
Creating Active Directory Accounts for vSphere 5.1 Services

Time: October 11
To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory.  I need to determine how many to create and what permissions they need.
In Single Sign on Server, I need to choose an account that vCenter server will use when it connects to SSO.  I can use the default [email protected].  Or I can add an account that is configured in Active Directory.  Or, I can also use an Active Directory group instead of an individual user.  What is the best way to do this, and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign on Server?  (I'm using multisite mode, so I can't use local accounts.)
In SQL Server, I need to choose an account to use for the SQL server service.  Should this account be an Active Directory account or a local user account?  If so, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine?  What AD group, if any, should it be a part of?  What local permissions does it need?
In vCenter Server, I need to choose an account to run the "vCenter Server Service" in.  Is it best to use the default "system" account or to use an account from Active Directory, or a local account?
I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere - vCenter Server, Single Sign on, Inventory Service, Web Client Services.
For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems.  Or create separate groups for each management piece and assign permissions to the groups.  Is it better to consolidate some of these user names or split them out?  Any experiences / suggestions welcome.  Thanks.
Hello,
For general services I use a service specific account within AD. This was before SSO and I use the same after SSO. SSO is used by only two services that I know about at the moment (Inventory Service and perhaps vCloud). However, there are many other service accounts that should be created. You want one account per service and I use AD for this, this way I can create a service account group and give it the appropriate roles and privileges. For example I have service accounts for:
VMware View
XenDesktop
vCops
HPSIM
Solarwinds
VMTurbo
NetApp
etc.
One service, one service account, each with either a general role or custom role depending on access requirements to vCenter.
For SSO, I too am waiting on general information, but I set mine up fairly basically to cover only those resources that make use of SSO. Since the vast majority of items do not use SSO, the rule still applies.  Once SSO is supported by more than one or two tools, you still need to maintain that separation.
So I say yes, tie SSO to AD and do everything in one place, unfortunately, that is not very clear, or at least was not to me and these SSO issues are either being fixed, documented, or both.
Best regards,
Edward L. Haletky aka Texiwill
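
The "one service, one service account" layout from the reply above, sketched with the ActiveDirectory PowerShell module. This is an added example, not code from the thread: the OU path, group name and `svc-` naming convention are assumptions, and it covers only the AD side (role assignment in vCenter is done separately).

```powershell
# Added example: one AD service account per product, all in one group.
# Assumed names (not from the post): OU path, group name, "svc-" prefix.
Import-Module ActiveDirectory

$ouPath    = 'OU=Service Accounts,DC=example,DC=com'   # assumed; must already exist
$groupName = 'vSphere Service Accounts'                # assumed group name
$services  = 'View', 'XenDesktop', 'vCops', 'HPSIM', 'Solarwinds', 'VMTurbo', 'NetApp'

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG; the fixed suffix only guarantees that
    # the AD complexity rules are met, it adds no secrecy.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + 'aA1!') -AsPlainText -Force
}

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $ouPath -Description 'Per-service accounts for vCenter integrations'
}

foreach ($svc in $services) {
    $sam = "svc-$($svc.ToLower())"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        # Created disabled with a throwaway password: reset the password and
        # enable the account when the product is actually installed.
        New-ADUser -Name $sam -SamAccountName $sam -Path $ouPath `
            -AccountPassword (New-RandomPassword) -Enabled $false `
            -Description "Service account for $svc"
        Add-ADGroupMember -Identity $groupName -Members $sam
    }
}

# Check: a service account should belong only to Domain Users and the
# service group. Any other membership is reported for review.
foreach ($m in Get-ADGroupMember -Identity $groupName) {
    $extra = Get-ADPrincipalGroupMembership -Identity $m.SamAccountName |
        Where-Object { $_.Name -notin @('Domain Users', $groupName) }
    if ($extra) {
        Write-Warning "$($m.SamAccountName) is also in: $($extra.Name -join ', ')"
    }
}
```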
