Archive for the 'Uncategorized' Category

Issue: Citrix/Roaming profiles are not used after RUM processing

Oct. 11th 2017


Steps to recreate the problem:

  1. Citrix roaming profiles are in use.
  2. Roaming profile folders naming standard is “username.sourcedomain.v2”.
  3. Process profiles folder with a RUM processing task to add target permissions.
  4. When the migrated user logs on to the target domain, a new roaming profile folder is created with a name in the format “username.targetdomain.v2”. This is not the expected behavior.
  5. The target account does not use the processed roaming profile.


The group policy setting that determines the location of the roaming profile folder needs to be changed:

  • Original configuration – with this group policy setting the roaming profile folder names are in the format username.domain.v2.
    • Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Session Host/Profiles
      • Set path for Remote Desktop Services Roaming User – Enabled
        • Profile Path – specify the path in the form \\Computername\Sharename
  • Updated configuration – with this group policy setting the roaming profile folder names are in the format username.v2.
    • Computer Configuration/Administrative Templates/System/User Profiles
      • Set Roaming profile path for all users logging onto this computer
        • \\Computername\Sharename\%USERNAME%
      • Copy all user profiles and permissions to the user profiles folder with the name username.v2 (removing the domain name).
      • Update group policy to use the %USERNAME% variable. Remove the original configuration from the GPO.
      • Process the roaming profile and log on using the target account. Using the new GPO setting will force the folder name to be “username.V2” and not to include the domain name.

The original configuration, using the “Set path for Remote Desktop Services Roaming User” GPO setting, includes the domain name in the roaming profile folder name, which caused the logon process to create a new folder with the target domain name. Updating the GPO to use the “Set Roaming profile path for all users logging onto this computer” setting removes the domain name from the folder name and allows the user to log on to the processed profile on the target domain.
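The copy step above can be planned and run with a script like the following. This is an added example, not part of the original post: the share path and source domain name are placeholders, and nothing is copied unless the script is run with -Copy.

```powershell
# Added example: copy roaming profile folders from username.<sourcedomain>.v2 to username.v2.
# $ShareRoot and $SourceDomain are placeholders. Without -Copy the script only reports the plan.
param(
    [string]$ShareRoot    = '\\Computername\Sharename',
    [string]$SourceDomain = 'sourcedomain',
    [switch]$Copy
)

$suffix = ".$SourceDomain.v2"
Get-ChildItem -LiteralPath $ShareRoot -Directory |
    Where-Object { $_.Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        # Strip only the trailing ".sourcedomain.v2" so user names containing dots survive
        $user   = $_.Name.Substring(0, $_.Name.Length - $suffix.Length)
        $target = Join-Path $ShareRoot "$user.v2"
        $exists = Test-Path -LiteralPath $target

        if ($exists) {
            # Never merge into a folder that is already there; review these by hand
            $status = 'Skipped: target exists'
        } elseif ($Copy) {
            # /E = subfolders, /COPYALL = data, attributes, timestamps, ACLs, owner, auditing
            # /B = backup mode, /XJ = skip junction points
            robocopy $_.FullName $target /E /COPYALL /B /XJ /R:1 /W:1 /NP /NFL /NDL | Out-Null
            $status = if ($LASTEXITCODE -lt 8) { 'Copied' } else { "Robocopy error $LASTEXITCODE" }
        } else {
            $status = 'Planned'
        }
        [pscustomobject]@{ User = $user; Source = $_.Name; Target = "$user.v2"; Status = $status }
    }
```

Run it from an elevated session with rights to the profile share, since /B and /COPYALL need backup and security privileges to carry the ACLs across.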

Written by John Hobbs

Posted by bc-admin | in Authentication Services, Uncategorized

Troubleshooting Process Elevation in Privilege Manager

Oct. 12th 2016

Here are some tips when trying to discover why the process elevation feature is not working as expected.

  • Ensure that the rule has been created, has been saved and applied to a Group Policy Object (GPO). Ensure this GPO has been linked to either an OU or the domain.
  • Ensure that the Privilege Authority Client is installed on the client machine by looking in the Add/Remove Programs applet. If WMI is available, you can query the machine by dropping into a command prompt and typing “wmic /node:<fqdn of machine> product get name,version”. If you need PowerShell, there is a great script located here.
  • From the command prompt, run ‘GPUpdate /force’ to make sure that the Group Policy has been refreshed.
  • Run ‘GPResult’ (or ‘GPResult /R’ on Windows 7 or 2008), and check that the GPO the rule belongs to has been applied to that machine. You can also use the Resultant Set of Policy (RSoP) feature or Group Policy Modeling on the Group Policy Console. For more info, see here.
  • Check in the registry for the rule. Rules are copied to the key HKEY_LOCAL_MACHINE\Software\ScriptLogic Corporation\Privilege Authority\CSE\CSEHost\Host. Under this key you will see a key which is the SID for each user (e.g. S-1-5-21-15….) and then a unique GUID for each rule underneath this. To match the SID to a user account, navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and look at the data in the ProfileImagePath value or use the script provided below.

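You can also look up the SID for an account with the following VBScript:

' Look up the SID of an account through WMI
Set oShell = CreateObject("WScript.Shell")
' Account to look up: defaults to the logged-on user, change as needed
User = oShell.ExpandEnvironmentStrings("%USERNAME%")
UserDomain = oShell.ExpandEnvironmentStrings("%USERDOMAIN%")

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get("Win32_UserAccount.Name='" & User & "',Domain='" & UserDomain & "'")
DisplayString = UserDomain & "\" & User & " = " & objAccount.SID
Wscript.Echo DisplayString
Wscript.Echo objAccount.SID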

  • If the rule is present in the registry, enable logging to troubleshoot further.

 To Enable Logging


Under the registry key HKLM\Software\ScriptLogic Corporation\Privilege Authority\ change ‘LogLevel’ from the default value of 0 to 3 and restart the ScriptLogic Privilege Authority Host Service.  The log files can be found in the folder specified in the ‘InstallPath’ value under this same key. The default log location is C:\ProgramData\Privilege Authority\Logs.

  • Run the application or target process that you have created your rule for. Then go to the log file folder (by default – C:\ProgramData\Privilege Authority\Logs) and open the CSEHostEngine.log file. Every process that is being run by the user will be displayed.  To the right of each process, you will see a “MATCH” or “NO MATCH” status indicating whether or not the process matched a given Privilege Authority rule. Then, do a search for the process that you are trying to elevate and see if there is a match or not.
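
The registry and log checks above can be run in one pass on the client machine. This is an added example, not vendor code or part of the original post: `$Process` is a placeholder, the paths are the defaults quoted above, and the only assumption about the log format is that each line contains the process name and the text MATCH or NO MATCH.

```powershell
# Added example, not vendor code. $Process is a placeholder for the rule's target executable.
param([string]$Process = 'example.exe')

$paRoot   = 'HKLM:\Software\ScriptLogic Corporation\Privilege Authority'
$rulesKey = Join-Path $paRoot 'CSE\CSEHost\Host'
$logFile  = 'C:\ProgramData\Privilege Authority\Logs\CSEHostEngine.log'  # default location

# 1. Rules in the registry: one subkey per user SID, one GUID subkey per rule
if (Test-Path $rulesKey) {
    foreach ($sidKey in Get-ChildItem $rulesKey) {
        $sid = $sidKey.PSChildName
        try {
            $sidObj  = [Security.Principal.SecurityIdentifier]$sid
            $account = $sidObj.Translate([Security.Principal.NTAccount]).Value
        } catch {
            # SID did not resolve: fall back to the profile path from ProfileList
            $profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
            $account = (Get-ItemProperty $profileKey -ErrorAction SilentlyContinue).ProfileImagePath
        }
        $rules = Get-ChildItem $sidKey.PSPath | Select-Object -ExpandProperty PSChildName
        [pscustomobject]@{ Sid = $sid; Account = $account; Rules = $rules -join ', ' }
    }
} else {
    Write-Warning "No rules under $rulesKey; check the GPO link and run GPUpdate /force."
}

# 2. LogLevel must be 3 (default 0) before CSEHostEngine.log is useful
$logLevel = (Get-ItemProperty $paRoot -ErrorAction SilentlyContinue).LogLevel
Write-Host "LogLevel = $logLevel (set to 3 and restart the host service to log)"

# 3. Log lines that mention the target process, flagged when they read NO MATCH
if (Test-Path $logFile) {
    Select-String -Path $logFile -SimpleMatch $Process | ForEach-Object {
        [pscustomobject]@{
            LineNumber = $_.LineNumber
            NoMatch    = $_.Line -like '*NO MATCH*'
            Line       = $_.Line
        }
    }
} else {
    Write-Warning "$logFile not found; check the InstallPath value under $paRoot."
}
```
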

Posted by bc-admin | in Uncategorized

The Most Important Aspect of a Notes Migration

Aug. 21st 2013


There are some aspects of a Lotus Notes Migration to Exchange that are more important than others, but they probably aren’t what you would expect.

Over the past five years of doing these mail migrations I’ve found that the most successful migrations come down to three common factors:
1) Good Analysis
2) Extensive Planning
3) Appropriate Expectations

That may seem like a given but sadly it’s far from it.

Good Analysis gives you a true understanding of what your source data is. This lets you plan how long your migrations will take, how many migration machines you need to set up and what kinds of data you're actually migrating. In the end, understanding what you have will better prepare you for supporting what you migrate.

Planning seems like it should be easy enough from the start of a migration project. You only need some servers and the software, right? We all wish it were that easy. The reality is that yes, you need the servers and software, but you need to plan for:
• Migration space and expansion for growth on your Exchange server.
• You need to plan for when you need to be done with your migration and how many people per day you need to migrate.
• You need to know how much data you need to migrate per person.
• What kind of data you need to migrate. Do you need only calendar, mail, both?
• How are users going to connect to their new Exchange mailbox? OWA? Outlook Clients?
• How are you going to support your users after they are migrated? What kind of call volume can your support desk handle?
• Can you migrate during the day or will that impact your production servers too much? This is a limiting factor on how quickly you can migrate.
• Do you need coexistence?

These are just some examples of the common things to put a plan in place for, and only the tip of the iceberg of questions you need to ask and investigate before you start your migration. A rich plan will make your migration go much more smoothly.

And finally, setting appropriate expectations is probably the most important of all. Migrations are a translation from one system to another, not a copy and paste. Knowing the limitations of a migration will help to control the support calls after the migration.

Starting with those three basic migration concepts will get you far in the start of your migration.

Author: Dave Cook, LeadThem Security  Notes Architect





Posted by bc-admin | in Notes Migrator, Uncategorized