Managing domain computer accounts
The tasks documented here must be performed using the Provisioning Server, rather than in Active Directory, in order to take full advantage of product features.
A cross-forest configuration is similar to the cross-domain scenario, except that the Citrix Provisioning console, user, and administrator group are in a domain that belongs to a separate forest. The steps are the same as for the parent-child scenario, except that a forest trust must be established first.
Microsoft recommends that administrators do not delegate rights to the default Computers container. The best practice is to create accounts in the OUs.
Giving provisioning services administrator privileges to users from another domain
For role-based administration where Citrix Provisioning (PVS) is in one domain and the PVS administrator is in another domain, a two-way trust is required. Citrix recommends the following method:
- Add the user to a universal group in their own domain (not the Citrix Provisioning domain).
- Add that universal group to a local domain group in the Citrix Provisioning domain.
- Make that local domain group the Citrix Provisioning admin group.
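The three steps above, carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the Citrix documentation. The domain names (admins.example and contoso.example), domain controller hostnames, OU paths, group names and the user name are assumptions; the two-way trust is assumed to exist already. The last step, making the domain local group the Citrix Provisioning admin group, stays a console task as the page describes.

```powershell
# Added example (not Citrix code): build the nested-group chain
# user -> universal group (admin's domain) -> domain local group (PVS domain).
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$AdminDomainDC = 'adm-dc01.admins.example'    # assumed DC in the administrator's domain
$PvsDomainDC   = 'pvs-dc01.contoso.example'   # assumed DC in the Citrix Provisioning domain
$AdminUser     = 'jdoe'                       # assumed user in admins.example

# Step 1: universal group in the administrator's own domain (not the PVS domain)
$universal = Get-ADGroup -Filter "Name -eq 'PVS-Admins-Universal'" -Server $AdminDomainDC
if (-not $universal) {
    $universal = New-ADGroup -Name 'PVS-Admins-Universal' -GroupScope Universal `
        -GroupCategory Security -Path 'OU=Groups,DC=admins,DC=example' `
        -Server $AdminDomainDC -PassThru
}
Add-ADGroupMember -Identity $universal -Members $AdminUser -Server $AdminDomainDC

# Step 2: domain local group in the PVS domain; the foreign universal group is
# added as a member (AD records it as a foreign security principal)
$local = Get-ADGroup -Filter "Name -eq 'PVS-Admins-Local'" -Server $PvsDomainDC
if (-not $local) {
    $local = New-ADGroup -Name 'PVS-Admins-Local' -GroupScope DomainLocal `
        -GroupCategory Security -Path 'OU=Groups,DC=contoso,DC=example' `
        -Server $PvsDomainDC -PassThru
}
Add-ADGroupMember -Identity $local -Members $universal -Server $PvsDomainDC

# Verification: the member attribute should list the foreign security principal
# created for the universal group (CN=<SID>,CN=ForeignSecurityPrincipals,...)
(Get-ADGroup -Identity $local -Properties member -Server $PvsDomainDC).member
```

The membership is read back from the `member` attribute rather than with `Get-ADGroupMember`, which cannot expand foreign security principals. Step 3 is then done in the Citrix Provisioning console by selecting `PVS-Admins-Local` as the farm's administrator group; keeping the domain local group empty apart from the universal group keeps the set of cross-domain administrators reviewable in one place.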
Adding target devices to a domain
The machine name used for the virtual disk image must not be used again within your environment.
- Right-click on one or more target devices in the Console window. You can alternatively right-click on the device collection itself to add all target devices in this collection to a domain. Select Active Directory, then select Create machine account. The Active Directory Management dialog appears.
- From the Domain scroll list, select the domain that the target device belongs to. Or, in the Domain Controller text box, type the name of the domain controller that the target devices are added to. If you leave the text box blank, the first Domain Controller found is used.
- From the Organizational unit (OU) scroll list, select or type the organizational unit to which the target device belongs. The syntax is ‘parent/child’; multiple entries are comma separated. For nested OUs, the parent comes first.
- Click the Add devices button to add the selected target devices to the domain and domain controller. A status message displays to indicate if each target device was added successfully. Click Close to exit the dialog.
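A pre-flight check for the procedure above, as an added example that is not part of the Citrix documentation: it converts the ‘parent/child’ OU path the console expects into a distinguished name, confirms that OU exists, and refuses any device name that is already a computer account in the domain (the machine name used for the virtual disk image must not be reused). The domain, domain controller, OU path and device names are constructed assumptions.

```powershell
# Added example (not Citrix code): validate the OU path and device names before
# using "Create machine account" in the console. Values below are assumed.
Import-Module ActiveDirectory

$Server      = 'pvs-dc01.contoso.example'                       # assumed DC
$DomainDN    = (Get-ADDomain -Server $Server).DistinguishedName
$ConsoleOU   = 'Citrix/PVS-Targets'                              # console syntax: parent/child
$DeviceNames = @('PVS-TGT-001', 'PVS-TGT-002', 'PVS-TGT-003')    # constructed sample

function ConvertTo-OUDistinguishedName {
    param([string]$ConsolePath, [string]$DomainDN)
    # 'parent/child' becomes 'OU=child,OU=parent,<domain DN>': an LDAP DN lists
    # the deepest container first, so the console order is reversed.
    $parts = @($ConsolePath.Split('/') | Where-Object { $_ -ne '' })
    [array]::Reverse($parts)
    return (($parts | ForEach-Object { "OU=$_" }) -join ',') + ",$DomainDN"
}

$ouDN = ConvertTo-OUDistinguishedName -ConsolePath $ConsoleOU -DomainDN $DomainDN
try {
    Get-ADOrganizationalUnit -Identity $ouDN -Server $Server -ErrorAction Stop | Out-Null
    Write-Host "OU exists: $ouDN"
} catch {
    Write-Warning "OU not found: $ouDN (account creation from the console will fail here)"
}

# Refuse any device whose name already exists as a computer object in the domain,
# whatever OU it lives in: the collision would otherwise surface as a failed
# or, worse, silently reused machine account.
foreach ($name in $DeviceNames) {
    $existing = Get-ADComputer -Filter "Name -eq '$name'" -Server $Server
    if ($existing) {
        Write-Warning "$name already exists at $($existing.DistinguishedName); choose another name"
    } else {
        Write-Host "$name is free"
    }
}
```

Run this with the same credentials the console will use so that a permissions problem on the target OU (see the note above about not delegating rights to the default Computers container) shows up here rather than in the Add devices status message.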
Removing target devices from a domain
- Right-click on one or more target devices in the Console window. Alternatively, right-click on the device collection itself to remove all target devices in this collection from a domain. Select Active Directory Management, then select Delete machine account. The Active Directory Management dialog appears.
- In the Target Device table, highlight the target devices to remove from the domain, then click the Delete Devices button. Click Close to exit the dialog.
Reset computer accounts
An Active Directory machine account can only be reset when the target device is inactive.
To reset computer accounts for target devices in an Active Directory domain:
- Right-click on one or more target devices in the Console window. Alternatively, right-click on the device collection itself to reset the machine accounts of all target devices in this collection. Select Active Directory Management, then select Reset machine account. The Active Directory Management dialog appears.
- In the Target Device table, highlight the target devices to reset, then click the Reset devices button.
- Add this target device to your domain while preparing the first target device.
- Click Close to exit the dialog.
- Disable Windows Active Directory automatic password renegotiation. To disable automatic password renegotiation on your domain controller, enable the following group policy: Domain member: Disable machine account password changes.
  To make this security policy change, you must have sufficient permissions to add and change computer accounts in Active Directory. You can disable machine account password changes at the domain level or at the local level. If you disable machine account password changes at the domain level, the change applies to all members of the domain. If you change it at the local level (by changing the local security policy on a target device connected to the virtual disk in Private Image mode), the change applies only to the target devices using that virtual disk.
- Boot each target device.
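The policy step above, scripted at either level, as an added example that is not part of the Citrix documentation. The security option "Domain member: Disable machine account password changes" is stored under the Netlogon `Parameters` key as the `DisablePasswordChange` DWORD, which is what the script reads and writes. The GPO name and the target OU distinguished name are assumptions; the local branch is meant to run on a target device booted from the virtual disk in Private Image mode, so that the setting is captured in the image.

```powershell
# Added example (not Citrix code): disable machine account password changes at
# the local level (Private Image mode target device) or at the domain level (GPO).
# GPO name and OU below are assumptions.
param(
    [ValidateSet('Local', 'Domain')]
    [string]$Scope = 'Local'
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'DisablePasswordChange'   # registry value behind the security option

function Get-MachinePasswordChangeState {
    # Reports the effective local setting; an absent value means the default
    # (password changes enabled).
    $v = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Enabled (default, value absent)' }
    if ($v.$ValueName -eq 1) { return 'Disabled' } else { return 'Enabled' }
}

if ($Scope -eq 'Local') {
    # Applies only to devices streamed from this virtual disk once it is
    # switched back out of Private Image mode.
    Write-Host "Before: machine account password changes $(Get-MachinePasswordChangeState)"
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    Write-Host "After:  machine account password changes $(Get-MachinePasswordChangeState)"
}
else {
    # Domain level: the same value delivered by Group Policy. Link the GPO to the
    # target-device OU only; a domain-wide link would stop password rotation for
    # every member computer, not just the provisioned targets.
    Import-Module GroupPolicy
    $GpoName  = 'PVS Target Devices - Disable machine password change'   # assumed
    $TargetOU = 'OU=PVS-Targets,OU=Citrix,DC=contoso,DC=example'         # assumed

    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -ValueName $ValueName -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOU -ErrorAction SilentlyContinue | Out-Null
    Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
}
```

After the target devices are booted, `Get-MachinePasswordChangeState` run on one of them confirms which setting actually took effect, which matters because a domain-level policy overrides whatever was written into the image locally.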