Exclude Nerdio Local Administrator Account from FSLogix

As we move more and more to a non-GPO world, it'd be nice to have the (Nerdio) Local administrator account (Settings>Portal>Local Administrator credentials) be added to FSLogix Profile Exclude List (local user group) automatically.

If that's not possible, or as a (potentially) simpler solution, we could have a parameter for the Nerdio Local Administrator account (i.e. $nerdiolocaladmin) that we could pass to a scripted action to accomplish the same thing.

Nerdio support recommended adding the Administrators (local user group) to the FSLogix Profile Exclude List group. The only issue there would be if you have an Intune policy set to add certain users to the local admin group on AAD joined devices and someone inadvertently didn't get an FSLogix profile. It'd probably only be an issue for personal desktops but wanted to call it out in case someone else wanted to go that route instead. 🙂


Comments (6 comments)

Tomas

A startup or 'on create' script would be rather easy to do, if the names are set, in order to add them to the exclude group.

An option for the AAD joined computers would be to utilize the device administrator role in AAD. They do not get listed in the local administrator group but would be local admin on ALL AAD computers, so including administrators in the exclude group would not affect them.

If those users should not be admins on all devices then a policy would be my next choice. You can do a custom configuration in XML format to configure local groups (assuming Intune):
./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
This would let you scope the policy to a set of devices.

But yes, a simple field in Nerdio for local group membership would be nice.
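The "startup or 'on create' script" idea above, as an added PowerShell example (not Nerdio's, FSLogix's or any commenter's code): it assumes FSLogix Apps is installed (which creates the "FSLogix Profile Exclude List" group) and takes the account name through a hypothetical -NerdioLocalAdmin parameter, borrowing the $nerdiolocaladmin name suggested in the request.

```powershell
<#
  Added example, not Nerdio's or FSLogix's own code.
  Adds the Nerdio local administrator account to the FSLogix Profile Exclude List
  local group so that account never gets an FSLogix profile attached.
  Assumptions: FSLogix Apps is installed; -NerdioLocalAdmin is a hypothetical
  parameter name (Nerdio does not necessarily expose such a variable).
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$NerdioLocalAdmin
)

$ErrorActionPreference = 'Stop'
$groupName = 'FSLogix Profile Exclude List'

# Fail rather than create a look-alike group: the real group is created by FSLogix.
if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    throw "Local group '$groupName' not found. Is FSLogix installed on this host?"
}

# Resolve the account first so a typo cannot silently exclude nothing (or the wrong principal).
$account = Get-LocalUser -Name $NerdioLocalAdmin -ErrorAction SilentlyContinue
if (-not $account) {
    throw "Local user '$NerdioLocalAdmin' does not exist on this host."
}

# Compare SIDs, not names: group membership is tracked by SID and accounts can be renamed.
# Enumeration can fail on hosts whose groups hold orphaned or cloud-only SIDs, so tolerate it.
try {
    $currentSids = @(Get-LocalGroupMember -Group $groupName | ForEach-Object { $_.SID.Value })
}
catch {
    Write-Warning "Could not enumerate '$groupName' ($_); attempting the add anyway."
    $currentSids = @()
}

if ($currentSids -contains $account.SID.Value) {
    Write-Output "'$NerdioLocalAdmin' is already in '$groupName'; nothing to do."
}
else {
    try {
        Add-LocalGroupMember -Group $groupName -Member $account
        Write-Output "Added '$NerdioLocalAdmin' ($($account.SID.Value)) to '$groupName'."
    }
    catch {
        # Idempotent re-runs: membership already present is not an error for this script.
        if ($_.FullyQualifiedErrorId -like 'MemberExists*') {
            Write-Output "'$NerdioLocalAdmin' is already in '$groupName'."
        }
        else { throw }
    }
}
```

Run it as a Nerdio scripted action or a startup script on the session host; it is safe to run repeatedly and leaves the final membership check to FSLogix itself.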

Gido Veekens

Thanks DStephenson and Tomas, I understand the use case. Is there any use case to exclude specific users/groups from FSLogix other than the Nerdio stored administrator account?

DStephenson

Thanks, Gido Veekens!
The only reason I could think to exclude multiple accounts would be to have a maintenance account (used to run scripted actions/updates?) not have a local profile. I could be wrong though.
But, as Tomas pointed out, we could do it with GPO or Intune if there was that need.

My main thought behind this was to have a "break glass" way of modifying/troubleshooting FSLogix issues on the session host.
I wouldn't be opposed to having a way for Nerdio to manage that local FSLogix Profile Exclude List group though.

Tomas

We have maintenance accounts excluded for some troubleshooting.
We use "deny logon if FSLogix fails", so if something were to happen that the device couldn't use FSLogix (let's say a tech broke something) then we would fail to be able to log on.

While we could get by with some things using only the defaultAdmin account in order to get it working, if I need to authenticate against the domain or troubleshoot Azure Files then using a domain account makes more sense.

Ryan Dorman

I often put Domain Admins (or AAD DS Admins as appropriate) into the Exclusion. Admins = No FSLogix. Users = FSLogix.

Ryan Dorman

I see this made it into 4.2, that's great! Right now, you can do the local admin, or a domain admin. Would it be possible to add a checkbox to use the well-known SID of the Domain Admins group? The Nerdio "domain admin" from my understanding only needs domain joiner rights, not full domain admin, so the accounts may not be the same for testing purposes.
