Best Practice for Revoking Access Permissions to an Application

  • Question

  • Does anybody know the best practices for removing access permissions to an application in App-V server?  Furthermore, we currently have an issue, which I suspect may be due to us not carrying something out.

    When we upgrade an application, we import it side-by-side during testing and then remove the desktop icon for the old application and then add the relevant AD group to the new application, when we require all users to access it.  This works ok.

    However, if we remove a user from the AD group that controls access to an application and the user logs off and back on again (we have set for publishing refresh to happen on logon), the application can still be opened.  We can resolve this locally through using the App-V Client but we need to ensure that when the access permissions are changed by removing a user from an AD group or removing the AD group from the access permissions of the application on the App-V server, that the user's rights are revoked at next logon; so the desktop icon disappears and the ability to open the application is revoked.  Any help would be appreciated.

    Infrastructure:

    2 x App-V v4.5 App-V servers (whichever the latest is)

    Application folders containing OSD and SFT files and so on are placed in a folder called AppData on the C drive.  This folder is replicated between servers via DFS.

    Application streaming is via http, so the application and package paths within the package and application properties within the App-V server MMC point to the http:// load balanced URL.  The OSD file has HREF as the load balancer http address, which load balances between the two App-V servers.

    App-V Client is v 4.6 with SP1 (whichever the latest is)

    This uses RTSP to connect to the App-V server.

    • Edited by -Virtual- Thursday, January 19, 2012 2:11 PM
    Thursday, January 19, 2012 2:07 PM

All replies

  • Removing the user from the group and waiting for the next publishing refresh is most common.

    How is your Provider Policy configured? Is that using a group that is different to the group used to assign the application?

    What does the App-V client log say after a publishing refresh? What do you have set for the RequireAuthorizationIfCached value on the client?



    Twitter: @stealthpuppy | Blog: stealthpuppy.com

    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


    • Marked as answer by -Virtual- Monday, January 30, 2012 10:16 AM
    Thursday, January 19, 2012 3:09 PM
    Moderator
  • Thanks for the response Aaron and I'd like to add how helpful I find your blogs. 

    We are using the default policy provider and have added Domain Users to it.  It is set to publishing refresh on logon.  This is different to the group set for the application.  The issue occurs on all applications.  We have a considerable number, as we are currently carrying out a VDI and RDSH solution with App-V providing applications when compatible.

    I will take a look at the App-V client logs.  I didn't specifically set the RequireAuthorizationIfCached value on the client.  Will look and see what it is set to.  I also should add that we have VDI Windows 7 workstations and RDSH servers and both have the same issue.

     



    • Edited by -Virtual- Friday, January 20, 2012 10:51 AM
    Friday, January 20, 2012 8:14 AM
  • RequireAuthorizationIfCached is set to 0.   I changed this to 1 and logged off and back on again; the application is still available to the user. 

    I set the logging on the App-V Client to verbose and get this regarding the application.

    Logs wise, a considerable number of applications say: App's pid  - 4294967295 - doesn't match.

    Also, I logged onto another RDSH server I had never been on before.  The icon was cached in the roaming profile so appears.  When running the shortcut, a window appears and states: The Application Virtualization Client could not launch the application you requested.  ...The specified application does not exist...etc...

    So permissions have been revoked.  It appears to be something locally causing the issue.  We of course need to ensure that icons also disappear when permissions are revoked.

    Doing a Clear on the application using the App-V client causes the desktop shortcut to disappear.  The application is still listed under the 'applications' node but is no longer showing the icon. Even after a publishing refresh, it is still appearing. After deleting the application from the list and running a publishing refresh, the application does not appear.

    Extract of logs below with regards to the application. 

    These will follow shortly. - Have been trying to add the log file here and getting errors with regards to characters. Any way of uploading a text file?



    • Edited by -Virtual- Friday, January 20, 2012 10:34 AM
    Friday, January 20, 2012 9:25 AM
  • Hello,

    Have you verified that the active directory group membership is reflected on the client? You can do so by running gpresult /R
    Nicke Källén | The Knack| Twitter: @Znackattack
    Friday, January 20, 2012 2:31 PM
  • Thanks for the response.

    The AD group is not appearing for the user and the issue does occur even after logging off and on again.  I have even removed the AD group from the permissions of the application in App-V server and publication refreshed and the application is still available. As mentioned above, if you use the 'clear' option, the desktop shortcut disappears for the application.  Deleting the application and doing a publishing refresh does not bring it back for the user.

    Sunday, January 22, 2012 2:50 PM
  • Hello,

    What is the difference, when performing a verbose-logging, between a publishing refresh at logon and a publishing refresh after logon?

     


    Nicke Källén | The Knack| Twitter: @Znackattack
    Sunday, January 22, 2012 3:30 PM
  • Thanks.  I'll take a look and let you know.

    Monday, January 30, 2012 8:46 AM
  • Was testing today and it appears that it is now working with newly sequenced applications. 

    I started by setting RequireAuthorizationIfCached to 1.

    I have removed the group from the permissions tab of the application and Publish refreshed.  The application Desktop shortcut disappeared.  The application still appears in the list of applications, which I assume is due to it still being cached locally.  It does not show the application icon used by the shortcut.

    I then re-added the permissions group and publishing refreshed.  The application shortcut comes back.

    I removed the user from the AD security group assigned to the application permissions.  I didn't log off and back on again and went straight to a publishing refresh.  The desktop application shortcut disappeared.  The application still appears in the list of applications.  The application listed still shows the application icon used by the shortcut.

    I added them back to the security group and the application shortcut came back.

    I then tried the same but this time logging off and back on again each time. All scenarios worked the same.

    Thank you all for your assistance.  


    • Edited by -Virtual- Monday, January 30, 2012 10:15 AM
    • Marked as answer by -Virtual- Monday, January 30, 2012 10:16 AM
    Monday, January 30, 2012 10:15 AM
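
The thread's checks (group membership as seen on the client, the RequireAuthorizationIfCached value, and whether the desktop shortcut is still present) can be collected in one pass from the affected user's session. The script below is an added example, not code posted by anyone in the thread. The group name, shortcut file name and the registry key that holds RequireAuthorizationIfCached are caller-supplied parameters, because the thread does not give them.

```powershell
# Added example: client-side check after revoking access to an App-V 4.x application.
# Run in the affected user's session. All parameter values come from the caller.
param(
    [Parameter(Mandatory=$true)][string]$GroupName,      # e.g. 'EXAMPLE\AppV-SampleApp' (constructed)
    [Parameter(Mandatory=$true)][string]$ShortcutName,   # e.g. 'SampleApp.lnk' (constructed)
    [Parameter(Mandatory=$true)][string]$ClientKeyPath   # registry key that holds RequireAuthorizationIfCached
)

function Test-GroupInToken([string]$Name) {
    # Walk the group SIDs carried in the current logon token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { continue }   # SID with no resolvable name
        if ($account -ieq $Name) { return $true }
    }
    return $false
}

function Get-RequireAuthorizationIfCached([string]$KeyPath) {
    # Returns $null when the key or the value is missing.
    $item = Get-ItemProperty -Path $KeyPath -Name RequireAuthorizationIfCached -ErrorAction SilentlyContinue
    if ($item) { return $item.RequireAuthorizationIfCached }
    return $null
}

$inGroup   = Test-GroupInToken $GroupName
$authValue = Get-RequireAuthorizationIfCached $ClientKeyPath
$shortcut  = Join-Path ([Environment]::GetFolderPath('Desktop')) $ShortcutName
$hasIcon   = Test-Path -LiteralPath $shortcut

$finding = if ($inGroup) {
    'Group is still in the logon token for this session.'
} elseif ($hasIcon) {
    'Group is gone but the shortcut remains: stale publishing state in the profile or cache.'
} else {
    'Group is gone and the shortcut is gone: revocation is visible on this client.'
}

# One record per run, suitable for Export-Csv when collected across RDSH hosts.
New-Object PSObject -Property @{
    GroupInToken                 = $inGroup
    RequireAuthorizationIfCached = $authValue
    DesktopShortcutPresent       = $hasIcon
    Finding                      = $finding
}
```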