When setting up VMware Horizon View Persona Management, one of the tasks is to create a remote repository to store user data and settings, application-specific data, and other user-generated information in user profiles.
Required persona management remote repository permissions
The minimum required NTFS and share level permissions are:
NTFS PERMISSIONS REQUIRED FOR THE USER PROFILE REPOSITORY AND REDIRECTED FOLDER SHARE
User Account | Minimum permission required |
---|---|
Creator Owner | Full Control ==> Subfolders and Files Only |
Administrator | None. Enable the Windows group policy setting “Add the Administrators security group to the roaming user profiles”. In the Group Policy Object Editor, this policy setting is located under Computer Configuration\Administrative Templates\System\User Profiles\. ==> This policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time. |
Security group of users needing to put data on the share | List Folder/Read Data, Create Folders/Append Data, Read Attributes ==> This Folder Only |
Everyone | No permission |
Local System | Full Control ==> This Folder, Subfolders and Files |
SHARE LEVEL (SMB) PERMISSIONS REQUIRED FOR USER PROFILE REPOSITORY AND REDIRECTED FOLDER SHARE
User Account | Minimum permission required |
---|---|
Everyone | No permission |
Security group of users needing to put data on the share | Full Control |
Persona Management Configuration
Persona Management is configured through Group Policy by adding the VMware Horizon View Persona Management Administrative Template (Viewpm.ADM), which can be found in the VMware Horizon 6 GPO bundle.
The settings I normally use are the following:
Roaming & Synchronization
Manage User Persona: Enabled
Profile Upload Interval: 10 minutes
Persona Repository Location: Enabled
Share Path: \\fileserver\VDI_Profiles$\%username%.%userdomain%
Override Active Directory User Profile Path if it is configured: YES
Roam Local Settings Folder: Enabled
Folders to Background Download: Enabled
Folders to download: %APPDATA%\Thinstall
Folder Redirection
Desktop: Enabled
Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\Desktop
Downloads: Enabled
Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\Downloads
Favorites: Enabled
Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\Favorites
My Documents: Enabled
Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyDocuments
My Music: Enabled
Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyMusic
My Pictures: Enabled
Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyPictures
My Videos: Enabled
Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyVideos
Desktop UI
Show progress when downloading large files: Enabled
Minimum file size to show progress window (MB): 10
As the settings above show, two shares must be available:
- \\fileserver\VDI_Profiles$ ==> This will store the user profiles
- \\fileserver\VDI_UserFolders$ ==> This will store the redirected folders
Also enable the following GPO setting on the OU where your VDIs live:
Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to the roaming user profiles
Script to create Persona Management repositories, shares & permissions
To create the repositories and set the NTFS and share-level permissions correctly, run the following commands from a command prompt on the file server.
rem Profile repository: create the folder and a hidden share (Full Control for the user group only)
md D:\VDI\VDI_Profiles
net share VDI_Profiles$=D:\VDI\VDI_Profiles /grant:domainname\eucusergroup,FULL
rem Drop inherited ACEs, then grant only the permissions listed in the NTFS table
icacls D:\VDI\VDI_Profiles /inheritance:r
icacls D:\VDI\VDI_Profiles /grant "CREATOR OWNER":(OI)(CI)F
icacls D:\VDI\VDI_Profiles /remove Administrators
icacls D:\VDI\VDI_Profiles /grant domainname\eucusergroup:(NP)(RD,AD,RA)
rem Everyone gets no permission on the folder
icacls D:\VDI\VDI_Profiles /remove Everyone
icacls D:\VDI\VDI_Profiles /grant System:(OI)(CI)F
rem Redirected folders repository: same steps
md D:\VDI\VDI_UserFolders
net share VDI_UserFolders$=D:\VDI\VDI_UserFolders /grant:domainname\eucusergroup,FULL
icacls D:\VDI\VDI_UserFolders /inheritance:r
icacls D:\VDI\VDI_UserFolders /grant "CREATOR OWNER":(OI)(CI)F
icacls D:\VDI\VDI_UserFolders /remove Administrators
icacls D:\VDI\VDI_UserFolders /grant domainname\eucusergroup:(NP)(RD,AD,RA)
rem Everyone gets no permission on the folder
icacls D:\VDI\VDI_UserFolders /remove Everyone
icacls D:\VDI\VDI_UserFolders /grant System:(OI)(CI)F
Notes:
- The domainname\eucusergroup referenced in the above commands is an Active Directory group containing all the user accounts that will be using Persona Management.
- I chose to create the repositories on the D: drive of the file server, but this could of course be any drive of your choice.
- I also chose to create hidden shares ($), but this is not required.
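Once the commands have run, the result can be compared with the two permission tables. The PowerShell below is an added example, not part of the original post; it assumes the post's placeholder group, paths and share names, English account names, and the SmbShare module (Windows Server 2012 or later).

```powershell
# Added example: audits both repositories against the permission tables in this post.
# Assumptions: the post's placeholder group, paths and share names; English account
# names (they are localized on non-English Windows); SmbShare module (Server 2012+).
$UserGroup = 'domainname\eucusergroup'
$Repos = @{ 'VDI_Profiles$' = 'D:\VDI\VDI_Profiles'; 'VDI_UserFolders$' = 'D:\VDI\VDI_UserFolders' }

# Rights the user group may hold on the root folder. Synchronize is tolerated
# because Windows commonly adds it to allow ACEs.
$R = [System.Security.AccessControl.FileSystemRights]
$AllowedMask = [int]($R::ReadData -bor $R::AppendData -bor $R::ReadAttributes -bor $R::Synchronize)

function Test-RepositoryAcl {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) { 'NTFS: inheritance is still enabled' }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -eq 'Everyone') { "NTFS: Everyone holds $($ace.FileSystemRights)" }
        if ($id -eq 'BUILTIN\Administrators') { 'NTFS: Administrators has an ACE on the root' }
        if ($id -eq $Group) {
            if (([int]$ace.FileSystemRights -band (-bnot $AllowedMask)) -ne 0) {
                "NTFS: $Group has excess rights: $($ace.FileSystemRights)"
            }
            if ($ace.InheritanceFlags -ne 'None') {
                "NTFS: $Group ACE is inherited by subfolders and files"
            }
        }
    }
}

function Test-RepositoryShare {
    param([string]$ShareName, [string]$Group)
    $access = @(Get-SmbShareAccess -Name $ShareName)
    foreach ($entry in $access) {
        if ($entry.AccountName -eq 'Everyone' -and $entry.AccessControlType -eq 'Allow') {
            "SMB: Everyone holds $($entry.AccessRight)"
        }
    }
    $groupFull = $access | Where-Object {
        $_.AccountName -eq $Group -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
    }
    if (-not $groupFull) { "SMB: $Group does not have Full Control" }
}

foreach ($share in $Repos.Keys) {
    $issues = @(Test-RepositoryAcl -Path $Repos[$share] -Group $UserGroup) +
              @(Test-RepositoryShare -ShareName $share -Group $UserGroup)
    if ($issues) { $issues | ForEach-Object { "[$share] $_" } } else { "[$share] OK" }
}
```

Run it in an elevated PowerShell session on the file server; every line other than OK names a deviation from the tables.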