This article describes the Active Directory (AD) groups used by Workspot Control. AD groups are central to the operation of most Workspot deployments. To use AD groups in Control, you must configure Workspot Enterprise Connector.
There are two types of groups in Active Directory: Security Groups and Distribution Groups. Only Security Groups are used by Workspot to assign permissions and access to resources.
With security groups, you can:
Assign user rights to security groups in Active Directory to determine what members of that group can do within the scope of a domain.
Assign permissions to security groups for resources. Permissions are different from user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access.
Note: AD Groups and Workspot Groups are not the same. A Workspot Group can be defined to have the same members as an AD group, but it controls different features.
Windows Remote Desktop Users Group
This is a standard Windows group. Any user who is not a member of this group is denied access to remote devices via the RDP protocol (the Workspot Client uses the RDP protocol). Thus, any users who will be granted access to Workspot desktops and apps should be members of the Remote Desktop Users Group.
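One way to check this requirement on a desktop or template VM is shown below. This is an added example, not Workspot code. It assumes the RSAT ActiveDirectory module is installed, and the group name Workspot-Users is a placeholder for the AD group mapped in Control.

```powershell
# Added example (not Workspot code). Run on a desktop or template VM with the
# RSAT ActiveDirectory module installed. 'Workspot-Users' is a placeholder name.
param(
    [string]$AdGroupName = 'Workspot-Users'   # hypothetical AD group mapped in Control
)
Import-Module ActiveDirectory

# Only Security groups can carry permissions; flag Distribution groups early.
$group = Get-ADGroup -Identity $AdGroupName
if ($group.GroupCategory -ne 'Security') {
    Write-Warning "$AdGroupName is a $($group.GroupCategory) group, not a Security group."
}

# Collect every SID that the local Remote Desktop Users group admits,
# expanding nested domain groups to their members.
$allowed = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($m in Get-LocalGroupMember -Group 'Remote Desktop Users') {
    [void]$allowed.Add($m.SID.Value)
    if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        Get-ADGroupMember -Identity $m.SID.Value -Recursive |
            ForEach-Object { [void]$allowed.Add($_.SID.Value) }
    }
}

# Report user members of the AD group that are not covered on this machine.
$missing = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and -not $allowed.Contains($_.SID.Value) }

if ($missing) {
    $missing | Select-Object SamAccountName, distinguishedName
} else {
    "All user members of $AdGroupName are covered by Remote Desktop Users."
}
```

The output lists accounts that belong to the AD group but are not members of Remote Desktop Users on this machine, directly or through a nested domain group.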
Control AD Groups
After AD integration has been enabled in Control, a Control Admin can go to “Users > Groups” and add a group with the “Use AD Group” option set to “yes.” This group will have the same name as the AD group, and every member of the AD group is eligible for this Workspot group.
A user’s group membership determines which desktop pools, policies, application bundles, plugins, and more are assigned to the user.

Add Group Page.
Assigning Applications
The App bundle is a list of Workspot Cloud and Web applications that its users are entitled to use. These are shown on the user’s Client dashboard.
Assigning Desktops
The Group definition includes a list of desktop pools that its users are entitled to use. By having different Workspot Groups based on different AD groups, different kinds of users receive different resources.
Security Policy
See Control: Security Policies.
Network Policy
Allows the administrator to manage web URLs for users.
Precedence Order
Users can only have one policy assigned. For users who are part of multiple groups, the group listed highest in the order of precedence will be applied to the user. Precedence is controlled on the “Users > Groups > Precedence Order” page.
Non-AD Control Groups
Control also allows creating non-AD groups, often consisting of Control Administrators and other special-case users.
Syncing Between Control and AD
See How Workspot Control Handles AD Account Status and Group Membership Changes.