If using VMware App Volumes to deploy applications to your virtual desktops, you may encounter the following issue when logging into the VMware App Volumes management console:

[Screenshot: App Volumes Manager login error]

“You must be in the Administrators group to login!?!?” App Volumes Manager worked just fine the last time I used it, so naturally you’ll check the status of your App Volumes server and services and the SQL server and services. Assuming you find them running, you’ll start to wonder, “What has changed?”

It may lead you to the office of the primary IT administrator(s) to ask, in a nice soft voice for sure, “What the heck did you do? Did you make any changes?” Of course, the typical response is, “I swear I didn’t change anything… except move the VDI Admins security group to another OU… but surely that has nothing to do with this error, right?”

Ordinarily, moving groups across OUs is a pretty harmless process, but in this case it does affect App Volumes. When you move security groups that are configured with App Volumes permissions, the SQL table containing the DN of those groups is not updated, so the logon to App Volumes Manager fails.

As an example, when App Volumes was initially configured, the VDI Admins group had a DN of CN=VDI Admins,OU=Groups,DC=domain,DC=com. If you move the VDI Admins group to a different OU, its DN changes and you will receive the error shown above.

To resolve the login problem, you can:

  1. Move the VDI Admins group back to its original OU (which is what I did)
  2. Edit the SQL dbo.group_permissions table and change the group's DN value so that it matches the DN in the new location

[Screenshot: SQL change]
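
Before choosing either fix, it helps to confirm which stored DNs no longer resolve in Active Directory. The read-only PowerShell check below is an added example, not part of the original post or of VMware's tooling; it assumes the ActiveDirectory (RSAT) module is installed and that the DN values read from dbo.group_permissions have been pasted into `$storedDns`. The function name `Test-StoredGroupDn` is hypothetical.

```powershell
# Added example: report stored App Volumes group DNs that no longer resolve in AD.
# Requires the ActiveDirectory module (RSAT). Read-only; it changes nothing.
Import-Module ActiveDirectory

# Constructed input: the DN from the example above. In practice, paste the
# DN values read from dbo.group_permissions here.
$storedDns = @(
    'CN=VDI Admins,OU=Groups,DC=domain,DC=com'
)

function Test-StoredGroupDn {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$StoredDn)

    try {
        # Succeeds only if the group still lives at the stored DN.
        $null = Get-ADGroup -Identity $StoredDn -ErrorAction Stop
        return [pscustomobject]@{ StoredDn = $StoredDn; Status = 'OK'; CurrentDn = $StoredDn }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Fall through: the object was moved, renamed or deleted.
    }

    # Take the leading CN value, allowing backslash-escaped characters.
    if ($StoredDn -notmatch '^CN=((?:\\.|[^,\\])+),') {
        return [pscustomobject]@{ StoredDn = $StoredDn; Status = 'Unparseable'; CurrentDn = $null }
    }
    $cn = $Matches[1] -replace '\\(.)', '$1'

    # Search the domain by name. Names containing an apostrophe are not
    # handled by this simple filter.
    $found = @(Get-ADGroup -Filter "Name -eq '$cn'")
    $status = switch ($found.Count) {
        0       { 'Missing' }
        1       { 'Moved' }
        default { 'Ambiguous' }
    }
    [pscustomobject]@{
        StoredDn  = $StoredDn
        Status    = $status
        CurrentDn = ($found.DistinguishedName -join '; ')
    }
}

$storedDns | ForEach-Object { Test-StoredGroupDn -StoredDn $_ } |
    Format-Table -AutoSize -Wrap
```

A `Moved` result is matched by name only, so confirm it is the same group (for example by comparing its SID) before treating `CurrentDn` as the value for option 2.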