Issue: Citrix/Roaming profiles are not used after RUM processing

Oct. 11th 2017


Steps to recreate the problem:

  1. Citrix roaming profiles are in use.
  2. Roaming profile folders naming standard is “username.sourcedomain.v2”.
  3. Process profiles folder with a RUM processing task to add target permissions.
  4. When the migrated user logs onto the target domain, a new roaming profile folder is created. This is not the expected behavior; the new profile folder name is in the format “username.targetdomain.v2”.
  5. The target account does not use the processed roaming profile.


The group policy setting that determines the location of the roaming profile folder needs to be changed:

  • Original configuration – with this group policy setting the roaming profile folder names are in the format username.domain.v2.
    • Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Session Host/Profiles
      • Set path for Remote Desktop Services Roaming User – Enabled
        • Profile Path – specify the path in the form \\Computername\Sharename
  • Updated configuration – with this group policy setting the roaming profile folder names are in the format username.v2.
    • Computer Configuration/Administrative Templates/System/User Profiles
      • Set Roaming profile path for all users logging onto this computer
        • \\Computername\Sharename\%USERNAME%
  • Migration steps:
    • Copy all user profiles and their permissions to the user profiles folder under the name username.v2 (removing the domain name).
    • Update the group policy to use the %USERNAME% variable and remove the original configuration from the GPO.
    • Process the roaming profile with RUM and log on using the target account. The new GPO setting forces the folder name to be username.v2, without the domain name.

The original configuration using the “Set path for Remote Desktop Services Roaming User” GPO setting includes the domain name in the roaming profile folder name, which caused the logon process to create a new folder with the target domain name. Updating the GPO to use the “Set Roaming profile path for all users logging onto this computer” removes the domain name from the folder name and allows the user to logon to the processed profile on the target domain.
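The copy step above, as an added PowerShell example (not code from the original post or from the RUM product): for each folder on the profile share named username.sourcedomain.v2 it creates username.v2 with robocopy /COPYALL, so the data, NTFS permissions, owner and audit entries travel together and the %USERNAME%-based GPO path resolves to the processed profile. The share path and source domain name are parameters you supply; -WhatIf previews the copies without making them.

```powershell
# Added example: copy <user>.<sourcedomain>.v2 -> <user>.v2 on the profile share,
# preserving NTFS security. Share path and domain name are placeholders supplied
# by the caller; the script is not part of the original post.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $ProfileShare,   # e.g. \\FILESERVER\Profiles$ (assumed)
    [Parameter(Mandatory)] [string] $SourceDomain    # NetBIOS name that appears in the folder suffix
)

$suffix = ".$SourceDomain.v2"

foreach ($dir in Get-ChildItem -Path $ProfileShare -Directory | Where-Object { $_.Name -like "*$suffix" }) {
    # Strip ".<sourcedomain>.v2" and rebuild the name the new GPO setting expects
    $user   = $dir.Name.Substring(0, $dir.Name.Length - $suffix.Length)
    $target = Join-Path -Path $ProfileShare -ChildPath "$user.v2"

    if (Test-Path -LiteralPath $target) {
        Write-Warning "$target already exists; skipping $($dir.FullName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, "Copy to $target with ACLs")) {
        # /E      subfolders including empty ones
        # /COPYALL data, attributes, timestamps, owner, DACL and SACL (/SEC would omit owner and SACL)
        # /XJ     skip junction points so the copy does not wander outside the profile
        # /R:1 /W:1 short retries on a busy share; /NP /NFL /NDL keep the output quiet
        robocopy $dir.FullName $target /E /COPYALL /XJ /R:1 /W:1 /NP /NFL /NDL | Out-Null

        # robocopy exit codes 0-7 are success (possibly with extra or mismatched files); 8+ is failure
        if ($LASTEXITCODE -ge 8) {
            Write-Error "robocopy failed for $($dir.FullName) (exit code $LASTEXITCODE)"
        } else {
            Write-Verbose "Copied $($dir.FullName) -> $target"
        }
    }
}
```

Run it from an elevated session on a host that has the backup and restore privileges, since copying the owner and SACL with /COPYALL requires them; a first pass with -WhatIf lists every source/target pair so a stray folder that does not follow the naming standard is caught before anything is written.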

Written by John Hobbs

Posted by bc-admin in Authentication Services, Uncategorized

Troubleshooting Process Elevation in Privilege Manager

Oct. 12th 2016

Here are some tips when trying to discover why the process elevation feature is not working as expected.

  • Ensure that the rule has been created, has been saved and applied to a Group Policy Object (GPO). Ensure this GPO has been linked to either an OU or the domain.
  • Ensure that the Privilege Authority Client is installed on the client machine by looking in the Add/Remove Programs applet. If WMI is available, you can query the machine by dropping into a command prompt and typing "wmic /node:<fqdn of machine> product get name,version". If you need PowerShell, there is a great script located here.
  • From the command prompt, run ‘GPUpdate /force’ to make sure that the Group Policy has been refreshed.
  • Run 'GPResult' (or 'GPResult /R' on Windows 7 or 2008) and check that the GPO the rule belongs to has been applied to that machine. You can also use the Resultant Set of Policy (RSoP) feature or Group Policy Modeling in the Group Policy Management Console. For more info, see here.
  • Check in the registry for the rule. Rules are copied to the key HKEY_LOCAL_MACHINE\Software\ScriptLogic Corporation\Privilege Authority\CSE\CSEHost\Host. Under this key you will see a subkey named with the SID of each user (e.g. S-1-5-21-15…) and, beneath that, a unique GUID for each rule. To match a SID to a user account, navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and look at the data in the ProfileImagePath value, or use the script provided below.

To go the other way and resolve a user name to its SID, you can also use the following VBScript (run it with cscript and pass the domain and user name as arguments):

' Look up an account's SID through WMI (Win32_UserAccount).
' Usage: cscript <this script>.vbs <domain> <username>
Option Explicit
Dim strComputer, User, UserDomain, objWMIService, objAccount, DisplayString

If WScript.Arguments.Count < 2 Then
    WScript.Echo "Usage: cscript <this script>.vbs <domain> <username>"
    WScript.Quit 1
End If
UserDomain = WScript.Arguments(0)
User = WScript.Arguments(1)

' "." queries the local machine; use a host name to query a remote one
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get("Win32_UserAccount.Name='" & User & "',Domain='" & UserDomain & "'")

DisplayString = UserDomain & "\" & User & " = " & objAccount.SID
WScript.Echo DisplayString
WScript.Echo objAccount.SID

  • If the rule is present in the registry, enable logging to troubleshoot further.

To Enable Logging

Under the registry key HKLM\Software\ScriptLogic Corporation\Privilege Authority\ change 'LogLevel' from the default value of 0 to 3 and restart the ScriptLogic Privilege Authority Host Service. The log files can be found in the folder specified in the 'InstallPath' value under this same key. The default log location is C:\ProgramData\Privilege Authority\Logs.

  • Run the application or target process that you have created your rule for. Then go to the log file folder (by default – C:\ProgramData\Privilege Authority\Logs) and open the CSEHostEngine.log file. Every process that is being run by the user will be displayed.  To the right of each process, you will see a “MATCH” or “NO MATCH” status indicating whether or not the process matched a given Privilege Authority rule. Then, do a search for the process that you are trying to elevate and see if there is a match or not.
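The registry and log checks above, combined into one PowerShell script as an added example (not code from the original post or from the vendor): it lists the per-user SID subkeys under the CSEHost\Host key with the account each resolves to and the number of rule GUIDs beneath it, reports the current LogLevel, and then pulls the MATCH / NO MATCH lines for one process out of CSEHostEngine.log. The registry paths, value names and log file name are the ones the post gives; the process name and log folder are parameters with assumed defaults, and the .NET SID translation is a fallback the post does not mention.

```powershell
# Added example: walk the Privilege Authority rule keys, resolve SIDs, report the
# log level and filter CSEHostEngine.log for one process. Not part of the post.
param(
    [string] $ProcessName = 'notepad.exe',                           # assumed: the process your rule targets
    [string] $LogDir      = 'C:\ProgramData\Privilege Authority\Logs' # default log location named in the post
)

$paBase      = 'HKLM:\Software\ScriptLogic Corporation\Privilege Authority'
$hostKey     = "$paBase\CSE\CSEHost\Host"
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-Sid {
    param([string] $Sid)
    # First the ProfileList mapping the post describes, then a .NET translation as fallback
    $entry = Get-ItemProperty -Path "$profileList\$Sid" -ErrorAction SilentlyContinue
    if ($entry -and $entry.ProfileImagePath) {
        return (Split-Path -Path $entry.ProfileImagePath -Leaf)
    }
    try {
        $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '<unresolved>'
    }
}

# 1. Rules delivered per user: one subkey per SID, one GUID subkey per rule
if (-not (Test-Path -Path $hostKey)) {
    Write-Warning "No rules under $hostKey - check the GPO link and run gpupdate /force"
} else {
    Get-ChildItem -Path $hostKey | ForEach-Object {
        [pscustomobject]@{
            SID     = $_.PSChildName
            Account = Resolve-Sid -Sid $_.PSChildName
            Rules   = @(Get-ChildItem -Path $_.PSPath).Count
        }
    } | Format-Table -AutoSize
}

# 2. Logging state: LogLevel 3 plus a restart of the host service gives the detailed log
$pa = Get-ItemProperty -Path $paBase -ErrorAction SilentlyContinue
"LogLevel is '$($pa.LogLevel)' (0 = default, 3 = detailed)"

# 3. MATCH / NO MATCH lines for the process you are trying to elevate
$log = Join-Path -Path $LogDir -ChildPath 'CSEHostEngine.log'
if (Test-Path -Path $log) {
    Select-String -Path $log -Pattern ([regex]::Escape($ProcessName)) |
        Where-Object { $_.Line -match '\bMATCH\b' } |   # matches both "MATCH" and "NO MATCH"
        ForEach-Object { $_.Line }
} else {
    Write-Warning "$log not found - enable logging, restart the host service and reproduce the elevation attempt"
}
```

Reading the registry key needs local administrator rights, and the log only contains useful lines after LogLevel has been raised and the service restarted, so run step 2 first, reproduce the elevation attempt, then run the whole script.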

Posted by bc-admin in Uncategorized

How To Redirect the Default Website to the Password Manager(QPM) Self Service Site

Jan. 22nd 2014

Password Manager does not redirect the default website automatically; you have to go to http://servername/qpmuser every time. However, within IIS you can turn on HTTP Redirect. Here are the steps.

Go to the IIS Manager
Select HTTP Redirect under the Default Web Site



Check “Redirect request to this destination”

Enter QPMUser

Check “Redirect all requests to exact destination”

Check “Only Redirect Request to content in this directory”

Click Apply


Go under each subfolder and Virtual site of Default Web Site

Uncheck “Redirect request to this destination”. This is very important, because every subfolder and virtual site inherits the HTTP Redirect setting from the Default Web Site.

Apply Changes



Once this is done, you will be able to go to http://servername and it will redirect you to http://servername/QPMUser.

This must be done on every QPM web server you want to redirect.

Note: To redirect to the Helpdesk site instead, enter QPMHelpdesk in place of QPMUser.
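The same change made with the WebAdministration module instead of IIS Manager, as an added example that is not part of the original post: it sets the four HTTP Redirect options on the Default Web Site and then switches the inherited redirect off again on every application, virtual directory and physical subfolder beneath it, which is the step the post warns must not be skipped. The site name and destination are the post's; that the IIS provider accepts a physical subfolder as a PSPath is an assumption, as is the module being installed on the QPM web server.

```powershell
# Added example: configure the Default Web Site -> /QPMUser redirect and clear it
# on all children. Run on each QPM web server; not code from the original post.
Import-Module WebAdministration

$site        = 'Default Web Site'
$destination = '/QPMUser'                       # use '/QPMHelpdesk' for the helpdesk site
$sitePath    = "IIS:\Sites\$site"
$filter      = 'system.webServer/httpRedirect'

# 1. Site root: the four checkboxes from the post
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name enabled          -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name destination      -Value $destination
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name exactDestination -Value $true   # "Redirect all requests to exact destination"
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name childOnly        -Value $true   # "Only redirect requests to content in this directory"

# 2. Children inherit the section, so turn it off on each one (QPMUser itself included,
#    otherwise requests for /QPMUser are redirected again)
$children  = @(Get-WebApplication      -Site $site | ForEach-Object { $_.Path })
$children += @(Get-WebVirtualDirectory -Site $site | ForEach-Object { $_.Path })
$physical  = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $site).PhysicalPath)
$children += @(Get-ChildItem -Path $physical -Directory | ForEach-Object { "/$($_.Name)" })

$children = $children |
    ForEach-Object { $_.TrimStart('/').Replace('/', '\') } |   # "/a/b" -> "a\b" for the IIS: drive
    Where-Object { $_ } |                                      # drop the site root ("/")
    Sort-Object -Unique

foreach ($child in $children) {
    Set-WebConfigurationProperty -PSPath "$sitePath\$child" -Filter $filter -Name enabled -Value $false
    Write-Verbose "HTTP Redirect disabled on $site/$child"
}

# 3. Show the resulting root setting
Get-WebConfiguration -PSPath $sitePath -Filter $filter |
    Select-Object enabled, destination, exactDestination, childOnly
```

Run it elevated; afterwards a request to http://servername/ should answer with a 301 to /QPMUser while http://servername/QPMUser is served directly, which is a quick way to confirm that step 2 reached every child.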



Author: Wayne Thompson, Exchange Architect, LeadThem Security

Posted by bc-admin in Password Manager

SharePlex – Repairing a Table with Copy

Jan. 2nd 2014

This procedure is generally used only for very large tables, when the standard compare and repair cannot be run because of time or system resource constraints. The instructions below let you carry it out with the least impact on the database by minimizing the time the table must be locked.

  • Open 3 windows on the source system to expedite the process. This will enable you to minimize the amount of time the full table lock is held. With proper execution, the table lock can be less than 10 seconds.
  • In one window, create an export parameter file to export the table you want to synchronize. When complete, enter the export command but don’t hit the return key. The basic export command or data pump can be used.
    • nohup expdp parfile=exp.par &   (or nohup exp parfile=exp.par & for the basic export utility)
  • In your second window, enter sqlplus from the command line. Enter the lock table command but do not hit return.
    • sqlplus / as sysdba
    • SQL>  lock table <table name> in exclusive mode;
  • In your third window, enter sp_ctrl and type in the flush command but do not hit return.
    • sp_ctrl
    • > flush <datasource>
  • You are now ready to start the procedure. All steps should be done as quickly as possible to reduce the lock time.
  1. Execute the lock table command in window two. If this times out, retry until successful.
  2. Execute flush command in window three.
  3. Start export command in window one.
  4. Return to window two and execute a commit.
  5. When export is completed, transfer dump file to target server, truncate the table, and import it.
  6. Start the post process.


Author: Mark Bochinski, Senior SharePlex DBA, LeadThem Security

Posted by bc-admin in SharePlex

SharePlex Compare and Repair

Jan. 2nd 2014


The COMPARE and REPAIR commands are essential components of the Shareplex toolset. The COMPARE command, started on the source system, will compare one table with the corresponding table on the target. The COMPARE USING <config file name> command will compare the entire list of tables in the config file. The COMPARE command creates one log file on the source and two files on the target, one log file and one SQL file. The log file records the steps taken and errors if they occur. The SQL file contains comments plus any SQL statements needed to bring the table back in sync. However, these SQL statements are not executed. During the execution of the COMPARE command, a brief exclusive table lock is required on the source system. The table is immediately unlocked once Shareplex starts reading the table. However, on the target system the exclusive table lock is held for the duration of the compare on that table. This prevents the table from being modified during the compare. The REPAIR command works identically to the COMPARE command with the exception that it does execute the SQL statements and synchronizes the OOS (out-of-sync) table.

Before starting the COMPARE or REPAIR commands, the TEMP tablespace and the UNDO tablespace may need to be made larger, and the undo_retention database parameter may need to be increased. At a bare minimum, the TEMP tablespace will need to be at least as large as the largest table. With SP_DEQ_THREADS at its default of 2, the TEMP tablespace needs to be larger than the sum of the sizes of the two largest tables; if SP_DEQ_THREADS is set to a larger number, increase the size of the TEMP tablespace accordingly. Similarly, the UNDO tablespace may need to be increased. Based on transaction volume and the length of time it takes to compare the largest table, increase the size of the UNDO tablespace and increase the undo_retention database parameter to avoid an ORA-1555 "snapshot too old" error. Tables with LOBs take much longer to compare or repair than tables without them.

The SharePlex COMPARE and REPAIR commands work as follows. After locking the table, it is read and sorted in identical fashion on both source and target. If the table is large, it will probably need to be sorted in the TEMP tablespace; as this writes to disk, it takes longer than sorting in RAM. Next, 10000 rows are read on the source and target systems and a UNIX checksum is computed for each batch. If the checksums match, the next 10000 rows are read, and so on. If the checksums do not match, the COMPARE and REPAIR processes determine which rows are out of sync and create the SQL statements to repair them. The REPAIR process then executes those SQL statements.

Commonly modified COMPARE/REPAIR parameters

SP_DEQ_BATCHSIZE – Default 10000. This parameter determines how many rows are read on source and target before executing the UNIX checksum command. Larger batch sizes increase the processing speed but require more RAM. The range of values is from 1 to 32767.

SP_DEQ_THREADS – Default 2. This parameter controls the number of parallel compare or repair processes. It only impacts the COMPARE USING <config file name> command. A common occurrence when this parameter is set to a high value is multiple large tables comparing at once. If the database has 1000 tables in replication and 20 of them are large, Shareplex will quickly compare the small tables while the large tables will take longer as they sort to the TEMP tablespace. Eventually, many large tables could be comparing at the same time. This can cause a huge load on the OS. Setting SP_DEQ_THREADS larger than the number of available CPUs is unadvisable.

SP_DEQ_SKIP_LOB – Default 1. The default value causes LOBs to be included in the compare/repair process. Setting it to 0 will cause only the non-LOB columns to be included in the compare repair process. This will greatly speed up comparing or repairing LOB tables, especially useful if the LOB columns are never modified after insert.
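A small model of the batched compare and repair logic described above (the "how it works" paragraph and SP_DEQ_BATCHSIZE), written in PowerShell as an added example; it is not SharePlex code and does not reproduce the product's actual checksum or SQL. Source and target rows are sorted on the key, walked in batches of $BatchSize, and a hash of each batch is compared; only batches whose hashes differ are diffed row by row to produce the INSERT, UPDATE and DELETE statements that a repair would run. The table, columns and rows are constructed for the example, and SHA-256 stands in for the UNIX checksum.

```powershell
# Added example, not SharePlex code: batched checksum compare with per-row repair SQL
# for the mismatching batches only. Table name, columns and rows are constructed here.

function Get-RowText {
    param([object] $Row)
    # Deterministic serialisation of one row, used both for hashing and for row diffs
    return "$($Row.Id)|$($Row.Name)|$($Row.Amount)"
}

function Get-BatchHash {
    param([object[]] $Rows)
    # SHA-256 over the serialised batch, standing in for the UNIX checksum
    $text  = ($Rows | ForEach-Object { Get-RowText $_ }) -join "`n"
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($text))
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Get-RepairSql {
    # Emits one SQL statement per out-of-sync row in a batch whose hashes differed
    param([string] $Table, [object[]] $SourceBatch, [object[]] $TargetBatch)
    $srcById = @{}; foreach ($r in $SourceBatch) { $srcById[$r.Id] = $r }
    $tgtById = @{}; foreach ($r in $TargetBatch) { $tgtById[$r.Id] = $r }

    foreach ($r in $SourceBatch) {
        $name = $r.Name -replace "'", "''"          # double embedded quotes in the literal
        if (-not $tgtById.ContainsKey($r.Id)) {
            "INSERT INTO $Table (ID, NAME, AMOUNT) VALUES ($($r.Id), '$name', $($r.Amount));"
        } elseif ((Get-RowText $r) -ne (Get-RowText $tgtById[$r.Id])) {
            "UPDATE $Table SET NAME = '$name', AMOUNT = $($r.Amount) WHERE ID = $($r.Id);"
        }
    }
    foreach ($r in $TargetBatch) {
        if (-not $srcById.ContainsKey($r.Id)) { "DELETE FROM $Table WHERE ID = $($r.Id);" }
    }
}

function Compare-Tables {
    param([string] $Table, [object[]] $Source, [object[]] $Target, [int] $BatchSize = 10000)  # SP_DEQ_BATCHSIZE default
    $src = @($Source | Sort-Object Id)
    $tgt = @($Target | Sort-Object Id)
    $sql = [System.Collections.Generic.List[string]]::new()
    $t   = 0

    for ($s = 0; $s -lt $src.Count; $s += $BatchSize) {
        $end      = [Math]::Min($s + $BatchSize, $src.Count) - 1
        $srcBatch = @($src[$s..$end])
        # Pair the batch with the target rows in the same key range, so a missing or
        # extra row disturbs only this batch instead of shifting every later one
        $maxId  = $srcBatch[-1].Id
        $tStart = $t
        while ($t -lt $tgt.Count -and $tgt[$t].Id -le $maxId) { $t++ }
        $tgtBatch = if ($t -gt $tStart) { @($tgt[$tStart..($t - 1)]) } else { @() }

        if ((Get-BatchHash $srcBatch) -ne (Get-BatchHash $tgtBatch)) {
            foreach ($stmt in (Get-RepairSql $Table $srcBatch $tgtBatch)) { $sql.Add($stmt) }
        }
    }
    # Rows left on the target have keys beyond the last source row: they exist only there
    if ($t -lt $tgt.Count) {
        foreach ($stmt in (Get-RepairSql $Table @() @($tgt[$t..($tgt.Count - 1)]))) { $sql.Add($stmt) }
    }
    return $sql.ToArray()
}

# Constructed sample: the target is missing row 3, has a stale AMOUNT for row 5 and
# still holds row 9, which no longer exists on the source.
$source = @(1..8 | ForEach-Object { [pscustomobject]@{ Id = $_; Name = "row$_"; Amount = $_ * 10 } })
$target = @($source | Where-Object { $_.Id -ne 3 } |
            ForEach-Object { [pscustomobject]@{ Id = $_.Id; Name = $_.Name; Amount = $_.Amount } })
($target | Where-Object { $_.Id -eq 5 }).Amount = 999
$target += [pscustomobject]@{ Id = 9; Name = 'row9'; Amount = 90 }

Compare-Tables -Table 'ORDERS' -Source $source -Target $target -BatchSize 4
```

With a batch size of 4 the first batch (keys 1 to 4) hashes differently because row 3 is absent, the second (keys 5 to 8) because of the stale amount, and the trailing target row 9 falls outside the source key range, so the script emits exactly one INSERT, one UPDATE and one DELETE; the rows inside the matching parts of each batch are never compared individually, which is the saving the batched checksum buys, and why a larger SP_DEQ_BATCHSIZE trades memory for speed.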


Author: Mark Bochinski, LeadThem Security Senior SharePlex DBA

Posted by bc-admin in SharePlex