Modified Service Permissions causing Logoff actions to fail and Personalization not to sync

Version 1

    Verified Product Versions

    AppSense Environment Manager 8.6AppSense Environment Manager 8.5AppSense Environment Manager 8.4AppSense Environment Manager 8.2AppSense Environment Manager 8.1AppSense Environment Manager 8.3AppSense Environment Manager 8.0

    Introduction

    When a user logs off, processes are spawned to carry out the following actions:

    • Environment Manager logoff policy actions
    • Windows Settings Groups personalization sync to database
    • Sync of any open applications at logoff

    If the process is not able to carry out a query on the EmCoreService, the above may fail.

    Detail

    During a user logoff a process is spawned which queries to ensure that the EmCoreService (AppSense User Virtualization Manager) is running on the system and this process runs as the Interactively Logged-On User. If security templates have modified the permissions on this service, you may see the following log lines in Environement Manager logs:

     

     

    L4 T14236 475984150 [IsEmCoreServiceRunning] [ENTER]
    L1 T14236 475984150 [IsEmCoreServiceRunning] Failed to open the service : 5
    L3 T14236 475984150 [IsEmCoreServiceRunning] Service is not running
    L4 T14236 475984150 [IsEmCoreServiceRunning] [EXIT]
     

    The error code '5' represents 'Access is Denied' and this points to the Interactively Logged-On Users being unable to query the status of the service and this is generally down to security templates being placed on th affected endpoints.

     

    Windows has no in-built GUI tool for checking or modifying the permissions however you are able to use the command-line tool SC. Information on SC can be found here. The following command will provide an output of currently configured permissions:

     

     

    SC SDShow "AppSense EmCoreService"
     

    The below image displays the default permissions:

     

     

    Alternatively, the service permissions can be seen in a GUI by running Process Explorer from SysInternals. As long as this is run as an elevated user, permissions on the service can be found by selecting EmCoreService.exe-->Services-->Permissions. Below is an image of the default permissions:

     

     

     

     

    Process Explorer will allow you to configure these permissions directly through the GUI however you are also able to use the command-line process SC to carry out these modifications. Once configured as per the above image, you should find that your logoff logs contain the following:

     

     

    L4  T9172 670885606 [IsEmCoreServiceRunning] [ENTER]

    L3  T9172 670885606 [IsEmCoreServiceRunning] Service is running

    L4  T9172 670885606 [IsEmCoreServiceRunning] [EXIT]
     

    At this point, you should be seeing your Windows Settings data sync and your logoff actions to complete as expected.