Monthly Archives: January 2012

ThinKiosk: Turn your current PCs into Citrix-ready thin clients, with minimum hassle.

Note:

This post refers to the 1.0 release. Please go to http://www.andrewmorgan.ie/thinkiosk for the latest information or use the menus above.

With a lot of uncertainty in the Citrix Thin Client market (Citrix SoC), the increasing demands for client offloading (HDX redirection) and the abundance of suitable hardware in your current infrastructure, there has never been a greater need for hardware recycling.

Using current defunct hardware to provide a better experience to the user can slash the cost of new customer roll outs and also provide a stop gap solution as we all patiently wait to see what Citrix will deliver with their System on Chip design.

With this in mind I recently set about evaluating products in this market. I tested both Linux-based distros and the Citrix Desktop Appliance Lock.

  • The Linux devices had driver-related issues and didn't support the full feature list of Citrix's HDX technologies.
  • The Citrix Desktop Appliance Lock (although great) lacked control and flexibility.

Ultimately, not satisfied with my options, I decided to develop my own solution to this problem.

ThinKiosk:

The product I have developed, ThinKiosk, is a lightweight .NET Framework application designed to replace the shell of the PC it runs on. ThinKiosk is free to use and the source code will also be available for further development.

ThinKiosk is a secure browser window that is designed to leverage the configuration and flexibility provided by the Citrix Web Interface. ThinKiosk allows users to use multiple desktops, applications etc. and adds additional configuration options to empower the user: users can configure screen resolution, keyboard, audio etc. without being given too much access to the PC.

With ThinKiosk you can present multiple desktops or individual applications to whoever logs into the kiosk.

ThinKiosk allows companies to leverage all of the Citrix HDX components, along with the Branch repeater plugin on top of hardware capable of client side rendering, at no additional cost.

As ThinKiosk will run on Windows devices, you can use your current antivirus and Windows Update products to manage these devices. No extra configuration, no messing.

Licensing:

ThinKiosk is free to use for any individual or business. So feel free to use it!

That being said, I don’t consent to ThinKiosk being used as follows:

  • Included as part of a bundle package.
  • Integrated into a “paid for” service
  • Sold as a service.

Deployment:

ThinKiosk can be deployed using an MSI and a very simple Group Policy ADM file.

ThinKiosk has been designed to replace the Windows shell using the Group Policy Custom User Interface option. This allows you, as the administrator, to replace the shell based on computer or user policies, allowing quick fallback to the native desktop during testing.

Tested Configurations:

The below operating systems have been tested with HDX and Flash redirection:

  • Windows XP.
  • Windows Thin PC.

The below software components have been tested and are recommended:

  • Windows Media Player 11
  • Internet Explorer 8 & above
  • Adobe Flash Player 11
  • Citrix Receiver Enterprise 3.1
  • Microsoft .NET Framework 2 to 3.5 SP1.

.NET Framework 4.0 has mixed results.

Setup:

ThinKiosk can be deployed to an auto login account, domain or local. ThinKiosk can also be configured to run as the end user. The setup options are flexible to how you wish to deploy it.

A recommended configuration for ThinKiosk would be to configure an auto login account on the PCs, so when the PC boots it auto logs in, presenting the web interface for the user to log in as themselves.

This allows for quick boot times, removes any complications provided by the users group policies and allows users to fall back to their own profile in the event of missing functionality during initial testing.

Group Policy Configuration options:

Below are the configuration options available in the ADM file:

URL – The Web Interface URL.

E.G. http://citrix/Citrix/XenApp

ShowAdminMenu – Displays an admin menu in ThinKiosk.

This admin menu contains cmd, explorer, a custom URL and resizing options. These tools are handy for troubleshooting.

ShowLogOff – Displays the LogOff button to the users.

Allowing a user to log off.

WindowMode – Displays ThinKiosk in a window instead of fullscreen.

Window mode allows users to stack open applications at the bottom of the screen, handy for users who need multiple applications.

WindowModePercent – The percentage of the primary monitor to be used by ThinKiosk.

e.g. 90%

Auto Login Options:

As part of the Group Policy template, I've included options that let you configure the default login as part of the policy. These options aren't currently available in Microsoft Group Policies and have been provided for extra value. These settings don't need to be used.

Registry control:

All configuration of ThinKiosk is via the ADM file, but the corresponding registry keys are published below for non-domain use.

On load, ThinKiosk checks both the machine and user keys, in that order. Machine keys take precedence over user keys.

  • HKEY_LOCAL_MACHINE\SOFTWARE\ThinKiosk
  • HKEY_CURRENT_USER\SOFTWARE\ThinKiosk

Under these keys, the following registry items can be configured:

  • URL – REG_SZ – e.g. http://citrix/Citrix/XenApp
  • SHOWADMINMENU – REG_DWORD – e.g. 1
  • SHOWLOGOFF – REG_DWORD – e.g. 1
  • WINDOWMODE – REG_DWORD – e.g. 1
  • WINDOWMODEPERCENT – REG_SZ – e.g. 95
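
The following is an added example, not part of ThinKiosk or the original post: a PowerShell check that resolves the effective value of each registry item listed above and flags the settings worth reviewing on a production kiosk. It assumes precedence is applied per value (machine key first, then user key) and PowerShell 3.0 or later; the function names are hypothetical.

```powershell
# Added example, not part of ThinKiosk. Value names come from the list above.
# Assumption: precedence is resolved per value, machine key first, then user key.
$valueNames = 'URL', 'SHOWADMINMENU', 'SHOWLOGOFF', 'WINDOWMODE', 'WINDOWMODEPERCENT'
$keys = @(
    @{ Source = 'Machine'; Path = 'HKLM:\SOFTWARE\ThinKiosk' },
    @{ Source = 'User';    Path = 'HKCU:\SOFTWARE\ThinKiosk' }
)

function Get-ThinKioskEffectiveSetting {
    foreach ($name in $valueNames) {
        $hit = $null
        foreach ($key in $keys) {
            # A missing key simply yields no properties
            $props = Get-ItemProperty -Path $key.Path -ErrorAction SilentlyContinue
            if ($props -and $null -ne $props.$name) {
                $hit = [pscustomobject]@{ Name = $name; Value = $props.$name; Source = $key.Source }
                break   # first key that defines the value wins
            }
        }
        if ($hit) { $hit } else {
            [pscustomobject]@{ Name = $name; Value = $null; Source = 'NotSet' }
        }
    }
}

function Get-ThinKioskFinding {
    param([object[]]$Settings)
    foreach ($s in $Settings) {
        if ($s.Name -eq 'SHOWADMINMENU' -and $s.Value -eq 1) {
            "SHOWADMINMENU=1 ($($s.Source)): cmd and explorer are reachable from the kiosk."
        }
        if ($s.Name -eq 'URL' -and $s.Value -like 'http://*') {
            "URL uses plain HTTP ($($s.Value)): Web Interface logons are not encrypted in transit."
        }
        if ($s.Source -eq 'User') {
            "$($s.Name) comes from HKCU only: set it under HKLM so a standard user cannot override it."
        }
    }
}

$settings = Get-ThinKioskEffectiveSetting
$settings | Format-Table -AutoSize
Get-ThinKioskFinding -Settings $settings
```

Run it in the context of the kiosk's logon account so that HKCU resolves to the profile ThinKiosk actually reads.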

Recommended Group Policy:

Below you will find a quick screenshot of the recommended group policies to configure with ThinKiosk:
These policies aren’t a bible, just a recommendation of what I’ve found to work well.

Citrix Web Interface Considerations:

Below are some quick fire recommendations to make the web interface configuration faster and easier.

Dedicated web interface site for ThinKiosk:

As a number of the configuration options needed for ThinKiosk will not suit a standard web interface site, I suggest you configure a dedicated site for ThinKiosk.

Session time out:

As users will be authenticating on this web interface then most likely launching a desktop, I suggest a session time out as low as 5 minutes.

Default ICA file options:

Below are a few Default ICA options that are useful for ThinKiosk:

Forcing the use of the desktop viewer:

[ApplicationName]
....
connectionbar=1
TWIMode=Off

Force the Citrix receiver to use full screen:

[Application]
...
DesktopViewer-ForceFullScreenStartup=true

Download:

Head over to the downloads page for more information.


Known issues:

  1. The first login after installing the receiver causes ThinKiosk to hang on client detection.

Update: this issue only happens with < Web interface 5.3, Web interface 5.4 works fine. If this does happen, just restart the endpoint.

Future Improvements:

  1. Multi User language packs for Spanish, Greek and French are being developed.
  2. Central management for Shutdown and Boot options.
  3. Keystroke to enter admin mode. This is in progress and expected soon.
  4. Auto add the Web interface to Trusted Sites.

Feedback:

I’m really interested in feedback and your use case for ThinKiosk, drop me an email on andrew [at] andrewmorgan [dot] ie and let me know what you like and more importantly, what you need.

Credits:

A big thank you to @shanekleinert for initial testing and feedback.

Translations:

A big thank you to the following people for providing translation help:

Replacing Windows Devices and Printers with RES Workspace Manager PowerPrint

This post is with thanks to @patrickdamen for the great idea of using a building block and @antonvanpelt for taking time from his busy weekend to test the fix, thanks gents!

So one of the great features of RES Workspace Manager is PowerPrint. PowerPrint, among other things, allows you to map printers and track preferences depending on your location. PowerPrint is so powerful that most administrators will remove users' ability to use the native Windows functionality in favour of this tool.

A downside to the latest incarnation of Workspace Manager is that PowerPrint is quite hard for users to find: instead of being on the root of the Windows XP style start menu, it's now moved down two tiers into the Workspace Manager start menu folder on the Windows 7 style desktop.

With the attached building block, you can replace the native Windows shortcut to "Devices and Printers" with a link to PowerPrint instead!

This building block works by hacking and taking over the Class ID for Devices and Printers and populating the class ID with entries for PowerPrint. In order to use this building block, follow my previous blog post on how to hide the Windows "Devices and Printers" from the users.

The great thing about this hack is that it reuses native Windows functionality the user will be used to and makes PowerPrint much easier for the user to access. That being said, I'm not sure RES will be enthusiastic about this hack, so use it at your own risk.

The (32 bit) addition to the name is a bit of a mystery at the moment. I've a call open with RES and I suspect it's wow6432 related.

Download the building block here:

Removing users access to “Devices and Printers” in a Server 2008 R2 / Win 7 Environment.

I love a good challenge. Recently I read the following article from Microsoft about how to tackle the title of this blog. This hack didn't actually stop the users from accessing the cpl, as clever users will just use rundll32 to get around the limitation. This also knocked other "show the following control panel items" policies out.

This really isn't a huge issue in most environments, as users will probably want to enumerate their printers at one stage or another. But in a RES Workspace Manager environment, RES provides a much better interface for printer management, which makes the Windows method redundant.

The culprit can be seen below:

This problem, for me, all stems from the "NoSetFolders" chestnut. Anyone who's tried to lock down a Terminal Services environment from Windows Server 2000 onwards will be aware that this "handy" group policy removes the user's ability to use [Windows Key] and [E] to open Explorer. This issue still isn't fixed in 2008 R2 and I'm beginning to think Microsoft just won't fix it. Hey, no big deal, right? Yes, quite a big deal if you ask pedantic users.

Anyway, I digress. Once you remove the NoSetFolders key, the user has the ability to see Devices and Printers on the start menu as below, hence my situation.

To remove this folder view for all users, it's time to hack the registry!

The Class ID belonging to this start menu item can be found here:

HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

This dastardly key also has a 32-bit relation that can be found here:

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

As with my previous post about removing screen resolution and personalise, it's just a matter of removing the users' ability to see this registry key.

So below you will find the steps to take to remove this item:

  1. Take a backup of this key, you'll thank me if you get it wrong!
  2. Browse down to HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
  3. Right click this key, choose permissions, click advanced, then owner.
  4. Select administrators from the list, then choose "Apply".
  5. Browse to the permissions tab and remove the "users" group. (You may need to remove inheritance.)
  6. Click "apply", then "ok".
  7. Repeat steps 2 to 6 on HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
  8. Tada! Go grab a coffee to celebrate your domination over the Windows operating system.

And that's it. Even if the user tries to view the option, there's a blank place on the start menu where Devices and Printers should be. Check back next week and I'll show you how to replace this shell icon with PowerPrint from RES Software.
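
A way to record and verify the result of the steps above, as an added example that is not from the original post and is not the script mentioned in the PS below: it reports the owner, inheritance state and BUILTIN\Users access on both CLSID keys and saves each security descriptor as SDDL, since a .reg export of the key holds values only, not permissions. The function name and CSV file name are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report owner, inheritance and BUILTIN\Users access on both CLSID keys.
# Run elevated; once the Users group is removed, a standard user cannot read these ACLs.
$clsid = '{A8A91A66-3A7D-4424-8D24-04E180695C7A}'
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid"
)
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users
$sidType  = [System.Security.Principal.SecurityIdentifier]

function Get-ClsidKeyAclState {
    param([string[]]$Path)
    foreach ($key in $Path) {
        # The Wow6432Node key does not exist on 32-bit Windows
        if (-not (Test-Path -Path $key)) {
            [pscustomobject]@{ Key = $key; Present = $false; Owner = $null
                               InheritanceDisabled = $null; UsersAllowed = $null; Sddl = $null }
            continue
        }
        $acl = Get-Acl -Path $key
        # Explicit and inherited ACEs, with identities returned as SIDs
        $usersAces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and $_.AccessControlType -eq 'Allow'
        }
        [pscustomobject]@{
            Key                 = $key
            Present             = $true
            Owner               = $acl.Owner
            InheritanceDisabled = $acl.AreAccessRulesProtected
            UsersAllowed        = [bool]$usersAces   # expected: False after step 5
            Sddl                = $acl.Sddl          # full security descriptor
        }
    }
}

$state = Get-ClsidKeyAclState -Path $keys
$state | Format-List Key, Present, Owner, InheritanceDisabled, UsersAllowed
# Save the descriptors before and after the change so the ACLs can be compared
$state | Select-Object Key, Sddl | Export-Csv -Path .\DevicesAndPrinters-acl.csv -NoTypeInformation
```

The check only looks at the Users group, which is the group the steps remove; access granted through other groups is not evaluated.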

PS: You can also quite easily script this, Remko provided me with a great script that I’ve modified below to suit this purpose.


Using my Citrix EdgeSight PowerShell module with Active Directory OUs.

I received a request on Twitter late last night and it was an interesting one. The person in question wanted to use my current EdgeSight module to import users from Active Directory into the static Citrix EdgeSight groups, but instead of group membership in Active Directory, they wanted to use Active Directory Organisational Units.

All the information on how to use the module is included in the previous post, so I won't re-invent the wheel. Have a read of the previous post for any caveats or pre-emptive misunderstandings.

Below are two code snippets to use OU membership with either the Quest or Microsoft cmdlets for Active Directory. Just modify the OU path below; I've tried to include a long example to ensure there's no confusion.

Quest Active Directory snap-in:

[sourcecode language="Powershell"]
# Quest Active Directory snap-in
Import-Module "C:\citrix.edgesight.cmdlets.psm1"
Add-PSSnapin Quest.ActiveRoles.ADManagement
$ADOU = 'domain.domain.com/Country/Users/advanced/Helpdesk'
$esgroupid = 20

# Clear the EdgeSight group before import
Clear-ESGroupMembers -groupid $esgroupid

# Get the users in the OU, then import them into EdgeSight
foreach ($user in Get-QADUser -SearchRoot $ADOU -SizeLimit 0) {
    $prid = Get-ESUserPrid $user.logonname
    # Skip users for whom no EdgeSight PRID was returned
    if ($null -ne $prid) {
        Add-ESGroupMember -groupid $esgroupid -prid $prid
    }
} # end foreach
[/sourcecode]

Microsoft Active Directory module:

[sourcecode language="Powershell"]
# Microsoft Active Directory module
Import-Module "C:\citrix.edgesight.cmdlets.psm1"
Import-Module ActiveDirectory
$ADOU = "OU=helpdesk,OU=advanced,OU=Users,OU=Country,DC=domain,DC=domain,DC=com"
$esgroupid = 20

# Clear the EdgeSight group before import
Clear-ESGroupMembers -groupid $esgroupid

# Get the users in the OU, then import them into EdgeSight
foreach ($user in Get-ADUser -Filter * -SearchBase $ADOU) {
    $prid = Get-ESUserPrid $user.samaccountname
    # Skip users for whom no EdgeSight PRID was returned
    if ($null -ne $prid) {
        Add-ESGroupMember -groupid $esgroupid -prid $prid
    }
} # end foreach
[/sourcecode]

Pulling detailed thin client reports from Igel's UMS with PowerShell.

I needed a full and detailed list recently of all Igel thin client devices and was disappointed with Igel's built-in views and reporting options. As with my previous PowerShell and SQL scripts, I set about getting into the Igel database and pulling the information I required.

This script is fairly niche, so I've not included my usual list of options and explanations. Feel free to request more detail if needed.

This script will pull a lot of useful information about each device, from MAC address to firmware ID, and return a full table of contents from your Universal Management Server, as below:

This script only supports trusted connections, so the account you run the script as needs access to the database. If you need to configure non-trusted connections, have a look at my EdgeSight or SQL backup scripts for inspiration.

The only options you need to configure are the SQL server name and database name. These can be found at the start of the script, as below:

The script itself can be found after the jump:
