Configuring permissions for the Domain Join account
The Horizon DaaS platform requires a Domain Join account so that it can join each VDI to the domain after the VDI has been deployed and Sysprep has completed successfully.
You could give the Domain Join user full admin access, which would provide the access needed to join VDI to the domain. However, we do not recommend this as it poses a serious security risk.
Our recommendation is to delegate to the Domain Join user only the access that is required. To do this, edit the OU that you have configured in the Desktop Assignment to house all of the VDI. Alternatively, if using a 'Super Tenant' configuration, configure the permissions below on the Computer OU for each tenant.
The required permissions are:
Access | Applies to |
---|---|
List Contents | This object and all descendant objects |
Read All Properties | This object and all descendant objects |
Write All Properties | All descendant objects |
Read Permissions | This object and all descendant objects |
Reset Password | Descendant Computer objects |
Create Computer Objects | This object and all descendant objects |
Delete Computer Objects | This object and all descendant objects |
The Horizon Admin portal will validate that it has the required access when saving the Domain Join account details.
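The delegation in the table can also be scripted so that it is repeatable and reviewable. The following PowerShell is an added example, not part of the original Horizon DaaS documentation; the OU distinguished name and account name are placeholders, and it assumes the ActiveDirectory module (RSAT) is installed and that you run it with rights to modify the OU's ACL.

```powershell
# Added example: grant only the rights listed in the table above on a single OU.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn    = 'OU=VDI,DC=example,DC=local'   # placeholder: OU set in the Desktop Assignment
$account = 'EXAMPLE\svc-domainjoin'       # placeholder: the Domain Join account

$sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier])

# Well-known Active Directory schema GUIDs
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right

$Rule   = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$all    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # this object and all descendants
$desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # descendant objects only

$rules = @(
    # List Contents, Read All Properties, Read Permissions: this object and all descendant objects
    $Rule::new($sid, ($Rights'ListChildren, ReadProperty, ReadControl'), $allow, $all)
    # Write All Properties: all descendant objects
    $Rule::new($sid, $Rights::WriteProperty, $allow, $desc)
    # Reset Password: descendant Computer objects
    $Rule::new($sid, $Rights::ExtendedRight, $allow, $resetPassword, $desc, $computerClass)
    # Create and Delete Computer objects: this object and all descendant objects
    $Rule::new($sid, ($Rights'CreateChild, DeleteChild'), $allow, $computerClass, $all)
)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $path -AclObject $acl

# Review the explicit (non-inherited) entries now held by the account on this OU
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Any entry in the final listing that does not correspond to a row in the table is access the Domain Join account does not need and should be reviewed.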