
March 09, 2005

Initial Setup

Once you've contacted case-ads@case.edu to join the ADSTEST domain, there are a few simple steps to get you on your way. Step #1 is to set up Kerberos so you can log in using your campus ID and password:

C:\> ksetup /addkdc INS.CWRU.EDU KERBEROS.CWRU.EDU
C:\> ksetup /addkdc INS.CWRU.EDU KERBEROS2.CWRU.EDU
C:\> ksetup /addkdc INS.CWRU.EDU KERBEROS3.CWRU.EDU
C:\> ksetup /addkpasswd INS.CWRU.EDU KERBEROS.CWRU.EDU
C:\> ksetup /mapuser * *

The ksetup.exe tool is part of the Windows XP Service Pack 2 Support Tools or can also be found in the SUPPORT.CAB file on your Windows 2000/XP/2003 install disc.

Next, join the computer to the ADSTEST domain.

1. Go to the System Control Panel and click on the "Computer Name" tab.
2. Click the "Change" button. Set the domain as "adstest.case.edu"
3. Click the "More" button. Set the Primary DNS suffix of the computer to "case.edu" and uncheck the box labeled "Change primary DNS suffix when domain membership changes".

[Image: AD_DNS_CONFIG.jpg]

Reboot and you should now be able to log onto the machine either with your OU Administrator account into the ADSTEST domain or with your campus ID & password using the INS.CWRU.EDU Kerberos realm. Follow the same procedure for subsequent machines, except you MUST first pre-create the computer object in the Organizational Unit you'd like it to reside in. To do this and administer other aspects of your Organizational Unit, install the following tools on at least one machine:

Download the Windows Server 2003 Service Pack 1 Administration Tools Pack, which will add the Active Directory Users and Computers Control Panel to your system (among others). Next, download and install the Group Policy Management Console, which requires the .NET runtime to be installed. Installing .NET took me several reboots; after installing the .NET runtime a service pack appeared in Windows Update, and then on the second reboot a security update for the service pack appeared. This adds the "Group Policy Management" control panel, which along with the Active Directory Users and Computers Control Panel is pretty much all you need.

Posted by djc6 at 08:22 PM | Comments (0) | TrackBack (0)

*THE* book for OU Administrators

Bill Wichert from EECS recommended the book Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows 2000, and Windows XP and it is well worth it. Its topic is narrow, unlike a lot of Active Directory books, focusing on Group Policy and Profiles, which are the most relevant to Case AD users.

Another book worth mentioning is O'Reilly's Active Directory Cookbook; the full text is available on campus via Safari. I didn't find it as useful as Bill Wichert's recommendation.

Posted by djc6 at 09:01 PM | Comments (0) | TrackBack (0)

Creating Custom Policies (.ADM files)

This website:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

talks about how to create custom Administrative Template (.adm) files and includes a complete reference for the .adm language. You can use this to create policies in addition to the defaults provided in the Group Policy Editor. Some custom policies I've written include one to automatically log off users via the winexit.scr screensaver, and a policy to customize the default Windows XP login prompt.

Posted by djc6 at 09:01 PM | Comments (0) | TrackBack (0)

Automatically log off users

One of the concerns I had with Active Directory in the Nord Computer Lab was that users would forget to log off their account. Previously, the computers automatically logged on as a generic user, so people had a habit of not logging off. One way to remedy this situation is the WINEXIT.SCR screensaver, which is part of the Windows Server 2003 Resource Kit Tools.

Copy the file to C:\WINDOWS\SYSTEM32 on each computer, and use the Group Policy Management Console to set this as the default screensaver and set the timeout period. You MUST also change the permission on a registry key for the screensaver to work for all users of the machine. See KB156677: Logoff Screen Saver Does Not Function in Windows NT.

By default, WINEXIT.SCR presents the user with a dialog box 30 seconds before they are to be logged off, the timing of which is determined by when you've set the 'screensaver' to kick in. I wanted the dialog box to come up a lot earlier, say 5 minutes beforehand, to give the user time to react. You can also set WINEXIT.SCR to force application termination, and insert a custom message. The following ADM file I wrote can be used with the Group Policy Management Console to configure these settings. Installing this will put a group of settings entitled "Winexit.scr Policy settings" under "User Configuration->Administrative Templates" in the GPMC.

;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit

CLASS USER

CATEGORY !!Screen_Saver_Policy

  POLICY !!TERMINATE_APPS
    KEYNAME "Control Panel\Screen Saver.Logoff"
    VALUENAME ForceLogoff
    VALUEON "1" VALUEOFF "0"
  END POLICY

  POLICY !!COUNTDOWN_TIMEOUT
    KEYNAME "Control Panel\Screen Saver.Logoff"
    VALUENAME CountDownTimer
    VALUEON "300"
  END POLICY

  POLICY !!ENTER_DIALOG_MESSAGE
    KEYNAME "Control Panel\Screen Saver.Logoff"
    PART !!ENTER_DIALOG_MESSAGE EDITTEXT
      DEFAULT !!DEFAULT_MESSAGE
      VALUENAME DialogMessage
    END PART
  END POLICY

END CATEGORY

[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."

Posted by djc6 at 11:00 PM | Comments (23) | TrackBack (0)

March 10, 2005

Custom Login prompt: Helping users log in

One day while working in the Peter B. Lewis computer lab (a favorite hideout of mine, and an excellent lab), I noticed they had modified the login prompt of XP to include what computer image revision that computer was using. I decided to figure out how they did that so I could add instructions to the login box telling users to select the INS.CWRU.EDU domain when logging in. The results look like this:

[Image: XP_Logon_Screen.jpg]

I also set a registry entry to make INS.CWRU.EDU the default domain to log into. However, if it is changed (say, to log in as your OU Administrator account into ADS), it doesn't get reset to INS.CWRU.EDU until the next reboot or until someone logs into the Kerberos realm. If anyone knows how to permanently make this the default, I'd love to know! But this works well enough for now.

This was accomplished using the following ADM file added to the GPMC:

;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;

CLASS MACHINE

CATEGORY !!Winlogon

  POLICY !!DefaultDomainNameBox
    KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    PART !!DefaultDomainNameBox EDITTEXT
      DEFAULT !!DefaultDomainName_default
      VALUENAME "DefaultDomainName"
    END PART
  END POLICY

  POLICY !!WelcomeBox
    KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    PART !!WelcomeBox EDITTEXT
      DEFAULT !!Welcome_default
      VALUENAME "Welcome"
    END PART
  END POLICY

  POLICY !!LogonPromptBox
    KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    PART !!LogonPromptBox EDITTEXT
      DEFAULT !!LogonPrompt_default
      VALUENAME "LogonPrompt"
    END PART
  END POLICY

END CATEGORY

[strings]
Welcome_default="- READ CAREFULLY - Nord Computer Lab"
LogonPrompt_default="NOTICE: Use your Case Email ID and Password. You must set 'Log on to: INS.CWRU.EDU' !!!!"
DefaultDomainName_default="INS.CWRU.EDU"
WelcomeBox="Enter Login screen title"
LogonPromptBox="Enter custom login prompt"
DefaultDomainNameBox="Enter Default Domain Name"
Winlogon="Configure Login Prompt & Default Domain"
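As an added example (my own code, not from the original post), here is a small Python parser for the ADM subset that both the winexit and the Winlogon files above use. It resolves the !!string references and reports, for each policy, the full registry key it writes and whether Group Policy can "fully manage" it: both files write under HKCU\Control Panel and HKLM\...\Winlogon rather than under a Policies key, which is exactly why the View->Filtering step is needed and why these settings stay in the registry (tattoo it) after the GPO is unlinked. The list of managed roots is assumed from the documented policy key locations, not taken from the post.

```python
import re

# Registry roots that Group Policy cleans up when a GPO stops applying. Values written
# anywhere else are "preferences": they tattoo the registry and stay behind after the
# GPO is unlinked. (Constructed list of the two documented policy roots, not from the post.)
MANAGED_ROOTS = (r"software\policies", r"software\microsoft\windows\currentversion\policies")
HIVES = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}
_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted strings (may contain spaces) or bare words

# The winexit ADM from the post above, embedded as sample input.
WINEXIT_ADM = r"""
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit
CLASS USER
CATEGORY !!Screen_Saver_Policy
  POLICY !!TERMINATE_APPS
    KEYNAME "Control Panel\Screen Saver.Logoff"
    VALUENAME ForceLogoff
    VALUEON "1" VALUEOFF "0"
  END POLICY
  POLICY !!COUNTDOWN_TIMEOUT
    KEYNAME "Control Panel\Screen Saver.Logoff"
    VALUENAME CountDownTimer
    VALUEON "300"
  END POLICY
  POLICY !!ENTER_DIALOG_MESSAGE
    KEYNAME "Control Panel\Screen Saver.Logoff"
    PART !!ENTER_DIALOG_MESSAGE EDITTEXT
      DEFAULT !!DEFAULT_MESSAGE
      VALUENAME DialogMessage
    END PART
  END POLICY
END CATEGORY
[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."
"""


def _split_sections(text):
    """Drop ;; comments and split off [strings]; returns (tokens, {name: text})."""
    body, strings, in_strings = [], {}, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.lower() == "[strings]":
            in_strings = True
        elif in_strings:
            name, _, value = s.partition("=")
            strings[name.strip()] = value.strip().strip('"')
        else:
            body.append(s)
    return _TOKEN.findall("\n".join(body)), strings


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_adm(text):
    """One dict per POLICY: display name, category path, full registry key, the
    VALUENAMEs it writes (with VALUEON/VALUEOFF) and whether GP can fully manage it."""
    tokens, strings = _split_sections(text)
    disp = lambda t: strings.get(t[2:], t[2:]) if t.startswith("!!") else _unquote(t)
    hive, categories, policies, current, i = None, [], [], None, 0
    while i < len(tokens):
        raw, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""
        tok = "" if raw.startswith('"') else raw.upper()   # quoted text is never a keyword
        if tok == "CLASS":
            hive = HIVES[arg.upper()]
        elif tok == "CATEGORY":
            categories.append(disp(arg))
        elif tok == "POLICY":
            current = {"name": disp(arg), "category": "/".join(categories),
                       "key": None, "values": [], "managed": False}
        elif tok == "KEYNAME" and current is not None:
            key = _unquote(arg)
            current["key"] = f"{hive}\\{key}"
            current["managed"] = key.lower().startswith(MANAGED_ROOTS)
        elif tok == "VALUENAME" and current is not None:
            current["values"].append({"name": _unquote(arg)})
        elif tok in ("VALUEON", "VALUEOFF") and current is not None:
            current["values"][-1][tok.lower()] = _unquote(arg)
        elif tok == "END":
            if arg.upper() == "POLICY":
                policies.append(current)
                current = None
            elif arg.upper() == "CATEGORY":
                categories.pop()
        else:
            i += 1          # PART, EDITTEXT, DEFAULT and their operands: no registry effect
            continue
        i += 2              # every keyword above consumed exactly one operand
    return policies


def tattooing(policies):
    """Names of policies whose settings remain in the registry after the GPO is removed."""
    return [p["name"] for p in policies if not p["managed"]]
```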

Posted by djc6 at 10:43 AM | Comments (8) | TrackBack (0)

How come some users can't log in?

If you have a current student, staff, or faculty member who cannot log into the Active Directory, it is almost always because they have not changed their password since September 1999. This coincides with Case's Kerberos KDC being upgraded from v4 to v5. Active Directory does not support v4 salt keys, and the only way to pick new v5 salt keys is by changing your password.

The ADS Administrator says there are more than 22,000 users who have not changed their password since 9/1999.

Posted by djc6 at 11:00 AM | Comments (0) | TrackBack (1)

Quick login script

Previously, I used batch files for login scripts, but this time around I decided to give VBScript a whirl. Here is a small script that accomplishes some very important things:

' Create printers, set default printer, and map home Directory.
'
Dim net
Set net = CreateObject("WScript.Network")
' Map N: to the user's own folder under the homedir share on the file server
net.MapNetworkDrive "N:", "\\servername\homedir\" & net.UserName & "\My Documents"
' Connect the three shared lab printers and make the black & white one the default
net.AddWindowsPrinterConnection "\\servername\Black & White"
net.AddWindowsPrinterConnection "\\servername\Copier"
net.AddWindowsPrinterConnection "\\servername\Color Printer"
net.SetDefaultPrinter "\\servername\Black & White"

The script adds the three lab printers being shared by the print server, sets the default, and also maps the user's home directory. This is the equivalent of:

NET USE N: "\\servername\homedir\%USERNAME%\My Documents"

Posted by djc6 at 11:10 AM | Comments (5) | TrackBack (0)

March 12, 2005

Connecting to share without binding to Active Directory

I wanted to find a way for machines outside of the Active Directory to connect to shares on my file server. The purpose of this was for students to be able to access their lab home directory from the dorms. Unfortunately, I've so far only been able to do this from MacOS X and not Windows clients. I found these instructions on UC Berkeley's website. Here is the /Library/Preferences/edu.mit.kerberos file I used:

[libdefaults]
    default_realm = INS.CWRU.EDU

[realms]
    INS.CWRU.EDU = {
        kdc = KERBEROS.CWRU.EDU
        kdc = KERBEROS2.CWRU.EDU
        admin_server = KERBEROS.CWRU.EDU
        default_domain = cwru.edu
    }

[domain_realm]
    .cwru.edu = INS.CWRU.EDU
    cwru.edu = INS.CWRU.EDU
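As an added example (my own code, not from the post), a parser for the edu.mit.kerberos file above (the krb5.conf format), with a check for the mistakes that leave a client unable to find a KDC, the [domain_realm] host-to-realm mapping applied the way the library does it (which is why both the ".cwru.edu" and the bare "cwru.edu" lines are there), and a translation into the ksetup commands from the Initial Setup post, since both configure the same KDCs. The sample is the page's own file; the broken config in the test is constructed.

```python
# The edu.mit.kerberos file from the post above, embedded as sample input.
SAMPLE = """
[libdefaults]
    default_realm = INS.CWRU.EDU
[realms]
    INS.CWRU.EDU = {
        kdc = KERBEROS.CWRU.EDU
        kdc = KERBEROS2.CWRU.EDU
        admin_server = KERBEROS.CWRU.EDU
        default_domain = cwru.edu
    }
[domain_realm]
    .cwru.edu = INS.CWRU.EDU
    cwru.edu = INS.CWRU.EDU
"""


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _add(d, key, value):
    """Store a setting; a repeated key (several kdc lines) becomes a list."""
    d[key] = _as_list(d[key]) + [value] if key in d else value


def parse_krb5(text):
    """Parse [section] / key = value / key = { ... } into nested dicts."""
    root, section, stack = {}, None, []      # stack: the currently open { } blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]") and not stack:
            section = root.setdefault(line[1:-1].lower(), {})
        elif section is None:
            raise ValueError(f"setting before any [section]: {line}")
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep:
                raise ValueError(f"expected key = value: {line}")
            target = stack[-1] if stack else section
            if value == "{":
                block = {}
                _add(target, key, block)
                stack.append(block)
            else:
                _add(target, key, value)
    if stack:
        raise ValueError("unterminated '{' block")
    return root


def check_config(cfg):
    """Problems a client would hit: bad default_realm, [domain_realm] entries that
    point at undefined realms, realms without a kdc."""
    realms = cfg.get("realms", {})
    default = cfg.get("libdefaults", {}).get("default_realm")
    problems = []
    if not default:
        problems.append("no default_realm in [libdefaults]")
    elif default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for domain, mapped in cfg.get("domain_realm", {}).items():
        for realm in _as_list(mapped):
            if realm not in realms:
                problems.append(f"{domain} maps to undefined realm {realm}")
    for realm, settings in realms.items():
        if not isinstance(settings, dict) or "kdc" not in settings:
            problems.append(f"realm {realm} lists no kdc")
    return problems


def realm_for_host(cfg, host):
    """Apply [domain_realm] as the Kerberos library does: a leading-dot entry matches
    any host under that domain, a bare entry only that exact name, longest match wins."""
    host, best = host.lower().rstrip("."), None
    for pattern, realm in cfg.get("domain_realm", {}).items():
        p = pattern.lower()
        hit = host.endswith(p) if p.startswith(".") else host == p
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, _as_list(realm)[0])
    return best[1] if best else None


def to_ksetup(cfg):
    """The ksetup commands that register the same KDCs on a Windows client."""
    cmds = []
    for realm, settings in cfg.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        for kdc in _as_list(settings.get("kdc", [])):
            cmds.append(f"ksetup /addkdc {realm} {kdc}")
        for server in _as_list(settings.get("admin_server", [])):
            cmds.append(f"ksetup /addkpasswd {realm} {server}")
    return cmds
```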

Posted by djc6 at 01:34 PM | Comments (0) | TrackBack (0)

Applying User Policies

In the Case Active Directory, User Configuration Policies must be applied on a per computer basis using Loopback Processing of Group Policy. This is because the User and Computer objects aren't in the same OU container that the Group Policy Object is linked to. To accomplish this, open up the Group Policy Management Console and click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the User Group Policy loopback processing mode. Set the processing mode to Replace.

You can now set user configuration policies in the linked GPO and have them apply to any user logged into the computers in the OU. For instance, this is necessary to configure the default user background for anyone using computers located in the Nord Lab Computers OU. For more information read KB231287: Loopback Processing of Group Policy.

Posted by djc6 at 02:37 PM | Comments (0) | TrackBack (0)

Roaming Profiles w/Case ADS

Roaming profiles not only make sense for a lab environment, but an office environment as well. In the Engineering Dean's Office I use them as a means of backing up all of a user's settings. If something happens to their PC, I can quickly put a backup machine in place while their office machine is repaired. The user simply logs in, and their previous settings are restored. This is how roaming profiles work with the campus ADS:

  • Every campus account in ADS and ADSTEST now has their profile set to: \\%ProfileServer%\%ProfileShare%\%Username%
  • The 'Only allow local user profiles' group policy is now enabled by default, so there is no error message like 'can't find roaming profile' should you not define these variables.
  • On each machine you want to roam, you need to define the variables %ProfileServer% and %ProfileShare% (these are not normally part of windows) system wide. You can create these variables in the system control panel - make sure you add them to the system environment variables and not the user environment variables. For example, you can simply set %ProfileServer% = skybridge and %ProfileShare% = nord-profile$ (examples from my setup - $ makes it a hidden share).
  • Create a group policy object linked to the OU you'd like to roam, and set this policy to "Disabled":

    Computer Configuration -> Administrative Template -> System -> User Profiles -> Only allow local user profiles

  • Unique to my configuration was turning off caching of roaming profiles. Eventually the lab machines would have filled up with hundreds of cached copies of profiles. It makes sense to cache them in an office environment, but not in a lab:

    Computer Configuration -> Administrative Templates -> System -> Logon -> Delete cached copies of roaming profiles

  • Reboot the computer so these policies and the system environment variables take effect.
  • Now when you log in as a user in the Kerberos realm, a profile should be automatically created on your server's %ProfileShare%; if not, check the permissions on the share. The minimum permissions needed are "List Folder/Read data", "Read Attributes", and "Create Folder/Append data" applied to scope "This folder only". For my setup, I applied these permissions to the group "Authenticated Users". Share permissions were set to "Authenticated Users" Full Control.
  • The Cache Option for Offline Files Must Be Disabled on Roaming User Profile Shares. See KB287566.

  • The profile should roam between two or more computers that have been setup with the above steps.
  • The policies "Allow Cross-Forest User Policy and Roaming User Profiles" and "Add the Administrators security group to roaming user profiles" have been turned on by default. The first is necessary to make this work, and the second is so you can access users' profiles without having to change the permissions to include you first. The group added is %ProfileServer%\Administrators.

Other methods exist for setting the environment variables, so you can more easily change them without revisiting each machine. One is creating an ADM file with a custom policy for these environment variables (something I'll look into). Another way is defining them in the login script, which is the method used by Alan Rothenbush at Simon Fraser University, whom I got this whole roaming profile idea from.

The default profile used when creating the user's first profile is the "C:\Documents and Settings\Default User" profile on the local machine used when first logging on. This is because no Default User profile exists in the SYSVOL share of the campus domain controllers (probably a good thing). Make any changes to this profile if you want them to apply to users when they first log in. See KB305709: HOW TO: Create a Custom Default User Profile.

I have also set up Folder Redirection of the user's My Documents folder to speed up profile loading. Aside from the "nord-profile$" share I've created on my server, I've also set up "nord-home$". I then set the Folder Redirection policy to put My Documents in \\servername\nord-home$\%username%, using the same share/file system permissions listed above for the profile share. The result is separating "My Documents" from the user's profile, so it isn't copied back and forth every time the user logs in. One 'surprise' is that Windows XP automatically turns on offline file caching for redirected folders. If you don't like this behaviour, enable the policy "Do not automatically make redirected folders available offline", under User Configuration -> Administrative Templates -> Network -> Offline Files.

Make sure to read Recommendations for Folder Redirection for more information on Folder Redirection policies.

Posted by djc6 at 03:35 PM | Comments (7) | TrackBack (0)

Printing posters & large format scanning

I continue to discover useful services on campus available to everyone, even after being here 7+ years. I recently found out that Student Activities & Leadership has the ability to print 36"x48" monochrome posters for $8 each, significantly cheaper than the $78.00 quote I received from printing services. They are located in Thwing across from Wackadoo's Grub & Brew.

A month ago someone came into the lab looking to scan an 11x17 size sheet of paper. The only device I have that can scan something this large is the copier, but it can only scan black & white (not even greyscale). Turns out there is a Digital Scanning Lab @ KSL which is open to everyone and has large format scanners available.

Posted by djc6 at 05:26 PM | Comments (0) | TrackBack (0)

March 13, 2005

Restricting who can log on

By default, anyone in the Kerberos Realm can log on interactively at any machine in the active directory. To change this behavior, set the policy:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally

to include the list of users/groups you wish to be able to log on at the computer console.

Posted by djc6 at 02:20 PM | Comments (0) | TrackBack (0)

Troubleshooting profile unload issues

I encountered a problem with roaming profiles that was preventing cached copies of profiles from being automatically deleted. The following error was in the event log:

Event Source: Userenv
Event Category: None
Event ID: 1517
Description:
Windows saved user ComputerName\UserName registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

The solution was in this knowledge base article KB837115: Troubleshooting profile unload issues. Microsoft provides a service you can install called UPHClean that monitors the computer while Windows is unloading user profiles and forces resources that are open to close.

Posted by djc6 at 02:26 PM | Comments (1) | TrackBack (0)

Sysprep w/ XP SP2 & Default User profile

If you are using Sysprep to prepare computer images for Ghosting, and you are using XP SP2, and you have configured a Default User profile, then you need to call Microsoft tech support and get the hotfix listed in this article:

KB887816: Changes in behavior of the SysPrep and RIPREP tools after you install Windows XP Service Pack 2

The problem is that sysprep overwrites the custom Default User profile you've painstakingly created with the Administrator profile.

The latest version of sysprep is included in the Windows XP Service Pack 2 Deployment Tools - it seems to be newer than the copy in the DEPLOY.CAB file on the XP CD.

Posted by djc6 at 02:36 PM | Comments (10) | TrackBack (0)

March 14, 2005

Error editing SP2 policies from SP1 or 2003 Server

If you encounter the following error when opening the group policy editor:

The following entry in the [strings] section is too long and has been truncated.

Download the update in this article KB842933: "The following entry in the [strings] section is too long and has been truncated" error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000

Posted by djc6 at 11:32 AM | Comments (0) | TrackBack (0)

Apply Group Policies to Groups

Say you want to have different user configuration policies based on whether a staff or student logs into a particular machine. You can apply Group Policies to Groups by modifying the security filtering - read this article:

http://www.serverwatch.com/tutorials/article.php/1497881

Thanks to Jon Wehner in Admissions for pointing this out on his first day on ADSTEST! Sometimes I overlook the obvious :)

Posted by djc6 at 01:47 PM | Comments (0) | TrackBack (0)

Group Policy Settings Reference

Check out this invaluable, but poorly formatted reference from Microsoft. A collection of every Group Policy description so you can easily do a keyword search and find the right one:

Group Policy Settings Reference for .adm files and Security Settings included with Windows XP Professional Service Pack 2

Posted by djc6 at 10:54 PM | Comments (1) | TrackBack (0)

March 16, 2005

Default Printer Preferences for All Users

In the Nord Lab I have a Minolta Di251f copier/fax/scanner/printer identical to those all over campus. Like many departments, the console is set up so you need to pick your name from a list and enter your password, in an attempt to track printing. It is also necessary to enter these codes into a user's printer preferences; otherwise the print jobs are discarded. Using registry auditing I was able to identify this registry key changing every time I configured the copier access code & password:

HKEY_CURRENT_USER\Printers\Connections\,,server,printername

Every printer apparently has a key like this, and within it is a binary value called 'DevMode'. I then exported this key, resulting in a 26KB file. Next, I did a "regedit /s copier-code.reg" on another machine, and the copier code/password (along with other printer preferences) were automatically set! Once I solved this mystery, I set the login script to run regedit and merge this key upon user login.

There is a knowledge base article entitled KB305402: HOW TO: Change Printing Preferences on Print Server for All Connected Users but it didn't seem to work for the particular printer settings I was interested in.

Posted by djc6 at 12:13 AM | Comments (1) | TrackBack (0)

March 31, 2005

Slipstreaming / Free tool for making ISOs of bootable CDs

I've been looking forever for a free utility for Windows that can easily make ISOs of bootable CDs.

LC ISO Creator works like a champ on my new slipstreamed Windows Server 2003 w/SP1 CD.

This site has instructions on how to make a slipstreamed CD using EZ-CD Creator 5.x, which comes with all of the Dells on campus. The only difference between the XP SP2 instructions and Server 2003 SP1 is to change the volume name on the CD you are making.

Posted by djc6 at 04:14 PM | Comments (0) | TrackBack (0)

May 16, 2005

Moving NT4 Profiles to Active Directory

I'm currently moving an office from their own NT4 domain to the Campus Active Directory and wanted to keep their account settings identical. I needed a straightforward way to migrate their old NT4 profile to ADS. I ended up using the moveuser.exe tool which is part of the Windows Server 2003 Resource Kit Tools.

On each machine, I made a local user called "tempuser". I then issued the command to associate the old NT4 profile with the new local user:

moveuser.exe nt4_domain\username tempuser

I then went through the procedure to join the computer to the Active Directory. Once on the Active Directory, I did:

moveuser.exe tempuser ads\username

to associate the now-local profile with the ADS account. I could then delete "tempuser", log on as the individual, and the old profile was now properly associated with their Active Directory account.

Why couldn't I just run "moveuser nt4_domain\username ads\username"? Because the NT4 domain and campus AD are not trusted. The moveuser tool needs to be able to look up the SID for both accounts. Hence, the only way I could accomplish this was using an intermediary local account.

CAUTION: Often I'd have to reboot between adding the tempuser account and issuing the moveuser.exe command. Otherwise I'd get errors that it couldn't find the NT4 domain account, or occasionally an "Access Denied" error, presumably because some portion of the NT4 user's profile is still in use and inaccessible.

Sometimes "HKEY_LOCAL_MACHINE\Software\Classes" still has the old NT SID in the permissions. When I'd log into AD as the user for the first time, I'd see if I could open it. If not, I'd change the permissions on Classes and find the old SID in there... Delete it, and add the ADS\username into the permissions.

Apparently "HKEY_LOCAL_MACHINE\Software\Classes" is simply a link to the current user's own HKEY_CLASSES hive. If you go into regedit and look under "HKEY_USERS", you'll notice each user has a <SID> entry and an <SID>_Classes entry. I guess moveuser.exe sucks and doesn't check for the presence of <SID>_Classes and change the permissions accordingly.

Posted by djc6 at 10:08 PM | Comments (2) | TrackBack (0)

May 18, 2005

Power Settings via Group Policy

I wanted to create a policy to set all of the laptops in the department to the same power scheme. This tool allows you to manage power options via Group Policy:

http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_ez_gpo

The EPA probably provided this link so you could easily allow systems to go into standby mode, but I want to use it to keep docked laptops on all the time :)

Posted by djc6 at 12:05 AM | Comments (16) | TrackBack (0)

May 23, 2005

FREE Print Quota Software for AD members ONLY

In March I purchased Print Quota software for the Nord Lab called PaperCut. I purchased an unlimited user license, which also covers an unlimited number of servers in the same Active Directory domain. I have confirmed with the authors that anyone at CWRU can use my copy without any additional cost, as long as they are on the Campus Active Directory.

I deployed it on the first day after spring break, and between March 14th and April 28th it processed 262,871 pages for 2,486 users in the Nord Lab flawlessly.

If you are interested and I can verify you are on the production active directory, let me know and I'll hook you up with the serial number and a copy of it.

If you do eventually use it, I am not opposed to those with money helping defray the $744.00 the Nord Lab spent on licensing it :) If you are too poor, I understand... you can pay me once you start saving money on printing costs! :) j/k.

For more information go to http://www.papercut.biz

There you can find info on the server software, the administrative console (for receptionists, lab monitors, etc.. who collect money) and also the optional web interface for administration and end user quota monitoring. It really is a spectacular package.

Posted by djc6 at 02:20 PM | Comments (0) | TrackBack (0)

June 03, 2005

Client-less Novell & Active Directory

One "gotcha" in a recent active directory conversion was that users could no longer clientlessly access the campus novell servers. Two solutions were presented to me, the first by Chuck Yoder:

Change Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: LAN Manager authentication level to "Send NTLM response only" from the AD default "Send NTLMv2 response only/refuse LM/NTLM" to get clientless access to work.

DISCLAIMER: The above method will lessen the security of clients using network resources. It is not recommended by the Case ADS Administrator. Only apply to machines requiring clientless novell access!

Please see section #10 of this Microsoft Knowledge Base Article: KB823659: Network security: Lan Manager authentication level for more information.

The second solution is from Ben Hrouda, which involves installing the Novell Client. This method does not require disabling NTLMv2 and is considered the more secure workaround. The instructions on this page must be followed in addition to the normal install:

Client32 for Active Directory Kerberos Interoperability

Posted by djc6 at 01:58 PM | Comments (3) | TrackBack (0)

June 08, 2005

Troubleshooting Account Lockout Problems

Microsoft offers tools to help diagnose account lockout problems. Most useful is the "ALockout.dll Tool", a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. Here are some links:

Download: Account Lockout and Management Tools

Technet: Documentation for Account Lockout and Management Tools

WindowsSecurity.com article on using the Account Lockout Tools

Posted by djc6 at 10:40 PM | Comments (2) | TrackBack (0)

June 22, 2005

Printing from OS X 10.4 TO windows printer on Active Directory

The version of Samba included with MacOS 10.4 (Tiger) supports NTLMv2, which is on by default for machines in the Active Directory. Once I upgraded my machine to Tiger, I set out to print through a shared Windows printer on a machine in the Active Directory. Follow these steps:

  • Change the entry "client ntlmv2 = no" to read "yes" in the /etc/smb.conf file
  • Open the Printer Setup Utility
  • Click Add Printer
  • HOLD DOWN the alt/option key and click on the "More Printers..." button
  • In the first pull down menu select "Advanced"
  • Under Device select "Windows printer via SAMBA"
  • Fill in the Device Name (can be anything)
  • For device URI: insert something like:

    smb://server[:port]/printer
    smb://workgroup/server[:port]/printer
    smb://username:password@server[:port]/printer
    smb://username:password@workgroup/server[:port]/printer

  • Select the printer model and you're done!!

Unfortunately, CUPS uses smbspool, which does not currently support kerberos. I had to hardcode in the URI a generic printer account that I created locally on the print server for mac clients to use.

If you search on google, you'll find people have written patches for smbspool to allow for kerberos authentication. I didn't try any of them. Instead, I came across this thread which deterred me from even trying. Responses to the thread may yield some clues.

Here is a link to the patch in question

Posted by djc6 at 04:25 PM | Comments (2) | TrackBack (0)

July 20, 2005

How to Check Password Age before moving to AD

You can check the age of anyone's password by going to this site:

https://its-services.case.edu/middleware/NetworkTools/pwdCheck/

which is also accessible from the ITS Network Tools page with the link titled "Verify Password".

Basically, type in a user's ID and then enter any string for the password. This will return the age of the password. If it's older than October 1st, 1999 you'll get this error:

"A new version of our authentication system was put into place on 10/01/1999. Since you last changed your password prior to that date, your account is lacking a "key salt" for the newer version. "

This tool has proven invaluable in figuring out which users are ready for Active Directory BEFORE I migrate their machine!

For a background on this active directory issue, see How come some users can't log in?

Posted by djc6 at 07:53 PM | Comments (0) | TrackBack (0)

August 28, 2005

Automated BartPE Ghost CD Installer

Recently Grayden MacLennan wrote to the Sysadmins Mailing List about using BartPE along with Ghost 8.x as a workaround for the Netgear GA621 DOS drivers not working in some buildings. BartPE will create a bootable windows CD, and from there we can run the slightly more reliable windows GA621 drivers and the windows Ghost32 client. The following is a list of instructions to recreate his work.

  • Install the latest version of PE builder and have a Windows XP CD handy.
  • Then copy the following files from C:\Program Files\Symantec\Ghost into the C:\pebuilder313\plugin\ghost8\files directory:

    ghost32.exe, ghostexp.exe, ghostsrv.exe, ghostcdr.dll

  • Enable the Ghost Plugin (Change to 'Yes' on the plug-in list)
  • (Optional) Enable Boot Fix ("Press any key to boot from CD") Plug-in
  • Create a folder C:\pebuilder313\drivers\Net\GA621 and copy the Netgear GA621 Windows XP driver files (DP83820.sys and NET83820.INI) into there.

If you stop here, you'll be able to burn a BartPE disc with Ghost and the drivers for the Netgear GA621. I recommend you make at least one CD like this so you can experiment with everything else BartPE has to offer, and also for use pulling a ghost image from a source machine. To create a fully automatic bootable client CD suitable for pushing an image out, perform this last step:

  • Replace the C:\pebuilder313\plugin\penetcfg\penetcfg.ini file with these contents:

[General]
AutoStartNet=Yes
PromptForProfile=No
ShowGUI=No

[NetAdapter1]
EnableDHCP=Yes
UseStaticGateway=No
UseStaticDNS=No
UseStaticWINS=No
IPAddress=
SubnetMask=
DefaultGateway=
DNSServer=

[PostNetAutoRun]
; StartupFlag = CommandLine

; StartupFlag is a bit field that can take the following values:
; 0 = run hidden and wait (00 00 00 00)
; 1 = run normal and wait (00 00 00 01)
; 2 = run hidden and don't wait (00 00 00 10)
; 3 = run normal and don't wait (00 00 00 11)

1 = %SystemDrive%\programs\ghost8\ghost32 -ja=GHOSTSESSIONNAME -sure -rb

The above configuration will automatically install the GA621 Network Adapter, configure it with DHCP, and then start Ghost after the network is setup. Replace "GHOSTSESSIONNAME" with the typical name of your multicast sessions. The switch "-sure" automatically answers the "Proceed with disk load?" prompt. The "-rb" switch reboots the machine automatically when it is done ghosting.

You can customize this however you wish; see http://service1.symantec.com/SUPPORT/ghost.nsf/pfdocs/1998082612540625 for an alphabetical list of all the command line switches for Ghost.

Posted by djc6 at 05:19 PM | Comments (7) | TrackBack (0)

September 22, 2005

Imaging machines using different HALs w/sysprep

One of the biggest problems with ghosting dissimilar machines is when they require different Hardware Abstraction Layers (HALs). For instance, an older Pentium 4 machine will use the Uniprocessor HAL, while a newer Pentium 4 machine likely has a hyperthreading processor or even a Pentium D Dual-Core Processor, both of which qualify for the Multiprocessor HAL.

Switching between Uniprocessor/Multiprocessor HALs is only possible if BOTH machines will be using the ACPI version of the HAL, OR if they are BOTH using the non-ACPI version of the HAL. In my case, the hardware is new enough that everything will be using the ACPI HALs. If you have an older machine (P2-400 vintage) I found it possible to enable ACPI in the bios by downloading the latest BIOS updates from Dell. I actually haven't come across anything that hasn't been ACPI compliant. The method I chose was to install the base image on a machine using the Multiprocessor HAL, and then downgrading it to the Uniprocessor HAL if necessary.

To accomplish this, add the following entry to your sysprep.inf file:

[Unattended]
UpdateUPHAL = "ACPIAPIC_UP,%WINDIR%\Inf\Hal.inf"

Essentially, this line sets the Uniprocessor HAL to be "ACPIAPIC_UP" *IF* the need for a Uniprocessor HAL is detected. If your computers are both NOT using ACPI, change the above "ACPIAPIC_UP" reference to be "MPS_UP". If the image is being put on a machine that can make use of a Multiprocessor HAL, the HAL won't be changed - it will stay Multiprocessor (since my base machine used the Multiprocessor HAL).

If you are going the other way, from Uniprocessor HAL base machine to Multiprocessor HAL clone, then use this line:

[Unattended]
UpdateHAL = "ACPIAPIC_MP,%WINDIR%\Inf\Hal.inf"

Notice that the command is now UpdateHAL (lacking the UP for Uniprocessor) and that the HAL selected now ends in MP (Multiprocessor). The problem with going Uniprocessor->Multiprocessor is that the Multiprocessor HAL will *ALWAYS* be used, regardless of whether the Uniprocessor one is appropriate. Microsoft says there is a serious performance hit for using the Multiprocessor HAL on a machine that should use the Uniprocessor HAL - this is why I decided to start out with the Multiprocessor HAL base machine. For some reason when going the other way the proper HAL gets selected.

For more information read the "deploy.chm" file that comes with sysprep XP SP2.

Posted by djc6 at 12:46 AM | Comments (17) | TrackBack (0)

January 11, 2006

Disable MSN Messenger Auto Run via Group Policy

At the request of several students, I put the latest version of MSN Messenger 7.5 on the Nord Lab computers. Unfortunately, the Group Policy settings for the old Windows Messenger don't work with this new IM client. Specifically, the registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun

is only applicable to Messenger 4.x and below. So, I came up with this ADM file to disable MSN Messenger 7.5 from automatically starting when the user logs in, but they can still run it if they choose to.

This ADM file uses a different method entirely for preventing MSN Messenger from automatically running when the user logs in: it clears out the entry for it from the user's "Run" list.

;; Remember in gpedit.msc to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@cwru.edu) 1/11/2006
;;
;; Disable MSN Messenger AutoRun

CLASS USER

CATEGORY !!MSN_Messenger_Policy
  POLICY !!DISABLE_MSN_AUTORUN
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Run"
    VALUENAME msnmsgr
    VALUEON ""
  END POLICY
END CATEGORY

[strings]
MSN_Messenger_Policy="MSN Messenger Policy settings"
DISABLE_MSN_AUTORUN="Disable MSN Messenger Autorun"
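As an added example (not code from the post), here is a small Python parser for ADM files of this kind. It reports where each POLICY writes and whether that key is a true policy location; the "Run" key used here is not, which is why gpedit hides the setting behind the "fully managed" filter and why the value stays in the user's registry after the GPO is unlinked.

```python
"""Minimal .ADM template parser (added example, not code from the post). It lists each POLICY's
registry target and flags keys outside the Software\Policies hives: those settings tattoo the
registry (they outlive the GPO) and are exactly what gpedit's 'fully managed' filter hides."""
import re
# Sample input: the post's own ADM file, embedded here with its header comments cut.
ADM_TEXT = r'''
CLASS USER
CATEGORY !!MSN_Messenger_Policy
  POLICY !!DISABLE_MSN_AUTORUN
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Run"
    VALUENAME msnmsgr
    VALUEON ""
  END POLICY
END CATEGORY
[strings]
MSN_Messenger_Policy="MSN Messenger Policy settings"
DISABLE_MSN_AUTORUN="Disable MSN Messenger Autorun"
'''
# Only keys below these paths are true policies that Windows removes along with the GPO.
MANAGED = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted string (possibly empty) or a bare word

def tokens(line):
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN.finditer(line)]

def parse_adm(text):
    """Return one dict per POLICY: class, display name, registry key, value name, managed flag."""
    body, _, tail = text.partition("[strings]")             # [strings] holds NAME="display text"
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', tail, re.M))
    policies, cur, cls = [], None, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):                # blank line or ADM comment
            continue
        toks = tokens(line)
        kw, args = toks[0].upper(), toks[1:]                # ADM keywords are case-insensitive
        if kw == "CLASS":
            cls = args[0].upper()                           # USER -> HKCU, MACHINE -> HKLM
        elif kw == "POLICY":
            cur = {"class": cls, "name": args[0], "key": None, "value": None}
        elif kw in ("KEYNAME", "VALUENAME") and cur is not None:
            cur["key" if kw == "KEYNAME" else "value"] = args[0]
        elif kw == "END" and args and args[0].upper() == "POLICY":
            policies.append(cur)
            cur = None
    for p in policies:                                      # resolve !!refs, then classify key
        if p["name"].startswith("!!"):
            p["name"] = strings.get(p["name"][2:], p["name"])
        p["managed"] = (p["key"] or "").lower().startswith(MANAGED)
    return policies
```

Running `parse_adm(ADM_TEXT)` yields one USER-class policy targeting Software\Microsoft\Windows\CurrentVersion\Run with managed=False.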

Posted by djc6 at 03:36 AM | Comments (2) | TrackBack (0)

September 16, 2006

Installing Acrobat automatically on multiple machines

There has been a steady rise in requests to have the latest version of Acrobat installed by many of the staff members whose computers I maintain. Partly, it's simply to satisfy their urge to have the latest and greatest - but increasingly, they are receiving documents that only work with the latest version. I decided to take this opportunity to try publishing applications via Group Policy. Here are the steps!!

  1. Download Adobe Acrobat 7 Professional from the Software Center. Run the installer, but DON'T EXIT. Instead, go to the directory "C:\Program Files\Common Files\Software Center\Acrobat 7\acrobat7_src" and copy the installation source to another directory - for this example, we use "D:\acrobat7_src".
  2. Next, create an administrative install point by running "D:\acrobat7_src\setup /a" - give the installer a directory to put the files for the install point - I used "D:\acrobat".
  3. We now need to download a series of updates from Adobe's site to bring the patch level of Acrobat up to 7.0.8 - this way you will be distributing Acrobat 7 along with the very latest updates - automatically. Unfortunately there is no cumulative update, so you need to download and apply three patches. Also, these files are self-extracting ZIP files; you'll need Winzip or something similar to extract the files contained in them - XP's built-in zip file facilities won't cut it. Go download these files:

  4. Now that the updates are expanded, run the following commands to apply the patches to the administrative install point we created earlier in "D:\acrobat":

    • msiexec /p d:\acrobat705update\Ac705PrP_efgj.msp /a d:\acrobat\AcroPro.msi /qb!
    • msiexec /p d:\acrobat707update\Acro707.msp /a d:\acrobat\AcroPro.msi /qb!
    • msiexec /p d:\acrobat708update\Acro708.msp /a d:\acrobat\AcroPro.msi /qb!

  5. Next, you'll need to download the InstallShield Tuner 7.0 for Adobe Acrobat - this application allows you to configure many default settings - like the serial number - to make the install non-interactive.
  6. Open the InstallShield Tuner. A dialog box will pop up automatically - open the transforms file "D:\acrobat7_src\AcroPro.itw". Next click on "Create a new transform" in the left hand side of the screen. Where it says Select an MSI file, enter the path "D:\acrobat\AcroPro.msi" and click the Create button.
  7. Now comes the part where you can configure a multitude of default settings for your install. Here is a rundown of the important ones:

    • Under Installation Options, enter the serial number and your name. The serial number is given when you run the installer from the Software Center.
    • Under Shortcuts, click remove desktop icon (this is a personal preference).
    • Under Application Configuration, select Preferences. Then go to the "EULA and Online Features" tab. You need to agree to the EULA to make the install non-interactive. I also disabled "All Updates" since my users don't have the administrative privileges to install them. For the Nord Lab, I also disabled "Display PDF in browser". This has proven VERY helpful for people using Blackboard - the PDFs now open in a separate window, so they don't accidentally use IE's print function instead of Acrobat's (which results in a blank printout).
    • Go through the rest of the preferences and see if there is anything else you'd like to customize.

  8. Once you're done with your customizations, save the new MST file! It will be written to "D:\acrobat\AcroPro1.mst".
  9. Now copy D:\acrobat to a share on a file server - this will be the install point your clients will look to. Test the install by running AcroPro.msi /passive transforms="AcroPro.mst" - it should install Acrobat 7 with all of the updates & customizations - and it should be completely non-interactive. The only thing you should see is a progress bar - it ought not prompt you with any questions. If it does, go back to the InstallShield Tuner and see what you missed.
  10. At this point we're done making the Acrobat 7 package. Now you need to make a Group Policy entry to publish the application. Open up the GPMC. Create a new Group Policy object and go to "Computer Configuration -> Software Settings -> Software Installation". Once there, right click on the right hand pane of the GPMC and select New. From there, go to Package and select the path to the Acrobat MSI file shared on your file server. That's it!
  11. Link the GPO to the appropriate OUs you wish to publish Acrobat to. Next time your users restart their computer, they'll see an "Installing Adobe Acrobat 7.0 Professional" message for about 5-10 minutes prior to the login dialog box appearing. No more having to install Acrobat by hand!!

Posted by djc6 at 11:42 PM | Comments (1) | TrackBack (0)

August 24, 2008

Enabling MathType macros by default in Office 2007

One of the biggest complaints in the lab is that when a user starts Office for the first time, they are greeted with a security warning asking them to enable/disable the macros for MathType. People always click disable macros because it is the default option, or don't know/care what MathType is, but selecting Disable Macros has other effects on Office, such as disabling printing.

I set out to find a way of trusting this publisher by default, so the MathType macros work by default, and people aren't prompted to enable them. The process involves extracting the Office 2007 install media from the Software Center package, running the Office 2007 Customization Tool, and adding the certificate of the publisher (Digital Science Inc.) to the list of trusted publishers.

First we extract the digital certificate used to sign MathType:

  • Go to C:\Program Files\MathType, right click on MathType.exe, select 'Properties' and click on the Digital Signatures tab
  • Select 'Digital Science Inc.' from the Signature List and click Details
  • Click View Certificate
  • Click Details tab
  • Click "Copy to file..."
  • Save the certificate to a file as a DER encoded binary (I called mine mathtype.cer)

Next, we extract the Office 2007 media from the Software Center package and run the Office 2007 Customization Tool:

  • Run the Office 2007 package from the Software Center
  • Copy the folder C:\Documents and Settings\USERNAME\Local Settings\Temp\~vis0000\CD to another location C:\stuff\office2007
  • Exit out of the Software Center office installation.
  • Start the Office 2007 Customization Tool by running C:\stuff\office2007\setup.exe /admin
  • Select Open an existing setup customization file and open the file C:\stuff\office2007\Updates\case_full.MSP - you MUST do this since the product key is saved in there!
  • Click 'Office Security Settings'
  • Click the 'Add' button next to 'Add the following digital certificates to the Trusted Publishers list:' and add the digital certificate (mathtype.cer) made earlier.
  • Now go File -> Save As in the Office Customization Tool and save the new MSP file.

Now you can either deploy the .MSP by publishing it as a software package in Active Directory, or you can double click on it to change the configuration of the current computer.

You can also replace the case_full.MSP file in the Updates folder so these configuration changes affect future installs of Office 2007.

You can use this method to make other changes to the Office 2007 configuration that you can't do via the Office 2007 Administrative Template files. For more information on deployment, visit Change users' configurations after installing the 2007 Office system.

Posted by djc6 at 07:19 PM | Comments (0) | TrackBack (0)