VCP5-DT Objective 1.5–Prepare Active Directory for Installation

Objective 1.5 Prepare Active Directory for Installation

For this objective I used the following resources:

  • VMware View Installation Documentation
  • VMware View Security Documentation
  • VMware KB Article 1028287 “Configuring kiosk mode in VMware View Manager 4.5”

Knowledge

Describe characteristics of required Active Directory domain accounts (e.g., permissions).

vCenter Server User Account – Required account that is specified when adding vCenter in View Administrator. The user account must be in the same domain as your View Connection Server or in a trusted domain. If utilizing View Composer, the account needs to be added to the local Administrators group on the vCenter Server.

View Composer User Account – Needed only if using View Composer and linked-clones. This account is used to join desktops to the domain. Create the account in the OU/Container that will house your linked-clone machine accounts. The account created requires the following Active Directory permissions:

  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Create Computer Objects
  • Delete Computer Objects
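
One way to check that the View Composer account holds the six permissions listed above and nothing more, as an added PowerShell example (not from the original post or VMware's documentation). The OU distinguished name and account name are hypothetical placeholders; it assumes the ActiveDirectory module is installed and inspects only ACEs on the OU that name the account directly.

```powershell
# Added example: audit the View Composer account's ACEs on the linked-clone OU.
# Assumed (hypothetical) values: the OU distinguished name and the account name.
Import-Module ActiveDirectory

$OuDn    = 'OU=ViewDesktops,DC=example,DC=com'
$Account = 'EXAMPLE\svc-viewcomposer'

$R        = [System.DirectoryServices.ActiveDirectoryRights]
$Any      = [guid]::Empty
$Computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"

# The six permissions from the list above as (right, object type) pairs.
$Required = @(
    @{ Name = 'List Contents';           Right = $R::ListChildren;  Type = $Any }
    @{ Name = 'Read All Properties';     Right = $R::ReadProperty;  Type = $Any }
    @{ Name = 'Write All Properties';    Right = $R::WriteProperty; Type = $Any }
    @{ Name = 'Read Permissions';        Right = $R::ReadControl;   Type = $Any }
    @{ Name = 'Create Computer Objects'; Right = $R::CreateChild;   Type = $Computer }
    @{ Name = 'Delete Computer Objects'; Right = $R::DeleteChild;   Type = $Computer }
)
$AllowedMask = 0
$Required | ForEach-Object { $AllowedMask = $AllowedMask -bor [int]$_.Right }

# Allow ACEs on the OU that name the account directly (group membership is not expanded).
$Aces = @((Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
})

# 1) Is every required permission present?
foreach ($req in $Required) {
    $hit = $Aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($req.Right) -and
        ($_.ObjectType -eq $req.Type -or $_.ObjectType -eq $Any)
    }
    [pscustomobject]@{ Check = $req.Name; Result = $(if ($hit) { 'present' } else { 'MISSING' }) }
}

# 2) Does any ACE grant more than the six permissions (least-privilege drift)?
foreach ($ace in $Aces) {
    $extra    = [int]$ace.ActiveDirectoryRights -band (-bnot $AllowedMask)
    $unscoped = ($ace.ActiveDirectoryRights.HasFlag($R::CreateChild) -or
                 $ace.ActiveDirectoryRights.HasFlag($R::DeleteChild)) -and $ace.ObjectType -eq $Any
    if ($extra -ne 0) {
        [pscustomobject]@{ Check = 'Excess rights'; Result = "$($extra -as $R)" }
    }
    if ($unscoped) {
        [pscustomobject]@{ Check = 'Create/Delete child'; Result = 'not limited to computer objects' }
    }
}
```

Rows reported as `Excess rights` (for example `GenericAll` or `WriteDacl`) or as unscoped create/delete mean the account can do more in the OU than joining and removing linked-clone computer accounts.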

View Client – Configure user accounts in Active Directory for the users who have access to View desktops. The user accounts must be members of the Remote Desktop Users group, but the accounts do not require View administrator privileges.

View Client with Local Mode – Configure user accounts in Active Directory for the users who have access to View desktops in local mode. The user accounts do not require View administrator privileges. As a standard best practice for desktops, make sure that a unique password is created for the local Administrator account on each View desktop that you plan to use in local mode.

View Connection, Security, or Transfer Server – Initially, all users who are members of the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer are allowed to log in to View Administrator.

Account information provided from page 8 of the “VMware View Security” and page 23 of the “View Installation” documentation.

Identify and describe the GPO template files

VMware View includes Active Directory administrative template (ADM) files for optimizing and securing your View desktops. The ADM files are located in the install_directory\VMware\VMware View\Server\Extras\GroupPolicyFiles directory on the View Connection Server. The following templates are included:

| Template Name | Template File | Description |
|---|---|---|
| VMware View Agent Configuration | vdm_agent.adm | Contains policy settings related to the authentication and environmental components of View Agent |
| VMware View Client Configuration | vdm_client.adm | Contains policy settings related to View Client configuration. Clients that connect from outside the View Connection Server host domain are not affected by policies applied to View Client |
| VMware View Server Configuration | vdm_server.adm | Contains policy settings related to View Connection Server |
| VMware View Common Configuration | vdm_common.adm | Contains policy settings that are common to all View components |
| VMware View PCoIP Session Variables | pcoip.adm | Contains policy settings related to the PCoIP display protocol |
| VMware View Persona Management Configuration | ViewPM.adm | Contains policy settings related to View Persona Management |

Describe Organizational Units (OUs) for machine accounts and kiosk mode client accounts

The use of Active Directory (AD) Organizational Units (OUs) is strongly recommended when implementing VMware View. OUs allow you to separate your View desktops from other systems in your environment and apply View-specific GPOs to them. If Kiosk Mode is to be used, the “vdmadmin” command line utility will need to be leveraged to specify the OU to be used.

For full details on setting up Kiosk Mode, read VMware KB Article 1028287 “Configuring kiosk mode in VMware View Manager 4.5”.
