A limitation of App-V applications that are published to users is that we can’t simply right-click a shortcut and run the application as a different user (we will refer to this as the ‘impersonating user’), even if the impersonating user is in the correct AD group. Here we provide a free tool that will enable users to run App-V as a different user.
Run App-V as a Different User
In the modern enterprise, administrators typically have two domain accounts:
- a standard domain account used for logging in, surfing the web and running business applications
- an administrative domain account used for running network administration tools, such as Remote Server Administration Tools (RSAT).
The practice of running an application as a different user works well when we want to run local, non-virtualised applications. However, App-V doesn’t permit this behaviour by default, because it doesn’t know which applications are provisioned to the impersonating user.
To force this behaviour manually, we would need to open a PowerShell session as the impersonating user and synchronise the App-V publishing server:
Get-AppvPublishingServer | Sync-AppvPublishingServer
But even then, there are two reasons why this is clunky.
- Asking a user to open a PowerShell prompt as their impersonated account and run the aforementioned command periodically (perhaps every session in a non-persistent environment?) is not really feasible.
- If your App-V applications are published to users, this command will publish any shortcuts to the user profile of the impersonating user you are running it as. So you’ll need to go digging into this profile to find the shortcuts before you can launch them.
For these reasons we created Impersonatr.
Impersonatr is a portable executable that will display a list of App-V applications that the impersonating user has access to.
You can run Impersonatr as any user (using ‘Run as a different user’, for example) and launch the impersonating user’s applications by double-clicking the application, or by highlighting the application and clicking ‘Run Application’.
There is no configuration required.
Delivering Impersonatr
When providing users with access to Impersonatr, we obviously do NOT want to deliver it via a ‘typical’ virtualised App-V package. Otherwise we will end up with the same problem that we are trying to solve! So we must use a non-virtualised way.
There are a couple of approaches:
- We could deliver it via group policy, by perhaps hosting the exe on a remote share and dropping a shortcut down for the user at login.
- We could use App-V to deliver it... without virtualisation!
In some organisations, changes to group policies (even to add an innocuous shortcut) require change control approval, and this can cause unnecessary delays. For this reason I prefer to use the second approach, since we can manage the delivery of Impersonatr at the application level. It’s a bit of a hack, but it works well.
We can do this like so:
- Create a blank App-V package (you might need to create a dummy file for it to mount the virtual file system without error)
- Add Impersonatr.exe to the Scripts folder
- Save this code into a file called Impersonatr.ps1, and add it to the Scripts folder
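try {
    # Work out the folder this script is running from.
    # When hosted by powershell.exe, BaseDirectory is $PSHOME, so fall back to the script's own folder.
    $currentDirectory = [System.AppDomain]::CurrentDomain.BaseDirectory.TrimEnd('\')
    if ($currentDirectory -eq $PSHOME.TrimEnd('\'))
    {
        $currentDirectory = $PSScriptRoot
    }
    $pathToExe = $currentDirectory + "\Impersonatr.exe"

    # Create a Start Menu shortcut that points at Impersonatr.exe in the Scripts folder.
    $WshShell = New-Object -ComObject WScript.Shell
    $Path = [Environment]::GetFolderPath("StartMenu") + "\Programs"
    $Shortcut = $WshShell.CreateShortcut("$Path\Impersonatr 1.0.0.lnk")
    $Shortcut.TargetPath = "$pathToExe"
    $Shortcut.IconLocation = "$pathToExe"
    $Shortcut.Save()
} catch {
    # Any error is swallowed here: the shortcut is simply not created.
}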
- Save the package
- Once saved, open the User Config XML and add the following script:
<UserScripts>
  <PublishPackage>
    <Path>powershell.exe</Path>
    <Arguments>-ExecutionPolicy ByPass -WindowStyle Hidden -File "[{AppVPackageRoot}]\..\Scripts\Impersonatr.ps1"</Arguments>
    <Wait RollbackOnError="false" Timeout="30"/>
  </PublishPackage>
</UserScripts>
And that’s all there is to it! When you click on the shortcut in the Start Menu this will launch Impersonatr.exe from the Scripts folder in the package cache – an area that is typically trusted by tools such as AppLocker.
Make sure you specify the new User Config script when you import the package into the management console! Please report any feedback via our community pages.
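Because the publish script runs with `-ExecutionPolicy ByPass` and the shortcut targets an executable in a location AppLocker typically trusts, it is worth checking the binary before the shortcut is created and recording failures instead of swallowing them. The following is an added example, not the author's script: a stricter variant of Impersonatr.ps1 that assumes PowerShell 4.0 or later, a SHA-256 value recorded by the packager (shown as a placeholder) and a hypothetical log file location.

```powershell
# Added example: stricter variant of Impersonatr.ps1 (not the original author's code).
# Assumption: the packager recorded the SHA-256 of Impersonatr.exe when building the package.
$ExpectedSha256 = '<SHA256-OF-IMPERSONATR-EXE>'           # placeholder, replace with your recorded value
$LogFile = Join-Path $env:TEMP 'Impersonatr-publish.log'  # hypothetical log location

function Write-PublishLog([string]$Message) {
    # One timestamped line per event so publish failures can be reviewed later.
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

try {
    $pathToExe = Join-Path $PSScriptRoot 'Impersonatr.exe'
    if (-not (Test-Path -LiteralPath $pathToExe -PathType Leaf)) {
        throw "Impersonatr.exe not found at $pathToExe"
    }

    # Refuse to publish a shortcut to a binary that differs from the packaged one.
    $actual = (Get-FileHash -LiteralPath $pathToExe -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for ${pathToExe}: got $actual"
    }

    # Record the Authenticode status for review. It is logged rather than enforced,
    # because the page does not say whether the executable is signed.
    $sig = Get-AuthenticodeSignature -LiteralPath $pathToExe
    Write-PublishLog "Signature status: $($sig.Status)"

    # Same shortcut as the original script, created only after the checks pass.
    $programs = Join-Path ([Environment]::GetFolderPath('StartMenu')) 'Programs'
    $shell = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut((Join-Path $programs 'Impersonatr 1.0.0.lnk'))
    $shortcut.TargetPath = $pathToExe
    $shortcut.IconLocation = $pathToExe
    $shortcut.Save()
    Write-PublishLog "Shortcut created for $pathToExe ($actual)"
}
catch {
    # Leave a trace instead of failing silently, then signal the failure to the caller.
    Write-PublishLog "Publish failed: $($_.Exception.Message)"
    exit 1
}
```

With `RollbackOnError="false"` as in the User Config above, a non-zero exit does not roll back the package publish; the user simply gets no shortcut and the log shows why.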