Automatic User Creation
Teleport's Desktop Service can be configured to automatically create local Windows users upon login.
Configuration
Automatic user provisioning is only supported for local users, and does not take effect in Active Directory environments.
This feature is disabled by default, and can be enabled by setting the
create_desktop_user role option on one of the user's roles.
kind: role
version: v7
metadata:
name: allow-user-provisioning
spec:
options:
create_desktop_user: true
allow:
windows_desktop_labels: { '*': '*' }
windows_desktop_logins: jane
When a Teleport user connects to a desktop, Teleport checks each of the user's
roles that match the desktop. If at least one role matches the desktop but does
not include create_desktop_user: true, automatic user creation will be
disabled. Roles that do not match the desktop's labels will not be checked.
In order to create the user, the requested username must be present in one of
the role's windows_desktop_logins.
User management
By default, the newly-created user will be placed in two Windows groups:
Remote Desktop Users: a built-in Windows group allowing remote desktop accessTeleport Users: a custom group that Teleport places all automatically-created users in
To add the user to additional groups, specify the desktop_groups role option:
kind: role
version: v7
metadata:
name: allow-user-provisioning
spec:
options:
create_desktop_user: true
allow:
windows_desktop_labels: { '*': '*' }
windows_desktop_logins: jane
desktop_groups:
- developers
# to make the newly-created user an administrator
- Administrators
# IdP trait templating is also supported
- '{{external.desktop_groups}}'
Teleport will never delete users that are created via automatic user provisioning. This ensures that the user's profile is preserved for future logins. The account will be disabled to ensures that it can only be accessed via Teleport.
Stored credentials
Version Warning: Before 15.3
Teleport versions prior to 15.3 don't support storing credentials.
You can store credentials for users created by Teleport using Control Panel\User Accounts\Credential Manager or
using cmdkey CLI utility.
Teleport will generate encryption keys for these credentials and store them securely on the machine for each user, using mechanisms in LSA. If a password is ever created for the user managed by Teleport and login is attempted using user/password method (outside of Teleport), these keys will get overwritten and all stored credentials will be removed by Windows.
Teleport will never generate keys for users created outside of Teleport to avoid deleting already present credentials. For these users, credentials can't be used at all when logging on via Teleport, as the user's password is required to decrypt them and Teleport doesn't have access to it.