Forum Discussion
MSIX app attach Azure portal integration public preview
I’m running into an error adding WVD computers to an AADDS group.
Step 2 in Step by Step Guide on Computer Account Authorization for Azure Files:
Process overview
1. Create AD DS security group.
2. Add the computer accounts for all session hosts as members of the group.
The error is: "Active Directory Domain Services
Object WVD-xxx cannot be added to group xxx because:
Insufficient access rights to perform the operation."
The user is the global admin.
Environment is AADDS. No on-premises AAD. No Azure AD Connect.
AADDS is managed via a Windows 2012 server joined to the AADDS domain with Active Directory admin tools installed: ADAC, AD PowerShell, AD Users & Computers, etc.
Have created several VMs in Windows Virtual Desktop, all of which were added to the AADDC Computers group in ADU&C on the management server.
However, of several Windows Virtual Desktop VMs in the AADDC Computers group, only one is listed in the Azure Active Directory portal, Devices, All Devices. There are over 100 Azure AD Registered devices in the portal Devices group, but they are not shown in the AADDC group on the management server – only the WVD VMs are shown. However, all users and groups in the portal are shown in the AD Users & Computers group on the management server.
Synchronization for AADDS is set for “All” and Health shows recent synchronization.
The VMs are able to ping the AADDS domain controllers and the Windows management server, and the management server is able to ping the devices.
Event Viewer shows the following error:
"The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool."
Enabled Local Computer Policy, Computer Config, Security Settings, User Rights Assignment to allow global admin account to "Add workstations to domain" without effect.
I’ve opened an SR on the issue. Thanks in advance for any advice.