This really inst a huge issue to most environments, as users will probably want to enumerate their printers at one stage or another. But in a RES Workspace manager environment, RES provide a much better interface for printer management which really defunct’s and eliminates the need for the windows method.

The culprit can be seen below:

This problem for me, all stems from the “NoSetFolders” chestnut, anyone who’s tried to lock down a Terminal services environment from Windows Server 2000 onwards will be aware that this “handy” group policy removes the users ability to use [Windows Key] and [E] to open explorer. This issue still isn’t fixed in 2008 R2 and I’m beginning to think Microsoft just wont fix it. Hey no big deal right? Yes, quite a big deal if you ask pedantic users.

Anyway, I digress. Once you remove the NoSetFolders key, the user has the ability to see the devices and printers as below on the start menu, hence my situation.

To remove this folder view for all users, its time to hack the registry!

The Class ID belonging to this start menu item can be found here:

HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

This dastardly key also has a 32bit relation that can be found here:

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

As with my previous post about removing screen resolution and personalise, its just a matter of removing the users ability to see this registry key.

So below you will find the steps to take to remove this item:

1. Take a backup of this key, you’ll thank me if you get it wrong!
2. Browse down to HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
3. right click this key, choose permissions, click advanced then owner
4. Select administrators from the list, then choose “Apply”.
5. browse to the permissions tab and remove the “users” group. (you may need to remove inheritance)
6. Click “apply”, then “ok”.
7. Repeat step 2 to 6 on HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
8. Tada! go grab a coffee to celebrate your domination over the windows operating system.

And that’s it, even if the user tries to view the option theres a blank place on the start menu where devices and printers should be. Check back next week and I’ll show you how to replace this shell icon with PowerPrint from RES software.

PS: You can also quite easily script this, Remko provided me with a great script that I’ve modified below to suit this purpose.

## #############################################################################
## 	Restrict certain Explorer items via registry key.
## #############################################################################
if (!(get-psdrive hkcr -ea 0)){New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | out-null}

 function get-elevatedprivileges{
$definition = @"
    using System;
    using System.Runtime.InteropServices;

    namespace Win32Api
    {

       public class NtDll
       {
          [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
          public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
       }
    }
"@
    Add-Type -TypeDefinition $definition -PassThru | out-null

    $bEnabled = $false

    # Enable SeTakeOwnershipPrivilege
    $res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)
}

function take-ownership{
    param(
        [Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
        [string]$regkey)
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($regkey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
    $acl = $key.GetAccessControl()
    $acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")

    #taking ownership first
    $key.SetAccessControl($acl)

    #my bit - give admin full access
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators","FullControl","allow")
    $acl.addaccessrule($rule)
    $key.SetAccessControl($acl)
    #end bit

}#end ownership function.

function remove-useracl{
     param(
        [Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
        [string]$regkey)
    write-host "$regkey"
    $acl = Get-Acl $regkey
    foreach ($rule in $acl.access){if ($rule.identityreference -eq "BUILTIN\Users"){$acl.RemoveAccessRuleSpecific($rule)}}
    set-acl $regkey -AclObject $acl
}#end acl function.

#define keys to be restricted
$keys=@("CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}", # printers and devices
"Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}" # 32bit Printers and devices
)

#elevate priviledges

get-elevatedprivileges

#restrict each key
foreach ($key in $keys){
    if (test-path "hkcr:\$key"){
        take-ownership -regkey $key
        remove-useracl -regkey "hkcr:\$key"
    }
}

All the information on how to use the module is included in the previous post, so I wont re-invent the wheel. Have a read of the previous post for any caveats or pre-emptive misunderstandings.

Below are two code snippets to use OU membership with either the Quest or Microsoft cmdlets for active directory, just modify the OU Path below, I’ve tried to include a long example to ensure there’s no confusion.

 Quest Active directory Snap-in:

#Quest Active directory module
import-module "C:\citrix.edgesight.cmdlets.psm1"
add-pssnapin Quest.ActiveRoles.ADManagement
$ADOU='domain.domain.com/Country/Users/advanced/Helpdesk'
$esgroupid=20

#clear the group before import
clear-esgroupmembers -groupid $esgroupid

#get users from group, then import them into edgesight
foreach ($user in get-QADUser -SearchRoot $ADOU -SizeLimit 0){
    $prid = get-ESUserPrid $user.logonname
    if ($prid -NE $null){
    Add-ESGroupMember -groupid $ESgroupid -prid $prid
    }
}#end For

Microsoft Active directory module:

#Microsoft active directory module
import-module "C:\citrix.edgesight.cmdlets.psm1"
import-module activedirectory
$ADOU="OU=helpdesk,OU=advanced,OU=Users,OU=Country,DC=domain,DC=domain,DC=com"
$esgroupid=20

#clear the group before import
clear-esgroupmembers -groupid $esgroupid

#get users from group, then import them into edgesight
foreach ($user in get-ADUser -filter * -searchbase $ADOU){
    $prid = get-ESUserPrid $user.samaccountname
    if ($prid -NE $null){
        Add-ESGroupMember -groupid $ESgroupid -prid $prid
    }
}#end For

This script is fairly “Niché” so I’ve not included my usual list of options and explanations, feel free to request more detail if needed.

This script will pull alot of useful information of the device, from mac address to firmware id and return a full table of contents from your Universal Management Server. as below:

This script only supports trusted connections, so the account you run the script as needs access to the database. If you need to configure non trusted connections, have a look at my Edgesight or SQL backup scripts for inspiration.

The only options you need to configure are the SQL servername and database name, these can be found at the start of the script as below:

The script itself can be found after the jump:

$SQLServer = "servername"
$SQLDatabase = "rmlogin"

$SQLTrustedConnection=$true
$SQLConn = New-Object System.Data.SQLClient.SQLConnection
$SQLConn.ConnectionString = "Server=$SQLServer; Database=$SQLDatabase; Trusted_Connection=True"

if ($SQLserver -eq ""){write-warning "The SQL Server variable must be defined, Closing without fully loading module, please ensure you've defined this entry and try import this module again.";break}
if ($SQLDatabase -eq ""){write-warning "The SQL Database variable must be defined, Closing without fully loading module, please ensure you've defined this entry and try import this module again.";break}
write-host "Attempting to connect to the EdgeSight Database: " -nonewline -foregroundcolor yellow
try {$SQLConn.Open()}
catch {
write-host "Failed!" -foregroundcolor Red
Write-warning "An exception was caught while attempting to open the SQL connection, please confirm the login details are correct and attempt to Re-Import this module."
Break}
write-host "Success!" -foregroundcolor Green
$sqlconn.close()

function get-thinclients{

    if ($SQLconn.state -ne "Open"){
        $SQLConn.Open()}

    $SQLCmd = New-Object System.Data.SQLClient.SQLCommand
    $SQLCmd.CommandText ="SELECT s.tcname,s.macaddress,s.site,s.tccomment,s.lastknownip,p.devicetype,s.Productid,p.ostype,p.cpu_speed,p.cpu_type,p.flashsize,p.memorysize,p.graphicschipset0,f.modelname,f.version
				FROM rmlogin.ADDITIONAL_SYSTEM_INFORMATION AS p
                INNER JOIN rmlogin.THINCLIENT AS s ON s.macaddress = p.mac
                INNER JOIN rmlogin.firmware as f on s.firmwareid = f.firmwareid"
    $SQLCmd.Connection = $SQLConn
    $SQLAdapter = New-Object System.Data.SQLClient.SQLDataAdapter
    $SQLAdapter.SelectCommand = $SQLCmd
    $DataSet = New-Object System.Data.DataSet
    $SQLAdapter.Fill($DataSet) | out-null
    $dataset.tables[0] | % {$members+=@($_)}
    $SQLconn.close()
    return $members
}

While working in a XenApp 6 proof of concept I came accross this little feature and decided its time to share it!

When a user right clicks on the desktop, by default they get access to commands to manipulate the appearance of the desktop. As I restricted access to the control panel, the two options below were generating errors in the users sessions:

The error generated is your standard group policy restrictions error message as below:

While digging into this further I found the following registry key that corresponds to the two prompts we see above.

HKEY_CLASSES_ROOT\DesktopBackground

Under this key, you can see both entries that appear on the shell extension menu;

The problem with this key is, its owned by the TrustedInstaller account, and by default administrators cannot modify it. To modify this  key and hide this menu from users (but maintain it for administators) please follow the below steps.

Please note, any hotfixes from microsoft may remove your hard work, so be prepared to redo this work if Microsoft decide to work with this key in future.

1. Take a backup of this key, you’ll thank me if you get it wrong!
2. Browse down to desktopbackground\shell\display
3. right click this key, choose permissions, click advanced then owner
4. Select administrators from the list, then choose “Apply”.
5. browse to the permissions tab and remove the “users” group.
6. Click “apply”, then “ok”.
7. The “screen resolution” menu should now disappear from any current and future sessions.
8. Repeat step 2 to 8 on DesktopBackground\Shell\Personalize.
9. Tada! go grab a coffee to celebrate your domination over the windows operating system.

And that’s it, you should now have a lean, clean and  error free shell extension menu when right clicking on the desktop.

Pedantic, begrudging scripters note:

Now if you’re a pedantic scripting so and so like me, you wont be satisfied to leave this job as a manual task. And despite spending more time than I’d like to admit, I couldn’t perform this work in powershell despite what I tried. Luckily the task was extremely easy to do with Helge Klein‘s setacl program.

Below is an example of a script to achieve this:

setacl.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn setprot -op dacl:p_nc;sacl:p_nc -rec yes

SetACL.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn ace -ace “n:system;p:read” -ace “n:administrators;p:read” -actn clear -clr “dacl,sacl” -actn rstchldrn -rst “dacl,sacl” -rec yes

I immediately jumped to the registry HKEY_LOCAL_MACHINE\Cluster\Resources and found the resource by guid of my misbehaving file cluster. I could see all the shares missing were still published as resources as below:

Upon reviewing the event logs, each time the cluster was failed over, each missing share was logging the following event:

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: xx/xx/xxxx 08:00:27
Event ID: 1068
Task Category: File Server Resource
Level: Warning
Keywords:
User: SYSTEM
Computer: XXXXXXXXXXX.Domain.com
Description:
Cluster file share resource 'File Server FileServer' cannot be brought online. Creation of file share 'Vedeni' (scoped to network name Fileserver) failed due to error '5'. This operation will be automatically retried.

Upon reviewing the share permissions, an over zealous administrator had trimmed the NTFS permissions, removing the local system account. Upon each cluster resource coming online, the cluster uses the local system account to enumerate the shares and present them. Remove this account and your shares wont come online!

This  account doesnt need to be on every folder, just each folder a share is based on. E.g. if you share d:\share\finance as \\server\finance, only the finance folder needs access granted to the system account.

To resolve, configure the system account to have access to the folder on “this folder only” then restart the file server resource. The resource will come on-line and your shares will be available again!

I recently needed to audit the version of adobe flash on the machines a script was running. This code was originally written for visual studio but translates well to powershell.

to retrieve the version of adobe flash on the local machine, use get-adobeflashversion. The code for the get-adobeflashversion can be found below:

function get-adobeflashversion{
    try{
        $flashobject = new-object -ComObject "shockwaveflash.shockwaveflash"
        $version=(($flashobject.getvariable("`$version")).replace(",",".")).trimstart("WIN ")
    }
    Catch{
        write-warning "Could not create Com Object, are you sure Adobe Flash is installed?"
    }
    return $version
}

This module should be used before using my xenapp 6 backup, reset and restore commands or Edgesight scripts. You can get a copy of it here.

To import the module, run the below command (assuming you have saved the module to c:\).

import-module c:\sql.backup.psm1

Module functions:

• Backup-SQLdatabase
• Restore-SQLdatabase

Backup-SQLdatabase

This module allows you to connect to an SQL server and use native SQL commands to perform the backup to a file from pretty much any windows machine with powershell installed.

This module supports trusted and untrusted connections and has built in error checking to catch typical problems and returns a job report as an object. The module will first try to connect and ensure you have the neccessary access rights, attempt to create the backup file, and assuming all has gone well then perform the task at hand:

Backup-SQLdatabase -SQLServer "sqlserver" -SQLDatabase "database" -Path "\\server\share$\backup.bak" -SQLTrustedConnection

(Private information ommitted)

Restore-SQLDatabase

This module allows you to connect to an SQL server and use native SQL commands to perform a restore from a file from pretty much any windows machine with powershell installed.

This module supports trusted and untrusted connections and has built in error checking to catch typical problems and returns a job report as an object. The module will first try to connect and ensure you have the neccessary access rights, attempt to locate the backup file, set the sql database to single user mode and assuming all has gone well then perform the task at hand.

restore-SQLdatabase -SQLServer "sqlserver" -SQLDatabase "database" -Path "\\server\share$\backup.bak" -SQLTrustedConnection

(Private information ommitted)

If for any reason, the restore doesn’t work correctly the function will take the corrective action of setting the database back to multi-user.

A full copy of the module to be viewed can be found after the jump below:

<#
    Author: Andrew Morgan (@andyjmorgan on Twitter, http://www.andrewmorgan.ie)
    Allows backup of sql servers to disk and restoration
    Version: 1.0
    Any comments/ feedback welcome, ping me on twitter, drop me a comment on the blog or via e-mail (andrew at andrewmorgan dot ie)
#>

Function Backup-SQLdatabase{
    <#
        .SYNOPSIS
            Backs up an sql database to local or remote disk.

        .DESCRIPTION
            This script will perform a full backup of the specified database and save it to a local or network disk.

        .PARAMETER  SQLServer
            Specifies the sqlserver or instance name you wish to connect to and backup.

        .PARAMETER SQLDatabase
            Specifies the Database name you wish to connect to and backup.

        .PARAMETER Path
            Specifies the path to which you wish to backup the database, it can be the local disk on the sql server or network share.

        .PARAMETER TrustedConnection
            Specifies to the function that you wish to connect via your current credentials.

        .PARAMETER SQLusername
            Specifies the username you wish to use to connect to the SQL server. Use this when you dont wish to use a trusted connection.

         .PARAMETER SQLpassword
            Specifies the password you wish to use to connect to the SQL server. Use this when you dont wish to use a trusted connection.

        .EXAMPLE
            PS C:\> Backup-SQLdatabase -SQLServer "sqlserver" -SQLDatabase "database" -Path "\\server\share$\backup.bak" -SQLTrustedConnection

            This command backs up the database "database" on sql server "sqlserver" to the specified path using the local credentials.

        .EXAMPLE
            PS C:\> Backup-SQLdatabase -SQLServer "sqlserver" -SQLDatabase "database" -Path "\\server\share$\backup.bak" -SQLusername "user" -sqlpassword "password"

            This command backs up the database "database" on sql server "sqlserver" to the specified path using the account name user and password of password.

        .INPUTS
            Switch

        .OUTPUTS
            Results

        .NOTES
             http://www.andrewmorgan.ie for support information.

        .LINK
            http://www.andrewmorgan.ie for more information
            backup-sqldatabase
            restore-sqldatabase
    #>

    param(
        [Parameter(Mandatory=$true)]
        [string]$SQLServer,
        [Parameter(Mandatory=$true)]
        [string]$SQLDatabase,
        [parameter(Mandatory=$true)]
        [string]$Path,
        [switch]$TrustedConnection,
        [string]$SQLusername,
        [string]$SQLpassword
    )

    ## Performing error checking ##

    if ($path -notlike "*.bak"){
        write-warning "the file extension should be .bak, Closing."
        break}

    if ($TrustedConnection -eq $false){
        if ($SQLUsername -eq ""){
            write-warning "The SQL Username variable must be defined, Closing without fully loading module, please ensure you've defined this entry and try import this module again."
            break}

        if ($SQLPassword -eq ""){
            write-warning "The SQL Password variable must be defined, Closing without fully loading module, please ensure you've defined this entry and try import this module again."
            break}
    }

    new-item $path -itemtype File -ErrorAction SilentlyContinue | OUT-NULL
    if (!(test-path $path)){
        write-warning "Could not create the backup file, closing"
        break
    }

    $SQLConn = New-Object System.Data.SQLClient.SQLConnection

    #checks for a trusted SQL connection
    if ($TrustedConnection -eq $false){
        #Using an SQL account for login
        $SQLConn.ConnectionString = "Server=$SQLServer; user id=$SQLusername ; Password=$SQLpassword; Trusted_Connection=False"}
    Else {
        #Using a trusted connection
        $SQLConn.ConnectionString = "Server=$SQLServer; Trusted_Connection=True"
    }

## Trying a connection and capture a failure ##

    write-host "Attempting to connect to the Specified SQL server: " -nonewline -foregroundcolor yellow
    try {
        $SQLConn.Open()
        write-host "Success" -foregroundcolor Green
    }
    catch {
        write-host "Failed!" -foregroundcolor Red
        Write-warning "An exception was caught while attempting to open the SQL connection, please confirm the login details are correct and try again."
        Break
    }

    $SQLCmd = New-Object System.Data.SQLClient.SQLCommand
    $SQLcmd = $SQLconn.CreateCommand()
    $sqlcmd.commandtimeout=0
    $SQLcmd.CommandText="BACKUP DATABASE $sqldatabase TO DISK = '$path' WITH INIT"
    $starttime = Get-date
    try{
            $SQLcmd.Executenonquery() | out-null
            $backupsize=[math]::round((Get-ItemProperty $path).LENGTH / 1048576,0)
            $result="Success"
        }
    catch{
            $result="Failed"
            write-warning "An Exception was caught while backing up the database!"
            write-warning "$_"
        }
    finally{

            $timetaken=[math]::round(((get-date) - $starttime).totalseconds,0)
            $SQLconn.close()
            $report=new-object PSObject -Property @{
                SQLServer=$SQLserver;
                Database=$sqlDatabase;
                Result=$result;
                Timetaken="$timetaken Seconds";
                BackupSize="$backupsize MB";
                BackupFile=$path
            }
        }
        return $report

}

Function Restore-SQLdatabase{
    <#
        .SYNOPSIS
            Restore an sql database from local or remote disk.

        .DESCRIPTION
            This script will perform a full restore of the specified database from a local or network disk.

        .PARAMETER  SQLServer
            Specifies the sqlserver or instance name you wish to connect to and restore.

        .PARAMETER SQLDatabase
            Specifies the Database name you wish to connect to and restore.

        .PARAMETER Path
            Specifies the path to which you wish to restore the database from, it can be the local disk on the sql server or network share.

        .PARAMETER TrustedConnection
            Specifies to the function that you wish to connect via your current credentials.

        .PARAMETER SQLusername
            Specifies the username you wish to use to connect to the SQL server. Use this when you dont wish to use a trusted connection.

         .PARAMETER SQLpassword
            Specifies the password you wish to use to connect to the SQL server. Use this when you dont wish to use a trusted connection.

        .EXAMPLE
            PS C:\> restore-SQLdatabase -SQLServer "sqlserver" -SQLDatabase "database" -Path "\\server\share$\backup.bak" -SQLTrustedConnection

            This command restores the database "database" on sql server "sqlserver" from the specified path using the local credentials.

        .EXAMPLE
            PS C:\> restore-SQLdatabase -SQLServer "sqlserver" -SQLDatabase "database" -Path "\\server\share$\backup.bak" -SQLusername "user" -sqlpassword "password"

            This command restores the database "database" on sql server "sqlserver" from the specified path using the account name user and password of password.

        .INPUTS
            Switch

        .OUTPUTS
            Results

        .NOTES
             http://www.andrewmorgan.ie for support information.

        .LINK
            http://www.andrewmorgan.ie for more information
            backup-sqldatabase
            restore-sqldatabase
    #>
    param(
        [Parameter(Mandatory=$true)]
        [string]$SQLServer,
        [Parameter(Mandatory=$true)]
        [string]$SQLDatabase,
        [parameter(Mandatory=$true)]
        [string]$Path,
        [switch]$TrustedConnection,
        [string]$SQLusername,
        [string]$SQLpassword
    )

    ## Performing error checking ##

    if ($path -notlike "*.bak"){
        write-warning "the file extension should be .bak"
        break}

    if ($TrustedConnection -eq $false){
        if ($SQLUsername -eq ""){
            write-warning "The SQL Username variable must be defined, Closing without fully loading module, please ensure you've defined this entry and try import this module again."
            break}

        if ($SQLPassword -eq ""){
            write-warning "The SQL Password variable must be defined, Closing without fully loading module, please ensure you've defined this entry and try import this module again."
            break}
    }

    if (!(test-path $path)){
        write-warning "Could not find the backup file, closing"
        break
    }

    $SQLConn = New-Object System.Data.SQLClient.SQLConnection

    #checks for a trusted SQL connection
    if ($TrustedConnection -eq $false){
        #Using an SQL account for login
        $SQLConn.ConnectionString = "Server=$SQLServer; user id=$SQLusername ; Password=$SQLpassword; Trusted_Connection=False"}
    Else {
        #Using a trusted connection
        $SQLConn.ConnectionString = "Server=$SQLServer; Trusted_Connection=True"
    }

## Trying a connection and capture a failure ##

    write-host "Attempting to connect to the Specified SQL server: " -nonewline -foregroundcolor yellow
    try {
        $SQLConn.Open()
        write-host "Success" -foregroundcolor Green
    }
    catch {
        write-host "Failed!" -foregroundcolor Red
        Write-warning "An exception was caught while attempting to open the SQL connection, please confirm the login details are correct and try again."
        Break
    }

    $SQLCmd = New-Object System.Data.SQLClient.SQLCommand
    $SQLcmd = $SQLconn.CreateCommand()
    $sqlcmd.commandtimeout=0
    $SQLcmd.CommandText="ALTER DATABASE $SQLDatabase
                        SET SINGLE_USER WITH
                        ROLLBACK IMMEDIATE
                        RESTORE DATABASE $SQLDatabase
                        FROM DISK = '$path'
                        WITH REPLACE"
    $starttime = Get-date
    try{
            $SQLcmd.Executenonquery() | out-null
            $result="Success"
        }
    catch{
            write-warning "An Exception was caught while restoring the database!"
            write-warning "$_"
            write-warning "attempting to recover the database"
            $SQLcmd.CommandText="ALTER DATABASE $SQLDatabase SET MULTI_USER"
            $SQLcmd.Executenonquery() | out-null
            $result="Failed"
        }
    finally{
            $SQLconn.close()
            $timetaken=[math]::round(((get-date) - $starttime).totalseconds,0)
            $report=new-object PSObject -Property @{
                SQLServer=$SQLserver;
                Database=$sqlDatabase;
                Result=$result;
                Timetaken="$timetaken Seconds";
            }

    }
    Return $Report

}

The script is fairly self explanatory but quite scary if you get it wrong, for that reason I’ve included the -whatif parameter to show you what will happen if you overzealously just copy and paste the code. Once you are happy it works, remove the whatif parameters.

This script relies on the powershell module for active directory, you can see if its installed as below:

I’m also aware this code is quite inefficient by searching twice, but it was the cleanest appearance I could muster to ensure the end user understands what is happening.

#Load the required Snapins
if (!(import-module "activedirectory" -ea 0)) {
	    Write-Host "Loading active directory module." -ForegroundColor Yellow
	    import-module "activedirectory" -ea Stop
}#endif

#users
foreach ($user in search-adaccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00){
    move-adobject -identity $user.DistinguishedName -targetpath "OU=Old Users,DC=some,DC=domain,dc=net" -whatif
}

#computers
foreach ($computer in search-adaccount -Computersonly -AccountInactive -TimeSpan 90.00:00:00){
    move-adobject -identity $computer.DistinguishedName -targetpath "OU=Old Computers,DC=some,DC=domain,dc=net" -whatif
}

I set about recently to load balance app-v lightweight streaming servers traffic across Netscalers. I found this task a little more tricky than I had hoped and decided it would be useful to break this task down to its most basic steps and publish this to help anyone else who needs to do this in future.

Despite great articles on Technet and hakabo.com, the sooner doesn’t have any fault tolerance for RTSP specific issues and focuses on the command line, which many administrators morbidly fear on the Netscaler. The later is geared at management servers which have slightly different requirements to LWS servers, the monitor recommended utilises commands which the LWS server does not support. Which results in downstate App-V servers at all times.

So below you will find an idiot proof guide (tested by this idiot) to marry two of my favourite pieces of technology into a kick ass solution.

What you will need:

• Netscalers!
• at least 2 App-V Light Weight streaming servers!
• One netscaler Virtual IP address to load balance the traffic
• About 30 minutes of time (including testing).

1: To start, take a note of the ip addresses currently configured on your App-V LWS servers.

2: Log into your wonderful netscalers.

First up, we’ll configure the monitor. This monitor will poll your App-V servers and ensure they are up and working.

3: From the configuration page, select Load Balancing > Monitors > Add:

4: Name the monitor something specific and easily identifed, then configure the below options:

• type = RTSP
• Interval =20
• Destination port = 554

5: Click the Special Parameters tab, Then set the below values:

• RTSP Request = Options *
• Response Codes: 401

(yes yes, 401 is an error response, but the LWS server has to be actively accepting connections to throw this error)

6: Once finished, hit Create:

And that’s it, monitor configured!

Next, we’ll create a service group, this service group is a logical collection of our App-V servers. Here we will configure the ports and monitoring configuration to catch outages.

7: Browse to Load Balancing > Service Groups, then choose Add:

8: Name the Service group something specific and easily identifed, then define the following options:

• Protocol = Any

9: Enter each IP address of the App-V server, ensure to choose * as the port and click Add. Repeat this step for each subsequent App-V server.

10: Once you’ve entered all your IP addresses, it should look as below: (ip addresses omitted)

11: Now flick to the Monitors tab and select the service group we created earlier:

12: Once finished, save your changes, the service group is done.

We’re on the home straight, now we’ll tie it all to a virtual IP and configure the load balancing specific settings:

13: Now to the Virtual server, browse to Load Balancing > Virtual Servers > Add.

14: Name the Virtual Server something specific and easily identifed, then define the following options:

• Protocol = Any
• IP address = the virtual ip address to be hosted by the netscaler.
• Port = *

15: Flick to the Service Groups tab, then select the service group we just created:

16: Flick to the Method and Persistence tab, then configure the following options:

• Method = Least connection
• Persistence = Source IP
• ipv4 Netmask = 255.255.255.255

17: Now flick to the Advanced tab, then configure the following options:

• Redirection mode = IP Based

Thats it, we’re done! time to test.

18: Open up a telnet client, and attempt to telnet to the newly configured virtual server:

19: If all has gone to plan, the window should empty its contents and appear as below:

20: Now go celebrate your success and genius. If for some reason it has not worked, feel free to drop a comment and I’ll see what I can assist you with.

To alleviate the issue, I added a simple shell extension to perform unattended installs of each of the msi’s:

I’ve made the registry file available here for download should you also be stuck with this task at some point.

The registry file is very simple as you can see below: