AP Remote Viewer crash
Article ID: 127014
Updated On:
Products
Automation Point
Issue/Introduction
When logging on remotely to the CA AP server and starting the CA AP Remote Viewer it crashes very time. Even when the user belongs to the Administrator group.
Environment
Release:
Component: ATMXC
Component: ATMXC
Resolution
This is caused by insufficient access to "%AP_DATA%\Logs" folder preventing initialization of logging mechanism.
CA AP Remote Viewer requires permissions to Read, Create, Append and Delete files in %AP_DATA%\Logs to be able to maintain logs.
It is possible that permissions are set up in a way that Creator/Owner has different rights than Administrators group.
In such a case using “Run as Administrators” would circumvent this.
We recommend checking if the Administrators group has Full Control permission for %AP_DATA%\Logs folder.
CA AP Remote Viewer requires permissions to Read, Create, Append and Delete files in %AP_DATA%\Logs to be able to maintain logs.
It is possible that permissions are set up in a way that Creator/Owner has different rights than Administrators group.
In such a case using “Run as Administrators” would circumvent this.
We recommend checking if the Administrators group has Full Control permission for %AP_DATA%\Logs folder.
Additional Information
It is caused by a certain UAC behavior in Windows, which causes problems with accessing “Logs” folder for writing log files.
If there is a process run by a user that is trying to access file/folder then if the access right needed by the process is unavailable to built-in “Users” group (whether or not the user has the necessary rights inherited from other group) then it has to be ran in elevated mode (“As Administrator”).
This is caused by inconsistency within the way windows treats user and group permissions.
For example if you set “Full Control” permissions for each user individually this issue does not occur, but if you use a group of which the users are members of, then this issue will start occurring.
One would expect, that Windows would not differentiate between listing all users in a group and using the group as substitute.
However this is not the case and I was unable to find justification for this behavior anywhere within Windows documentation.
There are few options to get around this:
A) Keep running Remote Viewer “As Administrator” as you already do.
B) List all users who will be running the Remote Viewer individually in the Security settings in Properties of “%AP_DATA%\Logs” folder and give those users “Full Control” permissions.
Instead of just giving “Full Control” permission to the group they are members of.
C) Give “Full Control” permission to the built-in “Users” group.
D) In “Local Security Policy” in “Local Policies\Security Options” and disable
“User Account Control: Admin Approval Mode for the Built-in Administrator account” and
“User Account Control: Run all administrators in Admin Approval Mode” settings.
This would make the Remote Viewer (but also other processes) run “As Administrator” by default for all admins.
If there is a process run by a user that is trying to access file/folder then if the access right needed by the process is unavailable to built-in “Users” group (whether or not the user has the necessary rights inherited from other group) then it has to be ran in elevated mode (“As Administrator”).
This is caused by inconsistency within the way windows treats user and group permissions.
For example if you set “Full Control” permissions for each user individually this issue does not occur, but if you use a group of which the users are members of, then this issue will start occurring.
One would expect, that Windows would not differentiate between listing all users in a group and using the group as substitute.
However this is not the case and I was unable to find justification for this behavior anywhere within Windows documentation.
There are few options to get around this:
A) Keep running Remote Viewer “As Administrator” as you already do.
B) List all users who will be running the Remote Viewer individually in the Security settings in Properties of “%AP_DATA%\Logs” folder and give those users “Full Control” permissions.
Instead of just giving “Full Control” permission to the group they are members of.
C) Give “Full Control” permission to the built-in “Users” group.
D) In “Local Security Policy” in “Local Policies\Security Options” and disable
“User Account Control: Admin Approval Mode for the Built-in Administrator account” and
“User Account Control: Run all administrators in Admin Approval Mode” settings.
This would make the Remote Viewer (but also other processes) run “As Administrator” by default for all admins.
Feedback
Yes
No
Powered by
