I need your help Server Based Computing / VDI Experts!

Hi Guys and Gals. I’m currently fighting the good fight with Microsoft support and require your help and backing in order to close down a long-standing bug in the Windows Explorer shell.
As you are all aware, hiding the c: drive and restricting access has been a utility we use frequently in shared computing and VDI environments. Restricting this functionality removes views of the shared drive from users and adds a layer of security and complexity* to ensure the users in question have access to only what they need in order to do their jobs day to day.
*I’m not looking to argue the merit of doing this either, it really depends on the business case or environment to dictate whether this option is set. I’m NOT saying it should be done in every case.
We all know it’s not foolproof; there are certain ways for users to circumvent this layer and I particularly don’t want to discuss them here to give potential devious users a landing page for ideas!
The problem:
Prior to Windows Vista, when you hide the c: drive and an application requests access to a c: drive folder, be it from an “open save dialog” or otherwise, Windows detects this event, knows that the folder is restricted and merely redirects the user to the desktop, which they can see, and from there they can browse to wherever they wish to open or save a document. This has worked fine, to memory, since Windows Server 2000.
But with the changes to Windows Explorer in Windows Vista, repeating the above steps results in the following annoying, unnecessary and interrupting error message: “This operation has been cancelled due to.. bla bla blah”:

This issue can be easily recreated: simply hide and restrict the c: drive, then click start > run > browse… bang.
The more annoying problem here is that after the error message, Windows simply redirects back to a visible folder. In most cases this is the documents library. So the error message simply pops up, then Windows reverts to the functionality seen in previous operating systems.
So to review:
- Issue introduced in Vista / 2008 and above.
- Error message displays.
- Previous redirect functionality is still there and occurs after ok is pressed.
To Microsoft!
Being a pedantic individual, along with my colleague we brought this to Microsoft support and somehow lost months in the conversation as follows:
- Microsoft then redirected us to RES Software.
- Who (although very nice about it) sent us back to Microsoft.
- At which point I got involved.
Now with the correct audience and suitable severity, this problem has been identified as “introduced in Windows Vista” as an “Added Security feature“. How an annoying pop-up box masking previous functionality is a security feature is anyone’s guess, but it’s bloody annoying…
We have raised this as a bug and have requested Microsoft to fix it. The change in question was deemed a large or substantial change, due to Windows Explorer being used by all of the operating systems, and we were basically told that, without significant backing, this change won’t be implemented.
Bureaucracy and broken policies, yes, but that doesn’t help my customer.
Here’s where I need you:
In order to bolster this change and fix an issue in our beloved operating systems for Server Based Computing and VDI environments I need to hear from you and your customers to confirm they have had this issue, or currently face the issue and wish for a fix.
- If you are a customer and suffer this issue, email me.
- If you are a consultant and have customers with this issue, email me.
- If you or your customer have enterprise support with Microsoft, I ESPECIALLY want to hear from you.
What’s in it for you?
Microsoft have provided us with a workaround: a process that watches window messages and suppresses this dialog box when it occurs. If you get in touch, I’ll recompile this application with Microsoft’s permission and pass it on to you for use in your environment while we get “The Man” to fix it!
This fix is a bit of a hack, as it’s scraping window messages, but it’s lightweight and scalable. Use this process for now and I’ll provide you with updates on a fix as and when I get them.
How do you contact me?
Please drop me an email at andrew{at}andrewmorgan{dot}ie with the following information:
- Customer name:
- Affected users:
- Has enterprise support: (yes/no)
Once I have that information, I’ll send you back an executable via Dropbox and keep you updated on the call process. This information is merely going to be fed straight to Microsoft with my personal guarantee of confidentiality. No funny business.
If you can’t share customer information, but have suffered this issue in the past, no problem! Please comment on this blog post the number of seats that were affected and roughly how many times you’ve seen it.
That’s it!
Thanks for entertaining my request for help, and hopefully you too want to get this issue fixed as much as I do.
Announcing SBC Printers, A simple printers interface for XenApp / VDI
A little irk of mine with Windows 7 and Server 2008 R2 was the Devices and Printers interface. This mix of peripherals is fine for standard desktops, but in SBC / VDI the devices list generally contained items you didn’t want users seeing, or ejecting for that matter!

Not happy with the irk, and still on my app developing buzz, I decided to write SBC Printers:

SBC-Printers is a simple little .NET 4 application, leveraging WMI for printer enumeration and control. Because SBC Printers is an executable, it can be published as a XenApp application. SBC Printers can also be installed as the default printers interface on the start menu:

So really your users won’t know the difference or care for that matter!
SBC-Printers also comes with securable options for adding or deleting local printers:


The display of add or delete can be controlled via the settings file in the installation directory:

Installation:
- Download the following MSI
- Install the MSI to the default directory.
To restrict the standard printers dialog from users, but leaving it accessible to administrators:
- Browse to c:\program files (x86)\SBC-Printers\bin

- Run the PowerShell script below, and make sure to run it as an administrator!
That’s it. Once the PowerShell script runs, it removes the users’ access to the registry classes that give them access to the standard Devices and Printers interface, which means we’re now ready to provision SBC-Printers to replace it.
Provisioning the replacement to the user:
Now just import the userkey.reg into the user’s profile on login. You can do this via your user profile manager of choice, or use Group Policy preferences.
That’s it!
As you can see I haven’t streamlined the install process too much, this is mostly down to the simplicity of the tool. If you like SBC-Printers but would like a better installer, just drop me a comment below.
Roll back:
If you need to restore the standard interface, uninstall SBC-Printers, then add the (local computer\users) group back to the ACLs of the following registry keys:
- HKCR\software\classes\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
- HKCR\software\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
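A read-only check for confirming that the restriction, or the roll back, has taken effect. This is an added example, not the script that ships with SBC-Printers; the helper name `Get-UsersKeyAccess` is hypothetical, and it assumes the two keys above correspond to the `HKEY_CLASSES_ROOT` paths shown in the code.

```powershell
# Added example (not the SBC-Printers script): read-only ACL audit, changes nothing.
# Assumption: the two keys listed above correspond to these HKEY_CLASSES_ROOT paths.
$clsid = '{A8A91A66-3A7D-4424-8D24-04E180695C7A}'
$keys  = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid"
)

# Hypothetical helper: reports the ACEs held by BUILTIN\Users (SID S-1-5-32-545).
function Get-UsersKeyAccess {
    param([Parameter(Mandatory = $true)][string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; State = 'KeyMissing'; Rights = $null }
    }
    try {
        $acl = Get-Acl -LiteralPath $KeyPath -ErrorAction Stop
    }
    catch {
        return [pscustomobject]@{ Key = $KeyPath; State = 'AclUnreadable'; Rights = $_.Exception.Message }
    }

    # Resolve identities to SIDs so the match also works on non-English systems.
    $rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-32-545' })

    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })

    if     ($deny.Count)  { $state = 'UsersDenied' }
    elseif ($allow.Count) { $state = 'UsersAllowed' }    # Users group has an allow ACE
    else                  { $state = 'UsersNotListed' }  # no ACE for Users; other groups may still grant access
    [pscustomobject]@{
        Key    = $KeyPath
        State  = $state
        Rights = ($rules | ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join '; '
    }
}

$keys | ForEach-Object { Get-UsersKeyAccess -KeyPath $_ } | Format-List
```

Run it from an elevated prompt before and after the change, so the two results can be compared per key.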
Customising the Citrix Receiver for Mac OS
Here’s a fun little customisation if you grow tired of the green bubbles of gloom.

The background above is a png file, with the following dimensions:
- Height: 2048
- Width: 1056
So if you want to replace this file, go find your replacement picture and ensure your picture is of a similar enough size.
Once you have a png file with similar enough dimensions, open the Finder application, open the Applications folder, right click the Citrix Receiver app and choose “Show Package Contents”.
Browse down to: Contents > Resources

In this folder, you will find a file “backgroundImage_big_b.png”. Before you start, rename this file to back it up.
Now simply copy your replacement file into this folder, using the above name:

And that’s it! You’ve now got a lovely custom Citrix Receiver:

PS: I wouldn’t try to do this with Windows; the file is an embedded resource and would require Resource Hacker to change the file.
Viewing open files on a file server from PowerShell.
So this is a situation you should all be aware of in an SBC / VDI environment: despite all warnings, you’ve redirected folders to your network drive and your file servers are screaming in agony?
Having been in this situation recently, I needed to audit and report on the types of files open on the file server. My hunch was that a certain select number of users were running applications (like *gulp* Lotus Notes) from the network share.
Disappointed with the PowerShell scripts on the interwebs, I decided to write my own function to perform this task:
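function get-openfiles{
    param(
        $computername=@($env:computername),   # one or more file servers to query
        $verbose=$false)                      # set to $true to surface per-item errors
    $collection = @()
    foreach ($computer in $computername){
        # Bind to the Server (LanmanServer) service on the target via the WinNT ADSI provider
        $netfile = [ADSI]"WinNT://$computer/LanmanServer"
        # Resources enumerates the files currently held open over the server's shares
        $netfile.Invoke("Resources") | foreach {
            try{
                # The items are COM objects, so properties are read via late-bound InvokeMember
                $collection += New-Object PsObject -Property @{
                    Id = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                    itemPath = $_.GetType().InvokeMember("Path", 'GetProperty', $null, $_, $null)
                    UserName = $_.GetType().InvokeMember("User", 'GetProperty', $null, $_, $null)
                    LockCount = $_.GetType().InvokeMember("LockCount", 'GetProperty', $null, $_, $null)
                    Server = $computer
                }
            }
            catch{
                # Entries can disappear while being read; only report this when asked to
                if ($verbose){write-warning $error[0]}
            }
        }
    }
    Return $collection
}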
The function above (get-openfiles) has been written to accept an array of servers on the command line and it will return the following items:
- The ID of the open file.
- The server it’s open from.
- The username who has the file open.
- The number of locks the file has.
A couple of quick examples for using this command are below:
Retrieving open files from server1:

get-openfiles -computername server1 | select server,itempath,lockcount
Retrieve a count of open files that end with the nsf file type (Lotus Notes):
@(get-openfiles -computername server1,server2 | ? {$_.itempath -like "*.nsf*"}).count
Retrieve a report of total open files on a number of file servers:

get-openfiles -computername server1,server2,server3,server4,server5 | group -property server
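For the audit described above (which types of files are open, and by whom), the output can be rolled up by file extension. This is an added example, not part of the original post: `Get-OpenFileSummary` is a hypothetical helper, and the sample rows are constructed to match the properties get-openfiles returns.

```powershell
# Added example: summarises get-openfiles output by file extension and user.
function Get-OpenFileSummary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $OpenFile
    )
    begin { $rows = @() }
    process {
        # Folders and extension-less paths are bucketed together as '(none)'.
        $ext = '(none)'
        if ([string]$OpenFile.itemPath -match '\.([^.\\/]+)$') { $ext = '.' + $Matches[1].ToLower() }
        $rows += [pscustomobject]@{ Extension = $ext; UserName = $OpenFile.UserName }
    }
    end {
        $rows | Group-Object Extension | ForEach-Object {
            [pscustomobject]@{
                Extension = $_.Name
                OpenCount = $_.Count
                Users     = @($_.Group | Select-Object -ExpandProperty UserName -Unique | Sort-Object)
            }
        } | Sort-Object OpenCount -Descending
    }
}

# Constructed sample rows; in production, pipe the real output instead:
#   get-openfiles -computername server1,server2 | Get-OpenFileSummary
$sample = @(
    [pscustomobject]@{ Id = 101; itemPath = 'D:\Home\jbloggs\notes\data\mail.nsf';  UserName = 'jbloggs'; LockCount = 2; Server = 'server1' }
    [pscustomobject]@{ Id = 102; itemPath = 'D:\Home\jbloggs\notes\data\names.NSF'; UserName = 'jbloggs'; LockCount = 1; Server = 'server1' }
    [pscustomobject]@{ Id = 103; itemPath = 'D:\Home\asmith\notes\data\mail.nsf';   UserName = 'asmith';  LockCount = 3; Server = 'server2' }
    [pscustomobject]@{ Id = 104; itemPath = 'D:\Home\asmith\Documents\budget.xlsx'; UserName = 'asmith';  LockCount = 0; Server = 'server2' }
    [pscustomobject]@{ Id = 105; itemPath = 'D:\Home\asmith\Documents';             UserName = 'asmith';  LockCount = 0; Server = 'server2' }
)

$sample | Get-OpenFileSummary | Format-Table -AutoSize
```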
Announcing ThinKiosk 3.1
With great pleasure I’m announcing the general availability of ThinKiosk 3.1. Quite a bit of change under the hood and some nice features added to match.
New features:
VMware View enhanced support:
VMware View has gotten some love in this update, A big thanks to Jarian Gibson for the help.
You can now enforce end of session options for VMware View:

You can also now choose to wipe the last users details from the Kiosk between View sessions:
FTP policy management:
With ThinKiosk 3.1, you are no longer tied to managing the ThinKiosk devices by Group Policy or local registry settings; you can now also use an FTP server with a shared XML configuration file:

Just configure a device as you would like it to appear, unlock the admin menu and you can export the configuration to XML:

Then move it to your FTP server!
Encryption:
The unlock password in group policy can now be encrypted to save it appearing in plain text to anyone capable of viewing the policy. ThinKiosk 3.1 ships with a password encryption tool you can use to encrypt your password.

You can also test reversing the password to plain text to make sure you get it right before applying it en masse and locking yourself out!
This encryption functionality has now been added to both the offline configuration tool:

And by default the FTP password will be encrypted too!
ThinKiosk is now aware of batteries in laptop devices and will report their status.
When the battery begins to run out, ThinKiosk will throw a warning in the foreground as below:
You can additionally disable this functionality with the offline configuration tool.
Pre launch Citrix Receiver:
A rare issue seen with the latest versions of the receiver was a bit of a hang, pause or complete lock up as receiver came to life. To combat this, you can now choose to early launch the receiver for Citrix, allowing it to gracefully start up in the background before the user requires it.
Early launch process:
A number of customers needed to have third party software launched as soon as ThinKiosk started each day. I’ve now added the ability to early launch a process.
You can also choose to launch this process as hidden, away from the user.
ThinKiosk can now act as a locked down browser by adding back and forward buttons.
AM / PM clock:
This feature was asked for quite a few times, so now you can set the clock to 12 hour.
Debug Mode:

A fully fledged debug window has been added to help timing issues. The debug menu can be accessed via command line (-debug) or via the admin menu in ThinKiosk.
Zorder awareness:
In rare situations (and I’ve been unable to reproduce it) ThinKiosk can jump above the Citrix session when a log off of the web interface happens or during the login process.
Zorder awareness will tell ThinKiosk to send itself to the back of the Zorder when the browser finishes rendering. It will also display a hide button, which will send ThinKiosk to the back in this rare event.

Please use this setting as a troubleshooting tool, not a production setting. If this setting fixes the issue for you, please drop me an email and I’ll write it in. As I’ve been unable to reproduce this issue, it’s a bit rough around the edges.
Citrix Storefront timeout screen:

ThinKiosk is now aware of the timeout screen and will automagically redirect back to the login screen if it sees it.
Hide ThinKiosk when a desktop is active:
If you wish to outright hide ThinKiosk while a desktop is active, you can now do so!

Even More sites:
Support for up to 20 sites has been added, thanks Martijn!
Sticky Home Page:

A request came through to allow the home page to always be site 1; this has now been included.
Bug Fixes:
- Support for environment variables in custom tools and prelaunch commands. (thanks Nathan).
- Offline config tool not setting password correctly.
- VB Powerpack accidentally bundled with ThinKiosk 3.0
- In process launch mode, power options were intermittently being applied.
And it’s still free!
ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings it’s made for you, please consider making a donation or paying for enterprise support to help me keep this project alive… I would really appreciate it as it will allow me to invest in better development tools to make the product look and feel even better!


Battery Awareness:



