Overview
This article describes the Active Directory (AD) groups used by Workspot Control. AD groups are central to the operation of most Workspot deployments. To use AD groups in Control, you must first complete AD integration. See Workspot Enterprise Connector.
Active Directory Groups
An Active Directory group enables the administrator to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of individual users simplifies management, maintenance, and administration.
There are two types of groups in Active Directory:
Distribution groups: Used to create email distribution lists.
Security groups: Used to assign permissions to shared resources.
Distribution groups:
Distribution groups can be used only with email applications (such as Exchange Server) to send emails to collections of users. Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs).
Security Groups:
Security groups provide an efficient way to assign access to resources on your network. By using security groups, you can:
Assign user rights to security groups in Active Directory to determine what members of that group can do within the scope of a domain.
Assign permissions to security groups for resources. Permissions are different than user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access.
Where AD Groups are used in a Workspot Environment
As mentioned, AD groups simplify management and administration. In a Workspot environment, AD groups are used in multiple places to support the enterprise solution. Here are the places where an AD group can be used:
Built-In Remote access Group in Template VDI:
This is a built-in group in Windows VDI desktops/servers. Any user or group that is a member of this group can access the machine remotely through RDP. For example, suppose an administrator deploys a pool of 10 machines for sales users, and in AD the sales users are part of an AD group. To enable the sales users to access the VDI machines, the administrator needs to add the AD sales group to the Remote access Group of the VDI machines. The best practice is to add it through AD policy instead of adding it in a template or locally.
Add a New Group in Control:
After AD integration has been done in Control, a Control admin can go to Users -> Groups and add AD groups to assign permissions on resources.

Assigning App Bundle:
Another relevant component of Control is the App bundle. It enables the administrator to create a bundle of applications based on requirements or user grouping and assign the App bundle to an AD group, so that a member of the AD group has the set of applications defined by the App bundle.
Manage Resources:
To provide access to an application or VDI desktops, it is recommended to add a group instead of adding users one by one. For example, create a group for a sales team, add the sales users to the group, and then assign sales-based applications to the group through Control.
Assigning Security/Network Policy to Group:
Control provides quite a few policies for the administrator to manage users. There are 2 types of policy available through Control:
Network Policy - This allows the administrator to manage web URLs for users.
Security policy - This has multiple policies integrated:
Workspot PIN
Online Authentication
Offline Access
Utility Rules
An administrator can configure policy settings based on their requirements and assign the relevant policies to a set of users by selecting the groups that the users are members of.
Login Message:
It enables the administrator to assign a message that is displayed to users in the relevant group when they log in on their device.
Assigning Wallpaper:
The administrator can upload a wallpaper and assign it to an AD group, so that all users who are members of the group have the same wallpaper. A wallpaper assigned to a group overrides the company wallpaper setting. We recommend a wallpaper size of 768x1004 pixels.
Precedence Order:
A user can have only one policy assigned. For a user who is part of multiple groups, the policy of the group listed highest in the order of precedence is applied.
Control Group (Non-AD group):
Control also allows creating non-AD groups, which Control administrators can use to manage users in Control.

How the syncing between Control & AD occurs:
Manual Process:
An administrator can manually trigger a sync by clicking on “Refresh Entitlements” as shown below. All user AD group entitlements will be updated when the user launches the Workspot client next time.

Automatic:
Control is configured to sync with Active Directory automatically every 24 hours. Once a new user activates the Workspot client and connects through it, the user's details are populated in Control.
What Syncs:
Control communicates with the customer's AD through the Workspot Enterprise Connector installed on the customer's premises. The Enterprise Connector does not require any modifications or write permissions to AD. Control keeps the user's email, domain, username, ID and account status (disabled or enabled). Here is the EC log for reference:
02:51:51|["com.workspot.control.eccommon.plugin.ad.UserAndID",{"userEmail":"[email protected]","domain":"abc.com","username":"Ashisha","id":"ae2accf8-698e-4f6b-ae6f-d706a243fef0","disabled":false}]
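As an added example (not Workspot's own tooling), the Python sketch below parses EC log entries of the form shown above, lists the accounts synced as disabled, and flags any attribute beyond the five this article names. The sample lines, including the non-JSON line and the extra memberOf field, are constructed; the format of any log line other than the one above is an assumption.

```python
import json

# Fields the article says Control keeps for each synced user.
DOCUMENTED_FIELDS = {"userEmail", "domain", "username", "id", "disabled"}
# Class name taken from the log line quoted in the article.
USER_RECORD_CLASS = "com.workspot.control.eccommon.plugin.ad.UserAndID"

# Constructed sample lines modelled on the single log line in the article.
SAMPLE_LOG = """\
02:51:51|["com.workspot.control.eccommon.plugin.ad.UserAndID",{"userEmail":"user1@example.test","domain":"example.test","username":"user1","id":"00000000-0000-0000-0000-000000000001","disabled":false}]
02:51:52|["com.workspot.control.eccommon.plugin.ad.UserAndID",{"userEmail":"user2@example.test","domain":"example.test","username":"user2","id":"00000000-0000-0000-0000-000000000002","disabled":true}]
02:51:53|connector heartbeat (constructed non-JSON line)
02:51:54|["com.workspot.control.eccommon.plugin.ad.UserAndID",{"userEmail":"user3@example.test","domain":"example.test","username":"user3","id":"00000000-0000-0000-0000-000000000003","disabled":false,"memberOf":"CN=Sales"}]
"""


def parse_user_records(log_text):
    """Return (timestamp, record) for every UserAndID entry; skip other lines."""
    records = []
    for line in log_text.splitlines():
        timestamp, sep, payload = line.partition("|")
        if not sep:
            continue  # no "time|payload" separator
        try:
            entry = json.loads(payload)
        except json.JSONDecodeError:
            continue  # payload is not a JSON entry
        if (isinstance(entry, list) and len(entry) == 2
                and entry[0] == USER_RECORD_CLASS and isinstance(entry[1], dict)):
            records.append((timestamp, entry[1]))
    return records


def audit(records):
    """Summarise disabled accounts and attributes outside the documented set."""
    disabled = [r.get("username") for _, r in records if r.get("disabled") is True]
    extra = {r.get("username"): sorted(set(r) - DOCUMENTED_FIELDS)
             for _, r in records if set(r) - DOCUMENTED_FIELDS}
    return {"users": len(records), "disabled": disabled, "unexpected_fields": extra}


if __name__ == "__main__":
    print(audit(parse_user_records(SAMPLE_LOG)))
```

Comparing the disabled list against accounts recently disabled in AD shows whether deprovisioning has reached Control since the last sync.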
Best Practices:
Instead of managing single users to allocate resources, it is recommended to manage through Groups.
| 09/15/2020/11:45 pm |