Forum Discussion

limaecho's avatar
limaecho
Copper Contributor
Jun 11, 2020

Shared WVD Environment

Hi All   Just lab testing WVD environment to match our current RDS Farms environment.   We run a shared RDS Farms servers where multiple clients connect up to our RDS Servers. We lock down the RD...
CMurphyUSA's avatar
CMurphyUSA
Brass Contributor
Jun 13, 2020

limaecho 

 

I've found that most our on-prem RDS GPOs can apply to the pools host, you may just be able to publish similar GPOs to these new pool hosts.

 

The storage location of the fslogix vhds will be locked down via these permissions so users cannot see or access other user folders:
https://docs.microsoft.com/en-us/fslogix/fslogix-storage-config-ht

Are you wanting to restrict them from accessing C:\Users so they do not see usernames of others? Similar folder permissions above applied to the pool host may allow access to C:\Users and limit to only visibility\access to their user folders (username and local_username) but not others. Not sure though as the C:\Users folders are removed with the session ends.

 

On the pool host I would imagine you do not have them as admins. They may be able to access the C:\Users directory but they will not be able to access those folders.

limaecho's avatar
limaecho
Copper Contributor
Jun 15, 2020

CMurphyUSA 

 

Thank you. Users can still "see" other users folders under C:\Users - permissions just prevent access to getting into the folders.

 

I have semi-solved the issue now by restricting access to C: Drive and setting up hub mode for file explorer. This still shows the user his profile folders and prevents access to C: drive completely. The issue is when you use an application that allows open location (i.e. in outlook data file) - the C:\ does open up and a user can get to C:\Users and see other users folders in there.

  • CMurphyUSA's avatar
    CMurphyUSA
    Brass Contributor
    Jun 15, 2020

    limaecho 

     

    I believe all you can do is restrict visibility by, say hiding the C:\ drive from file explorer via registry or GPO (Amazon Workspaces does this be default for example). A user is going to have to be granted permission to the C:\ and C:\Users directory in order to do their work on any Windows PC. Third party file explorers, they will be able to view C:\.

     

    Sounds like you just need to confirm the folder and sub-folder permissions on the C:\Users directory.

     

    There is a GPO under User Config > Admin Templates > Windows Comp > Windows Expl > 'Prevent Access to Drives'.

     

    Hopefully this is somewhat helpful, but I may be misunderstanding the need.

Resources