VMware Horizon Community
w00005414
Enthusiast

local administrator access on persistent desktops

Hi all,

On our physical desktops we give the owner of the PC local administrator access in case they need to install applications etc... etc...

How would we do this using a persistent pool? I would hate to add the staff AD security group to the local administrator's group within the master image that gets snapshotted to make the persistent desktop pool-- then anyone who could log in would have admin access to that desktop!

Also, if we do log into a user's virtual desktop as the domain Administrator and add the machine owner to the local Administrators group, won't that change in security be wiped out after a recompose to update the desktop from a new snapshot?

How are other people dealing with this?

Also what is the best practice for allowing users to install their own applications, have them remain on the machine, and also allow new snapshots to be rolled out via recompositions?

5 Replies
siglert
Enthusiast

You can actually accomplish this using Group Policy. If you set all of your persistent desktops in the same container, then create a new policy that sets the %username% variable as an administrator. Because it's a persistent desktop, when the users log on they will always get their same desktop and will have admin rights.

siglert
Enthusiast

Another way is to use RingCube's Vdesk tool over a non-persistent desktop pool. This lets you assign local administrator rights to a VHD and run it on top of a non-persistent pool, basically making a non-persistent pool persistent.

w00005414
Enthusiast

Hi Siglert,

Thanks for the info on this. I am testing out the Group Policy "Restricted Groups" feature to accomplish what you suggested (to add the locally logged in user into the local Administrators group through Group Policy). I can use the GPO effectively to add a specific domain username or group to the local Administrators group, but I can't seem to use environment variables like %USERNAME%. I also tried to fully qualify the domain user's name by using %USERNAME%@wheatonma.edu, but with no luck. Can you tell me what GPO you are using to add the currently logged in user to the local Administrators group?

Thanks again,

Brian

RayOlander
Contributor

Instead of trying to use %username% in a policy, I would suggest you either create a domain security group, add your members to that, and add that group to the local admins group on the base image, or just add your "domain\domain users" group to the local admins group of the base image. Either way you limit domain admin rights on the machine to a group of people. Creating a specific group and controlling permissions through membership would be more administration overhead, but would give you greater control of who is "in" or "out". Using that method, you could revoke their membership and the next time they logged in they would not have rights, or if they were already logged in, you could force them to log out and when they try to get back in they wouldn't have the rights. Conversely, using the "domain\domain users" group would be much less overhead in managing, but you lose the control aspect since you can't really revoke someone's domain membership (without other significant consequences).

david615
Enthusiast

Adding a domain group to the gold image is a bad idea because it will give users access across the desktops in the pool.

You can add the "NT Authority\Interactive" user account to the local Administrators group. This will grant admin privilege to the user who is logged in.

David

http://powerclinic.blogspot.com/
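An added PowerShell check, not from any poster in this thread: it lists the members of a desktop's local Administrators group and flags the principals the replies above propose that grant admin rights to whoever logs on rather than to the assigned owner (NT AUTHORITY\INTERACTIVE, S-1-5-4, is present in the token of every interactive logon, including remote desktop sessions; Authenticated Users, Everyone, BUILTIN\Users and the domain's Domain Users group, RID 513, are similarly broad). It assumes Windows PowerShell 5.1 or later with the LocalAccounts module; the function name Get-BroadLocalAdmins is mine.

```powershell
# Added example (not from the thread): audit who really holds local admin on a
# persistent desktop and flag entries that apply to every logon, not the owner.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Well-known SIDs that turn "anyone who can log on" into an administrator.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadLocalAdmins {
    param([string]$Group = 'Administrators')

    Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object {
        $sid    = $_.SID.Value
        $reason = $null
        if ($broadSids.ContainsKey($sid)) {
            $reason = "well-known group: $($broadSids[$sid])"
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
            # RID 513 is the domain's "Domain Users" group, i.e. every domain account.
            $reason = 'Domain Users (RID 513)'
        }
        [pscustomobject]@{
            Name   = $_.Name
            SID    = $sid
            Source = $_.PrincipalSource   # Local, ActiveDirectory, ...
            Broad  = [bool]$reason
            Reason = $reason
        }
    }
}

$members = Get-BroadLocalAdmins
$members | Format-Table -AutoSize

$flagged = @($members | Where-Object Broad)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} broad principal(s) in local Administrators: {1}" -f `
        $flagged.Count, ($flagged.Name -join ', '))
    exit 1
}
```

Run it inside the guest after a recompose to confirm that only the intended owner (or the per-owner domain group) survived the new snapshot; a warning means admin rights follow the logon, not the assigned user, and Remove-LocalGroupMember reverses such an entry.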