In any secure environment (and in my opinion, in any environment) permissions should be set up for least privilege. When it comes to PVS there is a bit of confusion, as several accounts are used in the process of creating VMs, deleting VMs, and every other operation within the PVS realm. So, the first thing is to define the accounts involved in PVS. The placeholder account names below give context to this article.
- Login Account (log_acct) – account used to login to the VM that has PVS console installed or on the PVS server.
- Console Account (con_acct) – account used to login to the PVS console (in most cases same as log_acct).
- SOAP and Stream service accounts (pvs_svc_acct) – accounts used for running PVS SOAP and Stream services. Can be defined as a Network service account or a domain user account (Service account).
- Hypervisor account (hyp_acct) – account used for PVS-required operations within hypervisor.
Each of these accounts is used in the creation, deletion, and management of the PVS environment. So, let’s look at which account is responsible for which operation.
Login Account (log_acct) must have the following permissions assigned:
- Local Admins for the installation of the PVS server
- SQL Server Roles: dbcreator and securityadmin for the installation and configuration of the SQL database. If these permissions are not achievable, please use the scripts for SQL database creation.
- Join the computer to the domain
- Create Computer Objects
- Delete Computer Objects
NOTE: Reference: Step 12 in the Run the Wizard section of Deploying virtual desktops to VMs using the XenDesktop Setup Wizard (citrix.com) defines the Console Account as the one that creates objects within the defined OU. This is misleading: the SDKs run in the context of the Login Account (the account you logged into the server with), so it is the Login Account that creates the VM computer objects in the OU.
Citrix DaaS integration will ask for the account with the permissions to create VMs within AD.
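The OU delegation described above, as an added example that is not code from the article or from Citrix: it grants the Login Account (log_acct) only Create Computer Objects and Delete Computer Objects on the target OU, then audits the OU so that the service account (pvs_svc_acct) is shown to hold no such right. The domain, OU and account names are placeholders.

```powershell
# Added example, not code from the article: delegate only "Create Computer Objects"
# and "Delete Computer Objects" on the target OU to the login account (log_acct),
# then audit the OU so the service account (pvs_svc_acct) holds no such right.
# All names below are placeholders; replace them with your own.
Import-Module ActiveDirectory

$Ou        = 'OU=PVS-Targets,DC=contoso,DC=com'   # placeholder OU the Setup Wizard targets
$LoginAcct = 'CONTOSO\log_acct'                   # placeholder, matches the article's naming
$SvcAcct   = 'CONTOSO\pvs_svc_acct'               # placeholder, matches the article's naming

# The ACE must be scoped to the "computer" object class, identified by its schemaIDGUID,
# so the account can create/delete computers only, not arbitrary child objects.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = New-Object Guid (,[byte[]]$computerClass.schemaIDGUID)

# Rights mask used both for granting and for auditing.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

function Grant-PvsComputerObjectRights {
    param([string]$OuDn, [string]$Account, [guid]$ObjectClassGuid)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Allow CreateChild/DeleteChild for the computer class on this OU only (no inheritance).
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $createDelete, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectClassGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-PvsOuDelegation {
    # Returns every Allow ACE on the OU that permits creating or deleting child objects.
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]($_.ActiveDirectoryRights -band $createDelete)) -ne 0 } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

Grant-PvsComputerObjectRights -OuDn $Ou -Account $LoginAcct -ObjectClassGuid $computerGuid

$delegations = Get-PvsOuDelegation -OuDn $Ou
$delegations | Format-Table -AutoSize

# Least-privilege check: the service account should not appear in this list at all.
if ($delegations | Where-Object { $_.IdentityReference.Value -eq $SvcAcct }) {
    Write-Warning "$SvcAcct can create or delete objects in $Ou; the service account should not create AD objects."
}
```

Run it from a session that already holds rights to modify the OU's security descriptor. The audit function is the part worth keeping in a scheduled check: if an identity other than the Login Account (or the built-in administrative groups) shows up with CreateChild/DeleteChild on the PVS OU, the delegation has drifted from what this article prescribes.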
Console Account (con_acct) must have the following permissions:
- Required PVS, AD, and Hypervisor permissions for the defined role (Farm, Site, Collection Administrator). Unless you must differentiate between a login account and a console account I would recommend logging into the console with your login account and making sure your login account has the appropriate permissions defined above.
Service Accounts must have the following permissions:
- SQL Permissions:
- db_datareader
- db_datawriter
- File and Share Permissions:
- Full Control
Reference: Configuring for high availability with shared storage (citrix.com)
- Local Admin on the PVS servers (or grant the service account the "Perform volume maintenance tasks" user right under User Rights Assignment in the local security policy, secpol.msc).
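The SQL permissions listed above for the service account, as an added example that is not code from the article or from Citrix: it creates the login and database user for pvs_svc_acct if they are missing, adds exactly db_datareader and db_datawriter on the PVS database, and then reports every database and server role the account actually holds so that any over-privilege is visible. It assumes the SqlServer PowerShell module is installed and that the database already exists; the instance, database and account names are placeholders.

```powershell
# Added example, not code from the article or from Citrix: grant the PVS service
# account (pvs_svc_acct) only db_datareader and db_datawriter on the PVS database,
# then report every role it actually holds so over-privilege is visible.
# Requires the SqlServer PowerShell module; all names are placeholders.
Import-Module SqlServer

$SqlInstance = 'SQL01\PVS'             # placeholder instance
$Database    = 'ProvisioningServices'  # placeholder PVS database name
$SvcAcct     = 'CONTOSO\pvs_svc_acct'  # placeholder, matches the article's naming

function Grant-PvsServiceDbRoles {
    param([string]$Instance, [string]$Db, [string]$Account)
    # Idempotent: create the Windows login and database user only if missing,
    # then add the two roles the article lists.
    $tsql = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_datareader ADD MEMBER [$Account];
ALTER ROLE db_datawriter ADD MEMBER [$Account];
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $tsql
}

function Get-PvsServiceRoleReport {
    # Returns the database roles (in the PVS database) and server roles held by the account.
    param([string]$Instance, [string]$Db, [string]$Account)
    $dbRoles = Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query @"
SELECT r.name AS RoleName
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = N'$Account';
"@
    $srvRoles = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT r.name AS RoleName
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = N'$Account';
"@
    [pscustomobject]@{
        DatabaseRoles = @($dbRoles  | Select-Object -ExpandProperty RoleName)
        ServerRoles   = @($srvRoles | Select-Object -ExpandProperty RoleName)
    }
}

Grant-PvsServiceDbRoles -Instance $SqlInstance -Db $Database -Account $SvcAcct
$report = Get-PvsServiceRoleReport -Instance $SqlInstance -Db $Database -Account $SvcAcct

# Least-privilege check: exactly the two listed database roles, and no server roles.
# dbcreator and securityadmin belong to the install-time Login Account, not to the service account.
$extraDb = $report.DatabaseRoles | Where-Object { $_ -notin 'db_datareader', 'db_datawriter' }
if ($extraDb)            { Write-Warning "Extra database roles: $($extraDb -join ', ')" }
if ($report.ServerRoles) { Write-Warning "Server roles held: $($report.ServerRoles -join ', ')" }
```

The grant part is what a DBA would run once; the report part is the one to re-run periodically, because the most common drift is someone adding the service account to db_owner or sysadmin to "fix" a connectivity problem and never removing it.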
The hypervisor account's permissions depend on the hypervisor or cloud platform in use; it is responsible for VM operations within that platform. The following link defines the permissions for the hypervisor account: Create and manage connections and resources | Citrix Virtual Apps and Desktops 7 2311
So, in conclusion, when it comes to PVS accounts my recommendation would be to use your Login Account as the Console Account, to avoid any issues that may arise when creating or deleting VM computer accounts in AD.
For the service account, make sure that it has access to the database, PVS server, and vDisk store location, and do not use the service account to create objects in the AD.
A hypervisor account should be created with only the permissions the hypervisor or cloud platform requires. If you have more than one location, each location should have its own hypervisor account to limit the blast radius if an account is locked out, deleted, or compromised. Sharing accounts between locations, especially locations intended to provide site resiliency (DR), imperils the availability of the solution.
This has been a quick overview of the accounts required for a Citrix PVS implementation. I hope it provided a bit more insight into the PVS requirements.
-
Zeljko Macanovic
Zeljko is Ferroque’s Chief Architect and a leading expert in Citrix technologies, boasting over three decades of experience with Citrix and Microsoft platforms. His contributions at Citrix include serving on the CCAT board and enhancing Citrix Consulting standards and methodologies.