Posts

Showing posts with the label Active Directory

Group Policy Preference (GPP): GPP Is Not Working, There Are Red and Green Dots / Circles At The Settings

Group Policy Preferences (GPP) have been available since Server 2008, and Microsoft recommends using GPP instead of plain GPO settings. I prefer GPP as well, as it is more convenient to configure and troubleshoot. However, in some cases the configuration does not get applied, no matter how many times you run gpupdate (gpupdate /force as well), or even reboot the machines. Your settings are all good: the link is enabled on the appropriate OU, Block Inheritance is already enabled (to make sure policies assigned to the parent OU do not conflict with yours, just in case), there are no similar settings in the Site and Domain policies, and the policies are already enforced (oh wait, do you really need to enforce?). What else could it be, then? Oh wait, just before you planned to kill someone, you realized there were red dots / circles on the configurations, and those configurations (with red dots / circles) were the ones driving you crazy! Configurations with green straight lines / circles

The Trust Relationship Between This Workstation and The Primary Domain Failed

This is one of the common issues in a PVS environment, if the environment is not properly configured. The trust relationship will fail if the password expiration period is set shorter than the computer account password update interval. For example, if you set the password to expire in 5 days, and the computer account password update is set to 7 days, the password will expire 2 days before renewal. Therefore, either disable password expiration, or set these 2 options properly according to the corporate security policy. Issues: PVS: The Trust Relationship Between This Workstation and The Primary Domain Failed. Troubleshooting: Accessed the VDA, could not authenticate using a domain ID. Converted the VDA to Private mode / created a new version under Maintenance mode, unjoined and rejoined it to the domain. Put the VDA back to Standard Mode / promoted it to Production, the issue persisted. Resolution: Shut down the target device. Right click on it, go to Active Directory >

How To Totally Remove GPO

Assuming you mistakenly created a GPO and want to delete it before your boss starts hammering your head (huh?).. Okay, too much drama, so let's change it. You want to housekeep your GPOs (again?), and some GPOs need to be deleted. You right click on one, press Delete, and this message box prompts: Do you want to delete this link? This will not delete the GPO itself. So, are you doing it right? The answer is no. Deleting it from the OU structure will not totally remove the GPO; it only unlinks the OU from the GPO. Description: Put Citrix servers out of Citrix load (some sort of private mode / maintenance mode). How To Do: Within Group Policy Management Console, go to the Group Policy Objects node. Right click on the target GPO, and choose Delete

Failed to Delete / Move Organizational Unit in Active Directory

I think I rarely touch on Active Directory, so let's start with a basic one. Let's say one day you want to housekeep your OU structure, delete or maybe move some OUs to different locations, but you get an error: You do not have sufficient privileges to delete <OUName>, or this object is protected from accidental deletion. or Windows cannot move object <OUName> because: Access is denied. Well, if we look at the first error, it is clear cut: the object is protected from accidental deletion, so the object needs to stay there. Whereas the second error just says "access is denied". Issues: Can't delete or move an OU; either one of the above errors is prompted. Troubleshooting: Right click on the target OU, and click Properties

How To Hide Windows Local Disk Drives From Users

In some organizations, management may want to hide certain server local drives from Citrix users. There are a few methods to do so, but in this post we will be using GPP. Note that this step will only HIDE the drive, not prevent users from accessing it. The configured drive will only be hidden from Windows Explorer; users can still reach the drive via the Command Prompt, the Run command, etc. Description: Hide certain drives from users. How To Do: Launch Group Policy Management Console. Depending on how your AD is structured, right click on the OU, and choose "Create a GPO in this domain, and Link it here...". Give it a name, and press OK. Then you can see the GPO created. Right click on the GPO, and choose Edit. Expand User Configuration > Preferences > Windows Settings, and click Drive Maps. Right click on Drive Maps, hover over New and click Mapped Drive. In here, follow

Add a Member Server To Domain Failed Due to DNS Configuration

This would be my first post regarding Server 2012 (pretty cool, huh?). So this is the case. I just created a lab environment for my XenDesktop 7. Because of this new classy environment, I decided to use Server 2012. I have one server acting as DHCP, DNS and DC (have to, not enough resources), and another server as a member server. When I wanted to add this member server to my domain, I received the error in the Issue section. Issues: Facing this error while adding the member server to the domain: The following error occurred attempting to join the domain <domainName>: The specified domain either does not exist or could not be contacted. Troubleshooting: It turned out that my DNS server was not properly configured. It was not configured on any server, so the member server could not contact any DNS server. Resolution: Configure the correct DNS server. Depending on your environment, you may want to set it manually on the servers, or at the Scope

AD Group Scope

Some people have difficulty differentiating between Universal, Global and Domain Local groups (including me, sometimes). The table below illustrates the differences between those group scopes. Some lessons learnt: Global groups can be added to Domain Local groups (from the same domain or cross-domain), but not vice versa. For Global groups, you can only add accounts from their own domain and their parent Global groups. In order to add accounts from any domain, you need to use Domain Local groups; Global groups won't allow you to do so. Converting a group to Domain Local, adding those cross-domain users, and converting it back to a Global group won't do the trick. Domain Local groups cannot be added to Domain Local groups from any domain except their own domain and the parent. Group scope | Group can include as members… | Group can be assigned permissions in… | Group scope can be converted to… Universal: Accounts from any domain within t