Thursday, March 31, 2011

Using Group Policy to configure the desktop wallpaper of workstations

Some companies would like to restrict users' wallpaper. Administrators can use Group Policy to fulfill this requirement.

This assumes that the domain controller in our environment runs Windows Server 2008 or above.

Prerequisites
If you are running Windows 7 or Windows Server 2008 R2 without Service Pack 1, you have to install hotfix KB977944.


1. At the domain controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Expand "Forest > Domains > <Domain Name>", right-click "Default Domain Policy", select "Edit".

Remark: In a production environment, you should use another group policy to assign this setting.

4. Expand "User Configuration > Policies > Administrative Templates > Desktop > Desktop".
5. In the right pane, double-click "Desktop Wallpaper".
6. Select "Enabled".
7. Next to "Wallpaper Name", type "C:\Windows\Web\Wallpaper\company.jpg".
8. Next to "Wallpaper Style", select "fill".

Figure 1: Desktop Wallpaper group policy

9. Click "OK".

Remark: Simply put, using a UNC path puts a lot of stress on the network, as the file has to be downloaded every time the wallpaper is loaded. It also means that if the network path cannot be contacted when the user logs on, all they will get is a black background wallpaper.


Copy the wallpaper to the workstations
10. Still in "Group Policy Management Editor", expand "Computer Configuration > Preferences > Windows Settings > Files".
11. Right-click "Files", select "New > File".
12. Next to "Source file", type "\\<File Server>\wallpaper\company.jpg".
13. Next to "Destination File", type "C:\Windows\Web\Wallpaper\company.jpg".

Figure 2: Copy the file by Group Policy Preferences

Remark: Make sure the "Action" is set to "Update".

14. Click "OK".
15. Close "Group Policy Management Editor".
16. Launch "Windows Explorer", create a folder named "wallpaper" in C:\.
17. Right-click "Wallpaper", select "Properties".
18. Select "Sharing" tab, click "Advanced Sharing".
19. Check "Share this folder".
20. Click "Permissions".
21. Remove "Everyone", add "Domain Computers" and assign "Allow - Read".

Figure 3: Share permissions of Wallpaper

22. Click "OK" twice.
23. Select "Security" tab, click "Edit".
24. Add "Domain Computers" and assign "Allow - Read".

Figure 4: NTFS permissions of Wallpaper

25. Click "OK".
26. Click "Close".

As a result, all workstations will be forced to use company.jpg as the wallpaper.


This posting is provided “AS IS” with no warranties, and confers no rights!

Wednesday, March 30, 2011

Implement Windows 7 print driver in Windows Server 2003 print server

In my production environment, some workstations run 32-bit and 64-bit Windows 7 Professional, but the file and print server is still running Windows Server 2003 32-bit Standard. I have to install the printer drivers and add an additional print queue on the server for both the 32-bit and 64-bit Windows 7 workstations.

Prerequisites
  • Printer drivers for Windows 7
  • 1 Windows 7 workstation joined to the domain

This assumes I have to add a network printer.

1. At Windows 7 workstation, log in as Domain Administrator.
2. Click "Start", enter "mmc".
3. On the menu, click "File > Add/Remove Snap-in".
4. Select "Print Management", click "Add".

Figure 1: Configure print management

5. Under "Add servers", type the name or IP address of the print server.
6. Click "Add to List".
7. Click "Finish".
8. Click "OK".

Figure 2: The firewall setting of Print Management

9. Click "Yes".
10. Expand "Print Management > Print Servers > <IP or Server name> > Printers".
11. Right-click "Printers", select "Add Printer".
12. Select "Add a TCP/IP or Web Services Printers by IP address or hostname", click "Next".
13. At "Printer Address" screen, type the IP address of the printer.
14. Un-check "Auto detect the printer driver to use".

Figure 3: IP address of the printer

15. Click "Next" twice.
16. At "Printer Driver" screen, select "Install a new driver".
17. Click "Next".
18. Provide the printer driver for Windows 7 32-bit, click "Next".

Figure 4: Printer Name and Sharing Settings

19. You can change the "Printer Name" and "Share Name", click "Next" twice.
20. Click "Finish".
21. In the left pane, right-click "Drivers", select "Add Drivers".
22. At the welcome screen, click "Next".
23. Un-check "x86", check "x64".

Figure 5: x64 printer driver option

24. Click "Next".
25. Click "Have Disk" to provide the x64 driver of the above printer.
26. Click "Next".
27. Click "Finish".

As a result, the Windows 7 printer drivers are installed on the Windows Server 2003 print server.


Restrict the members of local administrator group by Group Policy

In a Windows Server 2008 or above environment, there are 2 methods to control the members of a group by Group Policy: Restricted Groups and Group Policy Preferences.

Both settings in a Group Policy could remove unauthorized members from a security group.


Using Group Policy restricted groups
1. At the domain controller, log in as Domain Administrator.
2. Click "Start", enter "gpmc.msc".
3. Expand "Forest > Domains > <Domain Name>", right-click "Default Domain Policy", select "Edit".

Remark: In a production environment, you should use another group policy to assign the restricted groups setting.

4. Expand "Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups".
5. Right-click "Restricted Groups", select "Add Group".
6. Under "Group", type "Administrators".

Figure 1: Local administrator group

7. Click "OK".
8. Next to "Member of this group", click "Add".
9. Enter the name of the account you want to add.

Figure 2: The members of the local administrator group

Remark: The local administrator is not affected by Restricted Groups.

10. Click "OK".
11. Close "Group Policy Management Editor".

After the policy is updated, the restricted group setting is applied to the local administrator group of all computers.

Figure 3: The local administrator group of the computer

Remark: If you add the "Administrators" group in "Restricted Groups", Event ID 1202 is logged in the Application event log and the group members cannot be applied to the local administrators group.
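
To confirm on a workstation that the Restricted Groups setting took effect, the local group can be compared with the expected membership. The script below is an added example, not part of the original post; the account names in $Expected are hypothetical placeholders for the accounts entered in your own policy.

```powershell
# Added example, not from the original post.
# ASSUMPTION: the names in $Expected are hypothetical; use the accounts
# entered in the Restricted Groups policy of your own GPO.
$Expected = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $entry = [ADSI]$m
        $path  = $entry.psbase.InvokeGet('ADsPath')
        $bytes = $entry.psbase.InvokeGet('objectSid')
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        # ADsPath is WinNT://DOMAIN/name, WinNT://DOMAIN/COMPUTER/name or a bare SID
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name  = if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
        New-Object psobject -Property @{
            Account = $name
            Sid     = $sid.Value
            IsLocal = ($parts.Count -ge 2 -and $parts[-2] -eq $ComputerName)
        }
    }
}

function Test-LocalAdminDrift {
    param([string[]]$Expected, [string]$ComputerName = $env:COMPUTERNAME)
    # The built-in local Administrator (RID 500) is left out of the comparison,
    # because the remark above says Restricted Groups does not affect it.
    $actual = @(Get-LocalAdminMember -ComputerName $ComputerName |
        Where-Object { -not ($_.IsLocal -and $_.Sid -match '-500$') } |
        ForEach-Object { $_.Account })
    # -notcontains is case-insensitive and tolerates empty lists.
    $unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
    foreach ($a in $unexpected) {
        New-Object psobject -Property @{ Account = $a; Finding = 'Unexpected member' }
    }
    foreach ($a in $missing) {
        New-Object psobject -Property @{ Account = $a; Finding = 'Expected member missing' }
    }
}

# No output means the group matches the expected membership.
Test-LocalAdminDrift -Expected $Expected
```

Members that can no longer be resolved appear under their SID and are reported as unexpected.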



Tuesday, March 29, 2011

Using File Server Migration Toolkit

The File Server Migration Toolkit (FSMT) is a tool which lets administrators easily migrate and consolidate shared folders from servers running Windows Server 2003, Windows Server 2000 and Windows NT Server 4.0 to a server running Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2.

Remark: FSMT also supports DFS environment.

Prerequisites and Lab environment

Computers in domain "contoso.com"

Computer FQDN    | Roles                         | OS
DC01.contoso.com | Domain Controller, DNS Server | Windows Server 2003
03FS.contoso.com | Member Server / File Server   | Windows Server 2003
08FS.contoso.com | Member Server / File Server   | Windows Server 2008 R2

  • Create 4 domain local groups named Account DL Group, Finance DL Group, IT DL Group and Sales DL Group.
  • Create 4 folders in FS1, then share them and assign permissions as follows:

Share Name | Share Permissions                                                    | NTFS Permissions
Account    | Account DL group – Read, Change; Local\Administrators – Read, Change | Account DL group – Read, Write, Modify
Finance    | Finance DL group – Read, Change; Local\Administrators – Read, Change | Finance DL group – Read, Write, Modify
IT         | IT DL group – Read, Change; Local\Administrators – Read, Change      | IT DL group – Read, Write, Modify
Sales      | Sales DL group – Read, Change; Local\Administrators – Read, Change   | Sales DL group – Read, Write, Modify

  • Install FSMT on 08FS.contoso.com.
Remark: Before installing FSMT, you have to install Microsoft .NET Framework 2.0 or above on the server.


Using FSMT
Now the folders, files and permissions will be moved to 08fs.contoso.com by FSMT.

1. At 08FS, log in as Domain Administrator.
2. Click "Start > All Programs > Microsoft File Server Migration toolkit > File Server Migration Wizard".
3. At the welcome screen, click "New".
4. At New Project Wizard, click "Next".

Figure 1: Project Name and Location

5. Click "Next".

Figure 2: Create a folder for the project

6. Click "Yes" to create the directory.
7. Un-check "Use the following DFS root server".

Figure 3: DFS consolidation root server

8. Click "Next".
9. Next to "Location", type the path which you would like to store folders in.

Figure 4: The path of stored folder

10. Click "Next".
11. Click "Yes" to create the directory.
12. Click "Finish".
13. At "Microsoft File Server Migration Wizard", click "Add Server".
14. Type "03FS", click "OK".

Figure 5: The share folders of the source server

15. Next to "View by", select "Target volumes".
16. Select "temp\03FS\Account".

Figure 6: The options of the target server

You can modify the share name and target location for each folder.

Remark: There is an option to help you create DFS link in the DFS root.

17. Click "Continue" twice.

Figure 7: The copy is in progress

18. Click "Continue".
19. Click "Yes" to accept finalization process.
20. Click "OK".
21. Click "View Report".

Figure 8: The report of migration

Figure 9: Share permissions of the Account folder

Figure 10: NTFS permissions of the Account folder

As a result, all shared folders are migrated to 08FS together with their permissions.



Monday, March 28, 2011

Replace default recovery environment of Windows 7 / Windows Server 2008 R2 by Microsoft Diagnostic and Recovery Toolset

Installing Microsoft Diagnostic and Recovery Toolset
Microsoft has developed a new version of ERD Commander from Winternals, which Microsoft acquired a while ago. The new version is called Diagnostic and Recovery Toolset, or DaRT for short. DaRT 6.5 is a part of Microsoft Desktop Optimization Pack (available to customers with an active Software Assurance license).

1. At the PC, log in as a user who is a member of the Administrators group.
2. Insert MDOP DVD.
3. Click "Microsoft Diagnostics and Recovery Toolset".

Figure 1: Microsoft Diagnostics and Recovery Toolset

4. Click "Install DaRT 6.5 (32-bit)".

Remark: When preparing DaRT for Windows Server 2008 R2, you have to select "Install DaRT 6.5 (64-bit)".

5. At the welcome screen, click "Next".
6. Click "I Agree".
7. Click "Next".
8. Select "Complete".
9. Click "Install".
10. Click "Finish".


Creating the ERD Commander ISO image
1. At the PC, click "Start > All Programs > Microsoft Diagnostics and Recovery Toolset > ERD Commander Boot".
2. At the welcome screen, click "Next".
3. Insert the Windows 7 Enterprise installation disk and navigate to it.

Figure 2: ERD Commander Boot Media Wizard

4. Click "Next" twice.

Figure 3: The tools of ERD image

5. Select or exclude the tools that will be included in your ERD image, click "Next".
6. Select "Locate the Debugging Tools...", click "Next".

Figure 4: The option of Crash Analyzer Wizard

7. At "Standalone System Sweeper Definition Download" screen, select "Yes, download the latest definitions".

Figure 5: The option of Standalone System Sweeper Definition Download

8. Click "Next" twice.
9. If you want to add additional drivers, click "Add Device".

Figure 6: Additional drivers for ERD image

10. Click "Next" twice.
11. Click "Next" to create an ISO file.

Figure 7: The path of stored image

12. If you want to burn the ISO to media, set the wizard to your media burner, then click "Next" to proceed.

Figure 8: Burning CD option

13. Click "Finish".


Add the Microsoft Diagnostic and Recovery Toolset image to Recovery folder
1. At the PC, launch Windows Explorer.
2. Press [ALT], select "Tools > Folder options".
3. Select "View" tab.
4. Select "Show hidden files, folders or drives".
5. Un-check "Hide protected operating system files (Recommended)".

Figure 9: The option of the folders

6. Click "OK".
7. At Windows Explorer, navigate to C:\.
8. Right-click "Recovery", select "Properties".
9. Select "Security" tab.

Figure 10: The security tab of Recovery folder


10. Click "Continue".
11. Click "Add".
12. Add the current user and assign Full control permission.

Figure 11: The permissions of Recovery folder

13. Click "OK" twice.
14. Mount the Microsoft Diagnostic and Recovery Toolset image ISO file.
15. Navigate to D:\Sources, copy the "boot.wim" file.

Remark: This assumes that D:\ is the virtual CD-ROM drive.

16. Navigate to "C:\Recovery\<UID>\", paste the file in here.
17. Delete the "Winre.wim" file and rename "boot.wim" to "Winre.wim".


Figure 12: Replace the original "Winre.wim"

18. Restart the computer and boot into "Repair Your Computer".

Figure 13: The menu of System Recovery Options

DaRT has been added to the Windows RE menu.


Sunday, March 27, 2011

Configure the size limit for both (.pst) and (.ost) files in Outlook 2010

By default, the maximum file size of .pst and .ost files is 50 GB in Outlook 2010, but we can modify this setting through the following registry entry.

Assuming that Windows Server 2008 or above is the domain controller in the production environment.

Prerequisites
Create an OU named People
Move the user accounts into the People OU

1. At the domain controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Expand "Forest > Domains > <Domain Name>", right-click "People", select "Create a GPO in this domain, and Link it here".
4. Under "Name", type "Outlook Policy".
5. Click "OK".

Figure 1: Outlook Policy

6. Right-click "Outlook Policy", select "Edit".
7. Expand "User Configuration > Preferences > Windows Settings", right-click "Registry", select "New > Registry Item".
8. Leave "HKEY_CURRENT_USER" selected.
9. Next to "Key Path", type "Software\Microsoft\Office\14.0\Outlook\PST".
10. Next to "Value name", type "MaxLargeFileSize".
11. Next to "Value type", select "REG_DWORD".
12. Next to "Value data", type the value you want.

Figure 2: MaxLargeFileSize properties

13. Click "OK".
14. Close "Group Policy Management Editor".

As a result, the policy is applied to all users.

Remark: In a non-domain environment, you have to configure the setting with "Registry Editor".

Remark: You may have to create the registry values in "Registry Editor" if they do not exist.


Saturday, March 26, 2011

Configuring home directory for domain users

To configure home directories for domain users, you should add a root share that will contain the user home directories, and configure the permissions on the home folder.

1. At the file server, log in as Domain Administrator.
2. Launch "Windows Explorer", create a new folder named "Home" on the C drive.
3. Right-click "Home", select "Properties".
4. Select "Sharing" tab.
5. Click "Advanced Sharing".

Remark: For Windows Server 2003, you should select "Share this folder".

Figure 1: The sharing option of Windows Server 2003

6. Check "Share this folder".
7. Next to "Share name", type "Home$".

Figure 2: The share name of the folder

Remark: For security reasons, you should use a hidden share.
8. Click "Permissions".
9. Remove "Everyone", add "Authenticated Users".
10. Check Allow "Read" and "Change".

Figure 3: The share permissions of the folder

11. Click "OK" twice.
12. Select "Security" tab.
13. Click "Advanced".
14. Click "Change Permissions".
15. Un-check "Include inheritable permissions from this object's parent".

Figure 4: "Include inheritable permissions from this object's parent" option

16. Click "Add".
17. Remove "Users" in the permission entries.
18. Add "Authenticated Users".
19. In the "Permission Entry for Home", check Allow "Traverse folder / execute file", "List folder / read data", "Read attributes" and "Read extended attributes".
20. Next to "Apply to", select "This folder only".

Figure 5: The NTFS permissions of the folder

21. Click "OK".

Figure 6: The NTFS permissions of the permission entries

22. Click "OK" twice.
23. Click "Close".
24. Launch "Active Directory Users and Computers", select a user's properties.
25. Select "Profile" tab.
26. Next to "Home folder", select "Connect".
27. Next to "To", type \\<Server Name>\home$\%username%.

Figure 7: Home folder path

28. Click "OK".

As a result, the user's home folder is created in the home folder of the file server.
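
The share and NTFS settings from steps 2 to 22 can also be applied from an elevated prompt and then checked. The script below is an added example, not part of the original post; it assumes the C:\Home path and Home$ share name used above, an English group name for net share, and well-known SIDs for the two groups.

```powershell
# Added example, not from the original post. Run elevated on the file server.
# ASSUMPTION: C:\Home and Home$ as in the steps above; English group names.
$Root      = 'C:\Home'
$AuthUsers = 'S-1-5-11'       # Authenticated Users (well-known SID)
$Users     = 'S-1-5-32-545'   # BUILTIN\Users (well-known SID)

function Set-HomeRoot {
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    # Hidden share, Authenticated Users only; Change includes Read (steps 6-10).
    net share "Home`$=$Root" '/GRANT:Authenticated Users,CHANGE'
    # Stop inheriting, keeping the inherited entries as explicit ones (steps 15-16).
    icacls $Root /inheritance:d
    icacls $Root /remove "*$Users"                        # step 17
    # No (OI)/(CI) flags: the entry applies to this folder only (steps 18-20).
    icacls $Root /grant "*${AuthUsers}:(X,RD,RA,REA)"
}

function Test-HomeRoot {
    $acl   = Get-Acl -Path $Root
    $rules = @($acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier]))
    $write = [System.Security.AccessControl.FileSystemRights](
                 'Write, Delete, DeleteSubdirectoriesAndFiles, ' +
                 'ChangePermissions, TakeOwnership')
    $au = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $AuthUsers -and
        $_.AccessControlType -eq 'Allow' })
    New-Object psobject -Property @{
        InheritanceDisabled     = $acl.AreAccessRulesProtected
        UsersEntryRemoved       = -not ($rules | Where-Object {
                                      $_.IdentityReference.Value -eq $Users })
        AuthUsersThisFolderOnly = ($au.Count -gt 0) -and -not ($au | Where-Object {
                                      $_.InheritanceFlags -ne 'None' })
        AuthUsersCannotWrite    = -not ($au | Where-Object {
                                      ($_.FileSystemRights -band $write) -ne 0 })
    }
}

Set-HomeRoot
Test-HomeRoot   # every property should be True
```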

