Successfully Deploying XenDesktop in a Complex Active Directory Environment

The following environments assume that XenDesktop 5.x is installed on all DDCs and VDAs. This article is based on the registry based Controller Discovery – this is the recommended method for multiple forest registration.

The NetBIOS and Fully Quality Domain Name (FQDN) can be different. For example, the NetBIOS name could be BOB but the FQDN could be parent1.local or the NetBIOS name and FQDN can be the same:

Example: NetBIOS name is parent and the FQDN would be parent.local.

Note: Dots in NetBIOS names are not recommend.

Appropriate user access permissions are given for successful machine creation. In a cross-forest setup, use Delegation Control Wizard to keep permissions to minimum use. Permission must be given for the DDC Administrator to create machines in a different forest in a specific Organizational Unit (OU). The following minimum permission can be given for successful machine creation:

  1. Open Active Directory Users and Computers Microsoft Management Console (MMC).

  2. Right-click your OU and select Delegate Control.

  3. On the first screen, click Next.

  4. In the Users & Groups screen, click Add and pick a user or group you want to delegate rights to and click Next.

    The best practice is to assign a group rather than a single user, as it is easier to manage and audit.

  5. In the Tasks to Delegate screen, select Create a custom task to delegate and click Next.

  6. In the Active Directory Object Type screen, select Only the following objects in folder and select Computer objects.

    User-added image

  7. Select Create selected objects in this folder and click Next.
  8. In the Permissions screen, select General and then select Read and Write.

  9. Click Next.

    User-added image

  10. Click Finish to complete the delegation control.

Different types of Active Directory Setups

Simple Single Domain Deployment

The following diagram illustrates a XenDesktop deployment in a single Active Directory domain, where the DDCs, VDAs, and the users are all in the same domain.

User-added image

In this Single domain setup, all relevant components and objects are based on one single domain. Registration of VDAs with the DDC should be successful and no additional configuration, that is, the registry key changes is required.

Following is a list to check if VDA is unable to register with the DDC:

  1. Check Event Viewer for errors on both the DDC and the VDA.

  2. Ensure that the firewall is open for port 80 between the VDA and the DDC.

  3. Check that the FQDN of the DDC is correct in the registry setting of the VDA machine. On the VDA, check the following Reg Key:

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

    HKEY_LOCAL_MACHINESOFTWARECitrixVirtualDesktopAgent and confirm the parameter ListOfDDCs had the correct FQDN.

    If using 64-bit Virtual Machine, the VDA Reg Key is HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrixVirtualDesktopAgentListOfDDCs

  4. Ensure that the DNS settings are correct on VDA and DDC, and both the computers can resolve each other by DNS name and reverse lookups. Use the XDPing tool, downloadable from the Knowledge Center article CTX123278 – XDPing Tool to further troubleshoot.

  5. Check that the Time is in sync between the VDA and DDC are correct.

    For further troubleshooting, see Troubleshooting Virtual Desktop AgentRegistration with Controllers in XenDesktop.

Single Forest with Multiple Domains or Single Forest with Multiple Domains with shortcut trusts

The following two diagrams illustrate a XenDesktop deployment in a single forest with multiple domains and a Single Forest with multiple domains with shortcut trusts – where the DDC, VDA, and Users are all based in different domains.

The following is the illustration for Multiple Domains:

User-added image

The following is an illustration for Multiple Domains with short cut trusts:

User-added image

Multiple Domains: DDC, Users, and VDA are based in various domains, by default, a bidirectional transitive trust relationship exists between all domains in a forest.

Multiple Domains with short cut trusts: DDC, Users, and VDA are based in various domains but at two-way shortcut, trust has been manually created between the DDC domain and the VDA domain. Typically, shortcut trusts are used in a complex forest where it can take time to traverse between all domains for authentication. By adding a shortcut trusts, it shortens the trust path to improve the speed of user authentication.

For successful registration of the VDA with the DDC, the following should be configured correctly. DNS Forward/Reverse Lookup Zones are in place and configured on the relevant DNS servers. For further troubleshooting of VDAs not registering, see Following is a list to check if VDA is unable to register with the DDC: mentioned in the Simple Single Deployment section.

Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment. This is where the DDC is in a different Active Directory forest and the end users and desktops can be either in the same forest or in a separate Active Directory forest.

Note: For Forest trusts, both Forests must be in Win2003 Forest Functional Level.

User-added image

The preceding illustration shows two separate Active Directory forest with a two-way forest trust. DDC and Users are in the same forest (parent.local) but the VDAs are located in different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly:

DNS, for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional Forwarders, Forward /Reverse lookup zones and Stub zones are all acceptable for name lookup/resolution. As an example, in the preceding illustration, on the DNS server for Parent.local, a Secondary Forward Lookup Zone and a Reverse Lookup zone for Parent2.local has been added and similarly the opposite has been done on the Parent2.local. This means that the DDC should now be able to resolve the VDA by name and IP and the VDA resolves the DDC by name and IP address.

See Managing a Forward Lookup Zone for information on managing Lookup Zones.

On the Desktop Delivery Controller, enable the following registry value on the DDC. This enables support for VDAs, which are located in separate forests: HKEY_LOCAL_MACHINESoftwareCitrixDesktopServerSupportMultipleForest (REG_DWORD)

User-added image

To enable VDAs located in separate forests; this value must be present and set to 1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the changes to have an effect.

On the Virtual Desktop Agent, enable the following registry value on the VDA to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest; this value must be present and set to 1.

Note: The next step is only required if External Trusts are only being used.

  1. If the Active Directory FQDN does not match the DNS FQDN or if the domain where the DDC resides has a different NetBIOS name to that of the Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentListOfSIDs
    • User-added image

The ListOfSIDs registry key contains the DOMAIN SID of the DDC. By using this key, DNS lookups are using the true DNS name of the DDC.

To obtain the correct domain SID of the DDC, the domain SID can be found by using a tool such as ADExplorer from sysinternals or by using the XDPingtool.

Note: You must restart the Citrix Desktop Service for the changes to have an effect.

Multiple Forests with One-Way Selective trusts

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment using One-way Selective Trusts. The DDC is in a different Active Directory forest and the end users and existing VDAs (created either manually or through an alternative method) are in a separate Active Directory forest. In a one-way selective trust, automatic creation of Virtual Machines through DDC will fail, because of authentication issues.

For this example, the NetBIOS and FQDN are different in each Forest and domain.

Note: For One-Way Selective trusts, both Forests must be in Win2003 Forest Functional Level or above.

User-added image

Selective authentication is used in environments where users are explicitly granted/ allowed to authenticate to servers and resources on the trusting domain. This method gives domain administrators control on what rights users can be given to access services on the trusting domain. See Enable Selective Authentication over a Forest Trust for more information on Selective trusts.

Configure the following for successful registration of the VDA with the DDC:

  1. DNS for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional forwarders, Forward/Reverse lookup zones, and Stub zones are all acceptable for name lookup/resolution.

  2. Create the Selective trust on the relevant Domain Controllers.

  3. Follow steps provided in the Multiple Forests with trusts (External trusts – NTLM or Forest trusts Kerberos) section.

  4. The VDAs must be granted authentication access to the DDC. This is done through Active Directory Computer and Users snap-in.

    Note: VDAs can be added to a group to make management easier (granting rights). This is recommended.

    a) In Active Directory Computers and Users, browse to the location of the DDCs.

    b) Right-click DDC and click Properties.

    c) Click the Security tab.

    d) Click Add and click Locations to change the domain to where the VDAs reside.

    e) Click on Advanced, and click on Object Types. Choose ‘Computers’

    f) Select all the relevant VDA or Group (recommended) and click OK.

    g) Select the VDA’s or Group and give the rights – Read and Allowed to authenticate, as displayed in the following screen shot:

      1. User-added image

  5. On the DDC, select an Existing Catalog and create a relevant Assignment. When done, the Virtual Machines should show in a Ready State, as displayed in the following screen shot:

    User-added image

For further troubleshooting of VDA not registering, see Following is a list to check if VDA is unable to register with the DDC section.

Related:

  • No Related Posts

Default Group / log from OU Syncronized – SEPM

I need a solution

Dear,

You can help me with this two questions:

1_In the SEPM console, the computers in the Default Group can by move manually to another OU? the option “Sync Now” in the default group appears but its not possible to do, its correct? By default all the new computer store in this group? 

2_Its possible to know how are the OU syncronized from my Active directory an how is the OU created in SEPM console? there is any log file to check?

Regards

Miguel Angel

0

Related:

  • No Related Posts

Microsoft Windows Security Updates April 2019 overview

Microsoft released security updates for supported versions of Windows and other company today on the April 9, 2019 Patch Tuesday.

Updates are provided in various ways: via Windows Update, as direct downloads, and through Enterprise updating systems.

Our monthly overview of Microsoft’s Patch Day offers detailed information on updates, additional information that is relevant, and links to supported articles.

It starts with an executive summary, and is followed by the statistics, the list of released updates, known issues, and direct download links.

You can check out last month’s Patch Day in case you have missed it. As always, it is recommended that systems are backed up before new patches are installed. Note that some users had troubles installing the last cumulative update for Windows 10 version 1809; you can check a possible fix for System Service Exception blue screens here.

Attention: Reports of Windows 7 and 8.1, and Server 2008 R2 / 2012 R2 machines freezing after update installation. Is apparently related to Sophos products, only solution right now is to uninstall the update.

Microsoft Windows Security Updates April 2019

Download the following Excel spreadsheet listing security updates and related information for updates that Microsoft released in April 2019. Click on the following link to download the spreadsheet to your local system: microsoft-windows-security-updates-april-2019.zip

Executive Summary

  • Windows 10 version 1607 reached end of support for Enterprise and Education customers today.
  • Windows 10 version 1709 reached end of support for Home, Pro and Pro for Workstations today.
  • Microsoft released security updates for all client and server versions of Windows.
  • Other Microsoft software with security updates: Microsoft Edge, Internet Explorer, Microsoft Exchange Server, Team Foundation Server, Azure DevOps Server, Windows Admin Center, Microsoft Office
  • Microsoft fixed many long standing known issues.
  • The Update Catalog lists 133 updates.

Operating System Distribution

  • Windows 7: 29 vulnerabilities of which 6 are rated critical and 23 are rated important (links see W10 1809)
    • CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
    • CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
  • Windows 8.1: 31 vulnerabilities of which 7 are rated critical and 24 are rated important (links see W10 1809)
    • CVE-2019-0790 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
    • CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
  • Windows 10 version 1607: 33 vulnerabilities of which 7 are critical and 26 are important
    • critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
  • Windows 10 version 1703: 35 vulnerabilities of which 7 are critical and 28 are important
    • critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
  • Windows 10 version 1709: 37 vulnerabilities of which 8 are critical and 29 are important
    • critical issues same as W10 1809
  • Windows 10 version 1803: 37 vulnerabilities of which 8 are critical and 29 are important
    • critical issues same as W10 1809
  • Windows 10 version 1809: 36 vulnerabilities of which 8 are critical and 28 are important

Windows Server products

  • Windows Server 2008 R2: 29 vulnerabilities of which 6 are critical and 23 are important.
    • same as Windows 7
  • Windows Server 2012 R2: 31 vulnerabilities of which 7 are critical and 24 are important.
    • critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
  • Windows Server 2016: 33 vulnerabilities of which 7 are critical and 26 are important
    • critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
  • Windows Server 2019: 36 vulnerabilities of which 8 are critical and 28 are important.
    • Critical issues same as W10 1809

Other Microsoft Products

  • Internet Explorer 11: 5 vulnerability, 1 critical, 4 important
  • Microsoft Edge: 9 vulnerabilities, 7 critical, 2 important

Windows Security Updates

Windows 7 Service Pack 1

Monthly rollups won’t include PciClearStaleCache.exe anymore starting with this update. Microsoft advises that administrators make sure that updates between April 20, 2018 and March 12, 2019 are installed prior to installing this update and future monthly rollup updates to make sure that the program is on the system.

The following symptoms may be experienced if the file is not available:

  • Existing NIC definitions in control panel networks may be replaced with a new Ethernet Network Interface Card (NIC) but with default settings. Any custom settings on the previously NIC persist in the registry but were unused.
  • Loss of static IP address settings.
  • Network Flyout does not display certain Wi-Fi profile settings.
  • Disabling of Wi-Fi network adapters.

KB4493472 — Monthly Rollup

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
  • Fixed an issue that caused the error “0x3B_c0000005_win32k!vSetPointer”.
  • Fixed the netdom.exe error “The command failed to complete successfully” appears.
  • Fixed the Custom URI Schemes issue.
  • Fixed the WININET.DLL issue.
  • Security updates

KB4493448 — Security only update

  • Same as monthly rollup except for error “0x3B_c0000005_win32k!vSetPointer” and Custom URI Schemes.

Windows 8.1

KB4493446 — Monthly Rollup

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
  • Fixes an issue with MSXML6 that could cause programs to stop responding.
  • Fixed an issue with the Group Policy Editor that caused it to stop responding when editing Group Policy Preferences for Internet Explorer 10 Internet settings.
  • Fixed an issue with Custom URI schemes for Application Protocol Handlers.
  • Fixed an authentication issue in Internet Explorer 11 and other apps that use WININET.DLL.
  • Security updates for various components.

KB4493467 — Security-only Update

  • Same as the Monthly rollup except the Custom URI schemes fix (not listed)

Windows 10 version 1607

KB4493470

  • Fixed several known issues.
  • Fixed an issue to meet GB18030 certificate requirements.
  • Security updates.

Windows 10 version 1703

KB4493474

  • Fixed several known issues
  • Security Updates

Windows 10 version 1709

KB4493441

  • Fixed several known issues
  • Security Updates

Windows 10 version 1803

KB4493464

  • Fixed several known issues
  • Addresses a stop error that occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh –A) or a configuration setting.
  • Security updates.

Windows 10 version 1809

KB4493509

  • Fixed several known issues including EUDC blue screen, MXSML6 stop responding, Group Policy Editor stops responding, WININET.DLL
  • Security updates

Other security updates

KB4493435 — Cumulative Security Update for Internet Explorer

KB4491443 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493448 — Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4493450 — Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4493451 — Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4493458 — Security Only Quality Update for Windows Server 2008

KB4493471 — Security Monthly Quality Rollup for Windows Server 2008

KB4493472 — Security Monthly Quality Rollup for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4493478 — Security Update for Adobe Flash Player

KB4493563 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493730 — Security Update for Windows Server 2008

KB4493790 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493793 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493794 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493795 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493796 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493797 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493927 — Information disclosure vulnerability in Windows Embedded POSReady 2009

KB4494059 — Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4494528 — You receive an Error 1309 message when you install an .msi file on Windows Embedded POSReady 2009

KB4495022 — Information disclosure vulnerability in Windows Embedded POSReady 2009

Known Issues

Windows 7 Service Pack 1

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. Workarounds available.

Windows 8.1

Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. Workarounds available.

Windows 10 version 1607

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

And the Windows 7 SP1 issue.

Windows 10 version 1607 and newer

After installing the Internet Explorer cumulative update, custom URI schemes for application protocol handlers may not work properly in Internet Explorer. Workaround available.

Windows 10 version 1803

Same as Windows 7 SP1

Windows 10 version 1809, Windows Server 2016

Same as Windows 7 SP1

Security advisories and updates

ADV190011 | April 2019 Adobe Flash Security Update

ADV990001 | Latest Servicing Stack Updates

Non-security related updates

KB4487990 — Update for POSReady 2009

KB890830 — Windows Malicious Software Removal Tool – April 2019

Microsoft Office Updates

You find a list of all released updates for Microsoft Office — security and non-security – here.

How to download and install the April 2019 security updates

microsoft updates windows april 2019

Windows Updates get installed automatically on Home systems by default. You can block or delay the installation of updates on these systems.

It is not recommended to run a manual check for updates as it may lead to the installation of preview updates or feature updates, but you may do so in the following way:

  1. Open the Start Menu.
  2. Type Windows Update.
  3. Click on the “check for updates” button to run a manual check.

You may use third-party tools like the excellent Windows Update Manager or Windows Update Minitool to download updates.

Direct update downloads

Microsoft makes available all cumulative updates that it releases for Windows as direct downloads on the Microsoft Update Catalog website. Follow the links listed below to go there for the listed version of Windows.

Windows 7 SP1 and Windows Server 2008 R2 SP

  • KB4493472 — 2019-04 Security Monthly Quality Rollup for Windows 7
  • KB4493448 — 2019-04 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

  • KB4493446 — 2019-04 Security Monthly Quality Rollup for Windows 8.1
  • KB4493467 — 2019-04 Security Only Quality Update for Windows 8.1

Windows 10 and Windows Server 2016 (version 1607)

  • KB4493470 — 2019-04 Cumulative Update for Windows 10 Version 1607

Windows 10 (version 1703)

  • KB4493474 — 2019-04 Cumulative Update for Windows 10 Version 1703

Windows 10 (version 1709)

  • KB4493441 — 2019-04 Cumulative Update for Windows 10 Version 1709

Windows 10 (version 1803)

  • KB4493464 — 2019-04 Cumulative Update for Windows 10 Version 1803

Windows 10 (version 1809)

  • KB4493509 — 2019-04 Cumulative Update for Windows 10 Version 1809

Additional resources

Summary
Microsoft Windows Security Updates April 2019 overview
Article Name
Microsoft Windows Security Updates April 2019 overview
Description
Microsoft released security updates for supported versions of Windows and other company today on the April 9, 2019 Patch Tuesday.
Author
Martin Brinkmann
Publisher
Ghacks Technology News
Logo
Ghacks Technology News
Advertisement

Related:

  • No Related Posts

Image Preparation Utility: “Automatic Updates is currently turned on”

The purpose for this requirement is to make sure that Windows Updates do not creep into any of your app layers or published images. Windows Updates need to happen only in the OS layer. (Similarly, Office Updates need to happen only in the Office layer.) When you wish to update Windows, you need to re-enable the setting, do the updates, and then disable them again.

The installer specifically is looking at HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU. It requires that the value for “NoAutoUpdate” is set to a 1. If you look in your registry and that value is not set, then you may think that you disabled windows updates, but you actually have not. That setting is the only one that will absolutely prevent any OS updates from taking place in Windows 10.

(For Windows 7, simply set the Windows Updates pull-down to Never.)

Related:

  • No Related Posts

Need to update Client list to remove old licenses

I need a solution

So, we recently rolled out several new computers on our network, and now we’re getting an Over-Deployed warning.  We’re currently synced with Active Directory so we’re unable to remove the clients from the Manager directly, and deleting the computers from the Active Directory is out of the question.  I’ve already updated the time period to remove old clients from the network from 10 days to 3, but it appears that change hasn’t applied yet, as some of the clients that are almost a week old and off the network are still listed.

What I’d like to do is force the SEPM to poll the network and delete any clients that meet the new timing window, if that’s possible

0

Related:

  • No Related Posts

Change Password Option in StoreFront Not Shown, Available Only for Admins

Set permissions on AD following this article https://support.microsoft.com/en-us/kb/2281774

The users AD accounts need READ access to the following objects:

  • Domain Root Object: It looks up the primary domain of the Domain Controller and opens the domain for reading, which in turn opens the AD object for the domain, like DC=contoso,dc=com.
  • Builtin container: This is the root object of the builtin domain. It is opened as the caller wants to verify its existence. Thus the caller needs read access to the container CN=Builtin,DC=contoso,dc=com.
  • SAM server object: This object stores general permissions about general SAM account access and enumeration. It will be used on certain calls only. The object name is cn=server,cn=system,DC=contoso,dc=com.

As stated in the Microsoft article “In most Active Directory domains, permissions to these objects are granted based on the membership in generic groups like “Authenticated Users”, “Everyone” or the “Pre-Windows 2000 Compatible Access” group”. If possible these should be restored their Read permissions and/or the users accounts added back to these groups.

If that is not possible

  1. In Active Directory Users and Computers select View -> Advanced Features
  2. Create a new AD group containing the users that need access to the Change Password feature
  3. Right click the domain root object -> Properties -> Security
  4. Add the new AD group with Read permissions -> Apply -> OK
  5. Right click the Builtin container -> Properties -> Security
  6. Add the new AD group with Read permissions -> Apply -> OK
  7. Select the System Container -> Right click the Server samServer object -> Properties -> Security
  8. Add the new AD group with Read permissions -> Apply -> OK

Related:

  • No Related Posts