/build/static/layout/Breadcrumb_cap_w.png

User-assigned GPSI apps and redirected User Shell Folders

Hi all,

Got a problem with our deployment, and wondered if anyone else has had to overcome this scenario?

Our image has User Shell Folders\AppData redirected from the default of C:\Documents and Settings\<username>\Application Data, to H:\<username>\Application Data. This approach has been in use for years and so much of the desktop image, applications, etc. use it happily.

This seems to cause us a problem with user-assigned applications through GPSI policies. We are not setting these applications to auto-install, so we can achieve the useful 'placeholder icon' in the Start Menu until a user decides they want that app, clicks on the the icon, it calls the MSI to install, and runs automatically.

This works fine on XP when the User Shell Folders have no redirection, however, with AppData redirected, the assignment fails:

Event Type: Error
Event Source: Application Management
Event ID: 101
User: NT AUTHORITY\SYSTEM
Description:
The assignment of application <appname> from policy <gpo policy> failed. The error was : Fatal error during installation.

Event Type: Error
Event Source: Userenv
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description:
The Group Policy client-side extension Application Management was passed flags (1) and returned a failure status code of (1603).

I've spent a long while looking at error 1603 (and 0x643 in userenv) to find its a very generic error code.

If I restore the User Shell Folders\AppData key back to the default (C:\Documents and Settings...) then the assignment is successful. Redirect it again to H: and it fails.

The key difference I can see is this...

Windows Installer and GP Application Management run on the local workstation under SYSTEM.

When you use the default AppData (C:\Documents and Settings...) the permissions on that user profile folders are workstation\Administrators, workstation\SYSTEM and domain\username.

The permissions for the network hosted home folder(H:\<username>\Application Data...) are domain\Administrators and domain\username. As this is hosted on a SAN, we are unable to add workstation\SYSTEM from the local workstation, so I presume (although I may be wrong!) that this is the underlying problem - and thus when Application Management and Windows Installer do anything, they do it under workstation\SYSTEM which fails as soon as it tries to do any read/writes to the redirected Application Data due to lack of permissions - I did test with everyone, authenticated users and domain computers on the network home folder, just in case but no joy.

Is this theory correct, and more importantly, is there anyway around it or is such behaviour fixed?

Ta in advance,
Steph

0 Comments   [ + ] Show comments

Answers (1)

Posted by: stephenejones 16 years ago
Senior Yellow Belt
0
Just an update!

The SAN issue is a side one...

The problem appears to be the typical processing order of Windows - in than it processes group policy (inc. GPSI) before it handles the login scripts and network drive maps. Someone has suggested replacing the hardcoded redirects in the image with Group Policy Folder Redirection, as this will handle profile redirects such as Application Data prior to doing user-assigned application. Any one else using Group Policy Folder Redirection with user-assigned GPSI apps, and what are their thoughts on reliability, etc?

Steph
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ