Permissions Required for Running the Parallels Configuration Manager Proxy Service

Introduction

To run the Parallels Configuration Manager Proxy (CM Proxy) service, you need a domain user with permissions in several areas:

  1. DCOM Remote Activation permissions, so that CM Proxy can communicate with the SMS Provider over DCOM.
  2. Full Administrator rights in SCCM, so that CM Proxy can make changes to WMI objects in SCCM.
  3. Read and write permissions on the SCCM network share, so that CM Proxy can register new devices in SCCM.

This article provides step-by-step guidance for preparing a domain user with the permissions necessary to run the CM Proxy service.

Notes

  1. You can configure the necessary permissions manually, as described below.
  2. Alternatively, you can use Parallels Mac Management Server Tools to automate this task.

Create a Domain User

The user configuring Parallels Configuration Manager Proxy must be a domain user. To create a domain user:

  1. On the computer running Active Directory, click Start > Administrative Tools > Server Manager.
  2. In the Server Manager window, navigate to Roles / Active Directory Domain Services / Active Directory Users and Computers / <domain-name>.
  3. Right-click Users and select New > User in the context menu.
  4. In the New Object - User dialog, type the Full name and User logon name, and click Next.
  5. Type the password in the Password and Confirm password fields and click Next.
  6. Click Finish.

Local Administrator Rights on the Computer Running the Parallels Configuration Manager Proxy

The user account that runs Parallels Configuration Manager Proxy must have administrative rights on the computer where Parallels Configuration Manager Proxy will be installed:

  1. Important note about doing this on a domain controller:
    1. Adding a user to the Administrators group on a domain controller gives that user Domain Admin privileges.
    2. The reason is that once a machine is a domain controller, it no longer has local accounts. Any account created on that system is a domain account.
    3. That is why Parallels Configuration Manager Proxy should never be installed on a domain controller.
  2. Log into the computer that will run the Proxy and click Start > Computer Management.
  3. In the Computer Management console, navigate to Computer Management / System Tools / Local Users and Groups / Groups, select Administrators, right-click it, and then click Properties in the context menu.
  4. In the Administrators Properties dialog, click the Add... button.
  5. Find the domain user that you created for running the CM Proxy and click OK.
  6. Click OK to close the dialog.
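
The domain controller caution above can be enforced in a script before the account is added. The following PowerShell is an added example, not part of the original Parallels article; the account name CONTOSO\svc-cmproxy is a hypothetical placeholder for the domain user created earlier.

```powershell
# Added example (not from the Parallels article).
# Run elevated on the computer that will host the CM Proxy.
$ServiceAccount = 'CONTOSO\svc-cmproxy'   # hypothetical placeholder account

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 2) {
    $msg = "$env:COMPUTERNAME is a domain controller; membership in its " +
           "Administrators group is domain-wide. Use a member server instead."
    throw $msg
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
# so the lookup also works on localized systems.
$adminsSid = 'S-1-5-32-544'
$already = Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.Name -eq $ServiceAccount }

if ($already) {
    Write-Output "$ServiceAccount is already a local administrator."
} else {
    Add-LocalGroupMember -SID $adminsSid -Member $ServiceAccount
    Write-Output "Added $ServiceAccount to the local Administrators group."
}
```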

DCOM Remote Activation Permission

The user must have the DCOM Remote Activation permission:

  1. On the computer where the SMS Provider is installed, click Start > Administrative Tools > Component Services.
  2. In the Component Services window, navigate to Console Root / Component Services / Computers / My Computer / DCOM Config. Scroll down to Windows Management and Instrumentation, right-click it, and then click Properties in the context menu.
  3. Click the Security tab. The Launch and Activation Permissions section will have either the Use Default or the Customize option selected, depending on your server configuration. Set the DCOM Remote Activation permission for the user as follows.
  4. If the Customize option is selected:
    1. Click the Edit button.
    2. Click the Add... button.
    3. Find the domain user that you created for running the CM Proxy and click OK.
    4. Grant the user the Remote Activation permission.
    5. Click OK to save changes and close the properties dialog.
    6. The DCOM Remote Activation permissions are now configured. You can skip the remaining steps in this section (they describe the scenario where the Use Default option is selected in Windows Management and Instrumentation > Security).
  5. If the Use Default option is selected, you need to configure the Remote Activation permission in the COM Security settings on this computer:
    1. Click Cancel to close the Windows Management and Instrumentation Properties dialog.
    2. In the Component Services window, navigate to Console Root / Component Services / Computers. Right-click My Computer and click Properties in the context menu.
    3. Click the COM Security tab. In the Launch and Activation Permissions section, click Edit Default.
    4. Click the Add... button.
    5. Find the domain user that you created for running the CM Proxy and click OK.
    6. Grant the user the Remote Activation permission.
    7. Click OK to close the Launch and Activation Permission dialog.
    8. Click OK to close the dialog.
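
To confirm which of the two cases applies (Customize or Use Default) and whether the account already holds Remote Activation, the launch ACL can be read from the registry. This read-only PowerShell check is an added example, not part of the original article; it assumes the hypothetical account CONTOSO\svc-cmproxy and that the AppID key's default value matches the name shown in DCOM Config.

```powershell
# Added example (not from the Parallels article). Read-only audit.
# Run elevated on the computer where the SMS Provider is installed.
$ServiceAccount  = 'CONTOSO\svc-cmproxy'                     # hypothetical placeholder
$AppName         = 'Windows Management and Instrumentation'  # name shown in DCOM Config
$ACTIVATE_REMOTE = 0x10                                      # COM_RIGHTS_ACTIVATE_REMOTE

$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Assumption: the AppID key's default value equals the DCOM Config display name.
$app = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('') -eq $AppName } | Select-Object -First 1
if (-not $app) { throw "No AppID key named '$AppName' was found." }

# A per-application LaunchPermission value corresponds to "Customize";
# when it is absent, COM falls back to the machine-wide default ("Use Default").
$bytes = $app.GetValue('LaunchPermission')
if ($bytes) {
    $source = 'Customize (per-application ACL)'
} else {
    $source = 'Use Default (COM Security defaults)'
    $bytes  = (Get-Item 'HKLM:\SOFTWARE\Microsoft\Ole').GetValue('DefaultLaunchPermission')
}
if (-not $bytes) {
    Write-Output "$source : no explicit ACL stored; built-in system defaults apply."
    return
}

# Parse the binary security descriptor and look for an Allow ACE that names
# the account directly and includes the Remote Activation bit.
$sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
$hits = $sd.DiscretionaryAcl | Where-Object {
    $_.AceType -eq 'AccessAllowed' -and
    $_.SecurityIdentifier.Value -eq $sid.Value -and
    ($_.AccessMask -band $ACTIVATE_REMOTE)
}

[pscustomobject]@{
    Account          = $ServiceAccount
    AclSource        = $source
    RemoteActivation = [bool]$hits
}
```

Only ACEs that name the account directly are matched; rights granted through group membership are not resolved.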

Administrative Rights in SCCM

The user must have Full Administrator rights in Configuration Manager:

  1. Log into the computer running the Configuration Manager console.
  2. In the Configuration Manager console, navigate to Administration / Overview / Security.
  3. Right-click Administrative Users and click Add User or Group in the context menu.
  4. In the Add User or Group dialog, click Browse, find the domain user that you created earlier, and then click OK.
  5. The user will appear in the User or group name field in the Add User or Group dialog.
  6. Click the Add... button in the Assigned security roles section.
  7. In the Available security roles list, select Full Administrator and click OK.
  8. Click OK to close the Add User or Group dialog.

Permissions in Active Directory

If the CN=System / CN=ParallelsServices / CN=PmaConfigMgrProxy-<site-code> container exists in Active Directory, the user must have Read, Write, and Create All Child Objects permissions on it.

Permissions on SCCM Network Share

The service account must have read and write permissions on the \\sccm-server\SMS_site-code\inboxes\ddm.box share.

Permissions on SMS_[site-code] Share

  1. Open \\sccm-server in a file browser.

  2. Right-click the SMS_site-code folder and choose Properties.

  3. Click the Sharing tab. Click the Advanced Sharing... button.

  4. In the Advanced Sharing dialog, click the Permissions button.

  5. In the Permissions for SMS_site-code dialog, click the Add... button. Select the user that will be used to run the service and click OK.

  6. Select the user that you added in the previous step (if it is not selected automatically) in the Group or user names list:

    1. Select Full Control for the selected user in the Permissions for user-name section.

    2. Click OK in Permissions for SMS_site-code.

  7. Click OK in Advanced Sharing.

  8. Click Close in SMS_site-code Properties.

Permissions on SMS_[site-code]\inboxes\ddm.box Share

  1. Go to \\sccm-server\SMS_site-code\inboxes in a file browser.

  2. Right-click ddm.box and choose Properties.

  3. In the ddm.box Properties dialog, click the Security tab. Click the Edit... button under Group or user names.

  4. In Permissions for ddm.box, click the Add... button.

  5. Select the user that will be used to run the service and click OK.

  6. Select the user that you added in the previous step (if it is not selected automatically) in the Group or user names list and grant the following permissions in the Permissions for user-name section:

    • Read & execute
    • List folder contents
    • Read
    • Write

  7. Click OK in the Permissions for ddm.box dialog.

  8. Click OK in the ddm.box Properties dialog.
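
The share and NTFS permissions from the two procedures above can also be applied and verified from PowerShell. This is an added example, not part of the original article; it assumes it runs elevated on the server that hosts the share, the account name is a hypothetical placeholder, and SMS_site-code is the article's placeholder for your share name.

```powershell
# Added example (not from the Parallels article).
# Run elevated on the SCCM server that hosts the share.
$ServiceAccount = 'CONTOSO\svc-cmproxy'   # hypothetical placeholder account
$ShareName      = 'SMS_site-code'         # placeholder; substitute your site code

# Share level: Full Control on the SMS_<site-code> share, as in the first procedure.
Grant-SmbShareAccess -Name $ShareName -AccountName $ServiceAccount `
    -AccessRight Full -Force | Out-Null

# NTFS level: resolve the share's local path, then grant the rights listed for ddm.box.
# ReadAndExecute covers "Read & execute", "List folder contents" and "Read".
$ddmBox  = Join-Path (Get-SmbShare -Name $ShareName).Path 'inboxes\ddm.box'
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = [System.Security.AccessControl.FileSystemAccessRule]::new(
               $ServiceAccount, $rights, $inherit, 'None', 'Allow')

$acl = Get-Acl -Path $ddmBox
$acl.AddAccessRule($rule)
Set-Acl -Path $ddmBox -AclObject $acl

# Verify: show what the account now holds at both levels.
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $ServiceAccount } |
    Select-Object Name, AccountName, AccessControlType, AccessRight

(Get-Acl -Path $ddmBox).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```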
