Further to the information presented here: Unable to log in to session host VMs as local administrator – Nerdio Help Center
We found that it would be useful to add the local admin and domain admin accounts, which are not synched using Azure AD Sync, into the local exclude groups - we don't want our on-premise domain admin account synched to Azure AD, and the Local Admin account never will be, as it belongs to the individual computer alone.
We chose to modify the group policy that applies computer settings so that it will put both of those accounts into the exclude group; that way we can more easily administer the servers.
- Open Group Policy Management Console
- Create a new GPO or edit an existing one
- Go to Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Restricted Groups
- Right click over Restricted Groups and select Add Group
- Type the group whose members you want to add or remove; we copied the name of the group from a host server: FSLogix Profile Exclude List
- In the Members of this Group, choose Add; we added our domain\domainadmin account using the browse button, and entered LocalAdmin manually (without domain\)
I hope someone finds this useful, let me know.
A
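A check to run on a session host after the policy refreshes, added here as an example and not part of the original post or Nerdio's documentation. A Restricted Groups "Members of this group" list replaces the group's membership rather than adding to it, so the script reports both missing and unexpected members. The account names are the placeholders from the post, and the function name `Compare-GroupMembership` is hypothetical.

```powershell
# Added example: audit the local FSLogix exclude group against the list set in the GPO.
# Assumptions: elevated Windows PowerShell on the session host; replace the placeholder
# account names ('domain\domainadmin', 'LocalAdmin') with the real ones.
param(
    [string]$GroupName = 'FSLogix Profile Exclude List',
    [string[]]$Expected = @('domain\domainadmin', "$env:COMPUTERNAME\LocalAdmin")
)

function Compare-GroupMembership {
    param([string[]]$Actual, [string[]]$Expected)
    # -notcontains compares case-insensitively, matching how Windows treats account names
    $missing    = @($Expected | Where-Object { $Actual -notcontains $_ })
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{ Missing = $missing; Unexpected = $unexpected }
}

# The group only exists on hosts where FSLogix is installed
$group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    Write-Warning "Local group '$GroupName' not found on $env:COMPUTERNAME."
    exit 2
}

try {
    # Local accounts are returned as COMPUTERNAME\name, domain accounts as DOMAIN\name
    $actual = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
                Select-Object -ExpandProperty Name)
}
catch {
    Write-Warning "Could not enumerate '$GroupName': $($_.Exception.Message)"
    exit 2
}

$result = Compare-GroupMembership -Actual $actual -Expected $Expected

if ($result.Missing.Count -eq 0 -and $result.Unexpected.Count -eq 0) {
    Write-Output "OK: '$GroupName' matches the expected membership."
    exit 0
}

# Missing members usually mean the GPO has not applied yet (check with: gpresult /r /scope computer)
$result.Missing    | ForEach-Object { Write-Warning "Missing from group: $_" }
# Unexpected members will be removed at the next policy refresh if Restricted Groups is enforced
$result.Unexpected | ForEach-Object { Write-Warning "Not in expected list: $_" }
exit 1
```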