RES Automation Manager security Modules


When configuring a security role in RES Automation Manager (RES AM) it is posible to deny access to the content of the modules.

When editing the permisions of the Module node in a RES AM security Role, a select box is shown. With the option “Limit task details when read access permissions are set” selected, a user who is configured with this security role can not view the content of the tasks of the modules.


Option “Limit task details when read access permissions are set” selected.


Option “Limit task details when read access permissions are set” not selected. Setting and Script tab are accessible.



Show Specific control panel items issue RES WM

In a locked down Windows environment, it is a best practice to hide specific control panel items for those functions that can’t or shouldn’t be performed by an end user.

With a RES WM “User registry” object, you can use “control.admx” to load the policy template to configure these settings.policy_01

In the “List of allowed control panel items” the Canonical name of the Control panel items should be entered.

So far so good. But it wasn’t working in my environment…

With this configuration active in RES Workspace Manager  2014, still all control panel items were shown.

When looking in the registry of a logged in user, these registry key’s were present:


The registry hive “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl” is set by the policy.

As stated in this MS Technet article, “The Hide specified control panel applets policy takes precedence over the Show only specified control panel applets policy.”

The entries in the “DisallowCpl” hyve are:



What about the “…\DisallowCpl”? Where does it come from?

The “villan” here, appears to be the setting “Disable Add/Remove programs” at Composition -> Desktop -> Lockdown and behaviour:


This setting will result in the “Disallow” hive.

Logging in, with this setting unchecked, only the specified items in the control panel were visible. Everything is working as expected…


“Stub” Application – RES Workspace manager

In an RES Workspace Manager environment you have to deal with the following settings:

  1. Application Security Rules
  2. User settings (Zero Profile)
  3. Configuration

An issue can be, to know and keep track for what reason a specific setting has been set. A way to keep track is to make use of the “Administrative note”. When filling in this field, make it short and descriptive. With “Security Rule” you can end up with more than one rule for a specific application, eg. Java. You will end up adding “Java” to each rule.

A more organized way, is making use of a “Stub” (Dummy) application Object and Move all security rule, belonging to Java to this “Stub” object. To move the security rule to the “stub”, select the rule, click right, select “Move…” and select the “stub” object. Name this object “stub Java” .SecurityMove_01 To keep these special Application Objects together (more than one stub), you can put the “Stub”s in a separate start menu folder.


To make sure that this special Application Object doesn’t behave as a normal Application Object, some settings needs to be set on the Application Object:

  1. General -> Command Line = empty
  2. General -> ☐ Create Start Menu Shortcut
  3. Settings -> ☑ Hide application
  4. Settings -> ☑ Do not list in PowerHelp
  5. Settings -> ☑ Do not show in “New Applications”
  6. Settings -> ☑ Autolaunch at session start: Mandatory

“Identity”, “Location” and devices” and “Workspace Containers” needs to be adjusted according to the need of the security rules.

This technique can also be used with an application suite (a collection of Application objects, eg. Office). By doing so you can configure the “user settings” and “Configuration” actions once and link to the application objects of the suite.

  • User settings: ☑ Use the user settings from the following application: “…” and select the stubUsersettings_02
  • Configuration: Add “Linked Action” and select the stubLinkedaction_01

The “Zero profile mode” configured in the Usersettings of the “stub” need to be set to “capture on session end”.


To get the Zero profile activated at the start of a session, configure the “User Settings” -> “Application user settings”, global or for a Workspace conatainer, to “Prefetch in background, check on application start”.

Usersettings_01Having all the settings for a specific Application, collected in the “stub”, you have a better overview of what is necessary for that application. Also changing from a Test to a Production environment is a lot easier, one Building Block instead of…


Update 14-10-2014: For “User settings” to save settings at session end, it is nessesarry to start the “stub” at session start. Added setting 6. to the setting for a sub application object.



RES Workspace Manager “Installation on demand”

In a RES Workspace Manager environment it is easy to present an application to an end user (Identity).

Most of the time, the challence is to install the application on the Laptop / Desktop. There needs to be consistency between the application delivered and installed on the machine of the end user.

By integrating RES AM (for installation of the application) in RES WM (for delivering the application), in case the application is not pressent when started, it can be installed.

In this example the application “Skype” is used.

RES AM Integration

To integrate RES AM in RES WM, go in the WM Console to menu Setup -> RES Software -> RES Automation Manager…



Select “RES Automation Manager” integration. In the “Dispatcher dectection” settings, select“Autodetect” or choose “User dispatcher address list” and add a Dispatcher.
To choose a RES AM environment, Click “…” and select the name of the AM environment.

Choose “authentication” the way that you have enough rights within RES AM(Read on Modules and Projects) with the account you are logged in in the RES WM console. To find out if you can access RES AM, click “Test Now…”. When correct you will see the Modules/projects from RES AM.

RES AM Installation module

In RES AM a Module needs to be created to acctualy install the application.



In this example, a “Windows Installer Package” Task I configured, in the “Install – Skype” Module. This task performs a “Silent” installation of the “skypesetup.msi”. Additional configuration, for the application on the machine, can be added to the module.

RES WM Application

To add the RES AM module to a RES WM application, open the application and add an “Automation task” action at “Configuration” of the application object.



At the “Automation task” select “Task” and select the RES AM installation module for the application.




Enter at “Custom status message” a message, which will be shown to the end user, when the RES AM module is started by RES WM. Default, the option “Skip if applicatie executable was found” is checked, this is the trigger for RES WM to initiate the RES AM task. Select “Wait for task to finish before continuing” to postpone the start of the application until the RES AM task has finished. When this option is not selected, RES WM will present an error message, “Can’t start application”, because the installtion task hasn’t finished. With the option “Run Once” -> User, you can prevent that an application is installed on different devices.

RES WM Application start

When the end user starts the application for the first time, a message appears at the lower right of the screen. When the installattion is finished the application will be launched. When the installation takes some time, the end user can click on “Dismiss and notify me when done”, RES WM will notify the end user when the installation is done and the application can be used.

Install-skype-ws-01    Install-skype-ws-02


With this integration of RES AM in RES WM, an application can be easily, on demand, deployed to an end user device. By doing so an initial deployment of an end user device can contain less software.




Display Logon Message with RES Workspace manager

In the case of implementing changes to your RES Workspace Manager 2012 and higher (RES WM) Environment, you need to inform your users what is changing for them.

You can publish a message on your Intranet or send a mail to your end users, but you won’t know that the message is read by your end users. A more direct way is prompting the end user with a message box, containing the information you want them to know.

To show a message from RES WM, an Application Object can be created to display a HTML page (iexplore.exe with parameter) or PDF (arcoread.exe with paramter) and set it to “Voluntary” Autostart (so the end user can disable the message). This way of showing a message is easy to manage, but when we want to reuse this application object to display a new message, there isn’t a way to at it to the start up (Mandatory is no option, message will be shown at every logon).

To extend the functionality of RES WM, I created a Powershell script / function to display a message box, which will show a Ritch text file (.rtf). The Message (path to RTF file), title, width and height are parameters for the function.


The function to show this message is entered in an “Execute command” object. The file, containing the message to show, is also stored as custom resource. (\Messages\*.rtf).


Parameters to the “Display-RTFFile” function:

-sPathRTF <string> : used to supply the path to the RTF file to display, is Mandatory, no default.

-sTitle <string> : used to change the caption of the Message, default is “Message”.

-iHeight <pixels> : used to set the Height of the Message, default is “400”

-Width <pixels> : used to set the Width of the Message, default is “500”

To show this message before the user logs in, select:

  • Run Task: At logon after other actions.
  • Select “Wait for task to finish before continuing”

To show this message once to a user, Select “Run once” , “Per user”.

To resuse this function, Select “Run once: Clear history”.


The script file, containing the function is placed as a custom resource (\Script\Display-RTFFile.ps1)


UPDATE 01-10-2014: When using this script, the Message box was sometimes hidden behind the RES splash screen. This issue is solved by specifying the property TopMost = $True (Line 91) to the form displayed.


Download script:

2.2 KiB


Sticky Notes on Windows 2008 R2 with RES Workspace Manager

In Windows 7 Sticky Notes is a standaard accessory. Strangely enough Sticky Notes is not an application on Windows 2008 R2.

When browsing the net I came along a site (link) how to make Sticky Notes available. (with the binaries from Windows 7).

After the installation of Sticky Notes on a Windows 2008 R2 server, when a user will start the application, a security message is shown.


To remove this message the “StikyNot.exe” needs to be edited, so that NTFS file information is removed. The tool to use is “Steams.exe” which can be downloaded from sysinternals/Microsoft.

Starting the modified exe will start Sticky Notes without the security warning.

An other issue with this “port” of Stiky Notes is that is “installed” on another location than in Windows 7. “C:Program FilesSticky Notes” on Windows 2008 R2 and “%windir%system32” on Windows 7.

Luckily the user is using RES Workspac Manager to manange the Workspace. I modified the application for Sticky Notes at the command line “%ST_PATH%StikyNot.exe“.
The Environment Variable is created on the Configuration option of the application and its value is changed depending on the OS it’s started. In the case of this RES WM implementation the appropiate Workspace container is used.

One big advantage is that for both OS’s the User Preferences are the same independant on which OS the user start the application.