Showing posts from May, 2012

Problems when modifying the Default User Profile in Windows 7

When a user logs on to Windows 7 for the first time, there are some tasks that need to run.  By modifying the default profile, you may inhibit those actions from running.  Below is a list of potential problems.

- Their list of most frequently run programs is not cleared.
- Whether the user has been introduced to the Start menu (will be set to TRUE for the source account, but should be FALSE for new users). Windows Explorer does some special things the first time you log on to introduce you to the Start menu and other new features.
- Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
- The personalized name for “My Documents” will be incorrect. All users' documents folders will be called “Administrator's Documents”.  This is documented in the Knowledge Base article “The Desktop.ini File Does Not Work Correctly When You Create a Custom Default Profile” (http://support.microsoft.com/?id=321281).
- The default download directory for IE will be

How to Prevent Users from Seeing the Security Key for a Wireless Access Point.

There are two ways of doing this.  First, leave UAC turned on and do not provide the user with local administrative privileges.  In the image below, the blue and yellow shield icon represents an action for which UAC will ask for elevation of privilege before continuing.

In environments that have to turn off UAC or provide end users with administrative rights, we can use Group Policy.

- Create a GPO and scope it based on the logged-on user, not the computer.
- Expand User Configuration / Policies / Administrative Templates / Network / Network Connections.
- Enable the policy called Prohibit access to properties of a LAN connection.

This will prevent the user from seeing the above screen.

How to prevent Domain Users from Authenticating to a WDS Share

By default, authenticated users can connect to a WDS share and read the .wim files.  When a user performs a PXE boot using the boot image provided by WDS, their domain credentials can be used for authentication.  This is the default behavior for the share.

If this is not desirable in your environment, create a new security group that contains the users that you want to be able to access the share. Grant this group the ability (at minimum) to Read & Execute, List Folder Contents, and Read. Then remove the Authenticated Users group.

Once this is completed, if a user attempts to authenticate to the WDS server, this is what they see: The user will not be presented with any images.  If the user is in the correct security group, they will get a listing of the available images to select from.

How do I update the PowerShell V3 Help files for Servers that are not Connected to the Internet?

With the updateable help files in PowerShell V3, this can be a challenge.  Many servers are not made to be on the internet.  For one reason or another, they are isolated.  This is common practice in highly secured networks.  So the question still remains: how do I update the PowerShell V3 help files?  We use the Save-Help cmdlet.  Save-Help will allow you to save the update files on media and then manually install them in PowerShell.

    Save-Help -DestinationPath Destination

In this case, Destination is where you want to save the files. To install the help files, go to the server and type:

    Update-Help -SourcePath Source

In this case, Source is where the update files are located.

PowerShell V3 Help Files

As we continue our journey to Windows 2012, the beta version of PowerShell V3 is out.  You can download it from here.  Remember, the files marked WINDOWS6.1 are the installation files for Windows 7.  One thing that I noticed is that the help files are not fully populated.  PowerShell V3 has updateable help files.  Here is how you update them.

- Open PowerShell as an Administrator.
- Now type Update-Help and press Enter.
- After a few minutes, Windows will need to restart.

After the restart, go ahead and ask for a help file and you will see the contents that you are interested in.

Use PowerShell to see how much file space on the hard drive is unusable because of the block size.

Modern hard drives are divided into blocks.  These blocks can be of various sizes: 512K, 1024K.  The issue that can develop is that once a block contains the data of a file, the unused portion of that block cannot store any other data.  So for example, if you save a 768K file onto a hard drive containing 512K blocks, your file will consume 1024K.  256K will be unusable space.  This script will show you how much space is being wasted.

This script is a quick demo based on a question that popped up in class.  Utilizing FSRM quotas, I set a folder with a hard quota of 6KB.  I then copied a file of 2KB into the folder.  When I copied the same file in again, Windows stated that I exceeded my quota.  Well, logically 2 KB + 2 KB = 4 KB.  My quota was 6 KB. Upon further analysis, we discovered that the file size was actually a few kilobytes larger than 2.5 K.  That means that on my hard drive with block sizes of 512K, we were using 6 blocks or 3 KB.  The second file fit the limit and we re
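
The rounding described above can be reproduced for a whole folder. The following is an added example, not the script from the original post; the function names Get-AllocatedSize and Get-SlackSpace are hypothetical, and it assumes PowerShell V3 and a local volume with a drive letter. Calling Get-AllocatedSize -Length 768KB -ClusterSize 512KB works through the post's own 768K file on 512K blocks.

```powershell
# Added example (not the original post's script). Function names are hypothetical.

function Get-AllocatedSize {
    param([long]$Length, [long]$ClusterSize)
    # Round the file length up to a whole number of blocks using integer math.
    $n = $Length + $ClusterSize - 1
    return $n - ($n % $ClusterSize)
}

function Get-SlackSpace {
    param([string]$Path = '.', [long]$ClusterSize = 0)

    if ($ClusterSize -le 0) {
        # Look up the allocation unit (block) size of the volume holding $Path.
        $letter = (Get-Item -LiteralPath $Path).PSDrive.Name + ':'
        $volume = Get-CimInstance -ClassName Win32_Volume |
            Where-Object { $_.DriveLetter -eq $letter }
        if (-not $volume) { throw "No local volume found for $Path" }
        $ClusterSize = [long]$volume.BlockSize
    }

    [long]$logical = 0
    [long]$allocated = 0
    $count = 0
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $logical   += $file.Length
        $allocated += Get-AllocatedSize -Length $file.Length -ClusterSize $ClusterSize
        $count++
    }

    # Assumption: every file occupies whole blocks. NTFS keeps very small files
    # inside the MFT and handles compressed or sparse files differently, so
    # treat WastedBytes as an upper estimate.
    [pscustomobject]@{
        Path           = (Resolve-Path -LiteralPath $Path).Path
        ClusterSize    = $ClusterSize
        Files          = $count
        LogicalBytes   = $logical
        AllocatedBytes = $allocated
        WastedBytes    = $allocated - $logical
    }
}
```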

Switching between Server 2012 Full Installation and Server Core

Over the past several years that I have been instructing Windows classes, I have had a lot of raised eyebrows when it comes to the topic of Server Core.  Although my classes agree with the principles of a smaller attack footprint and less management, the whole text-based interface does not settle well.  With the release of Server Core 2008 R2, we were given the sconfig tool to help make configuration of the server core a bit easier.  It also made it easier to configure the firewall to allow the core to be managed from a GUI machine.

With Windows Server 2012, we have another option.  We can install either Server Core or the Full installation and simply switch between the two of them.  The GUI is now an installable feature that can also be removed.  This will result in a reboot when making the switch and some delay while Windows reboots.  In this scenario, you can run Server Core for daily operations.  If you need to do some work that you would rather do in a GUI, you can add the GUI fe

Policy to Restrict USB Ports

You can restrict the type of USB drives that are allowed on your clients by using Group Policy. I would like to give a word of caution when implementing this. You should consider having a “Support Device List.” This will allow your organization to formally declare what can and cannot be plugged into your USB drives. Without such a list, a constant flow of requests will come in to add more and more devices. It is best to draw the line early and have a formal review process to make sure that the number of supported devices does not become unmanageable.

Settings to control USB Device Access:

Policy Location: Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restriction
Policy Name: Prevent installation of devices not described by other policy settings
Setting: Enable
Configuration:
Description: Prevents other USB devices from being installed unless they are specifically allowed in a policy.

Procedure to get Plug a
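
To confirm on a client that the policy above has actually applied, and to compare the device IDs it allows against your “Support Device List,” you can read the policy values from the registry. This is an added example, not part of the original post; the function name Get-DeviceInstallRestriction is hypothetical, and the registry location is the one where Windows stores the Device Installation Restriction settings.

```powershell
# Added example (not from the original post). Function name is hypothetical.
# Reads the Device Installation Restriction policy values written by Group Policy.

function Get-DeviceInstallRestriction {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    )

    # No key at all means no restriction policy has been applied to this client.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            PolicyPresent    = $false
            DenyUnspecified  = $false
            AllowedDeviceIDs = @()
        }
    }

    $values = Get-ItemProperty -Path $Path

    # "Prevent installation of devices not described by other policy settings"
    # is stored as the DWORD value DenyUnspecified = 1.
    $deny = ($values.DenyUnspecified -eq 1)

    # The allow list is enabled by AllowDeviceIDs = 1; the hardware IDs
    # themselves are numbered string values in the AllowDeviceIDs subkey.
    $allowed = @()
    $allowKey = Join-Path -Path $Path -ChildPath 'AllowDeviceIDs'
    if ($values.AllowDeviceIDs -eq 1 -and (Test-Path -Path $allowKey)) {
        $item = Get-Item -Path $allowKey
        $allowed = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }

    [pscustomobject]@{
        PolicyPresent    = $true
        DenyUnspecified  = $deny
        AllowedDeviceIDs = $allowed
    }
}

# Report the state of the local machine.
Get-DeviceInstallRestriction | Format-List
```

A client where DenyUnspecified is False, or where AllowedDeviceIDs contains entries that are not on the approved list, has drifted from the intended policy.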

How Many KMS Servers can a single KMS license activate.

Here is the official word from Microsoft. In particular, this paragraph:

What is Key Management Service (KMS) and how does it work? KMS is a lightweight service that does not require a dedicated system and can easily be co-hosted on a system that provides other services. With KMS, you can complete activations on your local network, eliminating the need for individual computers to connect to Microsoft for product activation. A KMS host key is used only to activate the KMS host with a Microsoft activation server. A KMS host key can activate six KMS hosts with 10 activations per host. Each host can activate an unlimited number of computers. If you have an existing machine configured as Windows KMS* host, you will need to enter and activate the Office 2010 KMS host key before the KMS host can activate Office 2010, Project 2010, and Visio 2010. If you need additional KMS activations so you may activate more than 6 KMS hosts, find the telephone number for your Microsoft Activation Cente