For security reasons, the account that Horizon uses to publish Instant Clones should be granted only the minimum permissions it needs in Active Directory.
To avoid potential permission issues, some administrators simply make the account configured in Horizon a member of Domain Admins. This is a serious security risk: the credentials of that account live on the Connection Servers, and anyone who obtains them gains full control of the domain rather than just of one OU.
Grant permissions in Active Directory
The minimum set of permissions in Active Directory required by the service account used by VMware Horizon is the following (granted on the OU that will hold the Instant Clones, applying to that object and all descendant objects):
- List Content
- Read All Properties
- Write All Properties
- Read Permissions
- Reset Password
- Create Computer Objects
- Delete Computer Objects
The first step is the creation of the Active Directory service account (for example vminstantclone). It should be a dedicated account, not used for anything else and not a member of any privileged group.
Next, create the Organizational Units where the Instant Clones will be created. From a Domain Controller, open Active Directory Users and Computers and create the required OUs.
In the example, a Horizon OU has been created with some OUs underneath (Instant Clones and Users). The permissions listed above are then delegated to the service account on the Instant Clones OU only.
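Delegating the permissions through the Active Directory Users and Computers wizard works, but it is easy to tick the wrong box or forget the inheritance scope. The following PowerShell script is an added example (not code from the StarWind article or from VMware) that performs the same three steps in one place: creating the service account, creating the OUs and adding exactly the ACEs listed above to the Instant Clones OU. The account name vminstantclone and the OU names Horizon and Instant Clones are taken from the example; the domain is whatever the machine running the script is joined to. The schema GUIDs for the computer class and the Reset Password extended right are fixed across all forests.

```powershell
# Added example: delegate minimum Instant Clone permissions to a dedicated service account.
# Run on a Domain Controller (or with RSAT) as a user allowed to create accounts/OUs and edit ACLs.
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain).DistinguishedName
$HorizonOU  = "OU=Horizon,$DomainDN"
$CloneOU    = "OU=Instant Clones,$HorizonOU"
$SvcAccount = "vminstantclone"    # assumed name, as in the article's example

# 1. Service account: dedicated, non-interactive, not usable for Kerberos delegation.
$pw = Read-Host -Prompt "Password for $SvcAccount" -AsSecureString
New-ADOrganizationalUnit -Name "Horizon" -Path $DomainDN -ProtectedFromAccidentalDeletion $true
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Path $HorizonOU `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
    -AccountNotDelegated $true -Description "Horizon Instant Clone publishing only"

# 2. OU that will hold the clones (and a sibling for users, as in the example).
New-ADOrganizationalUnit -Name "Instant Clones" -Path $HorizonOU
New-ADOrganizationalUnit -Name "Users" -Path $HorizonOU

# 3. ACEs on the Instant Clones OU, scoped to "this object and all descendant objects".
$sid     = (Get-ADUser $SvcAccount).SID
$acl     = Get-Acl -Path "AD:\$CloneOU"
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

# Well-known schema GUIDs (identical in every forest):
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class "computer"
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # extended right "Reset Password"

# List Contents, Read All Properties, Write All Properties, Read Permissions
$generic = $rights::ListChildren -bor $rights::ReadProperty -bor $rights::WriteProperty -bor $rights::ReadControl
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $generic, $allow, $inherit)))

# Create Computer Objects / Delete Computer Objects (object type = computer class)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $computerClass, $inherit)))

# Reset Password, limited to descendant computer objects (Horizon rotates the clones' machine passwords)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $resetPassword, $inherit, $computerClass)))

Set-Acl -Path "AD:\$CloneOU" -AclObject $acl

# 4. Verify: only the ACEs above should name the service account, and it must not be in a privileged group.
(Get-Acl -Path "AD:\$CloneOU").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
Get-ADPrincipalGroupMembership $SvcAccount | Select-Object -ExpandProperty Name
```

The verification step at the end is the check worth repeating after any later "fix" to the delegation: if Domain Admins, Account Operators or a deny-less Full Control entry ever shows up for vminstantclone, the account is over-privileged again. Note that the ACEs are placed on the Instant Clones OU, not on the parent Horizon OU, so the account cannot touch the Users OU beside it.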
Configure Domains in Horizon
Once the AD service account has been created and granted the required permissions, it must be configured in Horizon (Settings > Domains > Instant Clone Engine Domain Accounts) so that the Connection Server creates the computer objects in the selected OU with that account.
The AD service account has been configured in Horizon.
If everything works as expected, Instant Clones will be published and configured in Active Directory in the specified OU.
The user can access the Horizon Desktop Pool.
Delegating only the minimum permissions, on the dedicated OU, to the service account used by Horizon to publish Instant Clones is the recommended configuration: if the account is ever compromised, the damage is confined to the computer objects in that OU instead of the whole domain.
Read the full article on StarWind blog.