How to create a limited-privilege AD user for VERDE's LDAP integration

Product Line:  VERDE

VERDE requires an AD service account user in two places: on the LDAP Server page, to provide access to VERDE, and in the Session Settings, to provide dynamic AD join capabilities to Windows guests. The easiest way to give this service account enough privileges is to make it a Domain Administrator. If this is not desirable from a security standpoint, you can limit the privileges of this service account to what it actually needs. Here are the instructions:


  • Create a new AD Security Group (let's call it "VERDE Admins").

  • Find the OU where new computer objects are created. This is the top-level "Computers" OU ("CN=Computers,DC=example,DC=com"), but if you have a custom OU defined in your Session Settings, set the following permissions on that OU instead.

  • In "AD Users & Computers", right-click the "Computers" OU and select "Delegate Control".

  • In the resulting wizard, select the newly created AD Security Group ("VERDE Admins"), click Next, select "Create a custom task to delegate", and click Next.

  • Select "Only the following objects in the folder", then tick "Account objects" and "Computer objects" in the list, and also tick "Create selected object in folder" and "Delete selected object in folder". Click Next.

  • Select "Full Control" from the list and click Next (selecting Full Control also checks all other boxes).

  • The summary screen should now read as follows:

You chose to delegate control of objects 
in the following Active Directory folder:

    example.com/Computers

The groups, users, or computers to which you
have given control are:

    Verde Admins (EXAMPLE\verdeadmins)

They have the following permissions:

    Full Control

For the following object types:

    Computers

  • Click Finish.

  • Create a Service Account user and make it a member of two security groups:

      • "Domain Users"

      • Your newly created security group, in our example "VERDE Admins"

Now you can use this newly created Service Account for both the LDAP Server and Session Settings objects.
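The same delegation can be scripted instead of clicked through the wizard. The following is an added example, not part of this article or the VERDE product: it creates the group, adds the two access control entries that the wizard summary above describes (create/delete computer objects in the container, Full Control over computer objects only), creates the service account and then lists the resulting ACEs so you can confirm nothing broader was granted. It assumes the RSAT ActiveDirectory module, rights to edit the container's ACL, and a service account name of `svc-verde`; the group name, `verdeadmins` and the container DN are the article's example values.

```powershell
# Added example, not from the VERDE article. Assumes the RSAT ActiveDirectory module
# and rights to edit the target container's ACL. 'svc-verde' is an assumed name.
Import-Module ActiveDirectory

$groupName = 'VERDE Admins'
$groupSam  = 'verdeadmins'
$svcName   = 'svc-verde'
$target    = 'CN=Computers,DC=example,DC=com'   # or the custom OU from Session Settings

# 1. Security group that carries the delegated rights
$group = Get-ADGroup -Filter "sAMAccountName -eq '$groupSam'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupSam `
        -GroupScope Global -GroupCategory Security -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# 2. schemaIDGUID of the "computer" class, so the ACEs apply to computer objects only
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$raw = (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
        -Properties schemaIDGUID).schemaIDGUID
$computerGuid = New-Object Guid -ArgumentList (,[byte[]]$raw)

# 3. Two ACEs equivalent to the wizard's choices
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$target"

# "Create/Delete selected object in folder": CreateChild + DeleteChild of type
# computer, on this container only (no inheritance)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
    $computerGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# "Full Control" limited to "Computer objects": GenericAll inherited only by
# descendant computer objects, not by users, groups or the container itself
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerGuid)))

Set-Acl -Path "AD:\$target" -AclObject $acl

# 4. Service account: Domain Users is already its primary group, so only add the VERDE group
$pw = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity $group -Members $svcName

# 5. Check: only the two ACEs above should reference the group
(Get-Acl -Path "AD:\$target").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupSam" } |
    Format-Table ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

If the final listing shows an ACE with an empty ObjectType or InheritedObjectType, the delegation is broader than intended and should be corrected before the account is used in VERDE.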
