
Why can't I create a WorkSpace in WorkSpaces Personal?


I tried to create an Amazon WorkSpaces Personal WorkSpace, but the process failed.

Resolution

The IAM policy doesn't exist or isn't valid

By default, AWS Identity and Access Management (IAM) identities don't have permissions for WorkSpaces resources and operations. To grant permissions to WorkSpaces resources, create an IAM policy that explicitly grants permissions to a user or group. Then, attach the policy to the IAM users or groups that require those permissions.

For more information, see Identity and access management for WorkSpaces.

WorkSpaces has encrypted volumes that require permissions

You can use AWS Key Management Service (AWS KMS) keys to encrypt the storage volume of a WorkSpace. If the WorkSpace creation fails, then you might not have the required AWS KMS permissions.

Verify that your IAM role has the required AWS KMS permissions and that you meet the prerequisites to use an AWS KMS key to encrypt your WorkSpaces. For more information, see Encrypted WorkSpaces in WorkSpaces Personal.
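The two sections above come down to one artifact: an IAM policy that covers both the WorkSpaces API calls and the AWS KMS actions needed for an encrypted volume. The script below is an added example and is not code from the AWS article. It builds such a policy document, scopes the KMS grant to one key instead of `*`, writes the JSON to a file, and lists the AWS CLI calls that create and attach it. The action set is an assumption of the usual minimum for the CreateWorkspaces path (compare it with the WorkSpaces IAM reference for your setup); the key ARN, account ID and group name are placeholders.

```powershell
# Added example (not from the AWS article): generate a least-privilege policy for an identity
# that creates encrypted WorkSpaces. Action list is an assumption to verify against the IAM
# reference; the key ARN, account ID and group name are placeholders.

param(
    [string]$KmsKeyArn = 'arn:aws:kms:us-east-1:111122223333:key/REPLACE-WITH-YOUR-KEY-ID',  # placeholder
    [string]$OutFile   = "$PWD\workspaces-create-policy.json"
)

function New-WorkSpacesCreatePolicy {
    param([string]$KeyArn)

    # WorkSpaces API calls the console and CLI make while creating a WorkSpace
    $workspacesStatement = [ordered]@{
        Sid      = 'WorkSpacesCreate'
        Effect   = 'Allow'
        Action   = @(
            'workspaces:CreateWorkspaces',
            'workspaces:DescribeWorkspaces',
            'workspaces:DescribeWorkspaceBundles',
            'workspaces:DescribeWorkspaceDirectories'
        )
        Resource = '*'
    }

    # KMS actions WorkSpaces needs on the volume key; scoped to that key, not to "*"
    $kmsKeyStatement = [ordered]@{
        Sid      = 'KmsForEncryptedVolumes'
        Effect   = 'Allow'
        Action   = @('kms:CreateGrant', 'kms:DescribeKey')
        Resource = $KeyArn
    }

    # List actions have no resource-level scope, so they get their own "*" statement
    $kmsListStatement = [ordered]@{
        Sid      = 'KmsList'
        Effect   = 'Allow'
        Action   = @('kms:ListAliases', 'kms:ListKeys')
        Resource = '*'
    }

    [ordered]@{
        Version   = '2012-10-17'
        Statement = @($workspacesStatement, $kmsKeyStatement, $kmsListStatement)
    }
}

$doc = New-WorkSpacesCreatePolicy -KeyArn $KmsKeyArn | ConvertTo-Json -Depth 5
$doc | Set-Content -Path $OutFile -Encoding ascii
$doc   # print the document so it can be reviewed before it is applied

# Apply with the AWS CLI (group name is a placeholder):
#   aws iam create-policy --policy-name WorkSpacesCreate --policy-document file://workspaces-create-policy.json
#   aws iam attach-group-policy --group-name workspaces-admins --policy-arn <ARN returned by create-policy>
```

The KMS statement is the part that is usually missing when creation fails with an encrypted bundle: the identity that calls CreateWorkspaces must be allowed to create a grant on the key, and the key policy itself must also permit that identity, which this script does not change.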

You reached the WorkSpaces quota

You might have reached the quota for the number of WorkSpaces that you can create in a specific AWS Region on your AWS account.

Antivirus software is causing failures

If you created a WorkSpace from a custom image, then antivirus software might cause failures. Deactivate or uninstall any antivirus software. Then, try to create a new personal WorkSpace.

The AD Connector service account password is incorrect

If you use AD Connector for AWS Directory Service, then reset the AD Connector password. After you reset the AD Connector password, update your AD Connector service account credentials in Directory Service. Then, try to create a new personal WorkSpace.

Incorrect DNS IP addresses are set on AD Connector

If your Active Directory DNS IP addresses changed, then update the DNS addresses for your AD Connector. After you update the DNS addresses, try to create a new personal WorkSpace.

AD Connector security groups are deleted or changed

When you create and register a directory for WorkSpaces, two security groups are created. The security group names are directoryID_workspacesMembers and directoryID_controllers. The "directoryID" represents your directory's ID.

If you change either security group name, then the WorkSpace might not be able to communicate with the directory when you create a new WorkSpace. This communication error can cause issues, such as domain join failures.

To resolve this issue, update the security group to allow inbound traffic from the on-premises domain controllers on the required ports. For more information, see Active Directory and Active Directory domain services port requirements on the Microsoft website.

The user profile already exists in the C:\ drive

WorkSpace creation fails when the following are true:

  • The user's profile already exists in the C:\Users directory.
  • You launch a Remote Desktop Protocol (RDP) session to the user's WorkSpace, and create a custom image from the WorkSpace.

For example, you launch an RDP session to a WorkSpace as user1. Then, you use the WorkSpace to create a custom image, and you name the image Image_1. The WorkSpace creation from Image_1 fails because a user profile for user1 already exists in the C:\Users directory of the WorkSpace where you created Image_1.

To resolve this issue, complete the following steps to delete additional user profiles in C:\Users:

Note: Be sure to also remove the security identifiers and keys of the additional users in the registry.

  1. Access the WorkSpace that you used to create the image for the custom bundle.
    Note: If the WorkSpace no longer exists, then access a WorkSpace that successfully launched from the custom bundle.

  2. Open the Start menu, and then expand Windows System.

  3. Open the context (right-click) menu for This PC, and then choose Properties.

  4. In the navigation pane, choose Advanced system settings.

  5. On the Advanced tab, for User Profiles, choose Settings.

  6. Select the user profile, and then choose Delete.
    Important: Remove only the users that belong to your domain (domain\UserName).

  7. Navigate to the C:\Users folder to confirm that the user folders are removed. Keep the Administrator and Public folders.
    Note: The C:\ drive is hidden by default. Open File Explorer, and then enter C:\ in the address bar to display the folders.

  8. Verify that the user's security identifier (SID) is removed from the registry. Open the Start menu, and then enter cmd to open a command prompt.

  9. Run the following command:

    wmic useraccount get name,sid
    
  10. Note the SID for the removed user.

  11. Open the Start menu, and then enter regedit to open the Registry Editor.

  12. Look for the SID in the following registry location: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\.
    If you don't see a key with the removed user's SID, then no further action is needed. If you find a key with the SID, then proceed to the next step.

  13. Remove the key, and then look for the SID in the following registry location: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid\.
    If you don't see a key with the removed user's SID, then no further action is needed. If you find a key with the SID, then remove the key.

  14. To confirm that all user profiles are deleted, run the Image Checker.

You can now create an image of the WorkSpace for your custom bundle that successfully launches for the user that you removed.
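Steps 6 through 13 above can be audited in one pass before you image the WorkSpace. The script below is an added example and is not code from the AWS article. It lists the profiles that Windows still tracks (the same population as the User Profiles dialog), flags which of them belong to your domain, reports ProfileList keys whose profile folder is already gone, and only deletes anything when you pass `-Remove`. It assumes an elevated PowerShell session on the domain-joined WorkSpace and that `$env:USERDOMAIN` is the domain your WorkSpaces join; the functions and parameter names are the example's own.

```powershell
# Added example (not from the AWS article). Run elevated on the WorkSpace you intend to image.
# Default mode only reports; -Remove deletes what the report flags (domain profiles that are
# not loaded, plus orphaned ProfileList/ProfileGuid keys). $env:USERDOMAIN is assumed to be
# the domain your WorkSpaces join.

param(
    [string]$Domain = $env:USERDOMAIN,   # assumption: the AD domain of your WorkSpaces users
    [switch]$Remove                      # off by default: report only
)

$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$ProfileGuid = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid'

function Resolve-SidName {
    param([string]$Sid)
    # Map a SID to DOMAIN\name; a SID whose account was deleted in AD cannot be translated
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }
}

function Get-UserProfileReport {
    # Same population as Advanced system settings > User Profiles, minus built-in accounts
    Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object {
        $name = Resolve-SidName $_.SID
        [pscustomobject]@{
            SID        = $_.SID
            Account    = $name
            Path       = $_.LocalPath
            Loaded     = $_.Loaded                 # true for the profile you are logged on with
            DomainUser = $name -like "$Domain\*"   # only these are candidates for removal
            Instance   = $_
        }
    }
}

function Get-OrphanProfileListKey {
    # ProfileList subkeys are named by SID; report those whose folder no longer exists (steps 12-13)
    Get-ChildItem $ProfileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $_.PSPath).ProfileImagePath)
        if ($sid -like 'S-1-5-21-*' -and -not (Test-Path $path)) {
            [pscustomobject]@{ SID = $sid; Account = (Resolve-SidName $sid); Path = $path; Key = $_.PSPath }
        }
    }
}

function Get-ProfileGuidKey {
    param([string]$Sid)
    # ProfileGuid subkeys are named by GUID and point back at the SID through their SidString value
    Get-ChildItem $ProfileGuid | Where-Object { (Get-ItemProperty -Path $_.PSPath).SidString -eq $Sid }
}

$profiles = Get-UserProfileReport
$profiles | Select-Object SID, Account, Path, Loaded, DomainUser | Format-Table -AutoSize

$orphans = Get-OrphanProfileListKey
$orphans | Select-Object SID, Account, Path | Format-Table -AutoSize

if ($Remove) {
    foreach ($p in $profiles | Where-Object { $_.DomainUser -and -not $_.Loaded }) {
        # Equivalent to the Delete button: removes C:\Users\<name> and the ProfileList entry
        Write-Host "Removing profile $($p.Account) ($($p.SID))"
        Remove-CimInstance -InputObject $p.Instance
        Get-ProfileGuidKey $p.SID | Remove-Item -Recurse
    }
    foreach ($o in $orphans) {
        Write-Host "Removing orphaned registry keys for $($o.SID)"
        Remove-Item -Path $o.Key -Recurse
        Get-ProfileGuidKey $o.SID | Remove-Item -Recurse
    }
}
```

Run it once without `-Remove`, confirm that only domain users appear with `DomainUser = True` and that Administrator and the built-in accounts are not in the removal set, then run it again with `-Remove` and finish with the Image Checker as step 14 describes.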

There are domain join errors

When you create a directory or AD Connector, two subnets are chosen for high availability. Communication between the directory and the WorkSpaces subnets can fail because of a VPN issue or a firewall that blocks the required ports. To troubleshoot domain join errors, see How do I troubleshoot a WorkSpace that fails to join a domain?

You selected the wrong bundle or directory

When you launch a Bring Your Own License (BYOL) WorkSpace in WorkSpaces Personal, you must choose a custom bundle. You must also register a dedicated directory for WorkSpaces.

If you already registered a directory, you can set up a new AWS Directory Service for Microsoft Active Directory or AD Connector directory. You can also deregister a directory and reregister it for dedicated WorkSpaces. For more information, see Register an existing AWS Directory Service directory with WorkSpaces Personal.

Related information

How do I troubleshoot WorkSpaces image creation issues?

AWS OFFICIAL, updated 4 months ago