Advanced Windows PowerShell Scripting Video Training


Wednesday, March 31, 2010

How to connect to the Reliability Monitor on a remote Windows 7 client?

One of the best features of Windows Vista was the Reliability Monitor. Those of you who have taken one of my Vista or Server 2008 R1 classes know that I refer to it as “The Lie Detector.” We all know that our users are less than honest when they call for tech support. The question “What did you install?” is usually answered with “Nothing.” As network administrators, we know the truth: 80% of all problems on our networks or client computers are caused by our users. With the Reliability Monitor in Vista, we could connect to the user’s computer, without their knowledge, and look at what had been done to that machine. In Windows 7, it is not so easy.

You can centrally monitor the Reliability Monitor on your Windows 7 clients through Microsoft System Center Operations Monitor. This is a far cry from the Vista version, which was an MMC snap-in that you could use to connect to other clients. Reliability Monitor data is also exposed through Windows Management Interface (WMI) and is accessible using PowerShell. Below is a link that provides some examples of how to collect this data.

http://technet.microsoft.com/en-us/magazine/dd535685.aspx
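As an added example (not code from the original post or from the TechNet article), the script below pulls the same two WMI classes the Reliability Monitor uses, Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords, from a remote Windows 7 client. The computer name is a placeholder; it assumes the remote firewall allows WMI (DCOM) and that you are a local administrator on that client.

```powershell
# Added example: read Reliability Monitor data from a remote Windows 7 client over WMI.
# Assumes WMI/DCOM is allowed through the client firewall and you are a local admin there.
param(
    [string]$ComputerName = 'CLIENT01',   # placeholder computer name
    [int]$Days = 7
)

# WMI returns DMTF date strings (yyyymmddHHMMSS.ffffff+UTC); convert them to DateTime
function ConvertFrom-WmiDate([string]$DmtfDate) {
    [Management.ManagementDateTimeConverter]::ToDateTime($DmtfDate)
}

$since = (Get-Date).AddDays(-$Days)

# 1. Stability index over time: 1 = least stable, 10 = most stable
Write-Host "Stability index for $ComputerName, last $Days days"
Get-WmiObject -Class Win32_ReliabilityStabilityMetrics -ComputerName $ComputerName |
    Select-Object @{n='Date';  e={ ConvertFrom-WmiDate $_.EndMeasurementDate }},
                  @{n='Index'; e={ [math]::Round($_.SystemStabilityIndex, 2) }} |
    Where-Object { $_.Date -ge $since } |
    Sort-Object Date |
    Format-Table -AutoSize

# 2. The "lie detector" part: installs, removals and failures, with the user who did them
Write-Host "Reliability records for $ComputerName, last $Days days"
Get-WmiObject -Class Win32_ReliabilityRecords -ComputerName $ComputerName |
    Select-Object @{n='Time'; e={ ConvertFrom-WmiDate $_.TimeGenerated }},
                  SourceName, EventIdentifier, User, ProductName,
                  @{n='Message'; e={ ([string]$_.Message -split "`n")[0] }} |  # first line only
    Where-Object { $_.Time -ge $since } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap
```

Both classes exist on Windows 7 and Server 2008 R2 and later only, so the query will fail with "Invalid class" against a Vista or XP machine.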

Monday, March 29, 2010

Can you suppress the opening questions in IE 8 for suggested sites and accelerators with GPO?

The Microsoft Internet Explorer 8 setup screen allows you to configure your search providers, accelerators, and Compatibility View. In an enterprise environment that uses Group Policy, you can configure these options for your users. If you do not want them to see the IE8 setup screen, enable this policy:

Computer Configuration → Policies → Administrative Templates → Windows Components → Internet Explorer → Prevent performance of First Run Customization Settings.

Once you enable this policy, you will have to select whether you want IE to go to the user's home page or to the Welcome to Internet Explorer 8 page.

Wednesday, March 24, 2010

Can you push a list for compatibility mode out through GPOs?

Yes, you can. We need to look at two Group Policy settings for this question. Both can be found at Computer Configuration → Policies → Administrative Templates → Windows Components → Internet Explorer → Compatibility View. The first one I want to point out is Include updated Web site lists from Microsoft. This setting allows the use of a website compatibility list that is maintained by Microsoft. It is updated through Microsoft Update.

The second policy we need to look at is Use Policy List of Internet Explorer 7 Sites. With this setting enabled, you will be able to add specific sites that will run in Compatibility Mode for your users. Your users will still be able to add and remove sites on their own. They will not be able to remove sites that you specify.

Wednesday, March 17, 2010

Can you set up BitLocker to use your domain password?

It is not possible to both unlock a BitLocker-encrypted hard drive and log on at the same time. When starting up a computer that has its boot drive encrypted by BitLocker, the BitLocker software will prompt the user to enter their PIN before BitLocker allows the OS to start. You can still allow your users to set their BitLocker PIN to be the same as their domain logon password by turning on enhanced PINs for startup in Group Policy. To do this:
  • Create or edit an existing GPO on your network.
  • Browse to Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives.
  • Open the setting for Allow Enhanced PINs for startup.
Normally only numbers are used for the PIN. With this setting, all valid characters allowed for a domain password can be used for a startup PIN. If you are looking for a single sign-on option with BitLocker, it is not possible. Should your users set their domain password to be identical to the BitLocker PIN, they run the risk of inadvertently typing the wrong PIN after changing their domain password. Should this happen, the recovery key would be needed to gain access to the hard drive.
Using this method also negates the two-factor authentication that is provided with BitLocker. For this reason, I recommend that users do not use the same PIN and domain password.

Monday, March 15, 2010

Procedure for Adding Users to Decrypt Your EFS Files

In our conversation about EFS encryption, I mentioned that you can allow others to view your encrypted files. Below is the procedure:

How to encrypt a file for multiple users

To do this, follow these steps:

  1. Start Microsoft Windows Explorer, and then select the encrypted file that you want to add additional users to.
  2. Right-click the encrypted file, and then click Properties.
  3. Click Advanced to access the EFS settings.
  4. Click Details to add additional users.
  5. Click Add. The Add dialog box will display any other EFS-capable certificates in your personal store or those of any other users who may be in your "Other People" and "Trusted People" certificate stores.

    If you do not see the user who you want to add, click Find User to search Active Directory. The Select User window appears. A dialog box displays valid EFS certificates in Active Directory based on your search criteria. If no valid certificate is found for that user, a message will inform you that there are no appropriate certificates for the selected user. In this case, the intended users must send you a copy of their certificate for you to import. You can then add them to your encrypted file.
  6. Select the certificate of the user who you want to add, and then click OK. You will be returned to the Details tab, and the tab will show the multiple users who will have access to the encrypted file and the users' EFS certificates.
  7. Repeat this process until you have added all the users who you want to add. Click OK to register the change and continue.

Note: Any user who can decrypt a file can also remove other users if the user who does the decrypting also has write permissions on the file.

Reference: http://support.microsoft.com/kb/223316, http://technet.microsoft.com/en-us/library/bb457116.aspx#EFAA

Wednesday, March 10, 2010

What is the difference between Domain Users and Authenticated User?

This question came about from my recommendation that resources be shared using the Authenticated Users group instead of the Everyone group. The follow-up question was why we do not use the Domain Users group. Reading below, you will see that the Domain Users group can be used on domain controllers. For resources on non-domain controllers, you will need to use the Authenticated Users group. For simplicity and a consistent configuration throughout your network, I still recommend the use of Authenticated Users for all resource sharing that is open to all authenticated users of your environment.

Microsoft's definition of the Authenticated Users group is: Includes all users with a valid user account on the computer or in Active Directory services. Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource.

Domain Users group: This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).

Everyone group: Includes all users who access the computer. Windows 2000 will authenticate a user who does not have a valid user account as Guest. The user automatically gets all rights and permissions assigned to the Everyone group. A group that includes all users, even anonymous users and guests. (Anonymous users were removed from this group with Windows Server 2003.) I updated this information on Aug 27, 2012 in another blog posting.

Do not assign resource permissions or user rights to this account. Use Authenticated Users or specific user accounts and groups where necessary.
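To put the recommendation above into practice, here is an added example (not from the original post) that reports every explicit NTFS entry granted to Everyone on a folder and, with -Apply, re-creates each one for Authenticated Users instead. It matches on the well-known SIDs (S-1-1-0 and S-1-5-11) rather than display names, and assumes you run it as an administrator on the file server; the path is whatever folder you pass in.

```powershell
# Added example: replace explicit "Everyone" NTFS ACEs with "Authenticated Users".
# Assumes an elevated session on the file server. Without -Apply it only reports.
param(
    [Parameter(Mandatory=$true)][string]$Path,   # e.g. D:\Shares\Public (placeholder)
    [switch]$Apply
)

# Well-known SIDs, so the match works regardless of the OS display language
$everyone      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$authenticated = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

$acl = Get-Acl -Path $Path
# Only explicit entries; inherited ones must be fixed on the parent they come from
$everyoneAces = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
})

if ($everyoneAces.Count -eq 0) {
    Write-Host "No explicit Everyone entries on $Path"
    return
}

foreach ($ace in $everyoneAces) {
    Write-Host ("{0}: Everyone {1} {2}" -f $Path, $ace.AccessControlType, $ace.FileSystemRights)
    if ($Apply) {
        # Same rights, inheritance, propagation and Allow/Deny type, new identity
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $authenticated, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($newAce)
        [void]$acl.RemoveAccessRule($ace)
    }
}

if ($Apply) {
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Replaced Everyone with Authenticated Users on $Path"
} else {
    Write-Host 'Dry run; re-run with -Apply to change the ACL'
}
```

This touches the NTFS permissions only; the share-level permissions on the SMB share are a separate ACL and need the same review.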

Monday, March 8, 2010

6294: Planning and Managing Windows 7 Desktop Deployments and Environments added to the MCPExpert lineup.

I completely forgot to put this on the blog site. I'm now available to contract for 6294: Planning and Managing Windows 7 Desktop Deployments and Environments. This is the class if you want to learn how to automate your deployment of Windows 7. For those of you who have had me in class before, you know that I focus on improving your productivity so you can spend more time on the golf course. This class focuses on the applications that help you get a grip on what you need to do to prepare for Windows 7. We will then go through 4 methods to help you deploy Windows 7 in a more efficient manner. We will then finish up with a look at how to deploy your applications. It is 5 days that will boost your productivity.

Wednesday, March 3, 2010

Configure Windows to Search Additional Folders for Device Drivers

Over the years, one of the things I dreaded doing was rebuilding clients. Almost always I would have to go to the internet to hunt for drivers. The client installation process has greatly improved over the past several years to include image deployments. The problem with images is that you need to service them to be able to use them on different hardware platforms. This is because of the device drivers. Now there is a different method that will allow you to use your images on multiple hardware platforms without having to service the image to add new plug-and-play drivers.

When a client boots, it enumerates the plug-and-play devices that are connected to the client. The client then searches its central store and installs the appropriate drivers. If a driver is not found, we then have to provide one. An easy way to make sure the drivers you use are available to all your clients is to store them in a central location.

Be careful whenever you edit the registry. An incorrect setting may require a reinstallation of the operating system.

1) Create a shared location on your network that has READ permissions for the Everyone group. In class I discouraged the use of this group, but if we are working with a client that has not been added to the domain, you will want the client to get anonymous access to this share. For a more secure method, use the Authenticated Users group.

2) Place all your plug-and-play drivers in this share.

3) Complete the rest of this procedure on the source computer for your deployment image.

4) Start Registry Editor. Click Start, and in the Start Search box type regedit.

5) If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

6) Navigate to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

7) In the details pane, double-click DevicePath.

8) Add additional folder paths to the value, separating each folder path with a semicolon. Ensure that %SystemRoot%\inf remains one of the folders included in the value.
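Steps 4 through 8 can be scripted on the deployment source computer. The following is an added example (not from the original post or the referenced TechNet article): it reads DevicePath without expanding %SystemRoot%, keeps %SystemRoot%\inf first, appends the driver share without creating duplicates, and writes the value back as REG_EXPAND_SZ. The share name is a placeholder, and it assumes an elevated PowerShell session.

```powershell
# Added example: append a driver share to DevicePath on the deployment source computer.
# Assumes an elevated session. The UNC path is a placeholder for your own share.
param(
    [string]$DriverShare = '\\FILESERVER\Drivers',   # placeholder UNC path
    [switch]$Apply
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$valueName = 'DevicePath'

# Read the raw REG_EXPAND_SZ so %SystemRoot% stays unexpanded in what we write back
$key     = Get-Item -Path $keyPath
$current = $key.GetValue($valueName, '',
           [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$paths   = @($current -split ';' | Where-Object { $_ -ne '' })

Write-Host "Current DevicePath: $current"

# %SystemRoot%\inf first (step 8), then what is already there, then the new share;
# -contains is case-insensitive, which matches how Windows compares paths
$wanted = @('%SystemRoot%\inf') + $paths + @($DriverShare)
$merged = @()
foreach ($p in $wanted) {
    if (-not ($merged -contains $p)) { $merged += $p }
}
$new = $merged -join ';'

if ($new -eq $current) {
    Write-Host "DevicePath already contains $DriverShare; nothing to do"
    return
}

Write-Host "New DevicePath:     $new"
if ($Apply) {
    # -Type ExpandString keeps the value type REG_EXPAND_SZ
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $new -Type ExpandString
    Write-Host 'DevicePath updated'
} else {
    Write-Host 'Dry run; re-run with -Apply to write the value'
}
```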

Reference: http://technet.microsoft.com/en-us/library/cc753716(ws.10).aspx

Monday, March 1, 2010

How to change the default location for new user accounts.

New user accounts are stored in the container "Users" by default. Because Group Policy cannot be applied to this container, it may not be a desirable place to put user accounts. A scenario where this may be a problem is when you have more than one administrator who can create user accounts. Proper procedure says that all new user accounts must be moved to an OU after creation. If an administrator does not complete this task, the required Group Policies for user accounts in your organization do not get applied. This can create an undesired security vulnerability.

Below is the procedure to change the default location for new user accounts to the OU of your choice. It is copied from the reference link below.

1. Log on with domain administrator credentials in the domain where the CN=Users container is being redirected.

2. Transition the domain to the Windows Server 2003 domain functional level or newer in either the Active Directory Users and Computers snap-in (Dsa.msc) or the Domains and Trusts (Domains.msc) snap-in. For more information about increasing the domain functional level, click the following article number to view the article in the Microsoft Knowledge Base:

322692 (http://support.microsoft.com/kb/322692/ ) How to raise domain and forest functional levels in Windows Server 2003

3. Create the organizational unit container where you want users who are created with earlier-version APIs to be located, if the organizational unit container that you want does not already exist.

4. Run the Redirusr.exe file at the command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly created user objects created by down-level APIs:

c:\windows\system32\redirusr container-dn

Redirusr is installed in the %SystemRoot%\System32 folder on Windows Server 2003-based or newer computers. For example, to change the default location for users who are created with down-level APIs such as Net User to the OU=MYUsers OU container in the CONTOSO.COM domain, use the following syntax:

c:\windows\system32>redirusr ou=myusers,DC=contoso,dc=com
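Whether or not you redirect the container, it is worth knowing which accounts are still sitting in CN=Users and therefore outside your user OUs' Group Policy. The script below is an added example (not from the original post or the KB article) that lists enabled user accounts directly under CN=Users using the .NET DirectorySearcher, so it runs from any domain-joined machine with PowerShell 2.0 and no AD module; it assumes you run it as a domain user.

```powershell
# Added example: report enabled user accounts still in the default CN=Users container.
# Assumes a domain-joined machine and a domain user; no AD module required.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Users,$domainDn"
$searcher.SearchScope = 'OneLevel'     # direct children of CN=Users only
$searcher.PageSize    = 1000           # page results so large domains are not truncated
# Enabled users only: userAccountControl bit 2 (ACCOUNTDISABLE) must not be set
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'whenCreated', 'distinguishedName'))

$results = $searcher.FindAll()
$report  = $results | ForEach-Object {
    New-Object PSObject -Property @{
        Account = [string]$_.Properties['samaccountname'][0]
        Created = [datetime]$_.Properties['whencreated'][0]
        DN      = [string]$_.Properties['distinguishedname'][0]
    }
}
$results.Dispose()

# Built-in accounts legitimately live in CN=Users; everything else is a candidate
# for a move into a managed OU
$builtIn = 'Administrator', 'Guest', 'krbtgt'
$report | Where-Object { $builtIn -notcontains $_.Account } |
    Sort-Object Created |
    Format-Table Account, Created, DN -AutoSize
```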

Reference: http://support.microsoft.com/kb/324949