none
AppV 5: Add Package Script RRS feed

  • Question

  • Hi

    I am trying to set permissions on folders within the PackageInstallationRoot folder, to work around the "security changes" Microsoft chose to impose upon us with App-V 5.0

    So, I've created a cmd file called permissions.cmd which uses ICACLS to set permissions on folders within my PackageInstallationRoot root folder.
    The cmd file looks like this...

    icacls "[{AppVPackageRoot}]\QB" /grant:r Everyone:(OI)(CI)(R,RD,WD,AD)
    icacls "[{AppVPackageRoot}]\VFS" /grant:r Everyone:(OI)(CI)(R,W,RD,WD,AD)

    The package is called using the AddPackage embedded scripting event like this.

    <AddPackage>
    <Path>cmd.exe</Path>
    <Arguments>/c B:\Application.001\permissions.cmd</Arguments>
    </AddPackage>

    What I'm finding is that the permissions are not being set on the folders within the PackageInstallationRoot.
    My question, when calling an cmd file as part of an embedded script event, can I use AppV tokens, such as [{AppVPackageRoot}] as part of the cmd file.

    My experience to date, suggests that this is not possible, but I'd like to know if anyone else has tried this with any degree of success.

    I can confirm that if I simply run iCACLS from the AddPackage event, the permissions will set correctly, however, 
    since I can only use on AddPackage event I can only apply one set of ICACLS persmissions (my PublishPackage event is calling another separate script).

    Thanks for any help,
    Mitch



    Tuesday, April 16, 2013 10:42 AM

Answers

  • Ok. So on the back of that. i tried setting the PVAD as C:\ProgramData\Sage. This was the folder  i knew the installer created and the one that the end non admin user needed full access to not just read access. I also install the application to the same folder.

    Bad practice i know, not very pretty either, but this time, much like the first blog post stated, the user had permissions to write to the folder AppData\Local\Microsoft\AppV\Client\VFS\2878599B-D200-4316-BCFC-0901DB1020B2\Common AppData

    • Proposed as answer by znack Monday, September 23, 2013 5:18 PM
    • Marked as answer by David WoltersModerator Thursday, November 21, 2013 7:37 PM
    Monday, September 23, 2013 1:27 PM

All replies

  • Hello,

    Most likely you can not - however you could pass on the path as a parameter to the BAT-file


    Nicke Källén | The Knack| Twitter: @Znackattack

    Tuesday, April 16, 2013 1:36 PM
  • Out of curiosity what is your use case where you want write permissions inside the product itself?  Not questioning or anything, just interested in what you are seeing/needing.
    Tuesday, April 16, 2013 2:46 PM
  • The application we are sequencing requires that users have Full Control over C:\User\Public\Public Documents and also Write Access to the applicatications primary installation directory.

    Unfortunately, the App-V 5.0 sequencer no longer allows installer set permissions to be carried over into the final sequence (Security descriptors), it applies a default set of permissions which essentially does not permit users to write to the primary installation folder or the VFS.

    So the script is required to set permissions to folders within the PackageInstallationRoot to accomdate the requirements of the application.

    I hope this makes sense,

    Mitch

    Tuesday, April 16, 2013 9:54 PM
  • Hi Mitch

    Did you happen to find a way to get this working so that security is set when the package is added?

    Cheers!

    Monday, September 23, 2013 7:42 AM
  • I Have read these posts, but was hoping to find a cleaner solution like in the OP where you can give everyone full permissions to a folder before the package is run. in my example im getting a lot of apps that end users need RW access to the VFS Common Appdata folder and rather than them having to run the application 2 or 3 times i wanted to give them full permissions prior to the App-V package being availiable
    Monday, September 23, 2013 1:03 PM
  • Ok. So on the back of that. i tried setting the PVAD as C:\ProgramData\Sage. This was the folder  i knew the installer created and the one that the end non admin user needed full access to not just read access. I also install the application to the same folder.

    Bad practice i know, not very pretty either, but this time, much like the first blog post stated, the user had permissions to write to the folder AppData\Local\Microsoft\AppV\Client\VFS\2878599B-D200-4316-BCFC-0901DB1020B2\Common AppData

    • Proposed as answer by znack Monday, September 23, 2013 5:18 PM
    • Marked as answer by David WoltersModerator Thursday, November 21, 2013 7:37 PM
    Monday, September 23, 2013 1:27 PM