RemoteApp: Synergetic access from Home

Finding a decent solution for remote access to Synergetic has always been a problem. The Synergetic loader starts the application from a shared network drive, which is fine when Staff are at School, but when they're offsite, loading Synergetic over the School's 1Mb upload link is tedious.

RemoteApp was a new feature in Server 2008 and has been refined further in 2008 R2 and Windows 7 with RemoteApp and Desktop Connections. RemoteApp works similarly to the traditional Windows Terminal Server login used with previous versions of Windows Server, but with more functionality. When you configure a program for RemoteApp, the end user gets the same icon on their desktop or start menu that they would if the application were installed locally. The icon is a Remote Desktop (RDP) shortcut that performs a full Terminal Services login but hides the session and shows only the application, which runs in the TS session. The user's printers, mapped drives etc. can all be used in the RemoteApp, the same as in an RDP session, but this is set per program.

Accessing Synergetic via RemoteApp offsite is as seamless as connecting when at School and doesn't require a VPN connection. Setting up RemoteApp with signed certificates and opening ports on the firewall is the way to go. Users still have to pass AD authentication and, depending on your Synergetic setup, enter another username and password to log in to Synergetic.

 

Video: loading Synergetic with RemoteApp

After a brief trial of Synergetic with RemoteApp it looks like we'll be purchasing the necessary RDS User CALs (check here for changes to TS licensing) and using RemoteApp for Staff access to Synergetic from home. We'll also get them to use this setup for their Academic Report writing, which avoids the confusion between Synergetic Network/Stand-Alone and importing/exporting reports.

To set up the trial of Server 2008 R2 and RemoteApp, follow something like the TS RemoteApp Step-by-Step Guide, which is pretty straightforward. If you have Windows 7 clients, make sure you check out RemoteApp and Desktop Connections, where you can set the Win7 machines to check a URL for a list of available RemoteApps; it updates regularly and automatically puts shortcuts on the start menu for users.

After you've configured the TS services, install Synergetic on the TS box and add it as a RemoteApp through the Wizard.


If you're a large Synergetic customer, you probably have multiple databases for different users and need to specify different configuration files with command line arguments.


Here are our test RemoteApps for Synergetic (screenshot of the RemoteApp Programs list).

Pushing the links for RemoteApps out as *.MSI or RDP files via a script or download makes things nice and easy too.
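To push the links out as RDP files, here is an added PowerShell example (not from the original post or from Synergetic) that writes one .rdp file per database, each with its own configuration-file argument, and signs it with rdpsign.exe. The host name, RemoteApp alias, config paths and certificate thumbprint are assumptions for your own environment.

```powershell
# Added example: one signed .rdp file per Synergetic database. Names, paths and
# the thumbprint below are assumptions; replace them with your own values.

$RdsHost    = 'ts01.school.example'                         # assumption: the TS/RDS host
$AppAlias   = 'Synergetic'                                  # RemoteApp alias set in the wizard
$Thumbprint = '<sha1-thumbprint-of-your-rdp-signing-cert>'  # placeholder
$OutDir     = 'C:\RemoteAppLinks'

# One entry per database: display name => configuration file passed on the command line
$Databases = @{
    'Synergetic - Senior School' = 'C:\Synergetic\Config\Senior.ini'
    'Synergetic - Junior School' = 'C:\Synergetic\Config\Junior.ini'
}

function New-SynergeticRdp {
    param([string]$Name, [string]$ConfigFile, [string]$Path)

    $lines = @(
        'remoteapplicationmode:i:1'                   # RemoteApp, not a full desktop
        "remoteapplicationprogram:s:||$AppAlias"      # || marks an alias published on the TS
        "remoteapplicationname:s:$Name"
        "remoteapplicationcmdline:s:""$ConfigFile"""  # per-database config argument
        "full address:s:$RdsHost"
        'alternate shell:s:rdpinit.exe'
        'authentication level:i:1'                    # do not connect if the server cert fails to verify
        'prompt for credentials:i:1'                  # AD credentials are never stored in the file
        'redirectprinters:i:1'                        # printers follow the user, as described above
        'redirectdrives:i:0'                          # keep local drives out of the session
        'redirectclipboard:i:1'
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
foreach ($db in $Databases.GetEnumerator()) {
    $file = Join-Path $OutDir (($db.Key -replace '[^\w\- ]', '') + '.rdp')
    New-SynergeticRdp -Name $db.Key -ConfigFile $db.Value -Path $file

    # rdpsign.exe (Windows 7 / 2008 R2) signs the file so the client shows the
    # publisher and rejects tampered copies; run it on a host that holds the cert.
    & rdpsign.exe /sha1 $Thumbprint $file
}
```

The RemoteApp's properties on the TS must allow these command-line arguments (the wizard's default is to disallow them), otherwise the server refuses the launch.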

I hadn't paid much attention to RemoteApp and Microsoft's VDI offerings, which seems like a mistake on my part. With the price of EDU licensing for MS apps, this is a nice and tidy solution to a problem we've had since purchasing Synergetic 10-12 years ago. It might be a good solution for getting applications onto our Student Netbooks too… we'll see how we go.

Windows GPO: Disable Adobe Updater for CS3 and CS4

We've known for a while that Adobe updates are too frequent, too large and annoying when you have a couple of hundred machines on the network with the Master Collection installed. Recently we installed Viewpoint to give us reporting from our SonicWALL firewall, and the impact that Adobe updates had on our internet connection was staggering. Adobe updates and Apple iTunes updates were the bulk of our traffic, which is no mean feat when we have 900 Students in the Senior School on Facebook.

Web Usage Report from Viewpoint

Luckily, Adobe has a registry key that can be used to enable/disable the Adobe Updater, and pushing the entry out to clients via Group Policy seems like the sensible option:
http://kb2.adobe.com/cps/408/kb408711.html

On Windows XP or Windows Vista:

  1. Using Regedit.exe, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe
  2. Create a new Key in this folder named "Updater"
  3. Create a new DWORD value within this Key named "Enterprise" with a value of "1"

To try it out, I created the registry entries on my local machine and imported them into a new GPO with the Registry Wizard (right-click Registry under Computer Configuration and select New -> Registry Wizard).

Registry Keys imported into GPO

Registry Entries, Action set to Update

It's important to remember to still update the Adobe applications, especially Acrobat and Flash. The Sophos Security Threat Report 2010 highlights the need to keep these two applications up to date: malicious code can be executed from Flash files embedded in PDF documents. Sebastian Porst has a superb write-up on dissecting the Adobe/Flash exploit here; if you've got 10 minutes, grab a coffee and read up.

You can download the Acrobat updates manually from Adobe and push them out to clients with msiexec.exe. Check AppDeploy for specifics for your version of Acrobat, but something like this would do the trick:

msiexec /p "%installdir%\AcroProStdUpd910_T1T2_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

msiexec /p "%installdir%\AcrobatUpd912_all_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

These are from the Adobe forums; push them out with a script or via GPO.
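As an added PowerShell example (not from the original post or from Adobe), this script applies the kb408711 Updater value locally (the same value the GPO above pushes) and then installs the two .msp patches with the msiexec switches quoted above, checking each exit code before moving on. The patch share path is an assumption.

```powershell
# Added example: disable the Adobe Updater by policy, then patch Acrobat with
# the msiexec switches from the post. $PatchShare is an assumption.

$PatchShare = '\\fileserver\deploy\Acrobat'   # assumption: UNC share holding the .msp files
$Patches    = @('AcroProStdUpd910_T1T2_incr.msp', 'AcrobatUpd912_all_incr.msp')  # apply in this order

function Set-AdobeUpdaterDisabled {
    # HKLM\SOFTWARE\Policies\Adobe\Updater\Enterprise = 1 (DWORD) turns the updater off
    $key = 'HKLM:\SOFTWARE\Policies\Adobe\Updater'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enterprise' -Value 1 -Type DWord
    return ((Get-ItemProperty -Path $key -Name 'Enterprise').Enterprise -eq 1)
}

function Install-AcrobatPatch {
    param([string]$MspPath)
    if (-not (Test-Path $MspPath)) { throw "Patch not found: $MspPath" }

    # Same switches as the post: quiet, no forced reboot, reinstall all features,
    # REINSTALLMODE=omus = replace older files, rewrite machine/user registry, recreate shortcuts
    $msiArgs = @('/p', "`"$MspPath`"", '/qn', '/norestart', 'REINSTALL=ALL', 'REINSTALLMODE=omus')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { Write-Host "Installed $MspPath"; $true }
        3010    { Write-Host "Installed $MspPath (reboot required)"; $true }
        1642    { Write-Warning "$MspPath does not apply to the installed Acrobat version"; $false }
        default { Write-Warning "msiexec returned $($proc.ExitCode) for $MspPath"; $false }
    }
}

if (Set-AdobeUpdaterDisabled) { Write-Host 'Adobe Updater disabled by policy' }

foreach ($msp in $Patches) {
    # Stop at the first failure: the later patch assumes the earlier one applied
    if (-not (Install-AcrobatPatch -MspPath (Join-Path $PatchShare $msp))) { break }
}
```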

Outlook 2003: Can’t Create File

Just as we're about to replace the last of our Acer notebooks with the XP/Office 2003 SOE, we came across this odd error in Outlook 2003 when opening an attachment.


This is a file that's emailed to Staff almost daily, without problems, until this cropped up seemingly for no reason.

After a little homework, we found that it could be a problem with temporary files, and we had to check the path Outlook uses for temp files via the registry.


When we checked the path Outlook was using for temp files, we were horrified to see this:


The Can't Create File: STUABSD.rtf error hit us because Outlook, or probably Windows Explorer, couldn't create a temp file called STUABSD (100).rtf.

Deleting the temp files cleared up the error straight away.
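As an added PowerShell example (not from the original post), this script reads the Outlook 2003 secure temp folder path from the registry and reports which attachment names are piling up there. Outlook numbers repeated copies of an attachment "(1)" to "(99)" and fails with "Can't create file" on the 100th; the warning threshold and the -Clean switch are this example's own choices.

```powershell
# Added example: find and optionally clear the Outlook 2003 secure temp folder.
param([switch]$Clean)

function Get-OutlookSecureTempFolder {
    # Office 2003 is version 11.0; the path is stored in the OutlookSecureTempFolder value
    $key = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'
    $folder = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).OutlookSecureTempFolder
    if (-not $folder) { throw "OutlookSecureTempFolder is not set under $key" }
    return $folder
}

function Get-AttachmentCopyCounts {
    param([string]$Folder)
    # Group files by base name with any trailing " (N)" stripped,
    # so "STUABSD (37).rtf" and "STUABSD.rtf" count as the same attachment
    Get-ChildItem -Path $Folder |
        Where-Object { -not $_.PSIsContainer } |
        Group-Object { $_.Name -replace ' \(\d+\)(?=\.[^.]+$)', '' } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Attachment'; e = { $_.Name } }, Count
}

$folder = Get-OutlookSecureTempFolder
Write-Host "Outlook secure temp folder: $folder"

$counts = Get-AttachmentCopyCounts -Folder $folder
$counts | Format-Table -AutoSize

# Anything near 99 copies is about to produce the error described above
$counts | Where-Object { $_.Count -ge 90 } | ForEach-Object {
    Write-Warning "$($_.Attachment): $($_.Count) copies, Outlook will fail at 100"
}

if ($Clean) {
    # Close Outlook first: files for attachments still open are locked and will be skipped.
    # This folder keeps a copy of every attachment ever opened, so clearing it also
    # removes old attachment copies the user probably doesn't know are on disk.
    Get-ChildItem -Path $folder |
        Where-Object { -not $_.PSIsContainer } |
        Remove-Item -Force -ErrorAction Continue
}
```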

Random AD User Account Lockout

The last few weeks we've had a problem with one of our IT Staff user accounts where it would regularly get locked out during the day. We suspected some of the Students were trying to guess the password for the account, probably hoping to get around our web content filter.

This made me realise we've never really looked for account lockouts and where/why/how they might be happening on the network. I wasn't excited about scouring the security event logs on our domain controllers to find the info I needed. A quick search brought up the Account Lockout and Management Tools from Microsoft, which have been around since 2003 but were new to me. I probably should have been a bit sharper on that one.

One of the applications in the download is LockoutStatus. This app takes the AD username and returns the lockout status and bad password count on each DC for that user.


After finding the lockout status of the user, you then use the EventCombMT app to search the event logs of the domain controllers. EventCombMT can search the event logs for any event ID, but to find events with login issues I limited the search to the Security logs on the DCs with event IDs 529, 644, 675, 676 and 681. More info on usage here.


EventCombMT produces a text file for each server with the results of the search:

644,AUDIT SUCCESS,Security,Wed Apr 14 10:21:08 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)   

644,AUDIT SUCCESS,Security,Wed Apr 14 10:08:14 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb      Caller Machine Name: STTB2710ZJLW     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)  

Straight away I could see the two machines that were causing the account lockout, and we called them back into the Service Desk so we could see what was going on. We were able to work out that it was the Sophos AutoUpdate causing the problem: these machines had been using the credentials of this account, with an old password, for receiving updates instead of the update account we normally use.
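As an added PowerShell example (not from the original post or from the Microsoft tools), this script parses the EventCombMT per-DC text files and lists, for each locked-out account, the machine and caller that triggered the lockout and how many times. The sample lines are constructed in the post's output format, and $ResultDir is an assumption.

```powershell
# Added example: group EventCombMT 644 (account locked out) records by account and
# caller machine. $ResultDir is an assumption; the sample lines are constructed.

$ResultDir = 'C:\Temp\EventComb'   # assumption: where EventCombMT writes its per-DC text files

# Constructed sample in the same shape as the post's output: five comma-separated header
# fields, then the event text with runs of spaces between "Field: value" pairs
$SampleLines = @(
    '644,AUDIT SUCCESS,Security,Wed Apr 14 10:21:08 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)',
    '644,AUDIT SUCCESS,Security,Wed Apr 14 10:08:14 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STTB2710ZJLW     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)',
    '529,AUDIT FAILURE,Security,Wed Apr 14 10:07:50 2010,NT AUTHORITY\SYSTEM,Logon Failure:     Reason: Unknown user name or bad password     User Name: zdjb     Domain: TEACH     Logon Type: 3     Workstation Name: STTB2710ZJLW'
)

function ConvertFrom-EventCombLine {
    param([string]$Line)
    # Split only the five header fields; the event text may itself contain commas, e.g. "(0x0,0x3E7)"
    $parts = $Line -split ',', 6
    if ($parts.Count -lt 6) { return $null }

    # "Field: value" pairs are separated by runs of two or more spaces
    $fields = @{}
    foreach ($m in [regex]::Matches($parts[5], '([A-Za-z ]+?): (.+?)(?=\s{2,}|$)')) {
        $fields[$m.Groups[1].Value.Trim()] = $m.Groups[2].Value.Trim()
    }
    # 644 names the target account and caller machine; 529 uses User Name / Workstation Name
    $account = $fields['Target Account Name']; if (-not $account) { $account = $fields['User Name'] }
    $machine = $fields['Caller Machine Name']; if (-not $machine) { $machine = $fields['Workstation Name'] }

    New-Object PSObject -Property @{
        EventId = [int]$parts[0]
        Time    = $parts[3]
        Account = $account
        Machine = $machine
        Caller  = $fields['Caller User Name']
    }
}

function Get-LockoutSources {
    param([string[]]$Lines)
    $Lines | ForEach-Object { ConvertFrom-EventCombLine $_ } |
        Where-Object { $_ -and $_.EventId -eq 644 } |
        Group-Object Account, Machine |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account  = $_.Group[0].Account
                Machine  = $_.Group[0].Machine
                Caller   = $_.Group[0].Caller
                Lockouts = $_.Count
                LastSeen = $_.Group[-1].Time
            }
        }
}

# Run over the constructed sample; for real output read the EventCombMT files instead:
# $lines = Get-ChildItem -Path $ResultDir -Filter '*.txt' | Get-Content
Get-LockoutSources -Lines $SampleLines |
    Format-Table Account, Machine, Caller, Lockouts, LastSeen -AutoSize
```

On the sample this lists STNB4200ZKLC and STTB2710ZJLW against zdjb, one lockout each, which is exactly the pair of machines the post tracked down.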

Solving the problem of the account lockout has prompted some new strategies for monitoring the network that we hadn't considered before. Now that we have the tools, we can regularly search the event logs for bad passwords on Administrator accounts and follow up the results. We may also have started the ball rolling on a project to create more user accounts in AD for different network services. It was lucky that we found Sophos was the culprit; next time it could be difficult to find old credentials being used in an Altiris job, for example. Creating different user accounts for services like Sophos, Altiris jobs, SQL, Exchange and Intranet applications will help narrow down a search next time we have a password problem and will make it easier to change these passwords on a regular basis.

Vista Black Screen of Death and Altiris SVS

When we rolled out the HP 2730p tablets to Staff last year, we decided to try out the Altiris software virtualisation (SVS).

Since it came bundled with our Altiris purchase it seemed like the easiest choice for getting into software virtualisation. We had tried the demo of VMware's ThinApp but were discouraged by the pricing, and had been impressed with demos of Microsoft App-V. Software virtualisation would let us have a much smaller SOE with just Vista, Office 2007 and the Adobe CS4 Master Collection, and have every other application installed as an SVS layer. This way we could reduce the time needed for imaging and control the application deployment through Altiris. We could also enable the web portal, which would let Staff select which SVS layers they'd like deployed to their machine!

Since the 2730p machines have been imaged, we've had a few come back because Vista seems to hang on a black screen after the green progress bar on boot up.


The problem seems to be with a driver for SVS (fslx.sys), and after browsing the web for reasons why we've had this issue, we found that it may be a problem with one of the SVS packages we've deployed.

A thread on the Symantec forums details some of the SVS KSOD issues that people have had and finds that troublesome SVS layers are the culprit. This thread confirmed our suspicions that we were having trouble with SVS packages we'd made for applications like Skype and iTunes that have regular/frequent updates. The files in the SVS layer can't be updated when there's an update or patch for an application. With software virtualisation on the rise it would be handy if the application knew it was virtualised and warned the user that new versions can't be installed until the virtualised application is removed.

Anyway, here’s the fix:

· Boot the machine into Safe Mode

· Login as Admin

· Rename C:\Windows\system32\drivers\fslx.sys to C:\Windows\system32\drivers\fslx_old.sys

· Restart the machine

This will disable SVS and all the SVS layers. We've had some success with updating the SVS software to a slightly newer version, though in most cases we've still had trouble after updating the SVS client. The best bet is to work out which SVS layer is causing the problem and disable it. Easier said than done.

We're yet to decide if we'll consider SVS for the 2010 Staff image. If we do, we'll have to exclude applications like iTunes and Skype and try to avoid the black screen issues. We also need to decide if we're going to move to Windows 7 for this image and whether it will be 32 or 64bit. Symantec have released the beta version of Symantec Workspace Virtualization, a new version of SVS, which is compatible with 64bit Windows, but it's unlikely that the final version will be released in time for our internal testing.

Netbooks: Setting Students as Admins during deployment

As part of our config for the Student Netbook SOE, we're going to make each Student an Administrator on their own netbook. We don't want to make every Student an administrator on all the machines, because of the security/privacy issues that may arise. If every Student were an administrator everywhere, it would be possible for them to log onto another Student's machine and look at/edit/delete/copy their files.

When we unboxed the netbooks we attached our Asset tags (BGSID) and used the barcode scanner to grab the BGSID and Serial for each netbook and put them into Excel. We thought we could use this data and run a post-imaging script from Altiris to set the Student admin on each machine after they're sysprep'd and before they're given out to Students.

We created a SQL database with one table, see below. The image shows our test data, but we're able to copy the BGSIDs and Serials from the spreadsheet to the database and assign a username for each netbook. The database also has a field for MachineName, which is blank initially and is populated when the script is run. Altiris automatically names the machines according to the template we've specified, but we thought it would be handy to grab the machine name and store it next to the Serial as the machines are assigned to Students.
We can also be sneaky and use the StudentUserName field to query AD, grab the Student's first name and surname, and make sticky labels for their machine and maybe their bags too… we'll see.

Netbooks table with test data

'______________________ Start SetStudentAdmin.vbs __________________________
Option Explicit

' Runs post-imaging on each netbook: looks up the netbook's BIOS serial in the
' Netbooks database, adds the assigned Student to the local Administrators group
' and records the machine name against the serial.

Dim adoConn, adoRS
Set adoConn = CreateObject("ADODB.Connection")
Set adoRS = CreateObject("ADODB.Recordset")
Call GetBGSID

'_______________________________________________________________________

Sub GetBGSID()

    Dim NetBookSerial, winmgmt1, SNSet, SN
    Dim objWshNet, strDomain, strComputer, objGroup, objUser, strUser

    ' Read the serial number from the BIOS via WMI
    winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2"
    Set SNSet = GetObject(winmgmt1).InstancesOf("Win32_BIOS")

    For Each SN In SNSet
        NetBookSerial = Trim(SN.SerialNumber)
    Next

    ' Students end up as local administrators and can read this file, so the
    ' login here should be a read/write account limited to the Netbooks database
    ' rather than sa.
    adoConn.Open "Provider=SQLOLEDB;Data Source=lumberjack;User ID=sa;Password=12345;Initial Catalog=Netbooks;"
    ' Double any single quote in the serial so it cannot break out of the string literal
    adoRS.Open "select * from netbooks where (Serial = '" & Replace(NetBookSerial, "'", "''") & "')", adoConn, 1, 3

    If adoRS.EOF Then
        WScript.Echo "No netbook record found for serial " & NetBookSerial
        adoRS.Close
        adoConn.Close
        Exit Sub
    End If

    Set objWshNet = CreateObject("WScript.Network")
    strDomain = objWshNet.UserDomain
    strComputer = objWshNet.ComputerName
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

    ' Student assigned to this netbook in the database
    strUser = adoRS.Fields("StudentUserName").Value

    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

    If Not objGroup.IsMember(objUser.ADsPath) Then
        objGroup.Add(objUser.ADsPath)
    End If

    ' Store the Altiris-assigned machine name next to the serial
    adoRS.Fields("MachineName").Value = strComputer

    adoRS.Update
    adoRS.Close
    adoConn.Close

End Sub
'______________________ End SetStudentAdmin.vbs ___________________________

Netbook 2010 SOE

We've confirmed our SOE for the Student Netbooks for the 2010 pilot program. Nathan Hargreaves confirmed the final list yesterday. The image will be based on Windows 7 Professional and Office 2007, with:

Access
Acrobat Reader 9
Audacity
ClickView Player
Excel
Flash Player 10
Google Earth
Interactive Atlas CD 1.4
Internet Explorer 8
iTunes
Java Runtime Environment 6
Maths Dimensions 9
Office Live Addin
OneNote
Outlook
Photoshop Elements 8
PowerPoint
Premiere 8
Quicktime
Shockwave Player
Silverlight
Visio
VLC Player 1.0.3
Windows Media Player
Word

We've decided that the netbooks will be added to our domain, which will let the Students use their AD username and password and will provide seamless authentication for web mail, internet access and home drives on the network. We'll also be able to use EAP-TLS with machine certificates for authentication on the new N wireless network, and we can use Group Policies to set mapped drives, install network printers and control power settings.

It's much more work on our behalf to have these machines on the domain, and a lot more testing to make sure that the Students get the user experience they need on the netbooks while still having the same policies, settings and restrictions as our desktop machines. The Students will all be administrators on their netbooks and will be able to install applications and change settings as they like. Finding the balance between letting the Students have the control they need to feel ownership over the device and controlling GPO settings to ensure a seamless experience on campus will be the trick to a successful SOE.

Too Cool for School


Recently our Headmaster announced that the School was going to trial a 1:1 netbook program with our Year 9 Students. Currently our Students use desktops in Computer Labs and some class sets of notebooks with the same SOE that's installed on our desktops. The move to netbooks will create new challenges for our Staff, especially with some of the requirements, most notably that Students will need to have administrator access to their netbooks.

The device that we've selected for the trial is the HP Mini 5101, which has the same specs as the other netbooks, except we've optioned these with the HD screen (1366×768) and a 6 cell battery. The SOE that we're building for the trial includes Windows 7 Professional, Office 2007, Visio, Adobe Photoshop Elements and Premiere Elements. The SOE is pretty simple and the Students can add any other apps they need when the machines are handed over. The only problem with the software has been the Adobe licensing, which has been summed up to perfection by Rob Flavell on Learn | You | Good.

Since we've only ever had a notebook program for Academic Staff, we've been talking to colleagues at Schools with successful Student notebook programs to help work out a successful plan for Grammar. We want the Students to feel ownership over the device, which will help motivate them to look after their machines and reduce damage and support requests. However, we want the machines to be on the network, on the domain, and be able to push settings and updates out to the Students' netbooks and ensure they have the correct printers installed, drive mappings and other group policy settings.

During the year we spoke to a School that has a notebook program for their Students (Years 7-12) and their IT Staff have 3500 re-image jobs per year. This works out to 2 or 3 reimages for each machine in the School, which is probably a full time job for someone! We've kept this in the forefront of our minds when planning the SOE for the netbooks; even though we're only deploying 150 machines for the pilot, we have to assume that the pilot will be a success and that before long we'll have 600-700 netbooks to manage.

We're dealing with the possible flood of reimaging requests with a two pronged attack. The SOE will have two partitions, one for the OS and one for Student data, and we're working on an imaging method that the Students can run themselves. The dual partitions are set up with the Windows 7 Users folder moved to the second partition and a junction/symbolic link created to the new location; there's a nice explanation from Scott Hanselman here. This setup allows us to reimage the partition with the OS and programs and leave the data intact. Once we're confident with the reimaging we won't need to worry about backing up the Student's data before reimaging their machine. The Student self imaging will work, at the moment, using a separate imaging VLAN and getting the Students to boot their machine from the network card and load a custom Altiris WinPE boot image. We looked at options for imaging the netbooks from a hidden partition or via a USB HDD, but we need the imaging job to be initiated by Altiris so the computer gets the right name and settings etc. during the sysprep process.

So that's just the start. We've placed the order for the netbooks with HP and should have delivery before Christmas, and will need to have them finished and ready for the Students at the end of January. As we find problems or something interesting about the image, the netbooks or how we're supporting them, I'll post here.

Exchange 2007 Edge Server Licence

Earlier this year we migrated our Exchange 2003 setup to Exchange 2007 and all was going well for a while, until we noticed that our Edge Server thought it was unlicensed, even though we'd entered all the licence info as part of the initial Exchange config. A quick search found this handy PowerShell command for setting, or resetting, the Product Key for our Edge Server. I'm still impressed with how much PowerShell can do in Exchange/Windows; it's definitely worth investing the time to learn.

PowerShell session:

[PS] C:\Windows\System32>get-ExchangeServer

Name      Site      ServerRole   Edition      AdminDisplayVersion
----      ----      ----------   -------      -------------------
JACKAL    BGS       Mailbox,...  Standard     Version 8.1...
CARLOS    BGS       ClientAc...  Standard     Version 8.1...
EDGE      BGS       Edge         Standard...  Version 8.1...
ZORO      BGS       ClientAc...  Standard     Version 8.1...

[PS] C:\Windows\System32>set-ExchangeServer Edge -ProductKey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
[PS] C:\Windows\System32>get-ExchangeServer

Name      Site      ServerRole   Edition      AdminDisplayVersion
----      ----      ----------   -------      -------------------
JACKAL    BGS       Mailbox,...  Standard     Version 8.1...
CARLOS    BGS       ClientAc...  Standard     Version 8.1...
EDGE      BGS       Edge         Standard     Version 8.1...
ZORO      BGS       ClientAc...  Standard     Version 8.1...

[PS] C:\Windows\System32>

HP 2730p: machine is not in committed state

A couple of weeks ago we ran into problems with our new fleet of 2730p Tablets where the machines weren't booting into Vista. We had a version of the Black Screen of Death, KSOD, that was caused by something upsetting the Altiris SVS client on these machines. While we were troubleshooting the KSOD we tried updating one of the machines with the latest drivers, including the latest BIOS update for the machine from HP. After updating the BIOS to F.0A 31 Jul 2009, the machine rebooted and gave us this error as soon as it was powered on:

WARNING!!! – machine is not in committed state!

After some quick Googling I found others had the same issue after a BIOS update on various HP models. Resetting BIOS defaults and installing an older version didn't make any difference.

Some people suggested running HPSetCfg 1.36 (downloaded from here) or later to reset the serial and model number for the machine. This is a handy little tool from HP that runs from a bootable CD or USB stick; it seemed to only want to work on FAT (not NTFS), and I made the USB stick bootable with HPUSBFW.EXE. This worked nicely but did nothing to remove the warning on boot.

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1251435425255+28353475&threadId=1338615

After making my way to the end of that thread on itrc.hp.com I looked at the AMT settings. Checking the AMT settings in the BIOS showed that it was greyed out and could not be enabled. Thinking that the machine needed a firmware update for the AMT to go with the BIOS update, I attempted to install the 4.1.1.1028 version from the HP site. This should have been the version that was on the machine (Dec 2008), since the machines were purchased in early 2009. The AMT update failed to install, so I started the hunt for the AMT Branding Tool that was mentioned in the thread above and found here.

This is straight from allaboutmicrosoft.net:

Swapped MB on a HP Elitebook 6930P and need to get the serial number into BIOS.
At boot I get a message stating "Warning. Machine is not in committed state. Invalid serial number", but when entering BIOS there is no way for me to enter it. Read on HP forums that I need HP SetConfig Utility 1.36 to do this, but I can't find it anywhere. Does anyone have this program or maybe another solution that could help me?

Solution: Machine is not in committed state

Use this tool. Run it from a bootable flash drive. Read the readme.txt inside the archive.
http://www.naturatek.com/files/amtool.zip

I downloaded the AMT tool and copied it to the bootable USB stick that I'd used before. Because I copied the files to their own folder I had to run Brand.bat from the command line; it should have run from autoexec.bat. The tool checks the current settings and prompts you to see if you'd like to make changes:

VPro Uncommitted
Descriptor Unlocked
Management Engine disabled
Flash Protection Override disabled
****************************************

Do you want to enable or disable AMT now [Y, N]?

The text above is copied from the readme.txt that comes with the AMT tool, but it is essentially the same as what I saw at the command line. After selecting Y to enable AMT there was another prompt or two, followed by a reboot. On boot-up the warning message was gone, and entering the BIOS showed that AMT was now enabled and I could change the AMT settings etc. too!