Jun 10 2020 08:12 PM
Jun 10 2020 08:12 PM
Just lab testing WVD environment to match our current RDS Farms environment.
We run a shared RDS Farms servers where multiple clients connect up to our RDS Servers. We lock down the RDS servers using group policy so that they don't get to see each other on the servers.
With WVD + FSLogix Profile Containers - I wonder how we can lock down C:\Users folders so that one user cannot see another users folders in there?
I have tried restricting access to C Drive - but given that FSLogix container mounts in C:\Users - the test users weren't able to access their documents, downloads etc folders.
Would be really good if someone has a way to achieve this?
Jun 12 2020 08:43 PM
I've found that most our on-prem RDS GPOs can apply to the pools host, you may just be able to publish similar GPOs to these new pool hosts.
The storage location of the fslogix vhds will be locked down via these permissions so users cannot see or access other user folders:
Are you wanting to restrict them from accessing C:\Users so they do not see usernames of others? Similar folder permissions above applied to the pool host may allow access to C:\Users and limit to only visibility\access to their user folders (username and local_username) but not others. Not sure though as the C:\Users folders are removed with the session ends.
On the pool host I would imagine you do not have them as admins. They may be able to access the C:\Users directory but they will not be able to access those folders.
Jun 15 2020 04:25 AM
Thank you. Users can still "see" other users folders under C:\Users - permissions just prevent access to getting into the folders.
I have semi-solved the issue now by restricting access to C: Drive and setting up hub mode for file explorer. This still shows the user his profile folders and prevents access to C: drive completely. The issue is when you use an application that allows open location (i.e. in outlook data file) - the C:\ does open up and a user can get to C:\Users and see other users folders in there.
Jun 15 2020 08:53 AM
I believe all you can do is restrict visibility by, say hiding the C:\ drive from file explorer via registry or GPO (Amazon Workspaces does this be default for example). A user is going to have to be granted permission to the C:\ and C:\Users directory in order to do their work on any Windows PC. Third party file explorers, they will be able to view C:\.
Sounds like you just need to confirm the folder and sub-folder permissions on the C:\Users directory.
There is a GPO under User Config > Admin Templates > Windows Comp > Windows Expl > 'Prevent Access to Drives'.
Hopefully this is somewhat helpful, but I may be misunderstanding the need.