If you use View Composer, you must create a user account in Active Directory that allows View Composer to perform certain operations in Active Directory. View Composer requires this account to join linked-clone virtual machines to your Active Directory domain.
To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. You can give the account the minimum privileges that it needs to create and remove computer objects in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges.
Procedure
- In Active Directory, create a user account in the same domain as your Connection Server host or in a trusted domain.
- Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
The following list shows all the required permissions for the user account, including permissions that are assigned by default:
- List Contents
- Read All Properties
- Write All Properties
- Read Permissions
- Reset Password
- Create Computer Objects
- Delete Computer Objects
Note: Fewer permissions are required if you select the
Allow reuse of pre-existing computer accounts setting for a desktop pool. Make sure that the following permissions are assigned to the user account:
- List Contents
- Read All Properties
- Read Permissions
- Reset Password
- Make sure that the user account's permissions apply to the Active Directory container and to all child objects of the container.
What to do next
Specify the account in Horizon Administrator when you configure View Composer domains in the Add vCenter Server wizard and when you configure and deploy linked-clone desktop pools.
