Category: RES Products

RES Workspace 2015 SR2 – What’s new?

By Max Ranzau

 

Hello everyone, here is a technically digested overview of some of the features in the new Service Release 2 of RES Workspace 2015. Fair warning: These notes were mostly created from the release notes in the pre-release, so there may be some nuggets which did not make it into this recap. Second, this is not an exhaustive list; it’s the items which I found the most interesting and/or useful in my work.

One important thing to keep in mind when doing the upgrade: If you have all agents connected via relay servers, you must reconfigure one of them to point directly to the datastore before doing the SR2 upgrade. I guess RES is probably reconfiguring the matrix changing the database schema. Then upgrade the relay servers and finally all the agents.

Office 2016 Support. This is one of the most anticipated features in my opinion. Not only does SR2 include new User Settings templates for the 2016 suite, but it also supports Outlook 2016 for Email Template configuration. Nothing more to say about it other than it seems to work as advertised, when taken for a spin around the block in the RESguru Skunkworks.

Windows 10 Support. This one you need to pay close attention to: While Workspace seems to work swimmingly on Windows 10 in regards to User Settings, configuration and security – which in my optics usually are the most important bits – there are some things to be aware of. One such thing is that newly created tiles do not take effect upon a session refresh: Users will need to log out and back in before these changes take effect. I personally view this as an issue, since we’ve been accustomed to shortcuts appearing at refresh since the early days of PowerMenu 2000. I know from my talks with the product teams they are hard at work to fix this. Workspace SR2 specifically supports the Win 10 build 10240 as of July 2015 and Win 10 v.1511 (OS Build 10586.29). Be sure to check your build/version first, by running the winver.exe command. RES tracks and supports Win 10 updates as of May 10, 2016 — KB3156421 (OS Build 10586.318) for Win 10 1511. See update history here. Finally, it’s worth mentioning there is a page in the Workspace SR2 release notes, titled “Microsoft Windows 10 known limitations”. It’s two pages long so I won’t rehash it here, yet do make sure you read and understand this thing before you throw yourself into a Windows 10 project.

Actions: New timing option ‘At application end’ for Execute Command. This is one of those things that have been sitting on the backlog for what feels like half a century. And let’s be honest; it’s one of the features which the goonies in green have been knocking RES for not having. Long story short, this allows you to fire off Sync jobs, cleanups and whatnot upon termination of an application. It goes almost without saying to use common sense on this feature. Any app which places itself in the system tray never really terminates.

Ability to specify account in console for SQL Windows authentication. I’ve always hated dealing with the combination of WM and Windows authentication with a vengeance. Mainly because it was cumbersome to make sure all the pieces line up. For example; before SR2 you had to make sure the account you were logged in with running the Windows console had database access. This has been fixed, so now you can just configure the SQL Windows credentials.

Advanced Settings: Bypass composer setting now also supports groups. While it was useful to be able to exclude certain people from being hit by workspace manager, such as admins, it was previously a hardcoded list inside the Workspace console. By now enumerating AD groups, this allows us to control it externally. For example, we can now build a Service to request temporary admin permissions or similar elevations; one could also build a service around this for admins to request Workspace manager to lower its shields for a bit.

CSV export of agents: Once you have searched for your agents, there’s now an icon in the Workspace toolbar to export a list of agents. I could see this being useful for several automated purposes. Now all we need is a command-line switch for pwrtech.exe to be able to unattend this export. If you are interested here are the headers for the export: Computer name,Run Workspace Composer,FQDN,Domain,Operating system version,Last console user,Agent version,AppGuard version,NetGuard version,RegGuard version,ImgGuard version,Laptop,XenApp version,Citrix Site,VDX Engine version,VDX Plugin version,Last contact,Synchronization status,Connection,Connects to,Relay Server discovery,Relay Server list,Relay Server name,WebGuard version.

Overall performance enhancements. SR2 has seen a boost on the performance side, in areas such as the DBcache, FileSync, Direct datastore connections, Relay Servers, authorized files / filehash imports and XenApp environments with more than 1000 published apps. Logging has been enhanced to truncate excessive repeating log entries. Essentially if something goes bump in the night more than once per minute for an hour, truncation happens. See the release notes for more info. Another item worth mentioning is that SR2 includes new kernel filter drivers, thus a reboot on all affected computers is necessary when installing SR2.

New product packaging: Besides the above technical enhancements, there are also some major changes on the product packaging and pricing side. I’ve covered these in a separate article.

New File Hash Monitor tool: Okay so I cheated a bit and gave the official corp blog a once-over after writing this article. I noticed something that wasn’t in the original, uhm prerelease-release notes: The File Hash Monitor tool. Allow me to fill in a few blanks. Essentially this is a separate download from the RES portal here, which allows you to pick up filehashes ahead of time. When you install it, you specify a scan interval, a target CSV file and some target folders where your executables are, for example C:\Program Files\. Much like the Relay Server, a configuration tool is installed alongside a service called RESFHM. The service will start generating the CSV file within a few moments after initial configuration. The resulting CSV file looks like this:

[Screenshot: File Hash Monitor CSV output]

Once you have your CSV file cooked and done, you can import it into Workspace by running the console executable like this: PWRTECH.EXE /IMPORTHASHES=<your_csv_file> [/CREATEIFNOTEXISTS]. See page 386 in the admin guide.

One rather cool thing which I think should be emphasized is that the ROFHMT (please tell me we’re not going to call it that ;) has the ability to scan executables inside container files such as MSI, CAB, RAR, ZIP, etc. (see screenshot above to the right). You can add your own extensions as well and customize what tool is used to decompress them. By default it’s set up to use the freeware 7Zip to handle these.

Commandline export of the Security log: Now it’s possible to pull out XML exports for some of the security logs. Use the console binary to run the export as: PWRTECH.EXE /EXPORTLOG /TYPE=<Logtype> /OUTPUT=<log filepath> /START=<startdate> /END=<enddate>. Currently for ‘logtype’ the following logs are supported:

Logtype value   Description
APPLICATION     Managed app security log
REMDISK         Removable disk security log
NETWORK         Network security log

Start and end dates are optional yet must be in YYYYMMDD or YYYYMMDDhhmmss format if specified. Also, make sure that the user you run the pwrtech.exe command line with has at least read permission in the administrative roles for the security subsystem whose log you want to export.

While it’s cool to be able to do these exports, there’s still an item left on my xmas wishlist: Will we ever be able to clear the logfiles from within the console? Doing the Workspace baseline security on a new installation, this is paramount and yet still the only way to do it is by either hacking the datastore directly or using Patrick’s excellent, yet unsupported Log Management Tool. Oh well, there’s always the next FR/SR to look forward to.

In conclusion: Overall SR2 is a solid update, well worth the subscription advantage. Besides the above enhancements and performance boosts, this update fixes 50+ issues and bugs. Good work! Read the final release notes here.

 

New RES product packaging, part 1 of 2

By Max Ranzau

 

From the Packaging&Shipping dept. Today some major changes were announced on the product packaging side. While it doesn’t affect the technical operations of the products (sorry, the unified license server is not there yet), it does have conceptual impact, which we all would do well to wrap our collective gray goo around. This is the first part of a two-phase announcement, the second one is coming out on May 24th next week during Synergy. Let’s run through the most important bits of the first announcement to understand what’s going on here. The headlines are as follows:

  1. WM and AM are merging into one product. This means that the current stand-alone product Automation is going to be part of Workspace. Again the consoles aren’t merging, this is just a licensing and naming change.
  2. Free RES Core for Workspace. This is essentially just the consoles plus basic functionality, like we’ve seen in the earlier Express versions of Workspace Manager and PowerFuse. For example Core has UserSettings, however only at the global level. If you want the per-app user settings, you will need the new Composition module. See item 4 below.
  3. No more metal versions. The old Bronze, Silver and Gold names have gone the way of the Dodo. This is a good thing, because it means you can now mix and match the editions without having to start out with the mandatory Bronze (configuration and user settings).
  4. Workspace will now have 4 modules:
    • Composition – Same as always (application based user settings, console configuration, app/shortcut management). This is what used to be in the old Bronze more or less.
    • Security – This includes the well-known managed app security, dynamic privileges/process elevation, network security, etc. One thing I didn’t see on the list was Read-only blanketing, however we’ll have to see if it’s still in there.
    • Governance – New name for the module formerly known as Advanced Administration. Contains administrative roles, usage tracking, auditing performance components and license management of managed apps.
    • Automation – This is essentially Automation manager lobbed into the mix as a WM module, where desktop licensing is inferred, however these are still licensed separately per desktop and I’ll have to presume that any needed servers in the mix are still being licensed differently than desktop. According to RES, Automation also comes with some (as of yet undefined) predefined building blocks.
  5. Pricing. The MSRP still holds at $€30 per named user for all modules, with the exception of the free Core. However, it still remains to be seen if RES will be offering a bundling discount if you purchase the whole Workspace product.

According to RES Marketing, these changes are scheduled to go into effect early July 2016. Finally as indicated above, this is the first of a two-part announcement, the second going official next week during Synergy in Las Vegas. However it goes without saying that Service Store was not mentioned above. I will also be investigating what the new Suite with everything will look like. Stay tuned!

 

Removing zombies from Service Store

By Max Ranzau

 

From the Hacking Dead dept. Service Store is a fine HR data processor and workflow engine, when you set it up to pull people and department data in from an authoritative data source. In a previous article I showed an example on how to do just that. However, when a person is marked as deleted in your datasource, IT Store doesn’t delete the user. They effectively are the living dead IT Store people, except in this case they won’t try to claim a license or your brains.

Update: This article was updated on May 8th 2016 with new and improved SQL.

Deleting a user in IT Store has always been a two-stage affair. Initially when IT Store marks a person for deletion it uses the opportunity to scan for any and all delivered services. One should not tinker with this. However, once mentioned services have been properly returned, the user is then marked as [Ready for deletion]. But that’s all she wrote. Nothing more happens.

Effectively this means over time an organization with thousands of annual onboarding/offboardings (think educational institutions for example) will have a pileup of undead un-deleted people in IT Store. Sure, they’re obscured from view until you check the “Include people marked for deletion”. Your only current option is to manually go Michonne on them in the console yourself. (Yes, I know – old screenshot, but it’s the same deal)

Update: There is also another problem with leaving people not deleted in the ServiceStore. If you need to re-use people identifiers, say when you delete someone, their email address can be re-registered. This is not the case if a person is not deleted manually from the store.

The design rationale is that since some HR systems don’t delete the employee when off-boarded, then neither should ITS. Here’s where I disagree. It makes sense for HR systems to keep a record of previous people for administrative reasons, but since ITS is the conduit into the rest of the IT infrastructure organization, there’s IMHO little point in keeping a record here once you’ve cleaned up everywhere else. After all, during off-boarding we’d probably be exporting the user’s mailbox and zip up his homedrive as we don’t want dead user remains floating around in the production environment.

At this stage there’s only one way to deal with this if you don’t want to manually flush users marked ready for deletion: Hack the IT Store database.

Like any other vendor, RES gets nervous ticks and reaches for their crossbow, when you start messing with the brraaaiiins grey matter of the datastores, thus the usual warnings apply: If you do this, you’re on your own. See the MOAD for details. Also, may I recommend you make a backup of the datastore and KNOW how to restore it.

That said, let’s look at the updated hack. It consists of 3 consecutive SQL delete queries. The first version of this database hack only deleted the person, but since people attributes and identifiers are stored in separate tables, they would be orphaned if you don’t clean them out before deleting the person. Presuming your datastore is running MSSQL, the new and improved update SQL looks like this:

-- delete all people identifiers associated with this person
DELETE 
   FROM [$[in.db.its.name]].[dbo].[OR_PeopleIdentifiers]
      FROM [$[in.db.its.name]].[dbo].[OR_PeopleIdentifiers] AS ppli 
      INNER JOIN [$[in.db.its.name]].[dbo].[OR_Objects] AS pers 
         ON ppli.PersonGuid = pers.Guid
    WHERE pers.Type = 1 and pers.RecordStatus = 2;

-- delete all people attributes associated with this person
DELETE 
   FROM [$[in.db.its.name]].[dbo].[OR_PeopleAttributes]
      FROM [$[in.db.its.name]].[dbo].[OR_PeopleAttributes] AS ppla 
      INNER JOIN [$[in.db.its.name]].[dbo].[OR_Objects] AS pers 
         ON ppla.PersonGuid = pers.Guid
   WHERE pers.Type = 1 and pers.RecordStatus = 2;

-- delete the person
DELETE FROM [$[in.db.its.name]].[dbo].[OR_Objects]
	WHERE [$[in.db.its.name]].[dbo].[OR_Objects].Type = 1 and 
             [$[in.db.its.name]].[dbo].[OR_Objects].RecordStatus = 2;

The $[in.db.its.name] above is an Automation Manager module parameter, containing the name of the ITS database. Running this update query will be the same as manually deleting all the users marked [Ready for deletion]. One SNAFU back from IT Store 2014 was that the people would not be removed from the ITS console before you exit and re-launch it. My guess is that the records are cached in RAM and are only updated when the old IT Store was doing its own operations. This is however not the case with ServiceStore 2015, as the affected people are removed immediately.

Putting this into Automation Manager, I came across a minor problem with the SQL statement execute task in Automation Manager. It looks like as of SR3 (7.0.3.0) the password field can’t be properly parameterized. Sure, you can right-click on the password field and insert a parameter, but next time you go back and edit the module, the password stops working. Until RES fixes this and puts in a proper credential-type field, you’re better off hardcoding the password.

If you’re still up for it, try out this buildingblock in your lab:

Note1: Buildingblock has NOT been updated with the new SQL statement above, you’ll need to paste that in yourself.

Note2: If you suspect you might already have orphaned people attributes or people identifiers in your datastore you can check with these two statements:

-- test if we have any orphaned people attributes
select * from your_storedb.dbo.OR_PeopleAttributes
WHERE NOT EXISTS(SELECT NULL
                    FROM your_storedb.dbo.OR_Objects obj
                   WHERE obj.Guid = PersonGuid  )


-- test if we have any orphaned people identifiers
select * from your_storedb.dbo.OR_PeopleIdentifiers
WHERE NOT EXISTS(SELECT NULL
                    FROM your_storedb.dbo.OR_Objects obj
                   WHERE obj.Guid = PersonGuid  )

If both queries above come back with zero rows, you’re fine. Otherwise, you’ve got orphans. You can wipe them out like another Scrooge by running these two deletes:

-- delete orphaned people attributes
-- (the subquery must reference the same database as the delete target)
delete from your_storedb.dbo.OR_PeopleAttributes
where not exists (
    select NULL 
    from your_storedb.dbo.OR_Objects obj
    where obj.Guid = PersonGuid
);

-- delete orphaned people identifiers
delete from your_storedb.dbo.OR_PeopleIdentifiers
where not exists (
    select NULL 
    from your_storedb.dbo.OR_Objects obj
    where obj.Guid = PersonGuid
);
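
A more defensive way to run the three-step cleanup and the Note2 orphan checks described above, as an added example (not from the original article or from RES): it snapshots the people marked [Ready for deletion], runs the deletes in one transaction, and rolls back unless every check passes. The table and column names are the ones used on this page; your_storedb is the page's placeholder, and @commit and #zombies are names made up for this example.

```sql
-- Added example, not RES-supplied code. Replace your_storedb with the name of
-- your Service Store database. @commit and #zombies are hypothetical names.
USE your_storedb;
SET NOCOUNT ON;
SET XACT_ABORT ON;          -- any runtime error rolls back the whole transaction

DECLARE @commit bit = 0;    -- 0 = dry run (always roll back), 1 = commit if checks pass
DECLARE @expected int, @people int, @ids int, @attrs int,
        @orphans_before int, @orphans_after int;

-- Snapshot the people marked [Ready for deletion] (Type = 1, RecordStatus = 2)
-- so all three deletes work on exactly the same set of GUIDs.
IF OBJECT_ID('tempdb..#zombies') IS NOT NULL DROP TABLE #zombies;
SELECT [Guid] INTO #zombies
FROM dbo.OR_Objects
WHERE [Type] = 1 AND RecordStatus = 2;
SET @expected = @@ROWCOUNT;

BEGIN TRANSACTION;

-- Orphaned child rows that already exist before anything is touched
SELECT @orphans_before =
    (SELECT COUNT(*) FROM dbo.OR_PeopleAttributes AS a
      WHERE NOT EXISTS (SELECT 1 FROM dbo.OR_Objects AS o WHERE o.[Guid] = a.PersonGuid))
  + (SELECT COUNT(*) FROM dbo.OR_PeopleIdentifiers AS i
      WHERE NOT EXISTS (SELECT 1 FROM dbo.OR_Objects AS o WHERE o.[Guid] = i.PersonGuid));

-- Child rows first, then the person rows themselves
DELETE ppli FROM dbo.OR_PeopleIdentifiers AS ppli
    INNER JOIN #zombies AS z ON ppli.PersonGuid = z.[Guid];
SET @ids = @@ROWCOUNT;

DELETE ppla FROM dbo.OR_PeopleAttributes AS ppla
    INNER JOIN #zombies AS z ON ppla.PersonGuid = z.[Guid];
SET @attrs = @@ROWCOUNT;

DELETE obj FROM dbo.OR_Objects AS obj
    INNER JOIN #zombies AS z ON obj.[Guid] = z.[Guid]
WHERE obj.[Type] = 1 AND obj.RecordStatus = 2;   -- re-check status at delete time
SET @people = @@ROWCOUNT;

-- Same orphan count again: the cleanup must not leave new orphans behind
SELECT @orphans_after =
    (SELECT COUNT(*) FROM dbo.OR_PeopleAttributes AS a
      WHERE NOT EXISTS (SELECT 1 FROM dbo.OR_Objects AS o WHERE o.[Guid] = a.PersonGuid))
  + (SELECT COUNT(*) FROM dbo.OR_PeopleIdentifiers AS i
      WHERE NOT EXISTS (SELECT 1 FROM dbo.OR_Objects AS o WHERE o.[Guid] = i.PersonGuid));

-- Report what happened (or would have happened in a dry run)
SELECT @expected       AS people_ready_for_deletion,
       @people         AS people_deleted,
       @ids            AS identifiers_deleted,
       @attrs          AS attributes_deleted,
       @orphans_before AS orphans_before,
       @orphans_after  AS orphans_after;

-- Commit only when asked to, when every snapshotted person was removed,
-- and when the orphan count did not grow. Anything else is rolled back.
IF @commit = 1 AND @people = @expected AND @orphans_after <= @orphans_before
    COMMIT TRANSACTION;
ELSE
    ROLLBACK TRANSACTION;

DROP TABLE #zombies;
```

A non-zero orphans_before means the datastore already carries orphaned attributes or identifiers; this script leaves those alone, so they still need the two orphan deletes above.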

 

Bug alert: The Zombification Attribute

By Max Ranzau

 

From The Brrrraaaains Dept. Although the title might sound like a weird crossover episode between Big Bang Theory and The Walking Dead, I had a super scary experience with Service Store this week. All of a sudden people attributes had disappeared from a client development environment and everyone was biting their nails that the problem would propagate into production. Even the built-in People Attributes; Security Questions and Answers, had disappeared from all users when you went to their Attributes tab. What was even worse; services were failing left and right – specifically those which used any reference to #Subscriber(personattribute) or #Requester(personattribute). Looking directly into the OR_PeopleAttributes table, via SQL Studio I could see my attributes were still intact, alas something was making the ServiceStore act all gnarly and puke dayglo, while everything else seemed to work normally.

At this time of writing, I have only experienced this problem with the latest ServiceStore 2015 FR2, Update 2 AKA (8.2.2.0). I do not know if earlier versions of Service/IT store are affected. And yes, this has been reported to the Merry Men of RES Support. You’ll probably notice a new KB article over the next few days until engineering devises a fix for this.


I’ll spare you the long trials and tribulations I went through to nail this bug down over the course of a night, with only a pot of coffee and Radio Paradise for company. Let’s cut to the chase:

The problem is specifically with certain People Attributes you may define: It would appear if you define a Person Attribute of the TABLE type, with more than 6 columns defined, the problem will manifest itself at some point and your people attributes will be zombified. What specifically triggers it, is not exactly clear, however I suspect it would be when a WFA (WorkFlow Action) references the attribute. I was able to manually trigger it in a new clean database by importing a buildingblock containing the offending attribute and a dummy service.

The good news is that until the software engineers fix the problem, it is relatively easy to get rid of: Go and either delete the table Person Attribute from your Data Model, or edit it down to 6 columns or less. The moment column #7 is deleted and the table definition saved, all the hidden people attributes would re-appear.

So, now we know what we’re dealing with, allow me a moment to spin my thoughts on this: The table objects were originally created to cater for MDM, like registering something a user might have more than one of, such as mobile devices, tablets etc. Typically 4-5 fields were used for Device type, Model, Carrier, Phone#, etc, thus I can only muse that more than 6 columns might never have been attempted during testing – that is until your friendly neighborhood blogging-bull came charging through the china store and created a table attribute with 14 columns.

This concludes the alert/early warning. As mentioned, RES have already been notified, so hopefully this article will be obsolete soon.

 

Setting up a WM console on a jumpbox

By Max Ranzau

 

From the Multiple Hoops dept. The other day I was tasked with setting up a Workspace Manager console on a jumpbox. You know, the typical setup for a client where you VPN into a non-domainmember computer, from where you RDS to the different servers you need to access. The wish is to have the RES WM console running on this box so you don’t have to do Inception-RDS to make a few changes in WM, thus preserving screen real estate. Note: this will of course only work if your jumpbox is allowed to hit the database directly. If the jumpbox is firewalled to the hilt and only allows outbound RDS connections, stop reading right here.

Presuming you’re still with us, you might already have installed the WM console on your jumpbox and connected it to the relay server. When you launch it, you’ll get kicked right back out as the console looks for your local computername\username in the datastore and obviously it’s not there yet, so let’s add it:

The above sounds simple enough, but it appears there’s a few steps to go through, which incidentally left me wondering if there was an easier way to do it. I mean, under applications you can add users manually, but no such luck on Admin roles… (hint hint, nudge nudge dear product management ;)

  1. Assuming you already have WM running on one or more domain-enabled computers, go to one of these. Presuming it’s a Server 2012[R2], launch the Server Manager, go to the Tools menu and Computer Management.
  2. Go to System Tools | Local Users | Users and add a local user. The User name and password must be the same as for the jumpbox local user. This account is temporary and can be nuked at the end of the story.
  3. Now launch the WM console and go to User Context | Directory Services and choose New from the toolbar.
  4. In the dialog, choose Local Computer from the Type dropdown and hit Ok. No further changes are necessary. WM now understands that local computer accounts can be used for access control, which also applies to Administrative Roles.
  5. Go to Administration | Administrative Roles | <your security role> | Access Control tab | Add button | Users/group
  6. From the Directory Service dropdown, choose Local Computer, then search and select your username, which you added in step 2. Be sure the “Limit to this computer only (COMPUTERNAME)”-checkbox is NOT checked.
  7. If you did the above right, your account will be listed as .\username when you return to the previous dialog
  8. Now it’s time to return to your jumpbox and launch the WM console there. Since your username is now in the WM database it will let you. In practice you could stop here, however this would leave the jumpbox username able to launch the WM console from every computer. Let’s just add an ounce more of prevention by locking in the computername too:
  9. On the jumpbox’s WM console, go to Administration | Administrative Roles | <your security role> | Access Control tab
  10. Select your “.\username” and edit it. Repeat step 6, except this time make sure to check the “Limit to this computer only (COMPUTERNAME)”-checkbox. When you return to the previous dialog, you’ll note that your account is listed correctly as your jumpboxcomputername\username
  11. As the last loose end to tie up, go back to the domain member computer where you created the temporary local user account and delete it.

 

Authorizing in WM – How it SHOULD work

By Max Ranzau

 

From the My-Two-Cents Dept. Working with RES Workspace Manager for about 1½ decade, I’ve been witness to many improvements. While the product gets better with each release, regardless of vendor it’s not always flowers and chocolate. By now, most seasoned Workspace Engineers familiar with the product, know the difference between learning mode and blocking mode on the security subsystems. Dialing in the security for a new client/customer always takes a bit of time, as you’ll have to deal with the security baseline – and then authorizing the things that are unique for said customer environment. The work I always seem to find myself spending time on is hopping back and forth between Authorized Files and either the Managed Application node or the Read-Only Blanketing node.

The issue at hand is this; every time that one has dealt with a log entry by right-clicking on it, said log entries will still be in the log. It makes it a challenge to maintain an overview of what’s been dealt with and what hasn’t – especially if you are using wildcard rules to kill multiple log entries with one stone. It would be wonderful if this process could be managed better. I’ve gone through the necessary steps in a previous article here. To optimize this work, below are a few ideas off the top of my head how this ideally should work:

  • The security logs should be reworked to show a “Processed” or “Authorized” flag. Think of it like the little red flag you can set on your emails and tasks in Outlook.
  • When authorizing a specific log entry, there should be check boxes in the authorization dialog box to “Mark affected log entries as authorized” and/or a “Delete affected entries in log file”. Workspace Manager can already filter views with the Attention flag etc. in Workspace Analysis, so it should be familiar territory, development wise.
  • In the Authorized file node there should be similar options to process all current log files through active authorizations so it becomes evident which things you haven’t dealt with yet.
  • Finally, it would be stellar to incorporate Patrick Grinsven’s excellent work on the DBlogCleaner tool (which is out in a new version, stay tuned)

Now, before some well-meaning person asks why I don’t put these ideas into UserVoice for voting etc, I will offer my thanks for the consideration, yet I am perfectly happy passing that baton with the associated credit to someone else. In other words, feel free to co-opt these ideas and make them your own.

 

Keeping Virtual Sandboxes under control

By Rob Aarts and Max Ranzau

Rob: After using VMware Thinapp in several projects I wanted to share some best practices. The first one is about a common mistake I see made on a regular basis. Applications with several entry points for executables are presented using Workspace Manager, using multiple managed applications. So far so good.

The problem arises when all entry points (from the same Thinapp capture) have their own Zero Profile setting pointing to the same Sandbox location. Are you still with me here? Let’s have a look at the example below:

[Screenshot]

Here’s a working example:

  • When a user launches Application 1, Zero Profile settings are loaded and written to the sandbox.
  • The user then launches Application 2 and Zero Profile settings are loaded and writes to the same sandbox location.

What is likely to happen is that settings for Application 1 become corrupted, because its settings are being changed by another process while it’s running. I personally have seen some strange behavior from apps, which absolutely don’t like this messing around with their appdata behind the scenes. It doesn’t take a degree in rocket science to imagine what may happen when Application 3 is launched. It will just increase the likelihood of corruption.

The solution to avoid this mess is simple and was covered previously, although for natively installed applications only: Have a look at Max’s article RG056 in the tech library. Setting up a placeholder application as described in the article will allow you to configure individual apps to save the sandbox and direct the Zero Profile from Application 1, 2 and 3 to this placeholder app:

[Screenshot]

Max: Once you have this set-up, the next challenge is to make sure your User-Settings capture configurations are not overlapping. As of WM SR3 there is a setting for global User settings to grab a setting exclusively. This means that if say 3 different global user settings grab the same registry value you can check one of them as exclusive and only that UserSetting will store it. Unfortunately this approach doesn’t work well for Managed Application based user-settings, as the capture-exclusive feature isn’t available there (yet?). Anyhow, there is a workaround for this. Let’s say you start with creating a suite-settings placeholder app, like described above for Office:

  1. You create a new managed app
  2. Under user settings, you add all the capture templates for Word, Excel, Powerpoint etc. and you have a nice list like shown below
  3. Then everything is cool and ready to rumble, right?

[Screenshot]

Unfortunately that’s not quite the case, as the templates are likely to overlap. This is not the fault of the template designers, but a consequence of each template needing to be able to stand alone. This means we have a bit of cleaning up to do, but it’s quite easy. When you are on the User Settings|Capturing tab of the SuiteSettings app as shown above, do the following:

  1. Click the Show details checkbox at the bottom of the dialog box
  2. Now click on the data column header to sort on files and registry entries being captured
  3. Look for identical rows (highlight)

[Screenshot]

Note the line for the ‘Microsoft InfoPath Designer 2010’, which I have highlighted and disabled. I disabled it because that particular User Setting was already captured by the template called ‘Microsoft Infopath Filler 2010’ and as you may recall from our discussion above, we do not have the option to capture exclusively on Managed apps.

You disable an item by double-clicking on it. Don’t fall for the temptation of removing the checkbox you immediately see, as that will disable the entire template, in which you are only interested in disabling a certain file/reg grab. Instead go to the Capturing tab, then select the offending/duplicate entry, double click again and THEN remove the Enabled checkbox you see. Sequence shown below:

[Screenshot]

You can of course also delete the duplicate entries to tidy things up. In this case I kept them around for illustrative purposes. One thing I’d like to make you aware of: First, go to the global User Settings node, and at the bottom check both ‘Show details’ and ‘Show all User Settings’:

[Screenshot]

Notice that once you link up multiple applications to the same suite app, you will see multiple entries of the same user-setting. This is not a bug or an indication that something unnecessary is being captured. For example, look at the example above where about half way down you see about 7 references to %APPDATA%\Microsoft\Access and both Word, Excel etc are pointing to it. This does NOT mean the Word and Excel templates had duplicate entries. It’s simply because the combination of the two checkmarks shows the canonical list of all combinations of apps and user settings, thus the repeats. In short: They’re mostly harmless. Don’t panic!

We hope with this little away-mission into advanced WM User Settings management to have given you some new thoughts on how to both wrangle virtual applications as well as suite settings for multiple apps.

Rob & Max

 

Migrating from a broken UEM product, part 1

From the REScue 911 Dept. Recently I was involved in a client project where they had a problem. And it was a big problem: Effectively they were using another profile management product which was malfunctioning. I’d prefer not to give the game away by naming the vendor. Not that I have any problem with verbally beating vendors over the head when they deserve it – this is out of courtesy to the client.

Suffice to say, the product in question employed by my client was practically holding the user’s profile settings hostage. Allow me to clarify: If your current UEM tool redirects a write to a proprietary format, you are putting all the user’s profile data into a basket you have no or little control over. Meaning: If you switch said UEM tool off, then all your user’s settings are stuck in said basket. The following article puts you on a path out of this situation.

<<< Click here to read the article

 

Seamless switch from Policies to WM

From the The-GPO-has-you Dept. Recently, one of my clients was facing an interesting issue: They wanted to do a seamless switchover from a currently Windows GPO-managed environment to a RES Workspace Manager environment. Essentially the job was to devise a method to make one system let go and have the other one take over at the same time. This example was built on a 2012R2 AD with a Win7 front-end.

This method revolves around using a simple AD group that serves a dual purpose. 1) When a user is put in the group, specified policies are denied and 2) Workspace Manager takes effect. The nice part of this approach is that it is fully reversible, just by removing the user from the group.

<<< Click here to read the article

Setting up a Lab HR system for IT Store

From the Lab Essentials Dept. This article is to show you how you can stand up your very own open-source HR system and hook it up with RES IT Store. One of the things you may often hear about in regards to RES IT Store, is the ability to do employee on/offboarding. If you want to test this out for real, you probably won’t get access to a live HR system in production, thus I wrote this article.

<<< Click here to read the article