Today's subject sits a tad off the AppSense track, but it's still very relevant to all of you out there with modern Windows-based computing environments. I get asked this question quite a lot when I'm consulting or doing project work. How can you deploy per-user file type associations (FTAs) in a shared session Windows environment? By this I mean primarily users on RDS or Citrix XenApp, where altering the per-device FTAs simply doesn't cut it.
Before I go on, I'm well aware there are loads of different ways this could be done and people will already have things implemented that do it quite adequately. I'm looking at this from a perspective of those who are at the upgrade crossroads, and trying to simplify as well as enrich their environments.
FTAs
Firstly, a quick explanation of what we were trying to do. On RDS/XenApp servers, you normally have a number of users logged on and utilizing the installed applications. However, sometimes issues (usually licensing-based) necessitate that users on the same machine need different default applications associated with a single file type extension. Maybe you have Adobe Acrobat and Adobe Reader installed on the same server, and you only want certain users to run the full version when opening PDF files. Or maybe some users want to use full-fat Visio and others just need to use the Visio Viewer. We're looking at forcing particular FTAs onto particular groups of users.
We're also dealing with installed applications here. If we were discussing using published applications, we could push the FTA and the associated application from the published app (if the delivery platform supports it). However, we are primarily dealing with a published desktop with a host of installed applications in the base image.
How to do it?
The first product I thought of was, naturally, AppSense Environment Manager. However, EM doesn't have a native Action for FTAs (please, please, please, add this in a future release! PLEASE!) We do, of course, have access to PowerShell and VB from EM, but there's no PowerShell cmdlet to do anything with FTAs directly.
For years, people have been manipulating Registry entries directly, backed up by assoc and ftype (native Windows commands). So we do have the option to use assoc and ftype (called from PowerShell, naturally), and from there use EM Registry Actions to fine-tune the associations based on group memberships.
It does become a little complicated, though. You start getting into handlers, file type names, file type associations and a whole host of Registry keys. You've got the interplay between HKCR and HKLM and HKCU to consider, you've got the possibility to configure multiple file type associations - it all sounds like it is becoming horrendously complicated, not just to do, but particularly to maintain.
Isn't there an easier way to do this, short of EM actually supporting this natively? Well, yes there is. Step forward Group Policy Preferences.
Doing it with GPP
There are a few things Group Policy Preferences can do natively that EM can't, but the lack of customized triggers generally makes it my less preferred option. However, the good thing about it is because it ships with AD, it's always there as a backup for the stuff that EM can't do (or doesn't do yet).
As we are configuring this for a XenApp server, we will need to configure Loopback Policy Processing, as we are going to use the User settings on a machine basis. This sits in Computer Configuration | Policy | Administrative Templates | System | Group Policy
And then we will configure the item itself. You need to look in User Configuration | Preferences | Control Panel Settings | Folder Options and choose New | Open With from the right-hand pane.
This will allow you to specify the file extension and the program you want to open it with, and also whether you want it set as the default file type association (i.e. the one that it uses when double-clicked). You will also need to set the Action type - I'm using Replace, which will delete any existing FTA in use for that filetype and replace it with this one. In my example, I am setting the .png extension to open with Microsoft Office Picture Manager 2007.
Finally, we can use the Common tab to set some more options to narrow down the scope of the Action. What we are interested in is the Item-Level Targeting option, and the Targeting button that allows us to choose the scope.
Now we can select from a whole host of available options to apply this to a specific subset. We are going to do it using an AD security group, but GPP has a nice wide variety of choice similar to EM itself.
And of course, don't make the mistake I always do and forget to link the new object to the relevant OU!
Once we deploy this, it should overwrite the FTA setting for the particular extension to whatever we have configured for the specific user group. The main advantage is that it's nice and easy to support, which was something we weren't going to get by using EM with targeted PowerShell assoc/ftype commands and Registry Actions.
Notes on this method
As this is a Group Policy Preference item, rather than a Policy, it won't overwrite any changes the user makes. In my testing, I was using local profiles on a single XenApp server, and if I changed the association manually, at next logon the manually-set FTA was still present. So if you want to be able to switch things around for the FTAs at some point using a central mechanism, but also allow users to maintain other FTAs they set manually, you will have to get around this somehow. There are probably a load of ways to do this, but as I am predominantly concerned with AppSense stuff we will attack it from this perspective.
In an EM environment, users generally dump their profiles at logoff, which means that if you don't want users to be able to alter their FTAs at all and just have the preconfigured ones, this is ideal. But if they select a custom FTA that you haven't set through GPP - for instance, opening .csv files in Notepad - you may want to allow them to persist this.
Personalization Server or EM Policy Registry Hiving are the obvious choices for this. You simply need to make sure that you capture these Registry keys into Session Data (for Personalization) or into Registry Hiving Actions.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
and
HKEY_CURRENT_USER\Software\Classes\Applications
These keys will allow user FTAs to persist.
If you wanted to customize this further - for instance, to set the default .pdf FTA to Adobe Reader and not allow users to change this, but allow them to change and maintain all others - you'd have to get a bit cleverer. Session Data doesn't allow exclusions, so you'd have to specifically add all the filetypes you wanted to save (a nasty job), or use something like APPSENSESPECIAL to remove the .pdf keys from the user's Personalization data at logoff.
Summary
Anyways - I get asked a lot of times about if you can set FTAs in Environment Manager. The simple answer is, yes you can, but it takes a lot of configuring and involves using PowerShell to call internal Windows commands alongside Registry key manipulation. Part of having a successful implementation is selecting the right tool for the job, and in its current incarnation (8.4 at time of writing), EM isn't the best tool available. Even though it takes part of your solution out of one technology and into another, simply from a support and maintenance perspective, this is one situation where I'd happily choose GPP to do the business.
Hopefully, though, EM will soon support FTAs natively, because getting this working in SBC environments can become a real PITA.
I'd also be very interested in hearing how others have dealt with this issue....it may well be there's a much slicker method I hadn't considered.