VMware Horizon Community
ijdemes
Expert

User Profile Archive Folder not created (DFS)

Hi,

I have a strange issue at a customer using UEM 9.2.1.

I have configured a profile archive path (DFS) in the FlexEngine GPO to \\<domain.something>\share\Profiles\Test\%username%

FlexEngine is configured to run as a GP extension.

During logon the profile archive folder is not created for the user.

I have enabled the "FlexEngine logging to the Windows event log" GPO setting, which resulted in the following error during logon, which confirms my issue ;)

[Screenshot: pastedImage_0.png]

After being logged on with my default settings, I created the following CMD file to check if I (as a user) have the correct permissions for creating the folder.

cls

md \\<domain.something>\share\Profiles\Test\%username%

pause

The CMD successfully created the profile archive folder, which confirms that I have the correct permissions.

So why am I able to create the folder after logon, but why isn't the folder created during logon?

The permissions for the profile archive share/folders are configured as per this article: https://docs.vmware.com/en/VMware-User-Environment-Manager/9.2/com.vmware.user.environment.manager-i...

I am a bit puzzled here, and curious if anyone else came across this issue or has any suggestions pointing me in the right direction.

Any help is much appreciated.


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com
Accepted Solutions
ijdemes
Expert

Hi UEMdev,

There is no FlexEngine log file, because this is a "chicken and egg" situation. ;)

However, I managed to solve the problem once I found out the requested change was implemented a "little bit" differently by the customer.

I will describe the solution.

I requested two shares for hosting the profile archives, one for testing and one for production. Each share should have its NTFS security configured according to VMware UEM best practices. Each share should be connected to a DFS sub folder and that's that... normally.

However, the customer created one file share and created a folder "Test" and a folder "Production" on that share, with the NTFS security on both these folders configured according to VMware UEM best practices.

DFS Configuration and share/NTFS permissions

+ <domain.something>

+--------------------- \Profiles --> \\server\share (Share permissions: Everyone: READ)

+---------------------------------------------------- \Test --> NTFS permissions: For End users: Create folders and append data, applied to this folder only.

                                                            --> NTFS permissions: For Creator owner: Full control, applied to sub folders and files only.

+---------------------------------------------------- \Production --> NTFS permissions: For End users: Create folders and append data, applied to this folder only.

                                                                  --> NTFS permissions: For Creator owner: Full control, applied to sub folders and files only.

The DFS configuration results in two paths:

\\<domain.something>\Profiles\Test

\\<domain.something>\Profiles\Production

Now for the solution, I had to add the following additional NTFS security on the root of the share (\\server\share):

- Traverse folder / execute file (this folder only)

- List folder / read data (this folder only)

Now the profile archive folders are successfully created. Users are not able to see each other's folders/files, which is exactly what you want.

Though I'm still a bit puzzled why the folder could be created by the user after logon using the CMD command MD and not by FlexEngine during logon. It seems that FlexEngine really traverses the folders and needs to be able to reach each individual folder in the path before being able to create the profile archive folder for the user if it does not already exist, but there's no clear proof for that, except the implementation of the additional NTFS permissions described above ;)


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com
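
The permission layout described in the accepted solution, written out as a script (an added example, not part of the original post and not VMware's own code). The local path `D:\ProfileShare` and the group `EXAMPLE\UEM Users` are hypothetical placeholders for the folder behind \\server\share and the end-user group.

```powershell
# Added example. Path and group below are hypothetical placeholders.
$ShareRoot = 'D:\ProfileShare'      # local folder behind \\server\share (assumed)
$EndUsers  = 'EXAMPLE\UEM Users'    # end-user group (assumed)

function Add-FolderAce {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rule  = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate, $allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Share root: the two extra rights from the solution. Inheritance 'None'
# is what the GUI calls "this folder only", so nothing flows further down.
# Traverse = "Traverse folder / execute file",
# ListDirectory = "List folder / read data".
Add-FolderAce $ShareRoot $EndUsers 'Traverse, ListDirectory'

$audited = @($ShareRoot)
foreach ($name in 'Test', 'Production') {
    $folder = Join-Path $ShareRoot $name
    # End users: "Create folders / append data", this folder only.
    Add-FolderAce $folder $EndUsers 'CreateDirectories'
    # CREATOR OWNER: Full control on subfolders and files only
    # (inherit to containers and objects, but not this folder itself).
    Add-FolderAce $folder 'CREATOR OWNER' 'FullControl' `
        'ContainerInherit, ObjectInherit' 'InheritOnly'
    $audited += $folder
}

# Audit: list the explicit ACEs on each level of the path.
foreach ($p in $audited) {
    "`n$p"
    (Get-Acl -Path $p).Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, FileSystemRights,
                     InheritanceFlags, PropagationFlags -AutoSize
}
```

Run it elevated on the file server. In the audit output, every end-user ACE should show `InheritanceFlags` as `None`; an end-user entry that inherits downward would let users read inside each other's archive folders.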


4 Replies
DEMdev
VMware Employee

Hi ijdemes,

Hmmm... Weird. For DFS paths we try to log the actual path as well; anything interesting in your FlexEngine log? (Given that event 268, you might need to temporarily configure a non-DFS location for the log file, though 🙂)

I'd also be interested to hear what happens if you run FlexEngine.exe -r inside a session. If that fails as well, ProcMon would be a good next step.

ijdemes
Expert

Oh I forgot to mention, I also tried using the FlexEngine.exe -r command in the session, without success. Which means, no profile archive folder was created.

But thanks for the suggestions UEMdev!!


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com
DEMdev
VMware Employee

Hi ijdemes,

Happy to hear that you got everything to work!

I'm not quite sure what's going on here... It used to be the case (years ago), that the code that checks whether a folder exists (and also creates the missing parts if it doesn't) wasn't very smart, but I don't understand why your customer's scenario would break...

Maybe I'll ask Pim_van_de_Vis to provide me with a DFS playground so I can test a few things 🙂