Nerdio Fundamentals: Users

June 12, 2019

Joseph Landes
In this session, we’re going to talk about how to manage users in Nerdio for Azure. This is certainly one of the richest and most important topics as users form the basis of so much that happens when interacting with Nerdio for Azure. You’ll learn how to add a new user, edit a current user, and much more. Enjoy the session.

Vadim Vladimirskiy
Let’s move on to users. All right so a lot of things happen on the user screen or in the Users module as we call it. You can see that’s the very top module in the product which means it gets used most commonly. You have your timestamp and the refresh button, which again indicates that this is a cached list. So always be mindful of that. If the list gets out of date, like if it gets old, I think after maybe 24 hours, I don’t forget, I don’t remember the exact time frame, but there is a certain amount of time frame when we mark this as stale in which case this will turn red. So if you come into a screen and this is red, something is not right, either the domain controller is inaccessible or something is unable to refresh the list. So a red timestamp is an alert that you need to investigate.

Vadim Vladimirskiy
Okay, then the next thing I want to show you before we dig into the actions is this little settings here, up here on the top right, and what this does is it lets you filter the view of this list. Okay, this is a nonpersistent setting, which means you click on it and then any changes that you make, you want to make a change. But by default all of these are turned off, meaning any users who are disabled will not be visible, any users who are archived, any users who … and then, so archived and disabled users is if you want to show those in addition to the active users. The last two filters are if you want to show only admin users, or only people with desktops assigned.

Vadim Vladimirskiy
So we’ll go through what that means exactly in a bit, but just so you know if you’re not seeing somebody then you want to make sure that your filters are set correctly. Like if they’re a disabled or an archived user, you should not see them on the default list, you’d have to enable that.

Vadim Vladimirskiy
So let’s go ahead and turn on disabled, turn on archive, and boom we have a user named Sally Sales, she has a little icon right here that says she’s archived, it’s a different color, and that’s why she popped up on the list just now, and her actions are a little bit different than what you see for other users. Okay, so be aware of this filter right there.

Vadim Vladimirskiy
Okay, let’s look at editing or adding a new user. So to edit the user just click on the name or select edit from the screen. And the edit user screen and add user screen are pretty much the same. So let’s go ahead and add a new user and go through this in detail.

Vadim Vladimirskiy
So some of the things are pretty obvious, you know, there’s first name, last name, there’s email address, which is gonna be the primary. And then remember this is the default domain that I was referring to earlier. You look at the dropdown you’ll see our other email domain that’s available. Okay, so we can select either one. A mobile phone number here is just what it sounds, it goes into the mobile phone number field in Active Directory, and by default or if someone has turned on Windows two-factor authentication, then this phone number will be used for SMS pass codes to be delivered to and will be enforced under desktop login specifically. Okay, so we’re going to … we’re gonna have that number there.

Vadim Vladimirskiy
Okay, the next thing is the user name. We spoke about this yesterday, but by default every public email address is also a UPN and the local domain. So it’s this check box, this check, which it is by default, is going to match the two, makes things really easy and simple. But it doesn’t have to be the case, there are some situations where you may want to have an email address that doesn’t necessarily match the user name in Active Directory. In which case you can come in and look at that. We now only have these two public domains, which are visible under email, but we also have this internal domain which is not visible under email, right. So you can have a situation where you have a user that’s got an internal login and the email address that are not the same.

Vadim Vladimirskiy
The next thing is Office 365, this refreshes along with the AD cache that gets refreshed on a regular basis, it pulls in all the Office 365 licenses. And by … it will list anything that’s a supported license right here, allowing you to select and assign it. If you mouse over a particular SKU of Office 365 it will tell you how many have been purchased and how many have been assigned. If you don’t have any available, which is obviously the difference between purchased and the assigned, this will be grayed out. In this case we have two available so we could select it.

Vadim Vladimirskiy
Now a word on the Office 365 licenses, Office 365 licenses come in two flavors in the NAP. They could be supported or unsupported. And what we mean by supported is a license that can actually be assigned by the NAP. For instance, anything that could be like, let’s say an E3 or E5, or Exchange Online Plan 1, those types of licenses can actually be managed in the NAP. As opposed to some licenses that we call unsupported are ones that you can see them, meaning you can see that they’re assigned, but you cannot actually assign or unassign them. So for example we have this NDAT admin, he’s got enterprise E3 assigned as a license, and then there’s a little more button. We click on more we’ll see that there’s another SKU that’s assigned to Andy, which is visor client or whatever this is, the visor plan one, I believe. But you can only view that it’s assigned, you cannot unassign it or assign it to someone else. Okay, so that’s what an unsupported license is all about.

Vadim Vladimirskiy
Okay, so let’s keep going through this. We’re adding a new user, phone number if needed, domain selection if we want, user name if preferred, Office 365. You can also add additional email aliases. What happens here is that these again, you have the option of which domain to use. And what’s gonna happen when this job is submitted, it’s going to add these email addresses under the proxy addresses in the Active Directory object. And then when it syncs with Office 365 Azure AD, it’s going to make that an alias for that particular user. So really easy to add additional aliases, as many as you want.

Vadim Vladimirskiy
Then the next section is user permissions. Okay, there are two configurable options here. One is, what are the permissions for the user for the NAP? What happens when the user logs into ap.nerdio.net or the white label you URL, which is something that adminportal.probe. When they go to that URL and they type in their credentials, so you know jsmith@test50009.nerdio.net and their password, what are they gonna see? So if this check box is not checked, what they will get is a user portal, and we’ll look at that in a little bit. And on the user portal they have very limited options, they can download an RDP file, they can reset their session, but they cannot do any management of anyone’s account other than their own.

Vadim Vladimirskiy
If you check the box then you basically designate them as an administrator and you’re giving them two options. You can either make them an IT admin, which will give them access to all of these options, so when they log in with their credentials they’ll see everything here. Or you can make them a tier one support, which will give them everything up until servers but nothing below that point. Okay, so that’s what this check box is for.

Vadim Vladimirskiy
This check box is for granting the user admin rights on all the desktops. Okay, again, assuming that the configuration hasn’t been messed with, assuming that all the security groups are intact. The way we provision things out of box is there is a desktop admins domain group, that domain group is a member of the administrators group on each desktop resource, whether it’s a VDI machine or an RDS session host. And by checking this box we’re dropping this AD user object into that security group which then becomes a local administrator of all of the various desktops that are in play. So checking this box will make the user a local administrator of desktops.

Vadim Vladimirskiy
There is another check box that actually used to be here to grant user domain admin rights. We’ve decided to hide it. I’m gonna show you where it is so you know, it’s under extended attributes all the way on the bottom. There is a check box that says, grant domain admin rights. If you check it it’s gonna give you a little warning, but what this will do is it will actually add the user to the domain admins security group in AD making them a domain administrator. Okay, which has obvious repercussions and different things which is why we decided to hide it a little bit.

Vadim Vladimirskiy
Okay, then we get down to the desktop section. So the desktop section has three selections. None is obvious, okay, if you have none selected the user doesn’t consume a license of Nerdio. If you have a VDI selected, that’s also pretty straightforward. You have a selection of desktop sizes that are sort of curated by us for the customer, for the partner, kind of the most common one. You won’t see every single instance here, only the ones that are likely to be desktops. And there’s a little validation going on, you’ll see some of these are grayed out because of insufficient core quotas, etc. But you can go ahead and you can change the instance size if you want it, and set it to whatever that user needs and always come back and change it later.

Vadim Vladimirskiy
Then there is a disk size. If you recall from our storage sessions, we have three types of storage. We have premium SSD, standard SSD and standard HDD, you can select any one of those as a disk. And then if on-ramp regions are enabled, which is gonna be a whole separate section we’ll talk about in the future, you can decide what Azure region to place this specific desktop into. By default it’s gonna go into the primary region, which for this account is South Central US. There is also an East US 2 on-ramp region that’s been added, and you can actually check the box and select that region. And when the desktop VM gets created it’s gonna be created in the East US region, it’s gonna be connected across a VPN to the rest of the environment so the user can have it closer to where they are.

Vadim Vladimirskiy
Okay, that’s VDI. RDS, this comes from … this shows you a list of available desktop resources. There are two classes of resources, either individual session hosts, which are cloned from RDSHR1, which is the first one that we started with. And then there is also RDS collections, which is a collection of RDS session hosts that you can assign a user to. So you can select a resource to assign the user to and it will tell you what region that resource happens to be in, if on-ramp regions are enabled.

Vadim Vladimirskiy
Okay, the next section is more customizing the security rights and group membership for a user. This is a handy little box where you can type in a name of an existing user or maybe a template that you’ve set up that may be sitting disabled. So for instance we have a template called New User Template, you click on it, it will pre-populate any groups that that template is a member of. Or let’s say we have a user that’s in accounting, we can select accounting, it will pre-populate all the user groups. The way this selection list works is you’re familiar with, it’s one of these things where you start typing and it matches it and then you can just add groups really easily and quickly like this.

Vadim Vladimirskiy
Okay, let’s expand … oh, when you do copy from, it doesn’t only copy the Active Directory groups, but it also copies certain parameters here. Like for example login script, if there is work number or website or street address, any of those fields that are filled out, it’s going to copy certain ones of these that … the ones that make sense. Obviously the display name will not be copied.

Vadim Vladimirskiy
A quick word on display names, so you see this is basically first name, last name. As we change it, it should be changing it here, but sometimes you may want to override it. So let’s say the display name of John Smith, maybe you just want it to be one word or whatever it is. Sometimes if you want to customize a display name, you don’t want it to match your first and last name, you can come in and change it here. Unlike in Active Directory Users and Computers where you actually have to click on the name, change the display name and then they prompt you, hey do you want to change first name, last name? Here, first name, last name shows up as the primary thing, and you have to go under extended attributes to change a display name.

Vadim Vladimirskiy
Login script, I think it’s pretty self-explanatory, we covered this organizational unit dropdown. So any OUs that reside within active users, maybe you configured it with custom GPOs, etc. would be available here. So you can go in and select a location for this object that we are currently creating.

Vadim Vladimirskiy
Okay, then X500, we’re not covering it, it’s more for kind of Exchange migration situations, etc. Then we have some boxes down here, we already spoke about grant domain admin rights, so you can check that or uncheck it if you want. There is a password never expires, which is checked right now because I’m copying from Angie accounting and I guess she had password never expires enabled. There’s also user cannot change password that can be enabled if we want. There is this validation we spoke about earlier where it will validate that the user name and email address you’re adding does not conflict with something that already exists in Azure AD. If it’s not in Azure AD but it’s in the Nerdio AD, it’s going to be able to detect that right away. But if it’s in Azure AD it actually has to go into Azure AD and run the validation. So this box is checked by default. And if it’s there, if it conflicts you’re gonna get an error. If you want to override that validation you just have to uncheck the box. And then there’s also an option to hide the user from the global address list.

Vadim Vladimirskiy
And then finally there is an email, optional email section where if you’re adding a new user and you want to email them instructions on what to do next, you put in their personal email address, they get an email that could be white labeled for a particular partner that looks like this with some links, with an attached RDP file and with their user name, password and server settings. Although, because there is an RDP file, this is more just for their record rather than anything they have to configure because there’s an RDP file attached.

Vadim Vladimirskiy
Now if we don’t have a desktop assigned, you’ll notice that the optional email option is grayed out, there’s nothing to send them because there’s really no desktop for them to log in to.

Vadim Vladimirskiy
Okay, so that is adding a new user. When you edit a user the options are largely the same, they’re pretty similar, here you can see. A couple of things to point out, there are some additional things you can do under extended attributes. You still have your domain admin rights, your validations [inaudible 00:16:57]. You also can disable [inaudible 00:17:00] and ActiveSync, for whatever reason that was necessary. And if Office 365 MFA is enabled you have the option to now come in and enable it for the user from this screen. We’ll deal with MFA in a bit as well. So I’m gonna skip that for now.

Vadim Vladimirskiy
Let’s look at a couple of additional things and then we’ll leave the rest for the next session. So enabling a user is as easy as selecting this dropdown. Right so selecting it, sorry disabling a user. Selecting disable and click and confirm will disable that user in Active Directory and because we’re using domain federation, then all sign-ins stop right away. If we’re not using domain federation, if the domain is managed, then at the next synchronization the user in Azure AD in Office 365 will be marked as blocked. Right, so a disabled user in AD translates to a blocked user in Azure AD.

Vadim Vladimirskiy
There is also, I mentioned this yesterday but I’ll repeat it, there’s a little lock next to each user’s name. If it’s gray and unlocked that means the user is unlocked, if it’s red and locked obviously it means it’s locked. You can click on it, even if it’s unlocked, because maybe it’s a list that hasn’t been refreshed or whatever, there may be some reason to force an unlock. So clicking on this brings up this box and we can click okay and that’s going to go through and unlock that user.

Vadim Vladimirskiy
Now, note that I’m currently disabling this user. So given the fact that I have disabled users turned off, I am going to not … I’m not gonna see Andy once this process is done, it’s gonna be hidden from the list. Although when I want to enable him, I’m gonna go and show disabled users and then use the same method for enabling him.

Vadim Vladimirskiy
Now let’s do this, let’s select users who are admins only. So when we do that what you’ll see is Chad’s CEO popped up. The reason he popped up is because he has this little icon that’s kind of inverted from what you’ve seen for the other users. And if we click on Chad’s CEO you’ll notice that Chad’s CEO is an account IT admin with this box checked. So sometimes as an administrator you want to know, okay, well who’s got NAP admin rights, and this little filter helps you filter down just to those users. And then sometimes you also want to see just the users that have desktops. You may have a thousand users and only 10 of them have desktops, so you check this box and it will hide everyone else. In this case all three of these users have a desktop assigned, which is why we are still seeing all of them on the screen.
