Archive for TS
Microsoft: Maximum number of groupmemberships for users (MaxTokenSize)
Today one of my colleagues was telling me about a Windows 7 deployment that was configured through GPP, where he noticed that somehow not all of the GPP settings were applied. He found a quick fix: remove the user from all the groups he was nested in, log the user in, and add the user to all the groups again. When I heard this I knew I had seen the problem before, in an environment with users in 200+ nested groups on Windows 2008 R2. So I told him it could be the MaxTokenSize that has to be set to a proper value; Microsoft has a KB article on how to do so.
RES Automation Manager: Add fonts on Windows Server 2008 R2
Today, while working on an unattended installation of Citrix XenApp 6 on Windows Server 2008 R2, the customer asked me to add some fonts to the default installation. After some searching I found a VBS script that could do this; I had to change the script a bit because it gave some errors:
RES Workspace Manager: Launch after Citrix published desktop
Because one of our customers was planning to use the Citrix Desktop Appliance Lock, we needed to publish a Citrix desktop and start RES Workspace Manager after the launch of the desktop. While Microsoft has GPOs for running a program after logging in, Citrix prohibits this.
Upon installation, Citrix adds tabs to the RDP-TCP Listener Properties in the Terminal Services Configuration. By default, the Environment tab has the “Run initial program specified by user profile and Remote Desktop Connection or Terminal Services client” radio button selected. Also, the Citrix Settings tab has “Only allow administrators to create desktop connections” selected.
If you leave this setting at its default, you get the following error message when logging in:
“To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually.”
To correct this you can manually clear the “Only allow administrators to create desktop connections” check box as described in CTX109925, but you can also create a custom ADM template that clears it. The registry value behind this check box is:
HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp\fDisableExe
where 0 means the check box is cleared and 1 means it is checked.
To create a custom ADM file I used the following PDF; the resulting ADM template contains the following:
;Configure the "only allow admins to create desktop connections" setting.
CLASS MACHINE
CATEGORY "Server Based Computing"
  CATEGORY "Citrix Presentation Server"
    CATEGORY ICA
      KEYNAME "SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp"
      POLICY !!fDisableExe
        EXPLAIN !!ExplainWords
        PART "Disable the only allow admins to create desktop connections settings?" TEXT
        END PART
        PART "Clear the 'Only allow administrators to create desktop connections' check box?"
          CHECKBOX
          VALUENAME "fDisableExe"
          VALUEON NUMERIC 0
          VALUEOFF NUMERIC 1
        END PART
      END POLICY
    END CATEGORY
  END CATEGORY
END CATEGORY
[strings]
fDisableExe="Allows published desktops for users"
ExplainWords="This policy enables/disables published desktops with autostart programs for users"
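As an added example (not code from the original post), the following Python script parses an ADM template of this shape: it checks that every CATEGORY, POLICY and PART block is closed, resolves the !!name references from the [strings] section and reports which registry value the checkbox writes. The template text is embedded as a constructed sample that reproduces the one above with straight quotes; parse_adm, registry_writes and the hive mapping are names chosen for this example, not part of any Group Policy tooling.

```python
"""ADM template checker (added example, not code from the original post)."""
import re

# Constructed sample: the post's template, with straight quotes.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "Server Based Computing"
  CATEGORY "Citrix Presentation Server"
    CATEGORY ICA
      KEYNAME "SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp"
      POLICY !!fDisableExe
        EXPLAIN !!ExplainWords
        PART "Disable the only allow admins to create desktop connections settings?" TEXT
        END PART
        PART "Clear the 'Only allow administrators to create desktop connections' check box?"
          CHECKBOX
          VALUENAME "fDisableExe"
          VALUEON NUMERIC 0
          VALUEOFF NUMERIC 1
        END PART
      END POLICY
    END CATEGORY
  END CATEGORY
END CATEGORY
[strings]
fDisableExe="Allows published desktops for users"
ExplainWords="This policy enables/disables published desktops with autostart programs for users"
'''

TOKEN = re.compile(r'"[^"]*"|\S+')
HIVES = {'MACHINE': 'HKEY_LOCAL_MACHINE', 'USER': 'HKEY_CURRENT_USER'}

def _sections(text):
    """Body lines and the [strings] name -> text map; blanks and ';' comments are dropped."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(';')]
    cut = next((i for i, l in enumerate(lines) if l.lower() == '[strings]'), len(lines))
    strings = {n.strip(): v.strip().strip('"') for n, _, v in (l.partition('=') for l in lines[cut + 1:])}
    return lines[:cut], strings

def _resolve(tok, strings):
    """Strip the quotes of a quoted token, or replace !!name by its [strings] text."""
    if tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    if tok.startswith('!!'):
        if tok[2:] not in strings:
            raise ValueError(f'unresolved string reference {tok}')
        return strings[tok[2:]]
    return tok

def parse_adm(text):
    """Return the template's policies; raise ValueError on unbalanced blocks or unknown keywords."""
    body, strings = _sections(text)
    hive, stack, policies, policy, part = None, [], [], None, None
    for line in body:
        toks = [_resolve(t, strings) for t in TOKEN.findall(line)]
        kw = toks[0].upper()
        if kw == 'CLASS':
            hive = HIVES[toks[1].upper()]
        elif kw in ('CATEGORY', 'POLICY', 'PART'):  # a block inherits its parent's KEYNAME until overridden
            stack.append({'kind': kw, 'name': toks[1], 'keyname': stack[-1]['keyname'] if stack else None})
            if kw == 'POLICY':
                policy = {'name': toks[1], 'hive': hive, 'parts': [], 'category': '\\'.join(f['name'] for f in stack[:-1])}
            elif kw == 'PART':
                part = {'label': toks[1], 'type': toks[2].upper() if len(toks) > 2 else None, 'valuename': None, 'on': None, 'off': None}
        elif kw == 'KEYNAME':
            stack[-1]['keyname'] = toks[1]
        elif kw == 'EXPLAIN':
            policy['explain'] = toks[1]
        elif kw in ('CHECKBOX', 'TEXT', 'NUMERIC', 'EDITTEXT', 'DROPDOWNLIST'):  # part type on its own line
            part['type'] = kw
        elif kw == 'VALUENAME':
            part['valuename'] = toks[1]
        elif kw in ('VALUEON', 'VALUEOFF'):  # NUMERIC n writes a DWORD, a bare "text" writes a string
            part['on' if kw == 'VALUEON' else 'off'] = int(toks[2]) if toks[1].upper() == 'NUMERIC' else toks[1]
        elif kw == 'END':
            if not stack or stack[-1]['kind'] != toks[1].upper():
                raise ValueError(f'{line!r} does not close the currently open block')
            frame = stack.pop()
            if frame['kind'] == 'PART':
                part['keyname'] = frame['keyname']
                policy['parts'].append(part)
            elif frame['kind'] == 'POLICY':
                policy['keyname'] = frame['keyname']
                policies.append(policy)
        else:
            raise ValueError(f'unknown keyword {kw!r}: {line}')
    if stack:
        raise ValueError(f"unclosed {stack[-1]['kind']} block {stack[-1]['name']!r}")
    return policies

def registry_writes(policy, checked=True):
    """(key, value name, data) per CHECKBOX part when the policy is Enabled: checked -> VALUEON, unchecked -> VALUEOFF."""
    return [(policy['hive'] + '\\' + p['keyname'], p['valuename'], p['on'] if checked else p['off'])
            for p in policy['parts'] if p['type'] == 'CHECKBOX']

if __name__ == '__main__':
    print(registry_writes(parse_adm(SAMPLE_ADM)[0]))
```

Running it prints the single write the policy makes when Enabled with the box ticked: fDisableExe=0 under HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp, which is the inverted VALUEON/VALUEOFF mapping the template relies on (ticking the policy's box clears the Citrix one). One caveat when reusing the template: it hard-codes ControlSet001, whereas CurrentControlSet is the link to whichever control set the machine actually booted from; on a machine where those differ, the policy writes to a key the ICA listener is not reading.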
I’ve applied this policy to my Windows 2003 w/ XenApp 5 farm and the check box is cleared and I can start a Citrix published desktop (while using the Desktop Appliance Lock) and start RES Workspace Manager after the desktop launch. This way I can have the best of both worlds!
I denied the GPO for the administrator accounts, so when somebody with an administrator account connects via this Citrix desktop they won’t get this policy and thus Workspace Manager won’t be started.
If you’re using XenApp 6 you can use the following policies:
- ICA\Desktop launches: “Allows or prevents non-administrative users to connect to a desktop session on the server. When allowed, non-administrative users can connect. By default, non-administrative users cannot connect to desktop sessions.”
- ICA\Launching of non-published programs during client connection: “Specifies whether to launch initial applications or published applications on the server. By default, only published applications are allowed to launch.”
Your policies should look like the following image:
Sepago User Profiles white paper
Sepago released a white paper on Sepago User Profiles. It describes the concepts behind Windows user profiles and explains common pitfalls and how to avoid them, both with and without the profile optimization solution Citrix User Profile Manager.