«

»

Mar 08 2011

Addressing Self-Service Password Reset with VMware View 4.6

Advertisement

A common request from my customers is the ability to leverage password self-service from 3rd party tools. The idea behind such tools is to allow users to change and/or reset account passwords without having to ring the helpdesk.

VMware View Client supports the requirement to change password during logon time if the user account password is expired. However, if the user account is locked out for any reason VMware View will not let the user to login because it will not be able to validate user credentials.

These self-service password tools are usually web-based applications that exchange credentials with Windows Active Directory and then based on answers provided by the user will either unlock or allow the user to change the account password.

So far the only way to address this situation was to allow the user to open the self-service web application tool before launching VMware View Client. It has been common to see a shortcut to the web app sitting on the user’s physical desktop, Thin Device or laptop.

Some organisations prefer to lock-down the physical desktop environment and run VMware View Client as a shell, not allowing users to interact with local applications such Internet Explorer. This is an excellent way to reduce management and support footprint as users are not allowed to launch other applications but VMware View Client. You can find a guide on how to implement shell based access at VMware View Client as a shell for XPe and XP Pro clients.

In VMware View 4.6 there is a new GPO setting that help to overcome this shortcoming. It is possible to configure a URL for View Client online help that can now point to your self-service password tool or a web portal that will offer such options to the user. When Help is select the default browser is launched with the specified URL

image

The setting will only work for Windows Based devices running Windows or Windows Embedded. In the case of WES devices that are not connected to the AD domain it is possible to apply the settings via registry entries.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client]
"HelpURL"=http://onlinehelp.local

The screenshot below demonstrate the configuration utilising Windows Group Policies templates. The ADM templates can be found at c:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles on VMware View Connection Servers.

clip_image004

For Teradici’s Zero-Client devices there is no easy solution to address self-service password reset tools since it is not possible to open a web browser before getting to the virtual desktop itself. I believe Teradici is working on a possible solution.

Thin devices based on Linux can leverage local integrated browsing capability to customize menus to achieve the same result. I have seen smart solutions using HP Thin Clients that allow users to select if he/she wants to open VMware View Client or a web-page with the self-service password tool.

Similar Posts:

Permanent link to this article: http://myvirtualcloud.net/?p=1754

1 comment

1 ping

  1. Paul Slager

    Very cool article, like you mentioned there is nothing for Zero Clients out yet which is a shame because that is where it is needed most.

  1. Technology Short Take #14 - blog.scottlowe.org - The weblog of an IT pro specializing in virtualization, storage, and servers

    [...] Andre Leibovici—who I had the pleasure of meeting in person at VMworld—has an article on how to modify the Windows Registry settings (or apply Group Policy) for the VMware View Client in order to integrate self-service password reset. [...]

Leave a Reply