you want to modify.
The column you have edited turns green, which helps you keep track when you have changed several permissions, and the "Save Changes" button, disabled until now, becomes active.
For domains where Flexxible|SUITE does not have permissions, the "Create and delete computer accounts" permission checkbox must be cleared.
To apply the changes, click the "Save Changes" button under the list of permissions so that the changes are not lost. Once you have saved them, the "Save Changes" button is disabled again and the changed columns return to their original color. Finally, you must click on the "Save" button in the domain detail view.
Indicating that Flexxible|SUITE does not have permissions on computer accounts in a domain enables importing and managing computer accounts in Virtual Desktop Templates and Application Server Farms based on templates that are associated with that domain.
Optional machine account creation permissions are also required; depending on the level of permissions in the domain, the solution will either use pre-created accounts or create them automatically.
- Check AD account existence: this indicates that the sync user can perform LDAP queries against the domain to find out if an account exists.
- Create & edit group policies: this indicates that the sync user has permission to create and edit group policies in the domain. When this permission is checked, some features become available, like defining AD groups for local administrators and their members in the Tenant detail view.
- Create and delete computer accounts: This permission refers to the ability to create and delete computer accounts in the client's Active Directory. This is used to create new machines and remove them. If you do not have permission to create computer accounts, there is a list at the Delivery Group level from which the machine accounts can be taken. If there are no accounts, the job shows an error explaining that there are no available machine accounts.
- Create and update users: In the same way as the previous ones, this setting allows the creation or updating of user data in the Active Directory. This permission allows importing AD users who have any resource managed with Flexxible|SUITE.
- Create internal groups: This specifies whether groups can be created in the client's Active Directory.
- Create OUs in BaseOU: This parameter specifies whether the service account has permission to create Organizational Units in the client's Active Directory. If you do not have this permission, you can still create new tenants in that domain, but you must manually configure, in the 'AD Configuration' tab, the OUs previously created in the Active Directory. Otherwise, it will not work.
- Delete users: Specifies whether the configured credentials have permission to permanently delete or disable user accounts in AD.
- Force AD Replication: This only has an effect when the DC used by the controller is not the same as the one the worker points to. It forces replication to all the DCs of the AD. If this permission is not checked, the SUITE waits up to 1.5 hours for the automatic AD replication to run.
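Before ticking the checkboxes above, it helps to confirm what the sync user has actually been delegated on the base OU. The following PowerShell is an added example, not part of Flexxible|SUITE or its documentation. It assumes the RSAT ActiveDirectory module, uses a placeholder OU DN and account name, and maps checkbox names to AD create/delete-child rights as our own reading of those names. It only considers ACEs that name the account or a group it is a direct member of.

```powershell
Import-Module ActiveDirectory

$BaseOU  = 'OU=Tenants,DC=example,DC=test'   # placeholder DN (assumption)
$SyncSam = 'svc-sync'                        # placeholder sAMAccountName (assumption)

# schemaIDGUID values of the standard AD object classes
$Class = @{
    computer           = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    user               = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    group              = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
    organizationalUnit = [guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'
}

# Assumed mapping: checkbox name -> (object class, rights needed on the base OU)
$Checks = [ordered]@{
    'Create and delete computer accounts' = @('computer', 'CreateChild, DeleteChild')
    'Create and update users'             = @('user', 'CreateChild')   # "update" is not checked here
    'Delete users'                        = @('user', 'DeleteChild')
    'Create internal groups'              = @('group', 'CreateChild')
    'Create OUs in BaseOU'                = @('organizationalUnit', 'CreateChild')
}

# SIDs that can match an ACE: the account itself plus its direct groups
$user = Get-ADUser -Identity $SyncSam
$sids = @($user.SID.Value) +
        @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value })

# ACEs on the base OU that apply to the OU itself (skip inherit-only entries)
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$aces = (Get-Acl -Path "AD:\$BaseOU").GetAccessRules($true, $true, $sidType) |
    Where-Object { $sids -contains $_.IdentityReference.Value -and
                   -not ($_.PropagationFlags -band $inheritOnly) }

foreach ($name in $Checks.Keys) {
    $guid = $Class[$Checks[$name][0]]
    $need = [int][System.DirectoryServices.ActiveDirectoryRights]$Checks[$name][1]
    $allow = 0; $deny = 0
    # An empty ObjectType means the ACE covers every child class
    foreach ($ace in $aces | Where-Object { $_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty }) {
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.ActiveDirectoryRights }
        else                                    { $deny  = $deny  -bor [int]$ace.ActiveDirectoryRights }
    }
    $effective = $allow -band (-bnot $deny)   # a Deny ACE overrides a matching Allow
    [pscustomobject]@{
        Permission = $name
        Delegated  = (($effective -band $need) -eq $need)
    }
}
```

A row with `Delegated = False` is a permission to leave cleared in the "Permissions" tab, so the SUITE does not attempt that operation in the domain.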