Archive for Workspace Manager

Microsoft: Maximum number of group memberships for users (MaxTokenSize)

Today one of my colleagues was telling me about a Windows 7 deployment that was configured through GPP, but he noticed that not all the GPP settings were set somehow. He found a quick fix by removing the user from all the groups he was nested in, logging the user in and adding the user to all the groups again. When I heard this problem I knew I had seen this before in an environment with users in +200 nested groups in Windows 2008 R2. So I told him it could be the MaxTokenSize that has to be set to a proper value; Microsoft has a KB article to do so.


RES: Workspace Manager and creating bulk printers

I was talking to Grant Tiller about a customer that had +500 printers that had to be created in RES Workspace Manager and he told me there was a solution to create printers in bulk so it wouldn’t be a manual job. Here’s a description of the utility and how to use it:

 


RES Workspace Manager and Change Password dialog

One of our customers noticed that the balloon that pops up when a password is about to expire isn’t displayed properly while using RES Workspace Manager. I sent them an old PowerShell script that checks Active Directory and sends an email when the password expiry date is within 14 days.


RES Workspace Manager: Launch after Citrix published desktop

Because one of our customers was planning to use the Citrix Desktop Appliance Lock, we needed to publish a Citrix desktop and start RES Workspace Manager after the launch of the desktop. While Microsoft has GPOs for running a program after logging in, Citrix prohibits this.


Upon installation, Citrix adds tabs to the RDP-TCP Listener Properties in the Terminal Services Configuration. By default, the Environment tab has the “Run initial program specified by user profile and Remote Desktop Connection or Terminal Services client” radio button selected. Also, the Citrix Settings tab has “Only allow administrators to create desktop connections” selected.


If you leave this setting at its default, you will get an error message when logging in:

“To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually.”

To correct this you can manually clear the “Only allow administrators to create desktop connections” check box as stated in CTX109925, but you can also create a custom ADM template to clear this check box. The key that’s used for this is:

HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp\fDisableExe

Where 0 is cleared and 1 is checked.

To create a custom ADM file I used the following PDF. The ADM template contained the following information:

;Configure The only allow admins to create desktop connections settings.
CLASS Machine

CATEGORY "Server Based Computing"
CATEGORY "Citrix Presentation Server"
CATEGORY ICA

KEYNAME "SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp"
POLICY !!fDisableExe
EXPLAIN !!ExplainWords
PART "Disable the only allow admins to create desktop connections settings?" TEXT
END PART
PART "Clear the 'Only allow administrators to create desktop connections' check box?"
CHECKBOX
VALUENAME "fDisableExe"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END PART
END POLICY

END CATEGORY
END CATEGORY
END CATEGORY

[strings]
fDisableExe="Allows published desktops for users"
ExplainWords="This policy enables/disables published desktops with autostart programs for users"

I’ve applied this policy to my Windows 2003 w/ XenApp 5 farm and the check box is cleared and I can start a Citrix published desktop (while using the Desktop Appliance Lock) and start RES Workspace Manager after the desktop launch. This way I can have the best of both worlds!

I denied the GPO on the Administrator accounts so when somebody with an administrator account connects via this Citrix Desktop they won’t get this policy and thus Workspace Manager won’t get started.
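
To verify the result on a server, the following added example (not part of the original post) reads fDisableExe from the key used above and from the control set Windows is actually using, since CurrentControlSet does not always point to ControlSet001. The function name Get-ListenerFlag is hypothetical, and the script assumes a local PowerShell session with read access to HKLM\SYSTEM.

```powershell
# Added example (not from the original post): audit fDisableExe on the ICA listener.
# Assumption: run locally on the XenApp server with rights to read HKLM\SYSTEM.
$relative  = 'Control\Terminal Server\WinStations\ICA-tcp'
$valueName = 'fDisableExe'

# Hypothetical helper: returns the DWORD value, or $null when key or value is missing.
function Get-ListenerFlag {
    param([string]$ControlSet)
    $path = "HKLM:\SYSTEM\$ControlSet\$relative"
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

# HKLM\SYSTEM\Select\Current holds the number of the control set in use.
$current   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name 'Current').Current
$activeSet = 'ControlSet{0:D3}' -f $current

$sets = @('ControlSet001', $activeSet, 'CurrentControlSet') | Select-Object -Unique

$report = foreach ($set in $sets) {
    $value = Get-ListenerFlag -ControlSet $set
    # Mapping from the post: 0 = check box cleared, 1 = check box checked.
    if ($null -eq $value)  { $state = 'value not present' }
    elseif ($value -eq 0)  { $state = 'cleared: non-administrators can create desktop connections' }
    elseif ($value -eq 1)  { $state = 'checked: only administrators can create desktop connections' }
    else                   { $state = "unexpected value $value" }
    New-Object PSObject -Property @{ ControlSet = $set; Value = $value; State = $state }
}
$report | Select-Object ControlSet, Value, State | Format-Table -AutoSize

# The ADM template writes to ControlSet001; warn when that is not the live configuration.
$policyValue = Get-ListenerFlag -ControlSet 'ControlSet001'
$liveValue   = Get-ListenerFlag -ControlSet 'CurrentControlSet'
if ($activeSet -ne 'ControlSet001' -and $policyValue -ne $liveValue) {
    Write-Warning "ControlSet001 holds '$policyValue' but active $activeSet holds '$liveValue'."
}
```

A value of 0 on a server that should not offer published desktops to regular users is worth reviewing, because it means the administrator-only restriction has been lifted there.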

If you’re using XenApp 6 you can use the following policies:

  • ICA\Desktop launches : “Allows or prevents non-administrative users to connect to a desktop session on the server.
    When allowed, non-administrative users can connect. By default, non-administrative users cannot connect to desktop sessions.”
  • ICA\Launching of non-published programs during client connection : “Specifies whether to launch initial applications or published applications on the server. By default, only published applications are allowed to launch.”

Your policies should look like the following image:

ctx0005

Desktop Appliance Lock: Windows 7 Embedded, Citrix and log off local client #2

After posting RES Workspace Manager: Windows 7 Embedded, Citrix and log off local client I got pointed to the Desktop Appliance Lock by Michel Helderman on Twitter. This is an MSI on the XenDesktop DVD which can be installed on a thin client with Windows 7 embedded:

Supported Windows Operating Systems:

  • Windows 7, 32-bit and 64-bit editions (including Embedded Edition)
  • Windows XP Professional, 32-bit and 64-bit editions
  • Windows XP Embedded
  • Windows Vista, 32-bit and 64-bit editions
  • Windows Server 2008 R1, 32-bit and 64-bit editions (not supported by XenDesktop connections)
  • Windows Server 2008 R2, 64-bit edition (not supported by XenDesktop connections)
  • Windows Server 2003, 32-bit and 64-bit editions (not supported by XenDesktop connections)

Important: For XenDesktop connections, be aware that the Desktop Appliance Lock is only supported on Windows XP Professional and Windows XP Embedded.

Prerequisite for this is a Citrix Online plugin (Full) that’s properly configured with a Citrix Services Site. Keep in mind that there’s a shell replacement so when the Desktop Appliance Lock is installed it can only be un-installed by the same account that was used for the installation (the shell of the install account won’t be changed).

As we’re using RES PowerFuse 2010 at this customer we first tried this with a RES PowerFuse desktop but this wouldn’t work because it’s a published application and not a published desktop like the Desktop Appliance Lock expects. If you want this to work you have to publish a desktop and if you’re using RES PowerFuse (or Workspace Manager) you have to configure it so it starts at the user log on process. You can do this by using Group Policy or by using the RES Console:

Configuring Agents

If you choose not to run the Workspace Composer automatically after installation of the .msi, you may choose to change the shell later via the RES Workspace Manager Console at Setup > Agents.

The Run Workspace Composer column reflects whether an Agent was configured to start the Workspace Composer automatically when users log on to the Agent. This information does not apply to Agents running on Terminal Servers.

  • If the column shows the value Automatic (pending) or Manual (pending), the Agent cache has not been updated yet.

The Settings tab of the Edit RES Workspace Manager Agent window, which is shown when editing the settings of a RES Workspace Manager Agent, features the option Run Workspace Composer. This option, which is not available for Agents running on a server, makes it possible to choose whether the Workspace Composer should run automatically when a user logs on to the computer on which the Agent runs.

Like I said earlier, the shell is modified and when the Citrix Online plugin is configured the right way the session will be started automatically and when logging off the Windows 7 Embedded client will be logged off as well.

RES Workspace Manager: Windows 7 Embedded, Citrix and log off local client

Today I was at a customer with thin clients with Windows 7 Embedded installed; these thin clients had to be configured to connect to a Citrix XenApp 5 farm. The problem was that we wanted to have SSO (single sign out ;-)). So of course we asked RES if we could use the Subscriber/VDX but they came with the following statement:
