VERDE requires an AD service account user in two places: in the LDAP Server
page, to provide access to VERDE, and in the Session Settings, to provide dynamic
AD join capabilities to Windows guests. The easiest way to provide the right
amount of privileges to this service account is to give Domain Administrator
privileges to the account. If this is not desirable from a security standpoint,
you can limit the privileges to this service account. Here are the
1. Create a new AD Security Group (let's call it "VERDE Admins").
2. Locate the OU where new computer objects are created. This is the top-level
   "Computers" OU ("CN=Computers,DC=example,DC=com"), but if you have a custom
   OU defined in your Session Settings, please set the following permissions
   on that OU.
3. In "AD Users & Computers", right-click the "Computers" OU and select
   "Delegate Control".
4. In the resulting wizard, select the newly created AD Security Group ("VERDE
   Admins"), click Next, click "Create a custom task to delegate", and
   click Next.
5. Select "Only the following objects in the folder", then tick "Account
   objects" and "Computer objects" in the list, and also tick "Create
   selected object in folder" and "Delete selected object in folder".
   Click Next.
6. Select "Full Control" from the list and click Next. (Selecting Full Control
   will also check all other boxes.)
7. In the summary screen you should now read the following summary:

   You chose to delegate control of objects
   in the following Active Directory folder:
   The groups, users, or computers to which you
   have given control are:
   Verde Admins (EXAMPLE\verdeadmins)
   They have the following permissions:
   For the following object types:

8. Create a Service Account user and make it a member of two security groups:
   - The newly created security group, in our example "VERDE Admins"
9. Now you can use this newly created Service Account for both the LDAP Server
   and Session Settings objects.
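
To confirm that the delegation took effect and stayed narrow, the following read-only PowerShell check can be run from a management host. It is an added example, not part of the original VERDE documentation; it assumes the RSAT ActiveDirectory module, the example DN and group shown above, and a hypothetical service account name `svc-verde`.

```powershell
# Added example: read-only audit of the delegation described above.
# Assumptions: RSAT ActiveDirectory module; 'svc-verde' is a hypothetical
# service account name; the DN and group name are the page's example values.
Import-Module ActiveDirectory

$TargetDn   = 'CN=Computers,DC=example,DC=com'  # or the custom OU from Session Settings
$GroupSam   = 'verdeadmins'                     # "VERDE Admins" (EXAMPLE\verdeadmins)
$ServiceSam = 'svc-verde'                       # hypothetical account name

# Map schema GUIDs to names so ACEs read "computer" instead of a raw GUID.
$guidMap = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-SchemaGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()   # e.g. an extended right, left as a GUID
}

# 1. Which rights does the delegated group hold on the target container?
$aces = (Get-Acl -Path "AD:\$TargetDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupSam" }

$aces | Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
    @{ n = 'ObjectType';          e = { Resolve-SchemaGuid $_.ObjectType } },
    @{ n = 'InheritedObjectType'; e = { Resolve-SchemaGuid $_.InheritedObjectType } } |
    Format-Table -AutoSize

# 2. Flag Full Control that is not scoped to an object class: that is wider
#    than the wizard's "Only the following objects in the folder" selection.
$all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$unscoped = @($aces | Where-Object {
    ($_.ActiveDirectoryRights -band $all) -eq $all -and
    $_.ObjectType -eq [guid]::Empty -and $_.InheritedObjectType -eq [guid]::Empty
})
if ($unscoped.Count) { Write-Warning "Unscoped Full Control for $GroupSam on $TargetDn" }

# 3. The service account should not also sit in a domain-wide admin group.
$svc = Get-ADUser -Identity $ServiceSam
foreach ($g in 'Domain Admins', 'Administrators') {
    if (Get-ADGroupMember -Identity $g -Recursive | Where-Object SID -eq $svc.SID) {
        Write-Warning "$ServiceSam is a member of '$g'"
    }
}
```

No warnings and a table listing only class-scoped entries for the group indicates the limited-privilege setup is in place; an empty table means the delegation was applied to a different container than the one queried.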