Thursday 26 July 2012

GPOs for View


Best practice is to create one or more separate OUs for the View desktops and create GPOs for those OUs. By default, a user's policy settings come from the set of GPOs applied to the user object in Active Directory. In a View environment, however, GPOs should apply to users based on the computer they log in to. Enabling loopback processing makes the policy apply to all users who log in to a particular computer, regardless of where they sit in Active Directory.

To enable loopback on a GPO, open the Group Policy Management tool on a Domain Controller and open the GPO:
  • Expand the Computer Configuration folder and then expand the Administrative Templates, System /Group Policy folders.
  • In the right pane, right-click User Group Policy loopback processing mode and select Properties.
  • On the Setting tab, select Enabled and then select a loopback processing mode from the Mode drop-down menu.

I normally choose Merge as the mode, but you can also use Replace to completely ignore the user's normal GPOs.
  • Merge - The user policy settings applied are the combination of those included in both the computer and user GPOs. Where conflicts exist, the computer GPOs take precedence.
  • Replace - The user policy is defined entirely from the GPOs associated with the computer. Any GPOs associated with the user are ignored.


Note that after changing this, the View desktop has to apply its computer policy before it takes effect. The easiest and most reliable way is to reboot the OS.

By default I would then add some settings to the User Configuration part of the GPO to disable the Shutdown/Restart options.
  • Expand the User Configuration folder, then expand the Administrative Templates, Start Menu and Taskbar folders and change the following entries:
  • Add LogOff to the Start Menu = Enabled
  • Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands = Enabled
  • Clear the recent programs list for new users = Enabled


There are other settings in the GPO that you may want to look at to remove or lock down parts of the desktop (Remove Run is a popular one).

Disable HotPlug from virtual desktops

I was talking to a customer yesterday who was running a pilot View environment. One of the questions that came up was how to stop end users right-clicking on the remove hardware icon in the system tray and removing the NIC or hard disk. Obviously removing these from linked clones is not a good thing for the user on that desktop.

  • Right-click the virtual machine and click Edit Settings.
  • Click the Options tab.
  • Click General > Configuration Parameters > Add Row.
  • Insert a new row with the name devices.hotplug and value false.

I would normally do this to the master VM so all the linked clones have this setting.

There is a VMware KB article covering this (1012225): http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1012225

Tuesday 3 July 2012

NIC Selection with vSphere Load Balancing

A customer asked me how the load balancing algorithms worked in vSphere and how even the distribution was with 'Route based on originating virtual port ID', which is the default policy. Note that the initial placement policy is also the same for the LBT (Load Based Teaming) policy.


I knew that we could check which pNIC a VM had been assigned to using ESXTOP and pressing n to look at the network info. (Unfortunately my lab where I took this screenshot only has a single NIC)




I went searching for the algorithm that is used to determine which pNIC is selected when a VM powers on and found the following:

Algorithm: (virtualPortID>>1) % numActiveNICs

Or in my basic understanding of maths notation:
pNIC selection = (virtualPortID / 2) modulo numActiveNICs

(modulo: given two positive numbers, a (the dividend) and n (the divisor), a modulo n is the remainder on division of a by n.)

As an example: A NIC team has vmnic3, vmnic4, vmnic5 (active in this order).
Therefore vmnic3 = 0, vmnic4 = 1, vmnic5 = 2

So if we look at the port-ids on a vSwitch we can use this to work out which pNIC the VM will be assigned to.

/net/portsets/<vswitch>/ports/> ls
    67108865/
    67108873/ ===> 67108873 / 2 = 33554436 (integer division), modulo 3 = 0 (VM will use vmnic3)
    67108874/ ===> 67108874 / 2 = 33554437 (integer division), modulo 3 = 1 (VM will use vmnic4)
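As an added example (not from the original post), the following Python applies the (virtualPortID>>1) % numActiveNICs rule to the port listing above and also checks how evenly a run of consecutive port IDs spreads across the team, which was the customer's original question. The uplink order and the port IDs are the post's values, re-typed here as constructed input.

```python
# Added example, not from the original post: work out which active pNIC a
# VM's virtual port lands on under "Route based on originating virtual port ID"
# using the rule pNIC index = (virtualPortID >> 1) % numActiveNICs.
from collections import Counter

# Active uplinks in team order, as in the post's example (index 0, 1, 2).
ACTIVE_NICS = ["vmnic3", "vmnic4", "vmnic5"]

# Constructed sample of the ESXi "/net/portsets/<vswitch>/ports/> ls" output.
PORT_LISTING = """\
67108865/
67108873/
67108874/
"""


def select_pnic(port_id, active_nics):
    """Return the uplink chosen for a virtual port when the VM powers on."""
    if not active_nics:
        raise ValueError("team has no active uplinks")
    # ">> 1" is integer division by two, so port IDs 2k and 2k+1 share a pNIC.
    return active_nics[(port_id >> 1) % len(active_nics)]


def parse_port_ids(listing):
    """Extract the numeric port IDs from the 'ls' output (trailing '/' dropped)."""
    return [int(line.strip().rstrip("/")) for line in listing.splitlines() if line.strip()]


def assignment_table(listing, active_nics):
    """Map every port ID in the listing to the uplink it will use."""
    return {pid: select_pnic(pid, active_nics) for pid in parse_port_ids(listing)}


def distribution(first_port, vm_count, active_nics):
    """Count how many VMs each uplink gets for vm_count consecutive port IDs."""
    return Counter(select_pnic(first_port + i, active_nics) for i in range(vm_count))


if __name__ == "__main__":
    for pid, nic in assignment_table(PORT_LISTING, ACTIVE_NICS).items():
        print(f"{pid} -> {nic}")
    # Twelve VMs on consecutive ports land four per uplink with a three-NIC team.
    print(distribution(67108873, 12, ACTIVE_NICS))
```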