Objective 1.5 Prepare Active Directory for Installation
For this objective I used the following resources:
- VMware View Installation Documentation
- VMware View Security Documentation
- VMware KB Article 1028287 “Configuring kiosk mode in VMware View Manager 4.5”
Describe characteristics of required Active Directory domain accounts (e.g., permissions).
vCenter Server User Account – Required account that is specified when adding vCenter in View Administrator. The user account must be in the same domain as your View Connection Server or in a trusted domain. If utilizing View Composer, the account needs to be added to the local Administrators group on the vCenter Server.
View Composer User Account – Needed only if using View Composer and linked-clones. This account is used to join desktops to the domain. Create the account in the OU/Container that will house your linked-clone machine accounts. The account created requires the following Active Directory permissions:
- List Contents
- Read All Properties
- Write All Properties
- Read Permissions
- Create Computer Objects
- Delete Computer Objects
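One way to delegate exactly these six permissions and then confirm that nothing broader was granted, as an added example (not from the VMware documentation or the original post). The OU distinguished name, the account name, and the "this object and all descendants" inheritance scope are assumptions; the GUID is the schemaIDGUID of the AD `computer` class.

```powershell
# Added example. The OU DN and account name are placeholders, not values from the page.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

$ouDn    = 'OU=ViewLinkedClones,DC=example,DC=com'   # hypothetical linked-clone OU
$account = 'EXAMPLE\svc-viewcomposer'                # hypothetical View Composer account
$path    = "AD:\$ouDn"

# schemaIDGUID of the "computer" class: limits Create/Delete Child to computer objects
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$ntAccount = New-Object System.Security.Principal.NTAccount -ArgumentList $account
$sid       = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # assumed scope

# List Contents, Read All Properties, Write All Properties, Read Permissions
$baseRights  = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, ReadControl'
# Create Computer Objects, Delete Computer Objects
$childRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

$ruleType = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$acl = Get-Acl -Path $path
$acl.AddAccessRule((New-Object $ruleType -ArgumentList $sid, $baseRights, $allow, $inherit))
$acl.AddAccessRule((New-Object $ruleType -ArgumentList $sid, $childRights, $allow, $computerClass, $inherit))
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and flag any ACE naming the account that exceeds the six rights
$allowedMask = [int]$baseRights -bor [int]$childRights
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        $extra  = $rights -band (-bnot $allowedMask)
        # Create/Delete Child that is not scoped to the computer class is broader than required
        $unscoped = (($rights -band [int]$childRights) -ne 0) -and ($_.ObjectType -ne $computerClass)
        [pscustomobject]@{
            Rights        = $_.ActiveDirectoryRights
            ObjectType    = $_.ObjectType
            Inherited     = $_.IsInherited
            ExcessRights  = [System.DirectoryServices.ActiveDirectoryRights]$extra
            UnscopedChild = $unscoped
        }
    }
```

Rows where `ExcessRights` is not `0` or `UnscopedChild` is `True` show the account holding more than the list above. The check only covers ACEs that name the account directly, not rights it receives through group membership.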
View Client – Configure user accounts in Active Directory for the users who have access to View desktops. The user accounts must be members of the Remote Desktop Users group, but the accounts do not require View administrator privileges.
View Client with Local Mode – Configure user accounts in Active Directory for the users who have access to View desktops in local mode. The user accounts do not require View administrator privileges. As a standard best practice for desktops, make sure that a unique password is created for the local Administrator account on each View desktop that you plan to use in local mode.
View Connection, Security, or Transfer Server – Initially, all users who are members of the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer are allowed to log in to View Administrator.
Account information provided from page 8 of the “VMware View Security” and page 23 of the “View Installation” documentation
Identify and describe the GPO template files
VMware View includes Active Directory administrative template files (ADM) for optimizing and securing your View desktops. The ADM files are located in the install_directory\VMware\VMware View\Server\Extras\GroupPolicyFiles directory on the View Connection Server. The following templates are included:

| Template Name | Template File | Description |
|---|---|---|
| VMware View Agent Configuration | vdm_agent.adm | Contains policy settings related to the authentication and environmental components of View Agent |
| VMware View Client Configuration | vdm_client.adm | Contains policy settings related to View Client configuration. Clients that connect from outside the View Connection Server host domain are not affected by policies applied to View Client |
| VMware View Server Configuration | vdm_server.adm | Contains policy settings related to View Connection Server |
| VMware View Common Configuration | vdm_common.adm | Contains policy settings that are common to all View components |
| VMware View PCoIP Session Variables | pcoip.adm | Contains policy settings related to the PCoIP display protocol |
| VMware View Persona Management Configuration | ViewPM.adm | Contains policy settings related to View Persona Management |

Describe Organizational Units (OUs) for machine accounts and kiosk mode client accounts
The use of Active Directory (AD) Organizational Units (OUs) is strongly recommended when implementing VMware View. OUs allow you to separate your View desktops from other systems in your environment and apply View-specific GPOs to them. If Kiosk Mode is to be used, the “vdmadmin” command line utility will need to be leveraged to specify the OU to be used.
For full details on setting up Kiosk Mode, read VMware KB Article 1028287 “Configuring kiosk mode in VMware View Manager 4.5”.