How to Troubleshoot Client Drive Mapping

Common Client Drive Mapping Inquiries

Hotfix Rollup Pack 7 for XenApp 5 and Presentation Server 4.5 for Microsoft Windows Server2003

CTX127614 – Differences in Client Drive Mapping between XenApp 6.0 and 6.5, PresentationServer 4.5, and XenApp 5.0

CTX127968 – How to Enable Legacy Client Drive Mapping Format on XenApp 6.x andXenDesktop

CTX122327 – How to Enable and Configure the Plug-in Group Policy Settings for Client DriveMapping

The following information applies to legacy versions of Citrix Presentation Server/XenApp and XenApp 5 Windows Server 2008.

Client Drive Mappings Do Not Create For Any User

  1. Ensure the Active Directory profile for the users having the issue have the default Connect client drives at logon box checked, if the ICA-TCP port properties are set to Inherit User Config.

    User-added image

  2. Ensure the option to disable client drive mappings on the ICA-tcp listener in Terminal Services Configuration is not enabled. A Group Policy might gray out the check box selection.

    User-added image

  3. Investigate the usage of Citrix policies, where applicable.

    Removable drives must be inserted / attached to the client computer before the ICA connection. After the removable drive is inserted / attached, ensure the client is not reconnecting to a disconnected session or that the drive is not being restricted by a policy.

  4. For Windows Terminal Server Installations, ensure the following registry entry exists and that the process, wfshell.exe, is running inside the session:

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.


    Key: AppSetup

    Value: Cmstart.exe

    CTX983798 – Purpose of CMSTART Command

  5. Ensure the Client Network Service is started. Do not attempt to restart the Client Network Service when there is an existing ICA connection to the server. If the Client Network Service does not appear within services, verify that the key, CdmSerivce, and its subcatergories, Enum and networkProvider, along with their values are present under:

    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices. Check another working server for proper registry settings.

  6. Ensure the RPC Service is started.

  7. Ensure that Client Network is visible under Network Neighborhood. If it is not, complete the following steps:

    1. Start Registry Editor (Regedt32.exe) and browse to the following key:

      HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlNetworkProviderOrder The value for ProviderOrder contained only LanmanWorkstation.

      Add CdmService, so that the Value now reads “CdmService,LanmanWorkstation.”

    2. Ensure the path defined under the CommonFilesDir value from

      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion is correct.

    3. Restart the server.

  8. Ensure Cdmprov.dll is in the system32 directory.

  9. Ensure Microsoft files Mpr.dll, the Multiple Provider Router dll, and Mup.sys (the Multiple UNC Provider driver) are present.

  10. Does drive mapping fail for the administrator? If not, ensure users have sufficient rights to the dlls, exes, and registry settings outlined in this section.

  11. Does the command chgcdm /default work?

  12. Does the command net use * \clientc$ work? If it does not, a System Error 67 appears.

  13. Is a local Windows policy “Strengthen default permissions of global system objects” disabled? If so, Enable this policy.

  14. Check the event log for CDM error messages.

  15. Can a similar function be performed in a Microsoft network scenario?

  16. Verify that the Cdm.sys file is in the Program FilesCitrixSystem32drivers directory.

  17. Ensure logon scripts, such as Kixstart, do not include statements such as net use * /d.

  18. If using Web Interface, does the template.ica or default.ica file have a value of

    CDMAllowed=Off (for Client version 9.x or earlier) or CDMAllowed=False (for Client version

    10.x or later)?

    See ICA Settings Reference in eDocs – and CTX331178 – Appsrv.ini Parameters Deciphered for more information.

    CTX117315 – Cannot Open More than 20 Files Concurrently Using a Client Mapped Drive byDefault.

    CTX117481 – Manually Mapped Client Drives not Showing when Reconnecting to aDisconnected Session

    CTX113480 – Error: Cannot copy (file name):Invalid MS-DOS Function… when using ClientDrive Mapping and Files Larger than 2 GB.

    CTX103825 – Changes to Client Drive Files are not Immediately Updated

    CTX124356 – How to Enable Read-Only Client Drive Mapping and Clipboard Mapping forXenApp

    CTX124139 – Duplicate Auto-Mapped Local Client Drives in ICA Sessions

How to Map Client Workstation Network Drives in an ICA Session

Use the Net Use command in a logon script to map client network drives, even when the Citrix Management Console policy is enabled. For design and performance reasons, if the client mapped network drive is accessible on the network from the Citrix server, Citrix recommends that you do not use the following solution and that the network drive be mapped in a regular Windows logon script.

Note: The following point items are valid for all versions of XenApp.

  • During logon, the ICA Client informs the server of the available client drives, COM ports, and LPT ports.
  • Client drive mapping allows drive letters on the Citrix server to be redirected to drives that exist on the client device; for example, drive H in a ICA user session can be mapped to drive

    C of the local computer running the Citrix ICA Client. These mappings can be used by the File Manager or Explorer and your applications just like any other network mappings. Client drive mapping is transparently built into the standard Citrix device redirection facilities. The clients disk drives are displayed as share points to which a drive letter can be attached. The Citrix server can be configured during installation to automatically map client drives to a given set of drive letters. The default installation mapping maps drive letters assigned to client drives starting with V and works backwards, assigning a drive letter to each fixed disk and CD-ROM. (Floppy drives are assigned their existing drive letters.)

  • You can use the net use and change client commands to map client devices not automatically mapped at logon. Use the following command and syntax:

    net use y: \clientc$ where y is the drive letter in a session and c is the client drive letter you want to map.

For more information about the location and creation of logon scripts, refer to the MicrosoftHelp and Support site.

Because Presentation Server 4.0 with Hotfix Rollup Pack 1 it automatically maps Network Drives. This is not by design.

[From PSE400W2K3R02][#127532]:

“Network drives for client devices incorrectly map automatically as local client drives.”

How to Prevent Client Workstation Network Drives in an ICA Session

Enable a policy through the management console to prevent these drives from mapping.

Attempting to manually map the remote drive through the net use command will throw an error

“System Error 55 has occurred”. The specified network resource is no longer available.”

How to Disable Specific Client Drive Mappings

Complete the following steps:

  1. Open the Module.ini file in a text editor (for example, Notepad) on the client device. In most cases, this file is in the Program filesCitrixICA client directory.

  2. Add the following entry to the end of the [ClientDrive] section: DisableDrives =A,D,F

  3. Save the changes and exit the text editor.

  4. This entry prevents the client side drive letters A, D, and F from being mapped. The entry is not case-sensitive. If someone attempts to map a “disabled drive” through the client network within an ICA session (that is, net use * \clientD$), the following error message appears:

    “System Error 55 has occurred. The specified network resource is no longer available.”

    The same restriction can be applied to an .ica file (used with published applications) by adding “DisableDrives=” in the [Wfclient] section. Again, use a text editor to make this change.

    Another solution is to enable a policy through the management console.

How to Map Only One Client Drive at Logon

  1. From Terminal Services Configuration, double-click ICA-TCP connection type.

  2. Select Client Settings.

  3. Clear Inherit user config.

  4. Clear Connect Client drives at Logon.

  5. Click OK.

    Note: Do not select Disable Client Drive Mapping; this will disable all future client drive mappings.

  6. Create a logon script (.bat file) in the following format:

    net use y: \clientc$ where y is the drive in a session and c is the client drive you want to map.

    Note: This does not permanently disable clients from mapping another drive when they are logged on.

How to Make the Server Drives Appear as a Client Drive When Using the Pass-Through Client

Local or network drives configured on the server can now be mapped by the pass-through client.

How to Map Client Drives in Pass-Through Sessions –

For legacy version 9.xx

Open the Module.ini file in a text editor and add the following line to the [ClientDrive] section of the file:


For version 10.xx and later

  1. Run Regedit.

  2. Navigate to:



  3. Create the Reg Value: NativeDriveMapping

    Reg Type: REG_SZ

    Add the Value: True

    When this flag is set, the client drives on the client device are not mapped and are not available. The drives configured on the server are mapped and are available to the passthrough client.

    CTX126763 – Client Drive is Not Mapped Using ICA Client Version 12 as Pass-Through Client

How to Ensure Client Drive Connectivity

Certain applications require access to client drive files to operate. When published, the executable can launch before the client redirector can finalize the client connections. This workaround ensures the client drives are available before the server executes the application.


  1. Set user profile connection configuration to allow client drive access.

  2. Publish an application that runs a batch file.

  3. Create a batch file that resembles the following:

    @echo off rem * rem * Wait on redirector to connect client drive. rem * In this case, we are using the V: drive as the client C:. rem * We also need something to look for on the client drive. rem * Adjust the settings accordingly. rem * echo Connecting...:DelayDIR %homedrive% /w > V:tag.txt IF EXIST V:tag.txt GOTO :Connected goto :Delay:ConnectedDEL V:tag.txtSTART /NORMAL /WAIT Explorer.exe

More Information About the IF Statement

IF [NOT] ERRORLEVEL number command

IF [NOT] string1==string2 command

IF [NOT] EXIST filename command

Note: Specifies that Windows NT will carry out the command only if the condition is false.

  • ERRORLEVEL: Number specifies a true condition if the last program run returned an exit code equal to or greater than the number specified. command – Specifies the command to carry out if the condition is met.

  • string1==string2: Specifies a true condition if the specified text strings match.

  • EXIST filename: Specifies a true condition if the specified filename exists.

If Command Extensions are enabled, IF changes as follows:

IF [/I] string1 compare-op string2 commandIF CMDEXTVERSION number command IF DEFINED variable command

where compare-op might be one of:

  • EQU: equal

  • NEQ: not equal

  • LSS: less than

  • LEQ: less than or equal

  • GTR: greater than

  • GEQ: greater than or equal

The /I switch, if specified, indicates to perform case-insensitive string compares. The /I switch can also be used on the string1==string2 form of IF. These comparisons are generic in that if both string1 and string2 are both comprised of all numeric digits, the strings are converted to numbers and a numeric comparison is performed.

The CMDEXTVERSION conditional works like ERRORLEVEL, except that it is comparing against an internal version number associated with the Command Extensions. The first version is that it is incremented by one when significant enhancements are added to the Command Extensions. The CMDEXTVERSION conditional is never true when Command Extensions are disabled.

The DEFINED conditional works like EXISTS except that it takes an environment variable name and returns true if the environment variable is defined.

%ERRORLEVEL% expands into a string representation of the current value of ERRORLEVEL, provided that there is not already an environment variable with the name ERRORLEVEL, in which case you get its value instead. Using this and the preceding numerical comparison operators, you can do the following choice

goto answer%ERRORLEVEL%:answer0echo You typed Y for yes:answer1 echo You typed N for no 

You can also use the numerical comparisons:

IF %ERRORLEVEL% LEQ 1 goto okay 

%CMDCMDLINE% expands into the original command line passed to CMD.EXE prior to any processing by CMD.EXE, provided that there is not already an environment variable with the name CMDCMDLINE, in which case you will get its value instead.

More Information About the START Statement

Starts a separate window to run a specified program or command.

START [“title”] [/Dpath] [/I] [/MIN] [/MAX] [/SEPARATE | /SHARED][/LOW | /NORMAL | /HIGH |

/REALTIME] [/WAIT] [/B] [command/program] [parameters]

  • “title”: Title to display in window title bar. path – Starting directory.
  • /i: The new environment is the original environment passed to Cmd.exe and not the current environment.

  • MIN: Start window minimized.

  • MAX: Start window maximized.

  • SEPARATE: Start 16-bit Windows program in separate memory space.

  • SHARED: Start 16-bit Windows program in shared memory space.

  • LOW: Start application in the IDLE priority class.

  • NORMAL: Start application in the NORMAL priority class.

  • HIGH: Start application in the HIGH priority class.

  • REALTIME: Start application in the REALTIME priority class.

  • WAIT: Start application and wait for it to terminate.

  • B: Start application without creating a new window. The application has ^C handling ignored. Unless the application enables ^C processing, ^Break is the only way to interrupt the application command/program. If it is an internal cmd command or a batch file, the command processor is run with the /K switch to Cmd.exe. This means that the window remains after the command is run. parameters – These are the parameters passed to the command/program.

    If it is not an internal cmd command or batch file, it is a program and runs as either a windowed application or a console application.

Files saved to a client drive is successful but the file is corrupt or the saved file reports an invalid memory location

If the client drive or disk does not have enough space, the file copy passes but the file is truncated or the file will not copy and gives an invalid memory location error. No other feedback is given to the user.

Client Drives content may disappear in Windows Explorer and at a command prompt when applications open more than 20 file handles

Add the bolded entry to the Module.ini [ClientDrive] section. The Module.ini is in the Program FilesCitrixICA Client directory.

MaxOpenContext = (A number ranging from 21 to 1024.)


[ClientDrive] DriverName = VDCDM30.DLL DriverNameWin16 = VDCDM30W.DLL DriverNameWin32 = VDCDM30N.DLL MaxWindowSize = 6276 MaxRequestSize = 1046 CacheTimeout = 600 CacheTimeoutHigh = 0 CacheTransferSize = 0 CacheDisable = FALSE CacheWriteAllocateDisable = FALSE MaxOpenContext = 50 DisableDrives =

Note: The default is 20 file handles per drive. If it becomes necessary to increase this number, it is possible there is a handle leak with the applications accessing the client drives.


The SQL Server service account does not have permission to access Active Directory Domain Services.

  1. DDC loses connection to Hypervisor.
  2. VDAs power state shows up as ‘Unknown’.
  3. Test hosting connection fails with error ‘Check that a connection to the hypervisor can be established’.
  4. On editingupdating hosting connection, we get below exception in Citrix Studio.

Error Id: XDDS:33A6280E

Inner Exception:

DesktopStudio_ErrorId : ConnectionValidationFailure

Exception : PluginUtilities.Exceptions.ManagedMachineGeneralException: Command did not execute: System.Management.Automation.CmdletInvocationException: The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS). (Error ID: 2607)

—> Microsoft.VirtualManager.Utils.CarmineException: The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).

Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see “Some applications and APIs require access to authorization information on account objects” in the Microsoft Knowledge Base at —> System.ServiceModel.FaultException`1[Microsoft.VirtualManager.Utils.ErrorInfo]: The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).

5. Similar error is thrown on connecting to SCVMM console,


  • No Related Posts

Desktop Director User Account Search Process is Slow or Fails

In Information Server (IIS) Management and under the Desktop Director site, select Application Settings and add a new value to search the Active Directory called Connector.ActiveDirectory.ForestSearch.

By default, the value is hidden and configured as True. If you configure the value as False, Desktop Director will only search the current domain.

If the Director Server or the Administrator on the Director Server is not a member of the searchable domain, add the searchable domain or domains in the Connector.ActiveDirectory.Domains field, as displayed in the following screen shot:

User-added image

Example :-



Getting incorrect username or password error when using FAS to single sign on with VDA with event ID 102 and event ID 25 on DC

Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in the Microsoft Active Directory directory service. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function in the rest of this article) that reads this attribute do not succeed if the calling security context does not have access to the attribute.

By default, access to the TGGAU attribute is determined by the

Permission Compatibility decision (made when the domain was created during the DCPromo.exe process). The default permission compatibility for new Windows Server 2003 domains does not grant broad access to the TGGAU attribute. Access to read the TGGAU attribute can be granted as required to the new Windows Authorization Access (WAA) group in Windows Server 2003.


Incident with local user.

I need a solution


DLP in version 14.6 linked to the active directory, when entering as a domain user if it generates an incident and performs the assigned blocking action, however, when entering as a local user to the endpoint, it does not generate an incident and much less the response action.

Is there a problem with this version ?, or is it necessary to perform some extra configuration?




Successfully Deploying XenDesktop in a Complex Active Directory Environment

The following environments assume that XenDesktop 5.x is installed on all DDCs and VDAs. This article is based on the registry based Controller Discovery – this is the recommended method for multiple forest registration.

The NetBIOS and Fully Quality Domain Name (FQDN) can be different. For example, the NetBIOS name could be BOB but the FQDN could be parent1.local or the NetBIOS name and FQDN can be the same:

Example: NetBIOS name is parent and the FQDN would be parent.local.

Note: Dots in NetBIOS names are not recommend.

Appropriate user access permissions are given for successful machine creation. In a cross-forest setup, use Delegation Control Wizard to keep permissions to minimum use. Permission must be given for the DDC Administrator to create machines in a different forest in a specific Organizational Unit (OU). The following minimum permission can be given for successful machine creation:

  1. Open Active Directory Users and Computers Microsoft Management Console (MMC).

  2. Right-click your OU and select Delegate Control.

  3. On the first screen, click Next.

  4. In the Users & Groups screen, click Add and pick a user or group you want to delegate rights to and click Next.

    The best practice is to assign a group rather than a single user, as it is easier to manage and audit.

  5. In the Tasks to Delegate screen, select Create a custom task to delegate and click Next.

  6. In the Active Directory Object Type screen, select Only the following objects in folder and select Computer objects.

    User-added image

  7. Select Create selected objects in this folder and click Next.
  8. In the Permissions screen, select General and then select Read and Write.

  9. Click Next.

    User-added image

  10. Click Finish to complete the delegation control.

Different types of Active Directory Setups

Simple Single Domain Deployment

The following diagram illustrates a XenDesktop deployment in a single Active Directory domain, where the DDCs, VDAs, and the users are all in the same domain.

User-added image

In this Single domain setup, all relevant components and objects are based on one single domain. Registration of VDAs with the DDC should be successful and no additional configuration, that is, the registry key changes is required.

Following is a list to check if VDA is unable to register with the DDC:

  1. Check Event Viewer for errors on both the DDC and the VDA.

  2. Ensure that the firewall is open for port 80 between the VDA and the DDC.

  3. Check that the FQDN of the DDC is correct in the registry setting of the VDA machine. On the VDA, check the following Reg Key:

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

    HKEY_LOCAL_MACHINESOFTWARECitrixVirtualDesktopAgent and confirm the parameter ListOfDDCs had the correct FQDN.

    If using 64-bit Virtual Machine, the VDA Reg Key is HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrixVirtualDesktopAgentListOfDDCs

  4. Ensure that the DNS settings are correct on VDA and DDC, and both the computers can resolve each other by DNS name and reverse lookups. Use the XDPing tool, downloadable from the Knowledge Center article CTX123278 – XDPing Tool to further troubleshoot.

  5. Check that the Time is in sync between the VDA and DDC are correct.

    For further troubleshooting, see Troubleshooting Virtual Desktop AgentRegistration with Controllers in XenDesktop.

Single Forest with Multiple Domains or Single Forest with Multiple Domains with shortcut trusts

The following two diagrams illustrate a XenDesktop deployment in a single forest with multiple domains and a Single Forest with multiple domains with shortcut trusts – where the DDC, VDA, and Users are all based in different domains.

The following is the illustration for Multiple Domains:

User-added image

The following is an illustration for Multiple Domains with short cut trusts:

User-added image

Multiple Domains: DDC, Users, and VDA are based in various domains, by default, a bidirectional transitive trust relationship exists between all domains in a forest.

Multiple Domains with short cut trusts: DDC, Users, and VDA are based in various domains but at two-way shortcut, trust has been manually created between the DDC domain and the VDA domain. Typically, shortcut trusts are used in a complex forest where it can take time to traverse between all domains for authentication. By adding a shortcut trusts, it shortens the trust path to improve the speed of user authentication.

For successful registration of the VDA with the DDC, the following should be configured correctly. DNS Forward/Reverse Lookup Zones are in place and configured on the relevant DNS servers. For further troubleshooting of VDAs not registering, see Following is a list to check if VDA is unable to register with the DDC: mentioned in the Simple Single Deployment section.

Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment. This is where the DDC is in a different Active Directory forest and the end users and desktops can be either in the same forest or in a separate Active Directory forest.

Note: For Forest trusts, both Forests must be in Win2003 Forest Functional Level.

User-added image

The preceding illustration shows two separate Active Directory forest with a two-way forest trust. DDC and Users are in the same forest (parent.local) but the VDAs are located in different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly:

DNS, for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional Forwarders, Forward /Reverse lookup zones and Stub zones are all acceptable for name lookup/resolution. As an example, in the preceding illustration, on the DNS server for Parent.local, a Secondary Forward Lookup Zone and a Reverse Lookup zone for Parent2.local has been added and similarly the opposite has been done on the Parent2.local. This means that the DDC should now be able to resolve the VDA by name and IP and the VDA resolves the DDC by name and IP address.

See Managing a Forward Lookup Zone for information on managing Lookup Zones.

On the Desktop Delivery Controller, enable the following registry value on the DDC. This enables support for VDAs, which are located in separate forests: HKEY_LOCAL_MACHINESoftwareCitrixDesktopServerSupportMultipleForest (REG_DWORD)

User-added image

To enable VDAs located in separate forests; this value must be present and set to 1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the changes to have an effect.

On the Virtual Desktop Agent, enable the following registry value on the VDA to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest; this value must be present and set to 1.

Note: The next step is only required if External Trusts are only being used.

  1. If the Active Directory FQDN does not match the DNS FQDN or if the domain where the DDC resides has a different NetBIOS name to that of the Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentListOfSIDs
    • User-added image

The ListOfSIDs registry key contains the DOMAIN SID of the DDC. By using this key, DNS lookups are using the true DNS name of the DDC.

To obtain the correct domain SID of the DDC, the domain SID can be found in the results of the PowerShell cmdlet Get-BrokerController from an elevated PowerShell prompt on the delivery controller.

Note: You must restart the Citrix Desktop Service for the changes to have an effect.

Multiple Forests with One-Way Selective trusts

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment using One-way Selective Trusts. The DDC is in a different Active Directory forest and the end users and existing VDAs (created either manually or through an alternative method) are in a separate Active Directory forest. In a one-way selective trust, automatic creation of Virtual Machines through DDC will fail, because of authentication issues.

For this example, the NetBIOS and FQDN are different in each Forest and domain.

Note: For One-Way Selective trusts, both Forests must be in Win2003 Forest Functional Level or above.

User-added image

Selective authentication is used in environments where users are explicitly granted/ allowed to authenticate to servers and resources on the trusting domain. This method gives domain administrators control on what rights users can be given to access services on the trusting domain. See Enable Selective Authentication over a Forest Trust for more information on Selective trusts.

Configure the following for successful registration of the VDA with the DDC:

  1. DNS for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional forwarders, Forward/Reverse lookup zones, and Stub zones are all acceptable for name lookup/resolution.

  2. Create the Selective trust on the relevant Domain Controllers.

  3. Follow steps provided in the Multiple Forests with trusts (External trusts – NTLM or Forest trusts Kerberos) section.

  4. The VDAs must be granted authentication access to the DDC. This is done through Active Directory Computer and Users snap-in.

    Note: VDAs can be added to a group to make management easier (granting rights). This is recommended.

    a) In Active Directory Computers and Users, browse to the location of the DDCs.

    b) Right-click DDC and click Properties.

    c) Click the Security tab.

    d) Click Add and click Locations to change the domain to where the VDAs reside.

    e) Click on Advanced, and click on Object Types. Choose ‘Computers’

    f) Select all the relevant VDA or Group (recommended) and click OK.

    g) Select the VDA’s or Group and give the rights – Read and Allowed to authenticate, as displayed in the following screen shot:

      1. User-added image

  5. On the DDC, select an Existing Catalog and create a relevant Assignment. When done, the Virtual Machines should show in a Ready State, as displayed in the following screen shot:

    User-added image

For further troubleshooting of VDA not registering, see Following is a list to check if VDA is unable to register with the DDC section.


Moving clients from SEPM Domain to another

I need a solution

Following a side by side Active Directory migration, on our SEPM we ended up with 2 domains. I will call them Olddomain and Newdomain. When i go to Admin-Domains, each domain has clients. I need to move clients from Olddomain to Newdomain so that i can delete Olddomain.

– When i delete Olddomain, it takes the clients with it

– I open Olddomain and try Move clients, but i cant see Newdomain for a target

What would be the best approach?



Workspace Environment Management (WEM): Active Directory search improvements in WEM 4.6


The Active Directory (AD) system built into the WEM Administration Console and WEM Infrastructure Server has been refactored in WEM 4.6 to improve performance and stability.

Although AD searches performed by the WEM Console and WEM Infrastructure server in previous WEM versions have typically returned results quickly, many customer environments consist of multiple AD forests or AD domains. The Active Directory improvements introduced in WEM 4.6 are designed to improve performance and stability; particularly for multi-forest/domain environments.

Active Directory improvements in WEM 4.6

Global Catalog (GC) mechanism: AD searches are initiated against the AD forest’s Global Catalogue Server (GC) instead of searching against each of the forest’s Domain Controllers in turn.

Asynchronous search mechanism: AD searches are performed on all forests (GC servers or domains) at the same time, instead of searching one by one.

AD search timeout mechanism: If the AD User or Machine object lookup points to a forest or domain that is currently unavailable, a configurable timeout been introduced to prevent prolonged searching. The timeout value is set through the WEM Administration Console (Active Directory Objects => Advanced => Active Directory search timeout (msec)), as shown below:

User-added image

The default value is 1 second (1000 msec). The value set here affects AD searches for both the WEM Administration Console and the WEM Infrastructure Server. If an AD search time exceeds the value specified in this field, AD searching will stop.

This can be configured with a preferred value based on real environment conditions. In large environments or in cases where there are dead forest entries, having a higher value, could also cause issues such as an unresponsive/black screen when logging in, since the AD search will continue to run depending on the timeout value set. It is recommended to remove the dead forest’s trust relationship with current forest to avoid the time consuming queries. If this cannot be done, there will be an enhancement coming soon which will greatly decrease the query frequency and made blacklist for dead forests in codes automatically.

NOTE: Citrix recommends using a timeout value of at least 1000 msec to avoid a timeout before the AD search completes.

Troubleshooting Active Directory searches in WEM

If AD searches are failing:

  • Check that the Active Directory search timeout (msec) is appropriate for the environment. This means that there is no specific value to recommend. Consideration needs to be given if the environment includes multiple AD forests or AD domains.
  • Generate WEM Administration Console and WEM Infrastructure Server debug logs that capture the failed AD search occurrences. In the logs, Active Directory-related entries are marked as AD: in the header of the body, right after the function name:

User-added image


PureMessage for Microsoft Exchange: Error 0x80070005 displayed when opening a PureMessage remote console

A user who is not a member of the Active Directory group Sophos PureMessage Administrators will encounter an error when opening a remote console of the PureMessage.

Error retrieving data from the server. Ensure server / database is started and try again

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Applies to the following Sophos products and versions

PureMessage for Microsoft Exchange 3.1.4

PureMessage for Microsoft Exchange 4.0.4

What to do

In Active Directory, go to the Users folder and add the user in the group Sophos PureMessage Administrators.

Note: For customers using an Exchange Environment with a Single AD (Active Directory) server, this is fine. For customers following the Microsoft Best Practice of deploying at least 2 Peer Domain Controllers or have more than two DCs, use Replication to Force Update. See the following Microsoft articles below:

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable for us to ensure that we continually strive to give our customers the best information possible.


Default Group / log from OU Syncronized – SEPM

I need a solution


You can help me with this two questions:

1_In the SEPM console, the computers in the Default Group can by move manually to another OU? the option “Sync Now” in the default group appears but its not possible to do, its correct? By default all the new computer store in this group? 

2_Its possible to know how are the OU syncronized from my Active directory an how is the OU created in SEPM console? there is any log file to check?


Miguel Angel