VERDE requires an AD service account user in two places: in the LDAP Server page, to provide access to VERDE, and in the Session Settings, to provide dynamic AD join capabilities to Windows guests. The easiest way to provide the right amount of privileges to this service account is to give Domain Administrator privileges to the account. If this is not desirable from a security standpoint, you can limit the privileges of this service account. Here are the instructions:
· Create a new AD Security Group (let's call it "VERDE Admins").
· Find the OU where new computer objects are created. By default this is the top-level "Computers" OU ("CN=Computers,DC=example,DC=com"); if you have a custom OU defined in your Session Settings, set the following permissions on that OU instead.
· In "AD Users & Computers", right-click on the "Computers" OU and select "Delegate Control".
· In the resulting wizard, select the newly created AD Security Group ("VERDE Admins"), click Next, select "Create a custom task to delegate", and click Next.
· Select "Only the following objects in the folder", then tick "Account objects" and "Computer objects" from the list, and also tick "Create selected objects in this folder" and "Delete selected objects in this folder". Click Next.
· Select "Full Control" from the list and click Next. (Selecting Full Control will also check all other boxes.)
· In the summary screen you should now read the following summary:
    You chose to delegate control of objects
    in the following Active Directory folder:
        example.com/Computers
    The groups, users, or computers to which you
    have given control are:
        Verde Admins (EXAMPLE\verdeadmins)
    They have the following permissions:
        Full Control
    For the following object types:
        Computers
· Click Finish.
· Create a Service Account user and make it a member of two security groups:
    · "Domain Users"
    · Your newly created security group, in our example "VERDE Admins"
Now you can use this newly created Service Account for both the LDAP Server and Session Settings objects.
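The same delegation can be scripted instead of clicked through the wizard, which makes it repeatable and easy to audit. The following is an added example and is not part of the VERDE documentation or product; it assumes the RSAT ActiveDirectory PowerShell module, a domain of example.com, a service account named svc-verde (both names are assumptions), and that it is run by an account allowed to create groups and users and to edit the ACL of the target container. It reproduces the two ACEs the wizard creates for "Full Control" over "Computer objects" (create/delete computer objects in the container, full control over descendant computer objects) and then checks that the service account ended up in exactly the two groups the text calls for.

```powershell
# Added example: least-privilege delegation for the VERDE service account.
# Not from the VERDE documentation; names below (svc-verde, VERDE Admins) are assumptions.
Import-Module ActiveDirectory

$GroupName  = 'VERDE Admins'
$GroupSam   = 'verdeadmins'
$SvcAccount = 'svc-verde'            # assumed service account name
$Domain     = Get-ADDomain
# Default location for new computer objects. If the VERDE Session Settings use a
# custom OU, put that OU's distinguished name here instead.
$ComputerOU = "CN=Computers,$($Domain.DistinguishedName)"

# 1. Security group (created only if it does not already exist)
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupSam'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupSam `
        -GroupScope Global -GroupCategory Security -PassThru
}

# 2. Schema GUID of the "computer" class, so the ACEs are scoped to computer objects only
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                    -Properties schemaIDGUID
$computerGuid = [guid]$computerCls.schemaIDGUID

# 3. The two ACEs the wizard writes for "Create/Delete selected objects" + "Full Control"
$sid = $group.SID
# Create and delete child objects of class "computer" in this container and below
$createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
# Full control, but only over descendant objects of class "computer"
$fullOnComputers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl = Get-Acl -Path "AD:\$ComputerOU"
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullOnComputers)
Set-Acl -Path "AD:\$ComputerOU" -AclObject $acl

# 4. Service account: "Domain Users" is its primary group by default, so only the
#    delegated group needs to be added.
$password = Read-Host -AsSecureString -Prompt "Password for $SvcAccount"
$svc = New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -AccountPassword $password -Enabled $true -PassThru
Add-ADGroupMember -Identity $group -Members $svc

# 5. Verify the result: the group's ACEs on the container are scoped to the computer
#    class, and the account is in "Domain Users" and "VERDE Admins" and nothing else.
(Get-Acl -Path "AD:\$ComputerOU").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType

$memberships = Get-ADPrincipalGroupMembership -Identity $svc | Select-Object -ExpandProperty Name
$expected    = @('Domain Users', $GroupName)
$unexpected  = $memberships | Where-Object { $_ -notin $expected }
if ($unexpected) {
    Write-Warning "Service account has extra group memberships: $($unexpected -join ', ')"
} else {
    Write-Output "Service account is limited to: $($memberships -join ', ')"
}
```

The verification step at the end is the part worth keeping in a periodic check: the service account's password is used by two VERDE components, so confirming that it is not a member of Domain Admins (or any group beyond the two above) bounds what a leak of that credential can do to creating and managing computer objects in the one container.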