September 2005 - Posts
Today, Microsoft released the Windows XP Shared Computer ToolKit version 1.0. It's a very powerful tool for administrators of public computers. It combines almost all the tasks that administrators need to do with shared computers into eight simple steps. The figure below shows the interface.
To configure a secure shared computer, we need to configure selected or all (recommended) steps from the 1st to the 8th. When we click “Step 1”, we see the details of this step. It's a cool set of instructions that teaches us how to adjust the partitions for public computers. In “Step 2” we can apply a couple of security settings, such as “Remove Shut Down and Turn Off Computer logo options”. “Test your Password” in “Step 2” can be used to test the complexity of the password of the currently logged-on user account. In my case, my password is really strong so I passed the test (see the figure below).
“Step 3” enables us to create a public user account, to prevent using an account with administrator permissions. “Step 4” is a shortcut to log off the current user account, and it includes instructions for logging in to the new public user account we've just created in “Step 3” and modifying the profile of this user account to make it really “public”.
“Step 5” is really powerful. It's a tool for restricting and locking user profiles. For example, we can restrict the user from saving Internet history to the account profile with this tool. The figure below shows this powerful tool.
“Step 6” is a shortcut to log off the computer, so that we can log on as the new user account to test its functionality, for example its restrictions and security.
“Step 7” is Windows Disk Protection. It's for scheduling the installation of Windows Updates, and it can be used to clear or retain user changes to the Windows partition (usually C:\). I want to explain some of these options here:
- Clear changes with each restart
Each time the computer is restarted, all user changes to the Windows partition are cleared.
- Save changes with next restart
If we want to save user changes to the Windows partition one time, we should select this option. It will save user changes with the next restart, and then the option will automatically change to “Clear changes with each restart”.
- Retain changes for one restart
If we want to install and run a new program, this is the right option to select. It will retain user changes to the Windows partition for one restart (i.e. we installed a new program and restarted the computer). The option will automatically change to “Clear changes with each restart” when we restart the computer for the second time.
- Retain changes indefinitely
If we select this option, users can save changes to the Windows partition until we change to another option.
“Step 8”, the last step, is for getting more resources about configuring public computers. We can also view the help for the Windows XP Shared Computer ToolKit here.
Well, this is the brand new Windows XP Shared Computer ToolKit version 1.0. Genuine Windows XP users can download this program for free at www.microsoft.com/sharedaccess. Try it, and enjoy it!
The Windows NT Defragment Tool doesn't defragment page files and registry hives. However, in some situations we need to do this, for example after installing a new version of the Windows operating system with the upgrade install option.
PageDefrag can help us with defragmenting page files and registry hives.
Select the “Defragment at next boot” radio button and click “OK”, and it will run the defragmentation the next time we start the computer. We can also set it to defragment at every boot, though I don't recommend doing so.
PageDefrag can be downloaded on sysinternals.com.
I bought a new Dell Dimension 9100 computer last week with Windows XP Home. As an IT person, Windows XP Home edition is obviously not powerful enough for me. Luckily, I have an MSDN Universal subscription, so I planned to install Windows XP Professional on the new box.
The first task was to create an unattended installation. Why unattended? Because my new box comes without a floppy disk, but it comes with SATA hard drives. You know, I cannot press [F6] during text-mode setup without a floppy.
I originally tried to create the unattended answer file and the custom setup CD by myself. That is, to download the SATA controller driver, then to create a new folder on the setup CD named $OEM$ (in the same folder that i386 is in). Then I created a sub-folder named Drivers in $OEM$ and a sub-folder named 01 in Drivers, and I put the driver files in the folder named 01. Well, this is not what I want to say. Actually I didn't need to do this, because another MVP gave me a link to a Microsoft KB article. There I could download the standard SCSI controller driver (which can be used for my SATA drive controller).
http://support.microsoft.com/kb/318812
I thought I was all set at this time, so I started the installation:
C:\> M:
(M:\xpcd is the folder my setup files are in.)
M:\> cd xpcd
M:\xpcd> cd i386
M:\xpcd\i386> winnt32.exe /unattend:unattend.txt
(I've copied the unattend.txt file to the i386 folder.)
Everything went well for the text-mode setup, and then I got into the graphical setup.
The progress bar stopped at the 34-minutes-left status. I waited there for a long time (approx. half an hour), and then it popped up a new window saying that the IEEE 1394 Controller didn't pass Windows Logo Testing. Normally I should either click OK here to install the driver or click NO here not to install the driver. However, I couldn't do either one. The mouse and keyboard stopped responding at this time. I tried to reboot with different keyboards and mice, but I got the same result. I guess if I used a PS/2 keyboard or mouse there wouldn't be this problem, because I think the driver for the USB controller was temporarily unloaded at that time. However, I don't have a PS/2 interface on my box.
Then, the only idea I had was to add a line to the unattend.txt file to ignore or allow all unsigned drivers. I searched the KB with my laptop and found this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;293765
But, it was late. I created a new unattend.txt that ignores all unsigned drivers, and then started a new setup. I finished the setup successfully.
The significance of this post is to remind people to specify in the unattend.txt answer file what to do with unsigned drivers during setup. Note that if your UnattendMode is set to fullunattended, you don't have to do anything special with unsigned drivers.
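Telling setup to ignore unsigned drivers removes the signature check for every driver staged for the install, so it is worth reviewing an answer file for that setting before using it. The following is an added example, not code from the original post: it parses an answer file and reports how setup will treat unsigned drivers. The key names DriverSigningPolicy, OemPreinstall and OemPnPDriversPath come from Microsoft's answer-file reference rather than from the post, and the sample file and function names are constructed for illustration.

```python
import configparser

# Constructed sample answer file (not the author's); DriverSigningPolicy,
# OemPreinstall and OemPnPDriversPath are [Unattended] keys from Microsoft's
# answer-file reference, not names taken from the post.
SAMPLE_UNATTEND = r"""
; constructed example
[Unattended]
UnattendMode = DefaultHide
OemPreinstall = Yes
OemPnPDriversPath = "Drivers\01"
DriverSigningPolicy = Ignore

[UserData]
FullName = "Lab User"
"""

def load_answer_file(text):
    """Parse answer-file text into {section: {key: value}} with lower-cased names."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       comment_prefixes=(";",))
    parser.read_string(text)
    return {name.lower(): {k: v.strip().strip('"') for k, v in parser.items(name)}
            for name in parser.sections()}

def review_driver_signing(text):
    """Return (severity, message) describing how setup treats unsigned drivers."""
    unattended = load_answer_file(text).get("unattended", {})
    mode = unattended.get("unattendmode", "").lower()
    policy = unattended.get("driversigningpolicy", "").lower()
    paths = unattended.get("oempnpdriverspath", "(none listed)")
    if policy == "ignore":
        return ("review", "unsigned drivers install without a prompt; "
                          "vet every driver under: " + paths)
    if policy == "block":
        return ("ok", "unsigned drivers are refused during setup")
    if not policy and mode == "fullunattended":
        # The post's own note: FullUnattended needs no extra setting.
        return ("info", "no prompt expected in FullUnattended mode (per the post)")
    if policy in ("", "warn"):
        return ("hang-risk", "setup can stop at the unsigned-driver dialog")
    return ("error", "unrecognised DriverSigningPolicy value: " + policy)

if __name__ == "__main__":
    print(review_driver_signing(SAMPLE_UNATTEND))
```
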
The following KB article describes why the logon screen turns black after you press CTRL+ALT+DELETE to log on to Windows Server 2003 and how to solve this problem. It's pretty useful. This article also reminds us that small problems may have serious effects and leave administrators very confused. As IT administrators, we should not forget to check for small problems before running additional diagnostics.
http://support.microsoft.com/default.aspx?scid=kb;en-us;906510
IT Administrators may use MMC every day. Almost all Microsoft Windows Administrative Tools are built into MMC. For example, Active Directory Users and Computers, Internet Information Server, DHCP, DNS, etc.
However, not all administrators have discovered all the great features offered by MMC. MMC is actually a very flexible tool for building custom administrative or management tools.
First, let's see “Taskpad View”.
Create a new MMC project by clicking on “start - run - mmc”. In this example let's change the name of the Console Root to “Server Tools”. Right-click on “Console Root”, and click on “Rename”. Enter the new name “Server Tools”.
Then, let's create a sub-folder named “Active Directory Tools”. Click on “File - Add/Remove Snap-in...”. Make sure “Server Tools” is selected in the “Snap-ins added to” drop-down box. Click on the “Add” button and choose “Folder”. Click on “Add” in the new “Add Standalone Snap-in” window and click on “Close”. Click on “OK” to close the “Add/Remove Snap-in” window. Now we have a new folder created under “Server Tools”. Let's right-click on it, click on “Rename”, and input a new name such as “Active Directory Tools”.
Then we need to add snap-ins to the “Active Directory Tools” folder. Click on “File - Add/Remove Snap-in...”. Make sure “Active Directory Tools” is selected in the “Snap-ins added to” drop-down box. Click on the “Add” button and double-click “Active Directory Domains and Trusts”, “Active Directory Schema”, “Active Directory Sites and Services” and “Active Directory Users and Computers”. Click on “Close” in the “Add Standalone Snap-in” window, then click on “OK” to close the “Add/Remove Snap-in” window.
Next, we will create a taskpad view for the current management console. Right-click on the “Active Directory Tools” folder and click on “New Taskpad View”. Click on “Next” in the wizard, and we will need to choose the style of the details pane. For a vertical list, categories and tasks are listed on opposite (left/right) sides of the details pane. For a horizontal list, categories are listed in the space above the tasks in the details pane. Let's select “Horizontal list” and click on “Next” to continue. In this step we need to select whether this taskpad view will apply to the current tree item only or to all tree items of the same type. Let's select “Selected tree item” to avoid changing other tree items' taskpad view settings.
Click on “Next” to continue. Then we need to input the taskpad name and description. Both of these will be displayed on the taskpad. Let's choose “Active Directory Tools” as the name of the taskpad and input a description like “Access all AD Tools here”. Then click on “Next” to continue. We can now finish the wizard and, at the same time, start the “New Task Wizard”. If we don't create a new task, nothing will be in the taskpad view. So, select the “Start New Task Wizard” check box and click on “Finish”.
We will be guided to the “New Task Wizard”; click on “Next” to continue. We will have a chance to select which kind of command to add to the taskpad list. “Menu command” means we can add a command to run from a menu; “Shell command” allows us to run a script, start a program or open a web page; “Navigation” allows us to navigate to a view from our “Favorites” tab. Let's select “Menu command” and click on “Next” to continue. We can choose from 2 command sources: “List in details pane” and “Tree item task”. Either one is OK. Select a list or console tree node, for example “Active Directory Domains and Trusts”. Then select a command to add to the task, for example “Connect to domain controller”. Click on “Next” to continue. We are able to review and change the task name and description. When everything is OK, click on “Next” to continue. Now choose an icon and click on “Next” to continue. Review and finish!
Let's see our taskpad view. Click on the “Active Directory Tools” node of the console tree. We can see our taskpad appear in the details pane, with 4 large icons (the list). Click on “Active Directory Domains and Trusts”, and we can see the task we added before listed below. We can add more tasks under any of the list items (categories).
With the taskpad view feature of MMC, you can create more powerful management tools and task packs. However, I will not try to demonstrate those here; try it out yourself!
Secondly, take a look at “Options”.
After creating such a powerful administrative or management pack, you can save it and distribute it to other administrators or users. However, you need to configure a few things to prevent users from modifying your work. That brings you to “Options”.
First save the results by clicking on “File - Save”, then enter a path and click on “OK”. Then, click on “File” and “Options”. We can see the “Console Mode” drop-down box here. “Author Mode” means users of this file are granted full access and can fully modify it. “User Mode - full access” means users of this file are granted full access, but cannot add or remove snap-ins or change properties. “User Mode - limited access, multiple window” means users can access only the currently visible console tree items; users can create new windows but cannot close existing windows. “User Mode - limited access, single window” means users have exactly the same access as with “User Mode - limited access, multiple window” but they cannot open new windows.
Note there is a checkbox below, “Do not save changes to this console”. This is a pretty good option that will prevent users from saving their changes to the console.
The settings in “Options” seem to be great! However, your users will still be able to make changes to your .msc file unless you implement Active Directory and Group Policy. What can they change without Group Policy? Almost everything, including the Console Mode and the other settings in the options. Keep in mind that they can change anything once they have changed the Console Mode to Author. Anyway, Active Directory and Group Policy are obviously not the topic I want to talk about in this post. I will cover that soon, maybe in the next post, I'm not sure. Be sure to come back and read more technical posts here!
Thanks.
TO BE CONTINUED! COME BACK AGAIN. I WILL CONTINUE ADDING AND REVISING CONTENT TO/OF THIS POST.
Have you ever run into a problem that displays an error message like “Error 066”? You will want to know what these numeric error messages mean under Windows XP and Windows Server 2003. Rest assured, you can find out.
Simply click “start - run”, and enter “cmd” to open the command console. Run the following command:
C:\> net helpmsg ERROR_NUMBER
For example, if you enter “net helpmsg 066”, it will display “The network resource type is not correct.”