Posts tagged Windows XPe

Windows XP(e) refusing to connect to a terminal server

Jul 23rd

Posted by Christian in Life

Today a error message reappeared I thought I wouldn’t see again. We use Wyse Thin Clients and 2X running on two terminal servers, to provide the thin clients with applications. Now, once a while one of the thin clients (not all at once, just a single one) refuse to connect to the terminal server jabbing about this:

The remote computer disconnected the session because of an error in the licensing protocol.

The error message you get from the 2X client ain’t the slightest bit more helpful.

Die Remote-Sitzung wurde unterbrochen, da kein Terminalserver-Lizenz Server zur Bereitstellung einer Lizenz verfügbar ist.

I remember the solution being not so trivial with the thin clients. As it turns out, Microsoft does have a solution for that kind of problem.

Simply” open up the registry, and clean out HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing. That is the place where the remote desktop client saves the obtained terminal server licensing key.

,
New permissions on HKEY_CURRENT_USER

GPO (behind the scenes)

Jun 5th

Posted by Christian in Life

Well, to begin with we had this really weird problem that the thin clients as well as the terminal server would only load user based group policy if you are a member of the group of local administrators. While that’s ok for the thin clients (users can’t actually change something unless they log in as “Administrator” – don’t ask me why), it’s a real no-no on the terminal server.

We tried redoing *everything* (that is, starting with the domain, then terminal server and after that the thin clients) and yet nothing changed, it didn’t work either. That’s what I’ve been doing the last 2 weeks. Up till now, I always thought a user would have access to the ntuser.dat (that is HKEY_CURRENT_USER), if his NTFS permissions would be correct. But nooooooooooooooooooooo, Microsoft had to introduce another layer of permissions.

Old permissions on HKEY_CURRENT_USER

Old permissions on HKEY_CURRENT_USER

Once you change it to be proper (as in remove the dead user entry and add a group that actually gets you somewhere), it’s all starting to work!

New permissions on HKEY_CURRENT_USER

New permissions on HKEY_CURRENT_USER

, ,

Windows XP Embedded, Windows Server 2003 and GPO settings (the solution)

Jun 4th

Posted by Christian in Life

OK, so about an hour (yeah, yeah; I know .. I shouldn’t be working at that time, but it really gave me sleepless nights) ago, I finally figured out why the hell both my Windows XP Embedded thin clients as well as my Windows Server 2003 systems where showing this real *weird* behaviour when applying group policies, or more precise the user based configuration of a group policy.

The inspiration came to me after reading this and taking a look at regedit myself, where I noticed the entry “Permissions” for the first time ever since I’m using regedit. I also noticed, that the regedit permissions seem to be using the same groups, one would assign to NTFS resources.

That said, it really all boils down to the ntuser.dat (which *IS* HKEY_CURRENT_USER). As I created the profile with a different user than I am using it with (basically, I want ~12.000 users to use this one profile), I needed to change the permissions *INSIDE* regedit to include a group containing all these users. After that, any user could again merge the settings from ntuser.pol into HKEY_CURRENT_USER\Software\Policies, which in return gives you the joy of your fucking policies working again.

TADAAAAAA! About two weeks worth of work spent for such a shitty thing, and noticing it when you’re off work — priceless!

, , , ,

Windows XP Embedded and GPO settings (continued)

May 26th

Posted by Christian in Life

2 comments

Well, as I said in my previous post, I do have some weird things happening. Apparently adding the domain user to the local group “Administrators” makes everything just works fine, yet he can’t do administrator like stuff (like turning off the write protection, changing local user accounts, …).

Also, if you’re looking for a smart way of how to add a certain global group (as in Active Directory group) to a local group, try this:

NET LOCALGROUP Administrators /ADD DOMAIN\GROUPNAME

That simple, doesn’t even need the usual credentials to lookup the object, it apparently bypassed that step *shrug*.

And yet another weird thing is: if I run a certain command from a deployment script, it gives me different result as a manual execution of said script would give me .. *shrug*

NETDOM JOIN %COMPUTERNAME% /domain:barfoo.org \
  /OU:"OU=Thinclients,OU=Computers,DC=barfoo,DC=org" \
  /UserD:%ADMIN% /PasswordD:somepass \
  /User0: Administrator /Password0:Administrator

NET LOCALGROUP Administrators /ADD BARFOO\Domain-Users

If I put that into a rsp (that is Wyse Device Manager script), it ain’t working. Would I be executing it myself without the WDM, everything works like a charm … *yuck*

, , ,

Windows XP Embedded and GPO settings

May 19th

Posted by Christian in Life

3 comments

We’re currently having a weird issue (which we had before); the Windows XP Embedded powering our Wyse V90′s isn’t applying any GPO settings if you log on with a user that has a configured profile.

Googling (is that a valid word yet ?!) for it, only resulted in one useful link, which is apparently a guy with the exact same problem … *shrug* I’m completely out of ideas by now, as I don’t even have a place to start (as in where the reason might be located).

Well, I do have a place to start with (that’s the local Events Viewer), which indeed lists some errors, but only such errors which ain’t making any sense. For example I see this:

  • Userenv:1086 – “Windows cannot do loopback processing for downlevel or local users. Loopback processing will be disabled.
  • SceCli:1704 – “Security policy in the Group policy objects has been applied successfully.
  • Userenv:1085 – “The Group Policy client-side extension Folder Redirection failed to execute. Please look for any errors reported earlier by that extension.
, , ,
12»