Man, I haven’t posted in ages! Well, here’s something I want to remember for later. Force a computer to logoff at a particular time, but still allow logons later. Using Active Directory, I think, will force a logon schedule and dissallow users from logon if not within scheduled times.

On the computer you want to force logoff, open the C: drive and create a text file. Then rename it to, force-logoff.bat
Be sure you can view the extensions, or it will hide the .txt at the end and this wont work. (it can’t be force-logoff.bat.txt, which is what you’ll get if you have “hide extensions of known file types” selected)
Then right click, edit.
Put this in the file and save it.

PsShutdown.exe -o -f

After that, find PsShutdown.exe and copy/paste it into the C:\Windows dir on that system. Get it from here:
http://download.sysinternals.com/Files/PsTools.zip
You’ll have to unzip that and get the Psshutdown tool out of it.  I usually just put all the Pstools in the Windows directory anyway, it’s handy to have.
Then to test, just double click the force-logoff.bat file and it should log you out.  NOTE: The first time you run any of the PSTools, you’ll get a little EULA and you’ll need to agree to the terms.  Not big deal, then after that you won’t get a popup.

Last, make a schedule for it to run every day at your desired time.

Here’s the link to the Microsoft site regarding PsShutdown command line usage.

http://technet.microsoft.com/en-us/sysinternals/bb897541.aspx

Well for the larger businesses out there, this may not be a useful tip. But for those of us that support small networks, like less than 50 or even 10 systems, utilizing shares on workstations is sometimes needed. For example, I have servers in most all of my networks, and their hard drives are fairly large, but I don’t want to save all my downloads and application CD’s on the server. With newer workstations loaded with larger drives than servers sometimes, I’d rather make use of that space there. Not with the main, business critical data, but only things that are not needed for backups or maybe read only archives. These 500+ GB drives give us a ton of space, and when you only have less than 10 people accessing this data periodically, this makes perfect sense. Constant read/write access with lots of users would require the server, rarely accessed stuff goes on a workstation.

Here’s the problem I ran into though. I like to use DFS and create a single shared, mapped drive for all the users. In there I might have a couple shares pointing to workstations. On XP SP2, this works fine, EXCEPT if you are accessing the DFS link from the system where the share resides. You will get an Access Denied error, even with all the correct permissions.

Here’s a registry fix that will overcome the issue.
(Remember, use the registry at your own risk. Back it up if you must. Heck, backup your whole system!)

Open this key on the XP system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup\Parameters

Add a DWORD value:

EnableDfsLoopbackTargets

Change its value to 1.

Reboot the system.

Your share should now be working from DFS mapped drive from the local system. (the local system where the share is located.)

Some RAID controllers are not what I call *true RAID* drive controllers. They may have a hardware controller, but they run kind of a fake RAID on the host OS. It’s not really software raid, but the RAID is dependant on the OS.

This, as you might guess, causes some problems when we want to do some fun stuff on the system drive while we are not actually booted into the OS. Like when we want to restore an image of the C: drive! That’s ok though, we’ve got a work-around.

BIG NOTICE, DISCLAIMER, OR WHATEVER….

This is based on a RAID1 mirror.
My RAID controller allowed me to build the array based on one of my drives, yours may not.
Do this at your own risk.
Make sure you have a backup. (DUH!)
If you lose your data, it’s your fault.
Your mileage may vary.

Assuming you have made your image successfully already, here’s what we do. The trick is that you must turn off the RAID functions and break the array first. So that your drives look like they are single drives in the system. Delete the partitions you will be reimaging over. On my server, it was just an onboard BIOS setting.

Boot the system into a PE boot disc. You can get a free one called: Ultimate Boot CD for Windows. It’s a doctored up PE Disc, but you’ll need to “build” it. They have great instructions for that on their site. (just Google it) Anyway, you boot into this, and right when the CD starts to boot, you see the “Press F6″ option, like you see when you do a new Windows install. Insert your floppy disc and load the drivers when it asks. Then it will boot to a custom version of XP.

The PE disc should load and see your C: drive. Make sure you open Drive Manager and create your C: drive again. Only DON’T FORMAT it or make a drive letter. Now open Drive Image XML and load the image you made, and recover it to that C: drive.

Reboot when complete and before Windows loads, open the BIOS or RAID controller and turn on the RAID again. On my controller, I was able to recreate the Mirror by building off the first drive. Let that process complete and reboot. Your system should boot right to that image.

The keys to making this work was:
Make the drive appear as a single drive again, turn off RAID in the BIOS or Controller.
Drive Image XML always crashed on me, even if I loaded the drivers at the F6 prompt. It couldn’t deal with that Host based RAID. (but it appeared fine!)
After image is restored, turn on RAID1 again and build your array based on the newly imaged disk BEFORE you boot back to that drive in Windows.

MSTSC V6, both in XP and Vista, now asks for credentials EVERYTIME you connect! I want the server to ask, not the client! Add this line to the Default.rdp file located in your My Documents folder.

enablecredsspsupport:i:0

Also:

authentication level:i:0

You may need to save as another name, then

rename the Default.rdp and replace the file.

=========================

Below are the default.rdp contents as set above

=========================

screen mode id:i:2

desktopwidth:i:1024

desktopheight:i:768

session bpp:i:32

winposstr:s:2,3,0,0,800,600

full address:s:venus

compression:i:1

keyboardhook:i:2

audiomode:i:1

redirectprinters:i:0

redirectcomports:i:0

redirectsmartcards:i:1

redirectclipboard:i:1

redirectposdevices:i:0

displayconnectionbar:i:1

autoreconnection enabled:i:1

authentication level:i:0

prompt for credentials:i:0

negotiate security layer:i:1

remoteapplicationmode:i:0

alternate shell:s:

shell working directory:s:

disable wallpaper:i:1

disable full window drag:i:0

allow desktop composition:i:1

allow font smoothing:i:1

disable menu anims:i:0

disable themes:i:0

disable cursor setting:i:0

bitmapcachepersistenable:i:1

gatewayhostname:s:

gatewayusagemethod:i:0

gatewaycredentialssource:i:4

gatewayprofileusagemethod:i:0

drivestoredirect:s:

enablecredsspsupport:i:0

When opening files on the network over mapped drive OR UNC, you receive a “publisher” or “security” warning before running the file. Very annoying.

In IE, you add the server or domain to your “local intranet” security zone. In my case, my server was: main.domain.local
It was mapped on O: drive.

 

So in the zone I added:
\\main
O:\
domain.local
\\domain.local

That took care of all kinds of connections.

On a domain wide setting: In active directory, I added a group policy for the file types of moderate security.

Go to a domain policy, I did the Default Domain Policy on mine. > Open User Configuration > Administrative Templates > Windows Components > Attachment Manager.

And edit the item: Inclusion List for Moderate Risk file types

Add: .doc;.xls;.exe;.pdf
(just the most common, you might want more)

Add the type you want to exclude from the security warning. Reboot the client computer, or run gpupdate on it to get the new policy. Problem went away for me!

I am not expert on these things (encryption), but I have done some reading and found some issues with Encrypted File System I don’t like. I may not describe the issues correctly, so this is just my opinion more than anything.

1. In Windows 2000, don’t even bother. It can be bypassed with their recovery agent or administrator. So if you lose your laptop, the data can be accessed.

2. In XP, it is better and more secure. I think there is no data recovery agent, but I think a local administrator account on a non-domain install of XP will still have the private keys.

3. The private keys are on that hard drive!

4. You still see all the files. The file names are all viewable, and that may be a security risk for some companies. It’s better than nothing, but I don’t like that too much.

5. You can’t encrypt the whole system. Or a whole partition for that matter. You must encrypt a folder, and at that, only the files in that folder are encrypted.

6. Here’s the one I like least… with EFS, when you open a file, it is decrypted to a tmp file. This file is deleted once you finish with it, but as you know, files are not “wiped” from the drive when they delete, they just remove the pointer to it. So unless data is overwritten in that place of the drive, that data is accessible to anyone. If you had a spreadsheet with SSN’s or credit card numbers, and you just happen to lose your system to someone who knows what to do with it, you got a big problem!!

7. There’s more, I just can’t think of them.

Anyway, after doing some reading… I found that Bitlocker in Vista will be a very nice solution. But you have to buy Enterprise or Ultimate versions of Vista to get it. Bitlocker can encrypt the entire OS partition. Now that is nice! That is exaclty what we wanted! And if you set it up correctly, using a key or PIN at boot, it will make an extremely secure setup. One drawback, you can only encrypt the partition the OS is on, not other partitions. You’ll need to use normal EFS for them.

That’s nice, but I have Vista Business. And I don’t want to spend more money right now. Plus, on my main system and pretty much all my clients, they have 2000 and XP. Guess what I found to get me by? TrueCrypt. www.truecrypt.org. Nice product!! And it’s open-source and free!!!!

With TrueCrypt, you can password protect an entire partition with AES 256-bit encryption. You can use multiple ciphers and even key based access using a USB drive. (Bitlocker can do the USB drive thing too!) It’s a tiny program running in the systray. And in my case, I am just running a password authentication and 256bit AES on a separate partition, so my performance is pretty good too, though not as fast without encryption. Now, with XP I will be making redirections to My Documents to that private drive, and saving all my “work-in-progress” there. That, to me, operates reasonably, and pretty darn secure. I could do more to secure it, like use a key file on my usb key drive. Then you cannot get into any of my private data without the key drive inserted! But I need to test that first.

TrueCrypt can also create a virtual drive from a file.� That might be handy, but performance is just a little slower that way.� It cannot encrypt your OS partition though, which is a drag, but at least I can encrypt a separate partition and you cannot see the file system structure.� It has a lot of neat features. Definitely worth trying if you want lock down things.

All the logical fixes didn’t work. Reinstall, removed ide drivers, reinstalled again, no worky.

I was getting an Error code 39 (and 37 on another machine), and the DVD/CD drives would not show up in Windows.

“Windows cannot initialize the device driver for this hardware. (Code 37)”

The problem seems to be caused by CD Burner software that is not loading or installed properly. It’s odd because I’ve found this on several machines lately.  It occurred to me that there are a lot of programs now that can burn CD or DVD.  Itunes, or other music programs for one, they are very common now.  But there’s other things, like some accounting software that can backup to CD.  You have to watch for any of them that might install their own burning capability.

The solution was to remove the upperfilters and lowerfilters in the registry key below:

Find  "UpperFilters" and "LowerFilters" values in this key and delete them:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

After that, I uninstalled the device in Device Manager, and scanned for new hardware.  The drive came right back up!

More details on this page:

http://support.microsoft.com/default.aspx/kb/314060

Event ID 40960 and 40961

“The Security System detected an attempted downgrade attack for server…”

In my case, when we logged the user in and opened Windows Explorer to a network share, we received an error. “The system detected a possible attempt to compromise security.” Then in the event logs, we saw the errors above. Turned out, a previous administrator saved a logon password under this user account. To remedy, you must open Control Panel, User Accounts, and then the Advanced tab. Then click the Manage Passwords button. In there, you can set and modify network passwords for specific servers. (a feature I never knew existed!) Sure enough, the server we were connecting to was in that list and set to the name of an ex-admin. Removed that item, and problem solved!

I was using a Jetdirect print server (parallel) to an HP 960c printer.  I got Event ID 6161 when printing with a  non-admin user and the spooled docuements said Error.  The fix was to set the Jetdirect TCP/IP port on the  server as the IP address of the Jetdirect, NOT THE HOSTNAME.

Also, quick check, give full control to c:\windows\system32\spool directory.

This used to drive me nuts. Go to Group Policy, set the Last Username display setting to enabled, and you still see the username at logon. What? Most sites you find when searching for this will tell you to adjust the policy (group or local). OR, they will tell you to remove the DefaultUserName in the registry. For some reason, these do not always work, and I haven’t figured out why. (particularly on a domain controller.)

Anyway, here’s the trick. Keep in mind, that this will disable the last logged on user at ALL logon prompts, terminal (RDP) logons and local console logons.

To make sure that the last username does not show at logon screen go here:

HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon

In there, make sure there is a value for:

DontDisplayLastUserName

It should be a REG_SZ type: String value. So, if it’s not there, add it, and make the value = 1

That’s it.

BIG NOTE: I have not tested this on a domain controller yet. But I think this will do it. It works great on 2000 Server (non-DC) and on XP Pro.

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoClose
Type: REG_DWORD
Value: 1

This will disable the Shutdown command on the start menu.

On the shutdown registry hack above/below, put it in HKLM to affect the whole server/dc/workstation.

You know, I just want it to work! I am not sure what the details are regarding the WebDAV functionality in Windows XP and why it doesn’t work properly. I just know that I want to connect to my Zope server and transfer/edit files. There is something in the OPTIONS header that causes the Web Folders to fail when you try to setup a new “Network Place” in XP.

It’s worth mentioning that it DOES connect fine to Apache or IIS, just not Zope. Hmmm… Maybe Zope is broke? I don’t care. I just need, and want, to use Zope and DAV, and the nice web folders in XP does not work.

I downloaded some trialware WebDAV client and tested a connection to Zope, it works fine using XP, so I know it was just the Microsoft implementation of DAV. I believe you can find results on a Google search for “options” “webdav” “xp” “unable to connect” to see what I mean. XP also has a problem if you connect to a server and need to open in a subfolder. (as opposed to the root) I ran into a site that said you could use a net use command, that would be sweet, but if your server doesnt communicate MS style, it still wont work. I tried it with Apache, still wouldnt work. (map a drive example: net use x: http://someserver.com/folder password /user:username)

Every Windows based DAV client I found was a commercial product. I want something free. So, I thought, maybe I could just build a simple drive mapping app in VB.NET that utilized some DAV API. Hmm… did some searching and BAM! I found Novell’s Netdrive!

Novell has a WebDAV client for use on their IFolder product, but it works on other DAV servers. Wow, this is perfect! It connects right to the Zope server with no problems. You install it, add a new site, and it adds a new mapped drive to Windows Explorer. Very COOOOL!

You can find it by searching the Novell support pages. Thanks for the great product Novell! I think I’ll have to try out your new Linux servers.

PS. I was able to open and edit files just fine from XP on a Zope. I could copy from one server and paste to another, mostly. There seems to be some kind of failure when doing a copy of ZSQL methods. But, for the most part I can work around that. Just having a mapped drive to Zope is awesome!

EDIT: 2005-03-04
I did some testing and have found that this solution does not work perfectly with Zope. When you edit a dtml document, for example, the DAV client sends back a simple text document, which will not parse correctly in Zope. As a result, don’t use Netdrive to edit your objects, unless you find out why it saves the object incorrectly. Use it for copying objects though, works pretty good.

Edit: 2005-12-29
Using Netdrive with Apache for PHP use works beautifully! I use it all the time now, it’s like having a slow hard drive to my web server!