Table of Contents
Advertisement
Deploying MSI Files on Microsoft Vista
When you deploy MSI files on Vista, you must indicate whether an installer needs elevated privileges. Typical
individual user installations do not require elevated privileges but individual machine installations require
such privileges.
ThinApp provides the MSIRequireElevatedPrivileges parameter in the Package.ini file that specifies
the need for elevated privileges when the value is set to 1. Specifying a value of 1 for this parameter or forcing
an individual user installation from the command line can generate UAC prompts. Specifying a value of 0 for
this parameter prevents UAC prompts but the deployment fails for machine‐wide installations.
Controlling Application Access with Active Directory
You can control access to applications using Active Directory groups.
When you build a package, ThinApp converts Active Directory group names into Security Identifier (SID)
values. A SID is a small binary value that uniquely identifies an object. SID values are not unique for a few
groups, such as the administrator group. Because ThinApp stores SID values in packages for future validation,
the following considerations apply to Active Directory use:
You must be connected to your Active Directory domain during the build process and the groups you
specify must exist. ThinApp looks up the SID value during the build.
If you delete a group and re‐create it, the SID might change. In this case, rebuild the package to
authenticate against the new group.
When users are offline, ThinApp can authenticate them using cached credentials. If the users can log into
their machines, authentication still works. Use a group policy to set the period when cached credentials
are valid.
Cached credentials might not refresh on clients until the next Active Directory refresh cycle. You can force
a group policy on a client by using the gpupdate command. This command refreshes local group policy,
group policy, and security settings stored in Active Directory. You might log out before Active Directory
credentials are recached.
Certain groups, such as the Administrators group and Everyone group, have the same SID on every
Active Directory domain and workgroup. Other groups you create have a domain‐specific SID. Users
cannot create their own local group with the same name to bypass authentication.
Active Directory Domain Services define security groups and distribution groups. If you use nested
groups, ThinApp can only support nested security groups.
Package.ini Entries for Active Directory Access Control
ThinApp provides the PermittedGroups parameter in the Package.ini file to control Active Directory
access.
When you start a captured application, the PermittedGroups parameter checks whether a user is a member
of a specified Active Directory group. If the user is not a member of the Active Directory group, Thinapp does
not start the application. For information about restricting packages to Active Directory groups, see
"PermittedGroups" on page 73.
In the following Package.ini entry, App1 and App2 inherit PermittedGroups values.
[BuildOptions]
PermittedGroups=Administrators;OfficeUsers
[App1.exe]
[App2.exe]
VMware, Inc.
...
..
...
...
Chapter 3 Deploying Applications
45
Advertisement
Table of Contents
Troubleshooting
