
Wednesday, February 27, 2013

Merge button missing in Security Compliance Manager (SCM)

When trying to merge two baselines in Microsoft Security Compliance Manager (SCM) you might see that the Merge button is missing.

image

Baselines must be associated with the same product before they can be merged.

image

After the baseline has been associated you are able to merge.

image

Tuesday, February 26, 2013

Updates missing when schedule update of Windows 2012

When trying to schedule update of a Windows 2012 Server image in System Center Configuration Manager 2012 SP1 no updates are shown even though updates are available.

image

Microsoft has released an update to fix this issue: http://support.microsoft.com/kb/2793237

image

After updating SCCM 2012 SP1 the updates are shown as expected, nice.

image

Monday, February 25, 2013

Remove Citrix XenApp Graphics from Web Interface

In some situations you might want to remove the Citrix XenApp graphics shown on the Web Interface.

image

Start a command prompt as administrator.

image

Create a copy of the existing file c:\inetpub\wwwroot\Citrix\XenApp\app_data\include\fullStyle.inc

image

Then edit the file c:\inetpub\wwwroot\Citrix\XenApp\app_data\include\fullStyle.inc

image

Find the entry #horizonTop img {  and insert the text Display: none;  as shown here:

image

The graphics are now gone:

image

Friday, February 22, 2013

Skip You have been logged off on Web Interface

In some situations you would rather not see the message "You have been logged off. See you again soon." and, instead of having to press Return to Log On, you would like to go directly to the logon page after logoff.

image

Start a Command Prompt as administrator.

image

Copy the existing file c:\inetpub\wwwroot\Citrix\XenApp\auth\loggedout.aspx in order to have a backup of the original file.

image

Edit the file c:\inetpub\wwwroot\Citrix\XenApp\auth\loggedout.aspx

image

Find the entry // A new Session will have been created for this page request as it has already been and insert the text Response.Redirect("login.aspx?CTX_FromLoggedoutPage=1"); just before the %> as shown here:

image

You will now jump directly to the logon page when you logoff.

Wednesday, February 20, 2013

Slow Citrix Web Interface

This is a typical problem with newly installed Citrix Web servers.

You may see a very long response time for the users to get to the welcome screen.

This often happens when you have restarted IIS or the web site has not been used lately.

To fix this, start a command prompt as administrator.

image

Edit c:\Windows\Microsoft.NET\Framework\v2.0.50727\Aspnet.config

image

Insert the text <generatePublisherEvidence enabled="false"/> as shown here:

image

Do the same for the 64 bit version in c:\Windows\Microsoft.NET\Framework64\v2.0.50727\Aspnet.config

image

More information can be found here http://support.citrix.com/article/CTX117273

Another tip that seems to have a good performance impact on Application Enumeration is to disable NetBIOS over TCP/IP:

image

Thursday, February 14, 2013

ADMX files available

In this post I will list the ADMX/ADML files I am aware of.

Some of them I have used in my daily work. There are probably many more, so let me know if you know other ADMX files and I will update the list.

Product | Download Link/Information Link
Office 2007 SP2 | http://www.microsoft.com/en-us/download/details.aspx?id=3795
Office 2010 | http://www.microsoft.com/en-us/download/details.aspx?id=18968
Office 2013 | http://www.microsoft.com/en-us/download/details.aspx?id=35554
Office 2016 | https://www.microsoft.com/en-us/download/details.aspx?id=49030 (Added October 2015)
Internet Explorer 8 | Install Internet Explorer 8 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use IE 11 download link
Internet Explorer 9 | Install Internet Explorer 9 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use IE 11 download link
Internet Explorer 10 | Install Internet Explorer 10 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use IE 11 download link
Internet Explorer 11 | Install Internet Explorer 11 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use http://www.microsoft.com/en-us/download/details.aspx?id=40905
OneDrive for Business Next Generation Sync Client | https://support.office.com/en-us/article/Administrative-settings-for-the-OneDrive-for-Business-Next-Generation-Sync-Client-0ecb2cf5-8882-42b3-a6e9-be6bda30899c (Added June 2016)
Silverlight | https://www.microsoft.com/GetSilverlight/resources/documentation/grouppolicysettings.aspx
MDOP (UE-V, APP-V and MBAM) | https://www.microsoft.com/en-us/download/details.aspx?id=54957 (changed March 2017)
Adobe Reader XI | ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/
Direct Access Connectivity Assistant | http://www.microsoft.com/en-us/download/details.aspx?id=10322
Citrix Profile management | Find it in your XenDesktop/XenApp ISO in x64\ProfileManagement\ADM_Templates (changed March 2017)
Citrix Receiver | https://www.citrix.com/downloads/citrix-receiver/windows/receiver-for-windows-latest.html part of installation in "C:\Program Files (x86)\Citrix\ICA Client\Configuration" (changed March 2017)
Citrix Sharefile | https://www.citrix.com/downloads/sharefile/clients-and-plug-ins/sharefile-drive-mapper.html (ShareFile Drive Mapper Policy Definitions) (changed March 2017)
Windows Server 2016 TP5 | Windows Server 2016 Technical Preview 5 https://www.microsoft.com/en-us/download/details.aspx?id=51957 (added April 2016)
Windows 10 (RTM and 1511) | http://www.microsoft.com/en-us/download/details.aspx?id=48257 (added August 2015)
Windows 10 (1607) and server 2016 | https://www.microsoft.com/en-us/download/details.aspx?id=53430 (added August 2016)
Windows 10 (1703) | https://www.microsoft.com/en-us/download/details.aspx?id=55080 (added April 2017)
Windows 8.1 and 2012 R2 with Update1 (KB2919355) | http://www.microsoft.com/en-us/download/details.aspx?id=43413 (added July 2014)
Windows 8.1 and 2012 R2 | http://www.microsoft.com/en-us/download/details.aspx?id=41193 (added December 2013)
Windows 8 and 2012 (RTM) | http://www.microsoft.com/en-us/download/details.aspx?id=36991
Windows 7 and 2008 R2 (RTM) | http://www.microsoft.com/en-us/download/details.aspx?id=6243
Windows 2008 | http://www.microsoft.com/en-us/download/details.aspx?id=14355
Windows Vista | http://www.microsoft.com/en-us/download/details.aspx?id=17835
Forefront Identity Manager 2010 | http://www.microsoft.com/en-us/download/details.aspx?id=13118
Chrome | https://support.google.com/chrome/a/answer/187945?hl=en
Firefox | http://www.frontmotion.com/Firefox/download_firefox.htm ; http://sourceforge.net/projects/firefoxadmx/
GPO Logging Custom ADMX | http://gpoguy.com/free-tools/free-tools-library/gpo-logging-custom-admx-for-windows-vista/
3rd party software like Adobe Reader, 7-ZIP, Java, Skype and more | http://customadmx.sourceforge.net
HP Universal Printer Driver | HP Printer Administrator Resource Kit (added January 2014)
Forefront Endpoint Protection 2010 | http://www.microsoft.com/en-us/download/details.aspx?id=13088 (fep2010grouppolicytools-en-us.exe)
Enhanced Mitigation Experience Toolkit | https://www.microsoft.com/en-us/download/details.aspx?id=50766 Install EMET and you will find the admx file in the installation folder under EMET\Deployment\Group Policy Files (e.g. C:\Program Files (x86)\EMETxx\Deployment\Group Policy Files) (added March 2014)
LogMeIn | https://secure.logmein.com/welcome/webhelp/EN/SecDoc/LogMeIn/t_adm_download.html
VMware Horizon 6 | https://pubs.vmware.com/horizon-61-view/index.jsp?topic=%2Fcom.vmware.horizon-view.desktops.doc%2FGUID-633FB6A2-206E-40A2-A72B-0FD28823EBCA.html ADMX files available inside the file VMware-Horizon-View-Extras-Bundle-x.x.x-yyyyyyy.zip (added July 2015)

Please also take a look at the article http://larslohmann.blogspot.dk/2013/02/create-central-store-for-gpo.html

Tuesday, February 12, 2013

Encountered an error while parsing in GPMC


After updating the ADMX files in your central store, you might see this error in GPMC:

Encountered an error while parsing.

Expected one of the following possible element(s)

This error is for example seen if you try to open the administrative template node from a Windows 2008 server but your central store is updated to Windows 2008 R2 or Windows 7 ADMX files.

From now on you should only use Windows 2008 R2, Windows 7 or newer to edit your group policy objects.

image

Friday, February 8, 2013

Create a central Store for GPO administrative templates

Update 18-11-2015

It looks like the ADMX files for the 1511 update have almost the same problem as the last time:

If you have previously copied ADMX files for Windows 8.1 you might see this error:

Namespace 'Microsoft.Policies.WindowsStore' is already defined as the target namespace for another file in the store.

image

Right now, just delete the old files winstoreui.adml and winstoreui.admx; they are replaced by WindowsStore.admx and WindowsStore.adml.

Update 05-08-2015

In order to support Windows 10 clients you can, after updating your central store with the Windows 2012 R2 and Windows 8.1 ADMX files, also update it with the Windows 10 ADMX files.

Download the Windows 10 ADMX files from here Administrative Templates (.admx) for Windows 10. Install the downloaded MSI and then copy all ADMX files and the language folders you need (ADML files) from "C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions" to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions

image

Accept to copy and Replace all files and folders:

image

image

After copying you need to do this:

Delete the LocationProviderADM.admx and LocationProviderADM.adml files from the central store.

Rename Microsoft-Windows-Geolocation-WLPAdm.admx to LocationProviderADM.admx

Rename Microsoft-Windows-Geolocation-WLPAdm.adml to LocationProviderADM.adml

"'Microsoft.Policies.Sensors.WindowsLocationProvider' is already defined" error when you edit a policy in Windows
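
Both updates above come down to two ADMX files in the central store declaring the same target namespace. The PowerShell function below is an added example (not from the original post or from Microsoft) that reports such collisions; the function name Get-AdmxNamespaceConflict and the stand-in files it writes to a temp folder are constructed for illustration.

```powershell
# Added example: list ADMX files in a store that declare the same target namespace.
function Get-AdmxNamespaceConflict {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Filter *.admx -File | ForEach-Object {
        $file = $_
        try {
            $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
            # An ADMX file names its own namespace in <policyNamespaces><target>.
            $ns = $xml.policyDefinitions.policyNamespaces.target.namespace
            if ($ns) { [pscustomobject]@{ Namespace = $ns; File = $file.Name } }
        } catch {
            Write-Warning "Could not parse $($file.Name): $($_.Exception.Message)"
        }
    } | Group-Object -Property Namespace | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Namespace = $_.Name
            Files     = ($_.Group.File | Sort-Object) -join ', '
        }
    }
}

# Constructed sample store with minimal stand-in files (not real template content).
$store = Join-Path ([IO.Path]::GetTempPath()) "PolicyDefinitions-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $store | Out-Null
$template = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="sample" namespace="{0}" />
  </policyNamespaces>
</policyDefinitions>
'@
$sample = [ordered]@{
    'winstoreui.admx'                           = 'Microsoft.Policies.WindowsStore'
    'WindowsStore.admx'                         = 'Microsoft.Policies.WindowsStore'
    'LocationProviderADM.admx'                  = 'Microsoft.Policies.Sensors.WindowsLocationProvider'
    'Microsoft-Windows-Geolocation-WLPAdm.admx' = 'Microsoft.Policies.Sensors.WindowsLocationProvider'
    'Example.admx'                              = 'Example.Policies.NoConflict'  # constructed name
}
foreach ($name in $sample.Keys) {
    $template -f $sample[$name] | Set-Content -LiteralPath (Join-Path $store $name)
}

Get-AdmxNamespaceConflict -Path $store | Format-List
Remove-Item -LiteralPath $store -Recurse -Force
```

Against a real store, pass the path used in this article, \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions, and run the check before opening GPMC after each template update.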

Update 05-01-2014

Now that we are typically dealing with Windows 2012 R2 and Windows 8.1, it’s time for a short update.

The procedure explained in this article is still valid, but at the moment the easiest way is to download the ADMX files from here http://www.microsoft.com/en-us/download/details.aspx?id=41193 and copy all ADMX files after installing the downloaded file from "C:\Program Files (x86)\Microsoft Group Policy\Windows 8.1-Windows Server 2012 R2\PolicyDefinitions" to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions

Then copy all the language folders (with ADML files) for the languages you need, ending up with something like this, where only en-US language files are used.

image

By using the downloaded files instead of the files in c:\Windows\PolicyDefinitions you will see a few more files than in the local PolicyDefinitions folder. In my example the ADMX files added were these:

image

But this will depend on the Roles and features installed on your Windows 2012 R2 server. By doing this you are ready to support Windows 2012 R2 and Windows 8.1 clients.

Original post

In order to take full advantage of the ADMX/ADML template files we create a central store for the files.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies as shown here

image

Copy all files and subfolders from the PolicyDefinitions folder on a Windows 7 client computer to the PolicyDefinitions folder on the domain controller.

After that copy all files and subfolders from the PolicyDefinitions folder on a Windows 2008 R2 server to the same location overwriting any existing files.

The same has to be done if your source is Windows 8 and Windows 2012 instead.

image

You can find the PolicyDefinitions folder in your windows folder (C:\Windows\PolicyDefinitions).

The reason for copying from both Windows 7 and Windows 2008 R2 is that some ADMX/ADML files only exist on one of the platforms.

To make this a bit more complicated some ADMX/ADML files will first show up in the local PolicyDefinitions folder when the corresponding server role has been installed.

You should always edit your policies from an OS platform equal to or higher than the OS platform where the ADMX/ADML files are taken from. So if your files are taken from Windows 7 and Windows 2008 R2, don’t use Windows Vista or Windows 2008 to edit GPOs.

ADMX files for other products can also be copied to the central store, more on this later.

When the central store is in use you will see the information Policy definitions (ADMX files) retrieved from the central store when looking at the administrative templates in the Group Policy management Editor (GPMC).

image

Please also see my list of available ADMX files that you could add to your Central Store when needed:

http://larslohmann.blogspot.dk/2013/02/admx-files-available.html

Remember to use the latest version of the Group policy Editor or you could end up with errors like this:

http://larslohmann.blogspot.dk/2013/02/encountered-error-while-parsing-in-gpmc.html

Thursday, February 7, 2013

Drive Mappings in Group Policy Preferences not working

Drive mappings in group policy preferences are not always working as I would like them to. There are, however, ways to change the default behavior.

Drive mappings are not done at every login or gpupdate, so in order to change this you can change the policy

Computer Configuration – Administrative Templates – System – Group Policy – Drive Maps preference extension policy processing (on Windows 8/2012 the title is Configure Drive Maps preference extension policy processing)

If this setting is missing you might have to update your ADMX files in your central store.

image

This will trigger the drive mapping CSE at every login.

When deleting a drive mapping and running GPUPDATE the drive is not coming back.

This can be fixed by changing this registry value to 0: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}\NoBackgroundPolicy

image

If your Windows 7 users have local administrative rights you might also need to take a closer look at this link and then create the EnableLinkedConnections registry entry. For Windows 8 this hotfix might be your answer http://support.microsoft.com/kb/2795944.

Another issue seen more than once is that your non-persistent drive mappings are shown as disconnected when you start your computer offline. Microsoft has a hotfix available for this problem:

A mapped drive that has the non-persistent flag set is displayed as a disconnected drive in Windows 7 or in Windows Server 2008 R2

Wednesday, February 6, 2013

Users able to eject NIC on RDS and XenApp servers

When building virtual XenApp or RDS servers it might not be a good thing that users are able to eject the network card.

image

One way to disable this is to change the configuration of the virtual machine.

Go to the Options tab, select General and then click on Configuration Parameters.

image

Now Add a Row named devices.hotplug and set it to False, this will remove the eject option from Windows.

image

Friday, February 1, 2013

DCPROMO error

When demoting a DC I ran into this error:

The operation failed because: Active Directory Domain Services could not configure the computer account <hostname>$ to the remote Active Directory Domain Controller account <fully qualified name of helper DC>. “Access is denied”

I found a possible explanation dealing with missing security rights as described here kb2002413, but it was quickly clear that this was not the case.

It turned out to be a very simple solution, the computer had the protect object from accidental deletion checked, when this was unchecked, I was able to remove the DC.