Configuring the Active Directory Domain Join Service Account


The Active Directory (AD) Domain Join Account is a service account required by Workspot to enable Cloud Desktops and servers to join your organization’s domain, allowing domain policies to be applied and users to sign in with their domain credentials. This article covers the configuration and use of this service account.

Note: This article applies to Workspot desktops and application servers that join an Active Directory (AD) domain. If your Workspot desktops/servers do not join a domain or join a non-AD domain, such as Entra ID, this article does not apply.

Prerequisites

  1. Create a normal domain user account with a strong password

  2. Set the Service Account password to Never Expire

  3. The Organizational Units (OUs) that you intend to contain the Workspot Cloud Desktops and the Workspot servers must already be created


Setting Permissions for the Service Account

The service account needs only a small set of permissions to perform its narrow set of functions. Using a full-featured Domain Administrator account for this purpose is not recommended; it is poor security practice.

The permissions for the service account need to be set at the correct point in the AD hierarchy. We recommend that the permissions are applied to each of the individual OUs you intend to use with Workspot. For example, the Workspot Cloud Desktops OU and the Workspot Servers OU, if the two are separate.

The permissions are applied at two different scopes. The first scope is “This object and all descendant objects”, and the second is “Descendant Computer objects”.

Required Permissions

The effective permissions and scopes delegated to each OU for the Service Account are as follows:

  • Create Computer Objects - This object and all descendant objects

  • Delete Computer Objects - This object and all descendant objects

  • Read All Properties - Descendant Computer Objects

  • Write All Properties - Descendant Computer Objects

  • Read Permissions - Descendant Computer Objects

  • Modify Permissions - Descendant Computer Objects

  • Change Password - Descendant Computer Objects

  • Reset Password - Descendant Computer Objects

  • Validated write to DNS host name - Descendant Computer Objects

  • Validated write to service principal name - Descendant Computer Objects

There are two different methods to apply the permissions: one using the Dsacls command-line tool, and one using “Active Directory Users and Computers.”

Using “Active Directory Users and Computers”

The method to add the permissions in “Active Directory Users and Computers” (ADUC) is to manually grant each permission on the required OU using the Advanced Security Settings dialog.

  1. Open ADUC with a user account that has permission to delegate control. We recommend that your Domain Administrator performs these steps.

  2. Be sure that you are viewing ADUC with Advanced Features turned on: “View > Advanced Features”

  3. Right Click the OU you are setting permissions for and select “Properties.”

  4. From the Properties page, click the “Security” tab and then the “Advanced” button.

  5. Click “Add.”

  6. Use the “Select principal” link to select the newly created service account.

  7. From the “Applies to” dropdown, select “This object and all descendant objects.”

  8. Under “Permissions,” check the two boxes for “Create Computer Objects” and “Delete Computer Objects.”

  9. Click “OK” to save the changes.

  10. Repeat steps 3-6, then:

  11. From the “Applies to” dropdown, select “Descendant Computer objects.”

  12. Under Permissions, check the boxes for:

    1. List Contents

    2. Read all properties

    3. Write all properties

    4. Read permissions

    5. Modify permissions

    6. Change password

    7. Reset password

    8. Validated write to DNS host name

    9. Validated write to service principal name

  13. Click “OK” to save the changes.

Using Dsacls

Dsacls is a command-line tool from Microsoft that is installed as part of the Active Directory Domain Services role, or with the RSAT tools for Active Directory. To run Dsacls, open an administrative command prompt with an account that has the appropriate privileges within Active Directory. We recommend running these commands as a Domain Administrator.

In the example commands below, the following is true:

  • The domain is example.com

  • The target OU for the permissions is OU=WorkspotCloudDesktops,DC=example,DC=com

  • The Domain Join Service Account is svc-wkspt-djoin

  1. Open Command Prompt with the “Run as Administrator” option

  2. Grant rights to create and delete Computer objects (inherited by this object and all descendants)

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:CCDC;Computer" /I:T

  3. Grant rights to list Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:LC;;Computer" /I:S

  4. Grant rights to read security information from Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:RC;;Computer" /I:S

  5. Grant rights to modify security information on Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WD;;Computer" /I:S

  6. Grant rights to read properties of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:RP;;Computer" /I:S

  7. Grant rights to write properties of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WP;;Computer" /I:S

  8. Grant rights to reset the password of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:CA;Reset Password;Computer" /I:S

  9. Grant rights to change the password of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:CA;Change Password;Computer" /I:S

  10. Grant rights to write the SPN of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WS;Validated write to service principal name;Computer" /I:S

  11. Grant rights to write the DNS host name of Computer objects

    • dsacls.exe "OU=WorkspotCloudDesktops,DC=example,DC=com" /G "example\svc-wkspt-djoin:WS;Validated write to DNS host name;Computer" /I:S

See Microsoft’s documentation for more information on Dsacls.
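Whichever method you used, it is worth verifying the result. The following audit script is an added example, not part of Workspot’s documentation or tooling: it reads the OU’s ACL with the RSAT ActiveDirectory module and reports which of the required ACEs the service account holds, which are missing, and any ACE that grants rights beyond the list above. It assumes the page’s example OU and account names, that the module is installed, and that it runs as a user allowed to read the OU’s security descriptor.

```powershell
Import-Module ActiveDirectory
$Ou      = 'OU=WorkspotCloudDesktops,DC=example,DC=com'   # the page's example OU
$Account = 'example\svc-wkspt-djoin'                      # the page's example account

# Resolve object-type GUIDs from this forest's schema and Extended-Rights container
# (the same display names dsacls takes) instead of hardcoding them.
$root = Get-ADRootDSE
$computerGuid = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

# Expected ACEs: the "Required Permissions" list plus List Contents from the ADUC steps.
# Inh 'All' = "This object and all descendant objects"; 'Descendents' with the computer
# class as InheritedObjectType = "Descendant Computer objects".
$none = [guid]::Empty
$expected = @(
  @{ Name='Create/Delete Computer Objects'; Rights='CreateChild, DeleteChild'; Obj=$computerGuid; InhObj=$none; Inh='All' }
  @{ Name='List Contents';        Rights='ListChildren';  Obj=$none; InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Read All Properties';  Rights='ReadProperty';  Obj=$none; InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Write All Properties'; Rights='WriteProperty'; Obj=$none; InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Read Permissions';     Rights='ReadControl';   Obj=$none; InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Modify Permissions';   Rights='WriteDacl';     Obj=$none; InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Change Password'; Rights='ExtendedRight'; Obj=$rightGuid['Change Password']; InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Reset Password';  Rights='ExtendedRight'; Obj=$rightGuid['Reset Password'];  InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Validated write to DNS host name'; Rights='Self'; Obj=$rightGuid['Validated write to DNS host name']; InhObj=$computerGuid; Inh='Descendents' }
  @{ Name='Validated write to SPN'; Rights='Self'; Obj=$rightGuid['Validated write to service principal name']; InhObj=$computerGuid; Inh='Descendents' }
)

# Only explicit Allow ACEs for the service account on this OU are of interest.
$aces = (Get-Acl -Path "AD:\$Ou").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited }

foreach ($e in $expected) {
    $want = [int][System.DirectoryServices.ActiveDirectoryRights]$e.Rights
    # One ACE may carry several rights (ADUC merges checked boxes), so test the bits, not equality.
    $hit = $aces | Where-Object {
        (([int]$_.ActiveDirectoryRights) -band $want) -eq $want -and
        $_.ObjectType -eq $e.Obj -and $_.InheritedObjectType -eq $e.InhObj -and
        $_.InheritanceType -eq $e.Inh }
    '{0,-8} {1}' -f $(if ($hit) { 'OK' } else { 'MISSING' }), $e.Name
}

# Any right outside the required set (GenericAll, WriteOwner, Delete, ...) means over-delegation.
$allowed = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ReadControl, WriteDacl, Self, ExtendedRight'
$aces | Where-Object { ([int]$_.ActiveDirectoryRights -band -bnot $allowed) -ne 0 } |
    ForEach-Object { 'EXTRA    {0} (ObjectType {1}, inherited to {2})' -f $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType }
```

Run it once per OU you delegated (the Cloud Desktops OU and the Servers OU if they are separate); every row should read OK and no EXTRA rows should appear.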