Manage virtual desktops using your existing enterprise tech ecosystem with the Room Directory and Domain Join

Pol Desmarais

Pol Desmarais

May 6, 2021


5 min read time

Manage virtual desktops using your existing enterprise tech ecosystem with the Room Directory and Domain Join

Tehama’s Room Directory and Domain Join are two powerful tools that can be optimized by enterprises that need to support a large number of employees and contractors working remotely. These features enable organizations to securely manage their employee’s security, user experience, and access settings at scale and extend user’s corporate identities to virtual desktops. These capabilities allow businesses that have shifted to a hybrid workforce to consistently manage all types of devices with the same set of tools, regardless of user location.

Tehama Room Directory: Manage Group Policy out-of-the-box/with no integration required

By default, every Tehama Room has its own independent directory, called a Room Directory. This allows administrators to review, control and modify Group Policy settings within the Room in order to help provide a consistent user experience for both remote and in-office workers, while also enforcing key security settings. Administrators just need to configure Group Policy settings once, with all settings automatically applied across every desktop in the Room.

This capability comes out-of-the-box with a Tehama Room; no integration, infrastructure or additional IT administration effort required. Whether your organization isn’t using Active Directory, or isn’t ready to facilitate an integration yet, the Tehama Room Directory allows organizations to benefit from the ability to centrally manage Group Policy for a Room without needing to wait for approval or resources to assist in an integration.

The Tehama Room Directory is designed to add flexibility and agility for all organizations using Tehama, especially those that:

  • Regularly onboard users (such as contractors or third parties) who aren’t in their domain, but still need to manage what these users can do within the system;
  • Want to treat Tehama virtual desktops separately from desktops in their domain; or
  • Need more agility when making Group Policy changes (by isolating these changes to a Tehama Room, if required, which only affects the desktops of users in that particular Room).

Domain Join

Tehama’s Domain Join feature goes a significant step further by connecting your Tehama environments with your standard corporate user management capabilities.

Domain Join, when enabled in Tehama Gateway Rooms, allows enterprises to integrate a Room with their existing Active Directory implementation. In a Room with Domain Join turned on, the Tehama directory interfaces with your Windows domain. This provides a central authentication point for Windows users on the network, allowing them to log into a Tehama desktop using their corporate credentials and automatically inherit their domain user settings.

This facilitates centralized management (within your central Active Directory) of critical security, user experience and access settings on Tehama desktops, including those configured with Group Policy, using the same tools you use to manage the rest of your desktop estate.

Organizations who will likely see the most value from Domain Join include:

  • Those who want to centrally manage their entire desktop fleet (physical and virtual) and leverage their existing Group Policy settings, without having to duplicate this setup within Tehama;
  • Organizations whose security stack requires users to be part of their domain; and
  • Organizations with software that needs to run as a specific domain user for proper functioning.


How Tehama’s Domain Join works (and why it’s better)

Ease of Administration with no Additional Infrastructure

When leveraging Tehama’s Domain Join, the act of connecting with your On-Premises Active Directory(AD) is a simple process that can be set up through the Tehama web interface. There is no replication or duplication of your directory required and no additional infrastructure to manage, reducing the amount of IT administration effort involved.

In contrast, other standard methods of connecting DaaS or VDI desktops to your domain have added costs or complexity, often requiring you to buy and support additional infrastructure, pay for yet another cloud resource, or expend significant effort to support this integration.

One-way Trust for Optimal Security

In establishing an integration with your Domain, Tehama establishes a one-way trust, rather than the two-way trust required by some other solutions.

In general, Domain Trusts allow users in one domain to access and use resources in another domain. It’s generally accepted that one-way trusts are more secure than two-way trusts.

Here’s how one- and two-way trusts work:

  1. In a one-way trust between two domains, Domain A is the trusted domain and Domain B is the trusting domain. That means Domain A users can access Domain B’s resources, but Domain B’s users can’t do the same with Domain A
  2. In a two-way trust, all users can access resources from both domains

Two-way trust (4)

(Named after Willy Wonka’s legendary Golden Tickets guaranteeing the owner a lifetime supply of chocolate, Golden Ticket attacks use a sort of digital golden ticket to access any resource on the domain. Golden Ticket attackers can then escalate their own privileges, moving laterally on enterprise networks without triggering security alerts.)

Unfortunately, some DaaS vendors require a two-way trust. That means your DaaS environment can access resources in your on-prem AD – not an ideal configuration. Two-way domain trusts can introduce unintended access paths between environments – just like the Golden Ticket attacks – when not properly managed and monitored, putting your domain at higher risk for exploitation.

Tehama’s Domain Join leverages a one-way trust relationship with your on-prem AD, which makes the Tehama Room look to the enterprise directory (accessed across an encrypted channel through the Tehama Gateway) as its controller to authenticate users.

To again use the example we mentioned above, your on-prem AD can query and access resources (desktops) in the Tehama Room, but the Tehama Room can’t do the same in your on-prem AD. This limits your AD’s exposure to external threats.

Visit our Platform Overview page to learn more about our product features, or get a demo.

Shape line

Read More

Why organizations hate owning laptops, and what your IT team can do about it

Why organizations hate owning laptops, and what your IT team can do about it

In part 1 of this blog post series, I shared why organizations often have a three to five-year laptop refresh strategy. But refreshing a host of laptops across an organization has always held its fair share of challenges. We’ve already mentioned the extra problems Covid-19 has created when it comes to sourcing hardware, but there are other issues. The strategy of refreshing devices every few years, for example, has always been an issue for organizations with a remote workforce using company hardware. Company equipment can sometimes be difficult to recover from remote workers, especially when employees aren’t in the same…
Replacing the need for a laptop refresh strategy with DaaS

Replacing the need for a laptop refresh strategy with DaaS

If you’re an IT manager or leader, you know full well the organizational strain, security issues, and lack of productivity – for everyone across an organization, including IT staff – that comes from having out-of-date laptops and other hardware. Aging devices don’t guard particularly well against the latest viruses and malware, for example. They also have a hard time running advanced, up-to-date software applications. They’re usually not under warranty and often face compatibility issues. They can also be slow and more prone to failures, requiring more IT support to keep up and running to avoid potential data loss. In this…
Exploring remote work solutions: The variabilities of Virtual Desktop Infrastructure (VDI)

Exploring remote work solutions: The variabilities of Virtual Desktop Infrastructure (VDI)

The societal and workplace changes caused by COVID-19 are major reasons why enterprises are increasingly transitioning to cloud-based virtual desktop solutions. In my previous blog post, I examined one of the more traditional ways to facilitate remote work: company-owned laptops. In this post, I will be looking at another option: Virtual Desktop Infrastructure (VDI). With an on-premises VDI solution, the organization is committed to purchasing hardware and having everything run and managed on company servers. With cloud-based VDI, on the other hand, the cloud provider owns the infrastructure. The reality, however, is that both options can take a long time to…
Subscribe Here!
Get Tehama insights sent straight to your inbox!
By submitting this form, I consent to receive e‑newsletters, helpful information and promotional messages and can withdraw consent at anytime.
Subscribe Here!

Get Tehama insights sent straight to your inbox!