Skip to main content
Service Accounts Used by itopia CAS

Learn how CAS securely leverages elevated privileges in your deployment.

Craig Medland avatar
Written by Craig Medland
Updated over a week ago


itopia uses privileged service accounts for all of the management tasks performed by the CAS automation service. These accounts, referred to as the itoadmin accounts, are created in the “Users” container of the Active Directory (AD) domain in each CAS deployment.

NOTE:  Additional administrative accounts are also created for administrators of the CAS deployment, and are created in the Admin Accounts/Level 2 OU. Any admin that is added to CAS and granted Editor rights (or higher) to the deployment will have a Domain Admins account created in the deployment.

itopia Service Accounts

In order to create and manage a Remote Desktop Services (RDS) deployment, the itopia CAS provisions several service accounts within the Active Directory domain; these accounts are used to perform various administrative functions within the operating system, Active Directory, and the RDS environment. 

The service accounts are programmatically generated and used by the itopia Proxy Execution Service (PES) using the unique deployment key stored in Google Cloud KMS. The accounts' credentials are encrypted and periodically rotated in accordance with itopia's Key Vault design.

Account Permissions

In a standard Active Directory environment (configured as either a "new domain" or "existing domain" in the RDS Deployment wizard), CAS creates a standard set of 6 (six) service accounts, which are granted specified permissions and used to perform specific tasks.

Below is a list of the Itoadmin accounts with the corresponding groups that they need to belong to in order to ensure proper CAS functionality.

itoadmin01 Group: Administrators

itoadmin02 Group: Delegated

itoadmin03 Group: Domain Admins

itoadmin04 Group: Enterprise Admins

itoadmin05 Group: Administrators

itoadmin06 Group: Collections

Password Policy

itopia protects the security of these service accounts by automatically generating a strong, secure password every 90 days. Passwords are stored using unique encryption keys for each deployment.


Account Function:

  • This account is used to perform the initial creation of the deployment and the creation of the remaining itoadmin accounts. Once a deployment is created, this account is disabled by CAS. For extra security, customers can delete this account if they desire.


  • Membership in the Domain Admins group

  • Membership in the Enterprise Admins group


Account Function:

  • RDS administration tasks: creating and managing RDS Collections, configuring the RD Broker, adding RD Session Hosts, and controlling autoscale functions.


  • Membership in the local Administrators group on all RDS servers (RD Broker, RD Gateway, RD Session Host, RD Web Access)


Account Function:

  • AD object administration. Creation, management, and deletion of user and group objects as well as linking GPOs.


  • Delegated read/write permissions to the CAS Deployment OU (e.g. OU=XYZ-Company,DC=company,DC=local)


Account Function:

  • Domain-related functions: joining and unjoining servers, creating GPOs and linking/unlinking them from the deployment OU


  • Membership in the Domain Admins group


Account Function:

  • AD Site topology management: Creating and configuring AD sites for each region of the CAS deployment.


  • Membership in the Enterprise Admins Group


Account Function:

  • Performs most tasks related to server-level management: Restarting servers, managing file shares, health and configuration checks, configuring Windows Roles, and Features.


  • Membership in the local Administrators group on all member servers (RDS servers, file servers, application servers)

Related Articles

Did this answer your question?