Windows Desktop

Using Group Policy Preferences with Older Versions of Windows

http://www.microsoft.com/en-us/download/details.aspx?id=6955I was doing some testing with a newly created GPO that used Group Policy Preferences (GPP) to add a user account to the local administrators group, and I noticed that the policy seemed to apply properly to all of my Server 2012 and 2008 systems but not on any Server 2003 machines.

I did some research and came across an article on Microsoft’s Group Policy blog that shined some light on my issue:

Group Policy Preferences Not Applying on Some Clients: Client-Side Extension, XMLLite

The gist of it is that I needed to install the proper Client-Side  Extensions (CSEs) for Server 2003. All of the links for the individual OSes and versions are in the MS blog post, but the specific one I needed is below.

CSEs for Windows Server 2003 with SP1 or later (32-bit)

You may also need to install XMLLite in addition to the CSEs, but to quote the post:

“XMLLite is not needed if:

· Your clients run Windows Server 2008 or Windows Vista.

· Your clients Windows XP and Windows Server 2003 clients run Internet Explorer 7 and/or the latest service packs.”

After installing the CSEs on my machines, they started processing the GPPs normally.

Drop Down

As a side-note for anyone interested; The GPP to add user accounts to local groups is located under Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups.

To modify a local group, right-click and select New – > Local Group, choose Update as the action, pick a group from the Group Name drop down menu, in my case Administrators (built-in) (make sure to use the drop down and not the ellipses button; see image), and then use the Add button at the bottom of the window to add either local or domain accounts to that group.

Most of the guides I’ve found suggest using Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups to add users to the local administrators group, but this policy acts to replace any existing memberships rather than merge with them, so keep this in mind if you have Group Policy Objects linked at higher OUs which add users to the same groups. If you want to preserve the existing memberships, consider using GPPs to make the modifications instead.

-Rick

Advertisements

Alt Methods to Fix: “The Trust Relationship Between This Workstation and the Primary Domain Failed”

 

For any Windows admin, this error is a familiar sight.

The typical fix, and Microsoft’s recommended resolution, is to log in with a local admin account, join the system to a workgroup, and then rejoin it to the domain.

However, I ran into this blog post a while back which details some cool alternative methods and saved the link in case it should come in handy some day, which it has on several occasions.

DON’T REJOIN TO FIX: The trust relationship between this workstation and the primary domain failed

Basically, he lists two distinct methods for resetting the computer password:

  1. use netdom.exe

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

< user> = DOMAIN\User format with rights to change the computer password

“Where you get netdom.exe depends on what version of Windows you’re running.”

“On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT).”

Download RSAT for Windows 7 SP1 here

Download RSAT for Windows 8.1 here

You can read some additional notes about this method in the blog post. (link here)

  1. via Powershell

Reset-ComputerMachinePassword [-Credential <PSCredential>] [-Server <String>]

“You can use the Get-Credential cmdlet for a secure way to generate a PSCredential, which can be stored in a variable and used in a script.  You will want to generate a credential for an Active Directory user with sufficient rights to change the computer’s password.  The Server parameter is the domain controller to use when setting the machine account password.”

Here’s a TechNet article on the Reset-ComputerMachinePassword command for additional reference.

-Rick

VMware Horizon View – Resource Dump

When preparing for my VMware Horizon View deployment, I spent a lot of time (as you should too) searching, reading, and parsing through official documentation and expert guides. Most of what I found is easy enough to find with some simple Google searches but, in the interest of consolidation and to save you the trouble, what follows is a resource dump of what I found the most helpful.

VMware Horizon View Infrastructure Planning, Installation, and Administration

VMware Horizon View 5.3 Official Documentation Page

VMware Horizon View Architecture Planning

VMware Horizon View Installation

VMware Horizon View Administration

VMware Horizon View Security

VMware Horizon View Upgrades

Operating System Optimization for VDI

VMware Horizon View Optimization Guide for Windows 7 and Windows 8

VMware View 5 PCoIP Optimization Guide

VMware Horizon View 5.2 Performance and Best Practices

VMware OS Optimization Tool

My Top 10 VMware View Performance Tips

Turbo-charge View Video Performance

“For desktop VMs using VMXnet3 NICs, you can significantly improve the peak video playback performance of your View desktop by simply setting the following registry setting to the value recommended by Microsoft:”
HKLM\System\CurrentControlSet\Services\Afd\Parameters\FastSendDatagramThreshold to 1500

View Accelerated – 3D Graphics with Horizon View 5.2

“Registry change on the VM – [HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware SVGA DevTap]
“MaxAppFrameRate”=dword:00000000 – If it does not exist it defaults to 30. Set it to 0 to disable any frame cap.”

How to improve VMware View video performance

VMware KB 2010359

Method 1:
1. Power off the virtual machine using the vSphere Client.
2. Right-click the virtual machine and click Edit Settings.
3. Select the Options tab and under Advanced.
4. Click General.
5. Click Configuration Parameters and click Add Row
6. In the Name field enter mks.poll.headlessRates and in the Value field enter 1000 100 2.
7. Click OK.
8. Power on the virtual machine.

VMware View 5.x – Windows 7 Golden Image

“Video Card: Do not “Auto detect” (see VMware KB 1017380), set to 2 displays and 128 MB video memory”

“Remove he following components (features) from the OS (unless you really need them) and reboot VM:
• Games
• Media Features – Windows DVD Maker
• Media Features – Windows Media Center
• Print and Document Services – Internet Printing Client
• Print and Document Services – Windows Fax and Scan
• Tablet PC components
• Windows Gadget Platform”

Suggested changes to VMware View Optimization Script for Windows 7

-Rick

Create a Windows Security Baseline Group Policy Object with Microsoft Security Compliance Manager (SCM)

Security Compliance Manager (SCM) is a tool that I find extremely useful, especially when preparing for a new Windows OS deployment. And best of all, it’s free!

Included in SCM are Microsoft’s recommended baseline security configurations for just about all of their current Operating Systems, including both desktop and server OSes, as well as some of their flagship applications such as Internet Explorer and Office. You can review and modify these configurations directly in SCM, export the configuration to a GPO Backup folder (as well as to a .cab or .xlsm), and then use that export to create a Group Policy Object to be applied to the appropriate systems in your domain.

I recently used this tool to create a security baseline GPO for Windows Server 2012 R2, so I’ll provide you with the basic steps that I used as a reference.

Please take note that even though the baselines included in SCM are Microsoft’s recommended configurations for security hardening, many of the settings have the potential of having a negative impact on your systems’ performance  and/or your ability to manage them. Because of this I highly recommend taking the time to carefully review and research each setting within a baseline to make sure it will not conflict with any existing policies or procedures in your environment, and making changes as needed.

  1. Download and install Security Compliance Manager 3.0.
  2. In the left pane, expand Microsoft Baselines.
  3. Expand the desired operating system or application version and then select a role. In my case I chose Windows Server 2012 and the basic Member Server Security Compliance role.

SCM1

  1. With the role selected, click on the Duplicate button in the right pane under the Baseline section.

SCM2

  1. Give the duplicate configuration a new name and modify the description if you wish and then click Save.
  2. Your duplicate configuration will show up at the top of the left pane under Custom Baselines, above Microsoft Baselines. Click on it to open the configuration.

SCM3

  1. Take some time to carefully review the configuration settings included in the baseline in the center of the window. You can make changes as needed by clicking on the setting and then modifying the options shown.

SCM4

  1. When you’re finished making any necessary changes, export the configuration by clicking on the GPO Backup (folder) link in the right pane. Be sure to save it somewhere accessible from the system where you manage your domain group policies.

SCM5

  1. Open up the Group Policy Management console and connect to your domain.
  2. Under Forest -> Domains -> MyDomain -> Group Policy Objects, create a new Group Policy Object and name it according to your organization’s GPO naming convention. If you don’t have one, I recommend basing the name off of the baseline configuration you created to distinguish it and make it easier to find, e.g. Windows Server 2012 Security Baseline.
  3. Once created, right-click on the new GPO and click Import Settings…

SCM6

  1. When the Import Settings Wizard appears click Next >.
  2. If you’re attempting to import the configuration settings into an existing GPO rather than with a newly created one, I recommend using the next screen to create a backup of the GPO first. Otherwise, since there are no existing settings to overwrite, click Next > to continue.
  3. Browse to the location of the GPO Backup folder that you exported from SCM earlier and then click Next >.

SCM7

  1. The wizard should detect the baseline in the backup folder and list it in the next window. Click on it and then click Next >.

SCM8

  1. You may get a warning that the backup contains UNC paths. Select Copying them identically from the source and then click Next >.

SCM9

  1. Click Finish to complete the import.

And there you go, you now have a Group Policy Object containing the recommended baseline security settings for your product. From here you can begin linking the GPO to your OUs as needed. I would highly recommend using security filtering and/or a WMI filter to make sure the GPO is only applied to a few select test systems until you’ve gauged how the new settings will impact your environment.

To use my recent experience as an example, I created a security group in Active Directory named Windows Server 2012 GPO Testing, added a single test server to this group, and then added the group to my baseline GPO’s Security Filtering (make sure you also remove Authenticated Users). To be extra careful, I also created a new WMI filter to only return Windows Server 2012 R2 Member Servers and added this to my GPO as well. These help to ensure that my policy will only be applied to servers which are members of my security group, are running Windows Server 2012 R2,  and are not domain controllers, regardless of the OU that I link the policy to in my Active Directory structure.

If you want to create your own custom WMI filter, the process is very simple.

  1. Open the Group Policy Management console and expand Forest -> Domains -> MyDomain -> WMI Filters.
  2. Right-click the WMI Filter container and click New.
  3. Name the new filter appropriately. In my case, I named it Windows Server 2012 Member Server ONLY. Add a description to help others know exactly what your filter does.
  4. Click the Add button to create a new query.
  5. You can leave the namespace as root\CIMv2 and then enter your custom query. To find and return only Windows Server 2012 R2 Member Servers, I used the following query:

select * from Win32_OperatingSystem where Version like “6.3%” and ProductType=”3″

  1. When finished click Save.
  2. You can now use this filter for any GPO that you wish, simply by using the drop-down at the bottom of the Scope tab (same place where you set Security Filtering)

SCM10

For some help creating your own WMI filters, check out the links below.

Create WMI Filters for the GPO

Operating System Version Numbers

-Rick