Local administrators, or administrators who are to manage the session hosts, should be excluded before a profile disk is created. I have created two scripted actions to help me with this.
As a prerequisite, you need to know that I have a variable in which I have stored the name of the local administrator, as I can’t get this name any other way.
Variables
I therefore always have the following variable:
The two scripted actions also support the variable “FSLogixExcludeList” and one scripted action also supports “FSLogixIncludeList”. In all variables, the values are separated by commas, with no space between them.
In both scripts, the values of “LocalAdministrator” and “FSLogixExcludeList” are combined and added to the FSLogix exclude groups on the session host.
Scripts
The simpler of the two scripts only adds the users that are to be excluded from profile disks:
```powershell
#name: Exclude users from FSLogix
#description: Exclude user from FSLogix Roaming Profile.
#execution mode: Combined
#tags: beckmann.ch

<#
Notes:
Use this script to exclude the local administrator from Roaming Profile.
#>

$ErrorActionPreference = 'Stop'

# Collect the accounts to exclude from the comma-separated variables.
$exclude = @()

If (![string]::IsNullOrEmpty($SecureVars.LocalAdministrator)) {
    $localAdministrator = $SecureVars.LocalAdministrator.Split(",").Trim()
    $exclude += $localAdministrator
}

If (![string]::IsNullOrEmpty($SecureVars.FSLogixExcludeList)) {
    $excludedList = $SecureVars.FSLogixExcludeList.Split(",").Trim()
    $exclude += $excludedList
}

try {
    Write-Output ("Add users to Exclude Groups: " + ($exclude | Out-String))
    # SilentlyContinue suppresses the errors these cmdlets report,
    # e.g. for an account that is already a member of the group.
    Add-LocalGroupMember -Group "FSLogix ODFC Exclude List" -Member $exclude -ErrorAction SilentlyContinue
    Add-LocalGroupMember -Group "FSLogix Profile Exclude List" -Member $exclude -ErrorAction SilentlyContinue
}
catch {
    $ErrorActionPreference = 'Continue'
    Write-Output "Encountered error. $_"
    Throw $_
}
```
The second script can also add include users:
```powershell
#name: Exclude and Include FSLogix users
#description: Exclude and Include user for FSLogix Roaming Profile.
#execution mode: Combined
#tags: beckmann.ch

<#
Notes:
Use this script to exclude the local administrator from Roaming Profile.
You can also exclude other users by adding them to the ExcludeList.
It is also possible to include users by adding them to the IncludeList.
#>

$ErrorActionPreference = 'Stop'

# Collect the accounts for both lists from the comma-separated variables.
$exclude = @()
$include = @()

If (![string]::IsNullOrEmpty($SecureVars.LocalAdministrator)) {
    $localAdministrator = $SecureVars.LocalAdministrator.Split(",").Trim()
    $exclude += $localAdministrator
}

If (![string]::IsNullOrEmpty($SecureVars.FSLogixExcludeList)) {
    $excludedList = $SecureVars.FSLogixExcludeList.Split(",").Trim()
    $exclude += $excludedList
}

If (![string]::IsNullOrEmpty($SecureVars.FSLogixIncludeList)) {
    $includeList = $SecureVars.FSLogixIncludeList.Split(",").Trim()
    $include += $includeList
}

Write-Output ("Exclude users: " + ($exclude | Out-String))
Write-Output ("Include users: " + ($include | Out-String))

If (![string]::IsNullOrEmpty($exclude)) {
    Write-Output ("Add users to Exclude Groups: " + ($exclude | Out-String))
    try {
        # SilentlyContinue suppresses the errors these cmdlets report,
        # e.g. for an account that is already a member of the group.
        Add-LocalGroupMember -Group "FSLogix ODFC Exclude List" -Member $exclude -ErrorAction SilentlyContinue
        Add-LocalGroupMember -Group "FSLogix Profile Exclude List" -Member $exclude -ErrorAction SilentlyContinue
    }
    catch {
        $ErrorActionPreference = 'Continue'
        Write-Output "Encountered error. $_"
        Throw $_
    }
    Write-Output ("Add users to Exclude Groups: success")
}

If (![string]::IsNullOrEmpty($include)) {
    # An include list only takes effect once Everyone is no longer a member.
    Write-Output ("Remove users from Include Groups: NT AUTHORITY\Everyone")
    try {
        Remove-LocalGroupMember -Group "FSLogix ODFC Include List" -Member @('NT AUTHORITY\Everyone') -ErrorAction SilentlyContinue
        Remove-LocalGroupMember -Group "FSLogix Profile Include List" -Member @('NT AUTHORITY\Everyone') -ErrorAction SilentlyContinue
    }
    catch {
        $ErrorActionPreference = 'Continue'
        Write-Output "Encountered error. $_"
        Throw $_
    }
    Write-Output ("Remove users from Include Groups: success")

    Write-Output ("Add users to Include Groups: " + ($include | Out-String))
    try {
        Add-LocalGroupMember -Group "FSLogix ODFC Include List" -Member $include -ErrorAction SilentlyContinue
        Add-LocalGroupMember -Group "FSLogix Profile Include List" -Member $include -ErrorAction SilentlyContinue
    }
    catch {
        $ErrorActionPreference = 'Continue'
        Write-Output "Encountered error. $_"
        Throw $_
    }
    Write-Output ("Add users to Include Groups: success")
}
```
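Both scripts pass -ErrorAction SilentlyContinue to the group cmdlets, so an add or remove that fails is not reported and the "success" line is still written. The following check is an added example, not part of the original scripts, that reads the groups back and fails when an expected account is missing or Everyone is still in an include group. It assumes the same $SecureVars variables and group names as above, and its function names are hypothetical.

```powershell
# Added example: audit the FSLogix groups after the scripted action has run.
# Assumes the $SecureVars variables and group names used in the scripts above;
# Get-ExpectedMembers and Test-FSLogixGroup are hypothetical helper names.

function Get-ExpectedMembers {
    param([string[]]$Values)
    # Split the comma-separated values, trim them and drop empty entries.
    $Values | Where-Object { $_ } | ForEach-Object { $_.Split(',') } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-FSLogixGroup {
    param([string]$Group, [string[]]$Expected)
    $actual = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop)
    foreach ($name in $Expected) {
        # Accept either the full "DOMAIN\user" form or the bare account name.
        $hit = $actual | Where-Object {
            $_.Name -eq $name -or ($_.Name -split '\\')[-1] -eq $name
        }
        [pscustomobject]@{ Group = $Group; Check = "member $name"; Passed = [bool]$hit }
    }
}

$exclude = Get-ExpectedMembers -Values @($SecureVars.LocalAdministrator, $SecureVars.FSLogixExcludeList)
$include = Get-ExpectedMembers -Values @($SecureVars.FSLogixIncludeList)

$results = @()
foreach ($g in 'FSLogix ODFC Exclude List', 'FSLogix Profile Exclude List') {
    $results += @(Test-FSLogixGroup -Group $g -Expected $exclude)
}
if ($include) {
    foreach ($g in 'FSLogix ODFC Include List', 'FSLogix Profile Include List') {
        $results += @(Test-FSLogixGroup -Group $g -Expected $include)
        # Everyone is matched by its well-known SID (S-1-1-0), not by display name.
        $everyone = Get-LocalGroupMember -Group $g -ErrorAction Stop |
            Where-Object { $_.SID.Value -eq 'S-1-1-0' }
        $results += [pscustomobject]@{ Group = $g; Check = 'Everyone removed'; Passed = -not $everyone }
    }
}

Write-Output ($results | Format-Table -AutoSize | Out-String)
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Throw "FSLogix group check failed for $($failed.Count) item(s)."
}
```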
Conclusion
Managing the groups can also be achieved via group policies or Intune policies, but I prefer to rely on scripted actions, so that this is configured correctly on all systems right from the start. I hope it can help you in your deployment.