
Monday 22 July 2019

GPO - Setting Missing, Only All Settings Folder Is Available

A few weeks ago, we faced an issue where all of our GPOs were broken (kind of....). It seemed that although the GPOs were editable, the settings were not there... What we saw was :



Description :
GPO gone bad.....

Issue :

  1.  Launch GPMC | Edit a policy, expand to Computer Config | Policies | Administrative Templates, all settings are missing. However, each config line could be found inside All Settings

  2.  If we look carefully, the policy is retrieved from the central store.


  3.  If we look at another domain (another domain, not another Domain Controller), the policy is retrieved from the local computer.




Troubleshooting : 
  1. Open Windows Explorer, navigate to \\<DomainName>\SYSVOL\<DomainName>\Policies. There is a folder called PolicyDefinitions 


  2.  Within the folder, there is nothing, no folders no files.....



Resolution : 
  1.  Open Windows Explorer, navigate to \\<DomainControllerName>\c$\Windows\PolicyDefinitions. Copy all contents there....


  2.  ... and paste them to \\<DomainControllerName>\c$\Windows\SYSVOL\sysvol\<DomainName>\Policies\PolicyDefinitions. You may need to wait for x minutes for replication to complete (depending on your replication time).


  3.  Once done, try to edit any GPO, it should be working fine now...
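
The check and repair above can be scripted. This is an added example, not code from the original post; the function name `Repair-CentralStore` is hypothetical, and it assumes the account running it can write to SYSVOL and that `$env:USERDNSDOMAIN` is the domain whose Central Store is broken.

```powershell
# Added example: detect an existing-but-empty Central Store and refill it
# from the local PolicyDefinitions folder, as the post does by hand.
function Repair-CentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,                              # assumption: user's own domain
        [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions')  # local templates
    )

    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

    # No folder at all is a healthy state: the editor uses local templates.
    if (-not (Test-Path -LiteralPath $store)) {
        return "No Central Store folder at $store; local templates are used."
    }

    # The failure in the post: the folder exists but contains no ADMX files,
    # so the editor reads from the Central Store and finds nothing to show.
    $admx = @(Get-ChildItem -LiteralPath $store -Filter '*.admx' -File)
    if ($admx.Count -gt 0) {
        return "Central Store has $($admx.Count) ADMX files; no repair needed."
    }
    Write-Warning "Central Store exists but holds no ADMX files: $store"

    # -Recurse also copies the language subfolders holding the .adml files.
    if ($PSCmdlet.ShouldProcess($store, "Copy templates from $Source")) {
        Copy-Item -Path (Join-Path $Source '*') -Destination $store -Recurse -Force
    }

    $after = @(Get-ChildItem -LiteralPath $store -Filter '*.admx' -File)
    "Central Store now has $($after.Count) ADMX files."
}

# Dry run first; drop -WhatIf to perform the copy.
Repair-CentralStore -WhatIf
```

Every GPO editor in the domain reads these templates, so copy them from a trusted Domain Controller, and investigate why the folder was emptied.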


    Thursday 4 January 2018

    GPO : Failed to Open Group Policy Object

    This happened in my environment a few days ago, where I was not able to edit my group policy and got the error below. The GPO was working fine, just that I could not make any changes to it.


    Issues :

    Failed to open the Group Policy Object. You might not have the appropriate rights.

    Details :

    The system cannot find the path specified.





    Troubleshooting :
    1. Manually assigned delegated permission (with Edit settings, delete & modify security) - not working
    2. Tried to edit the policy from PDC Emulator server - not working
    3. Checked the availability of the GPO folder in SYSVOL, the GPO folder is available.





    Resolution :

    A bit of Googling, I got this :

    This is the issue, I executed the Procmon & found that process is trying to access the Registry.pol file under User folder under the policy path & it is failing to access, even though user configuration are not configured.


    It turned out that a folder named 'User' was missing from the GPO folder, which left the GPO Editor unable to read the content, thus throwing the error.

    An empty folder was created with the name User, and it resolved the issue.
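
To find every GPO affected by the same problem, the SYSVOL policy folders can be audited in one pass. This is an added example, not part of the original post; the function name `Find-IncompleteGpoFolder` is hypothetical. It generalizes the post's finding by also checking for the `Machine` folder and `GPT.INI`, which a GPO folder normally contains alongside `User`.

```powershell
# Added example: list GPO folders in SYSVOL that lack an expected item.
function Find-IncompleteGpoFolder {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: user's own domain

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    # GPO folders are named by GUID in braces; PolicyDefinitions is skipped.
    $guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    foreach ($gpo in Get-ChildItem -LiteralPath $policies -Directory) {
        if ($gpo.Name -notmatch $guid) { continue }

        # -LiteralPath matters: braces in the GUID must not be parsed as wildcards.
        $missing = @(foreach ($item in 'Machine', 'User', 'GPT.INI') {
            if (-not (Test-Path -LiteralPath (Join-Path $gpo.FullName $item))) { $item }
        })

        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Gpo     = $gpo.Name
                Missing = $missing -join ', '
                Path    = $gpo.FullName
            }
        }
    }
}

$broken = @(Find-IncompleteGpoFolder)
$broken | Format-Table -AutoSize

# The post's fix, applied only where 'User' is the missing item (dry run).
$broken | Where-Object { $_.Missing -match 'User' } | ForEach-Object {
    New-Item -ItemType Directory -Path (Join-Path $_.Path 'User') -WhatIf
}
```

A missing `GPT.INI` or `Machine` folder is only reported here, not repaired, since the post confirms the empty-folder fix for `User` alone.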





    Reference 

    • https://social.technet.microsoft.com/Forums/office/en-US/b91f3726-3a8c-42c4-9ac9-0fce356cc29d/failed-to-open-the-group-policy-object-you-may-not-have-the-appropriate-rights-the-system-cannot?forum=winserverDS

    Monday 8 May 2017

    Citrix Group Policy Management Console

    It is a common practice to have a management server, with most (if not all) consoles installed on it. The purpose of this practice is to consolidate the management consoles onto centralized servers, and to reduce unneeded resource utilization on target servers (e.g. SQL, AppSense, Citrix Delivery Controller, VMware vCenter).

    One component that I love to have in my management server is Citrix GPMC. I prefer to configure my Citrix policies via GPO, rather than Citrix Policies. One main reason is to consolidate all policies into a single, centralized location. 


    This is what you can see from AD server or normal servers/machines without Citrix GPMC installed / enabled.






    This is what you can see from Citrix servers with GPMC installed / enabled.




    Now, how to install Citrix GPMC : 

    1.  Download the installers from here :

      x86 : http://support.citrix.com/article/CTX142463#download

      x64 : http://support.citrix.com/article/CTX142464#download

    2.  Right click at the installer, and click Install (or just double click at it).


    3.  Preparing to install..


    4.  Accept the agreement, and click Install


    5.  Installing...


    6.  Done, click Finish.


    7.  Launch Group Policy Management, and Edit any GPO


    8.  Now we can see Citrix Policies available in GPO.


    Thursday 15 September 2016

    Group Policy Preference ( GPP ) : GPP Is Not Working, There Are Red and Green Dots / circle At The Settings

    Group Policy Preferences (GPP) were introduced with Server 2008, and Microsoft recommends using GPP instead of normal GPO. I prefer to use GPP as well, as it is more convenient to configure and troubleshoot.

    However, in some cases, the configuration may not get reflected, no matter how many times you perform gpupdate (gpupdate /force as well), or even reboot the machines. Your settings are all good, linked and enabled on the appropriate OU, Block Inheritance already enabled (to ensure policies assigned to the parent OU do not conflict with your policies, just in case), there are no similar settings in Site and Domain policies, policies already being enforced (oh wait, do you really need to enforce?).

    What else could it be then? Oh wait, just before you planned to kill someone, you realized there were red dots / circles at the configurations, and those configurations (with red dots / circles) were the ones that drove you crazy! Configurations with green straight lines / circles were working as expected!


    So yes, it is how GPP works, actually. To simplify things, Microsoft (by default) disabled some configurations, so Administrators won't accidentally make changes. They need to enable those configurations first, before the changes work as expected. In order to enable / disable those configurations, one needs to press :

    • F5 - Enable all configurations
    • F6 - Enable that specific configuration 
    • F7 - Disable that specific configuration 
    • F8 - Disable all configurations


    To demonstrate some examples :


    This is default configurations, some are enabled, some are not.






    You pressed F5 (all enabled with green straight lines)






    You pressed F8 (all disabled with red dots)

    You clicked at some setting, and pressed F6 or F7 (pressing F6 will enable it, F7 will disable it)






    Now we go to Advanced setting, to see on green / red circles.

    We pressed F8.

    We pressed F6 on some settings.

    Friday 4 September 2015

    Disabling drive mapping on Server 2008

    In a previous post, I described how to disable drive mapping on Server 2003 via GPO. In this post, I will show how to disable drive mapping on Server 2008.

    Description :
    Disabling drive mapping on Server 2008


    How To Do :
    1.  Access to GPMC, edit the intended GPO. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
    2. Click at ' Do not allow drive redirection '. That is our target setting
    3. Right click at it, and press Edit
    4.  Choose Enabled, press Apply and OK.
    5.  You can double confirm the setting by checking at ICA-TCP and RDP-TCP Properties. They are now checked, and grayed out.

    6. And this is the explanation by Microsoft on the GPO setting.


      Friday 1 May 2015

      Disable Local Drive Mapping On Windows Server 2003

      This post will show how to disable local drive mapping via GPO for a Windows Server 2003 environment. Considering GPO will take precedence over Citrix policy, this setting will work on both RDP and ICA sessions.


      Description :
      Disable local drive mapping via GPO (the same setting can be applied to local policy too)



      How To Do :

      1. Open your Group Policy Object, and browse to this setting ( Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Client/Server data redirection )


      2.  Let's focus on Do not allow drive redirection. Right click at it, and click at Properties


      3.  Choose Enabled, press Apply and OK.



      4.  This will be the outcome.


      5. This is the explanation on this setting by Microsoft.  


      6. Drive mapping is now disabled, and users are not able to change it.


      Monday 27 April 2015

      Unable to Change Citrix XenApp Farm

      This issue occurred to me a few years back, when we started rolling out Windows Server 2008. When I tried to move my Citrix XenApp server to another farm, CHFARM.exe crashed and I could not do it. Because I was using the GUI rather than the command line at that time, I could capture the detail below.



      I did not have any issues in changing farm for XenApp on Server 2003, and my home lab (with Windows Server 2008) also gave a positive result. As I could only see this error on Server 2008 (security permission on my home lab was more relaxed - UAC disabled) but not on Server 2003 (and my home lab), to me it was safe to narrow down the root cause to security permission on Server 2008 (to be exact : User Account Control).




      Issues :

      CHFARM crashed in the middle of changing Citrix XenApp farm (on Windows Server 2008).





      Troubleshooting 
      1.  RDP to the server, launch RUN, type secpol.msc, and press OK.


      2. (First hint) At this window, click at I want to complete this action.


      3.  Press Control+Alt+End at your keyboard to proceed.


      4. Click at Continue.


      5. Local Security Policy window appeared. Browse to Security Settings > Local Policies > Security Options


      6.  Look for this option, you will find it Enabled
        Option : User Account Control: Run all administrators in Admin Approval Mode





      Resolution :


      **Depending on your organization's security policies, you may want to consult with your Security team first before performing these steps.

      1.  Right click at the option, and click on Properties


      2.  From Enabled, change it to Disabled. Press Apply and OK. Reboot the server before proceeding to change the XenApp farm. You may want to re-enable it once done.


      3.  This explains in detail on the options. Note that Microsoft already stated that changing this setting requires a system reboot.
       p/s : You may find the option set to Not Configured. Try to check GPO applied to the server.
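
Because the UAC change above is meant to be temporary, a check that confirms the setting was re-enabled is worth running afterwards. The following is an added example, not from the original posts; the function name `Test-HardeningSetting` is hypothetical. It reads the registry values behind this UAC option and behind the 'Do not allow drive redirection' policy from the Server 2008 drive mapping post, and reports a value that is absent as Not Configured.

```powershell
# Added example: report whether the two settings discussed in these posts
# are in their hardened state on the local server.
$checks = @(
    @{ Setting  = 'Do not allow drive redirection'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name     = 'fDisableCdm'
       Expected = 1 },   # 1 = policy Enabled (drive redirection blocked)
    @{ Setting  = 'UAC: Run all administrators in Admin Approval Mode'
       Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'EnableLUA'
       Expected = 1 }    # 1 = Enabled, 0 = Disabled
)

function Test-HardeningSetting {
    param([hashtable[]]$Checks)

    foreach ($c in $Checks) {
        # A missing key or value means the policy is not configured here.
        $prop  = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -eq $prop) { 'Not Configured' } else { $prop.($c.Name) }

        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = $value
            Compliant = ($value -eq $c.Expected)
        }
    }
}

Test-HardeningSetting -Checks $checks | Format-Table -AutoSize
```

The registry value shows the configured state; as the post notes, a change to the UAC option only takes effect after a reboot.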


