From the Multiple Hoops dept. The other day I was tasked with setting up a Workspace Manager console on a jumpbox. You know, the typical setup for a client where you VPN into a non-domain-member computer, from where you RDS to the different servers you need to access. The wish is to have the RES WM console running on this box so you don’t have to do Inception-RDS to make a few changes in WM, thus preserving screen real estate. Note: this will of course only work if your jumpbox is allowed to reach the WM database directly. If the jumpbox is firewalled to the hilt and only allows outbound RDS connections, stop reading right here.
Presuming you’re still with us, you might already have installed the WM console on your jumpbox and connected it to the relay server. When you launch it, you’ll get kicked right back out, as the console looks for your local computername\username in the datastore and obviously it’s not there yet, so let’s add it:
The above sounds simple enough, but it appears there are a few steps to go through, which incidentally left me wondering if there was an easier way to do it. I mean, under Applications you can add users manually, but no such luck on Administrative Roles… (hint hint, nudge nudge dear product management ;)
1. Assuming you already have WM running on one or more domain-enabled computers, go to one of these. Presuming it’s a Server 2012 [R2], launch Server Manager, go to the Tools menu and open Computer Management.
2. Go to System Tools | Local Users and Groups | Users and add a local user. The user name and password must be the same as for the jumpbox local user. This account is temporary and can be nuked at the end of the story.
3. Now launch the WM console, go to User Context | Directory Services and choose New from the toolbar.
4. In the dialog, choose Local Computer from the Type dropdown and hit OK. No further changes are necessary. WM now understands that local computer accounts can be used for access control, which also applies to Administrative Roles.
5. Go to Administration | Administrative Roles | <your security role> | Access Control tab | Add button | Users/group.
6. In the Directory Service dropdown, choose Local Computer, then search for and select the username you added in step 2. Be sure the “Limit to this computer only (COMPUTERNAME)” checkbox is NOT checked.
7. If you did the above right, your account will be listed as .\username when you return to the previous dialog.
8. Now it’s time to return to your jumpbox and launch the WM console there. Since your username is now in the WM database it will let you in. In practice you could stop here; however, this would leave the jumpbox username able to launch the WM console from every computer. Let’s just add an ounce more of prevention by locking in the computer name too:
9. On the jumpbox’s WM console, go to Administration | Administrative Roles | <your security role> | Access Control tab.
10. Select your “.\username” and edit it. Repeat step 6, except this time make sure the “Limit to this computer only (COMPUTERNAME)” checkbox IS checked. When you return to the previous dialog, you’ll note that your account is now listed correctly as jumpboxcomputername\username.
11. As the last loose end to tie up, go back to the domain member computer where you created the temporary local user account and delete it.
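Steps 2 and 11 are the only ones outside the WM console, and they are the ones worth scripting: while the temporary account exists, a domain member holds a copy of your jumpbox password, so creating it without the password on the command line and deleting it reliably afterwards matters. The script below is an added example, not part of the original post and not RES’s own tooling. It uses the ADSI WinNT provider (available on Server 2012 R2 without extra modules), takes the account name as a parameter you supply, prompts for the password instead of accepting it as an argument (so it does not land in process-creation audit logs), and removes the account again with -Remove. The description text and the parameter name are my own choices.

```powershell
<#
  Added example (not from the original post, not RES tooling).
  Run on the domain-member WM computer as a local administrator:
    .\Temp-WmLocalUser.ps1 -UserName <jumpbox-local-user>          # step 2
    .\Temp-WmLocalUser.ps1 -UserName <jumpbox-local-user> -Remove  # step 11
  The script file name and -UserName parameter are assumptions of this example.
#>
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [switch]$Remove
)

# Bind to the local SAM through the WinNT provider; no extra modules needed.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

function Get-TempLocalUser {
    param([string]$Name)
    # Enumerate children rather than binding by path, so a missing account
    # yields $null instead of a late COM error.
    $computer.Children | Where-Object {
        $_.SchemaClassName -eq 'user' -and $_.Name -eq $Name
    }
}

if ($Remove) {
    if (Get-TempLocalUser -Name $UserName) {
        $computer.Delete('user', $UserName)
        Write-Host "Removed temporary local account '$UserName' from $env:COMPUTERNAME."
    } else {
        Write-Host "No local account '$UserName' on $env:COMPUTERNAME; nothing to remove."
    }
    return
}

if (Get-TempLocalUser -Name $UserName) {
    throw "Local account '$UserName' already exists on $env:COMPUTERNAME; refusing to overwrite it."
}

# The password must match the jumpbox local user's password (step 2).
# Prompting keeps it out of the command line and out of shell history.
$secure = Read-Host -Prompt "Password for '$UserName' (same as on the jumpbox)" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $user  = $computer.Create('user', $UserName)
    $user.SetPassword($plain)
    # Flag the account so whoever finds it later knows it is disposable.
    $user.Put('Description', 'Temporary: RES WM jumpbox enrolment, delete when done')
    $user.SetInfo()
} finally {
    # Release the decrypted copy as soon as the account is created.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

Write-Host "Created temporary local account '$UserName' on $env:COMPUTERNAME."
Write-Host "Continue with step 3 in the WM console; run again with -Remove when finished."
```

Unlike `net user /add`, an account created this way is not put in the local Users group, which is fine here: the WM console only needs the account to exist in the SAM so it can be picked from the Local Computer directory service. Running the script with -Remove at the end is step 11; it is idempotent, so it is safe to run twice.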