Home Blog Amazon WorkSpaces - Administration

4sysops - The online community for SysAdmins and DevOps

Amazon WorkSpaces - Administration

    , ,   1
In today’s post of my WorkSpaces series, I will show you what administration tasks await you if your organization decides to run a VDI in Amazon’s cloud.
Latest posts by Michael Pietroforte (see all)
Contents of this article

Administrator rights ^

By default, a WorkSpaces user is a local administrator and a domain admin. However, you can change this default setting. In my test, a WorkSpace worked fine with standard user rights. However, if you remove the WorkSpaces user from all administrator groups, you can no longer log on with administrator rights.

WorkSpace user is administrator by default

WorkSpace user is administrator by default

I wasn’t able to log on with a domain admin I created in the WorkSpaces Active Directory. You also can’t log on as a local administrator. Thus, if you have to perform administration tasks on a WorkSpace, you have to add the WorkSpaces user to the domain admin group again and then log on with the user’s account.

Active Directory ^

You can’t RDP to the domain controllers that provide the WorkSpaces Active Directory. However, it is possible to manage Active Directory with the standard Windows administration tools. You either use a dedicated WorkSpaces machine for your administration tasks or you install your admin tools on an EC2 Windows server for this purpose. I will explain in a separate post how you can join an EC2 Windows server to a WorkSpaces Active Directory domain.

WorkSpaces Active Directory domain controllers

WorkSpaces Active Directory domain controllers

You can essentially do everything in the WorkSpaces AD as in your on-prem AD domain. You have access to Group Policy, you can install WSUS for patch management, and you can also install third-party management tools for software deployment or whatever you need to manage your WorkSpaces.

By the way, it appears Amazon pre-provisions WorkSpaces. I saw several computer objects of workstations in the computer’s containers I didn’t provision through the WorkSpaces interface. I was even able to connect to those machines with the Computer Management console. I also saw two domain controllers, but access was denied when I tried to connect to them with the Computer Management console.

Password reset ^

Of course, there are also differences if you run virtual desktops in the cloud. I am afraid that many of those differences will become obvious only when you work a while with WorkSpaces. For instance, when I tried to reset the password of my WorkSpaces user in Active Directory, I could no longer log on. I figured that problem was related to the “User must change password at next logon” option of the password reset applet. After I reset the password without this checkbox enabled, I could log on again.

Reset password of WorkSpace user

Reset password of WorkSpace user

I guess the WorkSpaces client simply doesn’t allow the user to enter a new password. However, users can change their password once they log on using the common methods. For example, a user can send a “CTRL+ALT+Del” through the WorkSpaces menu and then select the “change password” option. Users who forget their password can reset it by clicking a link in the WorkSpaces client.

Forgot WorkSpaces password

Forgot WorkSpaces password

After the user solves a captcha, an email with a link for resetting the password is sent to the user’s email address.

Please reset your WorkSpaces credentials

Please reset your WorkSpaces credentials

WorkSpace rebuild ^

There are some obvious differences in the way things work with WorkSpaces. For instance, you can’t deploy desktops with your imaging tools. Instead, you use the Amazon web interface to add new WorkSpaces. If a user messed up a desktop, you can rebuild the WorkSpace through Amazon’s management console.

Rebuild WorkSpace

Rebuild WorkSpace

Data in the user profile will be restored after the desktop is rebuilt; however, user data that was saved within the last 12 hours may be lost. Thus, if you have to rebuild a WorkSpace and want to ensure that all user data is restored, you should wait at least 12 hours after the user last logged on, or you should create a backup of the user data yourself. Also notice that data stored in locations other than the user profile, for example in a folder on C, will not be restored.

Some directory-related settings will not be affected when you rebuild a WorkSpace. For instance, the user name and password of the WorkSpace will stay the same. The user object will remain in the Active Directory container to which you moved it. However, after the rebuild, the computer will have a different name and will appear in the computer’s OU. Thus, if you moved the computer object to another container, you have to change the OU again. WorkSpaces also doesn’t remove the old computer object from Active Directory; you have to delete it manually.

Rebuilding WorkSpace

Rebuilding WorkSpace

In my tests, rebuilding a WorkSpace took between 12 and 20 minutes. As expected, applications I previously installed disappeared. However, since the user profile was restored, the corresponding shortcuts were still on the desktop. Thus, installing applications manually after provisioning a WorkSpace is not really advisable. You can use a software deployment solution that ensures that applications are automatically deployed after you provisioned a new WorkSpace, or you create your own WorkSpaces bundles with all your applications installed.

Advanced options ^

In the WorkSpaces interface, the Custom WorkSpace Bundles feature is listed under Advanced Options. However, when I contacted Amazon about it, I was informed that it is not yet available in the limited preview.

Amazon WorkSpaces - Advanced Options

Amazon WorkSpaces - Advanced Options

Another advanced option that is still unavailable will allow you to use your on-prem Active Directory instead of Amazon’s directory. You will also be able to run your own “cloud only” Active Directory. I suppose you will then have to install your own domain controllers on EC2 instances.

The third advanced option is about “on-premise administration tools” that “allow you to monitor the health of your WorkSpaces, approve patches, and schedule updates.” I will have a closer look at these advanced options as soon as they are available.

In the next post of my WorkSpaces series, I will summarize my overall impression and outline why I think that Amazon’s DaaS, for the first time, makes VDI an interesting option.

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads by becoming a member!

1+
Share
Articles in series

Amazon WorkSpaces

1 Comment
  1. Magheswari 3 years ago

    i am getting error in AWS Workspace while login like """ Directory unavailable  your directory  could not be reached at this time . Please contact your administration for more details"""" could you please tell whats the issues and solution for this error.

    3+

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *

*

Follow 4sysops

Twitter Facebook Linkedin RSS

Subscribe to post notfications

Leaderboards

Member Leaderboard – Month

Member Leaderboard – Year

Author Leaderboard – 30 Days

Author Leaderboard – Year

Reviews

Site Wide Activities [RSS]

Viewing 1 - 5 of 5 items
  • Profile picture of David Figueroa

    David Figueroa replied to the topic Write output to file within a PowerShell foreach loop in Group logo of PowerShellPowerShell Forum 3 hours, 8 minutes ago

    I'm not sure how you could manage passwords without PwdLastSet - that's a value automatically written by AD when you set your password.  Now -- they modified the security on that attribute, then the queries would fail, and basically turn up nothing.  There isn't any other way I know of to obtain that piece of information directly.  If you can't see PwdLastSet, then adding a year won't make a difference, unless you mess with the clock and figure out bit by bit when it expires, but that's messy and certainly not easy or stable.

    I can't figure out why in the world someone would block security on that attribute? It's certainly not an easy thing to do.  I can think of numerous circumstances where that would break things?

    Anyway.. if you have a Domain Admin or Enterprise Admin account, you could use PSexec to launch a process as the System account on the Domain Controller and basically give yourself true full control of the AD database.  But, if you have that AD level permission, it wouldn't/shouldn't block you from seeing PwdLastSet.

    But, you made it sound like you *can* get it for the output? or not get it?

     

    David F.

    0
    Share

  • Wolfgang Sommergut commented on ESXi 7.0 Free: New features, limitations, upgrade 10 hours, 1 minute ago

    Most commercial backup programs don't support ESXi Free. In the past Trilead VM Explorer could do the job, but that doesn't exist any more. One free option still available is GhettoVCB.

    0
    Share
  • Profile picture of Leos Marek

    Leos Marek commented on ESXi 7.0 Free: New features, limitations, upgrade 10 hours, 2 minutes ago

    My mistake, sorry. This is not supported for a longer time.

    0
    Share
  • Profile picture of Leos Marek

    Leos Marek commented on ESXi 7.0 Free: New features, limitations, upgrade 10 hours, 18 minutes ago

    Damn, I havent noticed the storage API being disabled. Not sure if Veeam uses it.

    0
    Share
  • Profile picture of Leos Marek

    Leos Marek liked ESXi 7.0 Free: New features, limitations, upgrade. (So far, This post has 3 likes) 10 hours, 20 minutes ago

    0
    Share
© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account