OneDrive with simulated Single Sign-On

Recently we have received numerous requests to implement OneDrive in multi-user environments. This is not an easy task given that Microsoft refuses to release and develop a client that supports multi-user environments. Citrix and Microsoft give the following recommendations:

  1. Use OneDrive for Business through the browser.
  2. Use ShareFile instead of OneDrive for Business.
  3. Continue using OneDrive for Business, but through ShareFile Desktop App or ShareFile Driver Mapper.

You can read more about this here. It is very important to understand these recommendations from Microsoft and Citrix before you continue reading, because what I am about to show you is a different approach. An alternative to these recommendations is to use FSLogix with the OneDrive for Business client. You can read more about this here. This means that FSLogix will support you when you use their software. My approach requires that Microsoft does not change how OneDrive is set up, and as we all know, Office 365 is updated very often.


If you are going to implement OneDrive in a multi-user environment and at the same time give your users a “simulated” single sign-on experience, a few things need to be in place. I am referring to this as a “simulated” single sign-on because this solution is built on top of several different techniques rather than a native single sign-on. I have specified the criteria below. You will need:

  1. FSLogix licenses
  2. OneDrive
  3. Programming skills (AutoIT and PowerShell)
  4. Extensive knowledge about Group Policy Management and Active Directory

In this blog post I will take for granted that FSLogix is installed on your session hosts and every user successfully receives a personal VHDX where the OneDrive data will be stored. If you need help with this, please refer to the FSLogix docs quick start. Basically, what we will do is install OneDrive into each user session at logon and then launch a packaged app that automatically clicks through the first sync process.



Let’s get this started. The first thing we must do is install OneDrive on our session hosts. The code below will install OneDrive for your user and also drop ”OneDriveSetup.exe” into ”C:\Program Files (x86)\Microsoft OneDrive”. This will come in handy later on.


When we have the installation files in place, you will need to create a program with AutoIT that simulates user input. You do not have to install anything on the session hosts, but you will need to install AutoIT (AutoIT full installation) and the AutoIT script editor (SciTE4AutoIt3) on your local machine. Once you have that installed, fire up the ”AutoIT Script Editor” and create a new file called ”OneDrive.au3”. Paste the code below and then compile it into an executable file (AutoIT_OneDrive.exe). We will use this file to automatically generate the mouse clicks through the first sync process to get a “simulated” single sign-on experience.


Now that we have all the prerequisites in place, it is time to implement. Create a PowerShell script and paste the following code. The script will make sure that OneDrive installs successfully for the user and also opens OneDrive prepopulated with the user’s email address.
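
As an added illustration of what such a logon script has to do (this is not the blog’s own script), the example below checks whether the per-user client is present, runs the staged installer silently if it is not, looks up the user’s mail attribute in Active Directory and then starts the client. It assumes the installer path named above, that the address lives in the AD `mail` attribute, and that `OneDrive.exe` accepts a `/configure_business:<email>` switch to prepopulate the sign-in dialog (that switch is an assumption; `OneDriveSetup.exe /silent` is documented).

```powershell
# Added example, not the blog's script: per-user OneDrive install at logon.
# Assumptions: OneDriveSetup.exe staged at $SetupPath (as the post describes),
# the user's address is in the AD "mail" attribute, and OneDrive.exe accepts
# "/configure_business:<email>" to prepopulate sign-in (assumed switch).

$SetupPath = 'C:\Program Files (x86)\Microsoft OneDrive\OneDriveSetup.exe'
$UserExe   = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
$LogPath   = Join-Path $env:TEMP 'OneDriveLogon.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 's') $Message" | Out-File -FilePath $LogPath -Append
}

# Look up the logged-on user's e-mail address from Active Directory.
function Get-UserMail {
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $searcher.PropertiesToLoad.Add('mail') | Out-Null
    $result = $searcher.FindOne()
    if ($result -and $result.Properties['mail'].Count -gt 0) {
        return [string]$result.Properties['mail'][0]
    }
    return $null
}

# Install per user only when the client is missing from the profile.
if (-not (Test-Path $UserExe)) {
    if (-not (Test-Path $SetupPath)) {
        Write-Log "Staged installer not found at $SetupPath; aborting."
        exit 1
    }
    Write-Log 'Installing OneDrive for the current user.'
    $proc = Start-Process -FilePath $SetupPath -ArgumentList '/silent' -Wait -PassThru
    if ($proc.ExitCode -ne 0 -or -not (Test-Path $UserExe)) {
        Write-Log "Install failed (exit code $($proc.ExitCode))."
        exit 1
    }
}

# Start the client; pass the address when AD returned one so the first-sync
# dialog opens prepopulated and only the click-through remains for AutoIT.
$mail = Get-UserMail
if ($mail) {
    Write-Log "Starting OneDrive for $mail."
    Start-Process -FilePath $UserExe -ArgumentList "/configure_business:$mail"
} else {
    Write-Log 'No mail attribute found; starting OneDrive without prepopulation.'
    Start-Process -FilePath $UserExe
}
```

The log file in `%TEMP%` gives you something to check when a user reports that the first sync never appeared.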


If you try to log on now, you will get single sign-on with OneDrive. Since all of this happens after the user logs on, FSLogix is not aware that OneDrive is GOING TO BE installed and that the data should be redirected to the VHDX. This will cause all OneDrive data to be downloaded to the local disk on the first logon (usually C:\). This means that if several people log on for the first time, they risk filling up the system drive. For example, if we have 20 users who each have 1 TB of data in their OneDrive, all of their data will be downloaded to the local disk, which requires 20 TB of free disk space on the system drive. I have reported this to the FSLogix developers and they are working on a fix. However, we came up with two possible workarounds:

  1. Log out the user automatically when they have successfully logged on and OneDrive is installed.
  2. Create two registry keys at logon to trick FSLogix into believing that OneDrive is already installed.

In this example we are going with workaround number two. Create a new PowerShell script and paste the following code:


And then finally, add both scripts and the AutoIT executable to run for the user at logon via GPO. The correct order should be like this:

  1. CTX-XA-U-FSLogixOneDrive.ps1
  2. AutoIT_OneDrive.exe
  3. CTX-XA-U-InstallOneDrive.ps1

Good luck with the configuration and feel free to drop a comment or email me at mans.hurtigh@xenit.se if you have any feedback or questions.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.