Tag Archive for ad

Software rollout via Group Policy

May 14, 2015 Group Policy No comments

Softwareicon

How can we install software remotely from Group Policy?

  • Assigning Software

You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed. Assigned means that the application appears on the start menu.

  • Publishing Software

You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there

What type of software file can we deploy?

The Group Policy Management Console’s job is to deploy MSI files. GPMC can also deploy other kinds of files, but I’m going to skip over that for today and focus only on MSI files.

Remember: MSI files are application packages that come from manufacturers (or, you can also create them yourselves with 3rd party MSI repackaging tools.

Step 1 Create a Distribution Point

  • Log on to the server as an administrator (I am using my Test Lab)
  • Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute

SoftwareDistribution

  • Set permissions on the share to allow access to the distribution package.
  • You must add Authenticated Users with Read Access to the Share and NTFS permissions if you are applying this to Computer OUs as Computers are Authenticated Users in AD

authusers

  • Copy or install the package to the distribution point.
  • I’m going to use the Google Chrome 32bit .msi

Step 2 Create a Group Policy Object

  • I am just going to test this on a Windows 7 machine
  • Open Group Policy Management Console
  • Find the OU which contains the computer/computers you want to apply the policy to and right click and select Create a GPO in this domain and link it here

CreateanewGPO

  • Put in a name. Mine is Software_Distribution_GPO

NameGPO

  • Click on the policy and select it.
  • In my policy I am going to set the security filtering to just my Windows 7 test machine (dacvmed001)

GPOSecurityFiltering

  • Click Edit on your GPO
  • Under Computer Configuration expand Policies to see Software Settings

SoftwareSettings

  • Right click and select New Package
  • Type in the full (UNC) path to your Software Distribution share. In my case \\dacvads001\SoftwareDistribution

SelectSoftware

  • You should now see your .msi software

softwarerepository

  • Click Assigned. If you click Advanced, it gives you options to configure Published or Assigned Options and to apply modifications to a package
  • NOTE: The Published option is greyed out as it is only available if I deploy my package to a User Container. Software deployed to computers does not support publishing

DeploySoftware

  • You can now see your package in your GPO

gposoftware

  • If you right click on your package and select Properties, you can see further information. Note I have screenprinted the properties of the SQL Client
  • The General Tab

Properties1

  • The Deployment tab
  • Basic means that the user will see few / no screens when the application installs.
  • Maximum means that the user will have full interaction when the application installs.

Properties2

  • Advanced Options

Properties3

  • Upgrades

Properties4

  • Categories

Properties5

  • Modifications

Properties6

  • Security

Properties7

  • Next do a gpupdate /force on the Domain Controller and reboot your PC.

gpupdate

  • Check that the software has been installed in Control Panel > Programs and Features

chrome

Redeploy a MSI package

Sometimes you may need to redeploy a package (for example when doing an upgrade). For redeploying a package you can follow these steps:

  • Open Group Policy tab, select the object you used to deploy the package and click Edit
  • Expand the Software Settings element (per-user or per-machine) which contains the deployed package
  • Expand the Software Installation element which contains the deployed package
  • Right-click the package in the right pane of the Group Policy window
  • Select the All Tasks menu and click Redeploy application
  • Click the Yes button for reinstalling the application wherever it is installed
  • Close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

Remove an MSI package

Group Policy also allows you to remove packages which have been deployed in the past. Here are the steps for removing a package:

  • Open Group Policy, select the object you used to deploy the package and click Edit
  • Expand the Software Settings element (per-user or per-machine) which contains the deployed package
  • Expand the Software Installation element which contains the deployed package
  • Right-click the package in the right pane of the Group Policy window
  • Select the All Tasks menu and click Remove
  • Select from the following options:
    • Immediately uninstall the software from users and computers
    • Allow users to continue to use the software but prevent new installations
  • Click the OK button to continue
  • Close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

What can we do about .exe’s that we want to turn into usable .msi’s?

You will need to get a packaging utility to turn that .exe file into .msi file. Many of them are available for instant download from internet

One of the best one’s I have trialled is http://www.exetomsi.com/

Tips and Advice on EXE to MSI Repackaging

http://exe-to-msi.com/

Using WMI Filters in Group Policies

April 1, 2015 Active Directory No comments

filtericon

What are WMI Filters?

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.

GPOs are processed in the following order

The WMI filter is a separate object from the GPO in the directory.

To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter, however the same WMI filter can be linked to multiple GPOs.

WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.

  •     The local GPO is applied.
  •     GPOs linked to sites are applied.
  •     GPOs linked to domains are applied.
  •     GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units are applied

A practical GPO and WMI example.

We had a requirement to have separate GPOs for Windows 7 Internet Explorer 10 users than Windows XP Internet Explorer 8 users. This is where we can have a policy which is filtered by Windows 7.

  • First of all log into your Group Policy Management Console
  • Create a new Group policy which will need to be assigned at the domain level, OU level or sub OU level depending on your design.
  • Modify the Group Policy with the settings you require
  • Now have a look at where WMI Filters are located by scrolling down to the bottom of the GPMC

wmi1

  • Right click and select New

wmi2

  • Put in a name and description

wmi3

  • Next Click Add and you will get a new box where we can then add our WMI filter code

wmi4

It is probably worth talking a little about the Namespace and WMI language at this point.  The queries are written using the WMI Query Language (WQL), a SQL-like language. Queries can be combined with AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.

I downloaded a small free program from Microsoft called WMI Code Creator. The tool also allows you to browse through the available WMI namespaces and classes on the local computer to find their descriptions, properties, methods, and qualifiers.

As an example below, I can look at the Operation System properties and find the version and also the name if I look at the Caption Properties

wmi5

Note: This piece of software is useful for delving into the WMI information but you need to be able to use the WMI query in a way Active Directory understands.

SELECT [property] from [wmi class]

  • Have a look at the table below. Both Windows Server 2012 and Windows 8 return version numbers that begin with 6.2. To   differentiate between the client and server versions, include the clause to check the ProductType field. This value returns 1 for client versions of Windows such as Windows 8, 2 for server versions of Windows operating as domain controllers, and 3 for server versions of Windows that are not operating as domain controllers.

wmi6

  • You can also create combination filters when required by your design. The following table shows query statements for common operating system combinations.

wmi7

  • As an example we wanted our policy to apply to Windows 7, Windows 8 and Windows 8.1 so this was our filter

wmi8

  • Click Save and go back to your Group Policy
  • Click on Scope and look at the bottom of the Scope Page where you will see WMI Filters
  • Here you will need to select your WMI Filter and apply it

wmi10

  • Next click start run and type gpupdate /force on your DC to push out the settings.
  • If you want to test that your GPO and WMI filters work then you can go back to your Group policy management console and look right down the bottom again where you have an option – Group Policy Results

wmi11

  • Right click and select Group Policy Results wizard and you can run through this and select a target computer and user to test whether then WMI works.
  • At the end you will get a Summary, Details and Policy Events and you want to scroll down and check Details where it will say whether the WMI Filter came out as True or False!

wmi13

  • And that’s it. It’s worth having a look through the many ways you can filter and write queries.

An interesting point to finish

What takes precedence when multiple, conflicting GPOs apply to the same OU?

“Links to a specific site, domain, or organizational unit are applied in reverse sequence based on link order. For example, a GPO with Link Order 1 has highest precedence over other GPOs linked to that container.”

What takes precedence when multiple, conflicting enforced GPOs apply to the same OU?

Setting a GPO to enforced effectively moves it to the end of the processing order, meaning it always wins. If you have multiple conflicting Enforced GPOs they go in reverse order. (The ‘higher’ one in the OU structure wins,) But if it ever got that complex, you would need to rethink your overall GPO strategy in the long term.

Standard GPO Inheritance Rules in Organizational Units

Any unconfigured settings anywhere in a GPO are ignored, and only configured settings are inherited. There are three possible scenarios:

  • A higher-level GPO has a value for a setting, and a lower-level GPO does not.
  • A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a non-conflicting value for the same setting.
  • A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a conflicting value for the same setting.

If a GPO has settings configured for a parent organizational unit and the same policy settings are unconfigured for a child organizational unit, the child inherits the parent’s GPO settings. That makes sense.

If a GPO has settings configured for a parent organizational unit that do not conflict with the settings in a GPO configured for a child organizational unit, the child organizational unit inherits the parent GPO settings and applies its own GPOs as well. A good example of this is two logon scripts; these scripts don’t conflict, so both are run

If a GPO has settings configured for a parent organizational unit that conflict with the same settings in another GPO configured for a child organizational unit, the child organizational unit does not inherit those specific GPO settings from the parent organizational unit. The settings in the GPO child policy take priority

Understanding Active Directory Domain Services (AD DS) Functional Levels

March 1, 2014 Active Directory 2 comments

level

What are Functional Levels?

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

When you deploy AD DS, you need to set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. For example, if you are sure that you will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process. However, if you might retain or add domain controllers that run Windows Server 2003, select the Windows Server 2003 functional level.

When you deploy a new forest, you are prompted to set the forest functional level and then set the domain functional level. You cannot set the domain functional level to a value that is lower than the forest functional level. For example, if you set the forest functional level to Windows Server 2008, you can set the domain functional level only to Windows Server 2008. In this case, the Windows 2000 native and Windows Server 2003 domain functional level values are not available. In addition, all domains that you subsequently add to that forest have the Windows Server 2008 domain functional level by default.

You can set the domain functional level to a value that is higher than the forest functional level. For example, if the forest functional level is Windows Server 2003, you can set the domain functional level to Windows Server 2003or higher.

Guidelines for raising domain and forest functional levels

  • You must be a member of the Domain Admins group to raise the domain functional level.
  • You must be a member of the Enterprise Admins group to raise the forest functional level.
  • You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The AD DS administrative tools that you use to raise the domain functional level (the Active Directory Domains and Trusts snap-in and the Active Directory Users and Computers snap-in) automatically target the PDC emulator when you raise the domain functional level.
  • You can raise the forest functional level on the schema operations master only. Active Directory Domains and Trusts automatically targets the schema operations master when you raise the forest functional level.
  • You can raise the functional level of a domain only if all domain controllers in the domain run the version or versions of Windows Server that the new functional level supports.
  • You can raise the functional level of a forest only if all domain controllers in the forest run the version or versions of Windows Server that the new functional level supports.
  • You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.
  • With versions of Windows Server that are earlier than Windows Server 2008 R2, you cannot roll back or lower a functional level under any circumstances. If you have to revert to a lower functional level with a version of Windows Server that is earlier than Windows Server 2008 R2, you must rebuild the domain or forest or restore it from a backup copy.
  • After you set the domain functional level, you cannot roll back or lower the domain functional level except in the cases listed in the following table. The domain functional level can be lowered only by using Windows PowerShell

Rollback

  • Make sure replication is working properly

Checking Replication

  • repadmin /replsum

replication1

  • repadmin /showrepl

replication2

  • repadmin /bridgeheads

replication3

  • dcdiag /v (checking overall health of the domain)

replication4

Checking what Domain Controllers and FSMO roles you have

fsmo

Features available at Forest Function Levels

Windows 2003

  • Domain rename
  • Linked-value replication. Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
  • The ability to deploy a read-only domain controller (RODC)
  • Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less-intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
  • The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
  • The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
  • The ability to create instances of new group types to support role-based authorization.
    These types are called application basic groups and LDAP query groups.
  • Deactivation and redefinition of attributes and classes in the schema. The following attributes can be reused: ldapDisplayName, schemaIdGuid, OID, and mapiID.
  • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability.

Windows 2008

All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available. All domains that are subsequently added to the forest, however, operate at the Windows Server 2008 domain functional level by default.

Windows 2008 R2

  • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:
  • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.
  • If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.

Windows 2012

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default

Windows 2012 R2

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default

Features available at Domain Function Levels

Windows Server 2003

  • Universal groups for both distribution and security groups.
  • Group nesting
  • Group conversion, which allows conversion between security and distribution groups
  • Security identifier (SID) history
  • The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
  • Logon time stamp updates
    The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
  • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
  • The ability to redirect Users and Computers containers
    By default, two well-known containers are provided for housing computer and user accounts, namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature allows the definition of a new, well-known location for these accounts.
  • The ability for Authorization Manager to store its authorization policies in AD DS
  • Constrained delegation
    Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
    You can restrict delegation to specific destination services only.
  • Selective authentication
    Selective authentication makes it is possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest

Windows Server 2008

  • All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
  • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)
    DFS replication support provides more robust and detailed replication of SYSVOL contents.
  • Beginning with Windows Server 2012 R2, File Replication Service (FRS) is deprecated. A new domain that is created on a domain controller that runs at least Windows Server 2012 R2 must be set to the Windows Server 2008 domain functional level or higher
  • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. Domain-based namespaces in Windows Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level.
  • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.
  • Last Interactive Logon Information
  • Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain
  • Personal Virtual Desktops

Windows Server 2008 R2

  • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:
  • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.
  • Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes

Windows Server 2012

  • The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level.

Windows Server 2012 R2

  • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer: Authenticate with NTLM authentication, Use DES or RC4 cipher suites in Kerberos pre-authentication, Be delegated with unconstrained or constrained delegation, Renew user tickets (TGTs) beyond the initial 4 hour lifetime
  • Authentication Policies: New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.
  • Authentication Policy Silos: New forest-based Active Directory object, which can create a relationship between user, managed service and computer, accounts to be used to classify accounts for authentication policies or for authentication isolation.

NTDSUTIL

This tool can remove old AD DC metadata which can stop the raising of Functional Levels

https://technet.microsoft.com/en-us/library/cc728068%28WS.10%29.aspx

ntdsutil

The GUI Metadata Cleanup Utility

The GUI Metadata Cleanup Utility removes Active Directory domain controller metadata left behind after a domain controller is removed improperly or unsuccessfully

https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Forest Recovery Information

https://technet.microsoft.com/en-us/library/8e3e4377-ef54-4a70-9215-a5d2ba4d0eb9%28v=ws.10%29#BKMK_ResetTrustPassword

http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx

Useful Microsoft Link

https://technet.microsoft.com/library/understanding-active-directory-functional-levels%28WS.10%29.aspx

Questions?

  • Once you have upgraded the Domain functional level, how long should you wait before upgrading the forest functional level?

The change should take effect immediately as soon as the operation completes on the server. if you have multiple DC’s or domain, it may take longer. If you have plenty of time and want to play it safe, wait 24 hours but normally 15 minutes is fine. if you have multiple DC’s, you can log into each DC and verify the functional level.

  • By raising the root domain functional level, will this automatically raise any child domains or do we need to raise the level on the PDC of the root domain then raise the level on the PDC in the child domain? Or do we do the child first then the root domain?

Each individual domain PDCe is responsible for maintaining it’s domain functional level.  Because of this, where you raise the domain functional level first, does not matter (parent domain or child domain).  Each domain’s DC’s will operate at the domain functional level of it’s PDCe (so long as it is supported).  The Forest Functional Level affects all domains.  As such all domains must be operating at or above the proposed Forest Functional Level.

  • What is the best way to recover if things don’t go to plan? For e.g With a root domain with 2 DCs and a child domain with 5 DCs?

Before Windows Server 2008 R2, the only ways to recover are rebuild or restore from backup.

As the PDCe is responsible for the Domain Functional Level and the Schema Operations Master is responsible for the Forest Functional Level, first, you would have to restore the server that holds the Schema Operations Master in the Parent domain (if you will be reverting to a Domain Functional Level less than allowed by the Forest Functional Level). Then you would restore the server that holds the PDCe FSMO role for each child domain.

  • If we are running at Windows 2000 native domain level with all Windows 2008 R2 servers, can we raise the domain functional level straight to Windows Server 2008 R2?

If all of your DC’s are running Windows Server 2008 R2 then yes.

Powershell Script to get Active Directory User Logon Information

January 22, 2013 Active Directory, PowerShell No comments

PowerShell

To get the last logon Date/Time of Users in AD

$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.PageSize = 100
$ADSearch.SearchScope = “subtree”
$ADSearch.SearchRoot = “LDAP://$Domain”
$ADSearch.Filter = “(objectClass=user)”
$ADSearch.PropertiesToLoad.Add(“distinguishedName”)
$ADSearch.PropertiesToLoad.Add(“sAMAccountName”)
$ADSearch.PropertiesToLoad.Add(“lastLogonTimeStamp”)
$userObjects = $ADSearch.FindAll()

foreach ($user in $userObjects)
{
$dn = $user.Properties.Item(“distinguishedName”)
$sam = $user.Properties.Item(“sAMAccountName”)
$logon = $user.Properties.Item(“lastLogonTimeStamp”)
if($logon.Count -eq 0)
{
$lastLogon = “Never”
}
else
{
$lastLogon = [DateTime]$logon[0]
$lastLogon = $lastLogon.AddYears(1600)
}

“””$dn””,$sam,$lastLogon”
}

Script explained by David Hoelzer

Many Thanks for this excellent explanation

Scripting Video

 

ESXi 4.1 Active Directory Integration

May 18, 2012 Active Directory Integration, VMware No comments

Although day-to-day vSphere management operations are usually done on vCenter Server logged in through the vSphere Client, there are instances when users must work with ESXi directly, such as with configuration backup and log file access.  Then there are monitoring solutions, which sometimes require direct access to the ESXi host; these would typically be configured to use service accounts. Prior to ESXi 4.1, you could only create local users, which each had separate locally-stored passwords per host.  Since this is cumbersome and doesn’t scale, VMware decided to address this in the vSphere 4.1 release.

With ESXi 4.1, you can configure the host to join an Active Directory domain, and any user trying to access the host will automatically be authenticated against the centralized user directory.   Any time you are asked to provide credentials (e.g., logging in directly to the ESXi host using vSphere Client, or running a vCLI command or script), you can enter the username and password of a user in the domain to which the host is joined. The big advantage of this is that you can now continue to manage user accounts using Active Directory, which is significantly easier and more secure than trying to manage accounts independently on a per-host basis.

You can still have local users defined and managed on a host-by-host basis and configured using the vSphere client, vCLI or PowerCLI. This can be used in place of, or in addition to, the Active Directory integration.  I’m not sure if there is really a good reason to do this if the host is already joined to an AD domain, but this capability is available.

If the host is integrated with Active Directory, local roles can also be granted to Active Directory users and groups. For example, an Active Directory group can be created to include users who should have an administrator role on a subset of ESXi servers. On those servers, the administrator role can be granted to that Active Directory group; for all other servers, those users would not have an administrator role. ESXi 4.1 also automatically grants administrator access to the Active Directory group named “ESX Admins,” which allows the creation of a global administrators group.  (If you want to override this behavior, simply configure the roles on the ESXi host to give the “No Access” role to the “ESX Admins” group — this will override the default behavior).

Instructions

  • Select a Host > Click Configuration > Click Authentication Services

 

  • Click Properties and choose Active Directory from thr Drop Down Option and then type in the domain. In this example, it is domain.local

  • Click Join Domain and Enter  a username and password which has authority to join machines to the domain

  • You have now joined the host to the AD Domain
  • Log into Active Directory and you now need to create a new Global Security Group called ESX Admins. This is the default security group that the ESX host is going to be looking for
  • Right Click Group and Add Members
  • Now you can test this by opening up the vSphere client and test this

  • If you then click on the Hosts and click on Permissions, you will see the ESX Admins Group Listed
  • You can then add other Permissions by right clicking in the screen and selecting Add Permission
  • Choose your AD user and then select the VMware Role you want this AD user to have