Tuesday, May 21, 2013

Script - detect users SID and make registry changes based on it

Deploying some laptops I needed to add registry changes to a user's account. Unfortunately the accounts were not domain accounts, which made it slightly harder.

To complicate matters, the registry editor is disabled by GPO on these particular machines and we didn't want to enable it. So the user can't run the reg add themselves, AND the user's SID is different on each computer.

The solution was to use PsGetSid to find the user's SID and then add the registry values under HKU\<SID> from an account that does have access to the registry on the machine.

Example:
rem PsGetSid prints a banner before the SID; with "delims=" each output line overwrites %usersid%, so the last line (the SID itself) is what is kept.
rem On a first run the Sysinternals EULA dialog appears unless /accepteula is passed.
For /f "delims=" %%i in ('c:\admin\psgetsid.exe usernameofaccounttochange') DO set usersid=%%i

rem DefaultConnectionSettings is stored as REG_BINARY (so /d takes the hex string); the 9th byte (01) is the flags byte, see the IE post below.
reg add "HKU\%usersid%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "DefaultConnectionSettings" /t REG_BINARY /d 460000001e00000001000000000000000000000000000000010000000000000018dc31de5756ce0100000000000000000000000000000000 /f
rem Always show all notification area icons for this user.
reg add "HKU\%usersid%\Software\Microsoft\Windows\CurrentVersion\Explorer" /v EnableAutoTray /t REG_DWORD /d 0 /f



Note: You can also use %username% to detect the currently logged-on user and retrieve the SID for the script, BUT if UAC is enabled and prompts, the username returned will be that of the admin account you entered at the UAC prompt, which is likely not what you're after.

Internet Explorer slow on first open

Configuring new laptops we found that Internet Explorer was very slow to load the first time it was opened after connecting to a new network (in our case wireless networks). This was with IE8, IE9 and IE10 on a Windows 7 x64 machine, with both the 64-bit and 32-bit versions of IE.

After many hours of cursing I found that this was due to the following setting:
Internet Options, Connections, LAN settings, Automatically detect settings.

Unchecking this option fixed the issue.


In the registry this is found here (the value is REG_BINARY):
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "DefaultConnectionSettings" /t REG_BINARY /d 460000001e00000001000000000000000000000000000000010000000000000018dc31de5756ce0100000000000000000000000000000000 /f

In particular, the flags byte, the 01 immediately after 460000001e000000 (bolded in the original post), is what disables it: 01 means direct connection only, while 09 means direct connection plus "Automatically detect settings" (the 08 bit).
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/cb6abb30-4360-4d3d-93fc-61823b2a5c20

Note: in our case this only affected WLAN connections. Broadband and LAN did not display the issue (unless WLAN was also connected at the same time).
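The two posts above (SID lookup for a non-logged-on admin, and the auto-detect flag in DefaultConnectionSettings) as one added PowerShell example; this is not the original post's script. It resolves the SID with .NET instead of PsGetSid, and flips only the 0x08 bit of the flags DWORD so any proxy or PAC settings already in the blob survive. It assumes it runs elevated and that the target user is currently logged on (otherwise HKU\<SID> is not loaded); the parameter names are my own.

```powershell
# Added example, not from the original post: resolve a local account's SID with .NET
# (no PsGetSid needed) and toggle only the auto-detect bit of DefaultConnectionSettings
# under that user's HKU hive, leaving any proxy/PAC settings in the blob intact.
# Assumptions: run elevated; the target user is logged on, otherwise HKU\<SID> is not loaded.
param(
    [Parameter(Mandatory=$true)][string]$UserName,   # pass the target explicitly; %username% under UAC is the admin
    [switch]$EnableAutoDetect                        # omitted = clear "Automatically detect settings"
)

$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$hive = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $hive)) {
    throw "Hive HKU\$sid is not loaded; the user must be logged on (or load NTUSER.DAT with reg load first)."
}

# DefaultConnectionSettings is REG_BINARY: bytes 0-3 version (0x46), 4-7 change counter, 8-11 flags.
# Flag bits: 0x01 direct, 0x02 proxy, 0x04 PAC script, 0x08 auto-detect. The post's "01 vs 09" is this byte.
$connKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
if (-not (Test-Path $connKey)) { New-Item -Path $connKey -Force | Out-Null }
$blob = (Get-ItemProperty -Path $connKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($null -eq $blob -or $blob.Length -lt 12) {
    $blob = [byte[]](0x46,0,0,0, 0,0,0,0, 0x01,0,0,0)   # minimal valid header: direct connection, nothing else
}

$flags = [System.BitConverter]::ToUInt32($blob, 8)
$autoDetectOn = ($flags -band 0x08) -ne 0
if ($EnableAutoDetect -and -not $autoDetectOn) { $flags = $flags -bor 0x08 }
elseif (-not $EnableAutoDetect -and $autoDetectOn) { $flags = $flags -bxor 0x08 }
[System.BitConverter]::GetBytes([uint32]$flags).CopyTo($blob, 8)

# Bump the change counter the way IE itself does on every edit, so the new blob is picked up.
$counter = [System.BitConverter]::ToUInt32($blob, 4) + 1
[System.BitConverter]::GetBytes([uint32]$counter).CopyTo($blob, 4)
Set-ItemProperty -Path $connKey -Name DefaultConnectionSettings -Value $blob -Type Binary

# Second value from the first post: show all notification area icons.
$explorerKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Explorer"
if (-not (Test-Path $explorerKey)) { New-Item -Path $explorerKey -Force | Out-Null }
Set-ItemProperty -Path $explorerKey -Name EnableAutoTray -Value 0 -Type DWord
```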

Friday, May 17, 2013

Prevent domain users from logging into computer

We have a number of laptops that are in common areas (i.e. conference rooms, shared amongst staff) as well as out in the field, where they are used more as a "thin client" to connect back to a Citrix environment. On these laptops we don't want staff logging in with their domain account and having the ability to copy sensitive files to the local disk. We also don't want a specific domain user logging into a laptop and then walking off without logging off, effectively preventing the next user from accessing the computer (unless they hard power off the system, which isn't what we want).

In the past, with Windows XP, I was able to quickly remove this access for domain users without affecting domain admins by removing the following groups from the local "Users" group via a script during setup.
Net localgroup users "domainname\Domain Users" /delete
Net localgroup users "NT Authority\Interactive" /delete
Net localgroup users "NT Authority\Authenticated Users" /delete



If you attempt this in Windows Vista and above it results in slow logon, slow logoff, a blank desktop, etc. I.e. it doesn't work.
http://support.microsoft.com/kb/970879



The easy way around this (and the proper fix anyway) is to simply limit the "Allow log on locally" user right (under Security Settings, Local Policies, User Rights Assignment) in GPO.

If you open gpedit.msc on the local machine you can see the normal settings for this key:


So we can see that we can easily remove the "Users" group from the list. This will prevent anyone who falls into the "Users" group from logging in.

Now you need to add any of the specific usernames that you do want to allow to login.
This for example could be a specific local account or specific domain user accounts.

I highly recommend that rather than doing this with the local GPO you do it in the domain with an OU-specific GPO that contains only the computers you want it to affect. Ensure you don't link the GPO at the wrong OU or you'll cause havoc across your environment.



Note: depending on your environment setup this could have unexpected results, specifically if you have certain non-admin user accounts that have to log on to the system for certain tasks (backups, services, scanning, etc.).
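An added PowerShell check for the post above (not the post's own script): after the GPO has applied, it exports the effective local policy with secedit, lists who holds "Allow log on locally", and warns on the two outcomes that matter here, BUILTIN\Users still present (domain users can still log on) and BUILTIN\Administrators missing (you have locked admins out). It assumes an elevated session; the function name is my own.

```powershell
# Added example, not from the original post: audit who currently holds "Allow log on locally"
# (SeInteractiveLogonRight) on this machine. secedit /export writes the effective local policy,
# which already includes user rights pushed by GPO. Assumes an elevated session.
function Get-InteractiveLogonHolders {
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # right assigned to nobody: nobody can log on interactively

    # Export format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,DOMAIN\someuser
    $entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        if ($e.StartsWith('*')) {
            # A leading * marks a raw SID; translate it to a name where the machine can resolve it.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = '(unresolved)' }
            $sidText = $sid.Value
        } else {
            $sidText = $null; $name = $e
        }
        [pscustomobject]@{ Sid = $sidText; Name = $name }
    }
}

$holders = @(Get-InteractiveLogonHolders)
$holders | Format-Table -AutoSize
$sids = @($holders | ForEach-Object { $_.Sid })
if ($sids -contains 'S-1-5-32-545')    { Write-Warning 'BUILTIN\Users still holds the right; domain users can log on.' }
if ($sids -notcontains 'S-1-5-32-544') { Write-Warning 'BUILTIN\Administrators is missing; you may be locked out.' }
```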

Wednesday, May 8, 2013

XenApp 6.5 Get-XAPrinterDriver shows removed drivers

When attempting to replicate drivers to a new farm with PowerShell I found that Get-XAPrinterDriver -ServerName CtxTest01 returned a list of drivers that still included old drivers that had been removed (and didn't include new drivers that had been installed).

Rebooting did not help. Looking back at the scenario, recreating the local host cache (LHC) may also have worked.

Update-XAPrinterDriver -ServerName CtxTest01

After running the above, the drivers showed as expected.


Replicate drivers:
http://support.citrix.com/article/CTX126125

printer driver is not installed error on 2008 Print Server

This is nothing new, been around for years, but every year or so I have to spend another 10 minutes having to search out the answer again.

On a Windows 2008 R2 print server I switched a printer's driver to another driver and was greeted with "printer driver is not installed on this computer. Some printer properties will not be accessible unless you install the printer driver. Do you want to install the driver now?".

Installing the driver again (it was already installed) doesn't help.


http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/5101195b-3aca-4699-9a06-db4578614e2d/


This affects out-of-the-box HP printer drivers. In my case the HP 4100 series PCL drivers.

Navigate to
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(printer's name)\PrinterDriverData
and change the value HPTrayCount to 12.

Do this for each printer (and repeat anytime you change the driver).
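Since the fix has to be repeated per printer and after every driver change, here is an added PowerShell loop (not from the original post) that applies it to every queue on the print server whose driver name starts with "HP". It assumes HPTrayCount is a REG_DWORD (the post gives only the value, 12), that it runs elevated on the print server, and the parameter names are my own; -WhatIf previews the changes.

```powershell
# Added example, not from the original post: set HPTrayCount on every HP-driven queue on this
# print server. Assumes HPTrayCount is a REG_DWORD and that the script runs elevated.
[CmdletBinding(SupportsShouldProcess=$true)]
param([string]$DriverPrefix = 'HP', [int]$TrayCount = 12)

$printersRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers'
foreach ($printer in Get-ChildItem -Path $printersRoot) {
    # "Printer Driver" under each queue key holds the driver name the queue currently uses.
    $driver = (Get-ItemProperty -Path $printer.PSPath -Name 'Printer Driver' -ErrorAction SilentlyContinue).'Printer Driver'
    if (-not $driver -or -not $driver.StartsWith($DriverPrefix, 'OrdinalIgnoreCase')) { continue }

    $dataKey = Join-Path $printer.PSPath 'PrinterDriverData'
    if (-not (Test-Path $dataKey)) { continue }   # driver has not created its data key yet
    $current = (Get-ItemProperty -Path $dataKey -Name HPTrayCount -ErrorAction SilentlyContinue).HPTrayCount
    if ($current -eq $TrayCount) { continue }      # already fixed

    if ($PSCmdlet.ShouldProcess("$($printer.PSChildName) ($driver)", "set HPTrayCount $current -> $TrayCount")) {
        Set-ItemProperty -Path $dataKey -Name HPTrayCount -Value $TrayCount -Type DWord
    }
}
```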

Wednesday, May 1, 2013

Server 2008 R2 - Remove Libraries, Network, and Favorites from Explorer

During the deployment of XA65 I quickly found that I didn't want Libraries or Network displayed in Explorer. I also wanted to remove certain content from Favorites, but leave the Desktop entry (since we redirect our desktops to a central store).

Microsoft didn't provide a great way of removing this functionality. Fortunately there are many in the community who are sharp and figured this out on their own.
 
Thanks to Marco Sues from this Citrix thread for the solutions: http://forums.citrix.com/thread.jspa?threadID=266828
 
From this we're able to quickly add the necessary keys to a GPO for all our Citrix servers to remove the undesired shell folders for both x64 and x32 (Wow6432Node). In addition to adding the keys you also need to give SYSTEM full control over each ShellFolder key. This can be done with Computer Configuration/Policies/Windows Settings/Security Settings/Registry to change the permissions, and then GPO Preferences to set the Attributes values.
 
Favorites:
x64 = HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder
x32 = HKEY_LOCAL_MACHINE\Software\Wow6432Node\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder
for both
Attributes = a9400100
dword / hex
 
 
Libraries:
x64 = HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
x32 = HKEY_LOCAL_MACHINE\Software\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
for both
Attributes = b090010d
dword / hex
 
 
Network:
x64 = HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
x32 = HKEY_LOCAL_MACHINE\Software\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
for both
Attributes = b0940064
dword / hex
 
Once this is set in your GPO, run gpupdate /target:computer and then log off and back on (Explorer needs to reinitialize).
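An added PowerShell check for the procedure above (not from the original post or the Citrix thread): on a Citrix server it reads the three ShellFolder keys in both the native and Wow6432Node views, compares Attributes with the values listed above, and reports whether SYSTEM has Full Control on each key, so you can confirm the GPO actually landed before logging users on. It assumes an elevated session; the function name is my own.

```powershell
# Added example, not from the original post: verify the ShellFolder Attributes and the SYSTEM
# Full Control ACE on all six keys (three CLSIDs x two registry views). PowerShell reads both the
# hex literals and REG_DWORD values as signed Int32, so they compare directly.
$targets = @(
    @{ Name = 'Favorites'; Clsid = '{323CA680-C24D-4099-B94D-446DD2D7249E}'; Attributes = 0xa9400100 },
    @{ Name = 'Libraries'; Clsid = '{031E4825-7B94-4dc3-B131-E946B44C8DD5}'; Attributes = 0xb090010d },
    @{ Name = 'Network';   Clsid = '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'; Attributes = 0xb0940064 }
)
$views = @{
    x64 = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    x32 = 'HKLM:\SOFTWARE\Wow6432Node\CLSID'
}
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-ShellFolderPolicy {
    foreach ($t in $targets) {
        foreach ($view in 'x64', 'x32') {
            $key = "$($views[$view])\$($t.Clsid)\ShellFolder"
            $expected = '{0:x8}' -f $t.Attributes
            if (-not (Test-Path $key)) {
                [pscustomobject]@{ Item = $t.Name; View = $view; Expected = $expected; Actual = '(key missing)'; Match = $false; SystemFull = $false }
                continue
            }
            $actual = (Get-ItemProperty -Path $key -Name Attributes -ErrorAction SilentlyContinue).Attributes
            $actualText = if ($null -ne $actual) { '{0:x8}' -f $actual } else { '(absent)' }
            # Any Allow ACE for SYSTEM (inherited or explicit) that includes every FullControl bit counts.
            $systemFull = (Get-Acl -Path $key).Access | Where-Object {
                $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band $fullControl) -eq $fullControl
            }
            [pscustomobject]@{
                Item       = $t.Name
                View       = $view
                Expected   = $expected
                Actual     = $actualText
                Match      = ($actual -eq $t.Attributes)
                SystemFull = [bool]$systemFull
            }
        }
    }
}

Test-ShellFolderPolicy | Format-Table -AutoSize
```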
 
 
In my case I decided I didn't want to remove Favorites, since it gives quick and easy access to the desktop. Instead I redirected it to a central location for all users. This implies that end users won't be able to add their own "favorites" to the folder. This can be done with folder redirection, then placing the desktop shortcut in the redirected folder.
You could also easily redirect it to each user's own personal location and then script the removal of the unwanted "links" (located in the user's Links folder).