Automatic User Creation

I did some testing with Automatic User Creation and unfortunately have found that the user has to be in the immediate root level of the Domain Container (cannot be within a group within the container) for it to work.

I am sure I'm overlooking something and would appreciate any advice and help.

Key points:

• My group "Devolutions License Users" is within a domain container
• My group "Devolutions License Users" has users added within it that are pulled from another domain container
• Domain Diagnostics can find the group
• Domain Diagnostics can pull all users within the group using "Get users by group"
• Domain Diagnostics cannot find any users within the group within the domain container using the more generic "Get all users"
  • This last point is why Automatic User Creation is not working for users within the group within the domain container

Hello,

Thank you for reaching out!

My name is William and I'm here to assist you in any way I can.

I've verified and it is possible to search for a specific group within the Only From this Group:


As for your configuration, could you try the diagnostic Get All User with different strategies?

Also, could you confirm if your two domains are in a forest? If so, you should be able to configure one domain authentication in DVLS to the root domain and then read the subdomains for the authentication.

If the two domains are not related and only have a trust between them, then it is possible that it might not work. We will need to test using different strategies.

Best regards,

Hello,

Thank you for reaching out!

My name is William and I'm here to assist you in any way I can.

I've verified and it is possible to search for a specific group within the Only From this Group:


As for your configuration, could you try the diagnostic Get All User with different strategies?

Also, could you confirm if your two domains are in a forest? If so, you should be able to configure one domain authentication in DVLS to the root domain and then read the subdomains for the authentication.

If the two domains are not related and only have a trust between them, then it is possible that it might not work. We will need to test using different strategies.

Best regards,

@William Alphonso
The issue with the "Active Directory groups" search feature is that on very large domains, with numerous containers and groups, DVLS attempts to first read the entire directory instead of letting you search first instead. This results in numerous timeouts and waiting multiple minutes or longer. Attempting to use the search feature is painful and slow. You generally have to click and start typing while not seeing anything, then wait 30 to 60 seconds longer before you see your text. I would highly advice you to add a feature that allows you to search first and a button to poll if you want otherwise.

Hello,

Thank you for the confirmation. It is also possible to reduce the size of the search by Devolutions Server under Administration > Server Settings > Authentication > Domain > Advanced Settings > Domain Containers. This will limit what DVLS can see in your domain, which should accelerate the process in bigger environment.


Best regards,

Hello,

Thank you for the confirmation. It is also possible to reduce the size of the search by Devolutions Server under Administration > Server Settings > Authentication > Domain > Advanced Settings > Domain Containers. This will limit what DVLS can see in your domain, which should accelerate the process in bigger environment.


Best regards,

@William Alphonso

Thank you. I have previously done this and while that “helps” it’s still painful since our organization is extremely large. Having the option to decide between search or poll would be best. Please submit this as an improvement feature (or something similar).

Hi Team, I am making some progress:

1. From Administration > Server Settings > Authentication > Domains, I have our parent domain and the two sub-domains below it.
2. Using Diagnostics on the sub-domains, I can pull all users quickly from my "Devolutions License Users" group using strategy "Principal".
3. From Administration > Users, I can hit the "+" and single or mass import users from my "Devolutions License Users" group.
4. From Administration > Server settings > Authentication > Domains > Domain configuration, I have "Automatic User Creation" setup to the following:

From Administration > User groups, I have my "Devolutions License Users" group populated. It does read users from the group but only displays those that are already in Administrator > Users.

Currently I am getting this error with attempted logins by new users that are in "Devolutions License Users". I would expect the behavior would be to auto-create their account on first login. Am I thinking about this wrong here?

Hello,

Would it be possible to confirm if the Auto-create on first login enabled on the domain or subdomain configuration?

Also, it is not necessary to have the Devolutions License Users under the User Groups of Devolutions Server. The groups imported there will not automatically import the members and it is mainly used for permissions.

Best regards,

Hi @William Alphonso and thanks for the reply. My domain structure looks like this:

Master Domain

• Subdomain A
• Subdomain B > Automatic User Creation is set to "Auto-create on first login" and "Only from this group" is set to "Devolutions License Users" with "Username format" set to NetBios (we generally login domain\user).

Domain Settings:

• Subdomain A's Advanced Settings has two Domain Containers pointing to where users exist.
• Subdomain B's Advanced Settings has three Domain Containers pointing to where users exist and to where my "Devolutions License Users" group exists.
• Devolutions License Users group has users from both Subdomain A and B.

Strategy on both Subdomain A and B are set to like so:

On a second but similar topic, after manually adding users, I had two teammates log into DVLS via SSO to test the "Automatic License Assignment", then log out. Unfortunately for my case, auto license assignment is also not working. I ended up having to manually assign the licenses to them. I have it set to wide-open, so my thinking is that it should be automatically assigning these licenses.

Hello,

Just to be certain, here's how I see your configuration:

1. DomainAB
   1. No Auto-Creation on first login
   2. No Users
   3. No Groups
2. SubDomainA
   1. No Auto-Creation on first login
   2. Users in two OUs
   3. No Groups
3. SubDomainB
   1. Auto-creation on first login configured
   2. Users in three OUs
   3. Devolutions Licensed Users groups is here

Can you confirm if these works with your current configuration:

1. Is a user from DomainAB is automatically created?
2. Is a user from SubDomainA is automatically created?
3. Is a user from SubDomainB is automatically created?

What I'm expecting here is that users from DomainAB and SubDomainA will not be automatically created but users from SubDomainB are automatically created. If this is the case, could you try enabling the auto-create on first login on SubDomainA and see if users from SubDomainA can now be automatically created?

As for the automatic license assignment, it will be done when a user logs in from Remote Desktop Manager (RDM) and not from the web interface. I've tested this and the license is only assigned when I authenticated through Remote Desktop Manager (RDM) or Devolutions Launcher. I will poke our development team to see if this is the intended behaviour.

Best regards,

@William Alphonso

That is good to hear on auto assignment of license when logging in via RDM for the first time. I'll test that and let you know.

You are correct with #s 1, 2, and 3 on the configuration.

For 4, 5, and 6: No users are being automatically created. You would expect with #6 (SubdomainB) that users would be automatically created. DVLS diagnostics can see all users within my "Devolutions License Users" group. Both SSO and manual domain login is working for existing users to log into DVLS so that's not the issue.

Below are the errors I am setting on login attempts from two different users within that group:

@William Alphonso for the auto assigning of the license, it is not working with attempting to login with RDM:

Hello,

Just as a test, would it be possible to create the service accounts for AD authentication and the Devolutions Licensed Users in the root domain instead of one of the subdomain and see if the auto-create on first login works this way?

As for the auto assignment of license I would prefer to wait until we can fix the authentication first.

Best regards,

@William Alphonso, I left enabled "Automatic User Creation" and did not enable the "Only from this group" and I was successful in logging into DVLS with my alternate admin login! So that is some good news. Now we just need to figure out why not from groups and only from containers. :)

Hello,

Thank you for the confirmation. In that case, we would need to figure out where the search for the group and it's membership is failing.

Would it be possible to confirm the following:

1. on the Root Domain
   1. Run the Get users by group with the LDAP strategy for the Devolutions Licensed Users group.
   2. Run the Get users by group with the Principal strategy for the Devolutions Licensed Users group.
2. on Subdomain A
   1. Run the Get users by group with the LDAP strategy for the Devolutions Licensed Users group.
   2. Run the Get users by group with the Principal strategy for the Devolutions Licensed Users group.
3. on Subdomain B
   1. Run the Get users by group with the LDAP strategy for the Devolutions Licensed Users group.
   2. Run the Get users by group with the Principal strategy for the Devolutions Licensed Users group.
4. Confirm where the service account for the authentication is located for:
   1. Root Domain
   2. Subdomain A
   3. Subdomain B

Please don't hesitate to reach out if you have any questions or need further clarification.

Best regards,

@William Alphonso thank you, I will start testing this tomorrow.

Note, I was able to add my "Devolutions License Users" to another group I had (the one I informed you earlier worked for automatic user creation) and this allowed the automatic user creation to work with those in the "Devolutions License Users" group. At the very least, we have a workaround for now. :)

Hello,

Thank you for the confirmation. Would it be possible to confirm where that working user group is located in your AD (Root domain, subdomain A or B)?

Best regards,