Runas Account Permissions

    Question

  • Hi,

    I have got a user role, which has deploy rights in VMM and has a runas account in the background, which is in the Domain Administrator Group.

    I don't really want the runas account to have domain admin rights, are there any specific permissions that I can grant to this particular runas account so that the user role can function correctly?

    I haven't come across a blog post that addresses this question, so I am hoping someone here will be able to help.

    Thank You

    Thursday, February 13, 2014 3:03 PM

All replies

  • Hi Mayur,

    RunAs accounts are used in the VM Creation for performing a specific task.

    E.g.: a RunAs account for Domain Join. This account needs to have permission to join computer objects to the domain. You could delegate only the minimal permission to perform this activity.

    I don't recommend using Domain Admin accounts as a Run As account.

    Please let us know if you did so for accomplishing any specific task which can't be done through a delegated admin account.


    Optimism is the faith that leads to achievement. Nothing can be done without hope and confidence.


    InsideVirtualization.com

    Friday, February 14, 2014 7:58 AM
  • Hi,

    At the moment the runas account is set to domain admin in the test environment. I am trying to figure out what permissions are required on the runas account so that the Self-Service User is able to deploy, manage checkpoints, etc. in VMM.

    Thank You

    Friday, February 14, 2014 10:07 AM
  • Run As accounts don't have any relation to what the self-service user is entitled to do.

    A Run As account is a saved user name and password which can be accessed by the self-service user for performing a specific task. If the self-service user wants the computer to be joined to the domain along with the VM deployment, the template or the guest OS profile can be set with the appropriate Run As account for the domain join process. By doing so, we are allowing the self-service user to perform an activity using an elevated account which has the right to do that, but without sharing the credentials with the self-service user.


    Optimism is the faith that leads to achievement. Nothing can be done without hope and confidence.


    InsideVirtualization.com

    Friday, February 14, 2014 6:06 PM
  • Shabarinath is spot on. Run As accounts in VMM contain credentials you can call and delegate to other user roles, who need some specific permissions to perform tasks in the VMM sphere.

    Domain Join is one example, where this is a domain account that has rights to add computers to the domain.

    Another example is a local admin Run As account, where the user should not know the pwd, but rather have the possibility to provide the OS requirements in the templates in order to deploy the guest OS.

    -kn


    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

    Saturday, February 15, 2014 5:08 PM
    Moderator
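
The domain-join delegation the replies above describe, as an added example that is not part of the original posts: it grants a Run As account only the rights needed to create and join computer objects in one OU, using the standard `dsacls` tool and the ActiveDirectory module. The OU, domain and account names are hypothetical placeholders, and the listed rights are the commonly used domain-join set, assumed here rather than taken from the thread; it does not cover the VMM deploy or checkpoint rights asked about.

```powershell
# Added example; the OU and account names below are hypothetical placeholders.
# Run from an elevated session as an admin allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$TargetOU = 'OU=VMM-Deployed,DC=contoso,DC=com'   # hypothetical OU for VMM-built guests
$Account  = 'CONTOSO\svc-vmm-join'                # hypothetical Run As account identity
$Sam      = $Account.Split('\')[1]

# Refuse to continue while the account is still a (nested) Domain Admins member,
# because the delegation below would then be masking the broader right.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
if ($admins.SamAccountName -contains $Sam) {
    throw "$Account is still in Domain Admins; remove it before delegating."
}

# Right to create computer objects in this OU and its child OUs only.
$aces = @(
    @{ Inherit = '/I:T'; Spec = 'CC;computer' }
    # Rights on descendant computer objects, needed to join and re-join a machine.
    @{ Inherit = '/I:S'; Spec = 'CA;Reset Password;computer' }
    @{ Inherit = '/I:S'; Spec = 'RPWP;Account Restrictions;computer' }
    @{ Inherit = '/I:S'; Spec = 'WS;Validated write to DNS host name;computer' }
    @{ Inherit = '/I:S'; Spec = 'WS;Validated write to service principal name;computer' }
)

foreach ($ace in $aces) {
    dsacls $TargetOU $ace.Inherit /G "${Account}:$($ace.Spec)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while granting '$($ace.Spec)' on $TargetOU"
    }
}

# Review what the account now holds on the OU.
dsacls $TargetOU | Select-String -SimpleMatch $Account
```

Because the grant is scoped to a single OU, the VMM template or guest OS profile has to place new machines in that OU for the join to succeed.
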
  • I understand the concept of a runas account. I also know that the end user doesn't need to know the password to the runas account as it is used in the background and Self-service is unaware of this.

    What I want to do is grant only specific AD permissions to an account which will be used as a runas account that allows the users to have Deploy and Manage Checkpoint rights.

    If I create a user account in AD with no domain admin rights and create a runas account based off this user, the functionality doesn't work.

    I hope you understand what I am trying to solve here.

    Thanks

    Monday, February 17, 2014 2:38 PM