VMware Horizon: grant permissions in Active Directory


When Instant Clones are published, VMware Horizon needs the correct permissions in Active Directory to create the Computer Objects in the target OU.

For security reasons, the account Horizon uses to publish Instant Clones should be granted only the minimum permissions it needs in Active Directory.

To avoid potential permission issues, some administrators grant Domain Admin rights to the account configured in Horizon to publish the machines. This of course creates serious security concerns for the network: a compromise of that service account then becomes a compromise of the whole domain.


Grant permissions in Active Directory

The minimum set of permissions in Active Directory required by the service account used in VMware Horizon is the following:

  • List Content
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Reset Password
  • Create Computer Objects
  • Delete Computer Objects

The first step is the creation of the Active Directory service account (for example, vminstantclone).


Now create the Organizational Units where the Instant Clones will be created. From a Domain Controller, open Active Directory Users and Computers and create the required OUs.


In the example, a Horizon OU has been created with some OUs underneath it (Instant Clones and Users).
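The same three steps (OU structure, service account, delegation of exactly the seven permissions listed above, scoped to the Instant Clones OU) can be done from PowerShell instead of the GUI. The script below is an added example and is not part of the original article or of VMware's documentation; it assumes the ActiveDirectory module (RSAT) is available, that it runs under an account allowed to modify the OU's ACL, and that the domain and OU names are placeholders you adjust. The class and extended-right GUIDs are resolved from the forest rather than hard-coded.

```powershell
# Added example, not from the original article. Creates the Horizon OU tree and
# the vminstantclone service account, then delegates only: List Content,
# Read/Write All Properties, Read Permissions, Reset Password, Create/Delete
# Computer Objects on the Instant Clones OU. Domain and OU names are placeholders.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example (placeholder)
$SvcSam    = 'vminstantclone'                        # service account name used in the article
$HorizonOU = "OU=Horizon,$DomainDN"
$CloneOU   = "OU=Instant Clones,$HorizonOU"
$UsersOU   = "OU=Users,$HorizonOU"

# 1. OU structure: Horizon, with Instant Clones and Users beneath it
New-ADOrganizationalUnit -Name 'Horizon'        -Path $DomainDN
New-ADOrganizationalUnit -Name 'Instant Clones' -Path $HorizonOU
New-ADOrganizationalUnit -Name 'Users'          -Path $HorizonOU

# 2. Service account (password prompted interactively, never stored in the script)
$SvcPassword = Read-Host -AsSecureString -Prompt "Password for $SvcSam"
New-ADUser -Name $SvcSam -SamAccountName $SvcSam -Path $UsersOU `
           -AccountPassword $SvcPassword -Enabled $true
$SvcSid = (Get-ADUser -Identity $SvcSam).SID

# 3. Resolve the GUIDs needed by the object-specific ACEs from the forest itself.
#    The computer class is expected to resolve to bf967a86-0de6-11d0-a285-00aa003049e2
#    and the Reset Password right to 00299570-246d-11d0-a768-00aa006e0529.
$RootDSE = Get-ADRootDSE
$ComputerClassGuid = [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$ResetPasswordGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$Rights       = [System.DirectoryServices.ActiveDirectoryRights]
$Allow        = [System.Security.AccessControl.AccessControlType]::Allow
$ThisAndBelow = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$BelowOnly    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$Acl = Get-Acl -Path "AD:\$CloneOU"

# List Content, Read All Properties, Write All Properties, Read Permissions:
# no object-type GUID, so they cover all properties on the OU and its children
$GenericRights = $Rights::ListChildren -bor $Rights::ReadProperty `
                 -bor $Rights::WriteProperty -bor $Rights::ReadControl
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $SvcSid, $GenericRights, $Allow, $ThisAndBelow))

# Create Computer Objects / Delete Computer Objects: CreateChild and DeleteChild
# restricted to the computer class, so the account cannot create users or groups
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $SvcSid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $ComputerClassGuid, $ThisAndBelow))

# Reset Password: an extended right, inherited only by computer objects under the OU
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $SvcSid, $Rights::ExtendedRight, $Allow, $ResetPasswordGuid, $BelowOnly, $ComputerClassGuid))

Set-Acl -Path "AD:\$CloneOU" -AclObject $Acl

# 4. Verify: list the ACEs granted to the account on the OU, and confirm the
#    account is in no privileged group (the Domain Admin shortcut the article warns about)
(Get-Acl -Path "AD:\$CloneOU").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
Get-ADPrincipalGroupMembership -Identity $SvcSam | Select-Object -ExpandProperty Name
```

The final two commands are the check worth keeping as a scheduled audit: the ACE list should show only the rights above, scoped to the Instant Clones OU, and the group membership should be Domain Users alone. Step 1 and step 2 fail if the OUs or the account already exist, so on an existing environment run only the delegation and verification part.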


This article was written for the StarWind blog and can be found on this page. It covers the full procedure to grant permissions in Active Directory to limit security concerns.


Configure Domains in Horizon

Once the AD service account has been created and granted the correct permissions, it must be configured in Horizon so that the computer objects are created in the selected OU.


The AD service account has been configured in Horizon.


If everything works as expected, Instant Clones will be published and configured in Active Directory in the specified OU.


The user can access the Horizon Desktop Pool.


Delegating minimum permissions on the dedicated OU to the service account Horizon uses to publish Instant Clones is the recommended configuration to limit the impact of a potential security breach.

Read the full article on StarWind blog.
