VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions

When setting up VMware Horizon View Persona Management, one of the tasks is to create a remote repository to store the user data and settings, application-specific data, and other user-generated information in user profiles.

Required persona management remote repository permissions

The minimum required NTFS and share level permissions are:

 

NTFS PERMISSIONS REQUIRED FOR THE USER PROFILE REPOSITORY AND REDIRECTED FOLDER SHARE

User account: minimum permission required

  • Creator Owner: Full Control ==> Subfolders and Files Only
  • Administrator: None. Enable the Windows group policy setting “Add the Administrators security group to the roaming user profiles”. In the Group Policy Object Editor, this policy setting is located under Computer Configuration\Administrative Templates\System\User Profiles\. ==> This policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.
  • Security group of users needing to put data on the share: List Folder/Read Data, Create Folders/Append Data, Read Attributes ==> This Folder Only
  • Everyone: No permission
  • Local System: Full Control ==> This Folder, Subfolders and Files

 

SHARE LEVEL (SMB) PERMISSIONS REQUIRED FOR USER PROFILE REPOSITORY AND REDIRECTED FOLDER SHARE

User account: minimum permission required

  • Everyone: No permission
  • Security group of users needing to put data on the share: Full Control

See also

https://pubs.vmware.com/horizon-61-view/index.jsp#com.vmware.horizon-view.desktops.doc/GUID-8DA2B3DC-028F-4A0A-9AB0-DCABE72B802C.html

https://pubs.vmware.com/horizon-7-view/index.jsp?topic=%2Fcom.vmware.horizon-view.desktops.doc%2FGUID-8DA2B3DC-028F-4A0A-9AB0-DCABE72B802C.html

Persona Management Configuration

The Persona Management configuration is done through Group Policy by adding the VMware Horizon View Persona Management Administrative Template (Viewpm.ADM), which can be found in the VMware Horizon 6 GPO bundle.

The settings I normally use are the following:

Roaming & Synchronization

Manage User Persona: Enabled

Profile Upload Interval: 10 minutes

Persona Repository Location: Enabled

Share Path: \\fileserver\VDI_Profiles$\%username%.%userdomain%

Override Active Directory User Profile Path if it is configured: YES

Roam Local Settings Folder: Enabled

Folders to Background Download: Enabled

Folders to download: %APPDATA%\Thinstall

Folder Redirection

Desktop: Enabled

Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\Desktop

Downloads: Enabled

Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\Downloads

Favorites: Enabled

Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\Favorites

My Documents: Enabled

Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyDocuments

My Music: Enabled

Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyMusic

My Pictures: Enabled

Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyPictures

My Videos: Enabled

Redirect to the following location: \\fileserver\VDI_UserFolders$\%username%.%userdomain%\MyVideos

Desktop UI

Show progress when downloading large files: Enabled

Minimum file size to show progress window (MB): 10

As you can see above, the settings require two shares to be available:

  • \\fileserver\VDI_Profiles$ ==> This will store the users' profiles
  • \\fileserver\VDI_UserFolders$ ==> This will store the redirected folders

Also enable the following GPO setting on the OU where your VDIs live:

Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to the roaming user profiles

Script to create Persona Management repositories, shares & permissions

To create the repositories and to set the NTFS and share level permissions correctly, you can execute the following commands from a command prompt on the fileserver.

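rem Profile repository
md D:\VDI\VDI_Profiles
rem Share level: Full Control for the user group only, nothing for Everyone
net share VDI_Profiles$=D:\VDI\VDI_Profiles /grant:domainname\eucusergroup,FULL
rem Remove all inherited ACEs
icacls D:\VDI\VDI_Profiles /inheritance:r
rem CREATOR OWNER: Full Control on subfolders and files only
icacls D:\VDI\VDI_Profiles /grant "CREATOR OWNER":(OI)(CI)(IO)F
icacls D:\VDI\VDI_Profiles /remove Administrators
rem User group: list folder, create folders, read attributes on this folder only
icacls D:\VDI\VDI_Profiles /grant domainname\eucusergroup:(NP)(RD,AD,RA)
rem Everyone: no permission, so make sure no Everyone entry is left
icacls D:\VDI\VDI_Profiles /remove Everyone
rem SYSTEM: Full Control on this folder, subfolders and files
icacls D:\VDI\VDI_Profiles /grant System:(OI)(CI)F

rem Redirected folders repository, same permissions as above
md D:\VDI\VDI_UserFolders
net share VDI_UserFolders$=D:\VDI\VDI_UserFolders /grant:domainname\eucusergroup,FULL
icacls D:\VDI\VDI_UserFolders /inheritance:r
icacls D:\VDI\VDI_UserFolders /grant "CREATOR OWNER":(OI)(CI)(IO)F
icacls D:\VDI\VDI_UserFolders /remove Administrators
icacls D:\VDI\VDI_UserFolders /grant domainname\eucusergroup:(NP)(RD,AD,RA)
icacls D:\VDI\VDI_UserFolders /remove Everyone
icacls D:\VDI\VDI_UserFolders /grant System:(OI)(CI)F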

Notes:

  • The domainname\eucusergroup referenced in the above commands is an Active Directory group containing all the user accounts that will be using Persona Management.
  • I chose to create the repositories on the D: drive of the fileserver, but this could of course be any drive of your choice.
  • I also chose to create hidden shares ($), but this is not a necessity.
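
A read-only check of the result, as an added example that is not part of the original post: this PowerShell script compares the folder ACL and the share ACL of one repository against the two permission tables above and lists every deviation. The default path, share and group names are the page's placeholders, and the share comparison assumes the group is given in the same DOMAIN\name form that Get-SmbShareAccess reports.

```powershell
# Added example (not from the original post): audit one repository against the tables above.
# Assumptions: run elevated on the file server; defaults are the page's placeholder names.
param(
    [string]$Path  = 'D:\VDI\VDI_Profiles',
    [string]$Share = 'VDI_Profiles$',
    [string]$Group = 'domainname\eucusergroup'
)
$sidType  = [System.Security.Principal.SecurityIdentifier]
$groupSid = ([System.Security.Principal.NTAccount]$Group).Translate($sidType).Value

# Well-known SIDs, so the check does not depend on the OS display language.
$everyone = 'S-1-1-0'; $creatorOwner = 'S-1-3-0'; $system = 'S-1-5-18'; $admins = 'S-1-5-32-544'
$allowed  = @($creatorOwner, $system, $groupSid)

$R        = [System.Security.AccessControl.FileSystemRights]
$sync     = [int]$R::Synchronize
$wanted   = [int]($R::ReadData -bor $R::AppendData -bor $R::ReadAttributes)
$findings = @()

$acl = Get-Acl -LiteralPath $Path
if (-not $acl.AreAccessRulesProtected) { $findings += 'NTFS: inheritance is not disabled' }

# Explicit and inherited ACEs, with identities returned as SIDs.
$aces = $acl.GetAccessRules($true, $true, $sidType)
foreach ($ace in $aces) {
    $sid = $ace.IdentityReference.Value
    if ($sid -eq $everyone) { $findings += "NTFS: Everyone has an ACE ($($ace.FileSystemRights))" }
    elseif ($sid -eq $admins) { $findings += 'NTFS: Administrators still has an ACE' }
    elseif ($allowed -notcontains $sid) { $findings += "NTFS: unexpected identity $sid" }
    elseif ($sid -eq $groupSid) {
        # The group may only list the root and create its own subfolder; nothing is inherited.
        $rights = [int]$ace.FileSystemRights -band (-bnot $sync)
        if ($rights -ne $wanted) { $findings += "NTFS: group rights are $($ace.FileSystemRights)" }
        if ($ace.InheritanceFlags -ne 'None') { $findings += 'NTFS: group ACE is inheritable' }
    }
}
foreach ($sid in $allowed) {
    if (@($aces | Where-Object { $_.IdentityReference.Value -eq $sid }).Count -eq 0) {
        $findings += "NTFS: no ACE for $sid"
    }
}

# Share level: only the user group should appear, with Full Control.
foreach ($entry in Get-SmbShareAccess -Name $Share) {
    if ($entry.AccountName -ne $Group -or $entry.AccessRight -ne 'Full' -or $entry.AccessControlType -ne 'Allow') {
        $findings += "SMB: unexpected entry $($entry.AccountName) $($entry.AccessControlType) $($entry.AccessRight)"
    }
}
if ($findings) { $findings } else { "OK: $Path and $Share match the required permissions" }
```

Run it once per repository, passing -Path and -Share for VDI_UserFolders the second time.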

 
