VMware vCenter Setup 1 of 6

I’ve set up two service accounts in Active Directory as follows:
  • “testdomain\app-vcenter” for VMware vCenter Server
  • “testdomain\app-mssql” for Microsoft SQL Server
This article describes how to create the domain accounts and how to set up a group policy that denies them local logon.

Create domain service accounts in AD

  1. Open the [Active Directory Users and Computers] window on the AD server, and open the [<domain-name>]-[Users] folder.
    After that, open the right-click menu, and select the [New]-[User] menu item.
  2. After opening the [New Object – User] dialog, input the “app-vcenter” domain user account name as follows, and push the [Next] button.
    • Input the first name into the [First name] text box.
    • Input the full name into the [Full name] text box.
    • Input the user logon name into the [User logon name] text box and the [User logon name (pre-Windows 2000)] text box.
    note: In order to simplify user management, the [User logon name (pre-Windows 2000)] should be made the same as the [User logon name].
  3. Input the following, and push the [Next] button.
    • Input the user password into the [Password] text box.
    • Uncheck the [User must change password at next logon] check box.
    • Check the [User cannot change password] check box.
    • Check the [Password never expires] check box.
  4. Push the [Finish] button. The [New Object – User] dialog will be closed.
  5. Check that the domain user account is created.
    After that, select the domain user account created, open the right-click menu, and select [Properties] menu item. (Or double-click the domain user account).
  6. After opening [app-vcenter Properties] dialog, input the description of the domain user account into [Description] text box.
  7. Furthermore, set up the domain user “app-mssql” in the same manner as above.

Configure the GPO to deny logon via the console and Remote Desktop.

  1. Open the [Group Policy Management] window, and select [Forest: <forest-name>]-[Domains]-[<domain-name>] in the tree at the left side of the window.
    After that, open the right-click menu and select the [Create a GPO in this domain, and Link it here…] menu item.
  2. After opening the [New GPO] dialog, input the GPO name as “Application User Account Access Control”.
    After that, push the [OK] button.
  3. Check that the GPO is created.
    After that, select the GPO, open the right-click menu, and select [Edit…] menu item.
  4. Select the [Deny log on locally] policy at [Policies]-[Windows Settings]-[Security Settings]-[Local Policies]-[User Rights Assignment].
    After that, open the right-click menu, and select the [Properties] menu item. (Or double-click the policy.)
  5. After opening the [Deny log on locally Properties] dialog, check the [Define these policy settings] check box, and push the [Add User or Group] button.
  6. After opening the [Add User or Group] dialog, input the “<domain name>\app-vcenter” domain username, and push the [OK] button.
  7. Check that the domain user account is added in the pane.
  8. Furthermore, add “<domain name>\app-mssql” domain user account in the same manner, and push [OK] button.
  9. Check that the accounts are listed in [Policy Settings].
  10. Furthermore, add those domain accounts to [Deny log on through Remote Desktop Services] policy in the same manner as above.
  11. Finally, run gpupdate /force at the AD server’s command prompt to update the group policy immediately.
    PS C:\Users\Administrator> gpupdate /force
    Updating policy…

    Computer policy update has completed successfully.
    User policy update has completed successfully.

    PS C:\Users\Administrator>
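The same two procedures scripted in PowerShell, as an added example that is not part of the original article: it creates the two service accounts with the same dialog options and then verifies, from the GPO’s XML report, that both deny rights actually list both accounts. It assumes the RSAT ActiveDirectory and GroupPolicy modules on the AD server, the names used in the article, and the UserRightsAssignment/Name/Member element names of the Get-GPOReport XML output.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are installed and the script runs as a domain admin on the AD server.
# Account names, descriptions and the GPO name follow the article; the XML report element
# names (UserRightsAssignment / Name / Member) are assumed from Get-GPOReport output.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'testdomain'
$GpoName  = 'Application User Account Access Control'
$Accounts = [ordered]@{
    'app-vcenter' = 'Service account for VMware vCenter Server'
    'app-mssql'   = 'Service account for Microsoft SQL Server'
}

# Part 1: create each service account with the same options as the [New Object - User] dialog
foreach ($name in $Accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Host "$name already exists, skipping creation"
        continue
    }
    New-ADUser -Name $name -SamAccountName $name -Description $Accounts[$name] `
        -AccountPassword (Read-Host -AsSecureString "Password for $name") `
        -ChangePasswordAtLogon $false -CannotChangePassword $true `
        -PasswordNeverExpires $true -Enabled $true
}

# Part 2: user rights live in the GPO's GptTmpl.inf, which the GroupPolicy cmdlets do not edit
# directly, so after setting them in the editor (steps 4-10) verify the result from the GPO's
# XML report rather than trusting the dialog.
[xml]$report  = Get-GPOReport -Name $GpoName -ReportType Xml
$assignments  = $report.SelectNodes("//*[local-name()='UserRightsAssignment']")
$expected     = $Accounts.Keys | ForEach-Object { "$Domain\$_" }

foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $node = $assignments | Where-Object {
        $_.SelectSingleNode("*[local-name()='Name']").InnerText -eq $right
    }
    if (-not $node) { Write-Warning "$right is not defined in '$GpoName'"; continue }
    $members = $node.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
        ForEach-Object { $_.InnerText }
    foreach ($account in $expected) {
        if ($members -contains $account) { Write-Host "OK      $right includes $account" }
        else { Write-Warning "MISSING $right does not include $account" }
    }
}
```

Because the GPO is linked at the domain level, the deny rights apply to every computer in the domain, so a MISSING warning means the account could still log on interactively somewhere; re-run the check after gpupdate /force on the target hosts.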
