VMware Horizon Community
James_McCartin
Contributor

VDI & Active Directory Computer Accounts

I am experimenting with VMware's VDI product. Users connect to XP VMs from Wyse terminals. A pool of VMs is created and available. When the VMs are created, they are configured and powered on. During the configuration, they are joined to the domain. I have pre-populated computer accounts in an OU in Active Directory that correspond to these VM computer names. This allows me to apply group policy to the VMs. This group policy is necessary because certain firewall rules need to be in place for users to be able to connect (remote desktop). For some reason, the computer accounts become disabled sometime after joining the domain. Once I enable the computer account and restart the VM, it works fine and the computer account does not disable anymore. I have tried enabling "Domain member: Disable machine account password changes" in group policy and this did not fix the problem. Anyone have any ideas?


Accepted Solutions
admin
Immortal

I've seen something very similar. The workaround was to use "username@domain" as the user in the customization specification.

The first time the join is done, it is done just with the username; if this fails, then username@domain is used. It may be that the first failed attempt is locking the account in AD.

11 Replies
mittim12
Immortal

I really don't have any ideas but more or less I am curious if this happens if you don't use the pre populated AD computer account and just let the VM create a brand new account when joining the domain?

gclinch
Contributor

Did you get any further with this problem?

We're having the same issue where the guest joins the domain ok but then the account gets disabled when the vm reboots after the guest customisation.

markvr80
Enthusiast

Am also seeing this. The VM joins domain OK, but then after everything has settled after the sysprep reboots, the AD account is disabled. We are pre-creating AD accounts so they go into the correct OUs. The accounts are created using my credentials, but sysprep has different credentials to join the VMs to the domain, if that is relevant.

Anyone have any ideas before I raise this with VMware?

knudt
Hot Shot

I've seen this even without precreated computer accounts.

Brian Knudtson vExpert, VCP, VCAP
markvr80
Enthusiast

Using a custom .cmd file that calls netdom with domain joining credentials and then self destructs (well, deletes anyway :) ) as part of the sysprep seems to work OK, so that's what I'm doing instead.

fastbrainfood
Contributor

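Echo =======================================
Echo Joining computer to mydomain Domain, please standby...
Echo =======================================
REM Join the domain with the supplied credentials, place the account in the target OU, reboot after 10 seconds
netdom join %ComputerName% /domain:yourdomain /userd:yourdomain\youruserwithpermissions /passwordd:yourpassword /ou:OU=XP,OU=VIRTUALDESKTOPS,OU=COMPUTERS,DC=YOURDOMAIN,DC=com /reboot:10
REM Delete this script; %~f0 is its full path, quoted in case the path contains spaces
DEL "%~f0"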

fastbrainfood
Contributor

Set up your sysprep for a workstation; do not add to domain.

Tell custom configuration to use VMname as computername.

Use netdom as an added command in the custom config process.

You may have to add the sleep command before the netdom command if your AD is slow to replicate the computername.

Erik_Bussink
Hot Shot

I've gone another way, because our deployed Windows XP Pro are going in a dedicated Domain. I've used the redircmp command on a Domain Controller, so all new Computer accounts are directly created in a specific OU.

redircmp ou="Virtual Desktops",ou="Production",DC=domain,DC=local

And we also use the configuration to use the VM Name as the computername.

Erik Bussink Solution Architect @VMware CISSP, VCP#67, RHCE, DCUCD
MartijnLo
Enthusiast

You hit the nail right on the head. Thanks for solving this :)

fastbrainfood
Contributor

Was your problem ever resolved?

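A diagnostic check for the symptom discussed in this thread, as an added example that is not part of any poster's reply: it lists the disabled computer accounts under the VDI OU and reads the replication metadata for userAccountControl, which shows when and on which domain controller the disable was written. It assumes the ActiveDirectory PowerShell module (RSAT), the OU path from the netdom command quoted in the thread, and a placeholder domain controller name.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: OU path as written in the netdom command in the thread; use your own.
$SearchBase = 'OU=XP,OU=VIRTUALDESKTOPS,OU=COMPUTERS,DC=YOURDOMAIN,DC=com'
# Assumption: placeholder DC name. Querying a single DC keeps the account list
# and the replication metadata consistent with each other.
$Server = 'dc01.yourdomain.com'

# All computer accounts under the OU that are currently disabled.
$disabled = Get-ADComputer -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'Enabled -eq $false' -Properties whenCreated, PasswordLastSet

$report = foreach ($c in $disabled) {
    # userAccountControl carries the ACCOUNTDISABLE bit. Its replication metadata
    # records the time and originating DC of the last write to that attribute.
    $meta = Get-ADReplicationAttributeMetadata -Object $c.DistinguishedName `
        -Server $Server -Properties userAccountControl

    [pscustomobject]@{
        Name            = $c.Name
        Created         = $c.whenCreated
        # Updated when the machine sets its account password, as it does during a join.
        PasswordLastSet = $c.PasswordLastSet
        UacChanged      = $meta.LastOriginatingChangeTime
        UacChangedOn    = $meta.LastOriginatingChangeDirectoryServerIdentity
        # Number of times userAccountControl has been written on this object.
        UacWrites       = $meta.Version
    }
}

# A UacChanged time shortly after PasswordLastSet matches the pattern described
# in the thread: the join succeeds, then the account is disabled afterwards.
$report | Sort-Object UacChanged | Format-Table -AutoSize
```

Comparing UacChanged with the time the guest customization ran, and UacChangedOn with the DC that handled the join, narrows down which step of the deployment wrote the disable.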