Citrix DaaS

On-premises Active Directory service accounts

An on-premises Active Directory service account is a container that stores the user name and password of a privileged domain user account. The user account must have sufficient permissions to manage computer accounts in Active Directory. Machine Creation Services (MCS) can use this service account to perform computer account-related operations without prompting for the domain credentials every time.

Create an on-premises Active Directory service account

Create an on-premises Active Directory service account using Studio or PowerShell.

Prerequisite

To create an on-premises Active Directory service account, make sure to complete the following task:

  • Create a domain user account in your Active Directory with sufficient permissions to create, update, and delete computer objects in your Active Directory or specific OUs.
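As an added example that is not part of this Citrix documentation, the following PowerShell (ActiveDirectory module) delegates only the rights MCS needs on one OU, instead of granting the user broad domain rights. The OU path, domain and account name are assumed placeholders.

```powershell
# Added example: least-privilege delegation for the MCS service account user.
# Assumed placeholders: OU distinguished name, domain and account name.
Import-Module ActiveDirectory

$ouDn   = 'OU=MCS-Machines,DC=test,DC=local'   # OU that will hold the MCS computer objects
$svcSid = (Get-ADUser -Identity 'svcacct_mcs').SID

# Well-known schema GUIDs (identical in every forest)
$computerClass      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # Create and delete computer objects in this OU and its child OUs
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $svcSid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $computerClass, $inherit::All),
    # Write properties of descendant computer objects (needed to update existing accounts)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $svcSid, $rights::WriteProperty, $allow, $inherit::Descendents, $computerClass),
    # Reset Password extended right on descendant computer objects (needed for account repair)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $svcSid, $rights::ExtendedRight, $allow, $resetPasswordRight, $inherit::Descendents, $computerClass)
)

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the ACEs now granted to the service account user on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq 'TEST\svcacct_mcs' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The account gets no rights outside this OU, so a compromise of the stored secret is limited to the machine objects MCS manages.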

Use Studio

  1. In the DaaS tile, click Manage.
  2. In the left pane, select Administrators.
  3. In the Service Accounts tab, click Create Service Account.
  4. On the Identity Type page, select On-premises Active Directory. Click Next.
  5. On the Credentials page, click Enter credentials to provide the username and password of the privileged domain user account that you want to use as the service account.
  6. Set the password expiration date or leave it as never expired.
  7. Select one or more scopes for this service account.
  8. Enter a friendly name and a description (optional) for the service account.
  9. Click Finish to complete the creation.

Use PowerShell

You can use PowerShell commands to create an on-premises Active Directory service account. For example:

# Convert the plain-text password into the SecureString that -AccountSecret expects
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
# Register the domain user test\svcacct_mcs as a service account whose secret expires on 2030/08/15
New-AcctServiceAccount -IdentityProviderType ActiveDirectory -IdentityProviderIdentifier test.local -AccountId test\svcacct_mcs -AccountSecret $securePassword -SecretExpiryTime 2030/08/15 -DisplayName 'svcacct_mcs' -Description 'Service account for test.local'

Note:

$password holds the password of the domain user account given in -AccountId.

Associate on-premises Active Directory service account with machine catalog

MCS machine catalogs whose machine identities are on-premises Active Directory joined or Hybrid Azure Active Directory joined can be associated with an on-premises Active Directory service account. Such catalogs use the service account to perform machine identity-related actions without prompting for domain credentials every time.

Use Studio or PowerShell commands to associate an on-premises service account with an MCS machine catalog.

Use Studio

The following information is a supplement to the guidance in Create machine catalogs.

  1. Sign in to Citrix Cloud.
  2. In the DaaS tile, click Manage to open Studio.
  3. In the left pane, select Machine Catalogs.
  4. Select Create Machine Catalog. The catalog creation wizard opens.
  5. On the Machine Identities page, click Select service account and select an available service account from the list. If a suitable service account is not available for the selected domain, you can create a service account.

    Note:

    Selecting a service account for catalogs with on-premises Active Directory or Hybrid Azure Active Directory joined machine identities is optional. You can enter domain credentials manually.

Modify the service account association

To change the associated service account or add an association to an existing MCS machine catalog, use the Edit Machine Catalog page.

  • To add a service account, click Select service account on the Service Account page.
  • To change the service account association, click the edit icon on the Service Account page.

Use PowerShell

To associate an on-premises service account with an MCS-created machine catalog, associate it with the identity pool that the machine catalog uses. You can create a new identity pool with the association, or update an existing identity pool to add it.

For example, to create a new identity pool and associate it with a service account, run:

New-AcctIdentityPool -IdentityType ActiveDirectory -IdentityPoolName MyPool -NamingScheme Acc#### -Domain MyDomain.com -NamingSchemeType Numeric -OU "CN=MyOU,DC=MyDomain,DC=com" -ServiceAccountUid $serviceAccountUid

For example, to update an existing identity pool and associate it with a service account, run:

$identityPoolUid = (Get-ProvScheme -ProvisioningSchemeName "MyProvScheme").IdentityPoolUid
Set-AcctIdentityPool -IdentityPoolUid $identityPoolUid -ServiceAccountUid $serviceAccountUid

Note:

The $serviceAccountUid must be a valid UID of an on-premises service account.
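As an added example that is not part of this Citrix documentation, the following script shows one way to obtain $serviceAccountUid and to check the association afterwards. It assumes that Get-AcctServiceAccount (from the same Citrix ADIdentity SDK as New-AcctServiceAccount) returns objects exposing ServiceAccountUid, DisplayName and SecretExpiryTime, and that Get-AcctIdentityPool output exposes ServiceAccountUid; the display name and provisioning scheme name are placeholders.

```powershell
# Added example: resolve a service account UID by display name, warn if its secret
# is close to expiry, associate it with a catalog's identity pool, then verify.
# Assumptions: Get-AcctServiceAccount output has ServiceAccountUid, DisplayName and
# SecretExpiryTime; Get-AcctIdentityPool output has ServiceAccountUid. Names are placeholders.
$displayName    = 'svcacct_mcs'     # display name given at New-AcctServiceAccount time
$provSchemeName = 'MyProvScheme'    # provisioning scheme of the target machine catalog

$serviceAccount = Get-AcctServiceAccount | Where-Object { $_.DisplayName -eq $displayName }
if (-not $serviceAccount) {
    throw "No on-premises service account with display name '$displayName' was found."
}
if ($serviceAccount.SecretExpiryTime -and $serviceAccount.SecretExpiryTime -lt (Get-Date).AddDays(30)) {
    # An expired secret silently breaks catalog operations that rely on the service account
    Write-Warning "Secret for '$displayName' expires on $($serviceAccount.SecretExpiryTime); rotate it first."
}
$serviceAccountUid = $serviceAccount.ServiceAccountUid

# Associate the service account with the identity pool behind the catalog
$identityPoolUid = (Get-ProvScheme -ProvisioningSchemeName $provSchemeName).IdentityPoolUid
Set-AcctIdentityPool -IdentityPoolUid $identityPoolUid -ServiceAccountUid $serviceAccountUid

# Verify the association took effect
$pool = Get-AcctIdentityPool -IdentityPoolUid $identityPoolUid
if ($pool.ServiceAccountUid -ne $serviceAccountUid) {
    throw "Identity pool $identityPoolUid is not associated with service account $serviceAccountUid."
}
"Identity pool '$($pool.IdentityPoolName)' now uses service account '$displayName'."
```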

After an Active Directory or Hybrid Azure AD based identity pool is associated with a service account, you can perform various machine identity-related actions without entering the domain credentials.

  • To create a new identity account using a service account

     New-AcctADAccount -IdentityPoolName MyPool -Count 2 -UseServiceAccount
    
  • To repair the identity accounts using a service account

     Repair-AcctADAccount -ADAccountName "Domain\account","Domain\account2" -UseServiceAccount
    
  • To remove identity accounts using a service account

     Remove-AcctADAccount -IdentityPoolName MyPool -RemovalOption Delete -ADAccountName "Domain\account","Domain\account2" -UseServiceAccount
    