admintube

… time to reveal

Home

Subscribe

How to use usrlogon.cmd on a 64-Bit System as

Logonscript

by Stefan Bärthel on November 24, 2010

Posted in: Citrix XenApp 6

Today I faced a funny problem while implementing my logonscript for the terminal server. Normally I replace

the default usrlogon.cmd script which resides in C:\Windows\System32 What I needed to realize soon is

that citrix still uses 32-Bit programs in the background.

One example I had to learn the hard way is that the Citrix provided ctxhide.exe program is still compiled as

32-Bit program. As we already know there is a filesystem redirection in place which tells 32-Bit programs to

find their “SYSTEM32” under C:\Windows\SySWoW64.

ctxhide.exe will use SySWoW64!

So, if you are running XenApp6 on Windows 2008 R2 (64-Bit) this results in a situation that the following

path is used to execute the usrlogon.cmd script

C:\Windows\SySWoW64\usrlogon.cmd

This may get important if you are migrating to a 64-Bit platform like I do.

How to replace the standard usrlogon.cmd script?

Before I was able to replace the usrlogon.cmd script, I needed to take the ownership of the file. Otherwise

the access will be denied by the system.

1) I used the following SetAcl command to set the owner of the file to the local Administrators group:

setacl -on "C:\Windows\SySWoW64\usrlogon.cmd" -ot file -actn setowner -ownr "n:S-

1-5-32-544;s:y"

2) Than I give System and the local Administrators group full access, and local Users read and execute

permission:

setacl -on "C:\Windows\SySWoW64\usrlogon.cmd" -ot file -actn rstchldrn -rst

"dacl,sacl" -actn setprot -op "dacl:p_nc" -actn ace -ace "n:S-1-5-32-

544;s:y;p:full" -actn ace -ace "n:S-1-5-18;s:y;p:full" -actn ace -ace

"n:$group;s:n;p:$Permission" -actn clear -clr "dacl,sacl"

By the way: There is an old citrix knowledgebase article which already describes this behaviour.

Additional Information

http://support.citrix.com/article/CTX108901 (Usrlogon.cmd Does Not Execute on Presentation Server for

Windows x64)

Tags: 64-Bit • citrix

{ 4 comments… read them below or add one }

Frank February 3, 2011 at 14:20

Hello Stefan,

shouldn’t you use the default citrix policy groups to manage your XenApp 6 Servers ? Isn’t there a

problem with the usrlogon.cmd and the User Account Control (UAC).

Best Regards

Frank

Reply

Stefan Bärthel February 3, 2011 at 21:07

Hi Frank,

Thanks for your comment. What do you mean with “Citrix Policy Groups”? I am not sure if I

understand correctly (maybe a feature I do not know?). Can I run logon scripts using this

method?

Regarding the UAC feature: I have to admit that I don’t like the UAC feature and I disable it

completely by windows group policies. So far I do not have any problems operating the

usrlogon.cmd this way.

Reply

Brian June 14, 2011 at 21:33

Stefan:

I feel a disturbance in the Force . It bothers me that you have turned off UAC. Just

because you don’t like a feature doesn’t mean it isn’t good. Are you sure you’re not

turning it off out of laziness? I don’t mean that as an insult. I just want you to consider that

the best road is very often the bumpy one. I hate UAC as well. It makes my admin duties

on clients that much harder. However, I equally express my thanks for that mechanism as

it ends up saving us TONS of time in keeping “morons” and the bad guys at bay.

To answer your Citrix Policy Groups question. With XenApp 6, you now employ Citrix

policies with the same mechanism as Windows group policies. When you change or

modify policies, you actually have to go to the command line and do a “gpupdate /force”

to apply them (or wait for the built-in gpupdate refresh cycle). That said, we found the

Citrix Policies don’t always apply as they should and this is disturbing to me and my

colleagues. …brian

Reply

Stefan Bärthel June 18, 2011 at 22:46

Hi Brian,

hehe, I just recognized how much habits during daily work are formed by laziness.

Sometimes I see my self doing workarounds (even if they take longer), because I

am too lazy to fix it …habits!

I agree with you to have the UAC turned on clients, but on a server I still prefer to

act as an administrator when I use an admin account. I don’t need the OS to

remind, that I am doing admin tasks, which was the purpose of logging in with an

admin account.

To be honest, I like the fact that this is configurable… something I miss on apple

products sometimes.

Reply

Leave a Comment

Name *

E-mail *

Website

Submit

Previous post: XenApp 5 to XenApp 6: Preparing for Windows 2008 R2

Next post: How to manage your XenApp 6 published applications automatically using scripts

Search the tube here...

About

Welcome to admintube.com. A blog about sysadmin's life in a world of windows and applications.

This blog is about infrastructure topics around terminal services and other stuff. To reveal interesting

stuff is the driver behind this site.

Recent Posts

Is your print spooler stuck?

Deep dive videos – Nordic Infrastructure Conference 2012 event

Getting Rid Of DigiNotar’s Root CA

How to solve conflicting PDF viewer with Internet Explorer

Bluescreens with McAfee when running Windows 2008, VSE 8.7i with Patch 4, and terminal

services

Topics

Applications

Citrix XenApp 6

Infrastructure

PowerShell

Windows 2008

Windows 2008 R2

Tube Cloud

64-Bit Applications citrix Internet Explorer PDF PowerShell Printing Windows Windows 2008

XenApp

Get smart with the Thesis WordPress Theme from DIYthemes.