You can control access to applications using Active Directory
Groups. At build time, Thinstall converts AD Group names into
SID values. A SID is a small binary value that uniquely identifies an
object, similar to a GUID. SIDs are not unique for a few special
groups like Administrator. Because SID values are stored in
packages for later validation, this has several
consequences:
1. You must be connected to your AD domain during build and the
Groups you specified must exist. Thinstall will look up the SID
value during build.
2. If you delete a group and recreate it, the SID may change so you
will need to rebuild the package in order to authenticate against
the "new" group.
3. When users go offline, they can authenticate using cached
credentials. Assuming a user can log into their laptop, Thinstall
AD authentication will still work. You can control the period of
time cached credentials are valid using Group Policy.
4. Cached credentials may not refresh on clients until the next AD
refresh cycle. You can force a Group Policy refresh on a client using the
command "gpupdate". Sometimes the user may need to log off before
AD credentials are recached.
5. Special groups like Administrators and Everyone have the same
SID on every Active Directory domain and Workgroup. Other groups
you create will have a domain-specific SID, meaning a user cannot
create their own local group with the same name to bypass
authentication.
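The SID behaviour in points 2 and 5, as an added example (not Thinstall code): it decodes the binary SID layout and shows why a same-named group from another machine or a recreated group does not match the SID stored at build time. All SID values are constructed, and `is_permitted` is an assumed, simplified model of the stored-SID check.

```python
import struct

# Well-known SIDs that are identical on every domain and workgroup.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators"}

def sid_to_bytes(sid):
    """Encode an 'S-1-...' string into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    # revision, sub-authority count, 6-byte big-endian authority,
    # then each sub-authority as a little-endian 32-bit integer
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_from_bytes(raw):
    """Decode a binary SID, rejecting truncated or malformed input."""
    if len(raw) < 8:
        raise ValueError("truncated SID")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def classify(sid):
    """Separate the shared well-known SIDs from domain- or machine-issued ones."""
    if sid in WELL_KNOWN:
        return "well-known"
    if sid.startswith("S-1-5-21-"):
        return "domain-specific"
    return "other"

def is_permitted(user_group_sids, package_sids):
    """Assumed model: allow if any of the user's group SIDs is stored in the package."""
    return bool(set(user_group_sids) & set(package_sids))

# Constructed values: the domain group resolved at build time, a local group
# with the same name on another machine, and the group after delete/recreate.
DOMAIN_APP1USERS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
LOCAL_APP1USERS = "S-1-5-21-4444444444-5555555555-6666666666-1001"
RECREATED_APP1USERS = "S-1-5-21-1111111111-2222222222-3333333333-1187"
PACKAGE_SIDS = [sid_from_bytes(sid_to_bytes(DOMAIN_APP1USERS))]
```

The recreated group keeps the domain prefix but gets a new trailing RID, which is why the package has to be rebuilt.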
In this example, App1 and App2 will both inherit PermittedGroups
from "BuildOptions".
------------------------------------------------------------------------
[App1.exe]
PermittedGroups=App1Users
AccessDeniedMsg=Sorry, you can't run this application
..
[App2.exe]
...
...
In this example, App1Users will be allowed to use App1.exe and
Everyone will be allowed to use App2.exe.
The default message for denied users is also changed for App1.
------------------------------------------------------------------------