Overview
Regardless of the Active Directory option you choose, CAS will create several objects in the Active Directory domain in order to manage the deployment:
One root-level organizational unit (OU) for storing AD objects created by CAS
Security groups for mapping users to resources (Collection Pools)
Service accounts for performing various Active Directory management functions
Administrator accounts for CAS users with Editor or Owner rights on the deployment
Group Policy Objects (GPOs) that are assigned to the OUs (and sub-OUs) created by CAS; the GPOs control specific features and configurations in the RDS environment
Organizational Units
Active Directory is a hierarchical directory system that allows administrators to create a structure of cascading sub-objects for security and logical organization. The security hierarchy consists of the AD forest, domains, and security groups; the logical hierarchy consists of AD sites, container objects, and groups.
The most common container object type is an organizational unit (OU). OUs allow administrators to arrange objects in a way that resembles the organization's structure in managerial or geographical terms, or by whatever other criteria are necessary.
CAS deploys one organizational unit (OU) in the root of the AD domain and creates a sub-OU structure beneath this OU. The root OU is named based on the deployment code and deployment name in the CAS console and contains computer accounts, security groups, and end-user accounts as provisioned in the CAS console.
NOTE: CAS deployments created before August 2021 may contain an additional root-level OU named Admin Accounts. In new deployments, this OU has been moved underneath the Deployment OU.
Group Policy Objects
In Active Directory, group policy objects (GPOs) are used to define and enforce various settings on computers and user accounts in the domain. GPOs can define security controls, settings for the operating system and supported software, and user experience customizations.
In each deployment, CAS creates a set of GPOs that define various settings for the RDS environment; these GPOs are assigned only to the OUs and sub-OUs created by CAS and only affect the resources created by CAS. When certain settings are configured in CAS, CAS may link or unlink GPOs to the appropriate OU to enforce those settings on the resources in the deployment.
You can create additional GPOs in your Active Directory environment to enforce certain settings in the RDS environment as long as the settings do not interfere with RDS functionality. For example, certain GPOs that enforce very strict security parameters may disrupt CAS management connectivity or end-user authentication. Any manual changes to the RDS environment should be performed in a controlled manner, with each individual change being fully tested before being applied to the production environment.
It is not supported to manually edit the GPOs created by CAS; while it may be possible to do so, CAS is unaware of any modifications and this may result in unintended consequences when CAS links or unlinks GPOs as part of regular administration.
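Because CAS links and unlinks its own GPOs on the Deployment OU tree, an administrator needs a way to see which links exist at any moment and to notice links or edits that CAS did not make. The script below is an added example (not itopia's code) that walks the root OU and every sub-OU created by CAS and lists each linked GPO; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the OU name is a placeholder to be replaced with the one shown in the CAS console.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Placeholder: the root OU name CAS derives from the deployment code and name
$DeploymentOuName = 'XYZ-Deployment-Name'

$domainDn = (Get-ADDomain).DistinguishedName
$rootOu = Get-ADOrganizationalUnit -Filter "Name -eq '$DeploymentOuName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $rootOu) { throw "Deployment OU '$DeploymentOuName' not found at the root of $domainDn" }

# Subtree scope returns the root OU itself plus every OU beneath it
$ouTree = Get-ADOrganizationalUnit -Filter * -SearchBase $rootOu.DistinguishedName -SearchScope Subtree

$report = foreach ($ou in $ouTree) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    foreach ($link in $inh.GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            OU                 = $ou.DistinguishedName
            GPO                = $link.DisplayName
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
            Order              = $link.Order
            GpoLastModified    = $gpo.ModificationTime   # a recent change on a CAS GPO points at a manual edit
            InheritanceBlocked = $inh.GpoInheritanceBlocked
        }
    }
}

$report | Sort-Object OU, Order | Format-Table -AutoSize

# Keep the first run as a baseline so later runs can be compared against it
# $report | Export-Csv -NoTypeInformation .\cas-gpo-links-baseline.csv
```

Links that CAS adds or removes as a result of console settings will show up as differences against the baseline, which is expected; GPOs with a modification time later than the last CAS-driven change are the ones worth investigating.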
Service Accounts
When creating and managing an RDS deployment, itopia CAS provisions a set of service accounts within the AD domain. These accounts are used to perform various administrative functions within the operating system (OS), AD domain, and the RDS environment. These accounts, referred to as itoadmin accounts, are created in the default “Users” container of the Active Directory (AD) domain in each CAS deployment.
The service accounts are programmatically generated and used by the itopia Proxy Execution Service (PES) using the unique deployment key stored in Google Cloud KMS (see this section for more details). The accounts' credentials are encrypted and periodically rotated in accordance with itopia's Key Vault design.
Service Account Details
In any CAS deployment regardless of the domain type, CAS creates 6 (six) service accounts which are granted scoped permissions and are used to perform various administrative functions. These accounts differ slightly in deployments that use Managed Microsoft AD due to the modified structure of built-in permissions in those environments.
The table below provides the function and privileges of each itoadmin service account.
| Name | Function | AD DS Privileges | Managed Microsoft AD Privileges |
|---|---|---|---|
| itoadmin | This account is used to create the deployment and the subsequent itoadmin accounts that are used for automation and orchestration from the point they are created. Before the deployment process is completed this account is disabled and not used again by CAS. Once the deployment is created, customers can delete it from AD if they choose to. | Membership in the Domain Admins group | Not Used |
| miadmin | Created by default by the Google Managed AD service. This account is used to create all the other itoadmin accounts and configure the Bastion VM. This account is built into Managed Microsoft AD and cannot be deleted. | Not Used | Membership in the Cloud Service Administrators group |
| itoadmin01 | RDS administration tasks: creating and managing RDS Collections, configuring the RD Broker, adding RD Session Hosts and controlling autoscale functions. | Membership in the local Administrators group on all RDS servers (RD Broker, RD Gateway, RD Session Host, RD Web Access) | Membership in the local Administrators group on all RDS servers (RD Broker, RD Gateway, RD Session Host, RD Web Access) |
| itoadmin02 | AD object administration: creation, management, and deletion of user and group objects as well as linking GPOs. | Delegated read/write permissions to the Deployment OU (e.g. OU=XYZ-Deployment-Name,DC=contoso,DC=com) | Membership in the Cloud Service Administrators group |
| itoadmin03 | Domain-related functions: joining and unjoining servers, creating GPOs. | Membership in the Domain Admins group | Membership in the Cloud Service Administrators group |
| itoadmin04 | AD Site topology management. | Membership in the Enterprise Admins group | Membership in the Cloud Service Administrators group |
| itoadmin05 | Performs most tasks related to server-level management: restarting servers, managing file shares, health and configuration checks, configuring Windows Roles and Features. | Membership in the local Administrators group on all member servers (RDS servers, file servers, application servers created/imported in CAS) | Membership in the local Administrators group on all member servers (RDS servers, file servers, application servers created/imported in CAS) |
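The table documents which domain-level groups each itoadmin account should hold, and that the initial itoadmin account is disabled once deployment completes. The script below is an added example (not itopia's code) that reads the accounts from the default Users container and reports any deviation from that documented state for an AD DS deployment; it assumes the RSAT ActiveDirectory module, and it cannot see local Administrators membership on the servers, which is checked on the servers themselves.

```powershell
Import-Module ActiveDirectory

$usersContainer = "CN=Users,$((Get-ADDomain).DistinguishedName)"

# Expected domain-level state per account, taken from the AD DS column of the table
$expected = @{
    'itoadmin'   = @{ Enabled = $false; Groups = @('Domain Admins') }    # disabled after deployment; may be deleted
    'itoadmin01' = @{ Enabled = $true;  Groups = @() }                   # local Administrators on RDS servers only
    'itoadmin02' = @{ Enabled = $true;  Groups = @() }                   # delegated rights on the Deployment OU only
    'itoadmin03' = @{ Enabled = $true;  Groups = @('Domain Admins') }
    'itoadmin04' = @{ Enabled = $true;  Groups = @('Enterprise Admins') }
    'itoadmin05' = @{ Enabled = $true;  Groups = @() }                   # local Administrators on member servers only
}
# Built-in groups whose membership is a finding unless the table documents it
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($name in ($expected.Keys | Sort-Object)) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -SearchBase $usersContainer -Properties Enabled, MemberOf
    if (-not $user) {
        # The table allows customers to delete itoadmin; every other account must exist
        if ($name -ne 'itoadmin') { [pscustomobject]@{ Account = $name; Issue = 'not found in CN=Users' } }
        continue
    }
    # Resolve direct group memberships to names and keep only the privileged built-ins
    $held       = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } | Where-Object { $privileged -contains $_ })
    $unexpected = @($held | Where-Object { $expected[$name].Groups -notcontains $_ })
    $missing    = @($expected[$name].Groups | Where-Object { $held -notcontains $_ })

    if ($user.Enabled -ne $expected[$name].Enabled) {
        [pscustomobject]@{ Account = $name; Issue = "Enabled is $($user.Enabled), expected $($expected[$name].Enabled)" }
    }
    foreach ($g in $unexpected) { [pscustomobject]@{ Account = $name; Issue = "unexpected privileged group: $g" } }
    # A disabled itoadmin that was removed from Domain Admins is fine; only active accounts must hold their groups
    if ($user.Enabled) {
        foreach ($g in $missing) { [pscustomobject]@{ Account = $name; Issue = "documented group not held: $g" } }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'All itoadmin accounts match the documented privileges.' }
```

Only direct memberships are evaluated; an account that reaches Domain Admins through a nested group would need Get-ADPrincipalGroupMembership or a recursive lookup to be caught.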