Local administrators, or administrators who are meant to manage the session hosts, should be excluded before a profile disk is created. I created two Scripted Actions that help me with this.
As a prerequisite, you need to know that I have a variable in which I store the name of the local admin, because I have no other way of getting that name.
Variables
So I definitely always have the following variable:
Both Scripted Actions also support the variable "FSLogixExcludeList", and one of them additionally supports "FSLogixIncludeList". In all variables the values are separated by commas, with no space in between.
In every case, "LocalAdministrator" and "FSLogixExcludeList" are combined and added to the corresponding group on the session host.
Scripts
The simpler of the two scripts only adds the users that should be excluded from profile disks:
```powershell
#name: Exclude users from FSLogix
#description: Exclude user from FSLogix Roaming Profile.
#execution mode: Combined
#tags: beckmann.ch

<# Notes:
Use this script to exclude the local administrator from Roaming Profile.
#>

$ErrorActionPreference = 'Stop'

# Collect all accounts that must not get a profile disk
$exclude = @()

If (![string]::IsNullOrEmpty($SecureVars.LocalAdministrator)) {
    # Comma-separated list; Trim() removes stray whitespace around each name
    $localAdministrator = $SecureVars.LocalAdministrator.Split(",").Trim()
    $exclude += $localAdministrator
}

If (![string]::IsNullOrEmpty($SecureVars.FSLogixExcludeList)) {
    $excludedList = $SecureVars.FSLogixExcludeList.Split(",").Trim()
    $exclude += $excludedList
}

try {
    Write-Output ("Add users to Exclude Groups: " + ($exclude | Out-String))
    # -ErrorAction SilentlyContinue suppresses non-terminating errors,
    # e.g. for accounts that are already members of the group
    Add-LocalGroupMember -Group "FSLogix ODFC Exclude List" -Member $exclude -ErrorAction SilentlyContinue
    Add-LocalGroupMember -Group "FSLogix Profile Exclude List" -Member $exclude -ErrorAction SilentlyContinue
}
catch {
    $ErrorActionPreference = 'Continue'
    Write-Output "Encountered error. $_"
    Throw $_
}
```
The second script can also add include users:
```powershell
#name: Exclude and Include FSLogix users
#description: Exclude and Include user for FSLogix Roaming Profile.
#execution mode: Combined
#tags: beckmann.ch

<# Notes:
Use this script to exclude the local administrator from Roaming Profile.
You can also exclude other users by adding them to the ExcludeList.
It is also possible to include users by adding them to the IncludeList.
#>

$ErrorActionPreference = 'Stop'

$exclude = @()
$include = @()

If (![string]::IsNullOrEmpty($SecureVars.LocalAdministrator)) {
    # Comma-separated list; Trim() removes stray whitespace around each name
    $localAdministrator = $SecureVars.LocalAdministrator.Split(",").Trim()
    $exclude += $localAdministrator
}

If (![string]::IsNullOrEmpty($SecureVars.FSLogixExcludeList)) {
    $excludedList = $SecureVars.FSLogixExcludeList.Split(",").Trim()
    $exclude += $excludedList
}

If (![string]::IsNullOrEmpty($SecureVars.FSLogixIncludeList)) {
    $includeList = $SecureVars.FSLogixIncludeList.Split(",").Trim()
    $include += $includeList
}

Write-Output ("Exclude users: " + ($exclude | Out-String))
Write-Output ("Include users: " + ($include | Out-String))

If (![string]::IsNullOrEmpty($exclude)) {
    Write-Output ("Add users to Exclude Groups: " + ($exclude | Out-String))
    try {
        # -ErrorAction SilentlyContinue suppresses non-terminating errors,
        # e.g. for accounts that are already members of the group
        Add-LocalGroupMember -Group "FSLogix ODFC Exclude List" -Member $exclude -ErrorAction SilentlyContinue
        Add-LocalGroupMember -Group "FSLogix Profile Exclude List" -Member $exclude -ErrorAction SilentlyContinue
    }
    catch {
        $ErrorActionPreference = 'Continue'
        Write-Output "Encountered error. $_"
        Throw $_
    }
    Write-Output ("Add users to Exclude Groups: success")
}

If (![string]::IsNullOrEmpty($include)) {
    # Only when an include list is set: remove Everyone first, then add the listed accounts
    Write-Output ("Remove users from Include Groups: NT AUTHORITY\Everyone")
    try {
        Remove-LocalGroupMember -Group "FSLogix ODFC Include List" -Member @('NT AUTHORITY\Everyone') -ErrorAction SilentlyContinue
        Remove-LocalGroupMember -Group "FSLogix Profile Include List" -Member @('NT AUTHORITY\Everyone') -ErrorAction SilentlyContinue
    }
    catch {
        $ErrorActionPreference = 'Continue'
        Write-Output "Encountered error. $_"
        Throw $_
    }
    Write-Output ("Remove users from Include Groups: success")

    Write-Output ("Add users to Include Groups: " + ($include | Out-String))
    try {
        Add-LocalGroupMember -Group "FSLogix ODFC Include List" -Member $include -ErrorAction SilentlyContinue
        Add-LocalGroupMember -Group "FSLogix Profile Include List" -Member $include -ErrorAction SilentlyContinue
    }
    catch {
        $ErrorActionPreference = 'Continue'
        Write-Output "Encountered error. $_"
        Throw $_
    }
    Write-Output ("Add users to Include Groups: success")
}
```
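Both scripts call Add-LocalGroupMember with -ErrorAction SilentlyContinue, so cmdlet errors such as an unresolvable account name are suppressed and the "success" line is written regardless. The following check is an added example, not part of the original scripts: it compares the expected accounts with the actual group members by SID and fails if an administrator is not excluded. The function name Test-FSLogixGroupMember and the sample account names are assumptions.

```powershell
# Added example (not from the original post). Run elevated on a session host.
# Test-FSLogixGroupMember is a hypothetical helper name.
function Test-FSLogixGroupMember {
    param(
        [Parameter(Mandatory)][string[]]$Account,
        [Parameter(Mandatory)][string[]]$Group
    )
    foreach ($g in $Group) {
        # SIDs of the current members; comparing SIDs avoids mismatches between
        # "user", "HOST\user" and "DOMAIN\user" spellings of the same account
        $memberSids = @(Get-LocalGroupMember -Group $g -ErrorAction Stop |
            ForEach-Object { $_.SID.Value })
        foreach ($a in $Account) {
            try {
                $nt  = New-Object System.Security.Principal.NTAccount($a)
                $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
            }
            catch {
                $sid = $null   # the name does not resolve on this host
            }
            [pscustomobject]@{
                Group    = $g
                Account  = $a
                Resolved = ($null -ne $sid)
                IsMember = ($null -ne $sid) -and ($memberSids -contains $sid)
            }
        }
    }
}

# Constructed sample values; inside a Scripted Action they would come from
# $SecureVars.LocalAdministrator and $SecureVars.FSLogixExcludeList
$expectedExcluded = 'localadmin,svc-hostmgmt'.Split(',').Trim()
$excludeGroups    = 'FSLogix ODFC Exclude List', 'FSLogix Profile Exclude List'

$result = Test-FSLogixGroupMember -Account $expectedExcluded -Group $excludeGroups
$result | Format-Table -AutoSize | Out-String | Write-Output

# Fail loudly if any expected account is missing from an exclude group
$missing = @($result | Where-Object { -not $_.IsMember })
if ($missing.Count -gt 0) {
    $list = ($missing | ForEach-Object { "$($_.Account) -> $($_.Group)" }) -join '; '
    throw "Not excluded from FSLogix: $list"
}
```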
Conclusion
Managing the groups can also be done through Group Policy or Intune policies, but I prefer to rely on a Scripted Action, so that this is configured correctly on all systems right from the start. I hope it helps you in your deployment.