Azure AD advanced user properties and non-default OUs for WVD

Copper Contributor

I've the need to implement "home folder" for WVD users but that section is grayed out in AD User Properties. Somewhere in the documentation it says that this is by design for users propagated from Azure AD trough AZ Domain Services. I also have the need to apply different group policies for different category of users which I currently use OU's to group them together in my local environment. Creating OUs within the provided "AADDC Users" OU is not allowed. Moving the users to other OUs is not allowed. When I create a new OU tree at the root of the domain and then create accounts within the local active directory I do have full access to all AD properties as expected however these local users are not recognized by WVD. Apparently only users created in Azure AD and replicated to the default "AADDC Users" OU are allowed to login. Are there any plans to remediate these limitations? I would need to be able to move users to different OUs for organization purposes and be able to apply different group policies against those different OUs per our needs, the same would be required for computer accounts.

5 Replies
How do we go about setting "home folders" for users under WVD?
I think this is a question that is related to Azure AD with an Azure AD DS synching from it. That should be a supported combination that you can tech support for using your normal channels. Since I am not from MSFT and not an expert I can just give you an amateur view. If you have the setup as above, you are limited to the attributes available in Azure AD. Azure AD does not support OU and home drives, probably due to it initially being focused more on supporting Office365 etc. In addition the synch between Azure AD and Azure AD DS is one-way from Azure AD. You could argue that MSFT took a wrong turn when they decided that the structure of Azure AD user/machine setup was a small subset of standard AD. Nevertheless, I think your problem is that you selected Azure AD as your user/computer store before checking if it could replicate the functionality you want (ou:s/homedrive/...) Again - Not really WVD related and only answered by an amateur. Cheers, Johan
Fair enough as drive mapping can be achieved via other means, but how about applying different group policies to different OUs, any ideas how could I accomplish something like that when accounts cannot be moved to other OUs?
Apply all GPO's to the same OU, but use security groups to limit the scope of users to which they apply

Hi@Johan_Eriksson 

 

I have used "Home folder" and "Shared network drives" in diffrent scenarios in the past. it is not very reliable. I think it is the time to move to Azure Files

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

 

I have been using Azure Files alongside Azure AD in production and can guaranty it will deliver the user needs. I agree Azure AD has long way to go to become a perfect cloud DC (eventually it will) but for now they are doing a grea job, Azure files is doing even a better job.  So from my point of view, Micrsoft idea on Azure Ad and Files is leading to a perfection direction.

 

I would recommend everyone to vote on this https://feedback.azure.com/forums/217298-storage/suggestions/19693045-automatically-mount-an-azure-f...

 

Microsoft is doin a great job to get Azure Files to parity with Windows File Server. Using Azure Files via GPO would be the dream.

 

Thank you

Dav,