{"id":47905,"date":"2021-03-11T09:00:15","date_gmt":"2021-03-11T08:00:15","guid":{"rendered":"https:\/\/nolabnoparty.com\/?p=47905"},"modified":"2026-04-29T17:18:08","modified_gmt":"2026-04-29T15:18:08","slug":"vmware-horizon-grant-permissions-in-active-directory","status":"publish","type":"post","link":"https:\/\/nolabnoparty.com\/en\/vmware-horizon-grant-permissions-in-active-directory\/","title":{"rendered":"VMware Horizon: grant permissions in Active Directory"},"content":{"rendered":"<p><img decoding=\"async\" class=\"aligncenter wp-image-47911 size-full\" title=\"horizon-grant-permissions-ad-01\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-01.jpg\" alt=\"horizon-grant-permissions-ad-01\" width=\"602\" height=\"202\" \/><\/p>\n<p>When <a href=\"https:\/\/nolabnoparty.com\/en\/vmware-horizon-7-12-delete-instant-clones\/\">Instant Clones<\/a> are published, <a href=\"https:\/\/nolabnoparty.com\/en\/vmware-horizon-2006-upgrade-from-version-7-x\/\">VMware Horizon<\/a> needs the correct permissions in Active Directory to create the Computer Objects in the target OU.<\/p>\n<p>For security reasons, it is recommended to <strong>grant minimum permissions<\/strong> in Active Directory to the account used by Horizon to publish Instant Clones.<!--more--><\/p>\n<p>To avoid potential permission issues, some administrators grant <strong>Domain Admin permissions<\/strong> to the account configured in Horizon to publish the machines. 
This of course raises serious security concerns in the network.<\/p>\n<p>&nbsp;<\/p>\n<h2>Grant permissions in Active Directory<\/h2>\n<p>The <strong>minimum set of permissions<\/strong> in Active Directory required by the service account used in <a href=\"https:\/\/nolabnoparty.com\/en\/vmware-horizon-7-deploy-unified-access-gateway\/\">VMware Horizon<\/a> is the following:<\/p>\n<ul>\n<li>List Content<\/li>\n<li>Read All Properties<\/li>\n<li>Write All Properties<\/li>\n<li>Read Permissions<\/li>\n<li>Reset Password<\/li>\n<li>Create Computer Objects<\/li>\n<li>Delete Computer Objects<\/li>\n<\/ul>\n<p>The first step is the creation of the <strong>Active Directory service account<\/strong> (for example <em>vminstantclone<\/em>).<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-47913 size-full\" title=\"horizon-grant-permissions-ad-02\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-02.jpg\" alt=\"horizon-grant-permissions-ad-02\" width=\"437\" height=\"378\" \/><\/p>\n<p>Now <strong>create the Organizational Units<\/strong> where the Instant Clones will be created. 
From a Domain Controller, open <strong>Active Directory Users and Computers<\/strong> and create the requested OUs.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-47915 size-large\" title=\"horizon-grant-permissions-ad-03\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-03-600x439.jpg\" alt=\"horizon-grant-permissions-ad-03\" width=\"600\" height=\"439\" \/><\/p>\n<p>In the example, a <em>Horizon<\/em> OU has been created with some OUs underneath (<em>Instant Clones<\/em> and <em>Users<\/em>).<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-47917 size-large\" title=\"horizon-grant-permissions-ad-04\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-04-600x374.jpg\" alt=\"horizon-grant-permissions-ad-04\" width=\"600\" height=\"374\" \/><\/p>\n<p>This article has been written for\u00a0<a href=\"https:\/\/www.starwindsoftware.com\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">StarWind blog<\/a>\u00a0and can be found on\u00a0<a href=\"https:\/\/www.starwindsoftware.com\/blog\/vmware-horizon-grant-permissions-in-active-directory\" target=\"_blank\" rel=\"noopener noreferrer\">this page<\/a>. 
It covers the full procedure to <strong>grant permissions in Active Directory<\/strong> to limit security concerns.<\/p>\n<p>&nbsp;<\/p>\n<h2>Configure Domains in Horizon<\/h2>\n<p>Once the AD service account has been created and granted the correct permissions, it must be configured in Horizon to <strong>create the computer objects<\/strong> in the selected OU.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-47949 size-large\" title=\"horizon-grant-permissions-ad-14\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-14-600x308.jpg\" alt=\"horizon-grant-permissions-ad-14\" width=\"600\" height=\"308\" \/><\/p>\n<p>The AD service account has been configured in Horizon.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-47951 size-large\" title=\"horizon-grant-permissions-ad-15\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-15-600x193.jpg\" alt=\"horizon-grant-permissions-ad-15\" width=\"600\" height=\"193\" \/><\/p>\n<p>If everything works as expected, Instant Clones will be published and configured in Active Directory in the <strong>specified OU<\/strong>.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-47955 size-large\" title=\"horizon-grant-permissions-ad-17\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-17-600x276.jpg\" alt=\"horizon-grant-permissions-ad-17\" width=\"600\" height=\"276\" \/><\/p>\n<p>The user can access the Horizon Desktop Pool.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-47957 size-large\" title=\"horizon-grant-permissions-ad-18\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2021\/03\/horizon-grant-permissions-ad-18-600x205.jpg\" alt=\"horizon-grant-permissions-ad-18\" width=\"600\" height=\"205\" \/><\/p>\n<p>Delegating the service account used by Horizon to publish Instant Clones with <strong>minimum 
permissions<\/strong> to the dedicated OU is the recommended configuration to <strong>limit potential security breaches<\/strong>.<\/p>\n<p>Read the\u00a0<a href=\"https:\/\/www.starwindsoftware.com\/blog\/vmware-horizon-grant-permissions-in-active-directory\" target=\"_blank\" rel=\"noopener noreferrer\">full article<\/a>\u00a0on StarWind blog.<\/p>\n<p><img decoding=\"async\" title=\"signature\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/images\/firma.jpg\" alt=\"signature\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When Instant Clones are published, VMware Horizon needs the correct permissions in Active Directory to create the Computer Objects in the target OU. For security reasons, it is recommended to grant minimum permissions in Active Directory to the account used by Horizon to publish Instant Clones.<\/p>\n","protected":false},"author":3,"featured_media":47911,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rop_custom_images_group":[],"rop_custom_messages_group":[],"rop_publish_now":"initial","rop_publish_now_accounts":{"linkedin_93tdZWzMZc_93tdZWzMZc":"","facebook_2879994398731222_17841400390232720":"","twitter_113568041_113568041":"","mastodon_115463926174894442_115463926174894442":""},"rop_publish_now_history":[],"rop_publish_now_status":"pending","footnotes":""},"categories":[1025,2905],"tags":[688,2302,2303],"class_list":["post-47905","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-horizon-en","category-omnissa-en","tag-active-directory-en","tag-instant-clones-en","tag-permissions-en","has_thumb"],"_links":{"self":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/47905","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/no
labnoparty.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/comments?post=47905"}],"version-history":[{"count":0,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/47905\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media\/47911"}],"wp:attachment":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media?parent=47905"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/categories?post=47905"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/tags?post=47905"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}