
Thursday 15 September 2016

Group Policy Preference ( GPP ) : GPP Is Not Working, There Are Red and Green Dots / circle At The Settings

Group Policy Preferences (GPP) have been available since Server 2008, and Microsoft recommends using GPP instead of the classic GPO settings where possible. I prefer GPP as well, as it is more convenient to configure and troubleshoot.

However, in some cases the configuration is not reflected, no matter how many times you run gpupdate (gpupdate /force as well), or even reboot the machine. Your settings are all good, the link is enabled on the appropriate OU, Block Inheritance is already enabled (to ensure policies assigned to the parent OU don't conflict with yours, just in case), there are no similar settings in the Site and Domain policies, and the policy is already enforced (oh wait, do you really need to enforce?).

What else could it be then? Oh wait, just before you planned to kill someone, you realized there were red dots / circles at the configurations, and those configurations (with red dots / circles) were the ones driving you crazy! Configurations with green straight lines / circles were working as expected!


So yes, this is actually how GPP works. To simplify things, Microsoft disables some settings by default, so administrators won't accidentally make changes. Those settings need to be enabled first before the changes take effect. To enable / disable them, press :

  • F5 - Enable all configurations
  • F6 - Enable that specific configuration 
  • F7 - Disable that specific configuration 
  • F8 - Disable all configurations


To demonstrate some examples :

[Screenshot] Default configuration: some settings are enabled, some are not.

[Screenshot] After pressing F5 (all enabled, shown with green straight lines).

[Screenshot] After pressing F8 (all disabled, shown with red dots).

[Screenshot] After clicking on a setting and pressing F6 or F7 (F6 enables it, F7 disables it).

Now we go to the Advanced settings to see the green / red circles.

[Screenshot] After pressing F8.

[Screenshot] After pressing F6 on some settings.

Friday 18 September 2015

The Trust Relationship Between This Workstation and The Primary Domain Failed

This is one of the common issues in a PVS environment IF the environment is not properly configured. The trust relationship fails if the password expiration is set to fewer days than the computer account password update interval. For example, if you set the password to expire in 5 days and the computer account password update is set to 7 days, the password expires 2 days before renewal. Therefore, either disable password expiration, or set these 2 options properly according to corporate security policy.


Issues :

PVS : The Trust Relationship Between This Workstation and The Primary Domain Failed

Troubleshooting :
  1.  Accessed the VDA; could not authenticate using a domain ID.
  2.  Converted the VDA to Private mode / created a new version under Maintenance mode, unjoined and rejoined it to the domain. Put the VDA back to Standard mode / promoted it to Production; the issue persisted.

Resolution :
  1.  Shut down the target device.
  2.  Right click on it, go to Active Directory > and choose Reset Machine Account Password...
  3.  Choose the correct Domain as well as the Organizational Unit, and press Reset Account.
  4.  The target device is being reset.
  5.  Target device successfully reset.
  6.  Bring up the target device and try again.
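The following PowerShell is an added example, not part of the original post or of Citrix PVS: run on the target device, it reads the domain-side machine password age setting, compares it with the PVS password change interval the post describes, reports the age of the computer account password, and checks the secure channel. The parameter $PvsPasswordChangeDays is an assumption: the PVS "days between password change" value cannot be read from the target, so you supply it from the farm settings. Get-ADComputer needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the post). Checks the two intervals the post compares,
# plus the current state of this machine's account password and secure channel.
Import-Module ActiveDirectory

function Test-MachinePasswordConfig {
    param(
        # Assumed input: the PVS farm's "days between password change" value.
        [Parameter(Mandatory)][int]$PvsPasswordChangeDays
    )
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $props    = Get-ItemProperty -Path $netlogon

    # "Domain member: Maximum machine account password age" (default 30 days when unset).
    $maxAge = if ($null -ne $props.MaximumPasswordAge) { [int]$props.MaximumPasswordAge } else { 30 }
    # "Domain member: Disable machine account password changes".
    $changesDisabled = ($props.DisablePasswordChange -eq 1)

    # Age of the password AD currently holds for this computer account.
    $computer   = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    $pwdAgeDays = [int]((Get-Date) - $computer.PasswordLastSet).TotalDays

    # $false here is the PowerShell view of "the trust relationship ... failed".
    $secureChannelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer                 = $computer.Name
        DomainMaxPasswordAgeDays = $maxAge
        PvsPasswordChangeDays    = $PvsPasswordChangeDays
        PasswordChangesDisabled  = $changesDisabled
        PasswordAgeDays          = $pwdAgeDays
        SecureChannelOk          = [bool]$secureChannelOk
        # The mismatch the post describes: the domain-side age is shorter than
        # the interval at which PVS renews the password.
        ExpiresBeforeRenewal     = (-not $changesDisabled) -and ($maxAge -lt $PvsPasswordChangeDays)
    }
}

# Usage (values are illustrative):
#   Test-MachinePasswordConfig -PvsPasswordChangeDays 7
# If SecureChannelOk is $false, the in-Windows equivalent of the PVS console's
# "Reset Machine Account Password" is, with a domain admin credential:
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

Test-ComputerSecureChannel -Repair resets the password from the member's side; on a PVS target in Standard mode the result is lost on reboot unless PVS password management is enabled, which is why the post's fix goes through the PVS console.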

Friday 27 February 2015

How To Totally Remove GPO

Assuming you mistakenly created a GPO and want to delete it before your boss hammers your head (huh?).. Okay, too much drama, so let's change it. You want to housekeep your GPOs (again?), and some GPOs need to be deleted. You right click on one, press Delete, and this message box pops up:

Do you want to delete this link?
This will not delete the GPO itself.

So, are you doing it right? The answer is no. Deleting it from the OU structure will not totally remove the GPO; it only unlinks the GPO from the OU.

Description :
Delete a GPO itself, not just its link to an OU.

How To Do :
  1.  Within the Group Policy Management Console, go to the Group Policy Objects node. Right click on the target GPO, and choose Delete.
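The same distinction in PowerShell, as an added example that is not part of the original post: the GroupPolicy module has one cmdlet that removes a link (what the OU-level Delete does) and a different one that removes the GPO itself (what the step above does). The helper that lists GPOs with no links anywhere is the usual starting point for the housekeeping the post talks about. $GpoName and $OuDn are illustrative placeholders.

```powershell
# Added example (not from the post). Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

function Get-GPOLinkTargets {
    param([Parameter(Mandatory)][string]$GpoName)
    # The XML report carries one LinksTo element per site, domain or OU the GPO is linked to.
    $report = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
    @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
}

function Get-UnlinkedGPO {
    # GPOs that still exist in the Group Policy Objects node but are linked nowhere:
    # exactly what is left behind after deleting only the link from an OU.
    Get-GPO -All | Where-Object { (Get-GPOLinkTargets -GpoName $_.DisplayName).Count -eq 0 }
}

# Illustrative placeholders.
$GpoName = 'Example GPO'
$OuDn    = 'OU=Example,DC=example,DC=local'

# What "Delete" on the OU does: the link goes, the GPO stays.
#   Remove-GPLink -Name $GpoName -Target $OuDn

# What the post's step does: the GPO goes, and every link to it with it.
#   Remove-GPO -Name $GpoName -Confirm

# Housekeeping view before deleting anything:
#   Get-UnlinkedGPO | Select-Object DisplayName, ModificationTime
```

Get-GPOReport is used here because Get-GPO alone does not expose link information; the report's SOMPath values are the distinguished names of the linked containers.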




Friday 16 January 2015

Failed to Delete / Move Organizational Unit in Active Directory

I think I rarely touch on Active Directory, so let's start with a basic one. Let's say one day you want to housekeep your OU structure, delete or maybe move some OUs to different locations, but you get an error :

You do not have sufficient privileges to delete <OUName>, or this object is protected from accidental deletion.

or

Windows cannot move object <OUName> because:

Access is denied.

Well, if we look at the first error, it is clear cut: the object is protected from accidental deletion, so the object needs to stay there. Whereas for the second error, it just says "access is denied".

Issues :
  • Can't delete or move an OU; one of the above errors is prompted.

Troubleshooting :
  1.  Right click on the target OU, and click Properties
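As an added example (not part of the original post), the same check without the GUI: the "protected from accidental deletion" flag is readable and settable through the ActiveDirectory module, and since deleting or moving an OU also touches everything beneath it, the helper walks the whole subtree rather than only the OU itself. $OuDn is an illustrative placeholder.

```powershell
# Added example (not from the post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ProtectedObjectsUnder {
    param([Parameter(Mandatory)][string]$OuDn)
    # The OU and every object in its subtree that still carries the protection flag.
    Get-ADObject -SearchBase $OuDn -SearchScope Subtree -Filter * `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Unprotect-OU {
    param([Parameter(Mandatory)][string]$OuDn)
    # Clear the flag on one OU only; re-run Get-ProtectedObjectsUnder afterwards
    # to see whether child objects still block the delete or move.
    Set-ADOrganizationalUnit -Identity $OuDn -ProtectedFromAccidentalDeletion $false
}

# Usage with an illustrative placeholder DN:
#   $OuDn = 'OU=Old Branch,DC=example,DC=local'
#   Get-ProtectedObjectsUnder -OuDn $OuDn
#   Unprotect-OU -OuDn $OuDn
```

Clearing the flag is the same change the Object tab checkbox makes; leave it set on OUs you are not about to delete or move, since it is the only thing standing between a mis-click and a deleted subtree.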

Friday 9 January 2015

How To Hide Windows Local Disk Drives From Users

In some organizations, management may want to hide certain server local drives from Citrix users. There are a few methods to do so, but in this post we will be using GPP.

Note that this step will only HIDE the drive, not prevent users from accessing it. The configured drive is only hidden from Windows Explorer; users can still access it via the command prompt, the Run command, etc.

Description :
Hide certain drives from users.

How To Do :
  1.  Launch the Group Policy Management Console. Depending on how your AD is structured, right click on the OU and choose "Create a GPO in this domain, and Link it here..."
  2.  Give it a name, and press OK.
  3.  You can then see the GPO created.
  4.  Right click on the GPO, and choose Edit.
  5.  Expand User Configuration > Preferences > Windows Settings, and click Drive Maps.
  6.  Right click on Drive Maps, hover over New and click Mapped Drive.
  7.  In here, follow the instructions below:
    Action : Update
    Drive Letter : Existing, and choose the desired drive (in this example, it is the D: drive)
    Press Apply and OK.
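Because the GPP drive map above only hides D: in Explorer, here is an added example (not part of the original post) that sets the two Explorer policy values behind "Hide these specified drives in My Computer" (NoDrives) and "Prevent access to drives from My Computer" (NoViewOnDrive) in a GPO using the GroupPolicy module. Both values are a bitmask over drive letters (A=1, B=2, C=4, D=8, ...), which the helper computes. $GpoName is an illustrative placeholder. NoViewOnDrive goes further than the post's method in that Explorer and the common file dialogs refuse to open the drive, but cmd.exe and scripts still reach it; actually restricting access is an NTFS permissions job.

```powershell
# Added example (not from the post). Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

function ConvertTo-DriveMask {
    param([Parameter(Mandatory)][char[]]$Letters)
    # Bitmask used by both NoDrives and NoViewOnDrive: A=1, B=2, C=4, D=8, ...
    $mask = 0
    foreach ($l in $Letters) {
        $index = [int][char]::ToUpper($l) - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $index)
    }
    $mask
}

function Set-DriveRestrictionPolicy {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][char[]]$Letters
    )
    $key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mask = ConvertTo-DriveMask -Letters $Letters
    # Hide the drive in Explorer (same visible effect as the GPP drive map in the post).
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName NoDrives -Type DWord -Value $mask | Out-Null
    # Additionally refuse to open it from Explorer and common dialogs.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName NoViewOnDrive -Type DWord -Value $mask | Out-Null
    $mask
}

# Usage with an illustrative GPO name; D: alone gives a mask of 8, C: and D: give 12.
#   Set-DriveRestrictionPolicy -GpoName 'Hide Local Drives' -Letters 'D'
```

The values land under User Configuration > Policies, so they apply per user like the post's GPP item, and gpupdate /force on a session host shows the result in the next logon.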




Wednesday 19 February 2014

Add a Member Server To Domain Failed Due to DNS Configuration

This would be my first post regarding Server 2012 (pretty cool, huh?). So this is the case: I just created a lab environment for my XenDesktop 7. Because of this new classy environment, I decided to use Server 2012. I have a server acting as DHCP, DNS and DC (have to, not enough resources), and another server as a member server. So when I wanted to add this member server to my domain, I received the error in the Issues section.



Issues :


  • Facing this error while adding the member server to the domain:
    The following error occurred attempting to join the domain <domainName> :
    The specified domain either does not exist or could not be contacted.

Troubleshooting :
  • It turned out that my DNS server was not properly configured. It was not configured to point at any server, so the member server could not contact any DNS server.

Resolution :
  1.  Configure the correct DNS server. Depending on your environment, you may want to set it manually on the servers, or at the Scope Options level.
  2.  Perform IPCONFIG /Release and IPCONFIG /Renew, so the new configuration takes effect.
  3.  Rejoin the member server to the domain, and tadaa!
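An added example (not part of the original post) of checking the DNS side before retrying the join: the joining machine locates a domain controller through the _ldap._tcp.dc._msdcs SRV record of the domain, so if the configured DNS servers cannot answer that query you get the error above. $DomainName is an illustrative placeholder. Resolve-DnsName and Get-DnsClientServerAddress come with the DnsClient module on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the post).
function Test-DomainJoinDns {
    param([Parameter(Mandatory)][string]$DomainName)

    # DNS servers the client is actually using (step 1 of the resolution).
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

    # The record a domain join uses to find a DC; no answer here means
    # "The specified domain either does not exist or could not be contacted".
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $dcs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget }

    [pscustomobject]@{
        DnsServersConfigured = @($dnsServers)
        SrvRecord            = $srvName
        DomainControllers    = @($dcs)
        CanLocateDc          = (@($dcs).Count -gt 0)
    }
}

# Usage with an illustrative domain name:
#   Test-DomainJoinDns -DomainName 'lab.example.local'
```

If DnsServersConfigured is empty or points at the wrong host, fix the DHCP scope option or the static setting first; CanLocateDc should turn $true after ipconfig /renew without touching the domain controller itself.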



Reference 

  • http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df10ef3-5789-46cc-9446-40664e56522a/error-message-the-specified-domain-either-does-not-exist-or-could-not-be-contacted?forum=winservergen

Monday 9 December 2013

AD Group Scope

Some people have difficulties differentiating between Universal, Global and Domain Local groups (including me, sometimes). The table below illustrates the differences between those group scopes.

Some lessons learnt :-
  • Global groups can be added to Domain Local groups (from the same domain or cross-domain), but not vice versa
  • For Global groups, you can only add accounts and Global groups from its own domain
  • In order to add accounts from any domain, you need a Domain Local group; Global groups won't allow you to do so.
  • Converting a group to Domain Local, adding those cross-domain users, and converting it back to Global won't do the trick.
  • Domain Local groups cannot be added to Domain Local groups from any domain except the same domain as the parent Domain Local group.

Group scope : Universal
  Group can include as members :
    • Accounts from any domain within the forest in which this Universal group resides
    • Global groups from any domain within the forest in which this Universal group resides
    • Universal groups from any domain within the forest in which this Universal group resides
  Group can be assigned permissions in : Any domain or forest
  Group scope can be converted to :
    • Domain local
    • Global (as long as no other universal groups exist as members)

Group scope : Global
  Group can include as members :
    • Accounts from the same domain as the parent global group
    • Global groups from the same domain as the parent global group
  Group can be assigned permissions in : Member permissions can be assigned in any domain
  Group scope can be converted to :
    • Universal (as long as it is not a member of any other global groups)

Group scope : Domain local
  Group can include as members :
    • Accounts from any domain
    • Global groups from any domain
    • Universal groups from any domain
    • Domain local groups, but only from the same domain as the parent domain local group
  Group can be assigned permissions in : Member permissions can be assigned only within the same domain as the parent domain local group
  Group scope can be converted to :
    • Universal (as long as no other domain local groups exist as members)

Note
The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted.
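As an added example (not part of the original post), the conversion rules in the table's last column, applied to a real group before running Set-ADGroup -GroupScope: a Global group may only become Universal if it is not itself a member of another Global group, a Domain local group may only become Universal if it contains no Domain local groups, and a Universal group may only become Global if it contains no Universal groups. The helper names the member or parent groups that would block the change. $GroupName is an illustrative placeholder; the ActiveDirectory module is required.

```powershell
# Added example (not from the post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-GroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][ValidateSet('Universal', 'Global', 'DomainLocal')][string]$TargetScope
    )
    $group = Get-ADGroup -Identity $GroupName -Properties Members, MemberOf

    # Direct members that are groups (users and computers never block a conversion).
    $memberGroups = @($group.Members | ForEach-Object {
        if ((Get-ADObject -Identity $_).ObjectClass -eq 'group') { Get-ADGroup -Identity $_ }
    })
    # Groups this group is a direct member of.
    $parentGroups = @($group.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })

    $blockers = switch ($TargetScope) {
        'Universal' {
            if ($group.GroupScope -eq 'Global') {
                # Global -> Universal: must not be a member of any other global group.
                $parentGroups | Where-Object { $_.GroupScope -eq 'Global' }
            } else {
                # Domain local -> Universal: must not contain domain local groups.
                $memberGroups | Where-Object { $_.GroupScope -eq 'DomainLocal' }
            }
        }
        'Global' {
            # Universal -> Global: must not contain universal groups.
            $memberGroups | Where-Object { $_.GroupScope -eq 'Universal' }
        }
        'DomainLocal' {
            # The table lists only Universal -> Domain local, with no member restriction.
            @()
        }
    }

    [pscustomobject]@{
        Group        = $group.Name
        CurrentScope = $group.GroupScope
        TargetScope  = $TargetScope
        Allowed      = (@($blockers).Count -eq 0)
        Blockers     = @($blockers | Select-Object -ExpandProperty DistinguishedName)
    }
}

# Usage with an illustrative group name:
#   $r = Test-GroupScopeConversion -GroupName 'App Admins' -TargetScope Universal
#   if ($r.Allowed) { Set-ADGroup -Identity 'App Admins' -GroupScope Universal } else { $r.Blockers }
```

The check only looks at direct membership, which is all the table's conditions refer to; Set-ADGroup itself enforces the same rules and fails with an error when they are violated, so the helper's value is naming the offending groups up front.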

