Files created in VFS by the user have read only permissions
Hello,
I am currently packaging an application : let's call it 'myapp'. This application is installed in c:\Program Files\myapp (quite classical).
To run properly, the application needs to have Write Access to c:\Program Files\myapp.
I am packaging the application with the APPV5 Sequencer SP3 and I checked the option "Allow virtual applications full write permissions to the virtual file system".
When running the application with APPV5 Client SP3, I see files being created in "C:\Users\%username%\AppData\Local\Microsoft\AppV\Client\VFS\<packageid>\ProgramFilesX64\myapp" and so everything seems to work correctly. The permissions on those files are set to Full Control for the user who has launched the application.
What I also did was create a 'RunVirtual' registry key in order to run Microsoft Word in the Virtualized Environment of 'myapp', and this works fine also: when I launch WORD, I can save a document in "C:\Program Files\myapp" and this document appears in "C:\Users\%username%\AppData\Local\Microsoft\AppV\Client\VFS\<packageid>\ProgramFilesX64\myapp".
The strange thing is that the permissions on this DOC file are not the same as the ones set on the other files in the same folder: in fact, the DOC file permissions are set to "Everyone, Read - Read and Execute" (with also permissions for the Trusted Installer, Administrators, etc...). So actually, the user who saved the file can never modify it afterwards. This should not be important because it is not a usual location to save a Word document, but actually the application itself automatically launches Word to perform some document automation tasks and saves temporary files in this location. So when this file has been created once, it can never be reused or deleted. This is causing trouble for the application.
Any idea to force the Full Control permissions on these files ?
Thanks in advance
Olivier
April 16th, 2015 7:44am

Interesting, I can say I've never seen that, likely due to the fact that, like you say yourself, it would be unusual to save something to that directory. Also, most applications these days no longer write to directories other than C:\ProgramData or the user's own profile.

I'm honestly not sure of a good way to force that in this situation, unless perhaps you have a UEM solution like AppSense. You could have a PowerShell script run through the package store and check permissions on the files and then set the permissions the way you want using something like iCacls, SecEdit, SetACL or maybe Get-ACL and Set-ACL in PowerShell... there are a few different methods for doing this; you could pick the one that suits you best.

If you don't have a UEM solution capable of this, maybe you could use some scripting in your App-V package itself: either on launch or perhaps on process exit, you could run a script to do this. It may be better on process exit as it may slow launch times... but it's also better for a script which may take quite a while to process like this to be run outside of any launch or exit, to be honest.

April 16th, 2015 3:08pm
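
The check-then-set approach suggested in the reply above, as an added example that is not code from any participant in this thread. It audits the per-user VFS folder with the built-in Get-Acl and repairs with icacls, so it needs no extra modules. The package ID and sub-path are placeholders, and it assumes it runs in the user's own session under an account that owns the files or otherwise holds the right to change their permissions.

```powershell
# Added example. -PackageId and -SubPath are placeholders for the real package values.
param(
    [Parameter(Mandatory)][string]$PackageId,
    [string]$SubPath = 'ProgramFilesX64\myapp',
    [switch]$Fix   # without -Fix the script only reports
)

$root = Join-Path $env:LOCALAPPDATA "Microsoft\AppV\Client\VFS\$PackageId\$SubPath"
if (-not (Test-Path -LiteralPath $root)) { throw "VFS folder not found: $root" }

# SIDs carried by the current token: the user plus its group memberships.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$need = [int][System.Security.AccessControl.FileSystemRights]::Modify

Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
    $file  = $_.FullName
    $acl   = Get-Acl -LiteralPath $file
    # Resolve every ACE to a SID so matching does not depend on localized names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allow = 0; $deny = 0
    foreach ($r in $rules) {
        if ($sids -notcontains $r.IdentityReference.Value) { continue }
        if ($r.AccessControlType -eq 'Deny') { $deny  = $deny  -bor [int]$r.FileSystemRights }
        else                                 { $allow = $allow -bor [int]$r.FileSystemRights }
    }
    # Approximation of effective access: allowed bits minus denied bits.
    $effective = $allow -band (-bnot $deny)
    if (($effective -band $need) -eq $need) { return }   # already modifiable, skip

    $row = [pscustomobject]@{ File = $file; Owner = $acl.Owner; Fixed = $false }
    if ($Fix) {
        # Grant Modify (enough to rewrite and delete) to this user only, by SID.
        & icacls.exe $file /grant "*$($id.User.Value):(M)" | Out-Null
        $row.Fixed = ($LASTEXITCODE -eq 0)
    }
    $row
}
```

Run it once without -Fix to list the affected files and their owners. A row that still shows Fixed = False after -Fix means the account could not rewrite that file's ACL.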

Hello,
After spending a lot of time, I decided to give up on APPV for this application and to install the application from a script launched at the startup of the server. I have tried several solutions, including a PowerShell script launched from the deployment.config file, but I encountered other problems with the "Import-Module NTFSSecurity" and "Import-Module AppvClient" in the PS script, probably because the script is launched with the System account.
Thanks for your help anyway
April 22nd, 2015 3:31am

This topic is archived. No further replies will be accepted.
