No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

FusionAccess Desktop Solution V100R006C20 Application Virtualization User Guide 09 (FusionSphere V100R006C10 or Earlier)

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Checking AD Group Policies

Checking AD Group Policies

Scenarios

This section describes how to configure group policies on an AD server in the following scenarios.

  • The group policies for changing the password of a machine account need to be disabled in linked clone and full memory APS Server template creation scenarios.
  • If you select Configure user login when creating a template using the template tool, you need to configure the Allow log on locally policy.
    NOTE:
    • By default, only users or user groups that have been added to the local administrator group can log in to the APS Servers. In this scenario, selecting Configure user login indicates that users (including domain users) in the Users group can log in to the APS Servers. You need to configure the Allow log on locally policy for the AD server to make the login policy take effect.
    • After the local login group policy is configured, FusionCompute administrators may log in to any APS Servers in the system through the VNC by using any domain account.

Prerequisites

You have obtained the domain administrator account and password for logging in to the AD server in the user domain.

Data

For details about key data and parameters, see the description given in specific procedures.

Procedure

Disable machine account password changing.

  • Perform this operation in linked clone and full memory APS Server template creation scenarios to prevent APS Servers from being removed from domains and ensure successful system restoration.
  • The machine account password is used to establish a secure channel between the APS Server and domain controller. Disabling the machine account password results in security risks.
  1. Log in to the AD server in the user domain using the domain administrator account.
  2. On the AD server, click .

    The Windows PowerShell dialog box is displayed.

  3. Enter gpmc.msc and press Enter.

    The Group Policy Management window is displayed.

  4. In the navigation tree, choose User domain name > Domains > User domain name > Group Policy Objects, as shown in Figure 2-17.

    Figure 2-17 Group policy objects

  5. Select the group policy that has taken effect on the user VM.

    Right-click the group policy that has taken effect on the user VM, for example, right-click Default Domain Policy, and click Edit.

    The Group Policy Management Editor window is displayed.

  6. In the navigation tree, choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, as shown in Figure 2-18.

    Figure 2-18 Disable account password changes

  7. In the right pane, view and record the value of Domain member: Disable machine account password changes and Domain controller: Refuse machine account password changes in the Policy Setting row.

    • If Policy Setting is set to Not Defined, go to Step 8.
    • If Policy Setting has been set but some values are not Enabled, set all the values to Enabled, go to Step 8.
    • If Policy Setting has been set and all the values are Enabled, go to Step 8.

Check the Allow log on locally policy of the AD server.

  1. During template creation, as shown in Figure 2-19.

    • If Configure user login is selected, go to Step 9.
    • If Configure user login is deselected, no further operation is required.
    Figure 2-19 Function

  2. In the navigation tree, choose Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. For details, see Step 1 to Step 6.
  3. In the right pane, view and record the value of Policy Setting in the Allow log on locally row.

    • If Policy Setting is set to Not Defined, no further operation is required.
    • If Policy Setting has been set but the value does not include the Users group, add the Users group to the value.
    • If Policy Setting has been set but the value includes the Users group, no further operation is required.

Download
Updated: 2019-09-29

Document ID: EDOC1000182383

Views: 15343

Downloads: 128

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next