Forum Discussion
Having trouble with FSLogix user profile sharing - any good troubleshooting steps to follow?
Hello all,
In my case, I worked with a Microsoft expert on this and we got it to work for my account just fine. All other users trying to log in got the error that many people have seen here. I figured it was a permissions issue... but where?
Here is the Microsoft doc for setting up the Azure Files Shares:
Step 4 in the 'Configure NTFS permissions' section: (This is done on one of the VMs in the host pool.)
After running all four icacls lines for the first user, you will need to run the first icacls line for EVERY USER INDIVIDUALLY for BOTH the Windows profile and the Office profile local VM shares. Oddly, you only need to do this on the one VM. I tried on the second and it was already done 🙂
The 'net use' commands in step 2 create the links to the Azure File shares, but you need to apply permissions to the shares that are consistent with the permissions on the shares in Azure Files (Storage File Data SMB Share Contributor). Also, so users are not able to access other users' profiles.
Example for LOCAL share permissions:
(O and R drive letters are what I used on Step 2)
icacls O: /grant john.doe@contoso.com:(M)
icacls R: /grant john.doe@contoso.com:(M)
I hope this helps!
Mark Plantenberg, is there not a way to use security groups instead? I mean, I have 3,000 users I have to set this up for. Does this mean I have to script it for all the users, and then when we get new employees gotta remember to do this for them as well? That's crazy to maintain.
- Jp8701, Sep 28, 2023, Copper Contributor
You can use groups. It's described here:
Set up FSLogix Profile Container with Azure Files and AD DS or Azure AD DS - Azure Virtual Desktop | Microsoft Learn
- knickson, May 05, 2023, Copper Contributor
AliGomaa, Not sure if you ever got an answer to this? I'm in the process of migrating to Blob and am having the same issue. Any information would be greatly appreciated.
- Jp8701, Sep 28, 2023, Copper Contributor
You can use groups. It's described here:
Set up FSLogix Profile Container with Azure Files and AD DS or Azure AD DS - Azure Virtual Desktop | Microsoft Learn
icacls <mounted-drive-letter>: /grant "<DOMAIN\GroupName>:(M)"
icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls <mounted-drive-letter>: /remove "Authenticated Users"
icacls <mounted-drive-letter>: /remove "Builtin\Users"
I am using the same group that assigns access to the AVD Workspace
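Added example, not part of any post in this thread: a PowerShell check that reads `icacls` output for the mounted share root and reports where the ACL differs from the state the four group-based commands above should leave. The function name, the group `CONTOSO\AVD-Users` and the sample output are assumptions constructed for illustration.

```powershell
# Added example. 'CONTOSO\AVD-Users' is a hypothetical group; $sample is constructed output.
function Test-ProfileShareAcl {
    param([string[]] $IcaclsOutput, [string] $Path, [string] $UserGroup)

    # Parse "PRINCIPAL:(flag)(flag)..." entries; the first line is prefixed with the path.
    $aces = foreach ($line in $IcaclsOutput) {
        $text = $line
        if ($Path -and $text.StartsWith($Path)) { $text = $text.Substring($Path.Length) }
        if ($text.Trim() -match '^(?<who>.+?):(?<rights>(\([^)]+\))+)$') {
            [pscustomobject]@{ Who = $Matches.who; Rights = $Matches.rights }
        }
    }

    $findings = @()
    foreach ($ace in $aces) {
        if ($ace.Who -match '(^|\\)(Authenticated Users|Users)$') {
            # The thread's commands remove these two principals from the share root.
            $findings += "Broad principal still present: $($ace.Who):$($ace.Rights)"
        }
        elseif ($ace.Who -ieq $UserGroup -and $ace.Rights -match '\((OI|CI)\)') {
            # An inheritable ACE for the group reaches every user's profile folder.
            $findings += "Group ACE is inheritable: $($ace.Who):$($ace.Rights)"
        }
    }
    if (-not ($aces | Where-Object { $_.Who -ieq $UserGroup })) {
        $findings += "No ACE found for $UserGroup"
    }
    if (-not ($aces | Where-Object {
            $_.Who -ieq 'CREATOR OWNER' -and $_.Rights -eq '(OI)(CI)(IO)(M)' })) {
        $findings += 'CREATOR OWNER:(OI)(CI)(IO)(M) is missing'
    }
    return $findings
}

# Constructed sample: group ACE wrongly inheritable, Authenticated Users not removed.
$sample = @(
    'O: CONTOSO\AVD-Users:(OI)(CI)(M)'
    '   CREATOR OWNER:(OI)(CI)(IO)(M)'
    '   NT AUTHORITY\Authenticated Users:(OI)(CI)(M)'
    '   BUILTIN\Administrators:(OI)(CI)(F)'
    ''
    'Successfully processed 1 files; 0 failed processing any files'
)
Test-ProfileShareAcl -IcaclsOutput $sample -Path 'O:' -UserGroup 'CONTOSO\AVD-Users'
# On a session host: Test-ProfileShareAcl -IcaclsOutput (icacls O:) -Path 'O:' -UserGroup '<DOMAIN\GroupName>'
```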