Showing posts with label GPO. Show all posts

Monday, January 28, 2013

New KB: GP Preferences Local Groups do not accept long names

A new KB article was recently released regarding the creation of local groups (and users) using Group Policy Preferences.

“…Create a Group Policy Preference Setting for "Local User and Groups"
Computer Configuration => Preferences  => Control Panel Settings => Local User and Groups New => Group
In the "Group name" edit field, it is not possible to enter a Group/Username longer than the displayed field.
The "Group name" edit field does not allow to scroll the content, so the length is limited by the visible length of the field…”

I personally never noticed this before, but I did some quick testing on Windows Server 2008 R2 and the limit seems to be 32 characters. This has been fixed in Windows Server 2012.


Source and suggested workarounds:
http://support.microsoft.com/kb/2616766/en-us?sd=rss&spid=14134

Wednesday, September 19, 2012

Overview of all new Windows 2012 GPOs related to Remote Desktop Services


The Group Policy Settings Reference for Windows and Windows Server has been updated with Windows Server 2012.

The download offers Excel sheets listing all available GPO policy settings. A “Status” column lets you filter on new GPO settings, and a “Registry information” column gives the registry equivalent of each GPO setting.

Below is an overview of all the new GPO settings related to Remote Desktop Services:

| ADMX file | Policy setting name | Scope | Policy path |
| --- | --- | --- | --- |
| Terminalserver-Server.admx | Turn off Fair Share CPU Scheduling | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections |
| Terminalserver-Server.admx | Use the hardware default graphics adapter for all Remote Desktop Services sessions | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer-WinIP.admx | Configure image quality for RemoteFX Adaptive Graphics | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer-WinIP.admx | Configure RemoteFX Adaptive Graphics | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer-WinIP.admx | Enable Remote Desktop Protocol 8.0 | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer-WinIP.admx | Select network detection on the server | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections |
| TerminalServer-WinIP.admx | Select RDP transport protocols | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections |
| TerminalServer-WinIP.admx | Turn Off UDP On Client | Machine | Windows Components\Remote Desktop Services\Remote Desktop Connection Client |
| TerminalServer.admx | Limit maximum display resolution | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer.admx | Suspend user sign-in to complete app registration | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections |
| TerminalServer.admx | Configure image quality for RemoteFX Adaptive Graphics | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer.admx | Configure RemoteFX Adaptive Graphics | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer.admx | Allow RDP redirection of other supported RemoteFX USB devices from this computer | Machine | Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection |
| TerminalServer.admx | Configure RemoteFX | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2 |
| TerminalServer.admx | Optimize visual experience when using RemoteFX | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2 |
| TerminalServer.admx | Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1 | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment |
| TerminalServer.admx | Specify default connection URL | User | Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections |
| TerminalServer.admx | Select network detection on the server | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections |
| TerminalServer.admx | Select RDP transport protocols | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections |
| TerminalServer.admx | Turn Off UDP On Client | Machine | Windows Components\Remote Desktop Services\Remote Desktop Connection Client |

Tuesday, April 24, 2012

Setting the default RemoteApp connection URL on your clients using GPO

Before Windows Server 8 beta (soon to be Windows Server 2012), the user's Control Panel had an option called RemoteApp and Desktop Connections. Using this Control Panel option, the user could set the URL needed to connect to RD Web Access and make the RemoteApps available. Remember that in an earlier feature highlight blog post I wrote that Windows Server 8 beta added a new option so that users can also enter their corporate e-mail address instead of the connection URL, which is of course much more user friendly.

Windows Server 8 Beta also comes with a new GPO setting to set the default connection URL so that the user would not have to configure anything at all!

The setting is inside a new container called “RemoteApp and Desktop Connections” and is called “Specify default connection URL”.

If you enable this setting you are able to set the default connection URL. The details of the setting are shown below.

Setting: Specify default connection URL
Supported on: At least Windows 8 Consumer Preview
Comment: This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs.

The default connection URL must be configured in the form of http://contoso.com/rdweb/Feed/webfeed.aspx.

If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL.

If you disable or do not configure this policy setting, the user has no default connection URL.

Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account.

Tuesday, November 29, 2011

My first article at VirtualizationAdmin.com

Today my first article at VirtualizationAdmin.com was published. You can read the introduction of the article below. Use the link to read the complete article!



Printing in Microsoft RDS environments and how it evolved in todays technology

"...As you might know RDS stands for Remote Desktop Services, previously known as Terminal Services and designed to have multiple user sessions hosted on a single server. Now it is called Session Virtualization. These sessions have grown out to becoming complete local desktop replacements. What activity is one of the most frequent user actions on a desktop? Exactly, printing!
Therefore, whether to allow printing from a session is not the question. The question is how to configure it in the most convenient way from the end-user's perspective and easy to maintain from the administrator's perspective. In this article, we’ll discuss printing in Microsoft RDS environments, what printing from a remote session was like in the past and how it evolved in today’s technology..."

Read the complete article here:
http://www.virtualizationadmin.com/articles-tutorials/vdi-articles/general/printing-microsoft-rds-environments-how-evolved-todays-technology.html

Thursday, November 17, 2011

Looking for a specific GPO setting, corresponding registry key or corresponding .admx file?

When you work with Group Policy Objects (GPOs) regularly, or even better, when you don’t work with GPOs regularly, the following scenarios will sound familiar.

- I know this GPO setting exists, I know it had the words “Delegating Saved Credentials” in it but where is that specific policy in the GPO tree?

- I have this GPO setting here, but what is the corresponding registry key?

- I have this GPO setting here, but what is the corresponding .admx file?

- I have this GPO setting here, but is a logoff required?

Save yourself some time searching the net and bookmark the following page (or this blog post :)):
http://www.microsoft.com/download/en/details.aspx?id=25250

It contains several fully searchable Excel sheets, which list GPO settings with columns like policy setting name, scope, .admx file, registry key, etc.!

These sheets have been around for some time, but I thought it might be useful information to give it some extra attention.

There is also an online variant here: http://gps.cloudapp.net/

Friday, September 9, 2011

“Allow Logon through Terminal Services” GPO and the “Remote Desktop Users” group.

In case you're confused about the GPO setting “Allow Logon through Terminal Services” and the security group “Remote Desktop Users”, a new post on this subject by the Ask the Performance Team was just published on blogs.technet.com. It provides a clear explanation of the differences between those two settings and how they combine.

"...I am sure many of you are already familiar with this GPO and this group. But still there has been some confusion around whether you should be using the GPO for allowing the user to RDP to the server or should be using the Remote Desktop Users group or both. And at times, even what to choose between them and what is the best recommended practice.

Hence I wanted to provide a short simple explanation about this group policy and the user group and how they are interrelated.

To start with, there are two types of user rights; Logon rights & Privileges. In simpler terms these are:
1) Remote Logon: rights to machine
2) Logon: privileges for access to the RDP-TCP Listener

These play the vital part in allowing an RDP session to the server.
When a user is able to validate the above two conditions successfully, only then is the user provided with a successful RDP connection to the server.

The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.

Now, if you have a user account which is not a part of the Administrators or the Remote Desktop Users groups and you go ahead and add him to the GPO for “Allow Logon through Terminal Services”, they will still not be able to create a successful RDP connection to the server. The reason being that adding a user to this GPO only authorizes him for a Remote Logon to the server but does not give him the permissions to connect to the RDP-Listener.

Now comes into play the Logon privileges for the RDP-Listener. Once the user is authorized for remote logon, his privileges to connect to the RDP-Listener are verified. If the user has permissions on the listener then the connection is successful. These permissions can be verified from RDP-TCP Listener properties..."
Source: http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
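
The two checks described in the quoted post can be modelled offline, as an added example that is not code from this blog or from the Ask the Performance Team post. It parses the user-rights line that `secedit /export` writes for this policy (SeRemoteInteractiveLogonRight) and compares it with a listener permission list; the sample export, the domain SID, the account names and the listener permission set are all constructed assumptions.

```python
import re

# Constructed name map: two well-known built-in SIDs plus one made-up domain SID.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-21-1111111111-2222222222-3333333333-1104": "CONTOSO\\alice",
}

# Constructed sample of the [Privilege Rights] section of a `secedit /export` file.
# "Allow log on through Terminal Services" is stored as
# SeRemoteInteractiveLogonRight; here alice was added to it directly.
SAMPLE_INF = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1104
"""

# Assumed (constructed) RDP-Tcp listener permissions: only the two groups.
SAMPLE_LISTENER = {"administrators", "remote desktop users"}

def remote_logon_holders(inf_text):
    """Return lower-cased principals that hold SeRemoteInteractiveLogonRight."""
    match = re.search(r"^SeRemoteInteractiveLogonRight\s*=\s*(.*)$", inf_text, re.M)
    if not match:
        return set()
    holders = set()
    for entry in match.group(1).split(","):
        entry = entry.strip().lstrip("*")  # secedit prefixes SIDs with '*'
        if entry:
            holders.add(SID_NAMES.get(entry, entry).lower())
    return holders

def rdp_access(user, groups, right_holders, listener_holders):
    """Check both conditions from the quoted post for one user."""
    identities = {name.lower() for name in (user, *groups)}
    has_right = bool(identities & right_holders)
    on_listener = bool(identities & listener_holders)
    return {"remote_logon_right": has_right, "listener_permission": on_listener,
            "can_connect": has_right and on_listener}

def right_without_listener(users, right_holders, listener_holders):
    """List users who pass the user-rights check but fail the listener check."""
    flagged = []
    for user, groups in users.items():
        result = rdp_access(user, groups, right_holders, listener_holders)
        if result["remote_logon_right"] and not result["listener_permission"]:
            flagged.append(user)
    return sorted(flagged)
```

Accounts returned by `right_without_listener` match the case in the quoted post: they were added to the policy directly but still cannot connect, which usually means access was granted in the wrong place.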

Wednesday, August 10, 2011

No access to allowed applications managed by AppLocker

This new update fixes the issue where you manage software restriction policies by applying AppLocker rules from a Group Policy Setting (GPO). In this scenario, you cannot access allowed applications because the synchronization mechanism between Group Policy and AppLocker is broken.


Article ID: 2568041 - Last Review: August 10, 2011 - Revision: 1.0
You cannot access allowed applications that are managed by AppLocker in Windows 7 or in Windows Server 2008 R2