VCAP-DTA Objective 6.2 – Configure Group Policies for PCoIP and RDP
- Identify and resolve group policy conflicts – One of the great things about group policies is that there are so many settings you can configure and lock down, but sooner or later you’ll end up with different group policies treading on each other’s toes. There are a couple of ways to check group policy inheritance:-
- gpresult.exe – a command line tool that can be used to generate an RSoP (Resultant Set of Policies) report. This is a quick way of looking at what’s been applied, what has been filtered and which AD groups a user is a member of, which can help with troubleshooting. The command syntax for an RSoP style report is gpresult.exe /r and you’ll get something similar to below:-
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 22/07/2014 at 20:34:43

RSOP data for BECKETT\Administrator on DC01 : Logging Mode
-----------------------------------------------------------
OS Configuration: Primary Domain Controller
OS Version: 6.1.7600
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\Administrator
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=DC01,OU=Domain Controllers,DC=beckett,DC=local
Last time Group Policy was applied: 22/07/2014 at 20:34:10
Group Policy was applied from: DC01.beckett.local
Group Policy slow link threshold: 500 kbps
Domain Name: BECKETT
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
Default Domain Policy
ThinPrint

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
DC01$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Denied RODC Password Replication Group
System Mandatory Level

USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=beckett,DC=local
Last time Group Policy was applied: 22/07/2014 at 20:33:40
Group Policy was applied from: DC01.beckett.local
Group Policy slow link threshold: 500 kbps
Domain Name: BECKETT
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Default Domain Policy
Filtering: Not Applied (Empty)
ThinPrint
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Schema Admins
Enterprise Admins
Denied RODC Password Replication Group
High Mandatory Level

- RSoP (Resultant Set of Policies) is basically a graphical representation of what you see above, which is actually quite helpful when you have a specific issue you want to troubleshoot. To run the report, go to Start | Run | rsop.msc and after the report has been generated, you get what is effectively a read-only group policy view with details of policy settings.
- Group Policy Management – One other thing to check is the Group Policy Management MMC tool. This can be accessed by going to Administrative Tools | Group Policy Management. Once within this tool, select a particular OU that you want to troubleshoot and click the Group Policy Inheritance tab. This displays which GPOs are in place and what their priorities are.
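
The inheritance check described above can also be scripted, which helps when several GPOs set the same PCoIP or RDP template policy. The PowerShell below is an added example, not from the original article: it uses the GroupPolicy module's Get-GPInheritance and Get-GPOReport cmdlets to list precedence for an OU and flag Administrative Template policies configured in more than one linked GPO. The OU name ViewDesktops is a placeholder assumption.

```powershell
# Added example: requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

# Assumption: placeholder OU name; substitute the OU you are troubleshooting.
$TargetOU = 'OU=ViewDesktops,DC=beckett,DC=local'

# Same data as the Group Policy Inheritance tab: Order 1 has the highest precedence.
$links = (Get-GPInheritance -Target $TargetOU).InheritedGpoLinks |
    Where-Object { $_.Enabled }
$links | Format-Table Order, DisplayName, Enforced, Target -AutoSize

# Collect every Administrative Template policy configured in each linked GPO.
# GPO XML reports list these as <Policy> elements with <Name>, <State> and <Category>.
$settings = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    $nodes = $report.SelectNodes("//*[local-name()='Policy'][*[local-name()='State']]")
    foreach ($node in $nodes) {
        $side = $node.SelectSingleNode("ancestor::*[local-name()='Computer' or local-name()='User']")
        [pscustomobject]@{
            Scope    = $side.LocalName
            Category = $node.SelectSingleNode("*[local-name()='Category']").InnerText
            Policy   = $node.SelectSingleNode("*[local-name()='Name']").InnerText
            State    = $node.SelectSingleNode("*[local-name()='State']").InnerText
            Gpo      = $link.DisplayName
            Order    = $link.Order
        }
    }
}

# A conflict is the same policy set by more than one GPO; the lowest Order wins.
$settings | Group-Object Scope, Category, Policy |
    Where-Object { @($_.Group.Gpo | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $ranked = @($_.Group | Sort-Object Order)
        [pscustomobject]@{
            Scope      = $ranked[0].Scope
            Policy     = $ranked[0].Policy
            WinningGpo = "$($ranked[0].Gpo) [$($ranked[0].State)]"
            Overridden = ($ranked | Select-Object -Skip 1 |
                ForEach-Object { "$($_.Gpo) [$($_.State)]" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Link order is only part of the picture: security and WMI filtering are evaluated per user and computer, so confirm the outcome with gpresult.exe /r on the affected desktop.
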
- Implement PCoIP and RDP Group Policy templates – As discussed in a previous article, PCoIP can be managed by importing the pcoip.adm policy template from the C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles folder into the Group Policy Management MMC view.
- RDP can be managed via Group Policy from Group Policy Management under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services. From here, configure which settings you want to enable or disable etc, as shown below:-