Posts

Showing posts from September, 2010

How to backup and restore WSUS

WSUS is a key technology in maintaining any Windows network. From servers to clients to major Microsoft software packages, WSUS will make life easier for you. The following instructions were taken from http://technet.microsoft.com/en-us/library/cc708546(WS.10).aspx.

To back up the update file storage folder

1. On your WSUS server, click Start, and then click Run.
2. In the Open box, type %systemdrive%\%windir%\system32\ntbackup.exe and then click OK.
3. In the Backup or Restore Wizard, click Next.
4. Verify that Back up files and settings is selected, and then click Next.
5. Click Let me choose what to back up, and then click Next.
6. Select the WSUSContent folder (under %systemdrive%\WSUS\), and then click Next.
7. Use the Browse button to choose a place to save your backup, type a name for the backup, and then click Next.
8. If you want to set additional specifications for your backup, including whether it ...

How to prevent a client from updating from Windows Update

I did some casual testing on a Windows Vista machine for this one.

• Create and edit a group policy.
• Expand User Configuration / Policies / Administrative Templates / Start Menu and Taskbar.
• Double-click Remove links and access to Windows Update.

Enabling this policy will remove the Windows Update links from your clients. In my test, I was not able to browse to the website.

Set default printers with PowerShell

The original question from class was how to set the default printer for your users. I've been working through different types of PowerShell remoting with no success. The actual method in the WMI class Win32_Printer will not let you set the default printer from a remote client. I attempted to use both remote sessions and the Invoke-Command cmdlet. I finally decided to do it via group policy. The code for the script shrank significantly when I went to this approach. There are a few requirements for this process. You need to have a Windows Server 2008 R2, and this can only be applied to your Windows 7 clients. Below is the script:

=============================================
Script Name: DefaultPrinter.ps1
Author: Jason A. Yoder, MCT MCTExpert, Inc.
Website: www.MCTExpert.com
Blog: www.MCTExpert.blogspot.com
Date: 2010AUG22
Script Purpose: Set the default printer on clients.
Requirements: This script is designed to be used as a logon s...

How to prevent users from doing a Copy and Paste in AD RMS protected content.

AD RMS allows your users to establish rules to determine who in an organization can do what with the content the user generates. This in no way takes away the administrator's control of network security. It simply allows the user to determine the appropriate level of access for other users without the intervention of the IT staff. When dealing with compliance or confidential material, AD RMS can allow you to meet stringent guidelines. There are many different rights that can be assigned to content. Different applications may interpret the rights differently, so testing is advisable prior to deploying to your organization. The AD RMS right that controls the copy / paste functionality is Extract. The list below summarizes the AD RMS rights.

Full Control – If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user.
View – If this right is granted, the AD RMS cli...

Can you have different Active Directory passwords on different Domain Controllers in the same domain?

To test this one out, I created two domain controllers in the same domain. Both originally had the same DSRM password. I used the following procedure to change the DSRM password on DC2:

· Logged on to DC2 as the domain administrator.
· Opened a command prompt.
· Typed ntdsutil and pressed Enter.
· Typed set dsrm password and pressed Enter.
· Typed reset password on server null and pressed Enter.
· Entered and confirmed the password of password123.
· Typed Q and pressed Enter twice.
· Closed the command prompt.

My next step was to see whether DC1 was using the new or the old DSRM password.

· When the server reboots, press F8 to enter the Windows Advanced Options.
· Select Directory Services Restore Mode.
· Once the server boots, log in with the local administrator account, using the DSRM password.

On DC1, the original password worked. On DC2, the password w...

What is the Hostmaster.woodgrovebank.com in the DNS SOA record?

We had a question about an entry in the SOA (Start of Authority) field in the DNS record of our VMs. In the properties of the SOA record, you will notice an entry in the Responsible Person field. It is also visible in the Forward Lookup Zone in the Data field of the SOA record. It is the email address of the person that problems should be reported to. The “@” symbol is not used because “@” is also used in the zone file. That is why it appears as hostmaster.domain.com.
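
The Responsible Person value can be converted back into a usable mailbox, for example when auditing who receives zone problem reports. The PowerShell below is an added example, not code from the original post. It goes slightly beyond the text by also handling the RFC 1035 "\." escape, which marks a dot that belongs to the mailbox name. The function name Convert-SoaRnameToEmail and the sample values are constructed for illustration.

```powershell
# Added example: convert an SOA "Responsible Person" (RNAME) value to an e-mail address.
function Convert-SoaRnameToEmail {
    param([Parameter(Mandatory = $true)][string]$Rname)

    $name    = $Rname.TrimEnd('.')                  # drop the trailing root dot, if any
    $mailbox = New-Object System.Text.StringBuilder

    for ($i = 0; $i -lt $name.Length; $i++) {
        $c = $name[$i]
        if ($c -eq '\' -and ($i + 1) -lt $name.Length) {
            # "\." is an escaped dot that is part of the mailbox name (e.g. john.smith)
            [void]$mailbox.Append($name[$i + 1])
            $i++
        }
        elseif ($c -eq '.') {
            # The first unescaped dot is where the "@" belongs
            $domain = $name.Substring($i + 1)
            if ($mailbox.Length -eq 0 -or $domain.Length -eq 0) { break }
            return '{0}@{1}' -f $mailbox.ToString(), $domain
        }
        else {
            [void]$mailbox.Append($c)
        }
    }
    throw "RNAME '$Rname' has no mailbox/domain separator."
}

# Constructed sample values (not taken from a live zone)
$samples = 'hostmaster.woodgrovebank.com.', 'john\.smith.woodgrovebank.com.'
foreach ($s in $samples) {
    '{0,-34} -> {1}' -f $s, (Convert-SoaRnameToEmail -Rname $s)
}
```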

What functional level does your network need to be at to allow for GlobalNames zone?

GlobalNames zone is used on Windows Server 2008 DNS servers to provide single name support for static resources that cannot utilize DNS. It is an upgrade mitigation strategy designed to help organizations move away from WINS. To allow for the GlobalNames zone to be functional, all authoritative DNS servers must be running Windows Server 2008. Your domain controllers do not need to be running Windows Server 2008, only the DNS servers. For that reason, a functional level of 2003 will allow the GlobalNames zone to be functional.

http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/8953820a-3f2f-4929-9a3e-2b0731b80e04

How to create a custom Windows PE Disk

Windows PE allows you to boot a PC into an operating system that is resident in a RAM disk. This means you can do what you want to the hard drive. This includes formatting, creating, and imaging the disk. In class I demonstrated using a Windows PE disk that resided on a USB memory stick. With a large enough USB flash drive and volume licensing, you can actually use this setup to deploy an image of Windows Vista, Windows 7, or Windows 2008 should a network-based image deployment not be an option. The following link will guide you in creating a Windows PE image suitable for your needs. You will need to download and install the Windows Automated Installation Kit prior to proceeding.

WAIK Download: http://www.microsoft.com/download/en/details.aspx?id=5753
Windows PE build instructions: http://technet.microsoft.com/en-us/library/cc709665(WS.10).aspx

How to determine the maximum page file usage in Windows 7?

In Windows XP, we could utilize the Task Manager to discover this. On the Performance tab, look under Commit Charge (K) and look at the Peak attribute. On Vista and Windows 7, this information is no longer part of the Task Manager. To discover the value of this attribute, I utilized PowerShell and WMI. On your client with PowerShell installed:

- Click Start / All Programs / Accessories / Windows PowerShell / Windows PowerShell ISE
- In the code pane at the top, enter this code:

# Computer to query and the WMI namespace that holds Win32_PageFileUsage
$Computer = "localhost"
$Namespace = "Root\CIMv2"
# Return the peak page file usage for each page file
Get-WmiObject -Class Win32_PageFileUsage -ComputerName $Computer -Namespace $Namespace | Select-Object PeakUsage

The value returned from this will be in MB and represents the largest amount of information the page file has stored since the client has been on.

How to control how long an object is recoverable in the AD Recycle Bin.

The Active Directory Recycle Bin is your tool to recover a deleted object and all its associated properties. An object is only recoverable for a certain length of time. You can configure this period of time to meet your organization's needs. First you need to turn on the AD Recycle Bin. The command below will do this:

# Replace "Your forest root domain" with your own forest root domain
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Your forest root domain' -Scope ForestOrConfigurationSet -Target 'Your forest root domain'

Once you have turned it on, any object deleted after this point can be recovered. By default, the retention period is 180 days. To control the amount of time that you have to execute the recovery:

# The values in <> are placeholders; supply your own domain components and lifetime
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<Your forest root domain>" -Partition "CN=Configuration,DC=<Your forest root domain>" -Replace:@{"msDS-DeletedObjectLifetime" = <value>}

On a final note, ...

Can a user read data if they have NTFS Write and not NTFS Read?

In class we had some confusion between some NTFS permissions. Here is the official word from Microsoft on the ones in question.

Modify - Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
Write - Users can write to a file.
Read & Execute - Users can run executable files, including scripts.
Read - Users can view files and file properties.

After testing this, yes, the user with only Write access to the folder and its files can also read them. Another part of this question is what happens to a high-level permission when you explicitly remove some of the lower-level permissions. With the Modify permission set, you are also given Read & Execute, List folder contents, Read, and Write. By removing the Read permission, you also lose Modify and Read & Execute. If you remove Write, you only lose Modify. Pay close attention to what rights you are giving, and removing from...