Thursday, August 9, 2012

Group Policy Vs Registry Editor

Found a cool link in MSDN to find out which Microsoft application settings lead to which registry settings and Group Policy settings. Very informative and helpful.

http://gpsearch.azurewebsites.net/default.aspx?ref=1


Enjoy!!!!!

Wednesday, July 25, 2012

Outstanding Issue

Yesterday, I was working on an issue where a user was trying to open an XML document (Excel 2010) file from an application in published IE.

Troubleshooting.

1. Shadowed the user to find out exactly where she was clicking on the icon to open an Excel document.
2. Deleted the user profile and told her to retry, but it did not work.
3. Told her to log off and log on again so that she would hit a different server, but that did not work either.
4. Before clicking on the Connections icon, could you please verify whether the default client is Java or Native Client under Settings?
5. Could you please share your user name and password with me so that I can try to launch PeopleSoft using administrative privileges?
6. I tried with my admin privileges and it worked. So, group policies are obstructing the user from performing her task.
7. Logged in from a UAT desktop, launched published IE, and went into Internet Options > Security > Internet > Custom level.
8. Need to select "Automatic Prompting for Download" as Enabled.

Wednesday, July 4, 2012

iSCSI

iSCSI storage:

iSCSI is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

iSCSI uses TCP (typically TCP ports 860 and 3260). In essence, iSCSI simply allows two hosts to negotiate and then exchange SCSI commands using IP networks. By doing this iSCSI takes a popular high-performance local storage bus and emulates it over wide-area networks, creating a storage area network (SAN). Unlike some SAN protocols, iSCSI requires no dedicated cabling; it can be run over existing IP infrastructure. As a result, iSCSI is often seen as a low-cost alternative to Fibre Channel, which requires dedicated infrastructure except in its FCoE (Fibre Channel over Ethernet) form. However, the performance of an iSCSI SAN deployment can be severely degraded if not operated on a dedicated network or subnet (LAN or VLAN).

Network booting

For general data storage on an already-booted computer, any type of generic network interface may be used to access iSCSI devices. However, a generic consumer-grade network interface is not able to boot a diskless computer from a remote iSCSI data source. Instead it is commonplace for a server to load its initial operating system from a TFTP server or local boot device, and then use iSCSI for data storage once booting from the local device has finished.
A separate DHCP server may be configured to assist interfaces equipped with network boot capability to be able to boot over iSCSI. In this case the network interface looks for a DHCP server offering a PXE or bootp boot image. This is used to kick off the iSCSI remote boot process, using the booting network interface's MAC address to direct the computer to the correct iSCSI boot target.
Most Intel Ethernet controllers for servers support iSCSI boot.[1]

Initiator

An initiator functions as an iSCSI client. An initiator typically serves the same purpose to a computer as a SCSI bus adapter would, except that instead of physically cabling SCSI devices (like hard drives and tape changers), an iSCSI initiator sends SCSI commands over an IP network. An initiator falls into two broad types:

Software initiator

A software initiator uses code to implement iSCSI. Typically, this happens in a kernel-resident device driver that uses the existing network card (NIC) and network stack to emulate SCSI devices for a computer by speaking the iSCSI protocol. Software initiators are available for most popular operating systems and are the most common method of deploying iSCSI.

Hardware initiator

A hardware initiator uses dedicated hardware, typically in combination with software (firmware) running on that hardware, to implement iSCSI. A hardware initiator mitigates the overhead of iSCSI and TCP processing and Ethernet interrupts, and therefore may improve the performance of servers that use iSCSI.

Host Bus Adapter

An iSCSI host bus adapter (more commonly, HBA) implements a hardware initiator. A typical HBA is packaged as a combination of a Gigabit (or 10 Gigabit) Ethernet NIC, some kind of TCP/IP offload engine (TOE) technology and a SCSI bus adapter, which is how it appears to the operating system.
An iSCSI HBA can include PCI option ROM to allow booting from an iSCSI

TCP Offload Engine

A TCP Offload Engine, or "TOE Card", offers an alternative to a full iSCSI HBA. A TOE "offloads" the TCP/IP operations for this particular network interface from the host processor, freeing up CPU cycles for the main host applications. When a TOE is used rather than an HBA, the host processor still has to perform the processing of the iSCSI protocol layer itself, but the CPU overhead for that task is low.
iSCSI HBAs or TOEs are used when the additional performance enhancement justifies the additional expense of using an HBA for iSCSI, rather than using a software-based iSCSI client (initiator).

Target

The iSCSI specification refers to a storage resource located on an iSCSI server (more generally, one of potentially many instances of iSCSI storage nodes running on that server) as a target.
"iSCSI target" should not be confused with the term "iSCSI" as the latter is a protocol and not a storage server instance.
An iSCSI target is often a dedicated network-connected hard disk storage device, but may also be a general-purpose computer, since as with initiators, software to provide an iSCSI target is available for most mainstream operating systems.
Common deployment scenarios for an iSCSI target include:

Storage array

In a data center or enterprise environment, an iSCSI target often resides in a large storage array, such as an EqualLogic, Nimble Storage, Isilon, NetApp filer, EMC NS-series, CX4, VNX, VNXe, VMAX or an HDS HNAS computer appliance. A storage array usually provides distinct iSCSI targets for numerous clients.[2]

Software target

Nearly all modern mainstream server operating systems (such as BSD, Linux, Solaris or Windows Server) can provide iSCSI target functionality, either as a built-in feature or with supplemental software. Some specific-purpose operating systems (such as FreeNAS, Openfiler or OpenMediaVault) implement iSCSI target support.

Logical Unit Number

In SCSI terminology, LUN stands for logical unit number. A LUN represents an individually addressable (logical) SCSI device that is part of a physical SCSI device (target). In an iSCSI environment, LUNs are essentially numbered disk drives. An initiator negotiates with a target to establish connectivity to a LUN; the result is an iSCSI connection that emulates a connection to a SCSI hard disk. Initiators treat iSCSI LUNs the same way as they would a raw SCSI or IDE hard drive; for instance, rather than mounting remote directories as would be done in NFS or CIFS environments, iSCSI systems format and directly manage filesystems on iSCSI LUNs.
In enterprise deployments, LUNs usually represent slices of large RAID disk arrays, often allocated one per client. iSCSI imposes no rules or restrictions on multiple computers sharing individual LUNs; it leaves shared access to a single underlying filesystem as a task for the operating system.

Addressing

Special names refer to both iSCSI initiators and targets. iSCSI provides three name formats:

iSCSI Qualified Name (IQN)

Format: The iSCSI Qualified Name is documented in RFC 3720, with further examples of names in RFC 3721. Briefly, the fields are:
  • literal iqn
  • date (yyyy-mm) that the naming authority took ownership of the domain
  • reversed domain name of the authority (org.alpinelinux, com.example, to.yp.cr)
  • Optional ":" prefixing a storage target name specified by the naming authority.
From the RFC:
                  Naming     String defined by
     Type  Date    Auth      "example.com" naming authority
    +--++-----+ +---------+ +-----------------------------+
    |  ||     | |         | |                             |

    iqn.1992-01.com.example:storage:diskarrays-sn-a8675309
    iqn.1992-01.com.example
    iqn.1992-01.com.example:storage.tape1.sys1.xyz
    iqn.1992-01.com.example:storage.disk2.sys1.xyz
[3]

Extended Unique Identifier (EUI)

Format: eui.{EUI-64 bit address} (e.g. eui.02004567A425678D)

T11 Network Address Authority (NAA)

Format: naa.{NAA 64 or 128 bit identifier} (e.g. naa.52004567BA64678D)

IQN format addresses occur most commonly. They are qualified by a date (yyyy-mm) because domain names can expire or be acquired by another entity.
The IEEE Registration Authority provides EUI in accordance with the EUI-64 standard. NAA is based in part on an OUI, which is provided by the IEEE Registration Authority. NAA name formats were added to iSCSI in RFC 3980, to provide compatibility with naming conventions used in Fibre Channel and Serial Attached SCSI (SAS) storage technologies.
Usually an iSCSI participant can be defined by three or four fields:
  1. Hostname or IP Address (e.g., "iscsi.example.com")
  2. Port Number (e.g., 3260)
  3. iSCSI Name (e.g., the IQN "iqn.2003-01.com.ibm:00.fcd0ab21.shark128")
  4. An optional CHAP Secret (e.g., "secretsarefun")
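
The three name formats above can be checked before a name is accepted into a target's access list. The following validator is an added example, not part of the original post; the function name `parse_iscsi_name` is hypothetical, and rejecting upper-case IQNs (RFC 3720 normalises names to lower case) is a design choice of this sketch.

```python
import re

# iqn.<yyyy-mm>.<reversed domain>[:<name chosen by the naming authority>]
_IQN = re.compile(r"iqn\.(\d{4})-(\d{2})\.((?:[a-z0-9-]+\.)*[a-z0-9-]+)(?::(\S+))?")
_EUI = re.compile(r"eui\.([0-9A-Fa-f]{16})")            # EUI-64 = 16 hex digits
_NAA = re.compile(r"naa\.((?:[0-9A-Fa-f]{16}){1,2})")   # 64- or 128-bit identifier
MAX_NAME_BYTES = 223  # upper bound RFC 3720 places on an iSCSI name


def parse_iscsi_name(name: str) -> dict:
    """Classify and validate an iSCSI name; raise ValueError if malformed."""
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError("iSCSI name exceeds 223 bytes")
    m = _IQN.fullmatch(name)
    if m:
        year, month, authority, target = m.groups()
        if not 1 <= int(month) <= 12:
            raise ValueError(f"invalid month in IQN date: {year}-{month}")
        return {
            "type": "iqn",
            "date": f"{year}-{month}",
            # The authority is stored reversed; flip it back for display.
            "domain": ".".join(reversed(authority.split("."))),
            "target": target,  # None when the optional ':' part is absent
        }
    m = _EUI.fullmatch(name)
    if m:
        return {"type": "eui", "id": m.group(1).upper(), "bits": 64}
    m = _NAA.fullmatch(name)
    if m:
        return {"type": "naa", "id": m.group(1).upper(), "bits": len(m.group(1)) * 4}
    raise ValueError(f"not an iqn./eui./naa. name: {name!r}")


if __name__ == "__main__":
    # Sample names taken from the text above.
    for n in ("iqn.1992-01.com.example:storage:diskarrays-sn-a8675309",
              "iqn.2003-01.com.ibm:00.fcd0ab21.shark128",
              "eui.02004567A425678D", "naa.52004567BA64678D"):
        print(parse_iscsi_name(n))
```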

iSNS

iSCSI initiators can locate appropriate storage resources using the Internet Storage Name Service (iSNS) protocol. In theory, iSNS provides iSCSI SANs with the same management model as dedicated Fibre Channel SANs. In practice, administrators can satisfy many deployment goals for iSCSI without using iSNS.


Security

Authentication

iSCSI initiators and targets prove their identity to each other using the CHAP protocol, which includes a mechanism to prevent cleartext passwords from appearing on the wire. By itself, the CHAP protocol is vulnerable to dictionary attacks, spoofing, or reflection attacks. If followed carefully, the rules for using CHAP within iSCSI prevent most of these attacks.[4]
Additionally, as with all IP-based protocols, IPsec can operate at the network layer. The iSCSI negotiation protocol is designed to accommodate other authentication schemes, though interoperability issues limit their deployment.
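
The CHAP rules mentioned above, sketched from the target's side as an added example (not part of the original post; the class and function names are hypothetical). It computes the RFC 1994 MD5 response, refuses secrets shorter than the 96 bits RFC 3720 expects when IPsec is not in use, and rejects a reflected challenge during mutual authentication.

```python
import hashlib
import hmac
import os

MIN_SECRET_BYTES = 12  # 96 bits: RFC 3720 minimum when IPsec is not protecting the link


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5 (CHAP_A=5): MD5(CHAP_I || secret || CHAP_C)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapVerifier:
    """Target-side state for one login attempt (hypothetical helper)."""

    def __init__(self, secret: bytes, protected_by_ipsec: bool = False):
        # Length is only a lower bound: the rule asks for 96 *random* bits, so a
        # phrase such as "secretsarefun" passes here yet is still guessable offline.
        if len(secret) < MIN_SECRET_BYTES and not protected_by_ipsec:
            raise ValueError("CHAP secret shorter than 96 bits without IPsec")
        self.secret = secret
        self.identifier = os.urandom(1)[0]   # CHAP_I
        self.challenge = os.urandom(16)      # CHAP_C, fresh for every login

    def verify(self, response: bytes) -> bool:
        """Check the initiator's CHAP_R in constant time."""
        expected = chap_response(self.identifier, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)

    def check_reverse_challenge(self, peer_challenge: bytes) -> None:
        """Mutual CHAP: a peer that sends our own challenge back is reflecting it."""
        if hmac.compare_digest(peer_challenge, self.challenge):
            raise ConnectionAbortedError("reflected CHAP challenge; close the connection")


if __name__ == "__main__":
    secret = b"secretsarefun"                # sample secret from the text above
    target = ChapVerifier(secret)
    # Initiator side: answers the target's challenge with the shared secret.
    reply = chap_response(target.identifier, secret, target.challenge)
    print("initiator accepted:", target.verify(reply))
```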

Tuesday, July 3, 2012

Restricting Print Driver Installations on XenApp


Summary

This document provides a workaround to prevent all print drivers from being installed on a XenApp server.

Background

The vast majority of printing problems in Terminal Services and XenApp environments are caused by non-native, manufacturer provided, print drivers that exhibit poor multi-threaded performance. Unfortunately, print drivers can get installed on a server from many sources, including replication, RDP connections, connection to network printers, user profiles, and so on.

Procedure

For XenApp on Windows 2008 see CTX128775 – How to Customize Client Selective Trust and User Defined Client Device Settings
Use the steps below to complete the task. You might want to remove all non-native, manufacturer provided print drivers beforehand. The Print Detective utility at CTX116474 - Print Detective allows for quick filtering and deleting of these print drivers.
Caution! This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use the Registry Editor at your own risk. Back up the registry before you edit it.
  1. From the XenApp Advanced Configuration Console, select Policies > Create Policy. Name the policy and click OK.
  2. Select the new policy, expand Printing, and expand Drivers.
  3. Select Native printer driver auto-install.
  4. Select Enabled and Do not automatically install drivers. This prevents the XenApp printing subsystem from attempting to install native print drivers when users connect.
  5. Right-click the policy and select Apply this policy to.
  6. Select the Servers filter and apply it to one or more servers in the environment as needed.
  7. Open the following registry key on the servers where the newly created Citrix policy is being applied:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3
    Right-click the Version-3 key and set permissions for all accounts on the ACL to read. You must copy the default inherited permissions before modifying. To prevent 64-bit print drivers from being installed (whether the system is 64-bit or not) adjust the permissions on the same Version-3 key under Windows x64 instead of Windows NT x86.
Now, if a print driver installation attempt is made, it should fail and present an access denied error message. If drivers need to be installed at some point, add back the modify privilege to the appropriate accounts.

Thursday, June 28, 2012

Citrix Ports and Port Numbers

Most Common Ports for a Citrix Environment:

Citrix License Server
Component                    Type  Port   Details
License Manager Daemon       TCP   27000  Handles initial point of contact for license requests (Lmadmin.exe)
Citrix Vendor Daemon         TCP   7279   Check-in/check-out of Citrix licenses (Citrix.exe)
License Management Console   TCP   8082   Web-based administration console (Lmadmin.exe)

Citrix Provisioning Services:

Component                Type  Port       Details
Provisioning Server      UDP   6890-6909
Microsoft SQL Server     TCP   1433
Domain Controller        TCP   389
Broadcast / PXE Service  UDP   67/4011    Obtaining network boot information in case DHCP options 66 (TFTP Server Name, Bootstrap Protocol Server) and 67 (Bootfile Name, Bootstrap Protocol Client) are not configured or boot from ISO / local disk is not used
TFTP Server              UDP   69         Trivial File Transfer (TFTP) for bootstrap delivery
Provisioning Server      UDP   6910       Target Device logon at Provisioning Services
                         UDP   6910-6930  vDisk streaming (streaming service) (configurable)
                         UDP   6969       Two-stage boot. Used in boot from ISO or USB
Provisioning Server      TCP   54321      SOAP Service
                         TCP   54322      SOAP Service


Using Citrix Provisioning Services

Citrix Provisioning Services enables you to stream a single desktop image to create multiple virtual desktops on one or more servers in a data center. This facility greatly reduces the amount of storage required compared to other methods of creating virtual desktops.
If you are installing Provisioning Services in your environment, you can configure pooled virtual desktops to revert to a clean state after users log off. To do this, complete the following tasks:
  • Create the virtual machine to use as your base image and install the following software on that virtual machine:
    • Citrix Virtual Desktop Agent
    • Integration Services
    • Citrix Provisioning Services Target Device for x86 Platform
  • Create a Provisioning Services virtual disk (vDisk) based on the virtual machine image, using the Provisioning Services Virtual Image Builder.
  • Set the access mode for the vDisk to Standard Image (multi-client, write cache enabled).
  • Assign the vDisk to the virtual machines you will use as pooled virtual desktops.
  • On the Logoff Behavior page of the Create Desktop Group wizard, select Restart the virtual desktop.