In an environment where security is delegated, you may need to know at a granular level just which permissions are needed to accomplish tasks within Provisioning Services. This is often the case when working in larger environments where the vCenter admin may be separate from the AD Team and Citrix Teams. This blog post will explain which permissions are used at various points in the console. The specific list of required permissions vary by task and screen.<\/p>\n
First things first \u2013 PVS doesn\u2019t have the greatest Role Based Access Control, but it does offer some. You can add administrators to the PVS Farm, the Site, and Devices. The groups you add here will be used for the farm as it relates to PVS itself. You can find more information on these roles in the official documentation<\/a>. The important takeaway is that you can only<\/i><\/b> add groups \u2013 no direct assignments here!<\/p>\n PVS can automate the task of managing the Active Directory Computer Account Password changes<\/a>. In order to accomplish changing these passwords, the account responsible for running the Stream Service requires the RESET PASSWORD permission in Active Directory for the computer object. It is recommended you apply this at the OU where your target devices reside.<\/p>\n When managing devices, you may from time to time need to manually reset a computer account. This can only be accomplished when a VM is marked as down (so shutdown in advance, or if you\u2019re a daring lad or lass, right click and choose \u2018mark as down\u2019). Right click a VM and choose \u2018Reset\u2019. All of the functions under this menu, including delete computer account and create computer account require permissions from the account of the user who launched the console.<\/i><\/b> This takes advantage of the integrated Windows Security to access AD, similar to how other MMC\u2019s like Active Directory Users and Computers operate. This means that the user account who launched the console would require reset password, create computer account, or delete computer account<\/i><\/b>. Note: There is information online that states the service account needs create and delete \u2013 this is not the case.<\/i><\/p>\n One of the criticisms of PVS is that it \u201cis very complex\u201d when compared against MCS. That isn\u2019t something I am here to refute because it isn\u2019t entirely untrue. However, the XenDesktop Setup Wizard makes it fairly easy to provision machines once everything is up and running. With that said, it can be a bit confusing which permissions are needed.<\/p>\n The initial permission required is PVS Site Admin. The SOAP service account user should have \u201cFull Administrator\u201d in XenApp\/XenDesktop.<\/p>\n The first screen you are greeted with is connecting to XenDesktop \u2013 you will require XenApp \/ XenDesktop site permissions for this initial step. Immediately following that, you are presented with XenDesktop host resource selection \u2013 this screen represents resources you defined under \u201cHosting\u201d in Citrix Studio. When you are prompted for credentials here, you are being asked for credentials to connect to the resources <\/b>\u2013 aka the vCenter\/XenCenter\/SCVMM that is defined. You can use the service account if that has permissions or any account that has the mandatory minimum permissions<\/a>. Finally, if you are opting to use the wizard to create the computer accounts rather than \u201cimport\u201d, the user running the console must have permission to create computer accounts in the selected OU.<\/p>\n Last but not least, the trusty config wizard. The user running the config wizard should have DBCreator and securityadmin at a minimum. Although it will use the logged in user, if you do not have those permissions, it should prompt for a user account that does, in fact, have those permissions. Conventional wisdom for running this wizard has long been to run as the account that will run the stream service, but in the more recent days of 7.x, we\u2019ve found that to be unnecessary as the prompt seems to handle things gracefully.<\/p>\n","protected":false},"excerpt":{"rendered":" In an environment where security is delegated, you may need to know at a granular level just which permissions are needed to accomplish tasks within Provisioning Services. This is often the case when working in larger environments where the vCenter admin may be separate from the AD Team and Citrix Teams. This blog post will […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,43],"tags":[101,106],"_links":{"self":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts\/4444"}],"collection":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/comments?post=4444"}],"version-history":[{"count":0,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts\/4444\/revisions"}],"wp:attachment":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/media?parent=4444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/categories?post=4444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/tags?post=4444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}vDisk Administration \u2013 Active Directory Password Management<\/h4>\n
Device Administration \u2013 Active Directory<\/h4>\n
XenDesktop Setup Wizard \u2013 An amalgamation of awesomeness<\/h4>\n
Provisioning Services Configuration Wizard<\/h4>\n