Split Jobs by Permission Scope
Create separate application definitions for machine-level and user-level data. Run them as independent scheduled tasks or scripts with the appropriate execution context. This separation ensures environment variables resolve correctly and permissions match the target data.
Application Definition Design
Split your application definitions into two sets based on which registry hives and file paths they target:
| Definition Set | Contains | Example Names |
|---|---|---|
| Machine definitions | HKLM registry keys, %ProgramData% files, %ProgramFiles% config files, shared configuration | Firefox-Machine, Office-Machine, Citrix-Machine |
| User definitions | HKCU registry keys, %APPDATA% files, %LOCALAPPDATA% files, %USERPROFILE% documents | Firefox-User, Office-User, Chrome-User |
Naming convention: Use a consistent suffix (-Machine, -User) so the split is immediately visible in logs, reports, and CLI commands.
Export Job 1 — Machine-Level Backup
Runs as SYSTEM via Scheduled Task. Captures HKLM keys, ProgramData, and shared configuration. Runs nightly when no user interaction is needed.
:: Scheduled Task: "APS Export Machine"
:: Trigger: Daily 02:00
:: Run as: SYSTEM
:: Run whether user is logged on or not: Yes
AppProfileSafe.CLI.exe --export ^
--manifestFile "\\server\backups\%COMPUTERNAME%\Machine\Manifest.xml" ^
--apps "Firefox-Machine,Office-Machine,Citrix-Machine" ^
--unc-credential-store --silentModeExport Job 2 — User-Level Backup
Runs in the user's session at logon. Captures HKCU keys and user profile files. Environment variables resolve to the correct user paths.
:: Scheduled Task: "APS Export User"
:: Trigger: At logon
:: Run as: logged-in user (elevated via "Run with highest privileges")
:: Delay: 120 seconds (allow logon scripts and first-launch routines to complete)
timeout /t 120 /nobreak > nul
AppProfileSafe.CLI.exe --export ^
--manifestFile "\\server\backups\%COMPUTERNAME%\%USERNAME%\Manifest.xml" ^
--apps "Firefox-User,Office-User,Chrome-User" ^
--unc-credential-store --silentModeWhy the delay? Some applications write initial configuration during logon. Exporting too early may capture an incomplete or transitional state. A 2-minute delay allows most logon-triggered processes to complete.
Resulting Folder Structure on the Share
\\server\backups\
WS-PC042\
Machine\
Manifest.xml ← machine-level backup
Manifest\ ← exported registry and files
jdoe\
Manifest.xml ← user-level backup (jdoe)
Manifest\
msmith\
Manifest.xml ← user-level backup (msmith)
Manifest\This structure supports multiple users per machine and makes it clear which backup belongs to which scope.
UNC Share Permissions
| Principal | Required Permission | Path |
|---|---|---|
SYSTEM (COMPUTERNAME$) | Read/Write | \\server\backups\%COMPUTERNAME%\Machine\ |
| Logged-in user or service account | Read/Write | \\server\backups\%COMPUTERNAME%\%USERNAME%\ |
| Import service account (restore operations) | Read | All backup folders |
For SYSTEM access to UNC shares, store credentials under the machine's computer account or use a dedicated service account. See Working with UNC Paths for cmdkey setup.
Timing Considerations
| Concern | Recommendation |
|---|---|
| Machine export while no user is logged in | Expected behavior. Machine definitions only reference machine-level paths — no user paths needed. |
| User export timing | Add a 60–120 second delay after logon to let applications finish initialization. |
| Applications writing during export | AppProfileSafe reads files and registry atomically per entry. For maximum consistency, schedule machine exports at night. |
| Concurrent GUI and CLI | Only one instance can run at a time (global mutex). If the GUI is open, the CLI exits with code 2. Schedule exports when interactive use is unlikely. |
| Multiple user logons (shared machines) | Each user's export writes to %USERNAME%\ — no conflicts. The machine export runs once regardless of which user is logged in. |
Monitoring and Error Handling
Wrap the CLI call in error checking to detect and alert on failures:
AppProfileSafe.CLI.exe --export ^
--manifestFile "\\server\backups\%COMPUTERNAME%\Machine\Manifest.xml" ^
--apps "Firefox-Machine,Office-Machine" ^
--unc-credential-store --silentMode
if %ERRORLEVEL% NEQ 0 (
eventcreate /T ERROR /ID 1001 /L Application /SO "AppProfileSafe" ^
/D "Machine export failed with exit code %ERRORLEVEL%"
)Exit codes are documented in Exit Codes. For SIEM-integrated environments, failed exports also generate events through the Event Pipeline.
See Also
- Understanding Execution Contexts — Why the split is necessary
- Restore: Fresh Client Build — How to use these backups for a full restore
- Export via CLI — CLI export syntax and parameters
- Working with UNC Paths — Credential setup for scheduled tasks
- Silent Mode Behavior — Unattended operation
- Backup & Retention Strategy — Managing backup data over time