Why Is It Important to Be a Local Admin in PVS?

My Friends,

Today we are going to talk about permissions in PVS and why it is important for the Soap service user to be a member of Local Administrators on your Provisioning Servers.

For the most part in PVS you can get by with just letting the Configuration Wizard do its thing during initial setup. It enables the different services that make the PVS functionality possible (Soap, Stream, etc.) and turns on the necessary permissions on the database. KMS is different, however: every time you switch modes from Private to Standard and select Key Management Service on the vDisk, PVS performs a volume operation on the server that requires elevated privileges, specifically the ability to perform volume maintenance tasks. If you are running Soap/Stream under, say, Network Service or a custom-made account, it will likely lack those rights. There is a GPO setting called “Perform Volume Maintenance Tasks” under \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ in GPEDIT.msc where you can add your account to the member list, but you will definitely be better off just adding the Soap user to the Local Administrators group on all Provisioning Servers in the farm. You will save yourself a lot of headaches down the road – permissions are always tricky!


– The PVS Guy
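
To see which of the two options described above is actually in place on a server, the following added example (not Citrix code and not from the original post) reports, for each PVS service, the account it runs as, whether that account is a direct member of Local Administrators, and whether it holds the "Perform volume maintenance tasks" right. The service names `soapserver` and `StreamService` are assumptions; adjust them to your installation.

```powershell
# Added example, not Citrix code. Run elevated on each Provisioning Server.
# Assumption: services are named 'soapserver' and 'StreamService' (else pass -ServiceName).
param([string[]]$ServiceName = @('soapserver', 'StreamService'))

function ConvertTo-Sid([string]$Account) {
    # Built-in service identities are mapped directly; other names are looked up.
    $wellKnown = @{ 'LocalSystem' = 'S-1-5-18'; 'NT AUTHORITY\LocalService' = 'S-1-5-19'
                    'NT AUTHORITY\NetworkService' = 'S-1-5-20' }
    if ($wellKnown.ContainsKey($Account)) { return $wellKnown[$Account] }
    $Account = $Account -replace '^\.\\', ($env:COMPUTERNAME + '\')   # '.\user' form
    ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value
}

function Get-VolumeMaintenanceSid {
    # Export the local user rights and return every SID that holds
    # "Perform volume maintenance tasks" (SeManageVolumePrivilege).
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeManageVolumePrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # the right is assigned to nobody
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $e = $entry.Trim()
            if ($e.StartsWith('*')) { $e.Substring(1) }   # exported as *SID
            elseif ($e) { ConvertTo-Sid $e }              # exported as a name
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$holders  = @(Get-VolumeMaintenanceSid)
# Direct members only; nested domain groups are not expanded here.
$admins   = @(Get-LocalGroupMember -SID $adminSid | ForEach-Object { $_.SID.Value })
foreach ($name in $ServiceName) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }
    $sid = ConvertTo-Sid $svc.StartName
    # LocalSystem's token already carries the Administrators group.
    $isAdmin = ($sid -eq 'S-1-5-18') -or ($admins -contains $sid)
    [pscustomobject]@{
        Service            = $name
        RunsAs             = $svc.StartName
        LocalAdministrator = $isAdmin
        VolumeMaintenance  = ($holders -contains $sid) -or
                             ($isAdmin -and ($holders -contains $adminSid))
    }
}
```

A row with `VolumeMaintenance` set to `False` identifies a service account that lacks the right the KMS mode switch needs.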

Which AD Groups Have Access to Your Farm?

If you ever get locked out of your PVS Console because someone in your organization changed Active Directory membership groups around, you will need to find out what security groups have permission to access the farm. It’d be super-easy if you could just open your Console…Security tab under Farm Properties. But what if you lost access?

…Fortunately there is a way, because it’s all in the database. All you need to do is log in to your SQL server, launch SQL Management Studio, expand the PVS database, right-click on the dbo.AuthGroup table, and choose Select Top 1000 Rows. You will see a list of all the AD user groups that have permissions to access the farm. Then you will most likely realize that your Console user is NOT a member of any of those groups!