What Permissions Does the Workspace Domain Administrator Account Need?
The domain administrator account configured for Workspace must be granted the following permissions on the OU that contains the domain users or VMs. These permissions let it create virtual desktops, join desktops to the domain, authenticate end users' domain accounts, and query user and user group information.
- Create computer objects: Allows the service account to create new computer accounts in the OU.
- Delete computer objects: Allows the service account to delete computer accounts (optional and configurable on the GUI).
- Reset passwords: Allows the service account to reset the computer account password, which may be required during configuration or maintenance.
- Read and write account restrictions: Allows the service account to view and modify account restrictions, ensuring that computer objects are correctly configured.
- Validate write to DNS host name: Allows the service account to update the DNS host name attribute on computer accounts, which is essential for correct DNS registration during domain join.
- Validate write to service principal name (SPN): Allows the service account to update the SPN, which is required for Kerberos authentication and domain functions.
Permissions Configuration Example 1
- Log in to the AD server using the account and password.
- Press Win + R. In the displayed Run dialog box, enter dsa.msc. The Active Directory Users and Computers page is displayed.
- Right-click the domain name (for example, vdesktop.huawei.com) and choose Delegate Control from the shortcut menu.
- On the Delegation of Control Wizard page, click Next.
- Click Add. In the text box, enter the account (domain administrator account), and click Check Names. Then, click OK.
- Click Next.
- Select Create a custom task to delegate and click Next.
- Select Only the following objects in the folder to configure the required permissions.
- Select Computer objects. This lets you configure the Create Computer Objects and Delete Computer Objects permissions.
- Select account objects. This lets you configure the Read/Write Account Restrictions permissions.
- Select msDNS-ServerSettings objects. This lets you configure the Validated write to DNS host name permission.
- Click Next.
- Under Permissions, configure the following permissions as required.
  - Create computer objects: Select Read, Write, Create All Child Objects, and Read All Properties.
  - Delete computer objects: Select Read, Write, Delete All Child Objects, and Read All Properties.
  - Read/Write account restrictions: Select Read, Write, and Read All Properties.
  - Validated write to DNS host name: Select Full Control.
- Click Next and then Finish.
Permissions Configuration Example 2
- Log in to the AD server using the account and password.
- Press Win + R. In the displayed Run dialog box, enter dsa.msc. The Active Directory Users and Computers page is displayed.
- Right-click the domain name (for example, vdesktop.huawei.com) and choose Properties from the shortcut menu.
- On the Security page, click Advanced.
- Click Add, and click Select a principal. In the text box, enter the account (domain administrator account), and click Check Names. Then, click OK twice.
- Retain the default value (Allow) for Type, and select Descendant computer objects for Applies to. Then select the following permissions:
  - Resetting password: Select Reset password.
  - Validating write to service principal name (SPN): Select Validated write to service principal name.
- Click OK.
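The two GUI procedures above grant six rights in total: create and delete computer objects directly in the OU, plus read/write Account Restrictions, Reset Password and the two validated writes on descendant computer objects. The following PowerShell script is an added example, not part of the Huawei Cloud documentation, that applies exactly that set with the ActiveDirectory module and then audits the OU's ACL so you can confirm the account holds nothing broader (for example Full Control or Write DACL). The OU distinguished name and the account name are placeholders; the schema and control-access-right GUIDs are resolved from your own forest rather than hard-coded, using the same right names the wizard displays.

```powershell
# Added example, not part of the Huawei Cloud Workspace documentation.
# Applies the delegation described in Examples 1 and 2 and then audits it.
# Assumptions: the RSAT ActiveDirectory module is installed; $OuDn and
# $ServiceAccount below are placeholders for your environment.
Import-Module ActiveDirectory

$OuDn           = 'OU=Workspace-Desktops,DC=example,DC=com'   # placeholder OU
$ServiceAccount = 'EXAMPLE\svc-workspace'                      # placeholder account

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Object-class GUID (e.g. 'computer') looked up in the schema partition.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}

# Control-access-right GUID (extended right, validated write or property set) by display name.
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNc -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# Build the six ACEs that the GUI steps produce.
function New-WorkspaceRules {
    $sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $computer = Get-SchemaGuid 'computer'
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $I = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # Rule scoped to descendant computer objects only (Example 2, "Applies to").
    $onComputers = { param($right, $guid)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $right, $allow, $guid, $I::Descendents, $computer) }

    @(
        # Example 1: create and delete computer objects in this OU.
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::CreateChild, $allow, $computer, $I::None)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::DeleteChild, $allow, $computer, $I::None)
        # Example 1: read/write the Account Restrictions property set.
        & $onComputers ($R::ReadProperty -bor $R::WriteProperty) (Get-RightsGuid 'Account Restrictions')
        # Example 1: validated write to dNSHostName (a "Self" right in the ACE).
        & $onComputers $R::Self (Get-RightsGuid 'Validated write to DNS host name')
        # Example 2: Reset Password extended right on descendant computers.
        & $onComputers $R::ExtendedRight (Get-RightsGuid 'Reset Password')
        # Example 2: validated write to servicePrincipalName.
        & $onComputers $R::Self (Get-RightsGuid 'Validated write to service principal name')
    )
}

# Apply the rules to the OU. This is the only write performed by the script.
function Grant-WorkspaceDelegation {
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($rule in New-WorkspaceRules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Audit: list every ACE the account holds on the OU and flag rights broader
# than the documented set (Full Control, Write DACL/Owner, or an unscoped
# write-all-properties entry).
function Test-WorkspaceDelegation {
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount })) {
        $rights = $ace.ActiveDirectoryRights
        $broad = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or
                 $rights.HasFlag($R::WriteOwner) -or
                 ($rights.HasFlag($R::WriteProperty) -and $ace.ObjectType -eq [guid]::Empty)
        [pscustomobject]@{
            Type       = $ace.AccessControlType
            Rights     = $rights
            ObjectType = $ace.ObjectType           # right / property-set / class GUID
            AppliesTo  = $ace.InheritedObjectType  # computer class GUID for scoped ACEs
            Excessive  = $broad
        }
    }
}

# Run the audit first; call Grant-WorkspaceDelegation only if rights are missing.
Test-WorkspaceDelegation | Format-Table -AutoSize
```

Run the audit before and after delegation. An ACE with Excessive set to True means the account has more than the documented set (typically because Full Control was granted for convenience); remove that entry and re-run the script so the account is limited to the six scoped rights, which is what lets the Workspace service join and maintain desktops without being able to rewrite arbitrary attributes or permissions on the OU.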