Horizon Cloud requires two accounts in your Active Directory (AD) domain to use as service accounts. This topic describes the requirements that those two accounts must meet.

Horizon Cloud requires that you specify two AD accounts to use as these two service accounts.

  • A domain bind account that is used to perform lookups in your AD domain.

  • A domain join account that is used for joining computer accounts to the domain and performing Sysprep operations.

You use the Administration Console to provide the credentials for these accounts to Horizon Cloud.

You must ensure that the AD accounts you specify for these service accounts meet the following requirements, which Horizon Cloud needs for its operations.

Important:

You must ensure that your domain bind and domain join accounts continue to have the permissions as described here for all of the OUs and objects that you are using and expect to use with the system. Horizon Cloud cannot pre-populate or predict in advance which Active Directory groups you might want to use in the environment. You must configure Horizon Cloud with the domain bind account and domain join account using the Administration Console.

Domain Bind Account Requirements

  • The domain bind account cannot expire, change, or be locked out. This account configuration is required because the system uses the primary domain bind account as a service account to query Active Directory. If the primary domain bind account becomes inaccessible for some reason, the system falls back to the auxiliary domain bind account.

    Important:

    If both the primary and auxiliary domain bind accounts expire or become inaccessible, then you will not be able to log in to the Administration Console and update the configuration with working domain bind account information. If you choose not to set Never Expires on the primary or auxiliary domain bind accounts, you should make them have different expiration times. You will have to keep track as the expiration time approaches and update your Horizon Cloud domain bind account information before the expiration time is reached.

  • The domain bind account requires the sAMAccountName attribute.

  • At a minimum, the domain bind account must have read permission on all of the AD organizational units (OUs) that you anticipate using in the Desktop-as-a-Service operations that Horizon Cloud provides, such as assigning desktop VMs to your end users, so that it can look up AD accounts in those OUs. The domain bind account must be able to enumerate objects in your Active Directory.

    Important:

    The typical default settings in Active Directory give a standard domain user account the ability to do that enumeration. However, if you have restricted the security permissions in your Active Directory, you must ensure that the domain bind account has read permission on all of the OUs and objects that you expect to use with Horizon Cloud.
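The following PowerShell is an added example, not VMware's code or part of the original page. It checks the account-state requirements above (not expired, not locked out, sAMAccountName present, Never Expires set or a known password expiry date) for a primary and an auxiliary account, and then confirms that the bind account can actually enumerate objects under each OU by querying as that account. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the accounts; the account names, OU paths and domain controller name are constructed placeholders. The same account-state checks apply to the domain join account, so the first function can be reused for it.

```powershell
# Added example (not VMware's code). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-HorizonServiceAccount {
    # Reports the account-state requirements for a Horizon Cloud service account
    # (domain bind or domain join): enabled, not locked out, not expired,
    # sAMAccountName present, and either Never Expires or a known expiry date.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $props = 'sAMAccountName', 'PasswordNeverExpires', 'PasswordExpired', 'LockedOut',
             'Enabled', 'AccountExpirationDate', 'msDS-UserPasswordExpiryTimeComputed'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    $findings = @()
    if (-not $u.Enabled)    { $findings += 'account is disabled' }
    if ($u.LockedOut)       { $findings += 'account is locked out' }
    if ($u.PasswordExpired) { $findings += 'password has expired' }
    if ([string]::IsNullOrEmpty($u.sAMAccountName)) { $findings += 'sAMAccountName is missing' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $findings += 'account has expired'
    }

    # Without Never Expires, surface the computed password expiry so it can be
    # compared with the auxiliary account's date (the two dates should differ).
    $pwdExpiry = $null
    if (-not $u.PasswordNeverExpires) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -and $raw -ne 0 -and $raw -ne [Int64]::MaxValue) {
            $pwdExpiry = [DateTime]::FromFileTime($raw)
        }
    }

    [pscustomobject]@{
        Account              = $u.sAMAccountName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpires      = $pwdExpiry
        Findings             = $findings
    }
}

function Test-HorizonBindRead {
    # Verifies that the bind account can enumerate objects under each OU by
    # running the query as that account. A subtree search always includes the
    # OU itself, so a count of zero means the OU is not readable to the account.
    param([string[]]$OUs, [pscredential]$BindCredential, [string]$Server)
    foreach ($ou in $OUs) {
        try {
            $n = @(Get-ADObject -SearchBase $ou -SearchScope Subtree -Filter * `
                    -ResultSetSize 5 -Credential $BindCredential -Server $Server).Count
            [pscustomobject]@{ OU = $ou; Readable = ($n -gt 0); Sampled = $n }
        } catch {
            [pscustomobject]@{ OU = $ou; Readable = $false; Sampled = 0 }
        }
    }
}

# Constructed placeholders: replace with your own account names, OUs and DC.
$primary   = Test-HorizonServiceAccount -SamAccountName 'svc-hzn-bind'
$auxiliary = Test-HorizonServiceAccount -SamAccountName 'svc-hzn-bind-aux'
$primary, $auxiliary | Format-Table Account, PasswordNeverExpires, PasswordExpires, Findings

# If neither account is set to Never Expires, the expiry dates must differ so
# that both accounts cannot lapse at the same time.
if (-not $primary.PasswordNeverExpires -and -not $auxiliary.PasswordNeverExpires -and
    $primary.PasswordExpires -eq $auxiliary.PasswordExpires) {
    Write-Warning 'Primary and auxiliary bind accounts share the same password expiry date.'
}

$bindCred = Get-Credential -UserName 'EXAMPLE\svc-hzn-bind' -Message 'Domain bind account'
Test-HorizonBindRead -OUs @('OU=HorizonCloud,DC=example,DC=com', 'OU=Users,DC=example,DC=com') `
                     -BindCredential $bindCred -Server 'dc01.example.com' | Format-Table
```

Run the read check for every OU you expect to assign desktops from; an OU that reports Readable = False is one where the default read permission has been restricted and the bind account needs an explicit read grant.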

Domain Join Account Requirements

  • The domain join account cannot change or be locked out.

  • Ensure you meet at least one of the following criteria:

    • In your Active Directory, set the domain join account to Never Expires.

    • Alternatively, configure an auxiliary domain join account that has a different expiration time than the first domain join account. If you choose this method, ensure that the auxiliary domain join account meets the same requirements as the main domain join account you configure in the Administration Console.

    Caution:

    If the domain join account expires and you have no working auxiliary domain join account configured, Horizon Cloud operations for sealing images and provisioning farm server VMs and VDI desktop VMs will fail.

  • The domain join account requires the sAMAccountName attribute.

  • The domain join account needs the AD permissions in the following list.

    Important:

    Some of the AD permissions in the list are typically assigned to accounts by Active Directory by default. However, if you have restricted the security permissions in your Active Directory, you must ensure that the domain join account has these permissions on the OUs and objects that you expect to use with Horizon Cloud.

    The AD permissions required on the domain join account are:

    • List Contents

    • Read All Properties

    • Write All Properties

    • Read Permissions

    • Reset Password

    • Create Computer Objects

    • Delete Computer Objects

Caution:

If you are going to use Instant Clone images, there are additional requirements on the domain join account. In addition to the OU that you specify in the Administration Console when you register the Active Directory domain, the domain join account must also have the following permissions on any OU or sub-OU in which you want to place a desktop built from an Instant Clone image.

  • List Contents

  • Read All Properties

  • Write All Properties

  • Read Permissions

  • Reset Password

  • Create Computer Objects

  • Delete Computer Objects
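The following PowerShell is an added example, not VMware's code or part of the original page. It grants the permission set listed for the domain join account (the same set appears above for the registered OU and for Instant Clone OUs, so one script covers both) on each OU you name, and then reads the ACL back and reports which of the seven permissions the account holds there. It assumes the RSAT ActiveDirectory module, an account with rights to modify the OU ACLs, and the well-known schema GUIDs for the computer class and the Reset Password control access right; the account name and OU paths are constructed placeholders.

```powershell
# Added example (not VMware's code). Assumes the RSAT ActiveDirectory module and
# rights to change the ACL on the target OUs.
Import-Module ActiveDirectory

$JoinAccount = 'EXAMPLE\svc-hzn-join'                      # placeholder account
$OUs = @(
    'OU=HorizonCloud,DC=example,DC=com',                   # OU registered in the Administration Console
    'OU=InstantClones,OU=HorizonCloud,DC=example,DC=com'   # any OU/sub-OU that will hold Instant Clone desktops
)

# Well-known Active Directory schema GUIDs referenced by the ACEs.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0562'  # "Reset Password" control access right

$sid = (New-Object System.Security.Principal.NTAccount($JoinAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$R          = [System.DirectoryServices.ActiveDirectoryRights]

function New-HorizonJoinAces {
    # Builds the ACEs that together cover List Contents, Read All Properties,
    # Write All Properties, Read Permissions, Reset Password, and
    # Create/Delete Computer Objects, inherited by the OU and its sub-objects.
    param([System.Security.Principal.SecurityIdentifier]$Identity)
    @(
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity,
            ($R::ListChildren -bor $R::ReadProperty -bor $R::WriteProperty -bor $R::ReadControl),
            $allow, $inheritAll)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity,
            $R::ExtendedRight, $allow, $ResetPasswordGuid, $inheritAll)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity,
            ($R::CreateChild -bor $R::DeleteChild), $allow, $ComputerClassGuid, $inheritAll)
    )
}

function Test-HorizonJoinAcl {
    # Reads the OU ACL back and reports which required permissions the account
    # holds. An ACE with an empty ObjectType applies to all properties/classes,
    # so it also satisfies the object-specific checks.
    param([string]$OU, [System.Security.Principal.SecurityIdentifier]$Identity)
    $acl  = Get-Acl -Path "AD:\$OU"
    $mine = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Identity
    }
    $has = {
        param($right, $guid)
        [bool]($mine | Where-Object {
            ($_.ActiveDirectoryRights -band $right) -eq $right -and
            ($null -eq $guid -or $_.ObjectType -eq $guid -or $_.ObjectType -eq [Guid]::Empty)
        })
    }
    [pscustomobject]@{
        OU                    = $OU
        ListContents          = & $has $R::ListChildren  $null
        ReadAllProperties     = & $has $R::ReadProperty  $null
        WriteAllProperties    = & $has $R::WriteProperty $null
        ReadPermissions       = & $has $R::ReadControl   $null
        ResetPassword         = & $has $R::ExtendedRight $ResetPasswordGuid
        CreateComputerObjects = & $has $R::CreateChild   $ComputerClassGuid
        DeleteComputerObjects = & $has $R::DeleteChild   $ComputerClassGuid
    }
}

foreach ($ou in $OUs) {
    $acl = Get-Acl -Path "AD:\$ou"
    New-HorizonJoinAces -Identity $sid | ForEach-Object { $acl.AddAccessRule($_) }
    Set-Acl -Path "AD:\$ou" -AclObject $acl
    Test-HorizonJoinAcl -OU $ou -Identity $sid
}
```

The grant is scoped to the listed OUs rather than the domain root, and Create/Delete Computer Objects is limited to the computer class, which keeps the join account at the least privilege the requirements call for. Re-run Test-HorizonJoinAcl on its own whenever you add an Instant Clone OU to confirm the inherited ACEs reached it.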