“Logon failure: the user has not been granted the requested logon type at this computer”

CustomCPZoomedQuick answer:
In Windows 7/8/10, we use a third-party Credential Provider, and it was blocking LOCAL (ie. not Domain) accounts from logging on.  Removing the third-party CP resolved the issue.  (we have logged a fault with the vendor).

Detailed answer follows:

Continue reading

Windows 10 – “The properties for this item are not available”

The properties for this item are not availableThere’s a bug with Windows 10 which prevents you from seeing the properties for a folder.  To trigger it, you need to do the following:

  1. logon to Windows 10 with user account UserA.
  2. Run As an application, such as Explorer++ or QDir, with a different user account UserB
  3. right mouse-click on a folder, and select Properties.

“The properties for this item are not available” occurs.

The fix
Apply March 2016 Cumulative Update for Windows 10 for x64-based Systems (KB3140745), or later

The workaround
The “Interactive User” value needs to be removed form the the Runas registry key under [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{448aee3b-dc65-4af6-bf5f-dce86d62b6c7}]

You may need to take ownership of the key in order to change it.

AppLocker, ActiveSetup, Group Policy; all the dumb things

4846.applocker.png-200x0Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT Department to prevent malicious programs from being run on your work computer.  Great in theory, and my experience is that it works with some wrinkles.  It broadly works by using Group Policy to configure what is a “Trusted” location.

Applocker and Active Setup
Active Setup allows you to execute commands once per user, early, during login.   For example, you might want to do this to configure iTunes for each user who logs onto the computer.

Each Active Setup command has a file path to the commands that you need to run.  If you don’t trust this file path in Applocker, your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

If you are going to add a “Path” rule to fix this issue, you need to add two.  One for EXEs and another one for MSIs.

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “”special”” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “”special”” computer.  And it still seems to have AppLocker blocking programs.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Logon to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.

KB2918614 – Not only does it break MSI Repair .

“What the security bulletin doesn’t say is that the change in Windows Installer repair operations means that application repair attempts will be met with a User Account Control credential window each time. However, the credentials required are administrator access.”
Bug or Feature? KB2918614 Alters Windows Installer Behavior

KB2918614 Should your application install use Active Setup, to say, personal per-user settings, then this MS14-049 security patch causes a UAC prompt as well.

The current workaround, courtesy of happysccm,  is as follows:

  1. Uninstall the application and reinstall it with the security update installed. (sourcehash file generated with security update)
  2. Manually copy the sourcehash file to c:\windows\installer folder. As the sourcehash file is generated based on the application files, the sourcehash file generated on computer A can be used on computer B.

Not scalable if, say, you have 500 packaged applications deployed to customers.

“The server application, source file, or item can’t be found,

or returned an unknown error.  You may need to reinstall the server application.”
The server application, source file, or item can't be found, or returned an unknown error.  You may need to reinstall the server application.

We had two cases of this error occur within a short time frame.

  1. “When I paste from Visio into Powerpoint, an error occurs.”
  2. “Clicking on a Visio diagram in a Powerpoint document, causes an error to occur.”

The solution was simple enough, and it was to re-register the Component Object Model provider, OLE32.dll.
regsvr32 c:\windows\system32\ole32.dll

Old versions of Samba, and Windows Vista / 7 / 8

samba-logo-v1-200x154 The customer reported a problem with our Windows 7 desktop.

Unable to delete the top level folder with Windows 7, but it works with Windows XP.  It must be something you’ve done to Windows 7.

Ok, well the “must be something you’ve done to Windows 7” was unspoken, but that’s where they going to next.

I admit I didn’t do a whole lot of investigating.  In fact all I did a simple Google search “samba vista top level folder”, and the answer is that it was fixed in Samba release 3.0.24.  Which was released SEVEN YEARS AGO.

“Why didn’t you do a lot of investigation?”, I hear you ask.

Because I’m aware that the version of Samba that the customer is using, is so old, it doesn’t even support encrypted passwords.

USB power issues with Citrix Receiver

usbpowerexceededr So we deployed the latest Citrix Receiver (4.0 at the time).  Then the issues rolled in.  “USB Hub Power Exceeded” was one of them.  The typical customer complaining was a user with a laptop in a docking station.

The cause of the error is that the Citrix Receiver client (file ctxusbm.sys) is restricting the USB power down to 100ma, from 500ma.  It’s a bug that’s been around since at least July 2013.  At the time of writing, it’s yet to be fixed.  I’m told that Citrix will bundle the fix into the Receiver v4.2 release.

AirCard Watcher is unable to authorize the use of this device. Please check your Internet and Firewall settings.

sierra_320u_4g_lte_stick_testra_optus_4g_usb_aircard_320u_1__1 The Sierra AirCard Watcher software is bundled with the Telstra TurboCard series of devices.   When the Sierra Watcher software starts up, the software goes out to a Sierra licensing server and checks whether you’re authorised to use the software.

Netgear purchased the Sierra Aircard assets in April 2013.
And guess what
Netgear did just before Christmas 2013 break?  

They took the Sierra licensing server offline in order to migrate it to a Netgear server.  Thus breaking the Telstra Sierra Aircards we use.

The supplied workaround?  Download the latest Aircard software from Netgear.

With Windows Installer 4.5, we had an MSI install which wouldn’t complete the user section of the install.

Symantec_fail And it turned out to be a fault with Windows Installer 4.5.

The installation process of a MSI package that contains multiple packages stops responding (hangs) in Windows XP, Windows Vista, or Windows Server 2008

We need to use Windows Installer 4.5, as we’re seeing some software installs which require it as a prerequisite.  So we need the hotfix.

But, this from the company “where good products go to die”:

Some Microsoft Windows Installer hotfixes may have error handlers that do not ignore any errors and fail the installation process if any errors are encountered.

One such hotfix is Microsoft Windows Installer hotfix KB981669. If Microsoft hotfix KB981669 is installed, the hotfix will not ignore any errors and will cause the PGP Desktop installation to fail.
(my emphasis)

Alternately, they could have fixed their PGP Desktop installation, so it doesn’t produce errors.