Domain Password Change Web Page

25 Feb 2010 In: Windows Server

I’m sure there are a lot of SOE (Standard Operating Environment) projects going on around the world. I’m always interested in how the AD design is done. Definitely, a new AD domain will be created and users will be migrated to this new AD domain.  But… wait, there are still other legacy services, like file shares and applications integrated with AD, that users still need to access.  To solve this issue, at first, a Domain Trust was used to allow users to continue using their legacy resources.  After a while, this wasn’t allowed anymore and each site was left on its own to figure out how to allow its users to continue using their legacy AD domain’s resources.  Don’t you hate it when your water or electricity supplier just cuts off your supply and leaves you to find your own supplies??!!

One way out is to make use of the Windows 2003 IIS Password Change tool (same as the one that comes with Exchange OWA). Follow these steps to get it working.

  1. Start the Microsoft Management Console (MMC) IIS Management snap-in by clicking Start, Programs, Administrative Tools, Internet Information Server (IIS) Management.
  2. Navigate to Web Sites, Default Web Site.
  3. Right-click Default Web Site. Select New, then select Virtual Directory. You'll see the Virtual Directory Creation Wizard Welcome screen.
  4. Click Next.
  5. Enter an alias of IISADMPWD and click Next.
  6. For the actual publish folder value, enter C:\windows\system32\inetsrv\iisadmpwd (where C:\windows is the directory in which Windows is installed). Click Next.
  7. For virtual directory permissions, select the Read and Run scripts check box, if it isn't already selected. Click Next.
  8. Click Finish.
  9. Under Web Service Extensions, make sure Active Server Pages is set to Allow.

You can access the new interface at:

http://<server address>/iisadmpwd/aexp2.asp 

to change a local account password or at:

http://<server address>/iisadmpwd/aexp2b.asp 

to change a domain password.

The figure below shows a sample Web interface for changing a domain password.

[Image: ChangePassword]

* Note: Using IISADMPWD without an SSL connection sends the credentials over the network in clear text.  For this reason it is recommended that you use IISADMPWD over an SSL connection.  Use the “SelfSSL” tool from the IIS6 resource kit to create an SSL certificate. Refer to this article for a step-by-step guide: http://www.visualwin.com/SelfSSL/


Yes, there are tons of tips on Windows 7 in the web.  This is a compilation of what I feel is most useful.

In my earlier post (Using Windows Server 2008 as a Workstation), the same rules apply.  You have to enable the services so that you can unlock the full potential of Windows 7.

Now, time for the tips…

Tip #1: Enable Quick Launch

By default Quick Launch is disabled. I love Quick Launch as it won’t clutter up my Desktop.

1. Right click on an empty space on the taskbar and click on New Tool

2. In the Folder line, type or copy:

%userprofile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

3. Click on the Select Folder button

4. You now have a Quick Launch toolbar on the taskbar. (See screenshot below)
NOTE: Click on the arrow to see your Quick Launch shortcuts.

[Image: Quick_Launch]

Tip #2: Problem Steps Recorder

One of the coolest new tools in Windows 7 is the Problem Steps Recorder (PSR) — especially for those of us who provide tech support to Windows users. No matter how hard they try, users often have problems accurately describing the problem they’re experiencing or the steps they took before or after experiencing it. Sure, Remote Assistance can be a godsend in those situations. But you can’t always connect to the user’s computer in real time. That’s when the PSR comes in handy.

It’s really a type of screen capture software that records all actions — keystrokes, mouse clicks, etc. — and saves the sequence of events in an MHTML page that documents every step the user took, along with screenshots.

You start the PSR by entering psr.exe in the Start menu Search box or at the command prompt. The interface is shown below.

[Image: PSR]

Another usage for this is documentation.  It captures all the step by step actions, therefore all you need to do is just go through the actions and paste it into your docs.  Cool!


BackInfo or BgInfo

27 Oct 2009 In: Windows Server

BackInfo

While attending Microsoft courses, most likely you would have seen the information details on the desktop wallpaper of the machine you are using.  This is a tiny application called BackInfo.exe.

It is a very useful tool that enables you to visibly identify the computer that you are logged on to.  See a sample pic below.

[Image: BackInfo]

It’s part of the Windows Server System Reference Architecture Virtual Environments for Development and Test (WSSRA-VE) Deployment Kit. You can download the kit from the link below and after you install the deployment kit you'll find Backinfo in the \bld\utils directory. (http://www.microsoft.com/technet/itsolutions/wssra/ve/wssra-veintro_3.mspx)

Or to save you the hassle, download it here.

BgInfo

There is also another free tool called BgInfo by SysInternals (Bought over by Microsoft) at http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx 

It basically does the same thing.  So, it’s up to you which UI you prefer :)

How to Install

1. Go to Run > gpedit.msc

2. Put the script under User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon

3. Add the link to the BackInfo.exe

* To prevent accidental deletion, one way is to put it under “C:\Program Files (x86)\backinfo\BackInfo.exe”


Essential Shortcuts

9 Oct 2009 In: Windows Server

There are times whereby I need to go to Start > Control Panel > Network Connections. It’s just too many steps!

So… here are some shortcuts:

- Network Connections: ncpa.cpl

- IIS Manager: inetmgr

- Command Prompt: cmd

- Local Group Policy Editor: gpedit.msc

- Show Desktop: Windows Key + D

- Minimize All Windows: Windows Key + M

- Lock Screen: Windows Key + L

- Windows Explorer: Windows Key + E

- Display Projection: Windows Key + P (Windows 7 only)
[Image: DisplayProjection]
The Display Switch settings box lets you quickly change how you want your desktop displayed.


Remember those days when disk space was limited and one of the ways to cope was to delete those $NtUninstall folders that contain the uninstall information? It helped a lot to free up valuable disk space on the C:\ drive.

However, in Windows Vista/2008, MS moved it to another location and I really had a hard time finding it until I came across a web site that finally has that information! My C: drive has 30GB but it’s running out of space.

Well, here are the steps:

Step 1: Deleting C:\Windows\SoftwareDistribution folder

1. In the Start menu search box, type "services.msc" and press Enter

2. Stop the Windows Update service (leave the window open - you will restart the service in step 4)

3. Navigate to your Windows folder (C:\WINDOWS) and delete the folder named "SoftwareDistribution"

4. Restart the Windows Update service

5. Open Windows Update

6. Ta-da! Windows Update states that you have never checked for updates! Simply click "Check for Updates" and you're ready to begin installing updates!

Step 2: Use msizap to remove orphaned cached Windows Installer Data Files to increase free disk space

Msizap is a command-line tool that can delete the configuration data that Windows Installer maintains for products that it installs, including the directories, files, registry subkeys, and registry entries in which Windows Installer stores configuration data.

Running msizap.exe with the G parameter removes orphaned cached Windows Installer data files for all users. Running this command on an old Windows XP machine allowed me to reduce the size of the C:\Windows\Installer directory from 3.6GB down to 875MB.

This computer had so many orphaned files due to the constant installation and uninstallation of software such as Java, Flash, Acrobat Reader, and other utility software over the years. Yes, orphaned files persist on your hard drive despite following proper uninstall procedures.

To run msizap, login to the machine as an administrative user and launch a command window. Navigate to the directory that contains msizap.exe, then type the following command:

msizap !G

The G option removes the orphaned cache files, the exclamation point forces a ‘yes’ response to any prompt.

While removing orphaned files should not have any negative impact on your Windows installation, be aware that msizap is a powerful tool that can cause problems if used incorrectly.

Msizap can be downloaded as a part of the Microsoft Windows Server 2003 Support Tools or the Windows Installer CleanUp Utility. I was unable to find the Windows Installer CleanUp Utility by searching Microsoft’s download site, so note that as of today the file’s name is msicuu2.exe if the above link goes dead in the future.

After you’ve installed the Windows Installer CleanUp Utility, it can be found at “C:\Program Files (x86)\Windows Installer Clean Up” folder. Navigate to this folder and run the following command:

MSIZAP !G

If you don’t want to install the Windows Installer CleanUp Utility, use a program such as Universal Extractor (aka UniExtract) to extract the individual files. Once you extract the files, you’ll notice msizap.exe does not exist, but you will find MsiZapA.exe and MsiZapU.exe.

There are two versions of MSIZAP.EXE: MsiZapA.exe (for use in Windows 95, Windows 98 and Windows ME), and MsiZapU.exe (for use in Windows NT, Windows 2000, Windows XP, and Windows Server 2003). The appropriate executable should be renamed MsiZap.exe.

Current msizap.exe options are as follows:

Usage: msizap T[WA!] {product code}
msizap T[WA!] {msi package}
msizap *[WA!] ALLPRODUCTS
msizap PWSA?!

* = remove all Windows Installer folders and regkeys;
adjust shared DLL counts; stop Windows Installer service
T = remove all info for given product code
P = remove In-Progress key
S = remove Rollback Information
A = for any specified removal, just change ACLs to Admin Full Control
W = for all users (by default, only for the current user)
M = remove a managed patch registration info
G = remove orphaned cached Windows Installer data files (for all users)
? = verbose help
! = force ‘yes’ response to any prompt

For more information on the Windows Installer Cleanup Utility and msizap.exe see KB290301.


“Money is the root of all evil”

I have a customer who has a SQL 2005 cluster in the DMZ zone. However, to save cost, they installed Active Directory on the clustered nodes since a SQL 2005 cluster needs domain accounts in order to function. Everything ran fine until they decided to run another SQL cluster joined to this domain. Problems surfaced when this 2nd SQL cluster couldn’t fail over as the SQL services couldn’t be started.

Microsoft has stated that they do not support installing a SQL 2005 cluster on a domain controller (http://support.microsoft.com/kb/915846/en-us). Nevertheless, there will still be someone who will try to do it and hope for the best that it works and hurray, they managed to save cost without having to buy & maintain another 2 sets of DC. But… when problems occur… well, you know the story.

This sets me on another track. What if we were to set up a Hyper-V or VMWare DC in each of the cluster nodes? Would this work? And since the DC and SQL Cluster are now “logically separated”, will Microsoft support this architecture? Hope someone who has done this and gained MS support can let us know. Thanks in advance.


I stumbled upon this web site http://blogs.msdn.com/clustering/ and am amazed at how much info you can find there!  It’s simply amazing… a dedicated web site all on clustering only. Forget Google… well for once only :)


Microsoft Support Lifecycle

31 Mar 2009 In: Windows Server

I have never put much thought into this until one of the sites I’m handling doesn’t really like keeping up-to-date with MS patches.  To them, application stability and uptime is much more important… until the Conficker Worm threat becomes a huge concern.

This Conficker worm affects all Windows editions but if you look at the link http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx, you won’t be able to find any patch download for Windows Server 2003 RTM edition or Windows XP SP1.

After some Googling, I’ve found this: http://support.microsoft.com/?LN=zh-sg&scid=gp%3B%5Bln%5D%3Blifecycle&x=15&y=5#ServicePackSupport.  This site explains why. 

“When a new service pack is released, Microsoft will provide either 12 or 24 months of support for the previous service pack”.

Other than the Windows family, which gets 24 months of support, all other products get 12 months.

Based on the above, Windows Server 2003 SP2 was released on 13th March 2007 and therefore Windows Server 2003 SP1 support will end on 13th March 2009.  The MS08-067 was released on 23rd October 2008.  Therefore, this version of Windows is still supported.

Now, let’s take Windows Server 2003 SP1.  SP1 was released on 30th March 2005. Theoretically, the support for the RTM version will end on 30th March 2007. Thus, this explains why MS08-067 doesn’t support the RTM version!

Now, this is an excellent example to use when you have customers who don’t like to patch their servers.


MBSA is a free tool by Microsoft that scans a server to determine its security state compliance. The main feature I use is the ability to scan for missing MS patches. Usually, we need to compile the list of missing patches and pass it to the Application team so they can test whether any of the patches affect or break their applications.

I decided to post this because I thought that every System Administrator should already know about this great tool, but I was wrong. One of my customers requested this list and none of the System Admins knew how to go about it.

Syntax

mbsacli.exe /target webserver /catalog c:\mbsa\wsusscn2.cab /n password+iis+os+sql /nvc /nd /rd c:\mbsa

These are the switches I’ve chosen:

/target webserver: This is the server I am scanning
/catalog c:\mbsa\wsusscn2.cab: This is the update cab I downloaded
/n password+iis+os+sql: This is telling MBSA which scans NOT to perform. I just want to know about updates
/nvc: Do not check for new version of MBSA
/nd: This is telling MBSA not to download updates
/rd c:\mbsa: This is the directory for my report

For more details on these and other available options use mbsacli /?

Ways to download wsusscn2.cab for offline use in a secured environment

Today, most places would have blocked Internet access on the servers in a Data Centre. Here are a couple of ways to download a copy of wsusscn2.cab for offline scanning.

Method 1:
1. Run mbsacli.exe by itself on a machine with Internet access. It will automatically download the wsusscn2.cab file and save it into either of the following folders:

  • C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\   
  • C:\Users\<username>\AppData\Local\Microsoft\MBSA\2.1\Cache

Method 2:
1. Download it from http://go.microsoft.com/fwlink/?LinkId=76054
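
The catalog decides which patches MBSA reports as missing, so it is worth validating the copy you carry into the data centre. The following is an added example, not part of the original post: it checks the file's Authenticode signature and records a SHA-256 hash to compare after the transfer. It assumes PowerShell 4.0 or later; the function name Test-ScanCatalog is hypothetical.

```powershell
# Added example: validate wsusscn2.cab before and after moving it to the offline network.
# Assumes PowerShell 4.0 or later (Get-FileHash); Test-ScanCatalog is a hypothetical name.

function Test-ScanCatalog {
    param(
        [string]$Path = 'C:\mbsa\wsusscn2.cab',
        # SHA-256 recorded on the download machine; leave empty on the first run.
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "Catalog not found: $Path" }

    # The catalog is Authenticode-signed; a truncated or altered file fails validation.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path              = $Path
        SignatureStatus   = $sig.Status
        Signer            = $signer
        SignedByMicrosoft = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
        Sha256            = $hash
        HashMatches       = if ($ExpectedSha256) { $hash -eq $ExpectedSha256 } else { $null }
        FileDate          = (Get-Item -LiteralPath $Path).LastWriteTime
    }
}

# On the Internet-connected machine: record the hash that travels with the file.
# Test-ScanCatalog -Path .\wsusscn2.cab
# On the offline server: confirm nothing changed in transit before running mbsacli.exe.
# Test-ScanCatalog -Path C:\mbsa\wsusscn2.cab -ExpectedSha256 '<hash recorded above>'
```

On a server with no Internet access the signature check may not be able to complete certificate validation, in which case the hash comparison is the check to rely on.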


Recently, there have been a lot of security guidelines being passed down from the various security related agencies and from the auditors about USB thumb drives and HDD drives being plugged into the workstations or notebooks.  Their concerns are that restricted information may be copied out to these removable media and taken out of the office.

Well, a long time ago I implemented USB restrictions in Windows XP SP2 to prevent users from plugging in their removable USB media and to stop them from burning to writeable CDs. Because of these new guidelines, I recently had to go back and dig out this piece of information.

Hope this saves you some time having to ask Mr. Google.

1. How to disable USB ports to prevent Removable Storage Devices from connecting

You want to prevent users from connecting their removable media to the USB ports.  This procedure will show you how to disable USB ports to prevent Removable Storage Devices (e.g. USB thumb drives, external HDDs) from connecting. But not to worry, it will still allow USB mouse operation.


1. Deny permission on the files usbstor.pnf and usbstor.inf, located at %systemroot%\inf (Note that this folder is hidden, you will need to "Show all hidden files" in File Explorer)

* Remove all users from the permission lists and add "System" to "Deny All"

2. Set the Start value to hexadecimal 4 in the Registry at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

2. Disabling CD-ROM & Floppy Drives

2.1 How to disable CD-ROM

Set the Start value to hexadecimal 4 in the Registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom

This will also prevent users from connecting an external USB CD/DVD-Writer to the system.

2.2 Remove CD Burning Features

Use GPO settings to remove CD burning feature:

Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features

* Windows Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC.
* If you enable this setting, all features in the Windows Explorer that allow you to use your CD writer are removed.
* If you disable or do not configure this setting, users are able to use the Windows Explorer CD burning features.

  • Note: This setting does not prevent users from using third-party applications to create or modify CDs using a CD writer.

2.3 How to disable Floppy Drive

Set the Start value to hexadecimal 4 in the Registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk

3. Prevent Writing to USB Storage Devices

If you still want to allow your users to connect their USB media but prevent them from writing, this is what you will have to do.

Prevent Writing to USB Storage Devices via registry setting. Only works for Win XP SP2.
1. Start the Registry Editor
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key
3. If there is no key called StorageDevicePolicies, create it. You do this by right-clicking the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key, and selecting New > Key from the menu.
4. Select the StorageDevicePolicies key
5. From the menu select Edit > New > DWORD Value
6. Name the new value WriteProtect
7. Right-click the WriteProtect value and choose Modify
8. In the Value Data: box enter 1
9. Exit the registry editor, and restart your computer
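
A read-only audit of the settings from sections 1 to 3, as an added example that is not part of the original post: it reports each registry value and whether the usbstor.inf and usbstor.pnf files carry a Deny entry for SYSTEM. It assumes PowerShell 3.0 or later and an English-language name for the SYSTEM account; the function name Get-RemovableMediaAudit is hypothetical.

```powershell
# Added example: read-only audit of the removable-media settings from this post.
# Assumes PowerShell 3.0 or later; Get-RemovableMediaAudit is a hypothetical name.

# Registry values the post sets, relative to HKLM:\SYSTEM\CurrentControlSet.
$RegistryChecks = @(
    @{ Control = 'USB storage driver disabled'; Key = 'Services\UsbStor';  Name = 'Start'; Want = 4 }
    @{ Control = 'CD-ROM driver disabled';      Key = 'Services\Cdrom';    Name = 'Start'; Want = 4 }
    @{ Control = 'Floppy driver disabled';      Key = 'Services\Flpydisk'; Name = 'Start'; Want = 4 }
    @{ Control = 'USB storage write-protected'; Key = 'Control\StorageDevicePolicies'; Name = 'WriteProtect'; Want = 1 }
)

function Get-RemovableMediaAudit {
    $root = 'HKLM:\SYSTEM\CurrentControlSet'

    foreach ($check in $RegistryChecks) {
        $path   = Join-Path $root $check.Key
        $prop   = Get-ItemProperty -Path $path -Name $check.Name -ErrorAction SilentlyContinue
        $actual = if ($prop) { $prop.($check.Name) } else { $null }
        [pscustomobject]@{
            Control  = $check.Control
            Target   = "$path\$($check.Name)"
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Expected = $check.Want
            Applied  = ($actual -eq $check.Want)
        }
    }

    # Step 1 of the USB procedure: a Deny entry for SYSTEM on the driver INF/PNF files.
    foreach ($file in 'usbstor.inf', 'usbstor.pnf') {
        $path  = Join-Path $env:SystemRoot "inf\$file"
        $deny  = @()
        $state = '<file not found>'
        if (Test-Path -LiteralPath $path) {
            $deny = @((Get-Acl -LiteralPath $path).Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*\SYSTEM'
            })
            $state = if ($deny.Count) { 'Deny ACE for SYSTEM' } else { 'no Deny ACE for SYSTEM' }
        }
        [pscustomobject]@{
            Control  = "Driver install blocked ($file)"
            Target   = $path
            Actual   = $state
            Expected = 'Deny ACE for SYSTEM'
            Applied  = ($deny.Count -gt 0)
        }
    }
}

Get-RemovableMediaAudit | Format-Table -AutoSize
```

Sections 1 and 3 are alternatives, so a machine that only write-protects USB storage will show the UsbStor rows as not applied; that is expected.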


About this blog

This is the code related blog of Paul Lim. I will try to post codes that I use daily for my work. Hopefully, it may help you out someday... :)

