Group Policy design for Terminal Server

Similar Messages

• Deploy an MSI for Terminal server users

  Hello,
  I have faced with the issue which I can't resolve on my own - the MSI is not run when the user logs on. Moreover, I don't see the GPO applied in the Group Policy Results for the user:
  Here is what I did on the server side:
  1. Created a separate OU for testing (actually, it doesn't work if I apply a policy at the domain level).
  2. Created a test user account.
  3. Created a shared folder (Read for everyone). Made sure that an user can read files from that folder.
  4. Placed the msi file in the shared folder. Before doing that, I tested the installer in the fields running the "msiexec.exe /i /s" command.
  5. Created a new Group Policy object where I added a new software installation at the User Configuration node. I specified the filepath in the following format -
  \\server\folder\msifile . Assigned. Chose the
  Install this application at logon. Maximum (User Interface).
  6. Linked the GPO to the OU where the user resides.
  7. The Settings in the GPO apply only for the specified user. Also I checked permissions on the Delegation tab for the user - Read / Apply Group Policy are selected.
  Here is how it looks like:
  Most probably I tried to adjust some properties for troubleshooting. But nothing helped.
  When I logon as a domain user I see that the GPO was applied successfully (gpresult.exe confirms). But I don't see any installation wizard, nor MSI installed. The result is shown on the first screenshot.
  I even don't get any errors in the Group Policy log. I have a feeling that user settings in my GPO are ignored by the system. Why does it happen? Is there any setting I missed setting up a new GPO?
  P.S. I have tried turning on various Group Policy settings located in the Administrative Templates / System / Group Policy.

  Hi Eugene,
  Based on your description, to make sure that this is not caused by fast logon optimization feature, we can enable the following setting:
  Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon
  After enabling this setting and updating the policy, we can try logging off and logging on again to see if it works.
  Regarding fast logon optimization, the following article can be referred to for more information.
  Description of the Windows Fast Logon Optimization feature
  http://support.microsoft.com/kb/305293/en-us
  Hope it helps.
  Best regards,
  Frank Shen

• Adobe Illustrator in out Terminal Server environment. How is the licensing work for Terminal Server installations?

  Adobe Illustrator in out Terminal Server environment. How is the licensing work for Terminal Server installations?

  You can find all forums here:
  https://forums.adobe.com/welcome

• Outlook is running to slow for terminal server users

  All tried but no luck .thanks

  Outlook is running to slow for terminal server users and very slow updating inbox. Can anyone suggest how can i increase speed for the users ?
  Office 2013
  exchange 2010
  This topic first appeared in the Spiceworks Community

• Configuring HWIC-8A card for terminal server access

  Hi Friends,
  I have a 3825 router having HWIC-8A async card, and want to cnfigure that for terminal server connectivity. I believe it will have different config to NM-16A module config. any advice please.
  Thanks..
  Arun

  Having them both kills being able to access the Net.Take out the gateway on your loopback adapter and network traffic should happen as normal :)
  Is this configured only in TNSNAMES.ORA, and if so how?It's configured in listener.ora, but changing the port won't change the amount of traffic nor the Oracle load, it will just make everything slightly more confusing to everyone trying to help you troubleshoot your machine ;)
  ~Jer

• Sequencing for terminal server

  Hi,
  Is there any prereq we should take into account when creating an app for terminal server (Windows 2008 R2)?
  The problem we are facing now is that App-v packages are working correctly for 1 user but others (on the same terminal server) don't see the shortcut. If we copy past the screenshot to their menu it works fine.
  Please advise.
  J.
  Jan Hoedt

  I suppose it's SP1 for SCCM 2012, as this adds App-V 5 support.
  Do you target machines or users in your deployment type? 
  Do you do any 'bad tricks' with the start menu (like redirecting it)?
  Falko
  Twitter
  @kirk_tn   |   Blog
  kirxblog   |   Web
  kirx.org   |   Fireside
  appvbook.com

• Group policy template for Novell Client for Windows 7

  Does anyone know if there is a group policy template for the Novell Client for Windows 7? I find it really hard to believe that Novell has not yet released one, but I cannot find one anywhere. We use ZCM 11.2, and I really need to be able to send out settings for the client via a group policy.
  By the way, I am also posting this on the Novell Client forum, but since this is also a ZCM thing, I am hoping I might get some feedback here.
  Rick P

  Two recent/new resources are available for the Novell Client 2 SP3 for Windows:
  Cool Solutions AppNote: Novell Client 2 SP3 for Windows: Registry Settings
  Novell Client 2 SP3 for Windows: Registry Settings | Novell User Communities
  Cool Solutions Tool: Group Policy Administrative Template for Novell Client 2 SP3 for Windows
  Group Policy Administrative Template for Novell Client 2 SP3 for Windows | Novell User Communities

• DLU Policy for terminal server

  Hi all
  I am trying to apply a DLU policy to allow users to remotely login to a terminal server. However, I do not want the DLU policy to allow users to have remote desktop access to other workstations.
  Right now I have 3 DLU policies configured
  DLU Admin - Grants IT users full admin access to all devices
  DLU Users - Gives employees access only to the users and power users group on the managed devices
  DLU Remote - grants remote desktop access to specific users
  Is there a better way to assign a remote dlu policy to a specific device?
  I want to lock down the DLU to specific devices.
  thanls

  JSorrenti,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Question on a specific Group Policy setting for SCCM Updates

  Hello,
  This may not exactly be the correct forum for this question but in looking around I didn't come up with an immediate answer and was hoping someone else had this issue.
  I have a WSUS server and am moving over to SCCM for updates. I've actually had success in getting 2 sets of patches installed after some very frustrating days thanks to people here.
  I've noticed that when I switch workstations to my AD folder that has the SCCM Updates GPO instead of our standard WSUS GPO that we get action center errors "Set up Windows Update", "Windows Update is not set up". When we click
  the flag it tells us to "Choose an Update Option".
  In my new GPO I  do have Configure Automatic Updates Enabled for "Auto Download and notify for install" but we still get this warning. Is there a differnet setting that controls this action that anyone is aware of in their experience? I looked
  through the other settings but didn't se anything obvious.
  Thanks for any help!

  Hi Dustin,
  I'd read a number of different things trying to solve the problem. That article looked a little familiar but I re-read it carefully.
  I do have "specify intranet Microsoft Update service location" set to Not Configured as someone had correctly pointed me to that as the reason I was not getting updates.
  I did not have "Allow signed updates from an Intranet Micorsoft update server" enabled so that shoudl help some.
  "Configure Automatic Updates" was enabled because I, incorectly, thoguth that's all that might be needed since Ihad to make sure I'd Not Configured the first setting.
  I had "Turn on Recommended Updates" Enabled so I put it back to not configured.
  I understand that turning things to Not Configured doesn't necessarily change any previous group policy settings so I may be getting some fallout from having a WSUS server on these systems before. I'd just like to aviod having to have everyone go into the
  action center and manually click to configure updates.
  I'll see if my one setting change has any effect.
  UPDATE: I forced a gpupdate and the red flag in the action center has not disappeared.

• Proxy details keep deleting from field in Group Policy Preferences for IE 10 on windows 7 and 8

  We have a lot of users who on the last update and have seemed to manage to install IE 10 onto their windows 7 machines as now causing all sorts of issues. I know that IEM has been replaced in favour of Group Policy Preferences and I have build a windows
  8 machine just to create a group policy preference as you are unable to create the preferences from windows 7, thank you Microsoft!
  I have created a test OU and got a win 7 and a win 8 machine both with IE 10 for testing. I have created the preference settings, home page etc and disabled using the F keys the advanced features that we do not require as from reading in other post even
  if it is not ticked, if it is green then it will apply it, kinda defeats the using the tick but it is what it is!
  When we do a gpupdate it picks up the default homepage as well as other settings but the proxy settings is blank. I then went back into the preferences I created for IE 10 and checked the connections, LAN settings and the proxy server name is missing but
  both ticks are showing for the proxy settings and when you click on advanced it shows the proxy server and port details fine. I have been working on this now for 4 days and getting no where to a point were we just roll back any users on IE 10 back to IE 9.
  I have also unlinked any other gpo relating to Internet settings on the test OU just in case there are conflicts. Any ideas as where to go from here?

  In the end to get around the proxy settings I had to create a registry key preference with proxy and port details which seemed to have done the trick and now IE 10 is picking up the proxy details and displaying webpages

• Server 2012 Group Policy Templates installed on Server 2008 R2

  Setup: 2 x Domain Controllers running Server 2K8 R2 SP1
  We are currently running our environment with IE9 and want to upgrade to IE11. However 2K8 R2 group policy doesnt support IE11 unless you upgrade your DC's to this version of IE. We are not going to deploy IE11 all at once but instead as we reimage or replace
  PC's. 
  My question is can install http://www.microsoft.com/en-us/download/details.aspx?id=36991 Server 2012 templates on 2008 R2 and have the ability to apply GP objects to both versions of the browser? Will it's possibly make some of the current GP's ineffective
  by erasing some settings?
  Maybe there is a better was for me to do this? Any help on this would be appreciated! Thanks in advance. 
  I will monitor this thread very closely and reply to any questions as soon as I can. Thanks!
  BCU

  Yes this can be done and its advisable to install the latest and greatest admx templates, please be aware that from IE10 upwards IE maintenance is deprecated and applied via a GPP, id advise you create a central store for your Admx and adml files if not
  already done so
  http://support.microsoft.com/kb/929841
  http://support.microsoft.com/kb/929841

• Adding another exchange account Outlook 2013 Pro Plus for terminal Server users

  Really hoping someone can offer some advice on this one as I have wasted far to many cycles trying to figure this out.
   Company I work for recent purchased another company and we are in the process of bringing them into our network.  They currently run a a 2008 R2 terminal server where all users connect to for there day to day work.  A number of applications
  are installed including Office 2013.
  All users have Outlook 2013 configured to access their exchange server for email and this works fine.
  The first step in bringing them into our fold is to add an email account for Our Exchange  server without removing their existing exchange configuration or Outlook Profile.  So the one profile will have both exchange accounts listed and they can
  continue to get email from their server but as well email from our domain.
  I created a MSP file and tested pushing this out using PDQ Deploy to a few workstations here in our office and it works fine.  I then started to work on deploying in their environment.  PDQ Deploy will not work as they are all terminal Services
  Clients.  So I tried to push out via GPO.  I created the GPO Initially wanting to use a package and apply that GPO to an AD group.  However it will not let me deploy a MST as a package.  So I then tried moving it to a script that would
  run at logon.  That too is not working.
  I know I could enter install mode then run the MSIEXEC.EXE \config.MSP but that takes away the ability to control the role out.
  Any other ideas on how to get this done.

  Using the MSPfile method would require the logged-on user to have the necessary Windows permissions to run setup.exe, and on an RDS/TS Session Host, that's not likely to be available. (since it's not a great idea to give end-users those permissions on a
  shared system like RDS/TS)
  But you might be able to do it with a PRF file and an Outlook launch command, like this?
  http://technet.microsoft.com/en-us/library/cc179062(v=office.15).aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Installation blocked by group policy designed to prevent CryptoLocker

  We have followed the steps outlined by bleepingcomputer.com to prevent as best we can the CryptoLocker virus.  Link to article: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
  Please update your Reader installer to not use %AppData%\Local\Temp\.  The CryptoLocker prevention method involves blocking that and the following paths.  I know many businesses using these techniques.
  Block CryptoLocker executable in %AppData%
  Path: %AppData%\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from %AppData%.
  Block CryptoLocker executable in %LocalAppData%
  Path if using Windows XP: %UserProfile%\Local Settings\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from %AppData%.
  Block Zbot executable in %AppData%
  Path: %AppData%\*\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from immediate subfolders of %AppData%.
  Block Zbot executable in %LocalAppData%
  Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from immediate subfolders of %AppData%.
  Block executables run from archive attachments opened with WinRAR:
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with WinRAR.
  Block executables run from archive attachments opened with 7zip:
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with 7zip.
  Block executables run from archive attachments opened with WinZip:
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with WinZip.
  Block executables run from archive attachments opened using Windows built-in Zip support:
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened using Windows built-in Zip support.

  Hi, I am using a toshiba personal laptop, windows 7 home premuim. No one else uses it, nor have i brought it to any buisness , other home, etc.
  I have been blocked by group policy for 3 months.  I have spend over 200 dollars on ITs to only tell me they have never seen this before, and to buy a new laptop.. I have no idea why i am the admin, and only user yet all i can open is aol.
  I am at my wits end, and will go buy another laptop, deffenitly nothing like this one.. I have lost alot of time and money trying to fix this, late payments etc
  thanks for any input
  aimee
  oh my isp is cox, and i have a router
  reading this I am able to identify that you are contaminated with malware, it may has also affected your recovery
  try recovery to factory fresh and then install Microsoft Security Essentials so that you have 1/2 a chance next time
  Corsair Carbide 300R with window
  Corsair TX850V2 70A@12V
  Asus M5A99FX PRO R2.0 CFX/SLI
  AMD Phenom II 965 C3 Black Edition @ 4.0 GHz
  G.SKILL RipjawsX DDR3-2133 8 GB
  EVGA GTX 6600 Ti FTW Signature 2(Gk104 Kepler)
  Asus PA238QR IPS LED HDMI DP 1080p
  ST2000DM001 & Windows 8.1 Enterprise x64
  Microsoft Wireless Desktop 2000
  Wacom Bamboo CHT470M
  Place your rig specifics into your signature like I have, makes it 100x easier to understand!
  Hardcore Games Legendary is the Only Way to Play!

• Group policy preference for creating printers setting the wrong printer as default

  Hi
  We have a a group policy preference applied to users.  At the moment we create a shared printer and set it as default for all users in a specific OU.  Now we need to add another shared printer.  I have updated the policy and set it to create
  the new shared printer and have set item level targeting to the same OU as the first printer.  I want to keep the existing printer as the default, however when the policy runs, the new printer is created fine but it is set as the default
  printer.  Is this because it has been added last ?  There doesn't seem to be a way of changing the order that the printers are applied.
  Both printers are Shared printers and are set to Create
  The existing printer (printer A) is set as the default printer.  It is targeted at the London OU.
  The new printer (printer B) has NOT been set as default.  It is targeted at the London OU.
  No other options have been set.
  When the policy is applied both printers are added but printer B is being set as the default.
  Any help would be appreciated.
  Thanks
  G

  Hi G,
  >>however when the policy runs, the new printer is created fine but it is set as the default printer.  Is this because it has been added last ?  There doesn't seem to be a way of changing the order that the printers are applied.
  Before going further, what's the operating systems of our clients? Here, I need to double confirm that the checkbox of
  Set this printer as the default printer... is not selected in the new GPP Printer item. Besides, we can change the orders of the printer items. To do this, select the printer item, right click, click All Tasks, and choose Move Up or Move
  Down to change the order.
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Group Policy item for Security Center

  What's the easiest way to do this?
  I want to disable the security center popup.Windows XP Pro SP2, zen 3.2sp2
  Roaming profiles (for students, a single volatile profile is in use).
  I've attempted a few things to get this screen from showing up. I run
  fortres, but the security center screen comes up before fortres has
  initialized on the machine. I've tried wiping out the wscntfy.exe, but it's
  self-repairing.
  I tried to build an adm to add to the user extensible policies in the
  package, but it's either being ignored or I've got the wrong key
  (HKCU\Software\Microsoft\Security Center\FirstRun=dword:00000001).
  I noticed that if I turn off the notification on the workstation, it appears
  to be in the LM hive and sticks around for subsequent users. But the next
  user to use the machine has the thing pop up everytime (because the
  notification that they have seen the screen once disappears when their
  profile is wiped out).
  I guessed that this is the time that I would truly have to switch over to
  Windows Group Policies rather than relying on the unsupported user
  extensible policies (which have been working fine for me for quite some
  time).
  But when I tried to get the security center in the group policy editor
  (launched from console 1), it isn't there at all. How do I add the proper
  snapin to this editor so that I can apply security center settings?
  Chris Denby
  IT Coordinator
  Rainy River District School Board
  Fort Frances, Ontario
  Canada

  Chris,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at
  http://support.novell.com.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://support.novell.com/forums)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/