The authorization mechanism that allows a user to access desktops and applications directly is controlled within a local entitlement group called View Agent Direct-Connection Users (Windows) or vmwvadc (Linux).
If a user is a member of this entitlement group, that user is authorized to connect to the virtual machine-based desktop, published desktop, or published applications.
When Horizon Agent Direct-Connection Plug-In (formerly View Agent Direct-Connection Plug-In) is first installed on a Windows machine, the View Agent Direct-Connection Users local entitlement group is created and contains the Authenticated Users group. Anyone who is successfully authenticated by the plug-in is authorized to access the desktop or applications.
vmwvadc local entitlement group is created without any members. To authorize a user to access the desktop or applications based on the machine, add a user entitlement through one of the following methods:
- Add the user to the default
vmwvadcentitlement group as described in Install Horizon Agent Direct-Connection Plug-In. - Add an existing user group to the list of Horizon Agent Direct-Connection Plug-In entitlements by modifying the /etc/vmware/vadc/viewagent-vadc.conf configuration file as described in Horizon Agent Direct-Connection Plug-In Configuration Settings. All members of the user group are then authorized to access the desktop or applications.
To restrict access to a desktop or multi-session host, you can modify the membership of the entitlement group to specify a list of users. These users can be local or domain users and user groups. If the user is not in this group, the user gets a message after authentication saying that the user is not entitled to access this virtual machine-based desktop or the published desktop and applications that are hosted on this multi-session host.
