
FSLogix DSC package AAD logic update #527

Merged
merged 18 commits into from
Nov 6, 2023
Conversation

danycontre
Collaborator

Overview/Summary

Replace this with a brief description of what this Pull Request fixes, changes, etc.

This PR fixes/adds/changes/removes

  1. Adding logic for DSC package to properly handle AAD scenarios.
  2. Updating default domain join credentials when using AAD.
  3. Changes to the NTFS permissions applied for AAD scenarios:
    Old:

```powershell
Write-Log "setting up NTFS permission for FSLogix"
icacls ${DriveLetter}: /remove "BUILTIN\Administrators"
icacls ${DriveLetter}: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls ${DriveLetter}: /remove "Authenticated Users"
icacls ${DriveLetter}: /remove "Builtin\Users"
Write-Log "ACLs set"

# AVD group permissions
if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') {
    Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set"
}
else {
    # DOMAIN\Group form expected by icacls
    $Group = $DomainName + '\' + $SecurityPrincipalName
    icacls ${DriveLetter}: /grant "${Group}:(M)"
    Write-Log "AD group $Group ACLs set"
}
```

New:

```powershell
Write-Log "setting up NTFS permission for FSLogix"
# drop inherited ACEs so only the explicit entries below remain on the share root
icacls ${DriveLetter}: /inheritance:r
icacls ${DriveLetter}: /remove "BUILTIN\Administrators"
icacls ${DriveLetter}: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls ${DriveLetter}: /remove "BUILTIN\Users"
Write-Log "ACLs set"

# AVD group permissions
if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') {
    Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set"
}
else {
    # Authenticated Users is only removed when an AD group takes its place
    icacls ${DriveLetter}: /remove "Authenticated Users"
    # DOMAIN\Group form expected by icacls
    $Group = $DomainName + '\' + $SecurityPrincipalName
    icacls ${DriveLetter}: /grant "${Group}:(M)"
    Write-Log "AD group $Group ACLs set"
}
```
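An added verification check, not code from this PR or the accelerator, that reads the share root ACL back with Get-Acl and confirms the ACE set the new logic is meant to leave behind: inheritance disabled, BUILTIN\Administrators and BUILTIN\Users absent, CREATOR OWNER with Modify as inherit-only, and Authenticated Users removed only when an AD group was granted. The function name is assumed; the parameters mirror the PR's variables, and `$DomainName` is assumed to be the NetBIOS name as Get-Acl reports identities.

```powershell
# Added check (not part of the PR): read the ACL back and confirm the ACE set
# the new logic should leave on the FSLogix share root. Function name is assumed.
function Test-FSLogixShareAcl {
    param(
        [Parameter(Mandatory)] [string] $DriveLetter,
        [string] $SecurityPrincipalName = 'none',
        [string] $IdentityServiceProvider = 'AAD',
        [string] $DomainName = ''
    )
    $acl      = Get-Acl -Path "${DriveLetter}:\"
    $findings = @()

    # icacls /inheritance:r must leave the root with a protected DACL
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance is still enabled on the share root'
    }

    # index explicit ACEs by identity so each principal can be looked up by name
    $aces = @{}
    foreach ($ace in $acl.Access) { $aces[$ace.IdentityReference.Value] = $ace }

    foreach ($removed in 'BUILTIN\Administrators', 'BUILTIN\Users') {
        if ($aces.ContainsKey($removed)) { $findings += "$removed still has an ACE" }
    }

    # Creator Owner: (OI)(CI)(IO)(M) -> Modify rights with inherit-only propagation
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $co     = $aces['CREATOR OWNER']
    if (-not $co) {
        $findings += 'CREATOR OWNER ACE is missing'
    }
    elseif ((($co.FileSystemRights -band $modify) -ne $modify) -or
            -not $co.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) {
        $findings += 'CREATOR OWNER ACE is not (OI)(CI)(IO)(M)'
    }

    # Same branch condition as the PR: Authenticated Users is removed and the
    # DOMAIN\Group ACE granted only when an AD group is in use
    if (-not ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD')) {
        $group = $DomainName + '\' + $SecurityPrincipalName
        if ($aces.ContainsKey('NT AUTHORITY\Authenticated Users')) {
            $findings += 'Authenticated Users still has an ACE although an AD group is used'
        }
        if (-not $aces.ContainsKey($group)) { $findings += "AD group $group has no ACE" }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}
```

Run it from a host that has the share mapped, e.g. `Test-FSLogixShareAcl -DriveLetter 'Z' -SecurityPrincipalName 'fslogix-users' -IdentityServiceProvider 'ADDS' -DomainName 'CONTOSO'`; a non-empty `Findings` list names each ACE that differs from what the DSC package intends.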

Breaking Changes

  1. Renaming parameters or adding new ones on the storage bicep template:
     • domainJoinUserPassword changed to adminUserPassword
     • New: vmLocalUserName
  2. DSC package parameter updates:
     • DomainAdminUserName changed to AdminUserName
     • DomainAdminUserPassword changed to AdminUserPassword

Testing Evidence

Replace this with any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

As part of this Pull Request I have

  • Read the Contribution Guide and ensured this PR is compliant with the guide
  • Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
  • Checked for duplicate Pull Requests
  • Associated it with relevant GitHub Issues
  • (AVD LZA Team Only) Associated it with relevant ADO Items
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Docs etc.)

@danycontre danycontre merged commit db7ebfd into main Nov 6, 2023
9 checks passed
@danycontre danycontre deleted the aad-fslogix branch November 7, 2023 19:26
petersonjdNIH pushed a commit to ARPA-H/avdaccelerator-nih that referenced this pull request Aug 26, 2024
FSLogix DSC package AAD logic update