Horizon Cloud requires two accounts in your Active Directory (AD) domain to use as service accounts. This topic describes the requirements that those two accounts must meet. You specify the two AD accounts that Horizon Cloud uses in these roles:
- A domain bind account that is used to perform lookups in your AD domain.
- A domain join account that is used for joining computer accounts to the domain and performing Sysprep operations.
Note: For pods in Microsoft Azure, the system uses this domain join account in operations that require joining virtual machines to the domain, such as when importing an image from the Microsoft Azure Marketplace, creating farm RDSH instances, creating VDI desktop instances, and so on.
You use the cloud-based administrative console to provide the credentials for these accounts to Horizon Cloud.
You must ensure that the Active Directory accounts you specify for these service accounts meet the following requirements for Horizon Cloud operations.
Domain Bind Account Requirements
- The domain bind account cannot expire, change, or be locked out, because the system uses the primary domain bind account as a service account to query Active Directory. If the primary domain bind account becomes inaccessible for some reason, the system falls back to the auxiliary domain bind account.
Important: If both the primary and auxiliary domain bind accounts expire or become inaccessible, you cannot log in to the console to update the configuration with working domain bind account information. If you do not set Never Expires on the primary and auxiliary domain bind accounts, give them different expiration times, track the approaching expiration, and update your Horizon Cloud domain bind account information before the expiration time is reached.
- The domain bind account requires the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >
- The domain bind account must have read permissions sufficient to look up AD accounts in all the AD organizational units (OUs) that you anticipate using in the Desktop-as-a-Service operations that Horizon Cloud provides, such as assigning desktop VMs to your end users. The domain bind account needs the ability to enumerate objects in your Active Directory, and requires the following permissions on all the OUs and objects that you expect to use with Horizon Cloud:
Important: Generally speaking, the domain bind accounts should be granted the default, out-of-the-box read-access permissions that are typically granted to Authenticated Users in a Microsoft Active Directory deployment. In an out-of-the-box deployment, those defaults usually give a standard domain user account the ability to perform the enumeration that Horizon Cloud needs from the domain bind account. However, if your organization's AD administrators have locked down read-access permissions for regular users, you must ask those AD administrators to preserve the Authenticated Users defaults for the domain bind accounts you will use for Horizon Cloud.
- List Contents
- Read All Properties
- Read Permissions
- Read tokenGroupsGlobalAndUniversal (implied by the Read All Properties permission)
- The domain bind account is always assigned the Super Administrator role, which grants all the permissions to perform management actions in the console. You should ensure that the domain bind account is not accessible to users that you do not want to have Super Administrator permissions.
Domain Join Account Requirements
- The domain join account cannot change or be locked out.
- Ensure that you meet at least one of the following criteria:
Caution: If the domain join account expires and you have no working auxiliary domain join account configured, Horizon Cloud operations for sealing images and provisioning farm RDSH VMs and VDI desktop VMs will fail.
- In your Active Directory, set the domain join account to Never Expires.
- Alternatively, configure an auxiliary domain join account that has a different expiration time than the first domain join account. If you choose this method, ensure that the auxiliary domain join account meets the same requirements as the main domain join account you configure in the console.
- The domain join account requires the sAMAccountName attribute. The sAMAccountName attribute must be 20 characters or less and cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >
- The domain join account needs the AD permissions listed in the table at the end of this topic.
- Some of the AD permissions in the list are typically assigned by Active Directory to accounts by default. However, if you have limited the security permission in your Active Directory, you must ensure that the domain join account has these permissions for the OUs and objects that you anticipate and expect to use with Horizon Cloud.
- In Microsoft Active Directory, when you create a new OU, the system might automatically set the Prevent Accidental Deletion attribute, which applies a Deny to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the Deny that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the Deny set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console.
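The following PowerShell check is an added example, not part of the Horizon Cloud documentation. It reads the account attributes that the bind-account and join-account requirements above depend on (sAMAccountName length and characters, lockout, password and account expiry) and reports any finding. It assumes the ActiveDirectory module on a domain-joined host; the account names at the end are placeholders.

```powershell
Import-Module ActiveDirectory

function Test-HorizonServiceAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $props = 'LockedOut', 'PasswordNeverExpires', 'PasswordExpired', 'PasswordLastSet', 'AccountExpirationDate'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $findings = @()

    # sAMAccountName: 20 characters or less, none of  " / \ [ ] : ; | = , + * ? < >
    if ($u.SamAccountName.Length -gt 20) { $findings += 'sAMAccountName is longer than 20 characters' }
    if ($u.SamAccountName -match '["/\\\[\]:;|=,+*?<>]') {
        $findings += 'sAMAccountName contains a character that is not allowed'
    }

    # Must be usable as a service account: enabled, not locked out, password not expired.
    if (-not $u.Enabled)    { $findings += 'account is disabled' }
    if ($u.LockedOut)       { $findings += 'account is locked out' }
    if ($u.PasswordExpired) { $findings += 'password has expired' }
    # "User must change password at next logon" leaves PasswordLastSet empty; this example
    # treats it as the kind of forced change the requirements rule out (an assumption).
    if ($null -eq $u.PasswordLastSet) { $findings += 'password change pending at next logon' }

    # Expiry: Never Expires is the simplest compliant setting. Otherwise report the dates so
    # that the primary and auxiliary accounts can be checked for different expiration times.
    if (-not $u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires is not set; track the password expiry' }
    if ($u.AccountExpirationDate)     { $findings += "account expires on $($u.AccountExpirationDate)" }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Compliant      = ($findings.Count -eq 0)
        Findings       = ($findings -join '; ')
    }
}

# Placeholder names: the primary and auxiliary bind and join accounts of your deployment.
'svc-hzn-bind', 'svc-hzn-bind-aux', 'svc-hzn-join', 'svc-hzn-join-aux' |
    ForEach-Object { Test-HorizonServiceAccount -SamAccountName $_ } | Format-Table -AutoSize
```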
The system performs explicit permission checks on the domain join account within the OU you specify in the Active Directory registration workflow (in the Default OU text box in that workflow) and within the OUs you specify in the farms and VDI desktop assignments you create, if those farm and VDI desktop assignment Computer OU text boxes are different from the default OU in the Active Directory registration.
To cover the cases where you might ever use a sub-OU, a best practice is for you to set these permissions to apply for all descendant objects of the Computer OU. The AD permissions required on the domain join account are shown in the table below.
| Access | Applies to |
| --- | --- |
| List Contents | This object and all descendant objects |
| Read All Properties | This object and all descendant objects |
| Write All Properties | All descendant objects |
| Read Permissions | This object and all descendant objects |
| Reset Password | Descendant Computer objects |
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
Although you can set Full Control instead of setting all the permissions separately, it is still recommended that you set the permissions separately.
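The following PowerShell script is an added example, not part of the Horizon Cloud documentation. It reads the Computer OU's ACL and reports, for each row of the table, whether the domain join account is granted that right directly and with which inheritance setting, and it warns about Deny entries on Delete All Child Objects of the kind that Prevent Accidental Deletion leaves behind. It assumes the ActiveDirectory module on a domain-joined host; the account name and OU distinguished name are placeholders, and rights granted only through group membership are not resolved.

```powershell
Import-Module ActiveDirectory
$R = [System.DirectoryServices.ActiveDirectoryRights]
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$any = [guid]::Empty                                             # ACE not limited to one object type

# The rows of the table: the right bit and the object type the ACE must name (or $any).
$required = @(
    @{ Name = 'List Contents';           Right = $R::ListChildren;  Type = $any },
    @{ Name = 'Read All Properties';     Right = $R::ReadProperty;  Type = $any },
    @{ Name = 'Write All Properties';    Right = $R::WriteProperty; Type = $any },
    @{ Name = 'Read Permissions';        Right = $R::ReadControl;   Type = $any },
    @{ Name = 'Reset Password';          Right = $R::ExtendedRight; Type = $resetPassword },
    @{ Name = 'Create Computer Objects'; Right = $R::CreateChild;   Type = $computerClass },
    @{ Name = 'Delete Computer Objects'; Right = $R::DeleteChild;   Type = $computerClass }
)

function Test-DomainJoinOuPermissions {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$OuDistinguishedName)

    $nt  = (Get-ADUser -Identity $SamAccountName).SID.Translate([System.Security.Principal.NTAccount]).Value
    $acl = Get-Acl -Path ('AD:\' + $OuDistinguishedName)
    # Only ACEs granted directly to the account are examined (group-derived rights are not resolved).
    $direct = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $nt }

    foreach ($req in $required) {
        $hits = $direct | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.ActiveDirectoryRights -band $req.Right)) -ne 0 -and
            ($_.ObjectType -eq $any -or $_.ObjectType -eq $req.Type)
        }
        [pscustomobject]@{
            Permission = $req.Name
            Granted    = [bool]$hits
            # Compare with the table: All = this object and all descendants, Descendents = descendants only
            AppliesTo  = (($hits | ForEach-Object { $_.InheritanceType }) -join ', ')
        }
    }

    # Deny entries from Prevent Accidental Deletion apply to Everyone, so they hit this account too.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ([int]($_.ActiveDirectoryRights -band ($R::DeleteChild -bor $R::Delete -bor $R::DeleteTree))) -ne 0
    } | ForEach-Object {
        Write-Warning ("Deny {0} for {1} on {2}" -f $_.ActiveDirectoryRights, $_.IdentityReference, $OuDistinguishedName)
    }
}

# Placeholders: your domain join account and the Computer OU used in the console.
Test-DomainJoinOuPermissions -SamAccountName 'svc-hzn-join' -OuDistinguishedName 'OU=HorizonComputers,DC=example,DC=com'
```

Run it again for each sub-OU named in a farm or VDI desktop assignment whose Computer OU differs from the default OU.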