When you register the first Active Directory domain with your Horizon Cloud environment, one auxiliary domain-bind account is required in the configuration. Having at least one auxiliary domain-bind account prevents your administrator users from being locked out of the administrative console if the primary bind account becomes inaccessible in the Active Directory domain. You can optionally configure additional auxiliary bind accounts for the cloud-configured Active Directory domains. Then, if both the primary and first auxiliary bind accounts configured for a domain become inaccessible, the system uses the next auxiliary bind account to connect to that Active Directory domain.


Verify that the Active Directory domain is one of your Horizon Cloud account's cloud-configured domains by navigating to Settings > Active Directory and seeing if the domain is listed on that page.

Verify that you have the user name and password information for the following accounts that are already configured in the console for the domain, because the user interface requires you to confirm the existing passwords when performing this task:

  • Password for the already configured bind account
  • Password for the domain join account already configured in the user interface

Verify that you have the user name and password information for the bind account you are adding and that it adheres to the requirements described in Domain Bind Account - Required Characteristics. As described in that section, the primary and auxiliary domain bind accounts are always assigned the Super Administrator role, which grants all the permissions to perform management actions in the console. You should ensure that the domain bind account is not accessible to users that you do not want to have Super Administrator permissions.

Caution: To prevent accidental lockouts over time, ensure that your domain-bind account meets the stated criteria, especially that the account password cannot expire, change, or be locked out. You must use this account configuration because the system uses this account as a service account to query Active Directory.
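One way to check a candidate bind account against the criteria in the caution above before entering it in the console. This is an added example, not part of the original documentation; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name `Test-BindAccountReadiness` and the account name `ourbindaccount` are hypothetical.

```powershell
# Added example: audit bind accounts for settings that lead to lockouts over time.
# Assumes the ActiveDirectory module (RSAT); account names are placeholders.
Import-Module ActiveDirectory

function Test-BindAccountReadiness {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [string]$Server   # optional: domain controller or domain FQDN to query
    )
    $props = 'PasswordNeverExpires', 'CannotChangePassword', 'LockedOut',
             'Enabled', 'PasswordExpired', 'LastBadPasswordAttempt'
    foreach ($name in $SamAccountName) {
        $query = @{ Identity = $name; Properties = $props }
        if ($Server) { $query.Server = $Server }
        try {
            $u = Get-ADUser @query -ErrorAction Stop
        } catch {
            # Unknown account or unreachable domain controller: report, keep going.
            [pscustomobject]@{
                Account  = $name
                Ready    = $false
                Findings = "lookup failed: $($_.Exception.Message)"
            }
            continue
        }
        $findings = @()
        if (-not $u.Enabled)              { $findings += 'account is disabled' }
        if (-not $u.PasswordNeverExpires) { $findings += 'password can expire' }
        if (-not $u.CannotChangePassword) { $findings += 'user can change password' }
        if ($u.PasswordExpired)           { $findings += 'password is already expired' }
        if ($u.LockedOut)                 { $findings += 'account is currently locked out' }
        [pscustomobject]@{
            Account                = $u.SamAccountName
            Ready                  = ($findings.Count -eq 0)
            Findings               = ($findings -join '; ')
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        }
    }
}

# Check the primary and the auxiliary account in one pass.
Test-BindAccountReadiness -SamAccountName 'ourbindaccount', 'ourbindaccount2' |
    Format-Table -AutoSize -Wrap
```

`LockedOut` reports only the current state; whether the account can be locked out in the future depends on the lockout policy that applies to it, so review that policy separately.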


  1. In the console, click Settings > Active Directory.
  2. Click the Active Directory domain for which you want to add the auxiliary bind account.
  3. Click Edit next to the displayed domain bind settings.
  4. In the Edit Active Directory dialog box, enter the password for the primary bind account.
    Entering the password here makes the Domain Bind button available to click to save the changes.
  5. Expand the advanced properties and click Add Auxiliary Bind Account.
    A section for the auxiliary account information is added to the dialog box.
  6. Type the account credentials.
    Note: In the field for the user name, only provide the user name itself, for example ourbindaccount2. Do not include the domain name here.
  7. Click Domain Bind.
  8. In any subsequent windows that appear, confirm the existing settings by clicking Save in each window.
    If the Domain Join window appears, type the password of the domain-join account before clicking Save.


The auxiliary bind account is available for the system to use if the primary and previously configured auxiliary bind accounts become inaccessible.

You can add multiple auxiliary bind accounts by repeating the steps. To change an auxiliary bind account's password or to remove it, use the corresponding links displayed in the Edit Active Directory window's advanced properties area.