admintube
… time to reveal
How to use usrlogon.cmd on a 64-Bit System as Logonscript
by Stefan Bärthel on November 24, 2010
Posted in: Citrix XenApp 6
Today I faced a funny problem while implementing my logonscript for the terminal server. Normally I replace
the default usrlogon.cmd script which resides in C:\Windows\System32. What I soon had to realize is
that Citrix still uses 32-Bit programs in the background.
One example I had to learn the hard way is that the Citrix-provided ctxhide.exe program is still compiled as
a 32-Bit program. As we already know, there is a file system redirection in place which tells 32-Bit programs to
find their “SYSTEM32” under C:\Windows\SysWOW64.
ctxhide.exe will use SysWOW64!
So, if you are running XenApp 6 on Windows 2008 R2 (64-Bit), the following path is used to execute the
usrlogon.cmd script:
C:\Windows\SysWOW64\usrlogon.cmd
This may become important if you are migrating to a 64-Bit platform, as I am.
How to replace the standard usrlogon.cmd script?
Before I was able to replace the usrlogon.cmd script, I needed to take ownership of the file. Otherwise
access will be denied by the system.
1) I used the following SetAcl command to set the owner of the file to the local Administrators group:
setacl -on "C:\Windows\SysWOW64\usrlogon.cmd" -ot file -actn setowner -ownr "n:S-1-5-32-544;s:y"
2) Then I gave System and the local Administrators group full access, and local Users read and execute
permission:
setacl -on "C:\Windows\SysWOW64\usrlogon.cmd" -ot file -actn rstchldrn -rst "dacl,sacl" -actn setprot -op "dacl:p_nc" -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -actn ace -ace "n:S-1-5-18;s:y;p:full" -actn ace -ace "n:$group;s:n;p:$Permission" -actn clear -clr "dacl,sacl"
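A read-only check of the result of the two steps above, as an added example that is not part of the original post: it reports the owner and any allow ACE that lets a principal other than SYSTEM, Administrators or TrustedInstaller change either copy of usrlogon.cmd. The list of trusted SIDs and the set of rights treated as write access are assumptions of this example.

```powershell
# Added example: audit owner and DACL of both usrlogon.cmd copies (read-only).
# PROCESSOR_ARCHITEW6432 is only set inside a 32-bit process on 64-bit Windows;
# such a process must use 'Sysnative' to reach the real System32.
$native = if ($env:PROCESSOR_ARCHITEW6432) { 'Sysnative' } else { 'System32' }
$targets = @(
    (Join-Path $env:windir "$native\usrlogon.cmd"),   # seen by 64-bit processes
    (Join-Path $env:windir 'SysWOW64\usrlogon.cmd')   # seen by 32-bit processes (ctxhide.exe)
)

# Assumption: principals allowed to modify the script.
# SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller (default owner of system files)
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Assumption: rights that allow changing the file content or its security descriptor,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor
             0x40000000 -bor 0x10000000
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($path in $targets) {
    if (-not (Test-Path -Path $path)) { Write-Output "MISSING  $path"; continue }

    $acl      = Get-Acl -Path $path
    $findings = @()

    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        $findings += "owner $owner is not an administrative principal"
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        $canWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $trusted -notcontains $sid) {
            $findings += "$sid may modify the script ($($ace.FileSystemRights))"
        }
    }

    if ($findings.Count -gt 0) {
        $findings | ForEach-Object { Write-Output "FINDING  ${path}: $_" }
    } else {
        Write-Output "OK       $path"
    }
}
```

Checking both paths matters because the copy under System32 is untouched by the SetAcl commands above, which act only on the SysWOW64 copy.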
By the way: There is an old Citrix knowledgebase article which already describes this behaviour.
Additional Information
http://support.citrix.com/article/CTX108901 (Usrlogon.cmd Does Not Execute on Presentation Server for Windows x64)
Tags: 64-Bit • citrix
{ 4 comments… read them below or add one }
Frank February 3, 2011 at 14:20
Hello Stefan,
Shouldn’t you use the default Citrix policy groups to manage your XenApp 6 servers? Isn’t there a
problem with the usrlogon.cmd and the User Account Control (UAC)?
Best Regards
Frank
Stefan Bärthel February 3, 2011 at 21:07
Hi Frank,
Thanks for your comment. What do you mean by “Citrix Policy Groups”? I am not sure if I
understand correctly (maybe a feature I do not know?). Can I run logon scripts using this
method?
Regarding the UAC feature: I have to admit that I don’t like the UAC feature and I disable it
completely by Windows group policies. So far I do not have any problems operating the
usrlogon.cmd this way.
Brian June 14, 2011 at 21:33
Stefan:
I feel a disturbance in the Force. It bothers me that you have turned off UAC. Just
because you don’t like a feature doesn’t mean it isn’t good. Are you sure you’re not
turning it off out of laziness? I don’t mean that as an insult. I just want you to consider that
the best road is very often the bumpy one. I hate UAC as well. It makes my admin duties
on clients that much harder. However, I equally express my thanks for that mechanism as
it ends up saving us TONS of time in keeping “morons” and the bad guys at bay.
To answer your Citrix Policy Groups question. With XenApp 6, you now employ Citrix
policies with the same mechanism as Windows group policies. When you change or
modify policies, you actually have to go to the command line and do a “gpupdate /force”
to apply them (or wait for the built-in gpupdate refresh cycle). That said, we found the
Citrix Policies don’t always apply as they should and this is disturbing to me and my
colleagues. …brian
Stefan Bärthel June 18, 2011 at 22:46
Hi Brian,
Hehe, I just recognized how much habits during daily work are formed by laziness.
Sometimes I see myself doing workarounds (even if they take longer), because I
am too lazy to fix it …habits!
I agree with you to have the UAC turned on on clients, but on a server I still prefer to
act as an administrator when I use an admin account. I don’t need the OS to
remind me that I am doing admin tasks, which was the purpose of logging in with an
admin account.
To be honest, I like the fact that this is configurable… something I miss on Apple
products sometimes.