For Horizon DaaS the tenant environment needs two types of domain service accounts: a domain bind account, used to perform lookups in your AD domain, and a domain join account, used to join computer accounts to the domain and to perform Sysprep operations.
The domain bind account is rather simple. Just create a normal user account, provide a password and, if the CISO allows you, set the password to never expire.
The domain join account is a little bit different. If you want to do it quick and dirty you can make the account a Domain Admin, set the password to never expire and you’re done. This, however, is not recommended. So we need to delegate control on the OU where the computer accounts will be created. The following “allow” permissions are needed for Horizon DaaS 9.1 tenants:
| Permission | Applies to |
|---|---|
| Read All Properties | This object only |
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
| Write All Properties | Descendant Computer objects |
| Reset Password | Descendant Computer objects |
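Clicking through the Delegation of Control wizard works, but it is easy to pick the wrong "Applies to" scope. The following PowerShell script, added here as an example and not part of the original post, writes exactly the five ACEs from the table onto the OU with the ActiveDirectory module's `AD:` drive and then lists what was granted so you can compare it with the table. The OU distinguished name and the account name are assumptions; the two schema GUIDs are the well-known values for the `computer` class and the "Reset Password" extended right.

```powershell
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal

Import-Module ActiveDirectory

$ouDN     = "OU=HorizonDaaS,DC=corp,DC=example"   # assumed: OU that will hold the desktops
$joinUser = "CORP\svc-daas-join"                  # assumed: the domain join service account

# Well-known schema GUIDs used to scope the object-specific ACEs
$computerClass = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the computer class
$resetPassword = [guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" control access right

# Resolve the account to a SID; ACEs are stored by SID, not by name
$sid = ([NTAccount]$joinUser).Translate([SecurityIdentifier])

$rules = @(
    # Read All Properties - This object only
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::ReadProperty,
        [AccessControlType]::Allow, [ActiveDirectorySecurityInheritance]::None)

    # Create Computer Objects - This object and all descendant objects
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::CreateChild,
        [AccessControlType]::Allow, $computerClass, [ActiveDirectorySecurityInheritance]::All)

    # Delete Computer Objects - This object and all descendant objects
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::DeleteChild,
        [AccessControlType]::Allow, $computerClass, [ActiveDirectorySecurityInheritance]::All)

    # Write All Properties - Descendant Computer objects
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::WriteProperty,
        [AccessControlType]::Allow, [ActiveDirectorySecurityInheritance]::Descendents, $computerClass)

    # Reset Password - Descendant Computer objects
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::ExtendedRight,
        [AccessControlType]::Allow, $resetPassword, [ActiveDirectorySecurityInheritance]::Descendents, $computerClass)
)

# Read the OU's current DACL, append the five allow ACEs and write it back
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs held by the join account, in the same terms as the table
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $joinUser } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The verification output is the useful part: an entry with `ObjectType` equal to the computer class GUID and `InheritanceType` `All` is a "Create/Delete Computer Objects" ACE, while an entry whose `InheritedObjectType` is that GUID and whose `InheritanceType` is `Descendents` is scoped to "Descendant Computer objects". Anything broader than the table (for example `GenericAll`, or an ACE with an empty `InheritedObjectType` and `InheritanceType` `All`) means the account has more than the tenant needs.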
Things to keep in mind
When creating a new OU in Active Directory, “Protect container from accidental deletion” is enabled by default.
Leaving this attribute enabled gives the group Everyone a Deny on Delete and Delete Subtree.
In the Horizon DaaS tenant configuration, the check for the Domain Join will fail because of the Deny on Everyone. The error message “Unable to perform Domain Join – The domain join user “Username” lacks the following permission in the OU: Delete Computer.” will be shown.
To solve this problem, either remove the Everyone entry with the Deny permissions or create a new OU with the “Protect container from accidental deletion” attribute deselected.
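Before raising a ticket about the "lacks the following permission" error, it is worth confirming that the Everyone Deny ACE is actually what is in the way. The script below, added here as an example and not part of the original post, reports any Deny entry for Everyone on the OU and then shows the two remedies the text describes: clearing the protection flag on the existing OU, or creating a new OU with the flag off. The OU and domain names are assumptions.

```powershell
using namespace System.DirectoryServices

Import-Module ActiveDirectory

$ouDN      = "OU=HorizonDaaS,DC=corp,DC=example"   # assumed: the tenant's desktop OU
$parentDN  = "DC=corp,DC=example"                  # assumed: where a replacement OU would be created

# Returns the Deny ACEs for Everyone on the OU that carry Delete or Delete Subtree.
# These are the entries "Protect container from accidental deletion" adds, and
# they are what makes the Horizon DaaS domain join check fail.
function Get-OuEveryoneDenyDelete {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $deleteRights = [ActiveDirectoryRights]::Delete -bor [ActiveDirectoryRights]::DeleteTree

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            (($_.ActiveDirectoryRights -band $deleteRights) -ne 0)
        }
}

# 1. Check: is the flag set, and which Deny entries does it translate to?
$ou = Get-ADOrganizationalUnit -Identity $ouDN -Properties ProtectedFromAccidentalDeletion
"ProtectedFromAccidentalDeletion on ${ouDN}: $($ou.ProtectedFromAccidentalDeletion)"
Get-OuEveryoneDenyDelete -DistinguishedName $ouDN |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# 2a. Remedy: clear the flag on the existing OU. AD removes the Everyone Deny ACE
#     together with the flag, so the join account's delegated Delete Computer
#     Objects permission is no longer overridden by a Deny.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false

# 2b. Alternative remedy: create the tenant OU without the protection from the start.
#     Shown here as a separate OU name (assumed) so it does not collide with the one above.
# New-ADOrganizationalUnit -Name "HorizonDaaS-Tenant" -Path $parentDN -ProtectedFromAccidentalDeletion $false

# 3. Re-check: an empty result means the Deny that blocked the domain join check is gone
$remaining = @(Get-OuEveryoneDenyDelete -DistinguishedName $ouDN)
"Everyone Deny Delete entries remaining: $($remaining.Count)"
```

Run the check first and keep its output; the flag value and the ACE list are the evidence that explains the Horizon DaaS error, and the re-check after the change is the confirmation that nothing else (such as an inherited Deny from a parent OU) is still in play.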
I hope this helps you in creating proper service accounts without Domain Admin permissions.