Group Policy Preference ( GPP ) : GPP Is Not Working, There Are Red and Green Dots / circle At The Settings

Group Policy Processing has been introduced since Server 2008, and Microsoft recommends to use GPP instead of normal GPO. To me, I prefer to use GPP as well, as it is more convenience to configure and troubleshoot. 

However, in some cases, the configuration may not get reflected, no matter how many times you perform gpupdate (gpupdate /force as well), or even reboot the machines. Your settings are all good, linked enabled to appropriate OU, Block Inheritance already enabled (to ensure policies assigned to parent OU not conflicting with your policies, just in case), there were no similar setting in Site and Domain policies, policies already being enforced (oh wait, do you really need to enforce?). 

What else could it be then? Oh wait, just before you planned to kill someone, you realized there were red dots / circles at the configurations, and those configurations (with red dots / circles ) were the one who drove you crazy! Configurations with green straight lines / circles were working as expected! 

So yes, it is how GPP works, actually. To simplify things, Microsoft (by default) disabled some configurations, so Administrators won't accidentally make changes. They need to enable those changes first, before the changes working as expected. In order to enable / disable those changes, one need to press :

• F5 - Enable all configurations
• F6 - Enable that specific configuration 
• F7 - Disable that specific configuration 
• F8 - Disable all configurations

To demonstrate some examples :

This is default configurations, some are enabled, some are not.

You pressed F5 (all enabled with green straight lines)

You pressed F8 (all enabled with red dots)

You clicked at some setting, and pressed F6 or F7 (pressing F6 will enable it, F7 will disable it)

Now we go to Advanced setting, to see on green / red circles.

We pressed F8.

We pressed F6 on some settings.

Read More

Disabling drive mapping on Server 2008

In previous post, I mentioned on how to disable drive mapping on Server 2003 via GPO. In this post, I will show on how to disable drive mapping on server 2008.

Description :
Disabling drive mapping on Server 2008


How To Do :

1.  Access to GPMC, edit the intended GPO. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
   
2. Click at ' Do not allow drive redirection '. That is our target setting
   
3. Right click at it, and press Edit
   
4.  Choose Enabled, press Apply and OK.
   
5.  You can double confirm the setting by checking at ICA-TCP and RDP-TCP Properties. They are now checked, and grayed out.
   
   
   
   
6. And this is the explanation by Microsoft on the GPO setting.
   

Read More

Failed to Delete / Move Organizational Unit in Active Directory

I think I rarely touch about Active Directory, so let's start with a basic one. Let say, one day you want to housekeep your OU structure, delete or maybe move some OUs to different locations, but you got an error :

You do not have sufficient privilages to delete <OUName>, or this onject is protected from accidental deletion.

or

Windows cannot move object <OUName> because:

Access is denied.

Well, if we look at the first error, it is clear cut, the object is protected from accidental deletion, so the object needs to stay there. Whereas for second error, it just mentioned "access is denied". 

Issues :

• Can't delete or move OU, either one of above errors prompted.

Troubleshooting 

1.  Right click at the target OU, and click at Properties
   

Read More

How To Hide Windows Local Disk Drives From Users

In some organizations, Management may want to hide certain server local drives from being accessed by Citrix users. There are a few methods to do so, but in this post, we will be using GPP. 

Note that this step will only HIDE but not prevent users from acecssing to it. The configured drive will only be hide from WIndows Explorer. Thus, users still can access to the drive via Command prompt, Run command etc.

Description :
Hide certain drives from being accessed by users.



How To Do :

1.  Launch Group Policy Management Console. Depending on how your AD is structured, right click at the OU, and choose " Create a GPO in this domain, and Link it here... "
   
   
   
2.  Give it a name, and press OK.
   
   
   
3.  Then you can see the GPO created.
   
   
   
4.  Right click at the GPO, and choose Edit.
   
   
   
5.   Expand to User Configuration > Preference > Windows Settings, click at Drive Maps
   
   
   
6.  Right click at Drive Maps, hover to New and click at Mapped Drive
   
   
   
7.  In here, follow below instructions:
   Action : Update
   Drive Letter : Existing, and choose desired drive (in this example, it is D: drive
   
   Press Apply and OK.
   
   
   
   
   

Read More

Task Scheduler Error - An Error has occurred for task . The following error was reported: A specific logon session does not exist. It may already have been terminated.

A few days ago I created a script to do some little, tiny checking on my servers. My plan was to create a Task Scheduler so that script can be executed periodically. But (yeah, there is always a but), I encountered an error. If we look carefully at the error, it did not mentioned about Securty or policy setting, but I know it must related to UAC.

Issues :

Receive error when configuring Task Scheduler :

An Error has occurred for task <Task Name>. The following error was reported: A specific logon session does not exist. It may already have been terminated.

Troubleshooting 

1.  Go to Start > Administrative Tools > Click at Task Scheduler
   
   
   
2.  Browse to Task Scheduler (local) > Task Scheduler Library
   
   
   
3.  Right click at the specific Task Scheduler > choose Properties
   
   
   
4.  At General tab, the radio box " Run whether user is logged on or not " is enabled. Which means, the setting is okay.
   
   
   
5.  Further checking, go to Start > Run, type secpol.msc and press Enter.
   
   
   
6.  Browse to Security Settings > Local Policies > Security Options
   
   
   
7.  Check on this setting, it is Enabled.
   

Resolution :

1.  Right click at the above mentioned setting, and choose Properties
   
   
   
2.  Click at Disabled, press Apply and OK.
   
   
   
   
   
3.  Perform gpupdate /force to refresh policy update.
   

Read More

How To Use Citrix Receiver Clean Up Utility

Citrix has came up with an utility to fully uninstalled and removed Citrix Receiver from a workstation / server. 

Based on their article, this utility must be used in one or more of these situations :

• Receiver or Online Plug-in is installed but the old components still exist or creating abnormal scenarios.
• Receiver or Online Plug-in components must be cleaned before troubleshooting or installation.
• Receiver or Online Plug-in are unable to function and the product is unable to install or uninstall.

However, not all OS can use this utility. It only can be applied to these products :

• Windows 8 32-bit and 64-bit
• Windows 7 32-bit and 64-bit
• Windows 2008 32-bit and 64-bit
• Windows 2008 R2
• Windows Vista 32-bit and 64-bit

Description :
To uninstall Citrix Receiver, and perform cleanup so there is  no trace of Citrix Receiver inside the workstation / server.

How To Do :

1.  Right click at Citrix Receiver Clean Up Utility, and choose Run as administrator.
   
   
   
2. Key in 1 and press Enter to properly remove Citrix Receiver.
   
   
   
3. Running….
   
4. Once completed, you will see this screen. Press 1 to reboot the workstation.
   

Read More

Change Farm Utility ( CHFARM) Has Stopped Working

Well, this issue was occurred to me last weekend, when I was busying myself changing my Citrix XenApp servers from farm A to farm B, using GUI. Why? because I have nothing to do (on weekend? seriously??). Please put my forever alone life aside, shall we? Well, this issue occurred to my XenApp 5 for Server 2008 farm. Hmm, Server 2008 is the keyword there... :)

Issues :

• Citrix Admins received below screen after putting the credential for ODBC Driver Access.
  
• Citrix Admins can't move forward, as the GIU will froze just after putting the credential.
  

Troubleshooting 

1. Go to Start > Run, and type SecPol.msc
   
   
    
2. You will be prompted with all UAC permission, so just proceed accordingly

   

   Click at I want to complete this task

   
   

   

   Press Ctrl + Alt + End

   

   Press Continue

   
   
   
3. After that, you will see this console. Our focus is on Security Settings > Local Policies > Security Options
   
   
   
4. On the right column, find this configuration, and check the setting configured
   

Resolution :

• Right click at the configuration item, and choose Properties
  
  
• From this box, change the option from Enabled to Disabled
  
  

Read More

Cannot Find a Valid Terminal Services License Server

After installing Terminal Services Role to a server, you may want to specify the license server. The Terminal Server will make an attempt to locate the Terminal Service License servers first, before make an attempt to follow automatic license server discovery process. You may see below balloon :

Note that this is for Windows Server 2008. For Windows Server 2003, please go to here.

Description :

• You want to specify Terminal Services License server, so Terminal Services role can be used by servers.

How To Do :

1. Go to Start > Administrative Tools > Terminal Services > Terminal Services Configuration. Or you can type tscc.msc in Run box.
   
   
   
2. Right click at License server discovery mode, and click at Properties.
   
   
   

Read More