The Sysadmins

Tips and tricks from the Sysadmins

Category: Citrix

Deploying Microsoft LAPS – Non-Persistent VDI

Deploying Microsoft LAPS to a non-persistent VDI environment requires a slightly different approach from traditional machines, especially in environments that force a reboot after user logoff (e.g. Citrix XenDesktop using PVS), because every local change, the rotated administrator password included, is discarded when the desktop reboots back to the golden image.

Issue

  1. The computer boots for the first time after LAPS has been installed and the GPO configured
  2. When Group Policy is refreshed, the LAPS CSE reads ms-Mcs-AdmPwdExpirationTime; it is unset (treated as expired) because a password has never been set for this computer
  3. A new password is set on the computer and written to Active Directory, and ms-Mcs-AdmPwdExpirationTime is updated with an expiry date for the password (as per the Group Policy "password age (days)" setting)
  4. The computer is restarted and boots the golden image again, discarding the local password change
  5. When Group Policy is refreshed, the LAPS CSE reads ms-Mcs-AdmPwdExpirationTime, which is now populated with the expiry time set in step 3
  6. The password has not expired, so the computer does not update it
  7. LAPS is not functional: the password stored in AD belongs to the discarded session and no longer matches the local administrator account

Fix

Originally I looked at clearing the ms-Mcs-AdmPwdExpirationTime attribute on shutdown with VBS.

' Bind to this computer's own AD object (ADSystemInfo.ComputerName returns its DN)
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Set ms-Mcs-AdmPwdExpirationTime to 0 (a FILETIME in 1601, i.e. already expired)
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write the change to AD
objComputer.SetInfo

This can also be done from PowerShell, but the ActiveDirectory module requires the Remote Server Administration Tools to be installed on the image, which wasn't desirable. Running the script on shutdown was unsuccessful due to an issue with how Citrix Delivery Controllers manage the shutdown of the virtual desktops, which essentially prevents the script from running. More information here: Logoff Script is terminated early on XenDesktop. This may not be an issue for you if you are using another VDI solution.

After trying a few other methods, the following has proven to be reliable. The VBS script sets ms-Mcs-AdmPwdExpirationTime to 0, waits 3 minutes and then runs GPUpdate to trigger a password update. The 3 minute pause is insurance that the ms-Mcs-AdmPwdExpirationTime change has replicated to the other DCs in the site, since the Group Policy refresh may not bind to the DC that took the write. With this method you are essentially setting a new password and expiry date at every startup. Be aware that until the rotation completes the password stored in AD is still the previous session's, which no longer matches the reverted local account, so keep the wait as short as your replication topology allows. Maybe Microsoft will add this as a feature in a future release of LAPS.

Add this as a startup script, either in Group Policy (Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)) or locally on the golden image with gpedit.msc, and enjoy LAPS within your VDI environment! Startup scripts run as SYSTEM, so the attribute is written with the computer account, which the standard LAPS delegation (Set-AdmPwdComputerSelfPermission) already allows to write ms-Mcs-AdmPwdExpirationTime.

LAPSVDI.vbs

Option Explicit
Dim objSysInfo, objComputer, WshShell, Result

' Bind to this computer's own AD object (ADSystemInfo.ComputerName returns its DN)
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Set ms-Mcs-AdmPwdExpirationTime to 0 (a FILETIME in 1601, i.e. already expired)
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write the change to AD
objComputer.SetInfo
' Sleep 3 minutes so the change replicates to the other DCs in the site
WScript.Sleep(180000)
Set WshShell = CreateObject("Wscript.Shell")
' Run GPUpdate /force for the computer policies only; "echo n" answers any
' logoff/restart prompt. Window hidden (0), wait for completion (True)
Result = WshShell.Run("cmd /c echo n | gpupdate /target:computer /force", 0, True)
' Exit with GPUpdate's exit code
WScript.Quit(Result)
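The same reset, wait and refresh sequence in PowerShell, as an added example that is not part of the original post: it uses System.DirectoryServices rather than the ActiveDirectory module, so it needs no RSAT on the image, and it reads ms-Mcs-AdmPwdExpirationTime back after GPUpdate to confirm that LAPS actually rotated the password. The parameter names, the Get-SelfComputerEntry and Get-ExpirationTime functions and the log path are assumptions made here; the Put of the string "0" is the same ADSI call the VBScript above makes.

```powershell
# Added example, not from the original post: the reset / wait / refresh sequence
# of LAPSVDI.vbs in PowerShell, using System.DirectoryServices (no RSAT needed)
# and verifying afterwards that LAPS really rotated the password.
# Assumed: runs as a computer startup script (SYSTEM, so AD sees the computer
# account, which Set-AdmPwdComputerSelfPermission lets write this attribute).
# The parameter defaults, function names and log path are made up for this example.
param(
    [int]$ReplicationWaitSeconds = 180,
    [string]$LogPath = "$env:SystemRoot\Temp\LAPSVDI.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

# Find this computer's own object with a serverless search (binds to any DC).
function Get-SelfComputerEntry {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    [void]$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwdExpirationTime')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found" }
    return $result
}

# ms-Mcs-AdmPwdExpirationTime is an Integer8 holding a FILETIME (100 ns ticks
# since 1601-01-01 UTC). DirectorySearcher hands it back as Int64. Unset or 0
# is in the past, which is what makes the LAPS CSE rotate the password.
function Get-ExpirationTime {
    $values = (Get-SelfComputerEntry).Properties['ms-mcs-admpwdexpirationtime']
    if ($values.Count -eq 0) { return $null }
    $ticks = [int64]$values[0]
    if ($ticks -le 0) { return [datetime]::MinValue }
    return [datetime]::FromFileTimeUtc($ticks)
}

# 1. Expire the stored password: the same ADSI Put/SetInfo the VBScript uses.
try {
    $entry = (Get-SelfComputerEntry).GetDirectoryEntry()
    $entry.Put('ms-Mcs-AdmPwdExpirationTime', '0')
    $entry.SetInfo()
    Write-Log "Set ms-Mcs-AdmPwdExpirationTime to 0 on $($entry.Path)"
} catch {
    Write-Log "Failed to reset expiration time (check the SELF write permission): $_"
    exit 2
}

# 2. Let the write replicate within the site; the Group Policy refresh may bind
#    to a different DC than the one that took the write.
Start-Sleep -Seconds $ReplicationWaitSeconds

# 3. Trigger the LAPS CSE. The piped "n" answers any logoff/restart prompt.
$before = [datetime]::UtcNow
cmd.exe /c 'echo n | gpupdate.exe /target:computer /force' | Out-Null

# 4. Verify: a successful rotation leaves an expiry time in the future.
$expiry = Get-ExpirationTime
if ($expiry -and $expiry -gt $before) {
    Write-Log "LAPS rotated the password; new expiry (UTC) $expiry"
    exit 0
}
Write-Log "LAPS did NOT rotate the password; expiry reads '$expiry'. The AD copy is stale."
exit 1
```

Deploy it through the PowerShell Scripts tab of the Startup scripts policy (or gpedit.msc on the golden image). A non-zero exit code, or the "did NOT rotate" log line, is the condition to alert on: it means the password held in AD for that desktop is the previous session's and will not work.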

Deploying XenClient Enterprise Engine with SCCM

This post explains how to automate the deployment of XenClient Enterprise Engine 5.5.5 using SCCM 2012 R2. There is very little information on how to achieve this, so hopefully this will help those looking for a solution. Thanks go to a post by Greg Roll early last year on the Citrix discussion forums, which pointed me in the right direction. A few bits were missing or lacking detail, which I will cover here.

Preparing the files

Download the XenClient Windows Installer (xce-engine-setup-5.0.exe, under additional software) and run it on a disposable virtual machine. When prompted, select the latest Engine ISO and continue.

[Screenshot: XenClient_SCCM_1]

Select Resize Windows.

[Screenshot: XenClient_SCCM_2]

Leave these options unticked.

[Screenshot: XenClient_SCCM_3]

Click Next to start the installation and select No when prompted to reboot.
