Permissions in the PVAD and VFS with App-V 5.0


This post has moved here

Comments (26)

  1. Thamim Karim says:

    In that case, I cannot explain the behaviour you are seeing nor am I able to replicate it. Feel free to use the "Email Blog Author" button above if you would like to share the package with me to see if I can find anything.

  2. Thamim Karim says:

    Gautam, can you check you can replicate this with SP2 please. Arokiyaraj, 1. If you package is entirely VFS then non-admins won’t have access as described in this post. 2. Please can you upgrade to SP2 and check that this is still an issue please.

  3. Thamim Karim says:

    Hi Arokiyaraj, this is not a scenario I have tested and would need to be done on a package basis

  4. Thamim Karim says:

    Hi Dan, thanks for sharing your blog post, the team are aware that the ability to modify permissions in the VE is highly desired with App-V 5.0. Sequencing to the PVAD or specifying it as the place you would like to be writable is one technique you may employ, although this isn't ideal for apps that have multiple locations. App-V 5.0 is really just keeping the default security of the folders that are outside of the package root but I do agree this does not give us as much flexibility as we had in previous versions.

  5. Thamim Karim says:

    Hi Paul,

    Thanks for sharing!

  6. Thamim Karim says:

    The thing to understand is the article relates to permissions the user has when running the application not the ability for a user to directly go and modify those locations outside of the application running in the VE.

    There is no documented or supported way to directly change either location you have specified, the cache holds a static state and is not writable, state changes are described in more detail here: blogs.technet.com/…/app-v-5-0-os-integration-part-4-state-changes.aspx

    This article describes what state changes are permitted across VFS and PVAD for non-admin and admin.

  7. Anonymous says:

    VFS directory have two other directories i.e; ProgramFilesCommonX86 , windows .

    I didn't alter permission , we are working with default permission only.

  8. Dan Gough says:

    quote access = write access

    (damnyouautocorrect)

  9. Thamim Karim says:

    Ah okay great. Is the VFS directory a user profile based location? If not, have you changed the default permissions on the root of the place where the VFS folder resides?

  10. Thamim Karim says:

    Okay, further to our messages via email it looks like you have non-default permissions set on these directories as you can write to these places natively as a non-admin user. I'll explain what you are seeing in a post very soon.

  11. Thamim Karim says:

    First can you please clarify, in what context you are trying to make changes? Are you physically browsing to the cache location and trying to change files or are you running an App-V package that writes to these locations?

  12. Anonymous says:

    I installed the package and then launces shortcuts , then navigated File—>Open—> and reached to PVAD(root) and VFS location in VE and tried to create new folder in Root directory and in VFS directory as Admin and as Non Admin and in both cases , i was able to write.

  13. Thamim Karim says:

    Kevin, are you looking from within the bubble?

  14. Thamim Karim says:

    Gautam, can you check you can replicate this with SP2 please. Arokiyaraj, 1. If you package is entirely VFS then non-admins won’t have access as described in this post. 2. Please can you upgrade to SP2 and check that this is still an issue please.

  15. Anonymous says:

    Thank you for your response Thamim

    As per above mentioned contents "PVAD has write access to both admin and non-admin and the VFS only gives write access to admin."  but when i checked , i found that both admin and non-admin have write access to PVAD , VFS in "C:ProgramdataAPPV…………" on Client.

    Can you please let me know your thought on this?

  16. Dan Gough says:

    It's a shame that there's no way to open up these permissions – there will be plenty of badly written legacy applications that depend on quote access to certain locations.  With Windows Installer we could set permissions on install, with App-V 4 we could change permissions during sequencing and they would be captured, or we could disable security descriptors entirely… With App-V 5 it seems the only option we have is to use shims.  I hope that Microsoft take notice and provide a way to really alter permissions in a future update.  Until then, I have my own workaround!

    packageology.com/…/file-permissions-app-v-5

  17. gautam says:

    Whatever descibed above , I tried to implement the same as an admin and non-admin and found was not positive.

    Please let me know, whether we could write or not as an admin or user in C:ProgramDataApp-V71A57C9A-3E3F-4308-B8E1-3909096F02E6C549E4AE-DEF3-4BD1-83EB-59639F648F44Root and C:ProgramDataApp-V71A57C9A-3E3F-4308-B8E1-3909096F02E6C549E4AE-DEF3-4BD1-83EB-59639F648F44RootVFS

    or

    C:UsersABCDAppDataLocalMicrosoftAppVClientIntegration7532754F-9420-4D4E-B0F5-D55E94EB67EARoot and C:UsersGautamAppDataLocalMicrosoftAppVClientIntegration7532754F-9420-4D4E-B0F5-D55E94EB67EARootVFS

    Please give brief descriptions based on above directory structure.

  18. Kevin says:

    Hmmmm I am assigning my PVAD during sequencing as the install directory but when I deploy my app, users are presented with an error cannot find C:MyappMyapp (which I specified as the PVAD). When trying to browse to this location by typing it in manually (as I know it is hidden) it says that it doesn't exist. Am I missing something?

  19. paul says:

    Here is a solid solution for the C:ProgramData allowing write permissions for everyone Full. But I am unable to get write access to the C:UsersadminAppdataLocalMicrosoftAppVClientVFS"GUID"Common  Appdata, now that being said, once the application is launched I can go in and manually add permissions which has resolved the issue for me 100% of the time, but I cannot do that for every user, ugh. Need help on that one.

    Here is the cure C:ProgramData…. Permissions

    Within the DeploymentConfig.xml file locate the Machine scripts, take out the "Comments"  <!– and –> and the following lines.

    <MachineScripts>

     <AddPackage>

         <Path>cmd.exe</Path>

         <Arguments>

     /c %SYSTEMROOT%System32icacls.exe "[{AppVPackageRoot}]VFSCommon AppData" /grant Everyone:(OI)(CI)F

     </Arguments>

     <Wait RollbackOnError="true" Timeout="30"/>

     </AddPackage>

    </MachineScripts>

    Paul

  20. paul says:

    I meant add the following lines 🙂

    Paul

  21. Johan says:

    You can do that by running it as a userscript instead.

    then change acl by removing the folder and adding it again, then the security will be opened.

  22. Gautam6584 says:

    This is the error i am getting , when i am trying to load the dynamic configuration file(xml file) while publishing.
    DOM Error: Unknown HResult Error code: 0xc00ce224
    Reason: Het knooppunt is geldig of ongeldig, omdat er geen DTD/schemadeclaratie is gevonden.

    Error we gets in powershell GUI , invalid xml document.

    Please let me know , what can be done to successfull load the configuration file.

  23. Gautam6584 says:

    Hi Paul,

    The scripts you mentioned abve , i am not able to run successfully.It gives error , i.e; invalid xml documents.
    Moreover , Please see error i mentioned above.

  24. Arokiyaraj M says:

    Thamim — I have couple of questions to be answered.. 1. I have a 5.0 converted package where in after install the application is unable to write or modify files to its own folder and reporting as access denied. Is there any ways that it can be fixed.
    2. For some 5/0 converted applications, even DLL files are present inside the bubble where it was in 4.6 package but still upon shortcut launch it throws that file is missing, any reason for this and anyways to fix this.

  25. Arokiyaraj M says:

    Hi Thamim – Thank you so much for your suggestion. I do have a straight General question. So any applications which are converted from 4.6 to 5.0 will have VFS folder structure ?, If so NON-ADMINS will not have access to modify something on that manually.
    But Is this same applicable to the application it self to modify certain files during runtime on the Standard users environment. Thanks

  26. Arokiyaraj M says:

    Hi Thamim, Please can I get some on info on the above asked questions. Thanks.