-
Title
How Validation Logic works and tips for configuration -
Description
How Validation Logic works and tips for configuration.
-
Cause
A good percentage of issues that come up when configuring Desktop Authority can be attributed to a misconfiguration of Validation Logic.
-
Resolution
This document is not expected to replace the “Validation Logic” section in the Administrator Guide, but to supplement and provide more general information as to how Validation Logic works and general practice.
Desktop Authority Administrators Guide
Validation Logic provides the rules setup for your users and computers in Desktop Authority’s Profiles and Elements. Desktop Authority Validation Logic can be very granular and is applied each time that the SLOGIC.BAT script is run for the User Management Profiles.
The process that Desktop Authority goes through in applying these rules, is that the PROFILE LEVEL VALIDATION LOGIC RULE is applied first. The settings applied are in the “Validation Logic” tab, when the PROFILE FOLDER is selected. In the case of multiple PROFILES, all profiles are read and applied in the order that they appear in the Desktop Authority Manager Console ‘Navigation Pane’. The Profile settings, and its Elements and its settings are validated in subsequent order before it reads and applies any following Profiles and elements, until it completes the list.
HOW VALIDATION APPLIES:
If the PROFILE is successfully validated and applied for the user or computer, then it will continue to read through and apply any ELEMENTS configured within the Profile (that the Validation Logic Rules state on the Profile level).
If at the PROFILE LEVEL the validation logic rules DO NOT APPLY then no further reading or validation into the elements of this Profile (or sub-profiles) will continue. This is important to note because if the Profile Level Validation does not apply to a specific user, domain, OU or group, and an element within this profile has validation logic applying to a certain user/group/or computer NOT INCLUDED in the Profile Validation, then the ELEMENT WILL NOT APPLY.
IMPORTANT NOTE: A common misconfiguration is that expected validation logic is applied to the “Default Validation Logic” tab instead of the “Validation Logic” tab. Leaving the “Validation Logic rules” blank (as shown in diagram above). Leaving the “Validation Logic”, “Validation Logic Rules” blank will apply this profile to ALL USERS and COMPUTERS that have the Desktop Authority Client installed (for Computer Management Profiles), and to all users that have the SLOGIC.BAT script (for User Management Profiles) assigned to their ACTIVE DIRECTORY profile!
IMPORTANCE OF DEFAULT SETTINGS:
By default, any new Profiles and Elements will usually have BLANK Validation Logic Rules applied. If LEFT BLANK, your validation at the Profile Level will apply to ALL USERS (slogic.bat applied) and COMPUTERS (with DA Client installed), unless you LIMIT what user, domain, group or OU you want the specific profile to apply to. This will in turn apply any ELEMENTS that are left blank (for Validation Logic Rules) to ALL SLOGIC.BAT users and ALL Computers with the Desktop Authority Client installed.
The exception to this is explained on the “Default Validation Logic” tab settings which specify what rule settings any NEW PROFILES or ELEMENTS will have upon creation of a new profile or element.
OPTIONS for VALIDATION LOGIC (Profile Level):
Within the Validation Logic tab and the “ADD” button is selected, the following GROUP options are available:
Network Membership (shown expanded in diagram below)
Computer Information
Terminal Services
Custom Validation
Timing and Events
Additional Operators such as AND, OR can be used to provide further granularity when describing who, what and when it should apply. (see additional link on “How to use Validation Logic Operators” provided at the end of this document).
Additional options factored in conjunction with the Validation Logic Rules are:
Class – Desktop, Portable, Tablet PC, Embedded, TermServ Client, Member Server, Domain Controller
OS – 7, 8.1, 10, 2008, 2008 R2, 2012, 2012 R2, 2016
Connection Type – LAN, Dial-up
Timing – Logon, Logoff, Refresh
Virtualization - Non-virtual machines, VMware, Microsoft Virtualization, Citrix Xen
Platform - x86, x64
Network Connection - On-Network, Off-Network
All of these groups have individual settings depending on your needs, and are covered in the Administrator’s Guide, or the Help section. You can get to the help section by clicking on the F1 keyboard key in the Desktop Authority Manager Console when you are in a profile or element Validation Logic tab.
Once options are chosen, and the SLOGIC.BAT script is run (based on the Timing of Logon, Refresh or Logoff for User Management profiles), DA applies the logic provided to determine:
WHO/WHAT gets these validation rules applied, WHAT Class of computer will this apply on, on WHAT OS, through WHAT connection type and at WHAT time, when SLOGIC.BAT script runs (generally setup slogic.bat is set in the user’s Active Directory profile). This is for any profiles under the USER MANAGEMENT Profiles listed.
The meaning of the Valued Operators are as follows:
A right arrow (>) indicates greater than
A left arrow (
A right arrow followed by an equal sign (>=) indicates greater than or equal to
A left arrow followed by an equal sign (
A left arrow followed by a right arrow (
An equal sign means that the value matches exactly
*Note: the greater than and less than operators can only be used on numeric data.
APPLICATION OF VALIDATION LOGIC AT THE ELEMENT LEVEL:
Once the PROFILE is applied, the Elements are read through and applied based on the Validation Logic Rule options chosen. Validation logic rules at the element level will need to comply and validate at the above Profile level. This is not always apparent and reviewing the Validation Logic Rules at the above profile level should provide context for the element.
BEST PRACTICE in TROUBLESHOOTING VALIDATION LOGIC ISSUES:
It can be very difficult to identify via the Validation Logic Rules to see who/what is supposed to get this, when you are at a user’s computer and something is not applying. Part of the reasoning is that any Active Directory group, OU, Domain, IP Address, Mac Address, or other validation logic rules that may not be easily apparent in identifying why your settings may not be applying.
The best practice to troubleshoot is to use the SLTRACE.htm for User Management Profiles troubleshooting, and the ComputerManagementTrace_DAY_xx-yy-zz.htm to correctly identify and diagnose any validation problems (with day of the week name and date in xx-yy-zz representing creation of log).
BEFORE YOU CAN TROUBLESHOOT:
User management trace files are turned off by default in DA 8.x, and will need to be enabled. From the Desktop Authority Manager console, go to Global Options | User Management Options | Troubleshooting. In the view pane make sure that there is a checkmark next to “Create a detailed trace file for these specific computers and/or users, and type an asterisk (*) in the box underneath to turn on trace file for all users that run slogic.bat (See diagram below). These trace files are overwritten each time that the user logs on and will not build up locally with these settings.
If troubleshooting a USER MANAGEMENT PROFILE issue:
After enabling trace files, log in to computer and proceed to the users trace log. Go to START | Run command and type %temp%\desktop authority on the CLIENT COMPUTER.
Tips for TESTING - USER MANAGEMENT PROFILE TESTING: When testing if a User Management profile element is applying, you can run the slogic.bat script manually. In most cases this can expedite testing instead of having the user log off and then back on. Go to START | Run and type: %logonserver%\netlogon\slogic.bat
To troubleshoot issues at LOGON (or when manually running slogic.bat), check the SLTrace.htm file
For REFRESH ISSUES check the SLTraceEnforce.htm
For LOGOFF ISSUES check the SLTraceLogoff.htm
Confirmation of your validation logic from the SLTRACE should include these steps:
Step 1 – At the top of the SLTrace.htm, confirm that the correct username, date, and time stamp coincide with that last know logon information.
Step 2 – By clicking on “Client Configuration” (item # 8) or scrolling to this area in the file, confirm that the PROFILE will be processed and validated.
Step 3 – Continue to scroll down or go back to top and click on the ELEMENT that you are testing for.
Step 4 – Under the Element heading, confirm that the Profile and Element states that it validated successfully. In the example below, we are confirming that the Internet Explorer element was processed, that it validated for 1 out of 1 IE Elements, that it is an IE Element in the “New Profile” named Profile, and what some of the settings applied are that I have setup for this element.
Tips for TESTING - COMPUTER MANAGEMENT PROFILE TESTING:
Computer Management trace files are turned on by default and are located in the C:\Windows\Temp\Desktop Authority folder. (%windir%\Temp shortcut). When testing, we recommend that the “Timing” be set for “Startup” instead of “Refresh/Shutdown” or a “Scheduled” event.
Computers in your environment will not receive any changes that are saved and replicated to your environment UNTIL THE NEXT Startup, Refresh, or Shutdown of the Scriptlogic CBM Service or when the computer is restarted.
If the timing is set to “Startup” for testing, you can execute a startup event by going into WINDOWS SERVICES CONSOLE, finding and then restarting the Scriptlogic CBM Service on the target client machines.
If you are troubleshooting a COMPUTER MANAGEMENT PROFILE issue:
After verifying that the Computer Management element is setup for “Startup” and after restarting the Scriptlogic CBM Service, you can go to the C:\Windows\temp\Desktop Authority folder, grab the latest ComputerManagementTrace_day_xx-yy-zz.htm file and verify that the element validated correctly.
If you had just restarted the Scriptlogic CBM Service, you can go to the end of the ComputerTrace file where it will note the time and identify a STARTUP EVENT. Upon expansion of the “Event at Startup Event” it should provide any Computer Management machine specific information and listing of any Computer Management Elements that were validated.
These can be expanded to provide additional information on the element that validated. Example shown below is of the Patch Management Element that validated.
Additional Information
