Overview
itopia uses privileged service accounts for all of the management tasks performed by the CAS automation service. These accounts, referred to as the itoadmin accounts, are created in the “Users” container of the Active Directory (AD) domain in each CAS deployment.
NOTE: Additional administrative accounts are also created for administrators of the CAS deployment, and are created in the Admin Accounts/Level 2 OU. Any admin that is added to CAS and granted Editor rights (or higher) to the deployment will have a Domain Admins account created in the deployment.
itopia Service Accounts
In order to create and manage a Remote Desktop Services (RDS) deployment, the itopia CAS provisions several service accounts within the Active Directory domain; these accounts are used to perform various administrative functions within the operating system, Active Directory, and the RDS environment.
The service accounts are programmatically generated and used by the itopia Proxy Execution Service (PES) using the unique deployment key stored in Google Cloud KMS. The accounts' credentials are encrypted and periodically rotated in accordance with itopia's Key Vault design.
Account Permissions
In a standard Active Directory environment (configured as either a "new domain" or "existing domain" in the RDS Deployment wizard), CAS creates a standard set of 6 (six) service accounts, which are granted specified permissions and used to perform specific tasks.
Below is a list of the itoadmin accounts and the group each must belong to for CAS to function correctly.
itoadmin01 Group: Administrators
itoadmin02 Group: Delegated
itoadmin03 Group: Domain Admins
itoadmin04 Group: Enterprise Admins
itoadmin05 Group: Administrators
itoadmin06 Group: Collections
Password Policy
itopia protects the security of these service accounts by automatically generating a strong, secure password every 90 days. Passwords are stored using unique encryption keys for each deployment.
itoadmin
Account Function:
This account is used to perform the initial creation of the deployment and the creation of the remaining itoadmin accounts. Once a deployment is created, this account is disabled by CAS. For extra security, customers can delete this account if they desire.
Privileges:
Membership in the Domain Admins group
Membership in the Enterprise Admins group
itoadmin01
Account Function:
RDS administration tasks: creating and managing RDS Collections, configuring the RD Broker, adding RD Session Hosts, and controlling autoscale functions.
Privileges:
Membership in the local Administrators group on all RDS servers (RD Broker, RD Gateway, RD Session Host, RD Web Access)
itoadmin02
Account Function:
AD object administration. Creation, management, and deletion of user and group objects as well as linking GPOs.
Privileges:
Delegated read/write permissions on the CAS deployment OU only (e.g. OU=XYZ-Company,DC=company,DC=local); this account holds no domain-wide group membership.
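Because itoadmin02's rights are an OU-level delegation rather than a group membership, they do not show up in a group audit; they have to be read from the OU's security descriptor. The following PowerShell snippet is an added example (not itopia's code) that dumps the access control entries granted to itoadmin02 on the deployment OU and resolves the schema GUIDs in each ACE to readable class/attribute names. The OU distinguished name is the placeholder from the example above and the account name format DOMAIN\itoadmin02 is assumed; it requires the ActiveDirectory RSAT module, which provides the AD: drive used by Get-Acl.

```powershell
# Added example: inspect the delegation granted to itoadmin02 on the deployment OU.
# Assumptions: the OU DN below is a placeholder taken from the page, the
# account is named itoadmin02 in this domain, and RSAT's ActiveDirectory
# module is installed (it registers the AD: PSDrive that Get-Acl reads).
Import-Module ActiveDirectory

$deploymentOU = 'OU=XYZ-Company,DC=company,DC=local'   # substitute your deployment OU
$account      = 'itoadmin02'

# Build a schemaIDGUID -> lDAPDisplayName map so ObjectType / InheritedObjectType
# GUIDs in the ACEs read as "user", "group", "member" etc. instead of raw GUIDs.
# (Extended-right GUIDs live under the Extended-Rights container and are not
# resolved here; they will print as GUIDs.)
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-SchemaGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return '(all)' }          # empty GUID = applies to everything
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

# Read the OU's DACL and keep only ACEs whose trustee is itoadmin02.
$acl = Get-Acl -Path "AD:\$deploymentOU"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$account" } |
    Select-Object IdentityReference,
                  AccessControlType,
                  ActiveDirectoryRights,
                  InheritanceType,
                  @{ n = 'AppliesTo';    e = { Resolve-SchemaGuid $_.InheritedObjectType } },
                  @{ n = 'ObjectType';   e = { Resolve-SchemaGuid $_.ObjectType } },
                  IsInherited |
    Format-Table -AutoSize

# Scope check: the delegation should exist only on the deployment OU. An ACE for
# the same account at the domain root would mean the delegation was applied too high.
$rootDN = (Get-ADDomain).DistinguishedName
$atRoot = (Get-Acl -Path "AD:\$rootDN").Access |
    Where-Object { $_.IdentityReference -like "*\$account" -and -not $_.IsInherited }
if ($atRoot) { Write-Warning "$account has explicit ACEs on $rootDN; delegation is wider than the deployment OU" }
```

Rights you would expect to see for this account are create/delete child objects of class user and group, and write-property on those objects, scoped with an inheritance type of Descendents; GenericAll on the OU, or any non-inherited ACE at the domain root, is broader than the page describes and worth raising with whoever deployed it.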
itoadmin03
Account Function:
Domain-related functions: joining servers to and removing them from the domain, and creating GPOs and linking them to or unlinking them from the deployment OU.
Privileges:
Membership in the Domain Admins group
itoadmin04
Account Function:
AD Site topology management: Creating and configuring AD sites for each region of the CAS deployment.
Privileges:
Membership in the Enterprise Admins group
itoadmin05
Account Function:
Performs most tasks related to server-level management: restarting servers, managing file shares, running health and configuration checks, and installing and configuring Windows roles and features.
Privileges:
Membership in the local Administrators group on all member servers (RDS servers, file servers, application servers)
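The group memberships, the disabled bootstrap account and the 90-day rotation described above are all verifiable from the domain, so an operator can confirm that a deployment still matches this page rather than trusting it. The PowerShell script below is an added example, not part of itopia's tooling: it transcribes the documented domain-level memberships into an expected map, flags any account that holds extra or missing groups, checks that itoadmin is disabled and the others enabled, checks password age against the 90-day policy, and then queries the local Administrators group on a list of member servers for itoadmin01 and itoadmin05. The server names are assumed placeholders, the English built-in group names are assumed (they are localized on non-English domain controllers), and the ActiveDirectory RSAT module plus PowerShell remoting to the servers are required.

```powershell
# Added example: audit the itoadmin accounts against the memberships and policy
# documented on this page. Not itopia's code. Assumptions: English group names,
# account names exactly as listed, RSAT ActiveDirectory module installed, and
# WinRM access to the member servers named in $servers (placeholders).
Import-Module ActiveDirectory

# Expected DOMAIN group memberships per account. Local Administrators on servers
# (itoadmin01, itoadmin05) is not an AD group membership and is checked separately.
$expected = @{
    'itoadmin'   = @('Domain Admins', 'Enterprise Admins')   # bootstrap account, must be disabled
    'itoadmin01' = @()                                       # local Administrators on RDS servers only
    'itoadmin02' = @()                                       # OU delegation only, no domain groups
    'itoadmin03' = @('Domain Admins')
    'itoadmin04' = @('Enterprise Admins')
    'itoadmin05' = @()                                       # local Administrators on member servers only
}
$highPrivilege   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
$maxPasswordDays = 90                                        # rotation interval stated in the Password Policy section
$findings        = @()

foreach ($sam in ($expected.Keys | Sort-Object)) {
    $u = Get-ADUser -Identity $sam -Properties MemberOf, PasswordLastSet, Enabled -ErrorAction SilentlyContinue
    if (-not $u) { $findings += "$sam : account not found"; continue }

    # MemberOf holds group DNs (direct memberships only; the primary group is not listed).
    $groups  = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $extra   = @($groups | Where-Object { $_ -notin $expected[$sam] })
    $missing = @($expected[$sam] | Where-Object { $_ -notin $groups })

    foreach ($g in $extra) {
        $sev = if ($g -in $highPrivilege) { 'HIGH' } else { 'INFO' }
        $findings += "$sam : [$sev] unexpected membership in '$g'"
    }
    foreach ($g in $missing) { $findings += "$sam : missing documented membership in '$g'" }

    # Enabled state: the bootstrap account is disabled after deployment; the rest stay active.
    $shouldBeEnabled = ($sam -ne 'itoadmin')
    if ($u.Enabled -ne $shouldBeEnabled) {
        $findings += "$sam : Enabled=$($u.Enabled), expected $shouldBeEnabled"
    }

    # Password age against the 90-day rotation. PasswordLastSet is $null if it was never set.
    if ($null -eq $u.PasswordLastSet) {
        $findings += "$sam : PasswordLastSet is empty"
    } else {
        $ageDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays
        if ($ageDays -gt $maxPasswordDays) { $findings += "$sam : password is $ageDays days old (> $maxPasswordDays)" }
    }
}

# Local Administrators on member servers: expected for itoadmin01 (RDS servers) and
# itoadmin05 (all member servers); any other itoadmin account here is unexpected.
$servers = @('RDBROKER01', 'RDSH01', 'FS01')                 # placeholder host names
$localAdmins = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -like '*\itoadmin*' } |
        ForEach-Object { [pscustomobject]@{ Server = $env:COMPUTERNAME; Member = $_.Name } }
}
foreach ($m in $localAdmins) {
    $name = ($m.Member -split '\\')[-1]
    if ($name -notin @('itoadmin01', 'itoadmin05')) {
        $findings += "$($m.Server) : [HIGH] $($m.Member) is in local Administrators but is not documented to be"
    }
}

if ($findings.Count -eq 0) { 'No deviations from documented itoadmin privileges found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it as an account that can read group membership and remote into the servers; it is read-only. A finding marked HIGH (for example itoadmin01 or itoadmin05 appearing in Domain Admins, or an undocumented itoadmin account in a server's local Administrators) means an account has more reach than this page grants it and should be investigated as a possible misconfiguration or compromise.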