Monday, September 17, 2012

Windows 8 Delete Confirmation

When you delete a file on Windows 8, it goes to the Recycle Bin without a confirmation box.

If you want the confirmation box back, right-click the Recycle Bin and select Properties.

Select the option Display delete confirmation dialog.

And the confirmation dialog is back.

Tuesday, August 28, 2012

Citrix pass-through and NTLM

When using Citrix pass-through on the web interface with Kerberos authentication, everything seems to work very well at first.
But then you might discover that some of your applications running on the XenApp server depend on NTLM for authentication.
This is where the fun part starts: how do you disable Kerberos only for the applications started from the XenApp server?
What worked for us in the lab was to edit the local file c:\Program Files (x86)\Citrix\ICA Client\WFClient.ini and change the line SSPIEnabled=On to SSPIEnabled=Off.
This will disable Kerberos and allow NTLM to work on the applications.
This requires no change to your Citrix client GPO settings and no change to the configuration on the web interface.
The change to the WFClient.ini file can be pushed out by a GPP (Group Policy Preference).
It looks like the logon at the web interface is then still using Kerberos and NTLM is used from there on, but this still has to be investigated further, and maybe someone out there can shed some light on the subject?
This has been tested on the Receiver version 3.2 and 3.3 against XenApp 6.5 Rollup 1 and web interface 5.4.
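
The WFClient.ini change described above, as a PowerShell function that reports the current SSPIEnabled value and only rewrites the file when it differs. This is an added example, not part of the original post; the function name Set-ReceiverSspi and the .bak backup file are assumptions made here.

```powershell
# Added example: check or change SSPIEnabled in the Receiver's WFClient.ini.
# Set-ReceiverSspi is a name made up for this example.
function Set-ReceiverSspi {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('On', 'Off')]
        [string]$State = 'Off',
        [string]$Path = (Join-Path ${env:ProgramFiles(x86)} 'Citrix\ICA Client\WFClient.ini')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "WFClient.ini not found at $Path"
    }

    $lines = @(Get-Content -LiteralPath $Path)
    $hits  = @($lines | Select-String -Pattern '^\s*SSPIEnabled\s*=\s*(\S+)')

    # The post changes an existing line, so a missing line is reported
    # instead of guessing where a new one belongs.
    if ($hits.Count -eq 0) {
        throw "No SSPIEnabled line found in $Path"
    }

    $current = $hits[0].Matches[0].Groups[1].Value
    if ($current -eq $State) {
        return "unchanged: SSPIEnabled=$current"
    }

    if ($PSCmdlet.ShouldProcess($Path, "SSPIEnabled=$current -> SSPIEnabled=$State")) {
        # Keep a copy so the Kerberos setting can be restored quickly.
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        $lines -replace '^(\s*SSPIEnabled\s*=\s*)\S+', "`${1}$State" |
            Set-Content -LiteralPath $Path -Encoding Default
        return "changed: SSPIEnabled=$current -> SSPIEnabled=$State"
    }
}

# Dry run: shows what would change without touching the file.
Set-ReceiverSspi -State Off -WhatIf
```

Run it without -WhatIf from an elevated prompt to apply the change; -State On reverts to Kerberos.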

Wednesday, August 22, 2012

Compressing Windows 2003 Profiles

After cleaning yet another Windows 2003 terminal server of excessive registry entries in the users’ HKCU caused by the HP Universal Printer Driver, we noticed that the ntuser.dat file in their roaming profile was still very large, up to 20 MB.

The reason is that even though we deleted all the registry entries we didn’t need, this just left a lot of blank space in the ntuser.dat file, so we needed a way to compress the file.

One tool I personally didn’t know about is the Windows 2003 tool called cProfile. With cProfile we were able to compress all users’ ntuser.dat files in their roaming profiles, so that many of them dropped from 20 MB to less than 1 MB.

cProfile information can be found here: cProfile

System Center Configuration Manager 2012 Cumulative Update 1 (CU1)

After installing the CU1 update, the site version will not change, so to check whether the update has been installed you can look at the installed updates in Control Panel or at the version of one of the updated DLL files.

The version of the updated DLL files will be 5.00.7711.200. You can see a list of updated files in the hotfix KB2717295.

This is also the case after updating the console: no version will change, so again look in Control Panel or check an updated DLL.

Remote desktop prompting for credentials

This is actually a very old tip, but I tend to forget the keyword myself, so now I will know where to look the next time I need it.

Newer versions of the Remote Desktop protocol require you to enter credentials before the client can establish a connection to the server.

This is normally not a big problem, but it can be in some circumstances, e.g. when you are required to change your password.

To jump directly to the server logon screen and be able to change your password, change your default.rdp file or the specific rdp file you are using.

This file is in your Documents folder and is typically hidden. Add the line

enablecredsspsupport:i:0

to the file and you will go directly to the server logon page the next time you connect.

Monday, August 13, 2012

Lync schema version

Just like Exchange we are able to check our Lync schema version with adsiedit.msc.

Connect to the Schema context:

Expand the nodes and drill down to the name ms-RTC-SIP-SchemaVersion.

Right-click ms-RTC-SIP-SchemaVersion and select Properties.

Now find the attribute rangeUpper.

The possible rangeUpper values are listed in this table (so this example is taken from a Lync 2010 installation):

Version                                  rangeUpper value
Live Communications Server 2005          1006
Office Communications Server 2007 R1     1007
Office Communications Server 2007 R1     1008
Lync Server 2010                         1100
Lync Server 2013                         1150

Thursday, July 26, 2012

Windows Installer coordinator hangs

You might experience this when you install MSI packages on your RDS/Terminal and XenApp servers.

The installation will hang and display the message:

Please wait while the application is preparing for the first use

I have seen this with the following software packages:
  • Google Chrome (Enterprise)
  • IBM i Access

One way to avoid this issue is to create and set the following dword value to 0:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\TSMSI\Enable

During deployment with MDT 2012 or SCCM 2012 one way to do this is to add it in your task sequence:

image

You can find more information in this link

http://support.microsoft.com/kb/2655192

Saturday, July 21, 2012

Exchange Schema Version

After you have updated the schema with the Exchange 2010 changes (RTM or service packs), you can check the current version with adsiedit.msc.

First connect to the Schema:

image

Expand the nodes and drill down to the name CN=ms-Exch-Schema-Version-Pt.

Right click on CN=ms-Exch-Schema-Version-Pt and select Properties.

Now find the attribute rangeUpper.

The possible rangeUpper values are listed in this table (so this example is taken from an Exchange 2010 SP1 installation):

Exchange Version       rangeUpper value
Exchange 2000 RTM      4397
Exchange 2000 SP3      4406
Exchange 2003 RTM      6870
Exchange 2003 SP1      6870
Exchange 2003 SP2      6870
Exchange 2007 RTM      10637
Exchange 2007 SP1      11116
Exchange 2007 SP2      14622
Exchange 2007 SP3      14625
Exchange 2010 RTM      14622
Exchange 2010 SP1      14726
Exchange 2010 SP2      14732
Exchange 2010 SP3      14734
Exchange 2013 RTM      15137
Exchange 2013 CU1      15254
Exchange 2013 CU2      15281
Exchange 2013 CU3      15283
Exchange 2013 CU4      15292
Exchange 2013 CU5      15300
Exchange 2013 CU6      15303
Exchange 2013 CU7      15312
Exchange 2013 CU8      15312
Exchange 2013 CU9      15312
Exchange 2013 CU10     15312
Exchange 2013 CU11     15312
Exchange 2016 RTM      15317

You will also be able to use DSQuery as shown here:

dsquery * CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=xx,DC=xx -scope base -attr rangeUpper

And PowerShell:

Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,CN=schema,CN=configuration,DC=xx,DC=xx" -properties rangeUpper
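
The rangeUpper lookups from this post and from the Lync schema version post above, combined into one query that also translates the value using the page's two tables. This is an added example, not part of the original posts; the names $SchemaTables and Get-ProductSchemaVersion are made up here, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# rangeUpper values copied from the two tables on this page.
# Releases that share a value are listed together, because the
# schema version alone cannot tell them apart.
$SchemaTables = @{
    'ms-Exch-Schema-Version-Pt' = @{
        4397  = 'Exchange 2000 RTM';  4406  = 'Exchange 2000 SP3'
        6870  = 'Exchange 2003 RTM, SP1 or SP2'
        10637 = 'Exchange 2007 RTM';  11116 = 'Exchange 2007 SP1'
        14622 = 'Exchange 2007 SP2 or Exchange 2010 RTM'
        14625 = 'Exchange 2007 SP3';  14726 = 'Exchange 2010 SP1'
        14732 = 'Exchange 2010 SP2';  14734 = 'Exchange 2010 SP3'
        15137 = 'Exchange 2013 RTM';  15254 = 'Exchange 2013 CU1'
        15281 = 'Exchange 2013 CU2';  15283 = 'Exchange 2013 CU3'
        15292 = 'Exchange 2013 CU4';  15300 = 'Exchange 2013 CU5'
        15303 = 'Exchange 2013 CU6';  15312 = 'Exchange 2013 CU7 to CU11'
        15317 = 'Exchange 2016 RTM'
    }
    'ms-RTC-SIP-SchemaVersion' = @{
        1006 = 'Live Communications Server 2005'
        1007 = 'Office Communications Server 2007 R1'
        1008 = 'Office Communications Server 2007 R1'
        1100 = 'Lync Server 2010';  1150 = 'Lync Server 2013'
    }
}

function Get-ProductSchemaVersion {
    # The schema DN comes from RootDSE, so no DC=xx,DC=xx has to be typed in.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $SchemaTables.Keys) {
        $obj = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
                   -Filter "Name -eq '$name'" -Properties rangeUpper
        if (-not $obj) {
            # The schema was never extended for this product.
            [pscustomobject]@{ Object = $name; RangeUpper = $null; Version = 'not present' }
            continue
        }
        $value = [int]$obj.rangeUpper
        $label = $SchemaTables[$name][$value]
        if (-not $label) { $label = 'not in the table above' }
        [pscustomobject]@{ Object = $name; RangeUpper = $value; Version = $label }
    }
}

Get-ProductSchemaVersion | Format-Table -AutoSize
```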


Thursday, July 12, 2012

KMS caching

By default a KMS client will cache the KMS host that it was able to activate with and will communicate directly with this host when it is time to reactivate (instead of querying DNS). If the client cannot contact the cached KMS host, discovery with DNS will be used.

You are able to disable the caching with the following command:

slmgr /ckhc (or cscript c:\windows\system32\slmgr.vbs /ckhc)

To enable caching again use the command:

slmgr /skhc (or cscript c:\windows\system32\slmgr.vbs /skhc)

You can verify if caching is active with the command:

slmgr /dli (or cscript c:\windows\system32\slmgr.vbs /dli)

Office 2010 will also cache the KMS server used, but in order to disable this you will need to set a registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform]
"DisableKeyManagementServiceHostCaching"=dword:00000001

Wednesday, July 11, 2012

Disable Internet Explorer Enhanced Security Configuration in unattend.xml

When deploying XenApp and RDS servers from MDT 2012 or SCCM 2012, you will probably want to disable Internet Explorer Enhanced Security Configuration. If this feature is not disabled, users will see prompts like this:

Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration.

Tuesday, July 3, 2012

.NET Authenticode signature revocation list checking for MMC is currently enabled.

When deploying XenApp you will see this prompt the first time you start Citrix AppCenter.

To get rid of the prompt, you can also deploy the file mmc.exe.config to the C:\windows\SysWOW64 folder during the automated deployment.

Place the following text inside the file:

image

You can find more information in this link http://support.citrix.com/article/CTX120115

Friday, June 29, 2012

APP-V 5.0 ADMX file

Just as UE-V has an ADMX file for Group Policies, the new APP-V 5 beta delivers an ADMX file for APP-V settings.

You can find the ADMX and ADML files after installing the sequencer:

image

Copy the files to your policy central store and you will be able to set various settings for the APP-V client.

You can find the settings under Computer Configuration\Policies\Administrative Templates\System\App-V

Thursday, June 28, 2012

Xenapp Flash player prompt

You might see this prompt on your Citrix clients when they browse to an internet web page with Flash content.

Do you want to optimize content designed for Flash, such as videos, animation, and applications?

If you would like to disable Flash redirection and also skip the prompt, you can use these Citrix policies.

Flash content will then always be rendered on the server. Please also note that this is a user setting, so if the policy is applied to the XenApp servers OU, loopback processing mode must be enabled.

image

An online application is attempting to access files on your computer.

Your Citrix XenApp 6.5 Windows clients might see this prompt when connecting to a local drive.

One way to get rid of the prompt so that users do not have to answer the question is to add your web interface to the trusted web site zone.

To do this for all your clients, use the GPO setting Site to Zone Assignment List:

image

Then add the address of the web interface and assign the value 2 (trusted zone).

Microsoft User Experience Virtualization Settings Storage Path

Microsoft User Experience Virtualization includes an ADMX file for Group Policy settings.
When setting the storage path you are able to use the variables %USERNAME% and %COMPUTERNAME%.

Tuesday, June 26, 2012

Windows Installer coordinator hangs

You might experience this when you install MSI packages on your RDS/Terminal and XenApp servers.

The installation will hang and display the message:

Please wait while the application is preparing for the first use

I have seen this with the following software packages:
  • Google Chrome (Enterprise)
  • IBM i Access

One way to avoid this issue is to create and set the following dword value to 0:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\TSMSI\Enable

During deployment with MDT 2012 or SCCM 2012 one way to do this is to add it in your task sequence:

image

You can find more information in this link

http://support.microsoft.com/kb/2655192

Monday, June 18, 2012

Advanced Group Policy management and Service Account rights

I recently wrote that the Group Policy Management Console Sample Scripts could be used to grant the AGPM service account rights to all existing GPOs.

Another way to do this, if you're running Windows 2008 R2, is to use the Group Policy cmdlets in Windows PowerShell.

First you must import the Group Policy module with the command import-module grouppolicy

Then you will be able to use the cmdlet to grant the service account access. In this example the security group AGPM-Service will be granted full access.

Set-GPPermissions -All -TargetName "AGPM-Service" -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity

We will achieve the same as we did with the old scripts, but now with PowerShell.

For a complete list of Group policy cmdlets see Group Policy Cmdlets in Windows PowerShell.

Wednesday, June 13, 2012

APP-V 5.0 Beta: The operation failed as the management server was not found

When playing around with the APP-V 5.0 Beta I ran into this error when starting the management console:

The operation failed as the management server was not found. Please ensure it is properly installed.

For me the solution was to register ASP.NET 4.0 (both 32 bit and 64 bit)

  • 32-bit registration: c:\windows\microsoft.net\framework\v4.0.30319\aspnet_regiis.exe -ir
  • 64-bit registration: c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_regiis.exe -ir

After the registration the console runs as expected.

Monday, June 11, 2012

Advanced Group Policy Management

When working with Advanced Group Policy Management and using a service account, you need to give the service account rights to all existing GPOs if you want to have them controlled by AGPM.

To do this easily you can download the Group Policy Management Console Sample Scripts.

Once downloaded and installed you can use the script GrantPermissionOnAllGPOs.wsf.

In order to grant the service account (AGPM\svc-agpm) FullEdit access to all existing GPOs you can use the command:

cscript "c:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts\GrantPermissionOnAllGPOs.wsf" "AGPM\svc-agpm" /Permission:FullEdit

It is just not fun doing this on every GPO with the GUI.

Monday, May 21, 2012

WMI error 0x80041003 in event log

Another error that has shown up lately is this error:

Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

It is logged with event ID 10.

This error is very annoying, but it can easily be removed by running a VBS script provided by Microsoft. To fix it, go to this support case:

Event ID 10 is logged in the Application log after you install Service Pack 1 on Windows Server 2008 R2

Thursday, May 17, 2012

The WinRM service failed to create the following SPNs

I am starting to see this error on many newly created Windows 2008 R2 SP1 domain controllers:

The WinRM service failed to create the following SPNs

The event ID is 10154.

The solution is to find the domain controller in Active Directory Users and Computers.

Select Advanced Features, then right-click the DC with the error and select Properties.

Select the Security tab and click the Advanced button.

Select Add and enter the name NETWORK SERVICE.

Select OK.

Change Apply to so that This object only is selected, and allow the Validated write to service principal name right.

Now use the OK button all the way back.

The last thing we need to do is restart the Windows Remote Management service, and the error is no longer shown in the event log.