Horizon Client User Accounts

In Active Directory, configure user accounts for users that need to access remote desktops and published applications. If you plan to use the RDP protocol, the user accounts must be members of the Remote Desktop Users group.

As a general rule, do not make end users administrators. If an administrator must verify the user experience, create and entitle a separate test account. On remote desktops, do not make end users members of privileged groups, such as Administrators. These users can modify locked-down configuration files and the Windows Registry.

System Accounts Created During Installation

Horizon Client does not create service user accounts on any type of client. For the services that Horizon Client for Windows creates, the login ID is Local System.

On Mac clients, users must grant Local Admin access to start the USB service the first time that Horizon Client starts. After the service starts for the first time, the standard user has execution access. Similarly, on a Linux client, if a user clicks the Register and start the service(s) after installation check box during installation, the vmware-usbarbitrator and vmware-view-used daemons start automatically. These processes run as root.

Horizon Agent does not create any service user accounts on Windows desktops. On Linux desktops, it creates a system account called vmwblast. On Linux desktops, the StandaloneAgent daemon runs with root privileges and the VmwareBlastServer daemon runs with vmwblast privileges.