Securing FSLogix Profile and Office 365 Containers

Posted by Aaron Parker on Oct 6, 2016 12:18:03 PM

Find me on:

FSLogix Storage Requirements

When designing for a deployment of FSLogix Profile Containers and Office 365 Containers, the most challenging part of that design will be a solution for storage – you’ll need to ensure whichever solution you go with meets your high availability requirements. Underneath though, a simple SMB location is required for storing the virtual disks that contain the Profile and Office 365 containers.

When a user logs onto a desktop enabled with FSLogix, the virtual disk container stored in the target location, is mounted by desktop with a junction created into the user’s profile.

The screenshot here shows this in action:




Enabling Secure Permissions on the Containers Share

To secure the share that hosts the FSLogix containers, we can draw from existing permissions recommendations for user home directories and folder redirection. The following two articles are a great reference:
* How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
* Deploy Folder Redirection with Offline Files

Recommended Permissions

To secure the share, here are my recommendations for NTFS permissions. Share permissions are straight-forward – users will need write access; however, also ensure that the target desktop computer accounts have read-only access.

Recommended NTFS permissions are below. This will ensure that the FSLogix agent can create a virtual disk for each user with secure permissions, preventing access to other user’s virtual disks.

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
  • SYSTEM – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Administrators – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Users – Create Folder/Append Data (Apply to: This Folder Only)
  • Users – List Folder/Read Data (Apply to: This Folder Only)
  • Users – Read Attributes (Apply to: This Folder Only)
  • Users – Traverse Folder/Execute File (Apply to: This Folder Only)

If you are deploying Profile Containers and Office 365 Containers in a multi-tenant environment, you can change SYSTEM for a domain group that contains the target computer accounts. In this case, read-only access is the minimum permissions required.

Additionally you can change Users for a domain group containing the target user accounts. This could be the same group, added to the local groups that enable inclusion (or exclusion) of Profile Containers or Office 365 Containers.

This blog was originally posted at

Topics: profile containers, Office 365, security, Office 365 Containers

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all

Follow Me