Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/14/2010 : 02:27:44 AM

Ugh, just took me a long time troubleshooting this one... We are migrating our Citrix environment from Win2003 to Win2008 R2, so I am redoing my user UI lockdown GPO. Went through all the usual stuff and when I tested it, I noticed that users were not able to unzip zip files (using the built-in Windows Explorer unzip).
So I undid the policy elements one by one and finally realized that the culprit is the "Remove Run menu from Start Menu" option. Ugh, that is kind of an important one. I am hoping that I can mitigate it for now using GPO preferences to keep it removed and AppLocker to prevent anything I don't want to be launched.
If anyone gets a moment to duplicate this in their environment it would be much appreciated!
Thanks, Wes

-Wes
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/14/2010 : 02:30:20 AM

Looking more closely at the policy, I am wondering if this is the part tripping it up:
"--- A UNC path: \\<server>\<share>
--- Accessing local drives: e.g., C:
--- Accessing local folders: e.g., \temp"
Since it prevents the above, and our folder redirects and shared drives are all based on UNC paths, I am wondering if that is the problem. Odd that it works fine in our 2003 environment though...

-Wes
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 04/14/2010 : 03:38:13 AM

UNC paths are required for folder redirection.
> I noticed that users were not able to unzip zip files (using the built-in windows explorer unzip).
Perhaps a TEMP folder is blocked by your policy?
> finally realized that the culprit is the "remove run menu from the start menu" option
Hard to believe.... If I have a moment today I'll try and reproduce this. Did you have a look with procmon?

Make it as simple as you can, but not simpler -- Albert Einstein
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/14/2010 : 12:22:22 PM

I found it hard to believe too, which is why it took me so long to troubleshoot: that was one of the last options I tried disabling!!! I was shocked when it turned out to be it. If you look in my second post, I copied in the extra information contained in the GPO explanation, which indicates that this GPO setting does block the TEMP folder (which is my guess as to what is creating the problem). What I'm wondering is why this wasn't an issue with 2003... Is it a change in how the GPO itself applies to 2008 R2, or is it a change in how 2008 R2 handles unzipping functions via Explorer?

-Wes
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 04/14/2010 : 3:36:06 PM

Sorry Wes, I misunderstood you.
I created a new domain user, and a new 2008 R2 server without any policies except the default domain policy. I enabled just the policy to remove Run from the Start menu for this test user. Before and after, I could create .zip files and open them using the Explorer zip capabilities.
So you are looking at something more complicated, I'm afraid. Does RSoP give any clues?

Make it as simple as you can, but not simpler -- Albert Einstein
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/14/2010 : 4:39:55 PM

Do you have folder redirection applied? The only other things I have applied are Folder Redirection and a policy to enable our UNC path as part of the Intranet zone. I even tried it without the latter one, and manually added our UNC path to the Intranet zone within IE, and I get the same result...

-Wes
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/14/2010 : 4:41:12 PM

-Wes
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/14/2010 : 4:42:15 PM

I get the same result whether I try to unzip on the desktop (which lists the path using the UNC), or in the mapped O: drive.

-Wes
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/14/2010 : 5:08:33 PM

Just tested it without folder redirection, and getting the same error as above!

-Wes
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 04/15/2010 : 03:20:52 AM

Wes, I'm not reproducing this. My next step would be to run procmon and see what exactly is getting denied.

Make it as simple as you can, but not simpler -- Albert Einstein
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/15/2010 : 10:27:38 AM

OK, will try to set that up later today. So strange, because I don't feel like I'm doing anything out of the ordinary!

-Wes
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/15/2010 : 7:50:09 PM

Faulting application name: Procmon64.exe, version: 2.9.0.0, time stamp: 0x4bc3b84e
Faulting module name: ctxsbxhook64.dll_unloaded, version: 0.0.0.0, time stamp: 0x4b980155
Exception code: 0xc0000005
Fault offset: 0x000007fefd122f60
Faulting process id: 0x23d8
Faulting application start time: 0x01cadcf5c3805a5a
Faulting application path: C:\Users\zuser_alac\Desktop\Procmon64.exe
Faulting module path: ctxsbxhook64.dll
Report Id: 0a335e20-48e9-11df-972f-00155d20281b

-Wes
NMDANGE
Honorable But Hopeless Addict
USA
2063 Posts
Status: offline
Posted - 04/16/2010 : 09:15:31 AM

Well, I've never seen procmon crash! Can you try on a machine that does not have any Citrix software installed? ctxsbxhook64.dll appears to be part of the Citrix software. I'd compare a straight Remote Desktop Session Host with no 3rd-party software and the same GPOs with one that has Citrix on it.

Michael D'Angelo (former) MVP-MIIS, Pace University Senior Systems Administrator (Windows) (MS)NMDANGE PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org
Edited by - NMDANGE on 04/16/2010 09:16:53 AM
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 04/17/2010 : 3:25:52 PM

In support of Michael's view: it is known that procmon can be a victim of a misbehaving app with corrupt internal data structures. Looks to be something seriously wrong here. One thing to try is to disable all the Citrix stuff, reboot, and then see what happens.

Make it as simple as you can, but not simpler -- Albert Einstein
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/17/2010 : 3:29:37 PM

Well, everything works swimmingly without that GPO set :-)
Will try to make time to test without Citrix.

-Wes
Xenophane
Honorable But Hopeless Addict
Denmark
3070 Posts
Status: offline
Posted - 04/18/2010 : 1:59:18 PM

Wes, I have a Citrix consultant coming in tomorrow, and I know that he has had some trouble with GPOs, but on R2 only... I spoke with him last week, and he has a case open with MS. I am not sure it is 100% the same problem as yours, but MS acknowledged that it was a bug in Windows.
I will see if I can get some more information tomorrow and post it.

Microsoft PowerShell MVP
George Bernard Shaw: "The power of accurate observation is commonly called cynicism by those who have not got it."
You can read my blog at www.xipher.dk
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/18/2010 : 5:48:46 PM

Cool, thanks!

-Wes
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/19/2010 : 11:49:27 AM

Finally made time to build up a new 2008 R2 terminal server, nothing installed but Acrobat, Office 2010, and Communicator 2007 R2. Can unzip just fine. Apply nothing but the "Remove Run" GPO setting, and get the same error. So it doesn't look like Citrix is the culprit... Let me know what you find out, Claus. For now I can get by without this setting; other lockdown options should prevent Run from being accessible.

-Wes
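An added diagnostic script, not from this thread or any of its posters, that scripts the manual repro Wes and wkasdo each did by hand: it reports whether the "Remove Run menu from Start Menu" policy value (NoRun) is present for the logged-on user, checks that TEMP is writable (wkasdo's guess), and then drives a zip extraction through the Shell.Application COM object, which is the Compressed Folders code path Explorer itself uses. It assumes PowerShell 2.0 on a 2008 R2 RDSH and is meant to be run as the locked-down test user; all file and folder names are made up.

```powershell
# Added example (not from the thread): reproduce the Explorer unzip failure
# under a test account and report the "Remove Run" policy state.
# Assumes PowerShell 2.0 on Windows Server 2008 R2, run as the locked-down user.

# 1. Is the "Remove Run menu from Start Menu" policy in effect?
#    That policy writes NoRun=1 under the Explorer policy key.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $noRun = (Get-ItemProperty -Path $key -Name NoRun -ErrorAction SilentlyContinue).NoRun
    $state = if ($null -eq $noRun) { '<not set>' } else { $noRun }
    "{0,-72} NoRun = {1}" -f $key, $state
}

# 2. Can this user write to TEMP? (the thread's guess for what the policy blocks)
$probe = Join-Path $env:TEMP ('unzip-probe-{0}.txt' -f [guid]::NewGuid())
try   { 'probe' | Out-File $probe -ErrorAction Stop; Remove-Item $probe; "TEMP writable: $env:TEMP" }
catch { "TEMP NOT writable: $env:TEMP ($($_.Exception.Message))" }

# 3. Build a zip and extract it through the same Shell COM object Explorer uses.
$work = Join-Path $env:TEMP ('unzip-test-{0}' -f [guid]::NewGuid())   # constructed paths
$src  = Join-Path $work 'src'
$out  = Join-Path $work 'out'
New-Item -ItemType Directory -Path $src, $out | Out-Null
'hello' | Set-Content (Join-Path $src 'hello.txt')

$zip = Join-Path $work 'test.zip'
# An empty zip is just the 22-byte end-of-central-directory record: "PK\5\6" + 18 zero bytes.
[IO.File]::WriteAllBytes($zip, ([byte[]](0x50, 0x4B, 0x05, 0x06) + (New-Object byte[] 18)))

$shell = New-Object -ComObject Shell.Application
$shell.NameSpace($zip).CopyHere((Join-Path $src 'hello.txt'))
Start-Sleep -Seconds 2                     # CopyHere runs asynchronously

try {
    # 16 = "Yes to All": suppress the confirmation dialogs Explorer would show
    $shell.NameSpace($out).CopyHere($shell.NameSpace($zip).Items(), 16)
    Start-Sleep -Seconds 2
    if (Test-Path (Join-Path $out 'hello.txt')) { 'Explorer unzip: OK' }
    else { 'Explorer unzip: FAILED (nothing extracted)' }
} catch { "Explorer unzip: FAILED ($($_.Exception.Message))" }
```

Run it once with the test GPO linked and once without; if step 3 flips from OK to FAILED while step 2 stays writable, the TEMP theory is ruled out and a procmon capture of the Explorer.exe process during step 3 is the next thing to compare.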
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 04/19/2010 : 12:02:20 PM

Does procmon run on this newly installed server?

Make it as simple as you can, but not simpler -- Albert Einstein
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/19/2010 : 12:03:13 PM

About to try that now!

-Wes
JSCLMEDAVE
Administrator
USA
6139 Posts
Status: online
Posted - 04/19/2010 : 12:06:25 PM

Shouldn't you actually run this from another server to avoid the Heisenberg effect? To avoid changing the monitored system by the very act of monitoring it...?

Tim-
"This too shall pass"
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/19/2010 : 12:27:14 PM

The only thing I can see in procmon that seems to be related is this:
Date & Time: 4/19/2010 9:26:38 AM
Event Class: Registry
Operation: RegEnumKey
Result: NO MORE ENTRIES
Path: HKCR\Drive\SHELLEX\FolderExtensions
TID: 2096
Duration: 0.0000023
Index: 1
Length: 288

-Wes
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 04/19/2010 : 1:42:43 PM

Could be anything, really. Sorry, my remote debugging skills stop here, especially because I'm not reproducing! You're not in a position to log a case yourself, I suppose?

Make it as simple as you can, but not simpler -- Albert Einstein
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/19/2010 : 1:45:04 PM

Yep, thanks for trying! Very strange that you can't reproduce, especially since I can on a fresh new server.

-Wes
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 04/19/2010 : 2:39:44 PM

Well, I have no TS, no Office, no Acrobat, no nothing. Just a clean server. The truth is somewhere in between, I suppose.

Make it as simple as you can, but not simpler -- Albert Einstein
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/19/2010 : 3:04:53 PM

Oh, no TS... hmm, I wonder if that has something to do with it... Don't suppose you could install RDSH?

-Wes
JSCLMEDAVE
Administrator
USA
6139 Posts
Status: online
Posted - 04/19/2010 : 5:21:10 PM

Just a WAG, and not having an R2 server to test on myself, I have to ask: are you running it with an elevated cmd prompt? I'm at a loss, especially without a test R2 box...
Did you check ALL the GPs being applied line by line? You may be surprised what someone may have set for you.

Tim-
"This too shall pass"
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/19/2010 : 5:27:01 PM

Hi Tim, there are no other GPs applied except the one I specifically created separately to test with, applying only this one change (confirmed in GPMC)... And no command prompt involved, elevated or otherwise...

-Wes
JSCLMEDAVE
Administrator
USA
6139 Posts
Status: online
Posted - 04/19/2010 : 5:40:51 PM

I mean line by line in the default GP...? Try using an elevated level to run the app. Just out of curiosity...

Tim-
"This too shall pass"
Pesos
Honorable But Hopeless Addict
USA
3519 Posts
Status: offline
Posted - 04/19/2010 : 5:42:38 PM

Hmm, the "app" is Windows Explorer... so I guess I could try it by applying the custom GP to an admin account on the server?
The default GP has nothing altered at all other than password policy...

-Wes
XDGrim
Welcome Newcomer
1 Posts
Status: offline
Posted - 02/09/2012 : 12:50:21 AM

Hi guys, this still appears to be an issue with Folder Redirection.
I'm having the same problem with 2008 R2 SP1.
Can you shed any light?