Delegating permissions for Horizon Composer in AD

The following steps outline the process used to delegate the minimum permissions required for Horizon Composer. In our example, we will grant the svc-horizoncomp AD account the necessary permissions on the Horizon | Computers OU:

  1. From the Windows Start menu, select Administrative Tools | Active Directory Users and Computers.
  2. Right-click on the parent OU that will contain the virtual desktops created using Horizon Composer and select Delegate Control... to open the Delegation of Control Wizard. In our example, the OU is named Computers.
  3. In the Delegation of Control Wizard window, click Next >.
  4. In the Delegation of Control Wizard | Users or Groups window, click Add... to open the Select Users, Computers, or Groups window.
  5. In the Select Users, Computers, or Groups window, type the name of the Horizon Composer service account (svc-horizoncomp), click OK to return to the Delegation of Control Wizard | Users or Groups window, and then click Next >.
  6. In the Delegation of Control Wizard | Tasks to Delegate window, click the Create a custom task to delegate radio button and then click Next >.
  7. In the Delegation of Control Wizard | Active Directory Object Type window, click the Only the following objects in the folder radio button, then click the Computer objects, Create selected objects in this folder, and Delete selected objects in this folder checkboxes, and then click Next >.
  8. In the Delegation of Control Wizard | Permissions window, click the General, Property-specific, Read, Read All Properties, Write All Properties, and Change password checkboxes, and then click Next >.
  9. In the Delegation of Control Wizard | Completing the Delegation of Control Wizard window, review the changes, making any changes if needed, and then click Finish.

The Horizon Composer service account now has the permissions needed to manage AD computer objects in the selected OU and any child OUs within it.
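
To confirm what the wizard wrote, the following PowerShell audit (an added example, not part of the original text) lists the explicit ACEs held by svc-horizoncomp on the OU and flags any that are broader than the computer-object rights selected in the steps above. The domain example.com, its NetBIOS name EXAMPLE, and the full distinguished name of the OU are assumptions; substitute your own.

```powershell
# Added example: audit the delegation made in the steps above.
# Assumptions: domain example.com, NetBIOS name EXAMPLE, OU path Horizon\Computers.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn    = 'OU=Computers,OU=Horizon,DC=example,DC=com'
$account = 'EXAMPLE\svc-horizoncomp'

# Well-known Active Directory GUIDs
$computerClass  = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$changePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password right

$adr         = [System.DirectoryServices.ActiveDirectoryRights]
$aclOrOwner  = [int]$adr::WriteDacl -bor [int]$adr::WriteOwner
$childRights = [int]$adr::CreateChild -bor [int]$adr::DeleteChild
$scopedOnly  = [int]$adr::WriteProperty -bor [int]$adr::ExtendedRight

# Explicit (non-inherited) Allow ACEs held by the service account on the OU
$aces = (Get-Acl -Path "AD:\$ouDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow'
}

$report = foreach ($ace in $aces) {
    $r = [int]$ace.ActiveDirectoryRights
    $findings = @()
    if ($r -band $aclOrOwner) { $findings += 'can rewrite the ACL or take ownership' }
    if (($r -band $childRights) -and $ace.ObjectType -ne $computerClass) {
        $findings += 'create/delete is not limited to computer objects'
    }
    if (($r -band $scopedOnly) -and $ace.InheritedObjectType -ne $computerClass) {
        $findings += 'write/extended rights apply to non-computer objects'
    }
    if (($r -band [int]$adr::ExtendedRight) -and $ace.ObjectType -ne $changePassword) {
        $findings += 'extended right other than Change Password'
    }
    [pscustomobject]@{
        Rights      = $ace.ActiveDirectoryRights
        ObjectType  = $ace.ObjectType
        AppliesTo   = $ace.InheritedObjectType
        Inheritance = $ace.InheritanceType
        Finding     = if ($findings) { $findings -join '; ' } else { 'expected' }
    }
}

if (-not $report) { Write-Warning "No explicit ACEs found for $account on $ouDn" }
$report | Format-Table -AutoSize -Wrap
```

Run it from a host with the RSAT Active Directory module installed; any row whose Finding is not "expected" means the service account holds more than the delegation described here.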