Hello Everyone,
We have an in-house software that should be looking at the ViewClient_Machine_Name Value in HKEY_CURRENT_USER\Volatile Environment or if we issue a set view command but unfortunately it is pretty much hit and miss. THe application needs to look a the client name that the user is connecting from as this is the only constant that doesn't change
in our Instant Clones deployment
The developer came up with another idea and is able to program the application to look at the System Variable with much more reliability. However, to achieve that they are asking us to deploy a VBS script that should be deployed using Horizon View GPO/Agent Settings and be running at logon (CommandsToRunOnConnect) and reconnect to session (CommandsToRunon Reconnect) with the following command: c:\windows\system32\cscript.exe \\domain.local\netlogon\viewlogin.vbs
Overall the script works when logged in to VM with writable only but as soon as I attach another appstack to it the script breaks and does not run. ALso if I'm fully logged in and go to my Netlogon share and run it then it doesn't work. No errors, nothing in logs, at least I cannot find anything.
Below is the script:
'************************************************************************************************************************
'The following will create applications and printers based on the following variables:
'vMachine = View Client Machine Name
'vIP = View Client IP Address
'vMAC = View Client MAC Address
'This section sets the variables mentioned above based on registry keys set by VMware View Agent
'***********************************************************************************************************************
On Error Resume Next
Const HKEY_CURRENT_USER = &H80000001
Set wmiLocator=CreateObject("WbemScripting.SWbemLocator")
Set wmiNameSpace = wmiLocator.ConnectServer(".", "root\default")
Set objRegistry = wmiNameSpace.Get("StdRegProv")
sPath = "Volatile Environment"
lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_Machine_Name", vMachine)
lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_IP_Address", vIP)
lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_MAC_Address", vMAC)
'msgbox "The Remote Device Name is " & vMachine & " @ " & vIP & " (" & vMAC & ") "
Dim WSHShell
Dim Shortcut, Desktop, DesktopPath
Set WSHShell = WScript.CreateObject("WScript.Shell")
DesktopPath = WSHShell.SpecialFolders("Desktop")
Set fso = CreateObject("Scripting.FileSystemObject")
'Sets ViewClient_Machine_Name as a system variable Dim SysVarReg, Value Set SysVarReg = WScript.CreateObject("WScript.Shell") value = SysVarReg.RegRead("HKCU\Volatile Environment\ViewClient_Machine_Name") SysVarReg.RegWrite "HKCU\Volatile Environment\1\CLIENTNAME", value WshShell.Environment.Item("ViewClient_Machine_Name") = vMachine
We did give Users Modify permissions to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
It seems to be very inconsistent too as it seems to work with some appstacks attached but not all which is majority but it always works fine on Vm with no appstacks and writable only.
I have also attempted to do the same with Powershell Script but that doesn't seem to work at all, not even on appstack free machines.
$userVariables= (Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Volatile Environment')
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name ViewClient_Machine_Name -Value $userVariables.ViewClient_Machine_Name
Also tried UEM Logon task just to see if the PS script would work and even though in logs I see it processed it does not work. When logged in to the machine I can run it just fine. UEM was more for test as it wil lneed to work through Horizon GPO due to reconnect option.
Envronment: AppVoloumes 2.16, Horizon 7.8, vCenter 6.7 U3, Windows 1809 LTSC
Any advise would be very appreciated.
Have you tried wrapping the command in a cmd file?
I didn't, just simply followed what vendor requested. Would you mind sharing how to accomplish this?
take
c:\windows\system32\cscript.exe \\domain.local\netlogon\viewlogin.vbs
and put it in viewlogin.bat, and save that in the appstack and use the gpos to call viewlogin.bat instead.
Ok I'll try that. I'm not putting the script in the appstack. Instead is sits in my Netlogon share and I'm calling it from there as not every machine has the same appstack and some don't have any.
If these are all instant clones can you put it in the parent image? If not you may want to enable the always wait for network gpo setting to make sure its not being ran before the netlogon share is available.
Yes I do have wait for network gpo setting enabled. For now if it works I will leave it in Netlogon and once I go around with my image updates I'll include it there and point it to local drive of the Parent Image
OK so I have done more testing and different scenarios. None of them seem satisfactory, here are the reuslts"
All scenarios have permissions for Users set to Modify on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
1. Scenario 1 - as main post above
- ViewLogin.vbs located in \\domain\netlogon\viewlogin.vbs
- horizon agent configured through GPO to run c:\windows\system32\cscript.exe \\domain\netlogon\viewlogin.vbs
Results:
Works on VMs with writable only and some appstacks but with majority of them it does not work
If I'm logged in to the machine with appstack and try to run it manually it also doesn't work
2. Scenario 2
- Placed ViewLogin.vbs in C:\Windows\Setup\Scripts on the master image
- horizon agent configured through GPO to run c:\windows\system32\cscript.exe C:\Windows\Setup\Scripts\viewlogin.vbs
Results:
The same as Scenario 1.
Works on VMs with writable only and some appstacks but with majority of them it does not work
If I'm logged in to the machine with appstack and try to run it manually it also doesn't work
3. Scenario 3
As advised I have created a ViewLogin.bat and placed it into \\domain\netlogon\viewlogin.bat.
ViewLogin.bat contains the following:
c:\windows\system32\cscript.exe C:\Windows\Setup\Scripts\viewlogin.vbs
- Placed ViewLogin.vbs in C:\Windows\Setup\Scripts
- horizon agent configured through GPO to run \\domain\netlogon\viewlogin.bat
Results:
Doesn't work at the logon on Vm with no appstack. If I run it manually it adds the Environmental Variable just fine
If I attach and appstack, it doesn't work at the logon and it doesn't work when I manually launch it when logged in to machine with appstack
4. Scenario 4
Created a ViewLogin.bat and placed it into \C:\Windows\Setup\Scripts\viewlogin.bat on master image
ViewLogin.bat contains the following:
c:\windows\system32\cscript.exe C:\Windows\Setup\Scripts\viewlogin.vbs
- Placed ViewLogin.vbs in C:\Windows\Setup\Scripts
- horizon agent configured through GPO to run C:\Windows\Setup\Scripts\viewlogin.bat
Results:
The same as Scenario 3
Doesn't work at the logon on Vm with no appstack. If I run it manually it adds the Environmental Variable just fine
If I attach and appstack, it doesn't work at the logon and it doesn't work when I manually launch it when logged in to machine with appstack
Any idea what might be happening?
So we have identified why it's not working with appstacks but don't really know how ti fix it.
Even though HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key has users permissions to modify the key on the master image, when I attach appstack the command is not running successfully and we are seeing access denied in logs. I have tried to manually run the command in logged in machine and it fails as well.
I have tried to create any key this registry key and it fails with access denied as well. I can successfully create one in HKCU but not in HKLM. Once I detach the appstack I can run it successfully.
SO for some reason having appstack attached is causing it to fail
Also, more for anyone trying to run commands on Connect and reconnect through Horizon Agent GPO I was missing -c in front of the command that's why the bat file didn't work on logon with no appstack
To run scripts that require console access, prepend the -C or -c option followed by a space. For example:
-c C:\Scripts\Cli_clip.cmd
-C e:\procexp.exe
Supported file types include .CMD, .BAT, and .EXE. .VBS files will not run unless they are parsed with cscript.exe or wscript.exe. For example:
-C C:\WINDOWS\system32\wscript.exe C:\Scripts\checking.vbs
The total length of the string, including the -C or -c option, should not exceed 260 characters.
UPDATE:
I had SR opened with VMware and we have discovered that if I create brand new appstack containg the same application ( not update existing one) it appears to be working and script successfully is running, so we decided to go that route. However, now we are finding that we still have 10 more appstacks that even after recreation they still prevent this script from running. We even tried to add registry exclusion for that key exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment in snapvol.cfg of the appstack and still no luck
Furthermore, I have been playing around a little more with affected appstacks and found that for some reason I can create new registry entry under Environment key using regedit UI and it sticks fine but if I try to run it using cmd I get access denied. If I run cmd with privileged account that has admin rights to the machine it works as well.
So somewhere along the lines of provisioning something is changing and prevents the script from creating the registry in it. I do have Environment key configured with modify permissions for users.
It alos seems like it is only with some applications in appstack that we are seeing it. Don't know what it is though. Examplease are Content Manager Desktop, SQL Management Studio, Quickbooks and couple of other ones specific to our organization.
Anyone seen anything like it?
One more update:
The issue is fixed. It appears that the registry key Environment has some permission issues. If I'm in provisioning and want to change permissions on that key they don't stick. As the matter of the fact yo modify permission and immediately is wipes the change. So affected appstacks were somehow affecting that key because even after attaching the appstack to VM and was trying to manually add the Variable to the key using CMD I would be getting access denied. I can do that using UI (regedit) but just not using cmd. I have checked exclusions on snapvol.cfg and that key is not excluded besides we pretty much stayed with default template.
Anyway long story short, I ended up changing the permissions on that key for users to be able to modify on packaging machine and did snapshot and provisioned the same application on that machine and now the script runs with no issues.
Thank you everyone for all the suggestions and help with it. Hopefully this will help anybody trying to do something similar.