Thursday, November 8, 2012

How to: Apply Active Directory Group Policy to Citrix XenApp servers


This may seem straightforward, but it's taken some time to get this to work like a charm.

Scenario:

XenApp (XA) 6.x farm with multiple servers. You have settings that need to be applied to the servers as well as settings for Users.

This is how I configured it. I came to this conclusion because Group Policy wasn't applying the correct Intranet Zone sites in Internet Explorer (although the same settings worked flawlessly on their desktop).

1. Create an OU containing XA servers only and move all the servers into it.

XenApp computer object location

my.company.com
  |
  +-- Computer Accounts
        |
        +-- XenApp
              |
              |- XENAPP01
              |- XENAPP02
              |- XENAPP03

Therefore: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com

User account object location

Create or use an existing group containing your users.

my.company.com
  |
  +-- User Accounts
        |
        +-- Location
              |
              |- USER1
              |- USER2
              |- USER3

2. Create an AD group, e.g. 'All XenApp Servers', containing all your XA servers. This is important to allow the computer configuration settings to apply to the servers.

3. Three group policies are required.

   A. Name: Policy XenApp Loopback
      Purpose: Invokes loopback processing
      Settings: Computer Configuration > Policies > Administrative Templates > System > Group Policy
          Policy: User Group Policy loopback processing mode
          Mode: Replace
      GPO Status: User Configuration settings disabled
      Link Order: 3 (applied first)

   B. Name: Policy XenApp Server Configuration
      Purpose: Contains the computer configuration settings that apply to all your XA servers
      Settings: Computer Configuration > as required
      GPO Status: User Configuration settings disabled
      Links: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com
      Security Filtering: All XenApp Servers
      Link Order: 2 (applied second)

   C. Name: Policy XenApp User Configuration
      Purpose: Contains the user configuration settings that apply to all your XA users
      Settings: User Configuration > as required
      GPO Status: Computer Configuration settings disabled
      Links: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com
      Security Filtering: 'All XenApp Users' or Authenticated Users
      Link Order: 1 (applied last)
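The same design, built and then verified with the RSAT GroupPolicy and ActiveDirectory modules. This is an added example, not part of the original post: the OU distinguished name, group names, GPO names, statuses and link orders are the post's; the function names, the loopback registry value (UserPolicyMode = 2 for Replace) and the permission handling are mine. The script also keeps Read for Authenticated Users on the filtered GPOs, which is required since MS16-072 because user policy is now retrieved in the computer's security context.

```powershell
# Added example (not from the post): provision and verify the three GPOs it
# describes. Requires the RSAT GroupPolicy and ActiveDirectory modules and an
# account that may create and link GPOs in the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$XenAppOU    = 'OU=XenApp,OU=Computer Accounts,DC=my,DC=company,DC=com'   # from the post
$ServerGroup = 'All XenApp Servers'                                       # from the post
$UserGroup   = 'All XenApp Users'                                         # from the post

# The three GPOs, their status and link order (the highest order is processed first).
$Policies = @(
    @{ Name = 'Policy XenApp Loopback';             Status = 'UserSettingsDisabled';     Order = 3; Filter = $null }
    @{ Name = 'Policy XenApp Server Configuration'; Status = 'UserSettingsDisabled';     Order = 2; Filter = $ServerGroup }
    @{ Name = 'Policy XenApp User Configuration';   Status = 'ComputerSettingsDisabled'; Order = 1; Filter = $UserGroup }
)

function Sync-XenAppServerGroup {
    # Step 2 of the post: a group holding every computer account in the XenApp OU.
    try   { Get-ADGroup -Identity $ServerGroup -ErrorAction Stop | Out-Null }
    catch { New-ADGroup -Name $ServerGroup -GroupScope Global -GroupCategory Security -Path $XenAppOU }
    $servers = Get-ADComputer -SearchBase $XenAppOU -Filter *
    if ($servers) { Add-ADGroupMember -Identity $ServerGroup -Members $servers }
}

function Set-XenAppGpo {
    param([hashtable]$Policy)
    $gpo = Get-GPO -Name $Policy.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Policy.Name }
    $gpo.GpoStatus = $Policy.Status        # the Gpo object writes this straight back to AD

    # Link to the XenApp OU, or correct the order of an existing link.
    $existing = (Get-GPInheritance -Target $XenAppOU).GpoLinks |
                Where-Object { $_.DisplayName -eq $Policy.Name }
    if ($existing) { Set-GPLink -Name $Policy.Name -Target $XenAppOU -LinkEnabled Yes -Order $Policy.Order | Out-Null }
    else           { New-GPLink -Name $Policy.Name -Target $XenAppOU -LinkEnabled Yes -Order $Policy.Order | Out-Null }

    if ($Policy.Filter) {
        # Security filtering: the group gets Apply, Authenticated Users is reduced to Read.
        # Read must stay: since MS16-072 user policy is read in the computer's context, so the
        # XenApp computer accounts need Read on the user-side GPO as well.
        Set-GPPermission -Name $Policy.Name -TargetName $Policy.Filter -TargetType Group -PermissionLevel GpoApply | Out-Null
        Set-GPPermission -Name $Policy.Name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    }
}

function Enable-XenAppLoopback {
    # Policy A: "User Group Policy loopback processing mode" = Replace.
    # The policy is stored as UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System (2 = Replace, 1 = Merge).
    Set-GPRegistryValue -Name 'Policy XenApp Loopback' `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
}

function Test-XenAppGpoSetup {
    # One row per GPO, so drift from the post's design is visible at a glance.
    $links = (Get-GPInheritance -Target $XenAppOU).GpoLinks
    foreach ($p in $Policies) {
        $gpo  = Get-GPO -Name $p.Name -ErrorAction SilentlyContinue
        $link = $links | Where-Object { $_.DisplayName -eq $p.Name }
        $applyTo = @()
        if ($gpo) {
            foreach ($perm in (Get-GPPermission -Name $p.Name -All)) {
                if ($perm.Permission -eq 'GpoApply') { $applyTo += $perm.Trustee.Name }
            }
        }
        New-Object PSObject -Property @{
            Name        = $p.Name
            Exists      = [bool]$gpo
            StatusOK    = ($gpo.GpoStatus -eq $p.Status)
            LinkOrderOK = ($link.Order -eq $p.Order)
            AppliesTo   = ($applyTo -join ', ')
        }
    }
    $lb = Get-GPRegistryValue -Name 'Policy XenApp Loopback' -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                              -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ Name = 'Loopback mode'; Exists = [bool]$lb; StatusOK = ($lb.Value -eq 2); LinkOrderOK = $null; AppliesTo = 'UserPolicyMode=2 (Replace)' }
}

Sync-XenAppServerGroup
foreach ($p in $Policies) { Set-XenAppGpo -Policy $p }
Enable-XenAppLoopback
Test-XenAppGpoSetup | Format-Table Name, Exists, StatusOK, LinkOrderOK, AppliesTo -AutoSize
```

Run Test-XenAppGpoSetup on its own after any GPMC change to confirm the three link orders, the two disabled halves and the security filtering still match; on a XenApp server, gpresult /r shows whether the user settings were applied through loopback.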


That's it.

:)

JJ

Tuesday, August 14, 2012

Administering the ActiveX Installer Service in Windows 7

The link below contains details on configuring the ActiveX Installer Service to silently and automatically install ActiveX controls on Windows 7 PCs.

Reference:

http://technet.microsoft.com/en-us/library/dd631688(v=ws.10)



Sunday, July 1, 2012

AnyConnect removes "Connections" tab from IE Settings


Overview:
If enabled in policy, AnyConnect disables the Connections tab and re-enables it on a graceful disconnect of the VPN client. The trouble arises when a user abruptly closes the AnyConnect VPN client: the "Connections" tab is left hidden, and subsequent connects/disconnects of the VPN client do not restore it.

Solution:
Delete the ConnectionsTab registry value shown below (in .reg syntax):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000001
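The same fix as an idempotent, -WhatIf-capable PowerShell function. This is an added example, not Cisco's code or the original post's: the key and value name are the post's; the function name and the check for a running AnyConnect UI (assumed process name vpnui) are mine.

```powershell
# Added example (not from the post): remove the ConnectionsTab lock a crashed
# AnyConnect session leaves behind, but only when it is actually stale.
function Repair-IEConnectionsTab {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'   # from the post
    $name = 'ConnectionsTab'                                                        # from the post

    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Verbose 'ConnectionsTab is not set; nothing to do.'
        return $false
    }

    # If the AnyConnect UI is still running the value may be legitimately in place;
    # let the client clear it on a graceful disconnect instead. (vpnui is an assumed process name.)
    if (Get-Process -Name vpnui -ErrorAction SilentlyContinue) {
        Write-Warning 'AnyConnect appears to be running; disconnect it gracefully before removing the value.'
        return $false
    }

    # The value lives under \Policies, so if a GPO also sets it, Group Policy will
    # put it back on the next refresh and the GPO is where it must be fixed.
    if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
        Remove-ItemProperty -Path $key -Name $name
        return $true
    }
    return $false
}

Repair-IEConnectionsTab -Verbose
```

Run it with -WhatIf first to see what would be removed; it must run elevated because the value is under HKLM.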

Thursday, March 8, 2012

HOWTO: Generate and import an SSL certificate on VMware View Connection Server


To generate and import an SSL certificate on the View Connection Server:

Notes:
  • Certificates are required only for client-facing systems, such as Standard, Replica, or Security servers.
  • Information appearing within <angle brackets> represents variable information. Do not include the brackets when typing commands.

  1. Add keytool to the system path:
    1. On your View Connection Server or Security Server host, right-click My Computer and click Properties.
    2. Click the Advanced tab.
    3. Click Environment Variables.
    4. In the System variables group, select Path and click Edit.
    5. Type the path to the JRE directory in the Variable Value text box. For example, <install_directory>\VMware\VMware View\Server\jre\bin.

      Note: Use a semicolon (;) to separate each entry from the other entries in the text box.
  2. Generate a keystore and certificate:
    1. Open a command prompt and run this command using keytool to generate a keystore file:

         keytool -genkey -keyalg "RSA" -keystore <keystore_file> -storetype pkcs12 -validity 360

       To generate a 2048-bit key, run this command instead:

         keytool -genkey -keyalg "RSA" -keystore <keystore_file> -storetype pkcs12 -validity 360 -keysize 2048
    2. When keytool prompts you for the first and last name, type the fully qualified domain name (FQDN) that the client computers use to connect to the host.
    3. Enter all other information to complete the keystore file.
    4. After keytool creates the keystore file in the current directory, back up the file.
  3. Obtain a signed certificate from a CA:
    1. Open a command prompt and run this command using keytool to create a CSR:

         keytool -certreq -keyalg "RSA" -file <csr_file> -keystore <keystore_file> -storetype pkcs12 -storepass <keystore_password>

      Notes:
      • keytool creates the CSR file in the current directory.
      • The keystore password must be at least 6 characters and cannot be left blank.
    2. Send the CSR to the CA according to the CA's enrollment process and request a certificate in PKCS#7 format.

      Some CAs provide certificates only in PKCS#12 format. If you download a certificate in PKCS#12 format, you must convert it to PKCS#7 format. Some vendors ask for a type rather than a file type; in that case request a Tomcat certificate.

      To convert a PKCS#12 certificate to PKCS#7 format:
      1. Open the certificate file in Internet Explorer.

        Note: Verify that the certificate chain is complete, including root and intermediate certificates.
      2. On the Details tab, click Copy to File. The Certificate Export wizard appears.
      3. Specify PKCS#7 format, include all certificates in the certification path, and then click Next.
      4. Specify a filename and click Next.
      5. Click Finish to export the file in PKCS#7 format. The file is saved with a .P7B extension.
  4. Import the signed certificate into the keystore file.

    To import the signed certificate into the keystore file, open a command prompt and run this command using keytool:

      keytool -import -keystore <keystore_file> -storetype pkcs12 -storepass <keystore_password> -keyalg "RSA" -trustcacerts -file <certificate_file>

    Note: The storepass must be the same password that was used to generate the CSR in step 3.
  5. Configure the View Security Server to use the new certificate:
    1. Copy the keystore file that contains your certificate to the SSL gateway configuration directory on the View Connection Server or Security Server host. For example, <install_directory>\VMware\VMware View\Server\sslgateway\conf\keys.p12.
    2. Add the keyfile and keypass properties to the locked.properties file in the SSL gateway configuration directory on the View Connection Server or Security Server host.

      Note: If the locked.properties file does not exist, you must create it.
    3. Set the keyfile property to the name of your keystore file.
    4. Set the keypass property to the password for your keystore file. For example:

         keyfile=keys.p12
         keypass=MY_PASS
  6. Restart the View Connection Server service or Security Server service for the changes to take effect.
  7. Ensure that the certificate is being used by checking the debug log on the server.
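Steps 2 to 7 driven from PowerShell, with the checks the procedure relies on (password length, PKCS#7 reply, backup of the keystore, the CA reply installed against the same alias as the key pair). This is an added example and not VMware's code: the keytool options, keys.p12, locked.properties and the keyfile/keypass properties come from the steps above; the install directory, the alias "view", the service display name, the debug log path and the function names are assumptions.

```powershell
# Added example (not from the post): wraps the keytool steps above and writes
# locked.properties. Install path, alias, service name and log path are assumed.
$InstallDir = 'C:\Program Files\VMware\VMware View\Server'   # assumed <install_directory>
$KeyTool    = Join-Path $InstallDir 'jre\bin\keytool.exe'
$ConfDir    = Join-Path $InstallDir 'sslgateway\conf'
$Keystore   = 'keys.p12'                                      # file name used in step 5
$Alias      = 'view'                                          # assumed key-pair alias

function Test-StorePass([string]$Pass) {
    # Rule from step 3: at least 6 characters and never blank.
    return (-not [string]::IsNullOrEmpty($Pass) -and $Pass.Length -ge 6)
}

function New-ViewKeystore([string]$Fqdn, [string]$StorePass, [int]$KeySize = 2048) {
    if (-not (Test-StorePass $StorePass)) { throw 'Keystore password must be at least 6 characters.' }
    # -dname answers the "first and last name" prompt with the FQDN clients connect to.
    # A pkcs12 store needs keypass == storepass. Note the password is visible on the command line.
    & $KeyTool -genkey -alias $Alias -keyalg RSA -keysize $KeySize -validity 360 `
        -keystore $Keystore -storetype pkcs12 -storepass $StorePass -keypass $StorePass -dname "CN=$Fqdn"
    if ($LASTEXITCODE -ne 0) { throw "keytool -genkey failed ($LASTEXITCODE)" }
    Copy-Item $Keystore "$Keystore.bak" -Force          # step 2.4: back up the keystore
}

function New-ViewCsr([string]$StorePass, [string]$CsrFile = 'view.csr') {
    & $KeyTool -certreq -alias $Alias -keyalg RSA -file $CsrFile `
        -keystore $Keystore -storetype pkcs12 -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool -certreq failed ($LASTEXITCODE)" }
    return (Resolve-Path $CsrFile).Path                 # send this file to the CA
}

function Import-ViewCertificate([string]$StorePass, [string]$CertFile) {
    # The CA reply must be PKCS#7 with the full chain, as the conversion steps above require.
    $ext = [IO.Path]::GetExtension($CertFile).ToLower()
    if (@('.p7b', '.p7c') -notcontains $ext) { throw "Expected a PKCS#7 (.p7b) file, got $CertFile" }
    # The alias must match the key pair; otherwise keytool stores the reply as a trusted
    # certificate instead of installing it as the key pair's certificate chain.
    & $KeyTool -import -alias $Alias -trustcacerts -file $CertFile `
        -keystore $Keystore -storetype pkcs12 -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool -import failed ($LASTEXITCODE)" }
    # Show the entry: it should be a PrivateKeyEntry with a chain length > 1.
    & $KeyTool -list -v -alias $Alias -keystore $Keystore -storetype pkcs12 -storepass $StorePass
}

function Set-ViewLockedProperties([string]$StorePass, [string]$ServiceDisplayName = 'VMware View Connection Server') {
    # Step 5: keystore beside locked.properties, keyfile/keypass pointing at it (existing values replaced).
    Copy-Item $Keystore (Join-Path $ConfDir $Keystore) -Force
    $props = Join-Path $ConfDir 'locked.properties'
    $lines = @()
    if (Test-Path $props) { $lines = @(Get-Content $props | Where-Object { $_ -notmatch '^(keyfile|keypass)=' }) }
    $lines += "keyfile=$Keystore"
    $lines += "keypass=$StorePass"
    Set-Content -Path $props -Value $lines -Encoding ASCII
    # Step 6: restart the service (display name assumed) so the new keystore is loaded.
    Restart-Service -DisplayName $ServiceDisplayName -Force
}

function Test-ViewCertificateInUse {
    # Step 7: look for the keystore file name in the debug log (log location assumed).
    $logs = Join-Path $env:ProgramData 'VMware\VDM\logs\debug*.txt'
    return [bool](Get-ChildItem $logs -ErrorAction SilentlyContinue | Select-String -Pattern $Keystore -List)
}
```

Usage follows the numbered steps: New-ViewKeystore, then New-ViewCsr and send the CSR off, then Import-ViewCertificate once the .p7b comes back, then Set-ViewLockedProperties and Test-ViewCertificateInUse. Because locked.properties holds the keystore password in clear text, restrict the file's ACL to Administrators and SYSTEM after writing it.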

Tuesday, March 6, 2012

MDT 2010 created an IMGMGR folder that can't be deleted, and it's huge!

From an elevated command prompt (if the OS is Windows Server 2008), try running "dism.exe /cleanup-wim" to clean up the stale mounted image.

That's it!! Thanks Michael Niehaus

Source:

Sunday, March 4, 2012

Disable Legal Notice during Windows 7 Deployment

Solution:
Open the unattend.xml file in a text editor and add the following synchronous command to the unattend.xml file in the corresponding task sequence folder (\\%DistributionServer%\DistributionShare\Control\%TSId%\unattend.xml):

------------------------------------------------------------------------------------

Disable Legal Notice
3
cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" /v NoMachinePolicy /t REG_DWORD /d 1 /f

------------------------------------------------------------------------------------

The source URL below also covers the steps for when MDT is used for deployment.

Source:
http://www.microtom.net/?p=675
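The edit above done with an XML parser rather than by hand, so that the element lands in the right place and an Order collision is refused. This is an added example and not part of the post or the linked source: the description, order and reg add command are the post's; the function name, the assumption that the command belongs in the RunSynchronous list of the specialize-pass Microsoft-Windows-Deployment component, and the wcm:action="add" attribute are mine. One caveat worth knowing: {827D319E-6EAC-11D2-A4EA-00C04F79F83A} is the Security Settings client-side extension, so NoMachinePolicy=1 stops all machine-side security policy processing, not just the legal notice; revert the value once deployment has finished.

```powershell
# Added example (not from the post): insert the post's synchronous command into
# an MDT unattend.xml. The target component/pass is an assumption about the file.
function Add-LegalNoticeSuppression {
    param(
        [Parameter(Mandatory = $true)][string]$UnattendPath,   # e.g. the Control\<TSId>\unattend.xml path from the post
        [int]$Order = 3                                          # Order value used in the post
    )
    # Command from the post. NoMachinePolicy=1 disables the Security Settings CSE entirely; undo it after deployment.
    $cmd = 'cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" /v NoMachinePolicy /t REG_DWORD /d 1 /f'

    [xml]$xml = Get-Content -Path $UnattendPath
    $ns = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
    $ns.AddNamespace('u',   'urn:schemas-microsoft-com:unattend')
    $ns.AddNamespace('wcm', 'http://schemas.microsoft.com/WMIConfig/2002/State')
    $uri = $xml.DocumentElement.NamespaceURI

    # Assumed location: specialize pass, Microsoft-Windows-Deployment component.
    $comp = $xml.SelectSingleNode("//u:settings[@pass='specialize']/u:component[@name='Microsoft-Windows-Deployment']", $ns)
    if (-not $comp) { throw "No specialize/Microsoft-Windows-Deployment component in $UnattendPath" }
    $runSync = $comp.SelectSingleNode('u:RunSynchronous', $ns)
    if (-not $runSync) { $runSync = $comp.AppendChild($xml.CreateElement('RunSynchronous', $uri)) }

    # Orders must be unique within RunSynchronous: skip if already added, refuse a collision.
    foreach ($existing in $runSync.SelectNodes('u:RunSynchronousCommand', $ns)) {
        if ($existing.Path -eq $cmd) { return $false }
        if ([int]$existing.Order -eq $Order) { throw "Order $Order is already used by '$($existing.Description)'" }
    }

    $el   = $xml.CreateElement('RunSynchronousCommand', $uri)
    $attr = $xml.CreateAttribute('wcm', 'action', $ns.LookupNamespace('wcm'))
    $attr.Value = 'add'
    $el.Attributes.Append($attr) | Out-Null
    foreach ($pair in @(@('Description', 'Disable Legal Notice'), @('Order', "$Order"), @('Path', $cmd))) {
        $child = $xml.CreateElement($pair[0], $uri)
        $child.InnerText = $pair[1]
        $el.AppendChild($child) | Out-Null
    }
    $runSync.AppendChild($el) | Out-Null

    Copy-Item $UnattendPath "$UnattendPath.bak" -Force     # keep the original before saving
    $xml.Save($UnattendPath)
    return $true
}

# Usage (path constructed for illustration):
# Add-LegalNoticeSuppression -UnattendPath '\\DEPLOY01\DistributionShare\Control\TS001\unattend.xml'
```

The function returns $true when it added the command and $false when the same command was already present; diff unattend.xml against the .bak copy before re-importing the task sequence.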