Before you deploy instant clones, you must create a user account that has the permissions required to perform certain operations in Active Directory.

Select this account when you add an instant-clone domain administrator before deploying instant-clone desktop pools. For more information, see Add an Instant-Clone Domain Administrator.


  1. In Active Directory, create a user account in the same domain as the Connection Server or in a trusted domain.
  2. Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account on the container for the instant-clone computer accounts.
    The following list shows the required permissions for the user account, including permissions that are assigned by default:
    • List Contents
    • Read All Properties
    • Write All Properties
    • Read Permissions
    • Reset Password
    • Create Computer Objects
    • Delete Computer Objects

    Make sure that the permissions apply to the correct container and to all child objects of the container.

    It is important to follow these steps to create a user account with correct permissions. Using a user account with insufficient permissions might result in domain join failure if you applied Microsoft security update KB5020276 as described in KB 92214.
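
One way to check the result of step 2 before deploying a pool, as an added example that is not part of the original documentation. The OU distinguished name and account name are placeholders, and treating an ACE with inheritance type All or Descendents as "applies to child objects" is this script's assumption.

```powershell
# Added example (not from the product documentation): read-only audit of the delegation.
# $OuDn and $Account are placeholders. Only Allow ACEs granted directly to the account
# are checked; rights obtained through group membership and Deny ACEs are not evaluated.
Import-Module ActiveDirectory   # RSAT module, provides the AD: drive

$OuDn    = 'OU=InstantClones,DC=example,DC=com'
$Account = 'EXAMPLE\svc-instantclone'

$Computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$ResetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$Any      = [guid]::Empty                                 # ACE not limited to one class/property

# Required permission -> AD right and the object-type GUIDs that satisfy it.
$required = [ordered]@{
    'List Contents'           = @{ Right = 'ListChildren';  Types = @($Any) }
    'Read All Properties'     = @{ Right = 'ReadProperty';  Types = @($Any) }
    'Write All Properties'    = @{ Right = 'WriteProperty'; Types = @($Any) }
    'Read Permissions'        = @{ Right = 'ReadControl';   Types = @($Any) }
    'Reset Password'          = @{ Right = 'ExtendedRight'; Types = @($Any, $ResetPwd) }
    'Create Computer Objects' = @{ Right = 'CreateChild';   Types = @($Any, $Computer) }
    'Delete Computer Objects' = @{ Right = 'DeleteChild';   Types = @($Any, $Computer) }
}

$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account
}

$report = foreach ($name in $required.Keys) {
    $need  = $required[$name]
    $right = [System.DirectoryServices.ActiveDirectoryRights]$need.Right
    $match = @($aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($right) -and
        ($need.Types -contains $_.ObjectType) -and
        (($Any, $Computer) -contains $_.InheritedObjectType)
    })
    [pscustomobject]@{
        Permission     = $name
        Granted        = $match.Count -gt 0
        CoversChildren = @($match | Where-Object { $_.InheritanceType -in 'All', 'Descendents' }).Count -gt 0
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not ($_.Granted -and $_.CoversChildren) }) {
    Write-Warning "Delegation for $Account on $OuDn is incomplete; review the rows marked False."
}
```

Run it from a workstation with the RSAT Active Directory module under an account that can read the container's security descriptor.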