Creating and using a custom Policy file (adm template)

, , , ,

So you for some reason or other need a custom GroupPolicy template (.adm template) to set some strange setting for some odd software.

You can use a Policy.ADM file to set custom registry values either for your own pc (may seem like a bit overkill) or more likely for your domain.

Well I have created a few of these back in the good old NT4 days and it was not all that difficult once you got the hang of it, and thus when I had the need again lately I was confident I could get it to work without too much of a hassle.

I was wrong :-/

Ok, creating a simple policy.adm file is easy;

policy1

And if you enter a keyname like;
”SoftwarePoliciesMicrosoftwhatever”

Things will work brilliantly, however lets say you want to change some obscure value for the adobe reader!?  This is outside the “Policies” section of the registry.. things will look like this when you enter the GPM MMC console.

policy2

This is where I lost my temper and started cursing at my monitor, see again once I put “Policies” in the keyname everything worked like a charm (but my setting was NOT in the Policy region of the registry)..

So Google to the rescue, it would seem that things have changed since the good old Poledit days, and that you need to do a bit of editor tweaking to get those ‘dirty’ settings available under NT4+ systems now-er-days.

Here is the secret;

policy3 
View, Filtering, “Only show policy settings that can be fully managed”..

Once this is done you can see everything – just like in the good old days 😀

policy4

Also it’s worth noting the other filter settings, I did not even know they existed, now you can actually limit your view to only those settings that are set, and this DO make it a lot easier to overlook the more complex policies.

Good luck making your new policies its easy as pie you know..

Links;
http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/645000852731/inc/-1
http://www.windowsecurity.com/articles/ADM-Template-Repository.html
http://technet.microsoft.com/en-us/library/cc738443.aspx

/by

MRT – the shortcut to Malicious Software Removal Tool

, , ,

MRT1 So you would like to run MSRT manually (the Microsoft Malicious Software Removal Tool, the one that comes once a month from Microsoft via Windows Updates and cleans different infections from your pc), well as written in an earlier post https://readmydamnblog.com/?p=463 you can download a version straight from Microsoft, however it turns out there is an even easier method, simply go to your “start menu”, select “Run” and enter “MRT” and hit enter..

There is even the option to launch it with parameters so you could schedule it to run at regular intervals if you would like.

.

/by

XP Unlimited – cheap alternative to Terminal Services

, ,

Are you using or thinking about implementing a Terminal server then you may know this is neither easy nor cheap.

Well me to the rescue (or well rather a link to the rescue), there is actually a cheaper and easier alternative that will make any Windows XP, 2003 or 2008 into a Terminal server without the expensive TS licensing, read more at;

http://www.xpunlimited.nl

While writing this post I also stumbled across this;
http://www.elusiva.com/products/TerminalServerPro.aspx
(Another TS alternative).

And the older free hack for Windows XP sp2 (dont know if it work after SP3);
http://concurrentremotesessions.netfirms.com/

/by

2X SecureRDP for Windows Terminal Services

, , ,

So you are using remote desktop/terminal services and you are worried about security, well there are several things you can do to secure it among the oldies change the port number from 3389.  But hold on to your horses, now there is a whole range of new options via a new utility from 2x called SecureRDP, here you are presented with options to restrict IP, MAC, Computername and a combination of these.

If you use RDP you NEED to check this out, and best of all its FREE 😀

http://www.2x.com/securerdp/

/by

2000 res kit utilities

, ,

Here’s a link to where you can download Win 2000 resource kit, it contains a bunch of interesting utilities.  One utility in particular is interesting; PassPropthis will help change the restriction so the Administrator account can actually be locked out (not for physical logon, but for remote access), neat..

For the rest or the utilities;
http://www.petri.co.il/download_free_reskit_tools.htm

/by

Recovering from a dead spooler service in windows 2003

, ,

So yesterday I had a go on restoring a dead printer spooler service, a user had tried installing a HP printer using the installation wizard on the CD and something went terribly wrong and crashed the service.

spoolerservice2The service would start but would quickly come to a halt displaying a DEP warning and you would never get anywhere near the printers.

 

 

 

 

spoolservice3I tried reinstalling Windows Server 2003 SP2 in the hope that any corrupted DLL’s etc would be refurbished but to no avail, in hindsight I should have tried SFC.EXE /Scannow (checks vital Windows files) but hindsight is often way too easy 😉

 

 

 

There was no HP Jetdirect or other suspect things to uninstall.

Then I moved to restore the printers using PrintMig (we do have backups handy for just such occations see https://readmydamnblog.com/?p=256) however as the Spooler service was not running this was impossible.

Then the time came to cleanspl.exe from the resource kit for Windows 2003 server, this was a partly success as it actually enabled the service to start – great – but as I just had clicked ‘yes’ to everything even the regular TCP/IP printing was disabled as well as ALL printers (the latter was to be expected as that is what cleanspl.exe does), ok so I tried again restoring the printers backed up with PrintMig and the problems was back the service once again could not start.
spoolservice1Examination of the eventlogs and the registry let me to believe that the culprit was the “HP Standard TCP/IP port” monitor, so after making an export of the registry, I moved to delete ALL but the LPR, Standard TCP/IP Port, USB monitor and local Port under the registry key “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlPrintMonitors”, and sure enough now the spooler service again was up and running. Now I reverted to the exported registry and then repeated the process just removing one monitor at the time, and viola once the “HP Standard TCP/IP port” was gone the service worked fine.

So here are my suggestions if you ever run into a similar problem;
1. Before this ever happens make a backup of your printers using PrintMig

2. Run SFC.EXE /Scannow just to be sure no important windows files are corrupted.

3. Check the eventlog see if you can find any references to a “monitor” name (from the; “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlPrintMonitors” registry key).

4. Make an export of the registry branch;
“HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlPrintMonitors”,

5. Try to delete one sub-branch of the;
“HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlPrintMonitors”,
branch at a time, after each delete try to start the spooler service.

 

A tip to prevent things like this to happen is to avoid all custom “monitors” (specially installed printer management software and ports), use regular TCP/IP and LPR ports whenever possible, sure it’s easier to install using some HP installation wizard but it is often not necessary and your windows installation will love you for not installing all that ‘crap’.

Some helpful links;

http://members.shaw.ca/bsanders/CleanPrinterDrivers.htm

http://www.windowsreference.com/windows-xp/how-to-clean-print-spooler-in-windows-xp2003/

http://www.pcreview.co.uk/forums/thread-3490411.php

/by

Windows Server 2008 R2

logo-ms-ws08-vBefore I even got really started on Windows 2008 Microsoft is releasing a beta of their Windows Server 2008 R2.  My first thought was – well that makes sense as Windows 7 is also in beta, but then I came to think – are they actually related? 

I heard something about “Direct access” that would require Win 2008R2 and Windows 7 to work. 

Anyhow, if you are interested, then you can download the beta via;
http://www.microsoft.com/windowsserver2008/en/us/r2.aspx

/by

Terminal services – too many connections

ts-maxed-out1If you work as a Sysadmin you may have run across the issue where there is no more free Terminal Server “slots” available on a server (As you may know it is possible to connect 3 remote TS sessions against a server, 2 regular and 1 admin/console), this is quite annoying and is often due to one of your colleges forgetting to log out after ending their work on the server (or maybe they had something running that prevented them in disconnecting before the task was done)..

Anyhow, now YOU need to connect via MSTSC and are met with a message stating that TS connections are depleted.  You HAVE to get in, so what do you do?  You can try the Mstsc /Admin (XP sp3/Vista SP1)  or Mstsc /Console (all previous versions) and have it kick whomever is on the console connection (or physically logged on to the server in the server room) – however you may want to be nice and actually have a look and see who is on the server via TS and decide whom to kick.

To do so, goto a command prompt and type;
qwinsta /server:<SERVERNAME>/1

this will produce a list of everyone connected to the server via TS, now you can decide on which connection you want to ‘kill’ and type;
rwinsta /server:<SERVERNAME> <SESSION ID>

For a more detailed description see;
http://weblogs.asp.net/owscott/archive/2003/12/30/46776.aspx

Tnx to Jesper Thulstrup for pointing me in the right direction.

/by

Norton UAC replacement

,

UAC

Many people are tired of the UAC (what is UAC) warnings that pop up ever so often in Windows Vista, every time administrator privileges are required you will be prompted if its ok..  Safer than XP, yes for sure, but also annoying – why can’t it learn like the firewall that only prompts once..  I thought about turning UAC off (which is fairly easy) but again I like the added security.

Well Norton to the rescue, Norton is developing a UAC replacement (free for now) that actually will give you the option to answer “Always allow” to those UAC questions, and if you have a shortcut you launch often its annoying like hell to have to approve it EVERY time – but Norton allegedly solves this by letting you “Always allow” and hence only considder the threat once.  Neat..

More info and free download at;
http://www.nortonlabs.com/inthelab/uac.php

/by

Scheduling issues – back to good old NT4

, ,

In this day in age everything has wizards, this also being true for creating a new scheduled job on a server. 

Now I did not research this in great detail, so bare with me if I overlooked something, but I had problems omitting an account and password when creating a new scheduled job.  I wanted to create a schedule witch would run under the systems account, and let me tell you it got old REALLY fast, damn wizard would not let me create the job.

So back to the good old dos AT command I think, but wait I thought was there not an old utility in NT4 that had some kind of GUI..  Google->Search->Found :-)

ftp://ftp.microsoft.com/ResKit/nt4/x86/winat/winat.exe

So if you like me experience problems with those damn modern wizards, download this and be happy (its even a bit nostalgic to work with an NT4 util again :-))..

/by