Spoofed Profile fails to delete at Logoff

Version 1

    Verified Product Versions

    AppSense Environment Manager 10.0AppSense Environment Manager 8.6AppSense Environment Manager 8.5AppSense Environment Manager 8.4AppSense Environment Manager 8.2AppSense Environment Manager 8.1AppSense Environment Manager 8.3

    Introduction

    Environment Manager can be configured to spoof the profile state from one to another. The use case for this is allow more or less access to sensitive resources during certain times (such as logon and logoff) but also to get profiles cleaned up. You may find that configuring a registry action as below does not have the desired effect:

    Detail

    It has been found that this can be caused by faulty permissions on the C:\Windows\Temp folder. Environment Manager will store a session variable cache here by default to allow the variables to be persisted. Since $(UserSid) is a session variable, failure to create the cache in this location will also cause failure to get the correct registry path.

    The default permissions for the C:\Windows\Temp folder are as follows:

    BUILTIN\SYSTEM
    Access: Full Control
    Applies To: This folder, subfolders and files
    BUILTIN\CREATOR OWNER
    Access: Full Control
    Applies To: Subfolders and files only
    BUILTIN\Administrators
    Access: Full Control
    Applies to: This folder, subfolders and files
    LOCALMACHINENAME\Users
    Access: Special
    Applies To: This folder, subfolders and files
    Advanced Permissions: Traverse folder / execute file, Create files / write data, Create folders / append data.

    With the above default Windows permissions in place the handling of Environment Manager session variables should work as expected.

    TIP: If you have a business requirement to restrict permissions on C:\Windows\Temp and find that Environment Manager session variables don't work, consider changing the location that this store is saved into. You can do this by using the ValueStorePath engineering setting. You can find out more about this setting here: http://www.appsense.com/kb/160928095251122.