
VMware Horizon: grant permissions in Active Directory

  • March 11, 2021
  • 6 min read
Cloud and Virtualization Architect. Paolo is a System Engineer, VCP-DCV, vExpert, VMCE, Veeam Vanguard, and author of the virtualization blog nolabnoparty.com

Horizon grant permissions

When Instant Clones are published, VMware Horizon needs the correct permissions in Active Directory to create the Computer Objects in the target OU.

For security reasons, it is recommended to grant minimum permissions in Active Directory to the account used by Horizon to publish Instant Clones.

To avoid potential permission issues, some administrators simply make the account configured in Horizon a member of Domain Admins. This is a serious security risk: the credentials are stored in the Connection Server, so anyone who compromises Horizon (or reads its configuration) obtains full control of the domain.

Grant permissions in Active Directory

The minimum set of permissions in Active Directory required by the service account used in VMware Horizon, granted on the target OU and its Computer objects only, is the following:

  • List Content
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Reset Password
  • Create Computer Objects
  • Delete Computer Objects

First step is the creation of the Active Directory service account (for example vminstantclone).

Creation of the Active Directory service account

Now create the Organizational Units where the Instant Clones will be created. From a Domain Controller, open Active Directory Users and Computers and create the requested OUs.

Organizational unit

In the example a Horizon OU has been created with some OUs underneath (Instant Clones and Users).

Instant Clones and Users

Permissions granted to the user will be restricted to this specific OU only, so that the account can do nothing anywhere else in the directory. Right click the just created OU and select Delegate Control.

Delegate Control

Click Next to proceed with the configuration.

Proceed with the configuration


Click Add and select the previously created user. This is the user that will be configured in VMware Horizon. Click Next.

Add and select the previously created user

Select Create a custom task to delegate then click Next.


Create a custom task to delegate

Select the Only the following objects in the folder option and tick Computer objects. Also enable the options Create selected objects in this folder and Delete selected objects in this folder. Click Next.


Select Only the following objects in the folder

Now select the following Permissions:

  • Read All Properties
  • Write All Properties
  • Reset password

Click Next.

Permissions

Click Finish to save the configuration and exit the wizard.

Save the configuration and exit the wizard

Check the granted permissions to the OU.

Check the granted permissions to the OU
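The same result can be obtained from the command line, which is easier to audit and to repeat across domains than the wizard. The following PowerShell script is an added example and is not part of the original article or of any VMware tooling: it creates the service account and the OUs, applies the same minimum ACEs the wizard produces (Create/Delete Computer objects on the OU, Read/Write All Properties, List Content, Read Permissions and Reset Password on the Computer objects underneath it), and then prints the resulting ACEs for verification. The domain name, OU names and account name are placeholders to adapt; the two schema GUIDs are the well-known values for the computer object class and the Reset Password extended right and are the same in every forest. The script requires the ActiveDirectory module (RSAT) and an account that can create OUs and modify their ACLs.

```powershell
# Added example, not from the original article. Assumptions: domain corp.example,
# OU layout Horizon\Instant Clones and Horizon\Users, service account vminstantclone.
Import-Module ActiveDirectory

$DomainDN   = 'DC=corp,DC=example'          # assumption: replace with your domain DN
$ParentOU   = "OU=Horizon,$DomainDN"
$CloneOU    = "OU=Instant Clones,$ParentOU"  # target OU configured later in the Desktop Pool
$SvcAccount = 'vminstantclone'               # account name used in the article

# Well-known schema GUIDs (identical in every AD forest)
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

# 1. OUs: parent OU for Horizon plus the two sub-OUs used in the article
foreach ($ou in @(@{Name='Horizon'; Path=$DomainDN},
                  @{Name='Instant Clones'; Path=$ParentOU},
                  @{Name='Users'; Path=$ParentOU})) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Service account. It lands in the default Users container; move it if your policy
#    requires a dedicated service-account OU. Never add it to any privileged group.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    $Password = Read-Host -AsSecureString "Password for $SvcAccount (use a long random value)"
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
               -AccountPassword $Password -Enabled $true `
               -Description 'VMware Horizon Instant Clone publisher (least privilege)'
}
$Sid = (Get-ADUser $SvcAccount).SID

# 3. Delegation on the Instant Clones OU only
$ADRule = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$Inh    = 'System.DirectoryServices.ActiveDirectorySecurityInheritance'
$Rules  = @(
    # Create Computer objects / Delete Computer objects in this OU and its sub-OUs
    New-Object $ADRule ($Sid, 'CreateChild, DeleteChild', 'Allow',
                        $ComputerClassGuid, ([$Inh]::All)),
    # List Content, Read All Properties, Write All Properties, Read Permissions
    # on descendant Computer objects only
    New-Object $ADRule ($Sid, 'ListChildren, ReadProperty, WriteProperty, ReadControl', 'Allow',
                        ([$Inh]::Descendents), $ComputerClassGuid),
    # Reset Password on descendant Computer objects only
    New-Object $ADRule ($Sid, 'ExtendedRight', 'Allow',
                        $ResetPasswordGuid, ([$Inh]::Descendents), $ComputerClassGuid)
)

$Acl = Get-Acl -Path "AD:\$CloneOU"
foreach ($rule in $Rules) { $Acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$CloneOU" -AclObject $Acl

# 4. Verify: only these ACEs for the service account should exist, and only on this OU
(Get-Acl -Path "AD:\$CloneOU").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcAccount" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType,
                 InheritanceType, InheritedObjectType -AutoSize
```

Two checks are worth running after the script: confirm that the account has no ACEs on any other OU (repeat step 4 against the domain root or the default Computers container and expect no rows), and confirm that it is not a member of any group beyond Domain Users. If the Instant Clones OU is later split into several sub-OUs, the inherited ACEs above already cover them, so no further delegation is needed.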

Configure Domains in Horizon

Once the AD service account has been created, it must be configured in Horizon to create the computer objects in the selected OU.

In VMware Horizon this configuration is done in the Domains section in the Settings area. Click Add to add the AD service account to use.

Add the AD service account to use

Select the Full domain name, then enter Username and Password. Click OK to save the configuration.

Select the Full domain name

The AD service account has been configured in Horizon.

The AD service account has been configured in Horizon

During the configuration of the Desktop Pool, you must specify the correct target OU where Horizon will publish the Instant Clones. By default, when a computer is joined to the domain, Active Directory places the object in the built-in Computers container (CN=Computers), not in an OU. Keep in mind that outside the delegated OU (Horizon in the example) the service account has no permission to create computer objects, so if the pool points anywhere else the publishing will fail with an error.

Specify the correct target OU

If everything works as expected, Instant Clones will be published and configured in Active Directory in the specified OU.

Instant Clones will be published and configured in Active Directory


The user can access the Horizon Desktop Pool.

Horizon Desktop Pool

Delegating only the minimum permissions to a dedicated service account, scoped to a dedicated OU, is the recommended configuration for the account Horizon uses to publish Instant Clones: if the account or the Connection Server is ever compromised, the damage is limited to the computer objects in that OU instead of the whole domain.
