Group Policy

App-V Client Management via GPO

Deploying the App-V Client to end-user machines can be a headache. Microsoft provides ADM files for managing the configuration of the App-V Client via Group Policy in AD DS; however, if you are deploying the client yourself you will soon discover that the Microsoft ADM files don't let you configure an App-V Publishing Server at all. The only options the Microsoft ADM files give you are to override the sequenced application package and icon source roots.

Without that, the publishing server has to be baked into the install, so your install string for a silent installation will look something like this (everything inside the /v"..." parameter is handed to msiexec, and the quotes embedded in it have to be backslash-escaped):

setup.exe /s /v"/qn SWIPUBSVRDISPLAY=\"App-V Server\" SWIPUBSVRTYPE=\"RTSP /secure\" SWIPUBSVRHOST=\"SERVERNAME\" SWIPUBSVRPORT=\"322\" SWIPUBSVRREFRESH=\"on\" SWIFSDRIVE=\"Q\""

As you can see this isn't exactly elegant, and if you are using SCCM to deploy the App-V Client as I am, you will soon discover that SCCM has a character limit on the Program command line, which means you may have to build a batch file to run the installation and then call that file from the SCCM Program instead.
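To make the escaping and the length problem concrete, here is an added PowerShell example (not from the original post and not Microsoft's own tooling) that builds the silent-install string with the embedded quotes escaped for the InstallShield /v switch, checks it against a command-line length limit and, when it is too long, writes the batch wrapper described above. The MSI property names are the ones in the install string above; the 255-character limit, the wrapper file name and the server name are assumptions.

```powershell
# Added example, not from the original post: build the App-V client silent
# install string, escape the embedded quotes the way the InstallShield /v
# switch expects, and fall back to a batch wrapper when the command line is
# longer than the deployment tool allows.

function New-AppVInstallString {
    param(
        [Parameter(Mandatory)][string]$PublishingServer,
        [string]$DisplayName = 'App-V Server',
        [switch]$Secure,          # RTSPS (TLS) instead of clear-text RTSP
        [int]$Port = 0,           # 0 = use the protocol's default port
        [string]$Drive = 'Q'
    )
    # App-V 4.x client defaults: RTSP on 554, "RTSP /secure" (RTSPS) on 322.
    $type = if ($Secure) { 'RTSP /secure' } else { 'RTSP' }
    if ($Port -eq 0) { $Port = if ($Secure) { 322 } else { 554 } }

    $props = [ordered]@{
        SWIPUBSVRDISPLAY = $DisplayName
        SWIPUBSVRTYPE    = $type
        SWIPUBSVRHOST    = $PublishingServer
        SWIPUBSVRPORT    = $Port
        SWIPUBSVRREFRESH = 'on'
        SWIFSDRIVE       = $Drive
    }
    # Everything inside /v"..." is passed on to msiexec; a double quote inside
    # that block must be written as \" or InstallShield ends the /v argument
    # early. Single-quoted PowerShell strings keep the backslash literal.
    $msiArgs = foreach ($p in $props.GetEnumerator()) { '{0}=\"{1}\"' -f $p.Key, $p.Value }
    return 'setup.exe /s /v"/qn {0}"' -f ($msiArgs -join ' ')
}

function New-AppVInstallProgram {
    param(
        [Parameter(Mandatory)][string]$InstallString,
        [string]$WrapperPath = 'Install-AppVClient.cmd',   # assumed wrapper name
        [int]$MaxCommandLength = 255                       # assumed SCCM Program command-line limit
    )
    if ($InstallString.Length -le $MaxCommandLength) {
        return $InstallString          # short enough to paste straight into the Program
    }
    # Too long: write a batch wrapper and point the SCCM Program at that instead.
    $batch = @('@echo off', $InstallString, 'exit /b %ERRORLEVEL%')
    Set-Content -Path $WrapperPath -Value $batch -Encoding Ascii
    return (Split-Path -Leaf $WrapperPath)
}

# Assumed server name; -Secure selects "RTSP /secure" on port 322.
$cmd = New-AppVInstallString -PublishingServer 'SERVERNAME' -Secure
Write-Host ('{0} chars: {1}' -f $cmd.Length, $cmd)
New-AppVInstallProgram -InstallString $cmd                        # fits: returns the string
New-AppVInstallProgram -InstallString $cmd -MaxCommandLength 120  # too long: writes and returns the wrapper
```

The second call forces the wrapper path with an artificially low limit so you can see both behaviours; in practice you would leave the limit at whatever your version of SCCM actually enforces.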

The other problem is that you are then hard-coded to the server name and port specified at install time. Yes, you could use a DNS CNAME to direct your clients to the App-V servers, and you could use a GPO to edit the registry keys on the end-user machines after the fact, but none of this is as clean as managing the deployment properly.

Introducing Login Consultants, a Netherlands-based virtualization specialist company. It provides a third-party ADM file that you import into AD DS to extend the App-V management options beyond what the Microsoft ADM file offers, and best of all you can register and download the ADM file for free from http://www.loginconsultants.com/index.php?option=com_docman&task=cat_view&gid=20&Itemid=149.

Using the Microsoft ADM file and the Login Consultants ADM file together, your install string turns into this:

setup.exe /s /v"/qn"

Much cleaner, easier to set up in Configuration Manager, and it gives you the ability to manage all of your App-V server configuration, including server name, ports, protocol, the SFT_SOFTGRIDSERVER environment variable and all the other settings you need, via Group Policy.

For centralising and streamlining management this is a huge boon: you get a one-size-fits-all deployment of the App-V Client and then manage everything else from either AD DS or the App-V Management Server.

Using Group Policy Restricted Groups

Since starting work at Primark I've learnt tonnes, and I'm loving it. Today, however, was the exception: I tried to demonstrate to a colleague how to use Restricted Groups in a Group Policy Object 'in reverse', but I couldn't recall how to do it, leaving me feeling somewhat inadequate.

Under normal use, the Restricted Groups component of a Group Policy Object lets you restrict the membership of a particular group to the members you list; anyone not on the list is removed at every policy refresh. The most common use case is at the end-user desktop level, to ensure that no user can add themselves by hook or by crook to the local Administrators group (assuming you don't give your users Administrator permissions in the first place).

The flip side of this is that in some circumstances, more commonly on servers, you may want to add members to the Administrators group without removing any of the existing members.

To achieve this, right-click the Restricted Groups item in the MMC console and select Add Group. When asked for the name of the group, you would normally enter the group whose membership you want to control (e.g. Administrators); in this case, however, enter the name of the group that you want to add to Administrators.

When the dialog appears, add the Administrators group in the "This group is a member of" section.

This departure from the normal configuration adds the specified group to an existing group, leaving that group's other members in place. Bear in mind it only holds as long as no other GPO enforces "Members of this group" on Administrators; if one does, the enforced list wins and anyone not on it is stripped at the next refresh.
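Because the two forms are stored differently in the GPO itself, you can tell them apart without opening the console. The following is an added PowerShell example (not from the original post): it parses the [Group Membership] section of a GPO's GptTmpl.inf, the file SYSVOL keeps under the policy's MACHINE\Microsoft\Windows NT\SecEdit folder, and reports which groups the policy replaces and which it only appends to. The INF content is constructed for the example; CONTOSO, the domain SID and the group names are placeholders.

```powershell
# Added example, not from the original post. Decodes the [Group Membership]
# section of a Restricted Groups policy (GptTmpl.inf) and reports, per line,
# whether it ENFORCES a group's membership (the "__Members" form, which
# removes anyone not listed) or merely ADDS a group to another group (the
# "__Memberof" form, which leaves the target's existing members alone).

# Constructed sample; CONTOSO, the domain SID and the group names are placeholders.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,CONTOSO\Desktop Admins
CONTOSO\ServerOps__Memberof = *S-1-5-32-544
'@

function Resolve-SidLabel {
    # Turn a "*S-1-..." entry into an account name where this machine can
    # resolve it (BUILTIN SIDs such as S-1-5-32-544 always can); anything
    # unresolvable, e.g. a SID from a domain we are not joined to, is kept raw.
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-[\d-]+)$') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Entry }
}

function Get-RestrictedGroupIntent {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(?<group>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<list>.*)$') {
            # Copy the captures before calling anything else that uses $Matches.
            $group = $Matches['group']; $mode = $Matches['mode']; $list = $Matches['list']
            $targets = @($list -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                         ForEach-Object { Resolve-SidLabel $_ })
            $group = Resolve-SidLabel $group
            if ($mode -eq 'Members') {
                # "Members of this group": the list is enforced, so an empty list empties the group.
                $with = if ($targets) { $targets -join ', ' } else { '(nobody: the group is emptied)' }
                [pscustomobject]@{ Group = $group; Effect = 'Replace membership'; With = $with }
            } else {
                # "This group is a member of": appended to each target; other members are untouched.
                foreach ($t in $targets) {
                    [pscustomobject]@{ Group = $t; Effect = 'Add member'; With = $group }
                }
            }
        }
    }
}

Get-RestrictedGroupIntent -InfLines ($sampleInf -split "`r?`n") | Format-Table -AutoSize

# Against a real GPO (placeholder GUID), read the file straight out of SYSVOL:
# Get-RestrictedGroupIntent -InfLines (Get-Content '\\contoso.com\SYSVOL\contoso.com\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf')
```

On a domain-joined machine the sample yields one "Replace membership" row for BUILTIN\Administrators and one "Add member" row where CONTOSO\ServerOps is appended to it, which is exactly the conflict the caveat above warns about: the first line would strip ServerOps again if the two settings lived in GPOs applied to the same computer.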

Enjoy.

Managed Software Installation in Windows Vista and 7

In Windows XP, a domain client computer would display messages at start-up such as "Installing managed software Windows Defender" and "Applying computer settings".

In Windows Vista all of this disappeared and was replaced with "Please wait". In my opinion this was a bad move: users quickly get anxious that something is wrong, and sitting at a "Please wait" message tempts them to hit the power button.

I noticed some time ago that Windows Server 2008 displays the correct messages to the user at start-up, such as "Applying Default Domain Policy" and "Installing managed software X".

I didn’t realise however that it was possible to get this functionality back in Windows Vista and Windows 7.

Open the GPMC and navigate to Computer Configuration > Administrative Templates > System.

In here you will find a policy named Verbose vs normal status messages. Enabling this policy has the following effects, according to the explanation text in the GPMC:

Directs the system to display highly detailed status messages.

If you enable this setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system.

This setting is designed for sophisticated users that require this information.

Note: This setting is ignored if the “Remove Boot / Shutdown / Logon / Logoff status messages” setting is enabled.
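The two policies map onto two values under the Policies\System key, and the "ignored if" rule above is simply which value wins. The following is an added PowerShell example (not from the original post) that reports the effective behaviour from those values and enables the verbose messages on a stand-alone test machine; the registry value names are the real ones, the message wording in the return strings is the author's summary.

```powershell
# Added example, not from the original post: work out the effective start-up
# status-message behaviour from the two policy registry values, and enable the
# verbose messages on a stand-alone (non domain-joined) test box. On a domain
# member the GPO rewrites these values at every refresh, so set them in the GPO.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-StatusMessageMode {
    param([string]$KeyPath = $PolicyKey)
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    # "Remove Boot / Shutdown / Logon / Logoff status messages" -> DisableStatusMessages = 1
    # "Verbose vs normal status messages"                      -> VerboseStatus = 1
    $removed = ($null -ne $p) -and ($p.DisableStatusMessages -eq 1)
    $verbose = ($null -ne $p) -and ($p.VerboseStatus -eq 1)
    if ($removed) {
        # The removal policy takes precedence: VerboseStatus is ignored while it is set.
        return 'None: status messages removed by policy (VerboseStatus is ignored)'
    } elseif ($verbose) {
        return 'Verbose: each step is shown (Applying ... policy, Installing managed software ...)'
    } else {
        return 'Normal: generic "Please wait"'
    }
}

function Enable-VerboseStatusMessages {
    # Requires an elevated session; intended for a stand-alone test machine.
    param([string]$KeyPath = $PolicyKey)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name VerboseStatus -PropertyType DWord -Value 1 -Force | Out-Null
    # Verbose only takes effect if the removal policy is not also enabled.
    if ((Get-ItemProperty -Path $KeyPath).DisableStatusMessages -eq 1) {
        Write-Warning 'DisableStatusMessages is set; verbose messages stay hidden until it is cleared.'
    }
    Get-StatusMessageMode -KeyPath $KeyPath
}

Get-StatusMessageMode
```

Run Get-StatusMessageMode on a client that still shows "Please wait" after you have enabled the policy: if it reports the removal policy, some other GPO is setting "Remove Boot / Shutdown / Logon / Logoff status messages" and that is what has to change, not the verbose setting.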

Domain Problems in Windows 7 RC1

So it seems there are some problems with Domain Membership in Windows 7.

I formatted, installed and joined a Windows 7 RC1 x86 machine to the domain at home over the weekend, and me being me, I have quite a lot of GPOs that apply.

After joining the client to the domain, if you enter the username and password to log on, an error is shown once the logon process begins saying that explorer.exe cannot start. There is a thread running on the TechNet forums for this issue.

Some of the posts on the TechNet forums seem to suggest the Restricted Groups component is at fault here when it tries to control the members of the Administrators group on the client; however, I don't believe this is the issue.

For the client in question, I added a new OU called WindowsSeven, set Block Policy Inheritance on it and moved the client into it. After doing this the client logged in OK. I then wanted to get the AV software deployed to the client, so I linked my software deployment GPOs to the new OU, and at reboot the explorer.exe error returned.

I've since moved the client back down to Vista, but I will be building a Windows 7 VM to work out which policies may be causing the issues. Keeping you posted as always.