Vista Default User.v2 profile and Java 1.6

We are about to engage in a Vista SOE rollout, but have uncovered a problem with our implementation of Java 1.6.4 for the Default User.v2 roaming profile.

We have set up an account just the way we want it on the local PC and copied it to the %server%\netlogon\ share. This server copy of the default user profile was created using the standard Microsoft procedure.

The account used for creating the Default User has been tested with Java and works OK. However, when a new user picks up this profile the following errors are displayed when attempting to access a site that uses Java. Access is denied

The Java console shows that the Java user home is pointing to the expected directory, c:\users\username.

Things we have tried:

If we replace the ntuser.dat file in the Default User.v2 directory with an ntuser.dat from a vanilla install, Java works fine.
It appears that the issue is related to the creation of the c:\users\user\username\appdata\locallow folder. This folder is created at logon for the vanilla ntuser.dat but not for the customised profile.

We have tried uninstalling and reinstalling Java, in fact we first found this problem with Java 1.6.2 and have tried each version up to 1.6.4 but the issue persists. The job of rebuilding the customised profile and testing at each change will be tried as a last resort, but will be a time consuming exercise we would prefer to avoid.

We are using Vista Business edition as the base for our SOE.

Any alternative suggestions?

Try changing the Java Temporary Cache folder to a folder that the user has access to. We use the following VBScript to fix these blasted Java issues in our SOE environment; use the parts you feel necessary.
Option Explicit
On Error Resume Next
Dim objFSO, objEnvironment, objShell
Dim strProfilePath, File
Set objShell = CreateObject("WScript.Shell")
Set objEnvironment = objShell.Environment("Process")
set objFSO = CreateObject("Scripting.FileSystemObject")
strProfilePath = objEnvironment("USERPROFILE")
'Create the security path if it does not exist
CreatePath strProfilePath & "\AppData\LocalLow"
CreatePath strProfilePath & "\AppData\LocalLow\Sun"
CreatePath strProfilePath & "\AppData\LocalLow\Sun\Java"
CreatePath strProfilePath & "\AppData\LocalLow\Sun\Java\Deployment"
CreatePath strProfilePath & "\AppData\LocalLow\Sun\Java\Deployment\Security"
CreatePath strProfilePath & "\AppData\LocalLow\Sun\Java\Deployment\Cache"
'Create the auth.dat file if it does not exist
If not objFSO.FileExists(strProfilePath & "\AppData\LocalLow\Sun\Java\Deployment\Security\auth.dat") Then
	objFSO.CreateTextFile strProfilePath & "\AppData\LocalLow\Sun\Java\Deployment\Security\auth.dat"
End If
'Copy the file if it does not exist
If not objFSO.FileExists(strProfilePath & "\AppData\LocalLow\Sun\Java\Deployment\") Then
	objFSO.CopyFile "D:\BundleCache\QBE_Build_Updates_V1.0_EO\", strProfilePath & "\AppData\LocalLow\Sun\Java\Deployment\"
End If
Sub CreatePath(PathName)
If Not objFSO.FolderExists(PathName) Then objFSO.CreateFolder(PathName)
End Sub

Sorry, I should have said, but the reason for the suggestion above is because Java by default tries to write to the C:\Windows\Temp folder, which no standard user has access to write to. Have fun.

it-services (Author) commented:
Hey Lester

Thanks for your reply. It is good to know that we aren't the only people with this problem.

I've worked out a simpler workaround fix than yours so I wanted to share it with you.

I determined that the problem was that the LocalLow folder wasn't being automatically created. If you manually create the LocalLow folder then the permissions aren't set correctly to allow programs like Java to write to the area.

Reading this website I realised that Java was running in Low Integrity mode and that the LocalLow folder needed to be marked as Low Integrity as well.

Using the icacls command from that article I saw that a properly created LocalLow folder has the following permissions:

C:\Users\marchiba\AppData>icacls LocalLow
LocalLow LIB-STAFF\marchiba:(F)
         Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

A manually created folder doesn't have that bottom permission, and it is this permission that allows Java to write to it.

So to resolve this problem I added the following script to my logon script.
This script creates the LocalLow folder if it doesn't exist and uses the icacls command to set the Low Mandatory Level on the folder. Once this is done Java is able to write to that folder.

That should simplify your script.

'wshShell (WScript.Shell) and objFSO (Scripting.FileSystemObject) are the
'objects already created earlier in the logon script.
Sub ChkLocalLow()
	Dim sUserProfile, sLocalLow
	'Check that the folder %USERPROFILE%\AppData\LocalLow exists and that the correct
	'permissions are set to allow applications to write to this folder.
	sUserProfile = wshShell.ExpandEnvironmentStrings("%USERPROFILE%")
	sLocalLow = sUserProfile & "\AppData\LocalLow"
	If Not objFSO.FolderExists(sLocalLow) Then
		'Folder doesn't exist, so create it.
		objFSO.CreateFolder sLocalLow
	End If
	'Set the permissions on this folder so that its integrity level is low.
	'The path is quoted so that profile paths containing spaces still work;
	'0 hides the console window and True waits for icacls to finish.
	wshShell.Run "icacls.exe """ & sLocalLow & """ /setintegritylevel (CI)(OI)L", 0, True
End Sub
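
Added example, not part of the original thread: a PowerShell version of the check-and-fix described in this post, which reads the icacls output for the Low mandatory label before and after applying it. The function names are hypothetical, and the label match assumes English-language icacls output as quoted above.

```powershell
# Added example; Test-LowIntegrityLabel and Repair-LocalLow are hypothetical names.

# Returns $true when icacls output shows a Low mandatory label that is
# inherited by files (OI) and subfolders (CI). Assumes English icacls output.
function Test-LowIntegrityLabel {
    param([string[]]$IcaclsOutput)
    foreach ($line in $IcaclsOutput) {
        if ($line -match 'Mandatory Label\\Low Mandatory Level:(?<flags>(\([A-Z]+\))+)') {
            $flags = $Matches['flags']
            return ($flags -match '\(OI\)' -and $flags -match '\(CI\)')
        }
    }
    return $false   # no label line at all: folder is at the default level
}

# Creates %USERPROFILE%\AppData\LocalLow if missing, applies the Low label
# only when it is absent, then re-reads the ACL to confirm it took effect.
function Repair-LocalLow {
    param([string]$ProfilePath = $env:USERPROFILE)
    $localLow = Join-Path $ProfilePath 'AppData\LocalLow'
    if (-not (Test-Path -LiteralPath $localLow -PathType Container)) {
        New-Item -ItemType Directory -Path $localLow | Out-Null
    }
    if (Test-LowIntegrityLabel (& icacls.exe $localLow)) { return 'already-low' }
    # PowerShell quotes $localLow for the native command, so spaces are safe.
    & icacls.exe $localLow /setintegritylevel '(CI)(OI)L' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    if (-not (Test-LowIntegrityLabel (& icacls.exe $localLow))) {
        throw "Low integrity label was not applied to $localLow"
    }
    return 'fixed'
}

# Parser check that runs without touching the file system:
# $good is the output quoted in the thread; $bad is a constructed sample
# for a manually created folder that has no mandatory label entry.
$good = @('LocalLow LIB-STAFF\marchiba:(F)',
          '         Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)')
$bad  = @('LocalLow LIB-STAFF\marchiba:(F)')
Test-LowIntegrityLabel $good
Test-LowIntegrityLabel $bad
```

Calling `Repair-LocalLow` from a logon script in the user's own context returns `already-low` on healthy profiles, so it can run at every logon without rewriting the ACL each time.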

it-services (Author) commented:
While I have determined a workaround fix for this problem, I'd still like to know why the LocalLow folder isn't being created automatically, so if any experts can advise me on that problem it would be much appreciated.
PAQed with points refunded (500)

EE Admin
