Forum Discussion
When and how often to run script for accessing FSLogix profile container?
1. Domain-joining your Storage-Account with the profiles File Share (easy with AADDS = flip a switch or via the manual script on an on-prem AD connected server)
2. Set the permissions on the file share (SMB contributor for users)
3. via a Domain-joined server connect to the share and set NTFS permissions (needs SMB elevated contributor rights on the share in order to be able to set NTFS)
4. Now your users can access the path (for example \\yourprofiles.file.core.windows.net\profiles) without having to provide an access key if they are Synced with AzureAD and have the SMB Contributor permissions on the share.
5. Now; either bake in the correct profile-path in the registry on the golden image: hklm\software\fslogix\profiles\VHDlocations (together with all the other settings like Enabled = 1, overwrite existing profiles, etc...)
or better: get the ADMX file from the FSlogix installer zip file and use the group policy settings to set the VHDlocation and all the other settings
1. For domain-joining the storage account, I have already set Identity-based access for files shares to Enabled for AADDS. But I haven't joined the storage account to AD DS. My ultimate goal is to eliminate on-prem AD (which isn't really on-prem anyway, it's on a cloud server not hosted by MS). Is enabling AADDS sufficient, if I don't plan to access the FSLogix share from an on-prem-domain-joined machine?
2. I have assigned the Storage File Data SMB Share Contributor role on the file share in Azure Files to my WVD users group. The members of AAD DC Administrators are not members of the WVD users group, though. Must I give an AADDS admin the SMB contributor role?
3. So far, I don't have any server VMs in Azure, just the WVD setup. I've been logging into a WVD session host using an AADDS admin account and setting the permissions that way. Will this work? See also #2 re: what role the AADDS admin needs.
4. I will try that once I get 1-3 figured out.
5a. I am only aware of two required registry settings: Enabled and VHDLocations (see https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile#configure-the-fslogix-profile-container). What other settings are required?
5b. I haven't fiddled with group policy in AADDS yet. As mentioned above, I have no server VMs. But that seems to be a prerequisite (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy). I can create one ... but is that a requirement or can the group policy be managed via an add-on to a WVD Win10 session host?When you deployed the AADDS service you created a new AD Forest (with it's DNS root being something like contoso.onmicrosoft.com). That's forest is of course separate from your other on-prem Domain. I am assuming that you joined your WVD-hosts to that AADDS Domain so let's disregard the on-prem domain for now.
David Schrag wrote:1. For domain-joining the storage account, I have already set Identity-based access for files shares to Enabled for AADDS. But I haven't joined the storage account to AD DS. ?
If you've flipped this switch then the Storage Account is already joined to the AADDS domain:
You can check this by installing RSAT tooling on one of your hosts and using the Active Directory Users and Computers snap-in. The storage account should appear as a computer object there. That's also how you can create policies for your AADDS domain by using the Group Policy tool. Check here for into about the FSLogix GPO:
https://docs.microsoft.com/en-us/fslogix/use-group-policy-templates-ht
With regards to FSlogix registory settings; check this page:
https://docs.microsoft.com/en-us/fslogix/configure-profile-container-tutorial#configure-profile-container-registry-settings
(Additionally I'd also set the VolumeType key to VHDX.)
Also pay attention to the local FSlogix Profile Include and Exclude group. By default \everyone is given an FSlogix profile. You should probably place your administrators in the exclude group in case something is wrong (for example you can't access the share) so that you aren't locked out of your VM due to profile issues.
David Schrag wrote:2. I have assigned the Storage File Data SMB Share Contributor role on the file share in Azure Files to my WVD users group. The members of AAD DC Administrators are not members of the WVD users group, though. Must I give an AADDS admin the SMB contributor role?
Yes. Or give them the SMB Elevated Contributor role so they can also change NTFS permissions. Use SMB Contributor for your regular users that just need modify permissions in order to write to their profile.
David Schrag wrote:3. So far, I don't have any server VMs in Azure, just the WVD setup. I've been logging into a WVD session host using an AADDS admin account and setting the permissions that way. Will this work? See also #2 re: what role the AADDS admin needs.
That's fine since the WVD hosts are domain joined. wrt to role: Again, this doesn't come into play when you are mapping the share using the access key. You only do that during the initial setup when you are setting the NTFS permissions. Afterwards you can browse the share without using the access key and then those roles are checked.
YannickJanssens1986 The storage account is actually a User listed under AzureFilesConfig in ADUC:
Does that indicate something is wrong?
