none
AppV 5: Sequence package and set security to folder

    Question

  • I am trying to build a App-V 5 sequence package.

    I found out that on a specific folder the users needs to have full access...how do I arrange that ? Is that possible to sequence that information ?

    My distribution mechanism would be SCCM 2012...


    Tuesday, February 19, 2013 3:58 PM

Answers

  • I got confirmation from Microsoft:

    - security is not captured during AppV 5 sequencing !

    - when storing an AppV 5 package the local security will be merged. So when security is locally set, then the package will get the correct security.

    This means (i have not tested it yet) that when you give e.g. C:\ProgramData Users:F that when an AppV package is stored there the user that is starting the AppV package also has F right on the C:\ProgramData folder.

    I need to test this before I believe :-)

    • Proposed as answer by znack Saturday, March 9, 2013 9:30 AM
    • Marked as answer by Aaron.ParkerModerator Monday, March 18, 2013 11:53 AM
    Friday, March 8, 2013 10:08 AM

All replies

  • Is the folder inside the package? Change the NTFS permissions during sequencing to capture the ACLs


    Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually answer your question). This can be beneficial to other community members reading the thread.


    This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.

    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V

    Tuesday, February 19, 2013 5:14 PM
    Moderator
  • Hi Aaron i did that. The package installs someparts at c:\program files (x68)\packagename and in c:\programdata\packagename and in hklm\software\syswow64\packagename. Ik put on all locations the security object Everyone:F but after the sequencing it seems to,be that the security is not captured. Is there an easy way of debugging the e.g. Xml files to see if the security is set ? Will it be possible to run a script after the appv deployment which sets the correct secuty ? Ps. The protram to be sequenced is a rather old 32 bit application and i want to,sequence it for a windows 2008 x64 citrix server.
    Tuesday, February 19, 2013 9:16 PM
  • Hi Guys -  I'm experiencing the same issue. When permissions are set on folders within the primary virtual directory or locations within the VFS they do not seem to carry through to the final sequence.

    I set Everyone "Full" on the folder c:\ProgramData\MyApp then when i deploy the sequence and check %APPVROOR%\VFS\CommonAppData\MyApp ... the Full control permissions are not set.

    Any idea what I'm doing wrong or is this a bug with the sequencer?

    Cheers,

    Mitch 

    Wednesday, February 20, 2013 10:52 AM
  • Hello,

    What happens when the application attempts to write to that location?


    Nicke Källén | The Knack| Twitter: @Znackattack

    Wednesday, February 20, 2013 2:45 PM
  • I get application errors when the app attempts to write to those locations. If I mount the sequence fully and then go and manually set the permissions on the folders and files everything works fine. It appears as though app-v does still enforce permissions. Any thoughts?
    Wednesday, February 20, 2013 7:44 PM
  • Hello,

    Can you see an ACCESS DENIED events in Process Monitor when reviewing the activity?


    Nicke Källén | The Knack| Twitter: @Znackattack

    Wednesday, February 20, 2013 9:51 PM
  • No - I don't see Access Denied, I see a lot of path not found etc. But I know for a fact that the permissions should be FULL control everyone on that particular folder, yet the appv client seems to reset to everyone read,list.

    Basically, during a certain process within the application, the app tries to create a folder and some files within the c:\ProgramData\MyApp folder. When sequenced with appV the user is unable to create the files/folders due to the change in permissions, if I run the sequenced application as an "Adminisatrator" it works fine.

    The speicifc folder c:\ProgramData\MyApp is captured as part of the VFS not the PVAD - nto sure if this has any impact on the situation.

    If I install the software locally (without AppV) the permissions are set correctly and remain set.

    Wednesday, February 20, 2013 10:27 PM
  • Here is an exmaple of the "default" permissions the AppV client seems to place on the folders. During sequencing, this particular directory "Shared", was configured with everyone FULL. As you can see, at runtime, it has reverted to everyone Read, List, Execute.

    Wednesday, February 20, 2013 11:21 PM
  • As a work around, have you considered implementing a Pre-script to re-set the permissions before launching the app? I haven't done a whole lot with the Security Descriptors in version 5.0 yet. I always preferred to leave the permissions open within the virtual applications but I guess since there's less isolation now they've standardized on locking the folders down more. Shame!

    I suspect though that the App-V Client is overwriting the permissions. In what little I did look at, it looked like some of the default users/groups were removed out of the Security options. Leaving only Everyone, System and Trusted Installer. When I tried to set permissions on the Users Group, they were gone because the Client seemed to remove Users from the Security options.

    It doesn't seem to matter if you have the directory set to Override or Merge either, it still overwrites the existing permissions. It's like the old LockPermissions table in MSI, Permissions are not being appended, they are being overwritten completely, only it's worse because it seems like even if you set the permissions in Users, it defaults to wipe that out. It sounds like you are saying that is also happening for Everyone which does exist on the client. I also wonder if this is a bug or maybe there's something which can be set on the Sequencing machine or in the Config files to ensure the Security Groups reflect what is set on the Sequencing machine at the time....or at least appends rather than overrides.

    All I could say for sure is a Pre-script, maybe calling SecEdit or iCacls or whatever your preferred method is.


    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    Wednesday, February 20, 2013 11:43 PM
  • Hello,

    Neither a user, nor an admin would have permissions to write to the above file. Just saying.


    Nicke Källén | The Knack| Twitter: @Znackattack

    Thursday, February 21, 2013 12:44 AM
  • Look at the resultant permissions from within the virtual environment, not outside it.


    Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually answer your question). This can be beneficial to other community members reading the thread.


    This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.

    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V

    Thursday, February 21, 2013 12:47 AM
    Moderator
  • For fun, I just sequenced a dummy app. Two folders with two text files, one within my primary directory as a subfolder with a file and another under C:\ProgramData

    I set the permissions for Users to Full Control on both sub folders. I created a shortcut to the Command prompt.

    When I launched the command prompt I navigated to the folder within the virtual environment. I saw my folders in the correct location, un-fortuntely the permissions were also overwritten here, no Users set in the Security options, it was wiped out during sequencing I guess.


    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon


    • Edited by RorymonMVP Thursday, February 21, 2013 1:32 AM
    Thursday, February 21, 2013 1:29 AM
  • Very interesting - I'm glad to see it's not just me experiencing this.

    Interestingly enough, depending on which server I run the sequence on (XenApp servers) I get slightly different behavior.

    If on one server things fail due to permissions on the other server, the application works.

    If I check PROCMON and on the working server, it appears as though the application tries to create the folder in %USERPROFILE%\AppData\Local\Microsoft\App-V\<PACKAGEID>\<GIUD>\VFS\CommonAppData\MyApp but on the server on which the application fails writes to the %APPVROOTINSTALL%\VFS\MyApp.

    Weird?

    Thursday, February 21, 2013 2:20 AM
  • Is there any difference between the two servers?

    Did you also try to look at the permissions from within the actual virtual environment through a DEBUG script, to see what the permissions were? Not just by browsing to the C:\ProgramData folder itself but rather, within the virtual environment.


    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    Thursday, February 21, 2013 7:59 AM
  • Hi Roryman,  Is a Pre-Script easy to create ?

    If I want to create a prescript which execute icacls to set everyone:f permissions on e.g. C:\ProgramData\AppName...how do I do that ?

    Could you guide me ?

    Thursday, February 21, 2013 8:46 AM
  • I would suggest using a vbscript. Refer to http://technet.microsoft.com/en-us/library/cc753525%28v=ws.10%29.aspx

    I've been using SecEdit myself but only because I was not using the Integrity setting in Icacls so didn't see a need to move to it right now.


    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    Thursday, February 21, 2013 4:48 PM
  • Hi Rorymon, ICACLS i know and adding the command to a VBSCRIPT using shell.run I know as well, but how do assign the script to my App-V package so it will be a Pre-Script ?

    To which XML do I add the script and how do I add it to the XML file ? Any hints for this ?

    Thursday, February 21, 2013 5:21 PM
  • I tried to set security just before the AppV starts using a script in the *DeploymentConfig.XML. like below.

         <UserScripts>
           <StartProcess RunInVirtualEnvironment="true">
             <Path>cmd.exe</Path>
             <Arguments></Arguments>
             <Wait RollbackOnError="true"/>
        <ApplicationId>[{AppVPackageRoot}]\my.exe</ApplicationId>
           </StartProcess>
         </UserScripts>

    When I start the AppV a CMD is opened and I try to set the security using ICACLS to the %ALLUSERSPROFILE% folder.

    But I receive an access denied ! When closing the CMD box, the application is starting....

    How can I make it possible to set the scurity before the application starts ??? any idea what I am doing wrong ?


    Friday, February 22, 2013 11:22 AM
  • Hello,

    You are executing the above script as the user starting the application. If the users does not have permissions to alter the folders ACLs - that would generate the Access Denied.

    Have you tried applying Hotfix 1?


    Nicke Källén | The Knack| Twitter: @Znackattack

    Friday, February 22, 2013 3:54 PM
  • Yes I am trying to set the rights when the user starts the program. I thought that the rights were set by using the SYSTEM account according the table. Is there another way of doing it so the script will run by the system account ?

    Hotfix 1 for AppV 5 Sequencer ???

    I am not aware of such an update...

    Friday, February 22, 2013 4:43 PM
  • Hello,

    You can call Microsoft and request it. More info here;

    http://social.technet.microsoft.com/Forums/en-US/appvclients/thread/8ca1ff54-35ea-40f5-b241-de186c206eb8

    If you are meaning the table here;

    http://blogs.technet.com/b/appv/archive/2012/12/10/scripting-and-embedded-scripting-for-appv-5-0-dynamic-deployment-and-user-configuration-scripting.aspx

    It says that StartProcess is executed in User context. You can execute scripts for Add / Remove package or Publishin / Unpublish package that would be in a SYSTEM context


    Nicke Källén | The Knack| Twitter: @Znackattack


    • Edited by znack Friday, February 22, 2013 9:52 PM
    Friday, February 22, 2013 6:07 PM
  • I noticed this same problem, customers have application what demands more than default user permissions (modify) to application installdir (c:\program files (x86)\etc.). So at earlier versions of AppV, this wasnt a issue but at version 5 is a issue.

    If we pre-create this c:\program files (x86)\etc. folder and give users modify permissions, after that launching app, it wont work also.

    Tried also in seqvensing ACL edit to folder, not worked.

    Also i tried to change ACL to AppV "package(sid)\version(sid)\root\etc." folders, it worked neither.

    Saddly there is lots of software wich are poorly coded and needs more permissions to default ACLs. If appv5 cannot provide and appv5&(local)ACLedit does not work together then what is a solution? :)

    Thursday, March 7, 2013 4:42 PM
  • I have been back and forth with Microsoft on this, YOU CANNOT CHANGE PERMISSIONS to anything in the VFS folder!!!

    We have even tried a GPO to override this to no AVAIL.

    Microsoft, please bring back "Security Descriptors" and fix this ASAP!

    Only folder that will allow you read/right access is the Pre Designated install

    directory that you choose prior to install during the sequence.


    • Edited by PSmith45 Thursday, March 7, 2013 8:14 PM
    Thursday, March 7, 2013 8:12 PM
  • I got confirmation from Microsoft:

    - security is not captured during AppV 5 sequencing !

    - when storing an AppV 5 package the local security will be merged. So when security is locally set, then the package will get the correct security.

    This means (i have not tested it yet) that when you give e.g. C:\ProgramData Users:F that when an AppV package is stored there the user that is starting the AppV package also has F right on the C:\ProgramData folder.

    I need to test this before I believe :-)

    • Proposed as answer by znack Saturday, March 9, 2013 9:30 AM
    • Marked as answer by Aaron.ParkerModerator Monday, March 18, 2013 11:53 AM
    Friday, March 8, 2013 10:08 AM
  • So I guess you run it as a script that is not neccessarily a pre-script? But still a script run from the Deployment Config or else I'm making incorrect assumptions about what the Deployment Config can do.

    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    Friday, March 8, 2013 3:56 PM
  • I've done exactly that, I run a script at <ADDPACKAGE> which changes the folder permissions for me. This works perfectly, but it is a shame that the sequencer is not able to capture the information correctly. I've currently got a case open with MS support about it. I will update this thread as and when I make any progress.

        <MachineScripts>

          <AddPackage>
            <Path>cmd.exe</Path>
            <Arguments>/c %SYSTEMROOT%\System32\icacls.exe "[{AppVPackageRoot}]\VFS\Common Documents\MitchApp" /grant Everyone:(OI)(CI)F</Arguments>
          </AddPackage>

        </MachineScripts>

    Tuesday, March 12, 2013 9:32 PM
  • This is nuts. They enforce security descriptors but you can't set them during sequencing? Is this a bug? I thought App-V 5 was all about being more compatible with applications, and not less.

    Wednesday, March 13, 2013 8:45 PM
  • This is nuts. They enforce security descriptors but you can't set them during sequencing? Is this a bug? I thought App-V 5 was all about being more compatible with applications, and not less.

    MS' answer is 'Apps behave more like locally installed ones' :-\  But I agree, this is far from beeing a perfect solution


    Falko

    Twitter @kirk_tn   |  Blog kirxblog   |  Web kirx.org

    Thursday, March 14, 2013 12:03 PM
    Moderator
  • Answer from MS tech support on this:

    "AppV 5.0 doesn’t support changing file ACLs while sequencing.

    Package content is immutable, by default the package has an ACL that denies write access for everyone. Root directory has a read/write access to everyone. 

    Some application changes ACLs on sequencing machine to give user access to directories they normally don’t have access to. This doesn’t work. We will need to setup a script to change the ACL on the VFS directory  inside the user profile on configuration time, as you are doing now."
    Thursday, March 14, 2013 8:28 PM
  • Running cacls.exe is not always allowed, unfortunatley for us this is block.

    Microsoft need to fix this, ASAP.

    The sequencer needs to handle this and not the client, this should be a simple solution for the developers


    Paul Smith

    Monday, March 18, 2013 8:32 PM
  • Has there been any update to this since 3/14? Does anyone know if 5.0 Hotfix 1 resolves this? If not, does the sample icalcs VBS actually work as a "band-aid" solution? This issue is preventing us from using App-V 5.0 at this point.
    Thursday, April 4, 2013 8:12 PM
  • no SP1 will not fix this

    Paul Smith

    Thursday, April 4, 2013 8:23 PM
  • Has anyone verified the sample icalcs VBS works as a "band-aid" solution?
    Thursday, April 4, 2013 8:26 PM
  • JeremyRDS - I use the embedded icacls script extensively and it does work around this limitation. (as per my example above)

    However, if you need to apply different permissions to different folders, it can get a little tricky.

    Mitch

    Tuesday, April 16, 2013 10:54 AM
  • MitchyB, so you are adding this to the DeploymentConfig.xml correct not the UserConfig.xml, correct? Also, when you edit the script, do you need to remove the application from the client first, then re-publish it? Do you have to add the app first, before executing? It seems as though when used within the <AddPackage> in the config file, that the script may be running before all the files are loaded to the "[{AppVPackageRoot}]\VFS\Common AppData" path in which I need the permissions changed.

    Should I move it under the <Applications> instead. 

    Paul


    Duramaxster

    Wednesday, April 17, 2013 6:56 PM
  • I Have tried the

    MachineScripts>

          <AddPackage>
            <Path>cmd.exe</Path>
            <Arguments>/c %SYSTEMROOT%\System32\icacls.exe "[{AppVPackageRoot}]\VFS\Common Documents\MitchApp" /grant Everyone:(OI)(CI)F</Arguments>
          </AddPackage>

        </MachineScripts>

    But with no luck. Most packages I have made, demands permissions to the \\programdata\app-v folder, but nothing i have tried in the scrip helps
    Does anyone have a solution?

    Monday, April 22, 2013 2:17 PM
  • {AppVPackageRoot}] is not a variable that will be addressable via a script. You'll need to work out the real path to be able to change the permissions.


    Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually answer your question). This can be beneficial to other community members reading the thread.


    This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.

    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V

    Monday, April 22, 2013 2:59 PM
    Moderator
  • Well the correct path is C:\ProgramData\App-V\Sid1\sid2\Root\''

    Please excuse me if I need to be clear about this as we have serius problems, All apps works when startting as Admin and procmon claims no access ti files in this folder, when starting as "normal" user. That would men that the script would act like

    MachineScripts>
     <AddPackage>
             <Path>cmd.exe</Path>
             <Arguments>/c %SYSTEMROOT%\System32\icacls.exe C:\ProgramData\App-V\sid1\sid2\Root\''" /grant Everyone:(OI)(CI)F</Arguments>
           </AddPackage>
    </MachineScripts>

    with the sid adresses? can this be correct?

    Tuesday, April 23, 2013 12:27 PM
  • That's correct. You can find the path which is typically:

    %ProgramData%\App-V\Package GUID\Version GUID

    Via PowerShell with the Get-AppvClientPackage cmdlet. You would really need to write a PowerShell script that first finds the right path and then passes that to ICACLS.exe.



    Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually answer your question). This can be beneficial to other community members reading the thread.


    This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.

    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V



    Tuesday, April 23, 2013 12:31 PM
    Moderator
  • Hello everyone, I have found a solution to the problem. It is not necessary to use the above suggested in the script, the variable works just fine.

    Add the following script to your DeploymentConfig file. be sure to take the comments out <!-- to the -->
      <MachineScripts>
       <AddPackage>
              <Path>cmd.exe</Path>
              <Arguments>/c %SYSTEMROOT%\System32\icacls.exe "[{AppVPackageRoot}]\VFS\Common AppData" /grant Everyone:(OI)(CI)F
       </Arguments>
        <Wait RollbackOnError="true" Timeout="30"/>
       </AddPackage>
     </MachineScripts>

    NOTE: The particular path I needed to edit for QuickBooks was all located in the VFS\Common AppData folder. Ensure that the path you are needing to edit is correct. To identify, I simply converted the .Appv to a zip and found where the files were that needed editing.

    If you have previously added the app, I chose to remove-AppvClientPackage "myapp", although I think it will update, I removed anyways.

    Your not done. Now you will need to add the package using the following, this particular one is for my QuickBooks app, but hopefully you get the idea. What I found really odd is even though I edited the default config file, I still needed to use the "-DynamicDeploymentConfiguration" to get the script to work.
    Add-AppvClientPackage"\\myserver\virtualapps_5$\3011-QuickBooksPro2010.V09\3011-QuickBooks Pro 2010_2.appv" -DynamicDeploymentConfiguration "\\myserver\virtualapps_5$\3011-QuickBooksPro2010.V09\3011-QuickBooks Pro 2010_2_DeploymentConfig.xml"

    Run the package as a normal non-admin user that has rights to the package, it will reload and your done.

    I have tested this on 7 different apps that gave me trouble and it works. after running the above script. I noticed this on every app. :-)

    Hope this is helpful to you guys, it took me 3 weeks, Aaron RoryMon and Znack were all a big part of this success

    Paul


    Duramaxster

    • Proposed as answer by Dominik Britz Tuesday, May 7, 2013 2:27 PM
    Tuesday, April 23, 2013 11:23 PM
  • This looked promising....but doesn't fix QuickBooks for me, particularly for the qbregistration.dat file.

    Nick Moseley | http://t3chn1ck.wordpress.com

    Wednesday, April 24, 2013 9:41 PM
  • What is the error you are getting? Can you give me more info?

    Paul


    Duramaxster

    Did you add the package using the same command I did?

    Did you edit the DeploymentConfig.xml or create a new one?

    • Edited by Duramaxster Wednesday, April 24, 2013 10:23 PM
    Wednesday, April 24, 2013 10:21 PM
  • Well, I may have multiple issues going on with QuickBooks.  I hate to hijack this thread, so if want, can you respond on http://social.technet.microsoft.com/Forums/en-US/mdopappv/thread/123ad679-02b8-497c-9cc4-04c515d66b29 for me?

    But to answer your questions, I did edit the existing DeploymentConfig.xml and I did run the Add-Package commandlet (though we're operating in Shared Content Mode, so I'm not sure how effective that command would be)


    Nick Moseley | http://t3chn1ck.wordpress.com

    Wednesday, April 24, 2013 10:34 PM
  • Hi Paul,

    I am working with QuickBooks Pro 2010 and am getting the following error message when I launch it without choosing "run as administrator".

    QuickBooks has problem in accessing this registration file... C:ProgramData\Common Files\Intuit\QuickBooks\qbregistration.dat"

    I have edited my default config file. I tried your syntax and I also tried this:

        <MachineScripts>
          <AddPackage>
            <Path>cmd.exe</Path>
            <Arguments>/c %SYSTEMROOT%\System32\icacls.exe "C:\ProgramData\App-V\981CA122-CC48-4FF7-A46B-E3069682B056\980539D5-0435-4BCA-B7CA-AE9408A667B9\Root\VFS\Common AppData" /grant "mydomain\Domain Users":(OI)(CI)F
            </Arguments>
              <Wait RollbackOnError="true" Timeout="30"/>
          </AddPackage>
        </MachineScripts>

    I used the following powershell commands:

    stop-AppvClientPackage -Name "QuickBooks 2010 Pro (UK)" -global

    stop-AppvClientPackage -Name "QuickBooks 2010 Pro (UK)" -global

    Set-AppVClientConfiguration -EnablePackageScripts 1

    Add-AppvClientPackage -path "C:\QuickBooks 2010 Pro (UK)\QuickBooks 2010 Pro (UK)_2_3_4.appv" -DynamicDeploymentConfiguration "C:\QuickBooks 2010 Pro (UK)\QuickBooks 2010 Pro (UK)_2_3_4_DeploymentConfig.xml"

    Publish-AppvClientPackage -Global (and pasted the guids when prompted)

     
    • Edited by IT Juggler Thursday, May 2, 2013 7:52 PM typo
    Thursday, May 2, 2013 7:50 PM
  • This is precisely the same issue I am having with the qbregistration.dat file.  Permissions are set on the folder structure with everyone having full control, but the error still occurs.

    However, I've found that if UAC is off or if the app is Run as Administrator, then this problem goes away.


    Nick Moseley | http://t3chn1ck.wordpress.com

    Thursday, May 2, 2013 8:16 PM
  • Well, I may have multiple issues going on with QuickBooks.  I hate to hijack this thread, so if want, can you respond on http://social.technet.microsoft.com/Forums/en-US/mdopappv/thread/123ad679-02b8-497c-9cc4-04c515d66b29 for me?

    But to answer your questions, I did edit the existing DeploymentConfig.xml and I did run the Add-Package commandlet (though we're operating in Shared Content Mode, so I'm not sure how effective that command would be)


    Nick Moseley | http://t3chn1ck.wordpress.com

    This Recepie worked for me in App-V 5

    http://social.technet.microsoft.com/Forums/en-US/prescriptiveguidance/thread/9ccd5eb6-676f-469b-be8f-41530a21b1da


    Paul Smith

    Thursday, May 2, 2013 8:18 PM
  • Well, I'm one step closer (I think) but it still isn't working. I changed AddPackage to PublishPackage in my script because I noticed that the VFS folder only gets created during publishing, not adding. Now when I run the app as an administrator, I can see from within the package that Everyone has full control on the Common Appdata folder. However, I still get the same error message about qbregistration.dat when I run it as a normal user.
    Monday, May 6, 2013 7:42 PM
  • Any one found a decent solution to the security settings to the APPV folder?

    I am unable to getting any script to achieve access to the VFS folder.
    We are running on RDS a TS 2008  r2 and are planning to migrate to 2012 any time now, but this is holding things up.

    Everything works lika a charm when running the app as an admin, but the standard user cannot get the proper access to the VFS folder.

    Tuesday, May 21, 2013 9:19 AM
  • I'm not able to get this to work.  I can apply the permissions to the folder (under ProgramFilesX86) and a standard user can open a regular command prompt, navigate to the equivalent location under C:\ProgramData\AppV and create files there.

    However, opening a CMD prompt in the bubble and trying to write the to the folder under C:\Program Files (x86) gives me access denied, even though icacls run in the bubble shows me that I have rights.

    I have tried turning off inheritance on that particular folder, removing and adding permissions again, adding the Users group as well as Everyone,  but nothing seems to work!



    Why can't I get a signature to work on these damn forums?

    Friday, June 21, 2013 10:47 AM
  • I've found the solution.  You need to edit the permissions on the folder under the user's local appdata directory.  I've made a pre-launch script to take care of it, see here for full details:

    http://packageology.com/2013/06/file-permissions-app-v-5/


    Dan Gough

    Saturday, June 22, 2013 5:17 PM
  • I was just wondering if there is news on the horizon of a more permanent solution to this problem as i have encountered it a lot with multiple apps i have been trying to package recently.

    Cheers

    Friday, September 20, 2013 1:58 PM
  • Check out this App-V 5.0 Powershell Set-Acl Script for setting Custom Security rights for the [AppvPackageRoot}] which also comes very handy for setting Custom Security rights for virtual Add-ins / Plugins in a (Office) Connection Group: http://www.getonict.nl/blog/app-v-blog.html#app-v-set-acl


    Jeroen Spaander

    Tuesday, October 15, 2013 11:05 AM
  • Jeroen,

    I just went over to your site to check out the script and maybe implement it in a test environment tomorrow myself, yet I do not seem to be able to find it.

    Could you direct me to the contents or a link to the script itself ?

    Kind regards

    Wednesday, January 22, 2014 10:05 PM
  • http://packageology.com/2013/06/file-permissions-app-v-5/

    works fine for me, there is both, the link for downloading the script and the source code (tough it's not Jeroen's solution)


    Falko

    Twitter @kirk_tn   |   Blog kirxblog   |   Web kirx.org   |   Fireside appvbook.com

    Thursday, January 23, 2014 11:30 AM
    Moderator
  • I think Jeroen's script solves a different problem to mine though?

    My vbscript allows users to gain write permission to otherwise locked down VFS folders (e.g. Program Files). Jeroen's Powershell script looks like it is used to apply AD group permissions to the root where the streamed files are stored, so that a big connection group can be published and certain user groups restricted from accessing specific packages in the group. At least that's what I could gather from reading a translated web page some time ago!



    Dan Gough - packageology.com Twitter (@packageologist) LinkedIn

    Thursday, January 23, 2014 3:08 PM