Archive for the ‘Vista/7’ Category

Citrix App won’t launch
A Citrix app won’t launch in Windows 7/Vista with IE9. You get the “Do you want to open or save this file” dialog when you try to launch it. An IE reset doesn’t fix it, and neither does changing the security zone. Try executing the following:

"C:\Program Files (x86)\Citrix\ICA Client\wfica32" /setup

Nope - I don’t know what all that does - other than make it work :)


IE 9 with roaming profiles, redirected folders and Vista/7

IE 9 has a problem when running in Vista or Windows 7 with roaming profiles and redirected folders (you know, the configuration that MS tells you to use if your users move around???). Anyway, this one manifests itself as printing from IE 9 only producing a header and footer and nothing else. The footer refers to a path in the user’s appdata\local\temp\low folder. When you look for that folder, you find that it didn’t get created. If you create it manually, it still doesn’t work. That’s because the integrity level isn’t set by default on anything that you create yourself. There are some MS Mr. Fix-it patches available under KB973479, but they only work on the user/computer combination you are on; they do not work at the roaming profile level. Currently the only way around this is to turn off IE’s Protected Mode. (I know it’s not the best thing to do - but until MS un-breaks this, it’s all I’ve figured out to fix it globally.) You can turn off IE Protected Mode via GPO Computer (not user) policy: Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, Internet Zone. Enable the policy and set Protected Mode to disabled.

Another way around this is to add the following to the user’s login script:

If not exist "%localappdata%\Temp\Low" (mkdir "%localappdata%\Temp\Low")
ICACLS "%localappdata%\Temp\Low" /setintegritylevel (OI)(CI)low
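
To confirm the login script did its job (so Protected Mode can stay on), the folder's mandatory label can be checked. This is an added example, not part of the original post; the function name is hypothetical and it assumes English-language icacls output.

```powershell
# Added example: report whether the Protected Mode temp folder exists and
# carries an inheritable Low mandatory label. Read-only; changes nothing.
# Assumption: icacls prints the label as "Mandatory Label\Low Mandatory Level".
function Test-LowIntegrityFolder {
    param([Parameter(Mandatory=$true)][string]$Path)

    $result = @{ Path = $Path; Exists = $false; LowLabel = $false; Inherits = $false }

    if (Test-Path -LiteralPath $Path -PathType Container) {
        $result.Exists = $true

        # icacls lists the mandatory label as an extra ACE line, but only
        # when a label has been set explicitly on the object.
        $aclLines  = & icacls.exe $Path 2>$null
        $labelLine = $aclLines |
            Where-Object { $_ -match 'Mandatory Label\\Low Mandatory Level' } |
            Select-Object -First 1

        $result.LowLabel = [bool]$labelLine
        # (OI)(CI) means files and subfolders created later inherit the label,
        # which is what the /setintegritylevel (OI)(CI)low line asks for.
        $result.Inherits = [bool](($labelLine -match '\(OI\)') -and ($labelLine -match '\(CI\)'))
    }

    New-Object PSObject -Property $result |
        Select-Object Path, Exists, LowLabel, Inherits
}

# Check the folder the login script above creates for the current user.
Test-LowIntegrityFolder -Path (Join-Path $env:LOCALAPPDATA 'Temp\Low')
```

A folder that exists but shows LowLabel as False is the manually created case described above: present, but not writable from Protected Mode.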




Mapped Drives in Vista/7 when elevated

Having finally gotten fed up with my mapped drives disappearing every time Vista/7 UAC wants elevated credentials, and with the solution being hard to search for, here it is. It involves a registry change at the computer level. The good news is you can make those changes pretty easily now with GPP being built in to Vista/7. So here is the value that needs to be added:


DWORD Value name: EnableLinkedConnections
Value of: 1


Funky DNS resolution with Cisco VPN and Vista/7

You have Vista or Windows 7 and finally got the latest version of Cisco VPN client to install and apparently work. All is well until you try to get to some other internal host after a few minutes or more. Suddenly no hosts other than the original host resolve! You ping your internal DNS server by address and it responds. NSlookup reports timeouts and can’t resolve the host name for the internal DNS server. What the heck is going on here? Is it another Cisco “issue”? The clue is that everything works fine on XP but not on Vista/7. So what changed between XP and Vista/7? Well, it turns out that Microsoft rewrote the IP stack for Vista/7 and among other things added a nifty little feature called autotune. This is supposed to automatically tune the receive window size based on latency, usage and the color of your underwear. So guess what? Since you don’t resolve internal names over the VPN very much (and you have green undies on), name resolution gets tuned down to practically nothing. So when you try to use it, it times out. The fix is to turn off autotune. You can do this as follows:

Disable TCP Auto-Tuning

1. Open an elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=disabled

Enable TCP Auto-Tuning

1. Open an elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=normal

How about that law of unintended consequences???


Update: Sometimes the above does not entirely fix the problem. Do the following (note: the article was originally written for Server 2003 but appears to be applicable to this case too):


The Domain Name System (DNS) client screening feature lets Microsoft Windows Server 2003-based computers determine whether a DNS server is reachable from the configured interface. However, this feature may also prevent access to a DNS server that is otherwise available.

This article describes how to turn off the DNS client screening feature.

To turn off the DNS client screening feature, you must first create the ScreenUnreachableServers registry entry. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type ScreenUnreachableServers, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. Type 0 in the Value data box, and then click OK.
  7. Exit Registry Editor.

    Note You must stop and then start the DNS Client service for the registry change to take effect.

In some configurations, the DNS client screening feature may prevent access to a DNS server that is otherwise available. Typically, this occurs on a server that has more than one network adapter interface. The operating system determines whether a DNS server is reachable, together with the DNS client screening feature.

It is by design that the DNS Client service does not access the DNS servers that appear to be unreachable from the interface on which they are configured. The DNS servers are marked unreachable for the server even though they may be available to the other network adapter on the same server.


MDT 2008 Lite Touch fails with weird network errors - sometimes
You may not put two and two together, but the last time you updated MDT (because MS told you you needed to… (yeah, so much for trusting MS)) you actually broke it. Now you get a Network Timeout (or a weird access denied error) in Windows PE 2.1 when it’s trying to launch the Lite Touch scripts. Oh, and another thing about launching LiteTouch: don’t have a Windows boot CD (or any CD) in the CD drive. For some weird reason WPEInit will see that and fail to launch the LiteTouch script. (No, I haven’t figured out why yet.)

You get the following error message in MDT 2008 Lite Touch Deployment even though you have the correct NIC drivers in Windows PE and the correct bootstrap.ini settings: “A connection to the deployment share \\Server\Distribution$ could not be made. The Deployment will not proceed”. Upon further investigation you find out that you get an access denied error when you try to list the \\server\distribution$\ directory. BUT! If you do a Net Use mapping to the folder, it works just fine! WTF? AND, it works on some models of computer but not on others. More WTF?

A network initialization timeout issue in wpeinit.exe in Windows PE 2.1 causes MDT 2008 Lite Touch Deployments to fail.

Give Windows PE 2.1 a few more seconds by editing startnet.cmd in your LiteTouch_x86.wim (or iso) to look like below. (It’s in the windows/system32 directory.) (Use ImageX /mountrw LiteTouch.wim 1 d:\image to mount the WIM.) (Don’t forget to ImageX /unmount /commit d:\image when you’re done; without /commit the edit is discarded.)


wpeutil InitializeNetwork
rem Any command that does nothing but takes a few seconds to complete will do here (pause also works)
ping localhost

If you want the Deployment Workbench to include the updated startnet.cmd every time you update the Deployment Point, just follow the steps below.

Configure MDT to use the updated startnet.cmd

  1. Create a folder named ExtraFiles\Windows\System32 in the distribution share and copy the updated startnet.cmd to it.
  2. In the Deployment Workbench, right-click the Deployment Point and select Properties.
  3. In the Windows PE Tab, in the Extra directory to add textbox, type in D:\ExtraFiles
  4. Click OK
  5. Regenerate the WIM files and don’t forget to rebuild the Boot images in WDS otherwise your changes won’t take effect.



Converting Roaming Profiles to Mandatory Profiles

When doing the official MS method for creating mandatory profiles, you used to be able to take advantage of a little flaw in XP where XP neglected to remove the cached roaming profile even though you told it to via GPO. Well, they fixed that for the most part in Vista, and so now it really does remove the cached profile when you tell it to. So now, every time you need to refresh your mandatory profiles, you pretty much have to start from scratch creating a new local profile. If only you could convert the mandatory profile back to a roaming one, make the changes, then reconvert it back to mandatory! Life would be so much simpler. Guess what, there is a way! Go ahead and create or change the roaming profile that is your base, and log off to save it to the server. Now simply copy it to where you keep the mandatory profile, fix the permissions on all the files and subfolders, rename ntuser.dat to and voilà! You’re done. Er….. almost. You probably remember that didn’t freakin work. It turns out that all you were missing was to fix the permissions inside the registry. Yup, they’re still set to only allow the user you saved the roaming profile as access to the registry. So, now all you need to do is fire up regedit, load the hive, remove the roaming user, add the group you want to be able to use the mandatory profile, and unload the hive back to the mandatory profile folder - and NOW you’re done! So why doesn’t MS tell you you can do it that way instead of the rigmarole they have you go through???? Because they are MS, of course.



The user profile service service failed to logon

This is another Vista goodie. All us anal retentive network nazis have the habit of cleaning up old profiles from desktop computers when we run across them. The simplest way was to simply delete the profile folders from the Documents and Settings folder in XP or 2000. As you probably know by now, Documents and Settings has been replaced by the OS X-esque Users folder. So you figure you can do the same thing in this folder. Well, you can, but you are setting up a potential problem in the future. It seems that the registry keeps track of all the users that have ever logged on to a machine. Now if you’ve deleted the user’s profile contents by simply deleting their profile folder, then when you try to log into the machine using that profile, Vista barks at you with the titled error. You think WTF? This user can log into every other computer, and other users can log into this computer!!! The fix to this is to go into the registry and remove the references to the deleted profiles. The profile list can be found here: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList. The prevention is to log into the machine as a local administrator, go in to the computer’s Advanced properties and delete the profile from there. That way the folder AND the registry entries will be removed.

Just another “helpful” feature of Vista…
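
To find the machines that are set up for this before a user hits the error, the ProfileList entries can be compared against the folders on disk. This is an added example, not from the original post; the function name is hypothetical, and it only reports, it deletes nothing.

```powershell
# Added example: list ProfileList entries whose profile folder is gone,
# i.e. the leftovers from deleting a folder under C:\Users by hand.
# Run from an elevated prompt so every subkey is readable.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-OrphanedProfileEntry {
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $sid  = $_.PSChildName
        $raw  = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if (-not $raw) { return }          # subkey without a profile path

        # ProfileImagePath may contain variables such as %SystemDrive%.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        if (Test-Path -LiteralPath $path) { return }   # folder still there

        # Resolve the SID to a name where possible; deleted accounts and
        # renamed keys (for example a ".bak" suffix) will not resolve.
        try {
            $id      = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        New-Object PSObject -Property @{
            Sid              = $sid
            Account          = $account
            ProfileImagePath = $path
        } | Select-Object Sid, Account, ProfileImagePath
    }
}

Get-OrphanedProfileEntry | Format-Table -AutoSize
```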



Adobe Acrobat Reader 9.0

Don’t DO it!!!! In case you haven’t figured it out yet, Adobe’s release 9.0 of Acrobat Reader causes lots of problems.

Known Issue #1 - In Vista with IE 7 and a normal user, Reader won’t launch inline in the IE browser window - it just hangs with a blank page. The workaround for this has been to turn off the browser integration so Reader launches in its own window.

Known Issue #2 - If you have redirected your Application Data folder to a network share, 9.0 has a hissy fit and errors out on open.

The fix to all of this??? Why, it’s Acrobat Reader 9.1 of course! Just another example of why you should be very cautious with dot zero releases. And, cynically, another example of the ridiculous buggy bloat that is all things Adobe. Yes, Adobe seems to be contending with the king of bloat (MS) for the crown. I think they might even get it very soon!

PS: Version 9.1 does indeed fix both of the problems. HOWEVER, it unintentionally breaks itself again. Or more correctly, it tries to use something that is broken in Vista. So, when you install 9.1, make sure to install hot fix 228839 available here:

This fixes a problem that shows up when you are using roaming or mandatory profiles and Vista doesn’t create all of the local temp folders.  It’s especially bad if you clear the cached profiles at logout.

Gone insane yet??????

More insanity…

Ok, so the hotfix listed above does indeed fix the problem. But ONLY for VISTA SP1 !!! The hotfix won’t install in SP2. Not only that, but if you do have the hotfix installed (or any other hotfix for that matter) SP2 won’t install via WSUS. AND MS broke the Local/Low folder generation for situations of folder redirection in SP2 again. So, basically I give up waiting for MS to fix this and keep it fixed. If you just add the following line to your logon scripts, it will create the missing folder if the logon process doesn’t. Maybe some day MS will get their head out of their A@# and actually get this fixed (Yes, this has been frustrating).

If not exist "%userprofile%\appdata\LocalLow" md "%userprofile%\appdata\LocalLow"




Change those unchangeable defaults

You can change the default open and save location for all of the Office 2007 programs except Publisher.  How lame is that???  Or can you?

It turns out that Publisher for some unknown reason looks at the following registry key value: HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal to figure out where to open and save from. So if you change this value to where you really want your default to be, then Publisher (and any other program that looks at the same key) will magically use that as the default path.

Ah, and here is another one just like that. MS Paint looks at: HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures to figure out where it opens at. Change that value and voilà! Default changed. You can use either a UNC path or a mapped drive.

The big warning is that any other programs that use these keys will get their defaults changed as well, but then again, if you want your default changed for these programs, you probably want it changed for any others as well. The other big warning is that these values will be ignored if you have folder redirection enabled for My Documents either at the user level or via GPO.



Vista, Outlook 2007 and RPC over HTTP

Ok, here’s a fun little tidbit. You’ve been setting up Outlook 2003 and 2007 to operate remotely over HTTP for quite a while now. You even think you know what you are doing! And then along comes a problem out of the blue that makes no sense. After all, you’ve done this lots of times before. Here’s the situation…. Outlook 2007, Vista, RPC over HTTP, AND self signed certificates. The error message is: “Outlook is unable to connect to the proxy server ….” and it ends with “(Error code 8)”. You, being a smarty pants, realize that you probably forgot to install the certificate. So, you go ahead and pop open IE, go to your OWA page, click on the cert warning and install it - click, click, click, done. Something you’ve done a thousand times, right? You try Outlook again and - dang it! It still doesn’t work! Same error. WTF? Well, what happened is that Vista puts your self signed cert in the Intermediate category (one of those clicks told IE to put it in the default category) and Outlook 2007 needs the cert to be in the Trusted Root category. Picky, picky, picky. Solution? Watch where you install the cert to when you install it! But if you already messed that up, then open MMC, add the cert snap-in for personal use, then drag the cert from the Intermediate folder to the Trusted Root folder. Bang, done, Outlook 2007 works! So, now you ask: “Why does MS need to go around messing with stuff like this????” Ah, now if I had the answer to that!!!!…..
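
Before dragging anything between stores, it helps to see exactly which self signed certs landed in the Intermediate store and whether a copy already sits in Trusted Root. This is an added example, not from the original post; the function name and the sample subject filter are hypothetical.

```powershell
# Added example: find self signed certificates in the current user's
# Intermediate store (Cert:\CurrentUser\CA) and show whether the same
# certificate is also present in Trusted Root (Cert:\CurrentUser\Root).
# Read-only; it moves and trusts nothing.
function Get-MisplacedSelfSignedCert {
    param(
        # Wildcard on the subject, e.g. '*mail.example.com*' (constructed name).
        # Narrow it: Windows ships a few self signed entries in this store.
        [string]$SubjectLike = '*'
    )

    $rootThumbprints = Get-ChildItem -Path Cert:\CurrentUser\Root |
        ForEach-Object { $_.Thumbprint }

    Get-ChildItem -Path Cert:\CurrentUser\CA |
        Where-Object {
            # Self signed: the certificate names itself as its issuer.
            ($_.Subject -eq $_.Issuer) -and ($_.Subject -like $SubjectLike)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                AlsoInRoot = ($rootThumbprints -contains $_.Thumbprint)
            } | Select-Object Subject, Thumbprint, NotAfter, AlsoInRoot
        }
}

Get-MisplacedSelfSignedCert | Format-Table -AutoSize
```

Compare the Thumbprint shown here with the one on the Exchange server's own certificate before placing it in Trusted Root, since anything in that store becomes a trust anchor for the user.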

