A few weeks ago, we faced an issue where all of our GPOs were broken (kind of....). It seems although the GPOs were editable, but the settings were not there... What we see was : Description : GPO gone bad..... Issue :  Launch GPMC | Edit a policy, expand to Computer Config | Policies | Administrative Templates , all settings are missing. However, each config line could be found inside All Settings  If we look carefully, the policy is retrieved from the central store.  if we look at other domain ( other domain, not other Domain Controller ), the policy is retrieved from the local computer . Troubleshooting :   Open Windows Explorer, navigate to \\<DomainName>\SYSVOL\<DomainName>\Policies . There is a folder called PolicyDefinitions    Within the folder, there is nothing, no folders no files..... Resolution :     Open Windows Explorer, navigate to \\ <DomainControllerName>\c$\Windows\PolicyDefinitions . Copy all con

It is a common practice to have a management server, with most (if not all) consoles installed on it. the purpose of this practice are to consolidate the management consoles into centralized servers, and reduce un-needed resources utilization on target servers (e.g : SQL, AppSense, Citrix Delivery Controller, VMware vCenter).  One component that I love to have in my management server is Citrix GPMC. I prefer to configure my Citrix policies via GPO, rather than Citrix Policies. One main reason is to consolidate all policies into a single, centralized location.  This is what you can see from AD server or normal servers/machines without Citrix GPMC installed / enabled. This is what you can see from Citrix servers with GPMC installed / enabled. Now, how to install Citrix GPMC :   Download the installers from here : x86 : http://support.citrix.com/article/CTX142463#download x64 : http://support.citrix.com/article/CTX142464#download  Right click at the installer, an

Group Policy Processing has been introduced since Server 2008, and Microsoft recommends to use GPP instead of normal GPO. To me, I prefer to use GPP as well, as it is more convenience to configure and troubleshoot.  However, in some cases, the configuration may not get reflected, no matter how many times you perform gpupdate (gpupdate /force as well), or even reboot the machines. Your settings are all good, linked enabled to appropriate OU, Block Inheritance already enabled ( to ensure policies assigned to parent OU not conflicting with your policies, just in case ), there were no similar setting in Site and Domain policies, policies already being enforced ( oh wait, do you really need to enforce? ).  What else could it be then? Oh wait, just before you planned to kill someone, you realized there were red dots / circles at the configurations, and those configurations (with red dots / circles ) were the one who drove you crazy! Configurations with green straight lines / circles

In previous post , I mentioned on how to disable drive mapping on Server 2003 via GPO. In this post, I will show on how to disable drive mapping on server 2008. Description : Disabling drive mapping on Server 2008 How To Do :  Access to GPMC , edit the intended GPO. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection Click at ' Do not allow drive redirection  '. That is our target setting Right click at it, and press Edit  Choose Enabled , press Apply and OK .  You can double confirm the setting by checking at ICA-TCP and RDP-TCP Properties. They are now checked, and  grayed out. And this is the explanation by Microsoft on the GPO setting.

This post will show on how to disable local drive mapping via GPO for Windows Server 2003 environment. Considering GPO will take precedence over Citrix policy, this setting will work on both RDP and ICA sessions. Description : Disable local drive mapping via GPO (the same setting can be applied to local policy too) How To Do : Open your Group Policy Object, and browse to this setting ( Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Client/Server data redirection   Let's focus on Do not allow drive redirection. Right click at it, and click at Properties  Choose Enabled, press Apply and OK.  This will be the outcome. This is the explanation on this setting by Microsoft.   Drive mapping is now disabled, and users are not able to change it.

Description : There are multiple ways to do add AD user groups into computer local groups - manual way or using GPO. To me, it is always GPO way - it is easier (sort of) as the configuration will be persistent across all servers where the GPO being applied to. How To Do :  At your GPO, right click at it, and choose E dit...  Expand to Computer Configuration > Windows Settings > Security Settings > Restricted Groups . Right click at it, and choose Add G roup...  Click at Browse... as we want to choose the AD user Group.  Type your AD User Group   Click at Check Names to ensure the group is correct. Once it is confirmed, click at OK . The User group will be listed here. You can choose as many user groups as you want, it will be listed here. Press OK again.  In here, click at the Add button under This group is a member of:  option.  Click at Browse to choose the local group to be assigned to.  Type your desired local group name. In this example, I