Jump Server / VMWare Tools - Account Setup

Overview

This article will assist in configuring the minimum permissions required on your jump server or host to utilise the VMware tool connect method.  

Our module connects to the member server, copies over a powershell script and remotely invokes it to manage AD computer Objects/ MS DNS and MS IPAM.  The simplest thing to do would be to use a domain admin service account for the Microsoft Endpoint, but that's not always desirable.  In this article, I'll lay out how to enable a non-privileged user to perform these tasks.


Considerations

  1. User must be allowed to run remote PowerShell scripts on the Member Server (member server must be Windows 2012 or later)
  2. RSAT tools installed for AD administration (see Additional information for RSAT tools Installation)
  3. Must grant permissions to AD / DNS (See Additional information for permissions requirements)
  4. Must have Windows Service Configuration Manager Access.


Procedure

Give your service account permission to run remote powershell scripts.

  1. Run powershell on your DC or member server as Administrator


  2. At the prompt, type the following command

    Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI 



  3. Depending on your account, you may be asked to Confirm you want to run this command. If you are not move to the next step
    WARNING: This action could have a serious impact on your system so we ask you to confirm that you really want to do this.  This brings up the following dialog box which allows you to give others the ability to run commands on that machine

    Confirm    
    Are you sure you want to perform this action?      
    Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".      
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
  4. Add the account that will need to run this and give Full Control permissions, hit ok, then Confirm Yes to make the change.




Set WMI Control settings to allow the user to have access.

  1. From the Computer Management console on the Member Server, expand Service and Applications (1)  and right click on WMI Control (2) selecting properties (3)


  2. Open the Security tab


  3. Select the \Root\CIMV2 (1) namespace and click on Security (2)


  4. In the Security dialog box, click Add.


  5. In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) you want to add and click OK


  6. Click Advanced to open the Advanced Security Settings dialog box


  7. On the Permissions tab, select the desired user in Permissions entries and click Edit


  8. Set Type to Allow (1), set Applies to to This namespace and subnamespaces (2), and select the Execute Methods (3), Enable Account (4) and Remote Enable (5) options then click OK (6)


  9. Click OK to close all windows and apply the changed settings.


Additional to : Set WMI Control settings to allow the user to have access

NOTE: May need to run this also if the above steps don't produce the desired result.  This was from a Windows 2003 article, so it may be out of date. 

  1. On the Member Server Open a Command Prompt as Administrator, and execute the following command: 

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Additional information

MS DNS Account Setup : https://support.sovlabs.com/a/solutions/articles/6000223780-microsoft-dns-account-setup
MS Active Directory Account Setup : https://support.sovlabs.com/a/solutions/articles/6000224740-active-directory-account-setup
MS AD Endpoint configuration (Jump Server / Win RM) : https://support.sovlabs.com/a/solutions/articles/6000223576-microsoft-ad-endpoint-configuration-jump-host-winrm-
RSAT Setup : https://support.sovlabs.com/a/solutions/articles/6000186846-setting-up-rsat-tools-for-remote-management-of-microsoft-ipam-dns-and-ad-using-vmware-tools

SovLabs MS DNS Accounts Setup : https://support.sovlabs.com/a/solutions/articles/6000223780-microsoft-dns-account-setup
SovLabs Active Directory Account Setup : https://support.sovlabs.com/a/solutions/articles/6000224740-active-directory-account-setup
SovLabs MS IPAM Account Setup : https://support.sovlabs.com/a/solutions/articles/6000224741-microsoft-ipam-account-setup
SovLabs Microsoft EndPoint Configuration (Jump Host / WinRM) : https://support.sovlabs.com/a/solutions/articles/6000223576-microsoft-ad-endpoint-configuration-jump-host-winrm-

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.