Implementing VMware Horizon 7.7

Horizon Composer AD permissions

The Horizon Composer AD account requires permission to manage the AD Computer objects for the virtual desktops that it creates. As there is some risk associated with granting accounts direct access to AD in order to create and delete computer objects, it is important to minimize the access granted to the Horizon Composer account.

To minimize risk, the following guidelines are recommended:

  • Create an AD organizational unit (OU) that will be used only to store linked-clone virtual machines created using Horizon Composer.
  • Grant the Horizon Composer AD account the minimum permissions required in order to manage the AD computer accounts contained within the OU.

To grant the necessary permissions, you need, at a minimum, full control over the OU that will contain the Horizon linked-clone AD computer accounts. This gives you the ability not only to delegate the required permissions for Horizon Composer, but also to create additional child OUs for finer control over the various Horizon pools that you provision.

Separating the AD computer accounts of desktop pools into separate OUs enables us to customize the group policies for each.
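One way to check the second guideline after delegation, as an added example that is not from the book: the script below reads the ACL on the dedicated OU and reports any allow ACE for the Composer account that goes beyond a minimal set. That set is assumed here to be List Contents, Read All Properties, Write All Properties, Read Permissions, Reset Password, and Create/Delete Computer Objects (confirm it against VMware's documentation for your version); the OU distinguished name and account name are placeholders.

```powershell
# Added example: audit the Composer account's ACEs on its dedicated OU (read-only).
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

$OuDn    = 'OU=LinkedClones,OU=Horizon,DC=example,DC=com'  # placeholder OU
$Account = 'EXAMPLE\svc-composer'                           # placeholder account

# Well-known Active Directory schema GUIDs
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right

# Rights assumed sufficient for Composer (assumption, see lead-in)
$Allowed = [System.DirectoryServices.ActiveDirectoryRights]`
    'ListChildren, ReadProperty, WriteProperty, ReadControl, CreateChild, DeleteChild, ExtendedRight'

$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}

$findings = foreach ($ace in $aces) {
    $rights = [int]$ace.ActiveDirectoryRights
    $issues = @()

    # Any bit outside the allowed mask (GenericAll, WriteDacl, WriteOwner, ...)
    $extra = $rights -band (-bnot [int]$Allowed)
    if ($extra) {
        $issues += "extra rights: $([System.DirectoryServices.ActiveDirectoryRights]$extra)"
    }
    # Create/Delete must be limited to computer objects, not every child class
    $childBits = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    if (($rights -band $childBits) -and $ace.ObjectType -ne $ComputerClass) {
        $issues += 'create/delete child not limited to computer objects'
    }
    # An extended-right ACE with an empty ObjectType grants all extended rights
    $extBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    if (($rights -band $extBit) -and $ace.ObjectType -ne $ResetPassword) {
        $issues += 'extended right not limited to Reset Password'
    }
    if ($issues) {
        [pscustomobject]@{
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
            Issues     = $issues -join '; '
        }
    }
}

if ($findings) { $findings | Format-List }
else { "No ACE naming $Account exceeds the expected set on $OuDn" }
```

The script only inspects ACEs that name the account directly; rights the account receives through group membership need a separate review.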