Provisioning Services – Permissions A’hoy!


In an environment where security is delegated, you may need to know at a granular level just which permissions are needed to accomplish tasks within Provisioning Services. This is often the case when working in larger environments where the vCenter admin may be separate from the AD Team and Citrix Teams. This blog post will explain which permissions are used at various points in the console. The specific list of required permissions vary by task and screen.

Provisioning Services Console – General

First things first – PVS doesn’t have the greatest Role Based Access Control, but it does offer some. You can add administrators to the PVS Farm, the Site, and Devices. The groups you add here will be used for the farm as it relates to PVS itself. You can find more information on these roles in the official documentation. The important takeaway is that you can only add groups – no direct assignments here!

vDisk Administration – Active Directory Password Management

PVS can automate the task of managing the Active Directory Computer Account Password changes. In order to accomplish changing these passwords, the account responsible for running the Stream Service requires the RESET PASSWORD permission in Active Directory for the computer object. It is recommended you apply this at the OU where your target devices reside.

Device Administration – Active Directory

When managing devices, you may from time to time need to manually reset a computer account. This can only be accomplished when a VM is marked as down (so shutdown in advance, or if you’re a daring lad or lass, right click and choose ‘mark as down’). Right click a VM and choose ‘Reset’. All of the functions under this menu, including delete computer account and create computer account require permissions from the account of the user who launched the console. This takes advantage of the integrated Windows Security to access AD, similar to how other MMC’s like Active Directory Users and Computers operate. This means that the user account who launched the console would require reset password, create computer account, or delete computer account. Note: There is information online that states the service account needs create and delete – this is not the case.

XenDesktop Setup Wizard – An amalgamation of awesomeness

One of the criticisms of PVS is that it “is very complex” when compared against MCS. That isn’t something I am here to refute because it isn’t entirely untrue. However, the XenDesktop Setup Wizard makes it fairly easy to provision machines once everything is up and running. With that said, it can be a bit confusing which permissions are needed.

The initial permission required is PVS Site Admin. The SOAP service account user should have “Full Administrator” in XenApp/XenDesktop.

The first screen you are greeted with is connecting to XenDesktop – you will require XenApp / XenDesktop site permissions for this initial step. Immediately following that, you are presented with XenDesktop host resource selection – this screen represents resources you defined under “Hosting” in Citrix Studio. When you are prompted for credentials here, you are being asked for credentials to connect to the resources – aka the vCenter/XenCenter/SCVMM that is defined. You can use the service account if that has permissions or any account that has the mandatory minimum permissions. Finally, if you are opting to use the wizard to create the computer accounts rather than “import”, the user running the console must have permission to create computer accounts in the selected OU.

Provisioning Services Configuration Wizard

Last but not least, the trusty config wizard. The user running the config wizard should have DBCreator and securityadmin at a minimum. Although it will use the logged in user, if you do not have those permissions, it should prompt for a user account that does, in fact, have those permissions. Conventional wisdom for running this wizard has long been to run as the account that will run the stream service, but in the more recent days of 7.x, we’ve found that to be unnecessary as the prompt seems to handle things gracefully.

Leave a Reply