About Terminal Server, Citrix, Delphi and other stuff
In my previous post I explained how to get the recursive group membership with a very simple PowerShell script.
Commenter Michel thought that the script only tested one level deep but it doesn’t.
But let’s prove that!
Create 3 Global Groups in your Active Directory and name them Level1, 2 and 3:
Make Level3 a member of Level2, make Level2 a member of Level1 and finally add an account to the Level3 group:
Recently I needed to create an Unattended Install for an application that uses a piece of software (for scanning) called Kofax VRS.
This Kofax software comes with an .msi file but there was no documentation on the install options.
In fact it didn’t seem like the vendor had anticipated an unattended install.
I browsed in the msi file using Microsoft’s Orca tool and tried some of the properties I found in the public properties table.
In this post I will show an easy way to get the recursive group membership for the current user.
I use this in a logon script to handle certain tasks based on group membership.
Most scripts I see for this task do a manual recursive enumeration but in a large environment this could be very slow.
A better way would be to use the tokenGroups attribute of the Active Directory user object.
The tokenGroups attribute is an array of SIDs computed by Active Directory and is used to verify user access.
We need to translate these SIDs to their sAMAccountNames to get the actual group names.
In unmanaged code this could be accomplished by calling the DsCrackNames API or the IADsNameTranslate interface.
I got some interesting questions from a user today regarding TIFF images on a Windows 2003 based Citrix environment.
This user has an application that works with scanned documents, and for each document both a PDF and a TIFF version exist in the application.
By default the TIF (and TIFF) file extensions are linked to the Windows Picture and Fax Viewer in Windows 2003.
The user told me that some time ago she had an extra toolbar where she could perform some extra operations such as making a selection on TIFF images.
At some point in time this mysterious Toolbar disappeared and she was never able to get it back. She reported this to the helpdesk and the system administrator but they were unable to resolve this.
I hadn’t heard of this toolbar before but a Google search led me to this page, which explains the toolbar in question, called the Annotation Toolbar.
Another post on something that happened last week, this time it’s about a Java based Application again.
This particular application wanted to download three DLLs from the web server to the Java bin directory.
This presents us with several issues on a multi-user server such as a Citrix or Terminal Server:
I assumed that if I preinstalled the DLLs the application wouldn’t try to overwrite them but that didn’t work.
Then I monitored with Process Monitor if the Application wrote some kind of check file but at first I didn’t find anything.
So I decided to use the CorrectFilePaths shim to redirect the DLLs to the user’s home directory (see Using the CorrectFilePaths shim to redirect an ini file to a writable location for an explanation).
A few days ago I was packaging an application that was writing an INI file in the application directory.
If you have read my earlier article, Using the CorrectFilePaths shim to redirect an ini file to a writable location, then you will probably think: create a nice shim and redirect that ini file!
But this application had a few challenges, the first being that it writes %COMPUTERNAME%.INI. The application’s developer probably assumed that a user is bound to one PC and that no other users use that PC.
To solve it we need to catch all possible computer names (it would be nice if the CorrectFilePaths shim was able to accept wildcards and environment variables).
But it doesn’t so it means we have to add a parameter for each possible computer name. In my case that was doable because I have only 8 Citrix servers.
So I created a Fix using the Application Compatibility Manager as described in my previous post.
However it didn’t work, so I started to trace what happens.
I was writing a test program that will perform some actions when a USB Memory Stick is inserted.
When this happens Windows broadcasts a WM_DEVICECHANGE message.
The wParam member of this message contains a (pointer to a) DEV_BROADCAST_HDR structure.
If the dbch_devicetype member of this structure is of type DBT_DEVTYP_VOLUME then we can cast the structure to DEV_BROADCAST_VOLUME.
And finally the dbcv_unitmask member of that structure returns a Bitmask containing the Drive Letter.
A fast and convenient method to convert this Bitmask to a Drive Letter (the first found) is the function below:
Today I noticed that a recently added Application to the Citrix Test environment added a Macro to the Office Startup directory.
When a user launches Word he will get a popup because the Template (.dot file) was not signed:
It would have been a lot easier if application vendors signed their stuff because in that case I could have just added the certificate using Group Policy (yesterday’s post describes how to do this).
Application Vendors usually tell you that you should lower the Macro security in Office (or Word in this case) to Low to get rid of this message. But I think there’s a better solution: we will sign the .dot file ourselves!
Yesterday I created an unattended installation of a web application. Of course it was “just a web link” and the application vendor usually says: you don’t need to install it, just go to the URL and that’s it.
The reality is usually that you go to the URL and need to install several (ActiveX) components and maybe other dependencies such as Java.
While a user may have the permissions for this on his own pc, on a Citrix or Terminal Server environment this is highly unlikely.
So we need to package and pre-install this for the users.
Nothing special so far but this particular application had some special things that were interesting enough to blog about.
So let’s start with what happened: I visited the URL of an application called Centric Key 2 Financien.
First I got a few popups with Certificates that needed to be accepted:
The application’s instructions say that the user must accept this and set the “Always trust content from this publisher” checkbox.
I added some new Categories to the Blog, something I should have done a long time ago.
I also tried to add missing Categories to existing posts but I didn’t check all posts ever written so feel free to add a comment to this post if you miss a category or that a certain post is properly categorized.
The added Categories are: