VMware Horizon Community
jooji
Enthusiast

Instant Clones - user full local admin rights

o/

I have a customer that has a legacy app that requires the logged-in user to have full admin rights to their VM. What is best practice if you wanted to grant full local administrator rights for users on their instant clone VM? I don't want to grant, say, domain users full local access rights on the golden image. Anyone ever crossed this question/dilemma?

Really I want the customer to understand their application better so we can determine why it needs full admin rights and apply whatever it needs, or whatever it's modifying, to the golden image. Do you think ThinApp or possibly AppVolumes could help in this instance? I've deployed App Stacks before but not used ThinApp; it looks really cool though!

Thanks


Accepted Solutions
jooji
Enthusiast

After looking back at my notes from the Horizon course for something completely different, I noticed a line in the UEM section, "privileged elevation", and with a bit of digging it does offer this functionality, yes! Exactly what I need.

VMware User Environment Manager 9.2: Privilege Elevation - Feature Walk-through - YouTube

5 Replies
BenFB
Virtuoso

We don't allow any local admins, so we instead leverage Liquidware ProfileUnity to grant per-process privilege escalation. I believe UEM can do the same.

jooji
Enthusiast

Assuming that isn't a free solution?

mchadwick19
Hot Shot

I wouldn't recommend doing this without permission from a level above you, but you could add NT AUTHORITY\Authenticated Users to the local admins group on your desktop and then restrict access east/west using GPOs or Windows Firewall. Turn off the admin shares or restrict access to them using GPOs so admins can still pull logs from the View desktops if needed.

Just a thought - but again not recommended and not very secure. Make sure you have a defined refresh policy (hopefully within 24 hours of user login, if not shorter).

VDI Engineer VCP-DCV, VCP7-DTM, VCAP7-DTM Design
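
A check that could be run on the golden image before it is published, to confirm that nothing as broad as Authenticated Users or Domain Users has ended up in the local Administrators group. This is an added example, not code from any poster in the thread; the function name `Get-BroadAdminFinding`, the sample accounts and the domain SID are made up for illustration.

```powershell
# Added example (not from the thread). Well-known SIDs that mean "almost everyone".
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Domain-relative RIDs that are just as broad: <domain SID>-513 and -515.
$BroadRids = @{ '513' = 'Domain Users'; '515' = 'Domain Computers' }

function Get-BroadAdminFinding {
    # Hypothetical helper: takes objects with Name and SID properties and
    # returns one finding per overly broad principal.
    param([Parameter(Mandatory)][object[]]$Members)
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $reason = $null
        if ($BroadSids.ContainsKey($sid)) {
            $reason = $BroadSids[$sid]
        } elseif ($sid -match '^S-1-5-21(-\d+){3}-(\d+)$' -and $BroadRids.ContainsKey($Matches[2])) {
            $reason = $BroadRids[$Matches[2]]
        }
        if ($reason) {
            [pscustomobject]@{ Name = $m.Name; SID = $sid; Reason = $reason }
        }
    }
}

# Constructed sample membership; the domain SID and account names are made up.
$d = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'GOLDEN\Administrator';             SID = "${d}-500" }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins';            SID = "${d}-512" }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';             SID = "${d}-513" }
    [pscustomobject]@{ Name = 'NT AUTHORITY\Authenticated Users'; SID = 'S-1-5-11' }
)
Get-BroadAdminFinding -Members $sample | Format-Table -AutoSize

# On the image itself: S-1-5-32-544 is BUILTIN\Administrators.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    try {
        $live = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
        if ($live.Count) { Get-BroadAdminFinding -Members $live }
    } catch {
        # Enumeration can fail, for example when the group holds an unresolvable SID.
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    }
}
```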