Royal Server can be installed on a domain-joined server. This way, the administrator can manage the users that have access to Royal Server in a flexible way using domain groups.
The following tips will help you configure your Royal Server in an Active Directory environment.
Configuring the Worker Account
If you plan to add domain groups to your local Royal Server groups (these are "Royal Server Users", "Royal Server Administrators" and "Royal Server Gateway Users"), the Worker Account has to have sufficient rights to enumerate the group memberships of these domain groups. This is best achieved with a Worker Account that is
- in the local Administrators group (that is, it is an administrator of the machine where Royal Server is installed) and
- a domain user.
Configuring Access to Royal Server and the Secure Gateway
Membership in the following groups grants access to the following Royal Server functionality:
- Being a member of the group "Royal Server Users" enables users to use Royal Server modules like Windows Events, Processes, Services, etc.
- Being a member of the group "Royal Server Gateway Users" enables users to use Secure Gateway functionality (e.g. RDP connections, Terminal, (S)FTP, etc.).
- Being a member of the group "Royal Server Administrators" enables users to administer the Royal Server.
We recommend using domain groups to configure these memberships. This means that you add domain groups to the local Royal Server groups to give the specified members access.
Attention: Please avoid groups with too many users or nested groups, as they slow down Royal Server when it queries group memberships.
Currently, only domain users/groups are supported. Users from other domains and/or forests might work but are not supported by Royal Server.
The Royal Server Configuration Tool will display all the users it finds in the "Royal Server Users" or "Royal Server Gateway Users" groups. If this list is not complete, please configure logging to a file and check the log for any hint on why Royal Server could not enumerate all users.
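To review the local Royal Server groups against the guidance above, the following PowerShell audit is an added example and not part of Royal Server or its documentation. It assumes the ActiveDirectory (RSAT) and LocalAccounts modules are available on the Royal Server machine; `$MaxMembers` is an assumed review threshold, not a documented Royal Server limit.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.PowerShell.LocalAccounts
# Added example: audit who gains access through the local Royal Server groups.
# $MaxMembers is an assumed review threshold, not a value defined by Royal Server.
param([int]$MaxMembers = 500)

$localGroups = 'Royal Server Users', 'Royal Server Gateway Users', 'Royal Server Administrators'

$report = foreach ($group in $localGroups) {
    foreach ($member in Get-LocalGroupMember -Group $group) {
        $row = [pscustomobject]@{
            LocalGroup   = $group
            Member       = $member.Name
            Class        = $member.ObjectClass
            Source       = $member.PrincipalSource
            NestedGroups = 0
            TotalUsers   = $null
            Finding      = 'ok'
        }
        if ($member.PrincipalSource -ne 'ActiveDirectory') {
            # Local accounts bypass the domain-group model recommended above.
            $row.Finding = 'local principal, not managed via a domain group'
        }
        elseif ($member.ObjectClass -eq 'Group') {
            try {
                $sid    = $member.SID.Value
                # Direct members show whether the domain group contains other groups.
                $direct = @(Get-ADGroupMember -Identity $sid -ErrorAction Stop)
                $row.NestedGroups = @($direct | Where-Object objectClass -eq 'group').Count
                # -Recursive resolves nesting and returns the effective, non-group members.
                $row.TotalUsers = @(Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop).Count
                if ($row.NestedGroups -gt 0)            { $row.Finding = 'contains nested groups' }
                elseif ($row.TotalUsers -gt $MaxMembers) { $row.Finding = 'large group' }
            }
            catch {
                # The group could not be enumerated with the current credentials.
                $row.Finding = "enumeration failed: $($_.Exception.Message)"
            }
        }
        $row
    }
}

$report | Sort-Object LocalGroup, Member | Format-Table -AutoSize
```

Running the script under the Worker Account gives a first indication of which domain groups that account can enumerate; the Royal Server log file remains the authoritative source for enumeration errors.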
Configuring Access to Documents via Access Rules (ACLs)
Similar to the group memberships, you can use domain users and groups to define ACLs for documents.
Summary
- The Worker Account has to be a domain user and a member of the local "Administrators" group.
- It is recommended to add domain groups/users to the local Royal Server groups for flexible administration.
- Avoid using domain groups with a huge number of users or nested groups to improve performance.