cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Shared WVD Environment

limaecho
Copper Contributor

‎Jun 10 2020 08:12 PM

‎Jun 10 2020 08:12 PM

Shared WVD Environment

Hi All

 

Just lab testing WVD environment to match our current RDS Farms environment.

 

We run a shared RDS Farms servers where multiple clients connect up to our RDS Servers. We lock down the RDS servers using group policy so that they don't get to see each other on the servers.

 

With WVD + FSLogix Profile Containers - I wonder how we can lock down C:\Users folders so that one user cannot see another users folders in there?

 

I have tried restricting access to C Drive - but given that FSLogix container mounts in C:\Users - the test users weren't able to access their documents, downloads etc folders.

 

Would be really good if someone has a way to achieve this?

1,964 Views
0 Likes
3 Replies
Reply
3 Replies
CMurphyUSA

‎Jun 12 2020 08:43 PM

‎Jun 12 2020 08:43 PM

Re: Shared WVD Environment

@limaecho 

 

I've found that most our on-prem RDS GPOs can apply to the pools host, you may just be able to publish similar GPOs to these new pool hosts.

 

The storage location of the fslogix vhds will be locked down via these permissions so users cannot see or access other user folders:
https://docs.microsoft.com/en-us/fslogix/fslogix-storage-config-ht

Are you wanting to restrict them from accessing C:\Users so they do not see usernames of others? Similar folder permissions above applied to the pool host may allow access to C:\Users and limit to only visibility\access to their user folders (username and local_username) but not others. Not sure though as the C:\Users folders are removed with the session ends.

 

On the pool host I would imagine you do not have them as admins. They may be able to access the C:\Users directory but they will not be able to access those folders.

0 Likes
Reply
limaecho

‎Jun 15 2020 04:25 AM

‎Jun 15 2020 04:25 AM

Re: Shared WVD Environment

@CMurphyUSA 

 

Thank you. Users can still "see" other users folders under C:\Users - permissions just prevent access to getting into the folders.

 

I have semi-solved the issue now by restricting access to C: Drive and setting up hub mode for file explorer. This still shows the user his profile folders and prevents access to C: drive completely. The issue is when you use an application that allows open location (i.e. in outlook data file) - the C:\ does open up and a user can get to C:\Users and see other users folders in there.

0 Likes
Reply
CMurphyUSA

‎Jun 15 2020 08:53 AM

‎Jun 15 2020 08:53 AM

Re: Shared WVD Environment

@limaecho 

 

I believe all you can do is restrict visibility by, say hiding the C:\ drive from file explorer via registry or GPO (Amazon Workspaces does this be default for example). A user is going to have to be granted permission to the C:\ and C:\Users directory in order to do their work on any Windows PC. Third party file explorers, they will be able to view C:\.

 

Sounds like you just need to confirm the folder and sub-folder permissions on the C:\Users directory.

 

There is a GPO under User Config > Admin Templates > Windows Comp > Windows Expl > 'Prevent Access to Drives'.

 

Hopefully this is somewhat helpful, but I may be misunderstanding the need.

0 Likes
Reply