When Instant Clones are published, VMware Horizon needs the correct permissions in Active Directory to create the Computer Objects in the target OU.
For security reasons, it is recommended to grant minimum permissions in Active Directory to the account used by Horizon to publish Instant Clones.
To avoid potential permission issues, some administrators grant Domain Admin rights to the account configured in Horizon to publish the machines. This of course raises serious security concerns in the network.
Grant permissions in Active Directory
The minimum set of permissions in Active Directory required by the service account used in VMware Horizon is the following:
- List Content
- Read All Properties
- Write All Properties
- Read Permissions
- Reset Password
- Create Computer Objects
- Delete Computer Objects
The first step is the creation of the Active Directory service account (for example vminstantclone).
Now create the Organizational Units where the Instant Clones will be created. From a Domain Controller, open Active Directory Users and Computers and create the requested OUs.
In the example a Horizon OU has been created with some OUs underneath (Instant Clones and Users).
Permissions granted to the user will be restricted to the specific OU only, to keep security as tight as possible. Right click the just created OU and select Delegate Control.
Click Next to proceed with the configuration.
Click Add and select the previously created user. This is the user that will be configured in VMware Horizon. Click Next.
Select Create a custom task to delegate then click Next.
Select the option Only the following objects in the folder and tick Computer objects. Also enable the options Create selected objects in this folder and Delete selected objects in this folder. Click Next.
Now select the following Permissions:
- Read All Properties
- Write All Properties
- Reset password
Click Next.
Click Finish to save the configuration and exit the wizard.
Check the granted permissions to the OU.
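The same delegation can be applied and, more importantly, audited from PowerShell. This is an added example, not part of the original post: it grants the listed rights on Computer objects under one OU to the service account and then reads back the ACEs that apply to it. The OU distinguished name and the lab domain are assumptions; the account name follows the post's example.

```powershell
# Added example: delegate the minimum Instant Clone rights on a single OU and audit the result.
# Assumed values: the OU DN and the domain "lab.local"; "vminstantclone" is the post's example account.
Import-Module ActiveDirectory

$ouDN       = "OU=Instant Clones,OU=Horizon,DC=lab,DC=local"   # assumption
$accountSam = "vminstantclone"

$account = Get-ADUser -Identity $accountSam
$sid     = [System.Security.Principal.SecurityIdentifier]$account.SID
$rootDse = Get-ADRootDSE

# schemaIDGUID of the "computer" class: scopes Create/Delete child to Computer objects only
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

# "Reset Password" is a control access right; look up its rightsGuid in the configuration partition
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$ouDN"

# Create Computer Objects / Delete Computer Objects in this OU and its sub-OUs
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow, $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# List Content, Read/Write All Properties, Read Permissions on descendant Computer objects only
$props = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]"ListChildren, ReadProperty, WriteProperty, ReadControl",
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerGuid)

# Reset Password on descendant Computer objects only
$resetPwd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerGuid)

$acl.AddAccessRule($createDelete); $acl.AddAccessRule($props); $acl.AddAccessRule($resetPwd)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: show only the ACEs on this OU that belong to the service account.
# Anything beyond these three entries (or an entry on another OU) is more than Horizon needs.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$accountSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Run the audit part alone against every OU in the domain to confirm the account holds no delegation outside the Horizon OU.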
Configure Domains in Horizon
Once the AD service account has been created, it must be configured in Horizon to create the computer objects in the selected OU.
In VMware Horizon this configuration is done in the Domains section in the Settings area. Click Add to add the AD service account to use.
Select the Full domain name, then enter Username and Password. Click OK to save the configuration.
The AD service account has been configured in Horizon.
During the configuration of the Desktop Pool, you must specify the correct target OU where Horizon will publish the Instant Clones. By default, when a computer is joined to the domain, Active Directory places the object in the default Computers container. Keep in mind that outside the delegated OU (Horizon in the example) the service account has no permission to create computer objects, so pointing the pool anywhere else will result in an error.
If everything works as expected, Instant Clones will be published and configured in Active Directory in the specified OU.
The user can access the Horizon Desktop Pool.
Delegating the service account used by Horizon to publish Instant Clones with minimum permissions on the dedicated OU is the recommended configuration to limit the potential security exposure.