App-V: GPUpdate to Get App to Stream Down to Client? RRS feed

  • Question

  • Hello, when a user in my organization needs access to a particular application, we add their domain ID to the relevant global security group.  I'm wondering if anyone has any info about how these permissions actually get applied?  I know they can log off and then back on to get the app to show up, but if they don't want to do that, is it necessary for them to run gpupdate /target:user before re-syncing with the publishing server?

    NOTE: This is for App-V 5.1

    • Edited by Nate.L Thursday, July 5, 2018 5:44 PM
    Thursday, July 5, 2018 3:25 PM

All replies

  • GPUPDATE wont work because this is applying policies rather than security permissions.

    Most systems which work with security permissions require the user token to be updated.  The easiest way is a logoff/on.

    Tuesday, July 10, 2018 10:22 AM
  • How do you publish App-V packages? Using SCCM or the full infrastructure? In our SCCM environment, ever since I believe SCCM 2012 applications (app model) would come down without having to log out, and back in but it took some time.

    In full infrastructure, you can set a key so that the pub server looks to AD instead of the user's token. See this link, the specific information is all the way at the bottom:


    Tuesday, July 10, 2018 8:01 PM
  • they permission( I think you are referring to the package entitlement) was applied via AppV server or SCCM depends on what you are using. if you are using AppV server, the permissions are created and applied when you publish the application from server.

    user re-login would trigger Sync-AppvPublishingServer, to pull all the configuration/permission settings from server and apply them on client.

    GPUpdate has nothing to do with this. if you do not want the user do logoff / login, just call the powershell command from client side:


    Wednesday, July 11, 2018 9:31 PM
  • Or even a lock / unlock
    Thursday, July 12, 2018 11:34 AM
  • The list of groups that the user (or machine) is a member of is established as part of the logon (or boot) process.  This, in essence is part of their Kerberos ticket.  So logon/logoff is the easiest method for user based publishing, and reboot for machine based.

    Technically, the ticket has a lifespan and will automatically get updated eventually, but the user will logon/off long before then.

    App-V MVP & CTP Fellow. Author of AppV books: PowerShell with App-V 5, The Application Book, & Window Caching (http://www.tmurgent.com/Books)

    Tuesday, July 17, 2018 7:21 PM