AD Configuration required for various Windows RDSH or Desktop pools

Revision as of 02:59, 20 May 2022 by Saurabh

For users to be able to log in remotely to the VMs created as part of Horizon, we need to create the following OUs, groups and policies:

  1. Open "Active Directory Users and Computers"
    1. Create OU for VDI
    2. Create new sub-OU for VMs
    3. Create a group for Desktop pool users under the main VDI OU. If you are planning to create five different VDI pools, then ideally create five different groups, so that users can be given access to a pool by adding them to the corresponding group.
    4. Optionally create a few test users to test each pool and add them to the respective groups.
    5. Optionally, as per https://kb.vmware.com/s/article/1026786, add these groups as members of the "Remote Desktop Users" built-in group.
  2. Open "Group Policy Management"
    1. Right click on OU for VDI and select "Create a GPO in this domain and link it here". Choose name VDI-GPO. Source Starter GPO none.
    2. Right click VDI-GPO and click Edit
      1. Computer Configuration > Policies > Administrative Templates > System > Group Policy
        Select "Configure user Group Policy loopback processing mode". Enable it and set Mode to Replace.
      2. Computer Configuration > Policies > Administrative Templates > System > Logon
        Select "Always wait for the network at computer startup and logon". Enable it.
      3. Deactivate the Local Administrator User Account
        1. Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
        2. Right click -> New -> Local User
        3. Select Administrator (built-in).
        4. De-select User must change password at next logon.
        5. Select Account is disabled.
        6. Click OK.
      4. Add Users to the Local Remote Desktop Users Group
        1. Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
        2. Right click in the right pane and select Add Group.
        3. In the Add Group dialog box, enter "Remote Desktop Users" and click OK.
        4. Click Add against "Members of this group". Add the groups of end users created for the VDI pools as suggested above.
        5. Click OK in the Add Member dialog box.
        6. Click OK in the Remote Desktop Users Properties dialog box.
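        7. Right-click the Remote Desktop Users group that you just added to Restricted Groups and select Properties. Validate that all required user groups are visible as members. The "Members of this group" list is authoritative: any existing member of the local Remote Desktop Users group that is not listed here is removed when the policy applies.
    3. Close the VDI-GPO editor window
  3. Right click on VDI-GPO and ensure Enforced is enabled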
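
To confirm that the settings above actually reached a pool VM, the following check can be run in an elevated PowerShell session on a VM in the VMs sub-OU after `gpupdate /force`. It is an added example, not part of the original wiki page. The domain and group name in `$ExpectedGroups` are constructed placeholders, and the registry values are the ones written by the two Administrative Template settings.

```powershell
# Added example: verify VDI-GPO results on a pool VM (run elevated).
# Assumption: replace the constructed sample value with your own pool groups.
$ExpectedGroups = @('CONTOSO\VDI-Pool1-Users')

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = [ordered]@{}

# The GPO named on this page must appear in the computer's applied GPO list
$results['VDI-GPO applied'] =
    [bool](gpresult /r /scope computer | Select-String -SimpleMatch 'VDI-GPO')

# Loopback processing: UserPolicyMode 2 = Replace (1 = Merge)
$results['Loopback mode is Replace'] =
    (Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode') -eq 2

# "Always wait for the network at computer startup and logon"
$results['Wait for network enabled'] =
    (Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SyncForegroundPolicy') -eq 1

# Built-in Administrator is found by its RID (500), so a rename does not hide it
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$results['Built-in Administrator disabled'] = [bool]($admin -and -not $admin.Enabled)

# Remote Desktop Users (well-known SID S-1-5-32-555) must contain exactly the
# expected groups, because Restricted Groups replaces the membership
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' | Select-Object -ExpandProperty Name)
$missing = @($ExpectedGroups | Where-Object { $_ -notin $members })
$extra   = @($members | Where-Object { $_ -notin $ExpectedGroups })
$results['Remote Desktop Users membership matches'] =
    ($missing.Count -eq 0 -and $extra.Count -eq 0)

foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $status, $check.Key
}
if ($missing) { "Missing from Remote Desktop Users: $($missing -join ', ')" }
if ($extra)   { "Unexpected in Remote Desktop Users: $($extra -join ', ')" }
```

Any entry reported as unexpected is an account or group that can log on over RDP without having been added through the Restricted Groups policy, and should be investigated before the pool is handed to users.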
