Parallels recommends that the following Active Directory capabilities be considered when deploying Parallels RAS.
Note: More information on Active Directory Domain Services can be found at https://technet.microsoft.com/en-us/library/bb742424.aspx.
A particularly useful type of directory object contained within domains is an organizational unit (OU). OUs are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.
An OU can be used to assign Group Policy settings for centralized management and configuration of operating systems, applications, and user settings in an AD environment.
Parallels recommends the use of OUs for the following:
Terminal Servers/Remote Desktop Session Hosts (RDSH) hosting applications and desktops should be placed in their own OUs. TS/RDSH hosts usually need several group policies applied to them; in a multi-user environment, for example, policies may be required to optimize the user experience and/or harden the hosts.
Separate OUs for the different TS/RDSH groups defined in the Parallels RAS Console can also be used to organize the corresponding application groups.
Servers in the same Parallels RAS site should reside in the same domain or in different domains with a full trust relationship between domains.
More information on Domain trusts can be found at https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx.
All servers that load-balance applications/desktops must be in the same domain if a domain security group is authorized to use the application.
Note: For the information on how to design an OU structure which works for your organization, visit https://technet.microsoft.com/en-us/library/2008.05.oudesign.aspx.
Security Groups
Security groups are used to assign permissions to shared resources. Different resources (virtual applications, desktops, VDI machines) can be assigned to different users or groups. Parallels recommends using Active Directory security groups for better manageability when filtering is done by user or group.
Once security groups are created in Active Directory and members are added to them, group-based filtering can be configured from the Parallels RAS Console. This ensures that all members of a given security group have access to the same published resources. For example, when a new user joins the company, they only need to be added to the relevant Active Directory security group to receive access to the published resources assigned to it.
Security groups can be segregated logically by the department the user belongs to, or by the application or desktop that is to be delivered.
More details about Active Directory Security Groups can be found at https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx.
Note: By default, published resources in RAS are available to all users in the domain unless they are restricted by filtering (user/group, client, IP address, MAC address or Gateway access). Publishing to a specific security group therefore acts as an allow-list; a resource left unfiltered is reachable by every domain account.
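The following PowerShell is an added example, not code from the Parallels guide, that builds the OU layout recommended in the organizational unit section above (one OU per TS/RDSH group defined in the RAS Console) and the access security groups described in this section, using the ActiveDirectory module from RSAT. The OU names, RDSH host names, group names and user names are assumptions and constructed sample data; replace them with your own. The script is idempotent, so it can be re-run as hosts and groups are added.

```powershell
# Added example (not from the Parallels guide): create the recommended OU
# layout and RAS access security groups with the ActiveDirectory module.
# All OU, host, group and user names below are assumptions / constructed data.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example,DC=com

function Ensure-OU {
    # Create an OU under $ParentDN if it does not exist yet; return its DN.
    param([string]$Name, [string]$ParentDN)
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
                -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou.DistinguishedName
}

function Ensure-AccessGroup {
    # Create a global security group in $Path if missing and make sure the
    # listed users are members (Add-ADGroupMember ignores existing members).
    param([string]$Name, [string]$Path, [string[]]$Members, [string]$Description)
    $grp = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $grp) {
        $grp = New-ADGroup -Name $Name -Path $Path -GroupScope Global -GroupCategory Security `
                 -Description $Description -PassThru
    }
    if ($Members) { Add-ADGroupMember -Identity $grp -Members $Members }
    return $grp
}

# Root OU for RAS, one sub-OU per RDSH group (each can carry its own GPOs),
# and one OU holding the groups used for RAS user/group filtering.
$rasRoot  = Ensure-OU -Name 'Parallels RAS' -ParentDN $DomainDN
$rdshRoot = Ensure-OU -Name 'RDSH Hosts'    -ParentDN $rasRoot
$groupsOU = Ensure-OU -Name 'Access Groups' -ParentDN $rasRoot

# Assumed RDSH groups (as defined in the RAS Console) and their host names.
$rdshGroups = @{
    'Office Apps'  = @('RDSH-OFF-01', 'RDSH-OFF-02')
    'Finance Apps' = @('RDSH-FIN-01')
}
foreach ($groupName in $rdshGroups.Keys) {
    $ou = Ensure-OU -Name $groupName -ParentDN $rdshRoot
    foreach ($hostName in $rdshGroups[$groupName]) {
        # Move the computer account only if it is not already in the target OU.
        $computer = Get-ADComputer -Filter "Name -eq '$hostName'"
        if ($computer -and $computer.DistinguishedName -notlike "*,$ou") {
            Move-ADObject -Identity $computer -TargetPath $ou
        }
    }
}

# One access group per published application/desktop set (constructed sample).
Ensure-AccessGroup -Name 'RAS-Office-Users'  -Path $groupsOU -Members @('alice', 'bob') `
    -Description 'RAS filter group: Office published applications'
Ensure-AccessGroup -Name 'RAS-Finance-Users' -Path $groupsOU -Members @('carol') `
    -Description 'RAS filter group: Finance published desktop'
```

Once the groups exist, select them in the user/group filter of each published resource in the RAS Console; day-to-day access changes are then made by adjusting group membership rather than by editing the published resource.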
Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory service containers: sites, domains, organizational units (OUs). The settings within GPOs are then evaluated by the affected targets using the hierarchical nature of Active Directory. Consequently, Group Policy is one of the top reasons to deploy Active Directory because it allows you to manage user and computer objects.
Apart from the Parallels RAS policies, which allow IT administrators to manage Parallels Client settings for all users on the network who connect to a server in the farm, Parallels recommends the additional use of Group Policy to manage the user and computer objects accessing the infrastructure. Group policies relating to user experience and/or security should be linked to the respective OUs described in the previous sections.
Recommended group policies include, but are not limited to, the following.
Logging on remotely requires the user to hold the remote logon right on the target host. By default the local Remote Desktop Users group (and Administrators) receives this through the "Allow log on through Remote Desktop Services" user right, so the usual approach is to place the domain group in Remote Desktop Users via Group Policy. If that user right has been customised, or the group appears in "Deny log on through Remote Desktop Services", membership of Remote Desktop Users alone is not sufficient.
This can be carried out from Group Policy Management Console (GPMC), which is an administrative feature that can be installed via Server Manager or through PowerShell as described at https://technet.microsoft.com/en-us/library/cc725932(v=ws.11).aspx.
Once GPMC is open, edit the GPO linked to the TS/RDSH/VDI OU and navigate to Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups. Right-click Restricted Groups, click Add Group, enter the domain group that should be allowed to log on to the remote machines (TS/RDSH/VDI), and under "This group is a member of" add Remote Desktop Users. This adds the domain group to the local Remote Desktop Users group on every host in the OU without touching other members. Alternatively, add Remote Desktop Users itself and list the domain group under "Members of this group"; this enforces the exact membership and removes any account that was added locally, which is stricter but must be intentional.
More information on how to add Domain Users/Group to the Remote Desktop Users group via Group policy can be found at https://technet.microsoft.com/en-us/library/cc725932(v=ws.11).aspx.
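After the Restricted Groups policy has applied, the check a practitioner wants is whether a given host really permits RDP logon for the intended group and nobody else. The script below is an added example, not code from the Parallels guide: run locally as an administrator on a TS/RDSH/VDI host, it exports the effective user rights with secedit, resolves the "Allow" and "Deny log on through Remote Desktop Services" assignments to account names, and lists the current members of the local Remote Desktop Users group. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember) and that secedit is available, which it is on supported Windows Server versions.

```powershell
# Added example (not from the Parallels guide): audit who can log on through
# Remote Desktop Services on this host. Requires local admin and PowerShell 5.1+.

function Get-RdpLogonRights {
    # Export the effective local security policy (user rights only) to a temp
    # file and read the two rights that decide RDP logon. secedit writes an
    # INI-style file; SIDs are prefixed with '*' and values are comma-separated.
    $cfg = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $rights = @{}
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^(SeRemoteInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
                    $v = $_.Trim()
                    if ($v.StartsWith('*')) {
                        # Translate the SID to DOMAIN\Name where possible.
                        try {
                            (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                                Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $v }
                    } else { $v }
                })
            }
        }
        return $rights
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Get-RdpEffectiveAccess {
    $rights  = Get-RdpLogonRights
    $allowed = @($rights['SeRemoteInteractiveLogonRight']     | Where-Object { $_ })
    $denied  = @($rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $_ })

    # What Restricted Groups manages: the local Remote Desktop Users membership.
    $rduMembers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
                    Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        AllowLogOnThroughRDS      = $allowed
        DenyLogOnThroughRDS       = $denied      # Deny wins over Allow
        RemoteDesktopUsersMembers = $rduMembers
        # Membership of Remote Desktop Users only grants RDP logon while the
        # group still holds the Allow right (true on a default member server).
        RemoteDesktopUsersGranted = ($allowed -contains 'BUILTIN\Remote Desktop Users')
        # Any member of Remote Desktop Users that is also explicitly denied.
        DeniedDespiteMembership   = @($rduMembers | Where-Object { $denied -contains $_ })
    }
}

Get-RdpEffectiveAccess | Format-List
```

Unexpected entries in RemoteDesktopUsersMembers (for example accounts added by hand on the host) indicate that the policy is using the additive "member of" form rather than enforcing an exact member list; a group that appears in both AllowLogOnThroughRDS and DenyLogOnThroughRDS cannot log on, because the deny right takes precedence.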
You can use the Group Policy loopback feature to apply user Group Policy settings that depend only on which computer the user logs on to. This is ideal when users already reside in their own OUs and new OUs have been created for the Terminal Servers/RDSH from which applications and desktops are published. Essentially, user settings are applied because the user logged on to those computer objects, in this case the Terminal Servers/RDSH, rather than because of where the user object sits.
This can be carried out from the Group Policy Management Console (GPMC). Edit the GPO linked to the TS/RDSH OU, navigate to Computer Configuration\Policies\Administrative Templates\System\Group Policy and enable "User Group Policy loopback processing mode" (named "Configure user Group Policy loopback processing mode" on newer Windows Server versions), choosing Merge or Replace. In Merge mode the user's own GPOs are applied first and the user settings of the GPOs linked to the computer's OU are applied afterwards, so they win on conflict; in Replace mode the user's own GPOs are ignored and only the user settings from the GPOs linked to the computer's OU apply.
More information on loopback processing can be found at https://support.microsoft.com/en-us/kb/231287.
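The same configuration can be scripted with the GroupPolicy module. The following is an added example, not code from the Parallels guide: it creates a GPO for the RDSH OU, enables loopback processing in Merge mode by writing the registry-backed policy value the GPMC setting maps to (UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System, 1 = Merge, 2 = Replace), links the GPO to the OU, and reads the value back. The OU distinguished name and GPO name are assumptions.

```powershell
# Added example (not from the Parallels guide): create and link a GPO that
# enables user Group Policy loopback processing (Merge) for the RDSH OU.
# OU path and GPO name are assumptions.
Import-Module GroupPolicy

$RdshOU  = 'OU=RDSH Hosts,OU=Parallels RAS,DC=corp,DC=example,DC=com'   # assumed
$GpoName = 'RAS - RDSH Loopback (Merge)'                                  # assumed

# The GPMC setting "User Group Policy loopback processing mode" is stored as
# UserPolicyMode under the Group Policy system key: 1 = Merge, 2 = Replace.
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackMode = @{ Merge = 1; Replace = 2 }
$ModeNames    = @{ 1 = 'Merge'; 2 = 'Replace' }

function Set-RdshLoopbackGpo {
    param([string]$Name, [string]$TargetOU, [ValidateSet('Merge', 'Replace')][string]$Mode = 'Merge')

    # Create the GPO only if it does not exist (Get-GPO -Name throws if missing).
    $gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $Name }
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment "Loopback ($Mode) for RDSH hosts; added example"
    }

    # Write the loopback mode into the GPO's Computer Configuration.
    Set-GPRegistryValue -Name $Name -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value $LoopbackMode[$Mode] | Out-Null

    # Link once; New-GPLink errors if the link already exists.
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
              Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }

    # Read back what the GPO actually carries.
    $v = Get-GPRegistryValue -Name $Name -Key $LoopbackKey -ValueName 'UserPolicyMode'
    [pscustomobject]@{
        Gpo      = $Name
        Target   = $TargetOU
        Loopback = $ModeNames[[int]$v.Value]
    }
}

Set-RdshLoopbackGpo -Name $GpoName -TargetOU $RdshOU -Mode Merge
```

Because the loopback setting lives in Computer Configuration, it takes effect at the next computer policy refresh on the RDSH hosts (gpupdate /force on a host forces it); gpresult /h on the host then shows which user GPOs were applied through loopback. Use Replace only when the RDSH-specific user settings should completely override the settings the user would otherwise receive from their own OU.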