One of the problems facing when you used the LockPermissions table, was that permissions on already existing local files were simply overwritten and were not added/merged with the already existing permissions on these files. Another limitation was that it didn’t natively localized user groups based on well-known SIDs. When you e.g. were setting permissions on the ‘Users’ group and ran the msi on a Russian Win7 system the msi would fail to install, because it didn’t know of a usergroup called ‘Users’. In Russian the group is called ‘Пользователи’. You would receive error message 1609 “An error occurred while applying security settings. Users is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry.“ There was a way to solve this with a special mergemodule called SIDLookup, but not everyone knew of its existence.

Since Windows Installer 5.0 (included in Windows 7 by default) there is a brand-new table called ‘MsiLockPermissionsEx‘ which can be used to set permissions on files, registry, folders, and services that are installed with your msi-package. You can find the TechNet page explaining all this here:

http://msdn.microsoft.com/en-us/library/windows/desktop/dd408009%28v=vs.85%29.aspx

Tutorial – how to use MsiLockPermissionsEx in your msi

Step 1: Add the MsiLockPermissionsEx table to your msi.

I recommend you to use Orca 5 (latest version available in Windows 7 SDK) which already supports the new table natively. You won’t see it right away, you just have to tell Orca to use it. But before you add this table you should make sure that the ‘old’ LockPermissions table is removed (in Orca this can be done by selecting ‘drop table’ when you right-click on the table’s name). Your msi will fail during installation on Win7 or later when both (LockPermissions and MsiLockPermissionEx) tables exist in the same package. On Windows XP the installation itself will not fail, but permissions are simply not set.

Open your existing msi in Orca and you will see that the table MsiLockPermissionsEx is not there yet, so you need to add it first.

Click ‘Add table’ in the ‘Tables’ menu.

Now select ‘MsiLockPermissionsEx’ and click <OK>.

When you look at the tables again, you will see that the new table is already added to your msi

The MsiLockPermissionsEx table consists of the following columns:

-MsiLockPermissionsEx

-LockObject

-Table

-SDDLText

-Condition

For further info about using this table I refer to the before mentioned TechNet article.

Step 2: Install the package/software and set the permissions you want.

You can only set permissions on items which are part of the package, therefore you should first install the software. You can set permissions on files, folders, registry keys and services.

Now you can set the permissions on the items you want. I will give the following permissions in my example:

-Give the ‘Everyone’ group full control on the registry key HKLM\Software\Wow6432Node\Primavera and all subkeys.

-Give the ‘Everyone’ group read and execute rights on the file C:\Windows\SysWow64\dbexpint.dll.

Step 3 Download the SubInACL tool from Microsoft.

You can find the SubInACL tool here: http://www.microsoft.com/download/en/confirmation.aspx?id=23510

Step 4 Retrieve the SDDL string which you need to copy into the SDDL Text column in the MsiLockPermissionsEx table

After installing the SubInACL tool, you should browse to the C:\Program Files (x86)\Windows Resource Kits\Tools folder (with administrative rights) and execute the following command:

Subinacl.exe /file C:\Windows\SysWow64\dbexpint.dll /display=sddl

This command returns the SDDL string that I need for the SDDL Text column in Orca.

Now I need to repeat this last step for getting the SDDL string of my registry key permissions:

Subinacl.exe /keyreg HKEY_LOCAL_MACHINE\Software\Wow6432Node\Primavera /display=sddl

Step 5 compile the msi and check the results.

After compiling your package and installing it on the client pc’s, you should now have the permissions like desired.

Keep in mind that MsiLockPermissionsEx will still overwrite existing permissions, BUT it can preserve inherited permissions. The old LockPermissions table was not able to preserve inherited permissions. The inheritance depends on the SDDL string you enter.

There exists a nice script from the CSI website to get SDDL strings, but you are only allowed to use it when you have a license for it or when one of your companies employees has attended a particular CSI course. You can find their tool here: http://csi-windows.com/toolkit/csigetsddlfromobject

Look here for more info about the SDDL string: http://msdn.microsoft.com/en-us/library/aa379570%28v=vs.85%29.aspx

Microsoft launched a new free Windows gadget, the TechNet Forum Assistant. For details and download, see below.

TechNet Forum Assistant
The TechNet Forum Assistant is a free Windows gadget, available in the Microsoft Download Centre. This gadget will help you better utilize the great information in TechNet Forums and community. By downloading, you have the support and expertise of Microsoft TechNet Forum Support Engineers directly right on your desktop. Receive support on your terms by downloading the TechNet Forum Assistant.

Ask Questions
The TechNet Forum Assistant enables you to ask questions directly to our dedicated TechNet Forum Support Engineers. With a click of your mouse, you can choose your favourite thread among the numerous topics available in the TechNet Forums.

 Hot Topics & Resources
The TechNet Forum Assistant instantly directs you to the hottest questions and discussions, professional technique recommendations for development and free sample code from the All-In-One Code Framework. Searching through your forum threads has never been easier. With TechNet Forum Assistant you can search through your threads directly from your desktop.

Receive Personalized Updates
The TechNet Forum Assistant conveniently gathers forum threads which are of interest to you. By selecting your favourite forums, the Forum Assistant provides updates on the most recent threads, making your online support experience much more convenient and hassle free.

Download:
http://www.microsoft.com/download/en/details.aspx?id=27747

Originally posted here:
http://microsoftplatform.blogspot.com/2011/11/announcing-new-technet-forum-assistant.html

Only 2 weeks after registration for this event had opened, the organization had to tell people that it was no longer possible to register, because there was no more space. But next year there will be another event – in Amsterdam again (at the Sheraton Hotel which offers space for over 350 people). Today there were about 120 people at the event.

Not only for the sessions itself it was useful to attend the event, but also for networking and meet other people that are obsessed in some way by App-V.

To give you some idea of the high quality of the event: there should have been 9 App-V MVP’s – unfortunately 2 had to cancel their visit at the last moment – but that still is quite extraordinary, as there are only 16 App-V MVP’s worldwide!

Not only people from Holland visited the event, but also people from countries like Belgium, Germany, UK, Ukraine, Norway, Sweden, and many more countries.

After a nice presentation about Project VRC Phase IV by Ruben Spruijt (PQR) the attendants could hear Madelinde Walraven (Microsoft Holland) and Sebastian Gernert (Microsoft Germany) speak about some advanced App-V troubleshooting. Did you know for instance that an App-V application uses 2 high ports on the App-V Virtual Application Server and that the default maximum is 16,383 ports? 16,383 ports might seem a high number, but when your company uses Dynamic Suite Composition a bit too much, this maximum will be reached quite fast and then you get into ‘connection lost’ problems.

After a short break, Ment van der Plas (Login Consultants) highlighted some App-V related changes in the new SCCM 2012 RC1 release. There are many changes, but unfortunately not all for the better: uninstalling an App-V from the clients is now not that straightforward anymore, as it used to be in SCCM 2007.

Another MVP (Nicke Källén, Viridis) had a session about ‘Heavy Duty Sequencing’. The information Nicke was talking about was not new to me, but certainly useful for people that are not that experienced in App-V yet.

Jurjen van Leeuwen (Dutch guy living and working in Norway, Leodesk) talked about Server App-V and after him Falko Gräfe gave a session about Dynamic Suite Composition. DSC looks like a great concept at first, but it can get you into a lot of trouble.

Rodney Medina (Immedio) had to prepare a session on short notice, as the original presenter wasn’t able to visit the event, but did a great job by talking about User State Virtualization.

The last session of the day was presented by all the presentators together, and was called “Top 10 Myths around App-V”. In this session the public was invited to discuss with the experts about certain situations, like virtualizing Office 2007 or cleaning up the sequence (which used to be best practice when you captured a MSI in the old days).

Nicke Källén is a great presenter and his session was, in my opinion the best of the day when I just look at the way he presented. The most interesting session for me was the session about ‘Troubleshooting App-V’ by Madelinde and Sebastian.

I want to thank the organizers for organizing this great event and look forward to the 2^nd European App-V User Group meeting. I had a great time and met some really nice people that are as passionate with App-V as I am. Next time there might be news about the next version of App-V… who knows.

When you like to come too to this great event – the date is not known yet – please visit www.appvug.com / www.appvug.nl for the latest news.

The slides of the sessions haven’t been released yet, but when they are I will update this post with the links to the presentations.