VMware Horizon Community
vmsf
Contributor

Dedicated desktop - User permission assignment

Hi,

We are in the process of deploying Dedicated Desktops and I am trying to find the best way to assign the users access to their desktops. What is the best way to grant access to the desktop so that only the user who is assigned a dedicated desktop has limited access to it?

Thx,

-sf

Meph1234
Enthusiast

Hi

I'm not exactly sure what you are asking but here goes...

When you create a dedicated pool you can set it to either automatically assign users or you can do it manually.

When they are set to automatically assign, then a user logs into the pool, they are assigned a machine and that stays theirs. No one else via View can log into that machine.

If you set it to manual then you need to manually assign each user to the desktops, but it is essentially the same. Once assigned to a desktop, it's theirs until you unassign the user/delete the machine.

In terms of access, well, if you haven't given anyone admin rights to the base image (except domain admins and administrator) then the user will have limited access. If you have set up the machine for RDP access (allow access via remote desktop, added domain users into the remote users group) then really anyone with an RDP client will be able to log in.

I hope this has cleared up at least something. If I've misinterpreted what you are after, please let me know.

Cheers

Phil

VCA4-DT
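
The RDP point in the reply above can be checked per desktop. The following is an added example, not part of the original thread: it compares each desktop's local Remote Desktop Users membership with its assigned user, and all desktop names, users and groups in it are constructed sample data.

```python
# Constructed sample data: AD groups (possibly nested) and their members.
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Helpdesk": {"dave"},
    "Support-All": {"Helpdesk"},          # nested group
}

# Constructed inventory: assigned user and the members of the local
# "Remote Desktop Users" group on each dedicated desktop.
# Only that group is modelled; local Administrators are out of scope here.
DESKTOPS = {
    "VDI-001": {"assigned_user": "alice", "remote_desktop_users": ["Domain Users"]},
    "VDI-002": {"assigned_user": "bob", "remote_desktop_users": ["bob"]},
    "VDI-003": {"assigned_user": "carol", "remote_desktop_users": ["carol", "Support-All"]},
}


def expand(principal, groups, seen=None):
    """Resolve a user or (possibly nested) group to a set of user names."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}                # a plain user account
    if principal in seen:                 # guard against circular nesting
        return set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def rdp_exposure(desktops, groups, allowed_extra=frozenset()):
    """Return {desktop: users able to RDP in who are not its assigned user}."""
    findings = {}
    for name, info in desktops.items():
        can_logon = set()
        for principal in info["remote_desktop_users"]:
            can_logon |= expand(principal, groups)
        extra = can_logon - {info["assigned_user"]} - set(allowed_extra)
        if extra:
            findings[name] = sorted(extra)
    return findings


if __name__ == "__main__":
    for desktop, users in rdp_exposure(DESKTOPS, GROUPS).items():
        print(f"{desktop}: reachable over RDP by non-assigned users {users}")
```

A desktop that lists a broad group such as Domain Users is reported with every other account in that group, while a desktop whose group contains only its assigned user produces no finding.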
vmsf
Contributor

Thanks for the response Phil.

The way to assign permissions to the pool is via an Active Directory group, which essentially gives the same access to all users to all desktops in that pool. A little savvy user can jump from one machine to another and gain the same type of access to another user's machine.

What I am really looking for is a way to restrict a user's access to their assigned desktop only.

I know we can disable RDP access via GPO, but from a security perspective it is still not a good idea to have users access to machines other than their own.

Thanks,

-sf

mittim12
Immortal

What do you do in the physical world to keep people from walking up to another PC and logging in?

vmsf
Contributor

Physical machines are manually assigned to individual users at the time of delivery by Level 1 Support.

Users only have access to their machines and cannot log in to other machines.

mittim12
Immortal

How do they restrict access to the machines? Maybe you can do the same thing in the VDI sessions.
