Horizon Cloud requires use of two accounts in your Active Directory (AD) domain to use as service accounts. This topic describes the requirements that those two accounts must meet.
Horizon Cloud requires that you specify two AD accounts to use as these two service accounts.
- A domain bind account that is used to perform lookups in your AD domain.
- A domain join account that is used for joining computer accounts to the domain and performing Sysprep operations.
Note: For pods in Microsoft Azure, the system uses this domain join account in operations that require joining virtual machines to the domain, such as when importing an image from the Microsoft Azure Marketplace, creating farm RDSH instances, creating VDI desktop instances, and so on.
You must ensure that the Active Directory accounts you specify for these service accounts meet the following requirements that Horizon Cloud requires for its operations. After onboarding your first pod to your tenant, you use the cloud-based administrative console to provide the credentials for these accounts.
Important:
- Do not use these service accounts in configurations other than in the Horizon Cloud Active Directory domain registration. If you reuse these service accounts in other configurations, unexpected results can occur. For example, do not reuse this same domain bind account in your Workspace ONE Access connector configuration settings, or unexpected notifications about the domain bind account might appear in the Horizon Universal Console.
- You must ensure that your domain bind and domain join accounts continue to have the permissions as described here on all the OUs and objects that you are using and expect to use with the system. Horizon Cloud cannot pre-populate or predict in advance which Active Directory groups you might want to use in the environment. You must configure Horizon Cloud with the domain bind account and domain join account using the console.
Caution:
Although you can set Full Control on the accounts instead of setting all the permissions separately, it is still recommended that you set the permissions separately.
Domain Bind Account - Required Characteristics
- The domain bind account cannot expire, change, or be locked out. You must use this type of account configuration because the system uses the primary domain bind account as a service account to query Active Directory. If the primary domain bind account becomes inaccessible for some reason, the system then uses the auxiliary domain bind account. If both the primary and auxiliary domain bind accounts expire or become inaccessible, then you cannot log in to the cloud-based console and update the configuration.
Important: If both the primary and auxiliary domain bind accounts expire or become inaccessible, then you cannot log in to the console and update the configuration with working domain bind account information. If you do not set Never Expires on the primary or auxiliary domain bind accounts, you should make them have different expiration times. You must keep track as the expiration time approaches and update your Horizon Cloud domain bind account information before the expiration time is reached.
- The domain bind account requires the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >
- The domain bind account is always assigned the Super Administrator role, which grants all the permissions to perform management actions in the console. You should ensure that the domain bind account is not accessible to users that you do not want to have Super Administrator permissions. For more information about the roles used by the console, see Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.
Domain Bind Account - Required Active Directory Permissions
The domain bind account must have read permissions which can look up AD accounts for all the AD organizational units (OUs) that you anticipate using in the Desktop-as-a-Service operations that Horizon Cloud provides — operations such as assigning desktop VMs to your end users. The domain bind account needs the ability to enumerate objects from your Active Directory. The domain bind account requires the following permissions on all the OUs and objects that you anticipate and expect to use with Horizon Cloud:
- List Contents
- Read All Properties
- Read Permissions
- Read tokenGroupsGlobalAndUniversal (implied by the Read All Properties permission)
Important: Generally speaking, the domain bind accounts should be granted the default out-of-the-box read-access-related permissions that are typically granted to
Authenticated Users in a Microsoft Active Directory deployment. In an out-of-the-box Microsoft Active Directory deployment, those default settings typically granted to
Authenticated Users usually give a standard domain user account the ability to do the required enumeration that
Horizon Cloud needs for the domain bind account. However, if your organization's AD administrators have chosen to lock down read-access-related permissions for regular users, you must request those AD administrators preserve the
Authenticated Users standard defaults for the domain bind accounts you will use for
Horizon Cloud.
Domain Join Account - Required Characteristics
- The domain join account cannot change or be locked out.
- The account's user name cannot contain white spaces. If the name contains a white space, unexpected results will occur in the system operations that rely on that account.
- The domain join account requires the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >
- Ensure that you meet at least one of the following criteria:
- In your Active Directory, set the domain join account to Never Expires.
- Alternatively, configure an auxiliary domain join account that has a different expiration time than the first domain join account. If you choose this method, ensure that the auxiliary domain join account meets the same requirements as the main domain join account you configure in the console.
Caution: If the domain join account expires and you have no working auxiliary domain join account configured, Horizon Cloud operations for sealing images and provisioning farm RDSH VMs and VDI desktop VMs will fail.
Important: If your tenant has any
Horizon Cloud pods in Microsoft Azure that are running manifests older than 1600.0, you must ensure that the domain join account you enter when registering the domain is also in one of the Active Directory groups to which you assign the
Horizon Cloud Super Administrators role. The system's operations with those pods running those old manifest versions depend on the domain join account having the permissions granted by the
Horizon Cloud Super Administrators role. For a description of how to assign the role to a group, see
Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment.
Domain Join Account - Required Active Directory Permissions
The domain join account is configured at a tenant level. The system uses the same domain join account that is configured in the Active Directory registration for all of its domain-join-related operations with all of the pods in your tenant's fleet.
The system performs explicit permission checks on the domain join account within the OU you specify in the Active Directory registration workflow (in the Default OU text box in that workflow) and within the OUs you specify in the farms and VDI desktop assignments you create, if those farm and VDI desktop assignment Computer OU text boxes are different from the default OU in the Active Directory registration.
To cover the cases where you might ever use a sub-OU, a best practice is for you to set these required permissions to apply for all descendant objects of the Computer OU.
Important:
- Some of the AD permissions in the list are typically assigned by Active Directory to accounts by default. However, if you have limited the security permission in your Active Directory, you must ensure that the domain join account has these permissions for the OUs and objects that you anticipate and expect to use with Horizon Cloud.
- In Microsoft Active Directory, when you create a new OU, the system might automatically set the
Prevent Accidental Deletionattribute which applies aDenyto the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear theDenythat Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear theDenypermission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.
Tip: For pod manifests of 2474.0 and later, the set of required Active Directory permissions for the domain join accounts is reduced from the previous set to provide more flexibility for tenants. However, because the domain join account is configured at a tenant level, the system uses the same domain join accounts in domain-join-related operations with all of the pods in your tenant's fleet. Therefore, when your fleet includes pods of manifests prior to 2474.0, you must ensure your domain join accounts have the prior set of permissions that those pods require. When all of your Horizon pods in Microsoft Azure are updated to pod manifest 2474.0 or later, then you can adopt the newer reduced set of Active Directory permissions for your domain join accounts.
| Access | Applies to |
|---|---|
| Read All Properties | This object only |
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
| Write All Properties | Descendant Computer objects |
| Reset Password | Descendant Computer objects |
| Access | Applies to |
|---|---|
| List Contents | This object and all descendant objects |
| Read All Properties | This object and all descendant objects |
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
| Write All Properties | All descendant objects |
| Read Permissions | This object and all descendant objects |
| Reset Password | Descendant Computer objects |
