User-assigned GPSI apps and redirected User Shell Folders
Hi all,
Got a problem with our deployment, and wondered if anyone else has had to overcome this scenario?
Our image has User Shell Folders\AppData redirected from the default of C:\Documents and Settings\<username>\Application Data, to H:\<username>\Application Data. This approach has been in use for years and so much of the desktop image, applications, etc. use it happily.
This seems to cause us a problem with user-assigned applications through GPSI policies. We are not setting these applications to auto-install, so we can achieve the useful 'placeholder icon' in the Start Menu until a user decides they want that app, clicks on the the icon, it calls the MSI to install, and runs automatically.
This works fine on XP when the User Shell Folders have no redirection, however, with AppData redirected, the assignment fails:
Event Type: Error
Event Source: Application Management
Event ID: 101
User: NT AUTHORITY\SYSTEM
Description:
The assignment of application <appname> from policy <gpo policy> failed. The error was : Fatal error during installation.
Event Type: Error
Event Source: Userenv
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description:
The Group Policy client-side extension Application Management was passed flags (1) and returned a failure status code of (1603).
I've spent a long while looking at error 1603 (and 0x643 in userenv) to find its a very generic error code.
If I restore the User Shell Folders\AppData key back to the default (C:\Documents and Settings...) then the assignment is successful. Redirect it again to H: and it fails.
The key difference I can see is this...
Windows Installer and GP Application Management run on the local workstation under SYSTEM.
When you use the default AppData (C:\Documents and Settings...) the permissions on that user profile folders are workstation\Administrators, workstation\SYSTEM and domain\username.
The permissions for the network hosted home folder(H:\<username>\Application Data...) are domain\Administrators and domain\username. As this is hosted on a SAN, we are unable to add workstation\SYSTEM from the local workstation, so I presume (although I may be wrong!) that this is the underlying problem - and thus when Application Management and Windows Installer do anything, they do it under workstation\SYSTEM which fails as soon as it tries to do any read/writes to the redirected Application Data due to lack of permissions - I did test with everyone, authenticated users and domain computers on the network home folder, just in case but no joy.
Is this theory correct, and more importantly, is there anyway around it or is such behaviour fixed?
Ta in advance,
Steph
Got a problem with our deployment, and wondered if anyone else has had to overcome this scenario?
Our image has User Shell Folders\AppData redirected from the default of C:\Documents and Settings\<username>\Application Data, to H:\<username>\Application Data. This approach has been in use for years and so much of the desktop image, applications, etc. use it happily.
This seems to cause us a problem with user-assigned applications through GPSI policies. We are not setting these applications to auto-install, so we can achieve the useful 'placeholder icon' in the Start Menu until a user decides they want that app, clicks on the the icon, it calls the MSI to install, and runs automatically.
This works fine on XP when the User Shell Folders have no redirection, however, with AppData redirected, the assignment fails:
Event Type: Error
Event Source: Application Management
Event ID: 101
User: NT AUTHORITY\SYSTEM
Description:
The assignment of application <appname> from policy <gpo policy> failed. The error was : Fatal error during installation.
Event Source: Userenv
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description:
The Group Policy client-side extension Application Management was passed flags (1) and returned a failure status code of (1603).
I've spent a long while looking at error 1603 (and 0x643 in userenv) to find its a very generic error code.
If I restore the User Shell Folders\AppData key back to the default (C:\Documents and Settings...) then the assignment is successful. Redirect it again to H: and it fails.
The key difference I can see is this...
Windows Installer and GP Application Management run on the local workstation under SYSTEM.
When you use the default AppData (C:\Documents and Settings...) the permissions on that user profile folders are workstation\Administrators, workstation\SYSTEM and domain\username.
The permissions for the network hosted home folder(H:\<username>\Application Data...) are domain\Administrators and domain\username. As this is hosted on a SAN, we are unable to add workstation\SYSTEM from the local workstation, so I presume (although I may be wrong!) that this is the underlying problem - and thus when Application Management and Windows Installer do anything, they do it under workstation\SYSTEM which fails as soon as it tries to do any read/writes to the redirected Application Data due to lack of permissions - I did test with everyone, authenticated users and domain computers on the network home folder, just in case but no joy.
Is this theory correct, and more importantly, is there anyway around it or is such behaviour fixed?
Ta in advance,
Steph
0 Comments
[ + ] Show comments
Answers (1)
Please log in to answer
Posted by:
stephenejones
17 years ago
Just an update!
The SAN issue is a side one...
The problem appears to be the typical processing order of Windows - in than it processes group policy (inc. GPSI) before it handles the login scripts and network drive maps. Someone has suggested replacing the hardcoded redirects in the image with Group Policy Folder Redirection, as this will handle profile redirects such as Application Data prior to doing user-assigned application. Any one else using Group Policy Folder Redirection with user-assigned GPSI apps, and what are their thoughts on reliability, etc?
Steph
The SAN issue is a side one...
The problem appears to be the typical processing order of Windows - in than it processes group policy (inc. GPSI) before it handles the login scripts and network drive maps. Someone has suggested replacing the hardcoded redirects in the image with Group Policy Folder Redirection, as this will handle profile redirects such as Application Data prior to doing user-assigned application. Any one else using Group Policy Folder Redirection with user-assigned GPSI apps, and what are their thoughts on reliability, etc?
Steph
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.