RE: [ActiveDir] TS GPO and Citrix Settings
It won't change the settings back unless they are set under the policy -- the settings you want to change aren't actually controlled by policy, are they? If so, the best option would be a separate policy to reverse the settings, as Alan suggested.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] TS GPO and Citrix Settings

Hi Ryan,

The greying out of the settings is a "good thing". Basically any well-designed program that provides a user interface to a registry setting should grey out settings that are managed via the Policy key. This is really saying "This setting is set via policy. Don't fiddle with it". When it used to be ungreyed, I would have thought you still would have had a problem, since next time policies applied it would set it back anyway.

While you could temporarily change it as Derek suggests, I presume you want to permanently fix it. As you suggested, you can block inheritance for the OU, but this is not nice since it blocks all policies (except those with No Override) from flowing to that OU. Your other options are another policy connected to the OU that reverses the policy setting, or creating a group of all your CITRIX machines and putting the group in the DENY list for the policy.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message -
From: Derek Harris
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 11, 2005 6:05 AM
Subject: RE: [ActiveDir] TS GPO and Citrix Settings

If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it’s probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc…) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings. This itself would not be an issue, however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings which presents a problem.

So aside from blocking policy inheritance on the OUs where there are terminal servers does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K. Hopefully I’ve explained well enough.

Thanks in advance,
Ryan

Re: [ActiveDir] TS GPO and Citrix Settings
Hi Ryan,

The greying out of the settings is a "good thing". Basically any well-designed program that provides a user interface to a registry setting should grey out settings that are managed via the Policy key. This is really saying "This setting is set via policy. Don't fiddle with it". When it used to be ungreyed, I would have thought you still would have had a problem, since next time policies applied it would set it back anyway.

While you could temporarily change it as Derek suggests, I presume you want to permanently fix it. As you suggested, you can block inheritance for the OU, but this is not nice since it blocks all policies (except those with No Override) from flowing to that OU. Your other options are another policy connected to the OU that reverses the policy setting, or creating a group of all your CITRIX machines and putting the group in the DENY list for the policy.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message -
From: Derek Harris
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 11, 2005 6:05 AM
Subject: RE: [ActiveDir] TS GPO and Citrix Settings

If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it’s probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc…) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings. This itself would not be an issue, however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings which presents a problem.

So aside from blocking policy inheritance on the OUs where there are terminal servers does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K. Hopefully I’ve explained well enough.

Thanks in advance,
Ryan

RE: [ActiveDir] TS GPO and Citrix Settings
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. Already have tried the deletion but you have to keep on doing it if you want to make changes to Citrix. I was hoping there was a “Disable Secure RDP” registry setting that wouldn’t gray anything out (as in W2K).

-Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Monday, October 10, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TS GPO and Citrix Settings

If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it’s probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc…) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings. This itself would not be an issue, however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings which presents a problem.

So aside from blocking policy inheritance on the OUs where there are terminal servers does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K. Hopefully I’ve explained well enough.

Thanks in advance,
Ryan

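
An added example, not part of the original thread or written by any of its participants: a read-only PowerShell check that lists every value held under the policy key named in the message above, next to the same-named value on the RDP listener, to show which Terminal Services settings the GPO controls and will reapply at the next refresh. The RDP-Tcp listener path, the assumption that locally configured values use the same names there, and the function names are not taken from the thread.

```powershell
# Added example: report which Terminal Services settings are held by Group Policy.
# $policyKey is the key named in the thread. $localKey is an assumption about
# where the locally configured (non-policy) listener values live.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Hypothetical helper: read all named values of one key into a hashtable.
# Returns an empty hashtable when the key does not exist (no policy applied).
function Get-RegistryValueMap {
    param([Parameter(Mandatory)][string]$Path)
    $map = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $map }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        if ($name -ne '') { $map[$name] = $key.GetValue($name) }   # skip (Default)
    }
    return $map
}

# Hypothetical helper: one row per policy-managed value. Nothing is written
# or deleted, so the result is the same before and after a policy refresh.
function Get-TsPolicyReport {
    $policy = Get-RegistryValueMap -Path $policyKey
    $local  = Get-RegistryValueMap -Path $localKey
    foreach ($name in ($policy.Keys | Sort-Object)) {
        $hasLocal = $local.ContainsKey($name)
        [pscustomobject]@{
            Setting     = $name
            PolicyValue = $policy[$name]
            LocalValue  = if ($hasLocal) { $local[$name] } else { '<not set locally>' }
            # Compare as strings so multi-string values do not act as filters.
            Differs     = $hasLocal -and ("$($local[$name])" -ne "$($policy[$name])")
        }
    }
}

$report = @(Get-TsPolicyReport)
if ($report.Count -eq 0) {
    'No values under the Terminal Services policy key; nothing is held by policy.'
} else {
    $report | Format-Table -AutoSize
}
```
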
RE: [ActiveDir] TS GPO and Citrix Settings
If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it’s probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc…) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings. This itself would not be an issue, however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings which presents a problem.

So aside from blocking policy inheritance on the OUs where there are terminal servers does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K. Hopefully I’ve explained well enough.

Thanks in advance,
Ryan