Horizon Cloud requires use of two accounts in your Active Directory (AD) domain to use as service accounts. This topic describes the requirements that those two accounts must meet.

Horizon Cloud requires that you specify two AD accounts to use as these two service accounts.

  • A domain bind account that is used to perform lookups in your AD domain.
  • A domain join account that is used for joining computer accounts to the domain and performing Sysprep operations.
    Note: For pods in Microsoft Azure, the system uses this domain join account in operations that require joining virtual machines to the domain, such as when importing an image from the Microsoft Azure Marketplace, creating farm RDSH instances, creating VDI desktop instances, and so on.

You use the Administration Console to provide the credentials for these accounts to Horizon Cloud.

You must ensure that the Active Directory accounts you specify for these service accounts meet the following requirements for Horizon Cloud operations.

Important: You must ensure that your domain bind and domain join accounts continue to have the permissions as described here on all the OUs and objects that you are using and expect to use with the system. Horizon Cloud cannot pre-populate or predict in advance which Active Directory groups you might want to use in the environment. You must configure Horizon Cloud with the domain bind account and domain join account using the Administration Console.

Domain Bind Account Requirements

  • The domain bind account cannot expire, change, or be locked out. This configuration is required because the system uses the primary domain bind account as a service account to query Active Directory. If the primary domain bind account becomes inaccessible for some reason, the system then uses the auxiliary domain bind account.
    Important: If both the primary and auxiliary domain bind accounts expire or become inaccessible, then you will not be able to log in to the Administration Console and update the configuration with working domain bind account information. If you do not set Never Expires on the primary or auxiliary domain bind accounts, you should make them have different expiration times. You will have to keep track as the expiration time approaches and update your Horizon Cloud domain bind account information before the expiration time is reached.
  • The domain bind account requires the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >
  • At a minimum, the domain bind account must have read permissions sufficient to look up AD accounts in all of the AD organizational units (OUs) that you anticipate using in the Desktop-as-a-Service operations that Horizon Cloud provides, such as assigning desktop VMs to your end users. The domain bind account needs the ability to enumerate objects from your Active Directory.
    Important: The typical default settings in Active Directory give a standard domain user account the ability to do that enumeration. However, if you have limited the security permission in your Active Directory, you must ensure that the domain bind account has read permissions for all the OUs and objects that you anticipate and expect to use with Horizon Cloud.
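As an added example (not from the Horizon Cloud documentation), the following PowerShell checks a service account against the attribute requirements above: sAMAccountName length and forbidden characters, lockout, and password and account expiry. The same checks apply to the domain join account. It assumes the RSAT ActiveDirectory module is installed; the account names are placeholders.

```powershell
# Added example, not part of the Horizon Cloud documentation.
# Assumes the RSAT ActiveDirectory module; 'svc-hzn-bind' and 'svc-hzn-bind2' are placeholder names.
Import-Module ActiveDirectory

# Characters the requirements forbid in sAMAccountName (single quotes keep \ and " literal)
$ForbiddenChars = [char[]]'"/\[]:;|=,+*?<>'

function Test-HorizonServiceAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties `
        PasswordNeverExpires, CannotChangePassword, LockedOut, AccountExpirationDate, PasswordExpired

    $findings = @()
    if ($u.SamAccountName.Length -gt 20) {
        $findings += 'sAMAccountName is longer than 20 characters'
    }
    if ($u.SamAccountName.IndexOfAny($ForbiddenChars) -ge 0) {
        $findings += 'sAMAccountName contains a forbidden character (" / \ [ ] : ; | = , + * ? < >)'
    }
    if (-not $u.Enabled)    { $findings += 'account is disabled' }
    if ($u.LockedOut)       { $findings += 'account is currently locked out' }
    if ($u.PasswordExpired) { $findings += 'password has already expired' }
    if ($u.AccountExpirationDate) {
        $findings += "account itself expires on $($u.AccountExpirationDate)"
    }
    if (-not $u.PasswordNeverExpires) {
        # Permitted by the requirements, but the expiry must then be tracked and staggered
        # against the auxiliary account so both are never unavailable at once
        $findings += 'PasswordNeverExpires is not set; track the expiry date and stagger it against the auxiliary account'
    }
    if (-not $u.CannotChangePassword) {
        # Reading "cannot change" as the "User cannot change password" flag (an interpretation, not stated by the page)
        $findings += 'user is allowed to change the password'
    }

    [pscustomobject]@{
        Account   = $u.SamAccountName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Check the primary and auxiliary domain bind accounts (placeholder names)
'svc-hzn-bind', 'svc-hzn-bind2' | ForEach-Object { Test-HorizonServiceAccount -SamAccountName $_ }
```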

Domain Join Account Requirements

  • The domain join account cannot change or be locked out.
  • Ensure that you meet at least one of the following criteria:
    • In your Active Directory, set the domain join account to Never Expires.
    • Alternatively, configure an auxiliary domain join account that has a different expiration time than the first domain join account. If you choose this method, ensure that the auxiliary domain join account meets the same requirements as the main domain join account you configure in the Administration Console.
    Caution: If the domain join account expires and you have no working auxiliary domain join account configured, Horizon Cloud operations for sealing images and provisioning farm RDSH VMs and VDI desktop VMs will fail.
  • The domain join account requires the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: "/ \ [ ] : ; | = , + * ? < >
  • The domain join account needs the AD permissions in the following list.
    Important: Some of the AD permissions in the list are typically assigned by Active Directory to accounts by default. However, if you have limited the security permission in your Active Directory, you must ensure that the domain join account has these permissions for the OUs and objects that you anticipate and expect to use with Horizon Cloud.

    The system performs explicit permission checks on the domain join account within the OU you specify in the Active Directory registration workflow (in the Default OU field in that workflow) and within the OUs you specify in the farms and VDI desktop assignments you create, if those farm and VDI desktop assignment Computer OU fields are different from the default OU in the Active Directory registration.

    To cover the cases where you might ever use a sub-OU, a best practice is for you to set these permissions to apply for all descendant objects of the Computer OU. The AD permissions required on the domain join account are shown in the table below.

    Access                    Applies to
    List Contents             This object and all descendant objects
    Read All Properties       This object and all descendant objects
    Write All Properties      All descendant objects
    Read Permissions          This object and all descendant objects
    Reset Password            Descendant Computer objects
    Create Computer Objects   This object and all descendant objects
    Delete Computer Objects   This object and all descendant objects

    Caution: Although you can set Full Control instead of setting all the permissions separately, it is still recommended that you set the permissions separately.
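As an added example (not a VMware script), the following PowerShell grants the domain join account exactly the permissions in the table above on a Computer OU, one ACE at a time, rather than Full Control. It assumes the RSAT ActiveDirectory module and an account permitted to modify the OU's ACL; the join account name and OU distinguished name are placeholders, and the schema and extended-right GUIDs are the standard well-known values.

```powershell
# Added example, not a VMware script. Grants the domain join account the permissions
# in the table above on a Computer OU, ACE by ACE, instead of Full Control.
# Assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's ACL;
# the account name and OU distinguished name are placeholders.
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal

Import-Module ActiveDirectory

$JoinAccount = 'EXAMPLE\svc-hzn-join'                    # placeholder domain join account
$ComputerOU  = 'OU=HorizonDesktops,DC=example,DC=local'  # placeholder Computer OU

# Well-known AD schema and control-access-right GUIDs
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

$id    = [NTAccount]$JoinAccount
$allow = [AccessControlType]::Allow
$All   = [ActiveDirectorySecurityInheritance]::All          # this object and all descendant objects
$Desc  = [ActiveDirectorySecurityInheritance]::Descendents  # descendant objects only

$aces = @(
    [ActiveDirectoryAccessRule]::new($id, [ActiveDirectoryRights]::ListChildren,  $allow, $All)   # List Contents
    [ActiveDirectoryAccessRule]::new($id, [ActiveDirectoryRights]::ReadProperty,  $allow, $All)   # Read All Properties
    [ActiveDirectoryAccessRule]::new($id, [ActiveDirectoryRights]::WriteProperty, $allow, $Desc)  # Write All Properties
    [ActiveDirectoryAccessRule]::new($id, [ActiveDirectoryRights]::ReadControl,   $allow, $All)   # Read Permissions
    # Reset Password, limited to descendant Computer objects
    [ActiveDirectoryAccessRule]::new($id, [ActiveDirectoryRights]::ExtendedRight, $allow, $ResetPassword, $Desc, $ComputerClass)
    # Create / Delete Computer Objects on this object and all descendants
    [ActiveDirectoryAccessRule]::new($id, [ActiveDirectoryRights]::CreateChild, $allow, $ComputerClass, $All)
    [ActiveDirectoryAccessRule]::new($id, [ActiveDirectoryRights]::DeleteChild, $allow, $ComputerClass, $All)
)

$acl = Get-Acl -Path "AD:\$ComputerOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ComputerOU" -AclObject $acl

# Verify: list the ACEs now held by the join account on the OU and compare them with the table
(Get-Acl -Path "AD:\$ComputerOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    Format-Table ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

Run the same script once per Computer OU used by a farm or VDI desktop assignment whose OU differs from the default OU, since the permission checks are made on each of those OUs.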