Apr 03 2019 05:12 AM
I followed the steps in https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile.
The problem I have is that the profile is not shared. Also I see no files in share folder when I logon to the file server. It appears to be an access issue to the file share for FSLogix.
Basically I am asking: If this is an access issue to the share for FSLogix, what am I missing in my setup?
Possibly also interesting if there is a tool to check what is wrong or a manual check-list.
Browsed Get-RdsDiagnosticActivities - No relevant info
Browsed Applications/FSLogix App/Operational Event Log:
- FindFile failed for path: \\prod-fs-vm00\rdsavprofiles\<SID>\Profile*.VHDX (Access is denied.)
- No Create access: \\prod-fs-vm00\rdsavprofiles\<SID>_<USER>-test (Access is denied.)
- Unable to find parent path of "" ({Application Error} The exception s (0x)
I did the following in the my domain:
1. Added a file share server in the domain (Using an Azure AD DS domain)
2. Shared a folder according to the steps and gave all "Domain Computers" access to share and NTFS folder (Get-ADGroupMember -Identity "Domain Computers": Includes both hostpool hosts as expected)
3. Created a "custom image" where I followed the steps in configuring FSLogix before running sysprep
4. Created a host pool with two servers from this custom image in the same domain as file server
5. Logged in with a user and checked what host the user was routed to.
6. Created a .txt document in my documents
7. Logged off
8. Stopped the machine the user logged on to to see if profiles are saved of file server
9. Logged on again and got routed to the other (only running) server
10. Looked for the .txt file in my documents - not there - profile sharing not working...
Apr 03 2019 11:30 AM
@Johan_Eriksson sorry for the stupid question but did you follow the steps to enable FSLogix and point that agent to the path you have created
Apr 03 2019 10:12 PM
No questions are stupid when troubleshooting: I specified the UNC path to the share.
My suspicion is that step 5. under https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile#prepare-the-vi... is perhaps lacking some permissions that FSLogix require.
On a hunch, I gave "Domain Users" full control to the share and it started to work. I then removed "Domain Users" and FSLogix was unable to load the profile. My wild guess is therefore that "Domain Computers" full control permissions are insufficient for proper operations.
(Also note that the link FSLogix documentation at the end of that section only leads to a login prompt for me. I tried to get a user account from FSLogix, but it was not accepted.)
Apr 03 2019 11:36 PM
Apr 04 2019 04:09 AM
Thanks, makes sense. You may want to also change step 6. to refer to "Windows Virtual Desktop users" rather than "session host virtual machines".
Apr 27 2020 04:20 PM - edited Apr 27 2020 04:21 PM
Hi
We are doing this with azure storage instead of using a server and it doesn't work.
We followed the instructions on this link.
We create the share
We enable AAD DS
We assign specific users with "Storage File Data SMB Share Contributor" role to the share
We mount the share on a VM and configure full access for domain users
But still not allowing access
On the event log I can see this message:
No Create access: \\intechwvd.file.core.windows.net\wvdprofiles\S-1-5-21-303179029-2383376087-3032883996-1139_jmorales-test (The user name or password is incorrect.)
Jun 16 2020 07:51 AM - edited Jun 16 2020 08:05 AM
@JaviMora We are having the same issue. Were you able to fix it?
Aug 30 2020 06:05 AM
Sep 24 2020 12:02 PM
@Agdar Did you get an answer to this? Same issue here. Thanks.
Sep 24 2020 02:44 PM
yes, this was a problem with the Azure file share account.. in this case you go to MS open a case with FSLogix, they check the logs and decide where the problem is 🙂
Oct 28 2020 07:39 AM
Hello all,
I my case, I worked with a Microsoft expert on this and we got it to work for my account just fine. All other users trying to login got the error that many people have seen here. I figured it was a permissions issue....but where?
Here is the Microsoft doc for setting up the Azure Files Shares:
Step 4 in the 'Configure NTFS permissions' section: (This is done on one of the VM's in the host pool.)
After running all four icacls lines for the first user, you will need to run the first icacls line for EVERY USER INDIVIDUALLY for BOTH the Windows profile and the Office profile local VM shares. Oddly, you only need to do this on the on VM. I tried on the second and it was already done 🙂
The 'net use' commands in step 2 creates the links to the Azure File shares, but you need to apply permissions to the shares that are consistent to the permissions on the shares in Azure Files (Storage File Data SMB Share Contributor). Also so users are not not able to access other users profiles.
Example for LOCAL share permissions:
(O and R drive letters are what I used on Step 2)
icacls O: /grant john.doe@contoso.com:(M)
icacls R: /grant john.doe@contoso.com:(M)
I hope this helps!
Nov 02 2020 01:21 PM
@Mark Plantenberg Is there not a way to use Security groups instead? I mean I have 3,000 users I have to set this up for, Does this mean I Have to script it for all the users, and then when we get new employees gotta remember to do this for them as well? That's crazy to maintain.
May 05 2023 11:33 AM
@AliGomaa, Not sure if you ever got an answer to this? I'm in the process of migrating to Blob and am having the same issue. Any information would be greatly appreciated.
Sep 28 2023 03:16 AM
You can use groups. Its described here:
Set up FSLogix Profile Container with Azure Files and AD DS or Azure AD DS - Azure Virtual Desktop |...
icacls <mounted-drive-letter>: /grant "<DOMAIN\GroupName>:(M)"
icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls <mounted-drive-letter>: /remove "Authenticated Users"
icacls <mounted-drive-letter>: /remove "Builtin\Users"
I am using the same group that assigns access to the AVD Workspace
Sep 28 2023 03:17 AM - edited Sep 28 2023 03:17 AM
You can use groups. Its described here:
Set up FSLogix Profile Container with Azure Files and AD DS or Azure AD DS - Azure Virtual Desktop |...
Nov 23 2023 01:16 PM
Wrong Approch with icacls y: /grant "CONTOSO\AVDUsers:(M)"
When we mount the drive with the net use command, it says using the Access key.
Since we use Azure<storageaccountname>, It will look like a group in windows.core.net rather than the desired ADDS or Entra Domain service.
The mounted storage should use the desired domain ID with elevated SMB rights.