Administering Windows Servers

Here are my notes on Administering Microsoft's Windows 2008/2003/2000/NT4 Servers. (I'm not done updating this for Windows 2008 yet)

Topics this page:

Permissions: ACLs

Site Map  
About this site  

Factoids (by the numbers)

Subject	Windows 2003/2000	NT4
Maximum cluster size of compressed NTFS5 partitions	4 KB	N/A
Maximum size (GB) of FAT32 partition with 4KB clusters	8 GB
Maximum size (GB) of FAT32 hard drive partition	32 GB
Maximum size (GB) of FAT16 hard drive partition	4 GB
Maximum size (GB) of NTFS hard drive partition	75	64
Maximum # of Characters in User Account name	20	15
Maximum # of Characters in User Password	127	8
Maximum # of Characters in domain controller FQDN	155
Maximum # of Characters in Active Directory DNS domain name	64
Maximum # of Disks in a Spanned Volume	32
Maximum # of drives in a RAID-5 array	32
Highest Application Thread Priority level	31
Highest Document Priority assigned to a print job	99
Lowest Document Priority assigned to a print job	1
Maximum # of Dfs links assigned to a Dfs root	1,000
The maximum # of concurrent connections allowed to a computer	10

Download Windows 2003 SP2 (32-bit x86) and keep it handy if you don't have the DVD media.

what is windows 2003?
Here's also a Windows comparision chart as well as a Windows starter plan and more information on Microsoft exchange server hosting.

Microsoft's Distributed Systems Guide has dozens of richly illustrated pages on Active Directory and Distributed Security.

Microsoft's Server Resource Kit Supplements

SupportLive Chat: Microsoft Windows 2000 Server and Windows 2000 Professional: February 20, 2001

Tasks

Task	Windows 2000	Windows NT	Windows 98
Windows Explorer	Programs | Accessories	Programs	--
Command Prompt	Programs | Accessories	Programs	--
Administrative Tools	Settings | Control Panel	Programs	--

Manage Compression

Apply compression either through Windows Explorer or from the command line (batch process) with the COMPACT.EXE utility. Through Windows Explorer, you can compress an entire partition, folder, or file. Compression applied at the partition or folder level can be inherited by subfolders and files or just applied to the parent partition or folder. If the compression fails initially because a file targeted for compression is opened by another process, this utility will ensure that the compression procedure completes in the background.

Launching Applets in Windows Control Panel...

• Addusers Automates Creation of a Large Number of Users
• Batch Add Accounts Without Forcing a Password Change at Next Logon
• Use tools described in Rktools.hlp file in Windows NT Server 4.0 Resource Kit Supplement 3 to migrate (export) objects among domains:
  • Subinacl.exe substitutes (replaces) security identifiers in access control entries by obtaining security information on files, registry keys, and services, and transfers this information from user to user, from group to group, and from domain to domain.
  • Addusers.exe imports and exports user and group accounts from one domain to another.
  • Rmtshare.exe remotely creates or deletes shares and grants access to shares.
  • Permcopy.exe copies share permissions from one share to another.
  • Scopy.exe copies NTFS file and folder permissions from one share to another (does not copy share permissions.)

Executive Software's Undelete 2.0 $235 product makes sure that files are captured into a Recycle Bin when they are deleted from network shares, through the Command Line, or from within a program.

Mark Minasi publishes a free newsletter and presents seminars based on his highly rated and best-selling book: Mastering Windows 2000 Server, 3rd Edition

SecurPass Reset is a self help utility that enables end-users who forgot their password, or accidentally got locked out of their own accounts, to reset their own passwords and re-enable their own accounts via a web application, without Help Desk intervention.

Areas of Security Setting

Area	/area	Count
Account Policies	USER_MGMT	14
Local Policies:	SECURITYPOLICY	14
Audit Policy	USER_MGMT	9
User Rights Assignment	USER_RIGHTS	34
Security Options	DSOBJECTS	39
Event Log	USER_MGMT
Restricted Groups	GROUP_MGMT
System Services	SERVICES
Registry	REGKEYS
File System	FILESTORE

Rights grant the ability to perform (do) an action such as login.
Permissions grant access to a resource such as a folder, file, or printer.

In the Group Policy hierarchy, Security settings are under Computer Configuration, Windows Settings.

The Security Options node is contained in the Local Policies node.

Local machine policies can only contain security settings for Account Policies and Local Policies. Domain Policies

Details on each security policy is shown here. In each list:

• The Default column note values from the “setup security" template that defines Out-of-box security settings.
• The Recommended column note values from various templates.

Policies created on Windows 9x will not work with Windows 2000.

Security Toolkit

The Microsoft Security Configuration Tool Set consists of several MMC snap-ins.
• Security Templates MMC
• Security Configuration and Analysis MMC snap-in performs interactively what Secedit.exe CLI does in batch mode.
• The Security Settings Extention to the Group Policy Editor MMC



Download this Visio 2000 file.

.inf Configuration Templates

Default templates are stored in the %SystemRoot%\inf folder:

Defltsv.inf on Windows 2000 servers
Defltwk.inf on Windows 2000 Professional

View these templates using the Security Templates MMC.

The Security Configuration and Analysis MMC snap-in performs interactive what Secedit.exe CLI does in batch mode. Both configure policies into the GPO registry. They import templates into a temporary security database suffixed by .sdb file extension. Operations common to both tools are prefixed with a slash /. The default database is %windir%\security\database\secedit.sdb for administrators or %userprofile%\secedit.sdb for users.

Stored Configuration File in Registry

Windows 2000 services reference stored configuration files stored in each machine's Registry. So, a policy can be set to a particular Registry entry. Question: What takes precedence???

“Analyzed System Settings"

Members of the Group Policy Creator Owners group can create and modify GPOs for a domain, but can't link them. By default, only Domain Admins and Enterprise Admins have authority to link GPOs to domains and OUs. Only Enterprise Admins have authority to link GPOs to sites.

Step-by-Step Guide to Using the Security Configuration Tool Set

Secedit.chm help file

Groups

Action	Group to use
Assign permissions and rights to local domain resources	Local
Give rights to users from another domain	Local
Combine groups	Local
Allow users access to Windows NT Workstations or NT servers in a domain	Global
Export user to another domain	Global

• Security groups can be granted permissions (such as Printer Permissions):
  • container object permissions
  • individual object permissions
  • attribute object permissions
• Distribution groups cannot be used to grant permissions, only to send email.
• A group can only belong to a single OU.
• Unlike NT4, Windows 2000 allows groups to be renamed.

Scope of BUILTIN Groups

Group Scope	User Login from	Can use resources in	In Global Catalog?	BUILTIN Groups
Local	local machine	local machine only	No	Administrators Users Guests Power Users
Domain Local	Local domain	Local domain	List of groups but NOT Memberships	Administrators Account Operators Backup Operators Server Operators
Global		Any domain		Domain Admins Domain Users Domain Guests Enterprise Admins
Universal	Any domain		List of groups and Memberships	Replicator ???
-	-	SQL, MTS	-	MTS Trusted Impersonators

Domain Local Groups

• are valid only on a single (local) domain
• used to assign permissions in the local domain.
• Can contain users and Global groups, including Global groups from other trusted domains.

  To add, display, or modify local groups on workstations:

  NET LOCALGROUP
  Aliases for \\WS1
  ----------------------------------------------
  *Account Operators *Administrators *Backup Operators *Guests *MTS Impersonators *Print Operators *Replicator *Server Operators *Users

  Global Groups

• can access resources in other domains.
• Used to export user accounts to other domains, where they can be imported into Local Groups on trusting domains
• With NT4, contains user accounts only.
  With Windows 2000, a Global group can nest within other global groups from within their own domain, but such groups don't appear in the GC.

  To add, display, or modify global groups on servers:

  NET GROUP
  ----------------------------------------------
  *Domain Admins *Domain Guests *Domain Users *Finance *MTS Trusted Impersonators *MyTstGp1

  Global Group Name	Members	Can be modified by	Initially member of
  Domain Admins	Administrator	Administrators	Administrators
  Domain Guests	Guest	Administrators & Account Operators	Guests
  Domain Users	Administrator	Administrators & Account Operators	Users

  Universal Groups

  New to Windows 2000. This is available only if Windows 2000 is running under native mode. Members of Universal groups can be from any domain.

  Special groups

  Used by Windows Server for system access, and do not contain user or group accounts.

  Print operators???

  Members of Web Site Operators administrate a single site and change or reconfigure the Web site as necessary. However, only local Administrators can change the identification of Web sites, configure the anonymous user name or password, throttle bandwidth, create virtual directories or change their paths, or change application isolation.

The quickest way to tell if the account you are using has administrative rights is to right-click on .
You have admin privileges if you see “Open All Users”.

For more information on commands:

NET HELP GROUP
NET HELP LOCALGROUP

Activewin's excellent Step-by-Step Guide to Understanding the Group Policy Feature Set

This Resource Kit command adds users to groups specified in the file specified:
Usrtogrp.exe parmfile

Group (Printer) Permissions Usage

1. Permissions are never assigned directly to global groups.
2. Organize computer users based on administrative needs (locations and job functions) into global groups such as “LA Sales".
3. Identify common resources (such as files and printers) into domain local groups such as “Color printer X2".
4. Add global groups to a Domain Local Group.
5. Assign permissions (on specific resources) to the Domain Local Group.

Download the Visio flowchart file for this graphic

Printer Permissions

Permission Level	Print Docs, Connect to a printer, pause, resume, restart, cancel YOUR OWN docs	Pause, Resume, Restart, and Cancel (Delete) ALL jobs lined up for printing	Change the printing order of documents; Cancel all documents; Change printer properties and permissions; Share a printer; Delete a printer;
“No Access"	No	No	No
“Print" (the default)	Yes	No	No
“Manage Documents"	No	Yes	No
“Manage Printer" (Full Control)	Yes	Yes	Yes

Group Policies

The Group Policy MMC (Gpedit.msc) with the Security Settings extension displaying Security Options among Local Computer Policies.
C When a policy setting is updated, ???

User Rights Policy

A Restricted Group Policy defines who should and should not belong to a specific group. When a template (or policy) that defines a restricted group is applied to a system, the Security Configuration Tool Set adds members to the group and removes members from the group to ensure that the actual group membership coincides with the settings defined in the template (or policy).

Effective settings are the result of proprogating (overwriting) GPO objects from the Active Directory. The Local Security Settings MMC has a column for "Effective Settings" because, during policy propagation, Domain policies implemented by Active Directory override local security settings protecting the local computer.

Application of group policy objects starts with the group policy object at the bottom of the list and ends with the group policy object at the top. Thus, the group policy object at the top takes precedence over the others.

Order of policy implementation

The same policy item could be defined at various levels in the Active Directory hierarchy. Windows 2000 resolves conflicts by overwriting in this order:
1. Windows NT system policy
2. local group policy
3. site policy
4. domain policy
5. OU policy
6. child OU policy

Thus, Child OU policies "trumps" them all. This is unless "No Override" blocks inheritance.

Policy Inheritance

User account policies are NOT inherited. Account policies set at the domain level always in effect. Account policies that may be set at lower levels are ignored!

A Group Policy linked to a domain applies to all users and computers within that domain. However, a GPO linked to a parent domain does not apply to the domains of its children.

To restrict NT4 users from using Registry editing tools, etc. use the System Policy Editor to create a sytem policy to select “Disable Registry editing tools" under the System/Restriction node. for a default user. Save this NTConfig.pol file in the NetLogon share on a domain controller. When any user logs on to the domain from an NT client, the policy will be applied by overwriting user-specific keys in the local registry.

Using Group Policy Tools

The Locker program prevents other login processes from propogating Group Policies by finding the domain controller on the network, then opens and keeps locked file handles to all Group Policy files.

To access the CIFS File Sharing Service, third parties can create Engines to Security Service Attachments.

FAZAM offers Change and Release Management features in addition to enhanced reporting, disaster recovery, health-check, and analysis of GPOs using the Resultant Set of Policy (RSoP).

gp.chm, the Group Policy help file from the Windows 2000 Server Resource Kit provides a cross-reference of where each Group Policy is stored in the Registry.

w2rksupp.chm lists Windows 2000 Support Tools and provides call parameters for them.

Introduction to Windows 2000 Group Policy

Windows 2000 Group Policy

Step-by-Step Guide to Understanding the Group Policy Feature Set

Step-by-Step Guide to Configuring Enterprise Security Policies

[Nov 4, 1999] Group Policy Simplifies Administration,a key component of IntelliMirror

Administration and Implementation of Group Policy in Windows 2000: February 9, 2001

Microsoft Windows 2000 Server Deployment Planning Guide includes a discussion about setting security policies in Chapter 11, Planning Distributed Security

Windows 2000 Server Resource Kit. Chapter 22, Group Policy

Using Group Policy Scenarios, Feburary 2000

MCSE Training Kit: Microsoft Windows 2000 Server from Microsoft Press, 2000. Lesson 4 in Chapter 7, "Administering Microsoft Windows 2000 Server."

Permissions and Access Control Lists

Setting File Permissions (Modifying Access Control Lists)

Permissions are usually specified in the Security tab of the Properties sheet obtained from right-clicking on a file in Windows Explorer. Changes to this screen are stored in DACLs (Discretionary ACL) permissions and SACL (System ACLs) audit settings. The DACL is a table of Access Control Entries (ACE) that define user and group access. The security subsystem checks the folder's or file's DACL for ACEs that apply to the user and group security identifiers (SIDs) that uniquely identify objects to the operating system.

The DACL of published objects should be Read-Only to limit visibility.

This command from the Resource Kit lists and sets file-system security options in a specified folder:

XcACLs.exe

This command from the Resource Kit lists and migrates ACLs from domain1 to domain2:

Subinacl.exe

To change local permissions: ACLs (“/T”) as access control enTries (ACEs) in the c:\WINNT\tools folder and (/P) rePlaces permission so user “backup operators” has Full control (:f)

CACLS %SYSTEMROOT%\taskman.exe /T /P “backup operators”:f



The Read permission for a folder means that the following permission entries are allowed: List Folder / Read Data Read Attributes Read Extended Attributes Read Permissions Navigate to subfolders Create shares The Change permission allow users to: Change the DACL on files and folders Change data in files Add files and subfolders to the shared folder Delete subfolders and files The Modify permission allow users to: Traverse Folder/Execute File List Folder / Read Data Read Extended Attributes Delete special permissions

To remove Everyone and User perms, re-ACL executable content by using Eric's x template for IIS5 servers so that only admins can use the box locally. His script for NT4 re-ACLs a system and replaces Everyone with AuthUsers.

Assignable permissions

:N = None
:R = Read — allows users to display folder names, filenames, file data, and attributes; run program files; and change folders within the shared folder.
:W = Write — Create new files & subfolders within that folder, modify folder attributes, view ownership and permissions associated within that folder.
:C = Change = Modify = Read + Write + Delete
:F = Full control (R/W/Change Ownership)
??? Create All Child Objects and Delete all Child Objects

Web sharing depends on the Server service.

By default, Windows 2000 assigns Full Control permissions to the Everyone group

Permissions Inheritance

When the ACL is set for a folder, Windows 2000 by default selects for that folder “Propagate inheritable permissions to all subfolders and files”, so that the child of that folder receive that ACL. However, any explicit ACE defined for a child object remains unchanged. ACEs for all child objects are blindly overwritten if you select “Replace existing permission on all subfolders and files with inheritable permissions”.

That's ONLY for child objects checked Allow inheritable permissions from parent to propagate to this object.

acldiag.exe writes to a tab-delimited file the permissions of objects the user has a right to view.

Systemtools.com's DumpSec utility (a.k.a. DumpAcl) dumps a remote computer's user, group, and permissions information.

Operation	Into the Same Volume	Into a Different Volume
Copy	Inherits from the destination folder	Inherits from the destination folder
Move (Cut and Paste)	Retains from the folder moved from.

This decision table illustrates the behavior of inheritance for both NTFS permissions and NTFS data compression (all sub-folders).

When a shared folder is moved, Windows 2000 automatically stops sharing the folder.

To preserve permissions when copying and moving files, use this Resource Kit CLI utility:

ROBOCOPY.EXE

The $299 Security Copy utility integrates with the Windows NT 4.0 Desktop to copy files and directories on NTFS partitions while keeping the security intact, creating shares, and migrating local groups. It also does Differential Copying of only files that have changed in the source server. Multiple opartions can be scheduled to run after hours.

GPO Stores in Registry

.adm text files in (hidden WINNT\IL folder) define how GPO's are presented and what sections of the registry are modified.

GPO templates are stored in %SystemRoot%\ Sysvol\ Sysvol\ Corp.com\ Policies\ {GUID}

gpt.ini contains the version number of the GPO container.

Registry.pol files can only be edited using the Security snap-in.

Replicated to Active Directory Domain Controller's Computer object.

gpotool.exe CLI from the Server Resource Kit searches through GPOs on DCs, then displays their state information after checking for validity and consistency.

gpresult.exe CLI provides general information about GPOs and applied Registry settings.

DumpReg dumps the registry, making it easy to find keys and values containing a string. For Windows NT, the registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software.

Windows.NET will include a Group Policy Management Console (GPMC) that will export and import group policies.

Security Setting Templates

Security policies are enforced on multiple computers using security templates. The Secedit command line utility also updates templates, an operation performed through the Security Templates MMC snap-in.
secedit.exe /overwrite /CFG:Securesv.inf

Type of Template	Class of Computer			Notes
	Workstation	Server	Domain Controller
Default Security Settings	basicwk [1]	basicsv [1]	basicdc	[1] User Rights\Restricted Groups not included. [2] Assumes clean-install NTFS file\reg ACLs. [3] Secures remaining areas. [4] Includes SecureDC settings with Windows 2000-only enhancements. [5] Increases SecureWS Settings. Restricts Power User and Terminal Server ACLs. [6] Empties Power Users group.
High Security	hisecws [5]	-	hisecdc [2,4,6]
Secure	securewk [2,3,6]	-	securedc [2,3]
Optional Component File Security	ocfilesw	ocfiless	-

Template comptwsAssumes clean-install NTFS file\reg acls. Relaxes ACL's for Users. Empties Power Users group.

Account Policies

This command lists account policies for the local computer:
NET ACCOUNTS

Q259576: Group Policy Application Rules for Windows 2000 Domain Controllers

Tree	Policy	Default	Recommended
Password Policy	Enforce password history	0 passwords remembered	11 previous
	Maximum password age	0
	Minimum password age	0 days
	Minimum password length	4 characters
	Passwords must meet complexity requirements	Disabled	-
	Store password using reversible encryption for all users in the domain	Disabled	-
Account Lockout Policy	Account Lockout duration
	Account Lockout threshold	0 attempts
	Reset Account Lockout counter after a defined set of time
Kerberos Policy	Enforce user logon restrictions
	Maximum lifetime for service ticket	600 minutes
	Maximum lifetime for user ticket	10 hours
	Maximum lifetime for user ticket renewal	7 days
	Maximum tolerance for computer clock synchronization	5 minutes

Local Policies

The full path from the MMC Console Root is: Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies

Audit Policy User Rights Assignment Security Options

Audit Policies

The AUDITPOL CLI from the Resource Kit audits local and remote computers for all (Success and Failure) of “Audit account management” and other events:
AUDITPOL \\MyComputer /enable /sam:all

Note that the CLI lists the 9 audit policies with different names and in a different sequence than the Group Policy MMC GUI (which sorts by policy name):

Policy name in GUI	.inf [Event Audit]	auditpol CLI	Recommended NSA value	Default
Audit account logon events	AuditAccountLogon	9. Account	3=Success, Failure
Audit account management	AuditAccountManage	7. Sam	3=Success, Failure	?
Audit directory service access	AuditDSAccess	8. Directory	0	?
Audit logon events	AuditLogonEvents	2. Logon	3=Success, Failure	?
Audit object access	AuditObjectAccess	3. Object	2=Failure	?
Audit policy change	AuditPolicyChange	6. Policy	3=Success, Failure	?
Audit privilege use	AuditPrivilegeUse	4. Privilege	2=Failure	?
Audit process tracking	AuditProcessTracking	5. Process	0=No auditing	?
Audit system events	AuditSystemEvents	1. System	3=No auditing	?
Shut down the computer when the security audit log is full	CrashOnAuditFull		1=Yes


Use this graphic to remember the 9 Windows 2000 audit policies.


Download the Visio flowchart file for this graphic

User Rights Assignment

Listed alphabetically. Group Right.

Policy	Right	Administrator	Power Users	Backup Operators	Users	Guest	Everyone
U,G	Access this computer from the network	Y	Y	Y	Y	Deny	Y
U	Act as part of the operating system
U	Add workstations to domain
G	Adjust memory quotas for a process	Y
G	Allow logon through Terminal Services	Y
U,G	Back up files and directories	Y	-	Y
U,G	Bypass traverse checking	Y	Y	Y	Y	-	Y
U,G	Change the system time	Y	Y
U,G	Crate a pagefile	Y
U	Create a token object
U	Create permanent shared objects
U	Debug programs
G	Delete programs	Y
U	Deny access to this computer from the network
U	Deny logon as a batch job
U	Deny logon as a service
U	Deny logon locally
U	Enable computer and user accounts to be trusted for delegation
U,G	Force shutdown from a remote system	Y
U	Generate security audits
U,G	Increase quotas	Y
U,G	Increase scheduling priority	Y
U,G	Load and unload device drivers	Y
U	Lock pages in memory
U	Log on as a batch job
U	Log on as a service
U,G	Log on locally	Y	Y	Y	Y	Deny	Y
U,G	Manage auditing and security log	Y
U,G	Modify firmware environment values	Y
G	Perform volume maintenance tasks	Y
U,G	Profile single process	Y	Y
U,G	Profile system performance	Y
U,G	Remove computer from docking station	Y	Y	-	Y
U,G	Restore files and directories	Y	-	Y
U	Synchronize directory service data
U,G	Shut down the system	Y	Y	Y	-	Y
U,G	Take ownership of files or other objects	Y

Security Options (39)

Policy	Default	Recommended
Additional restrictions for anonymous connnections
Allow server operators to schedule taks (domain controllers only)
Allow system to be shut down without having to log on
Allowed to eject removeable NTFS media
Amount of idle time required before disconnecting session
Audit the access of global system objects
Audit use of Backup and Restore privilege
Automatically log off users when logon time expires (local) [7]
Clear virtual memory pagefile when system shuts down
Digitally sign client communication (always)
Digitally sign client communication (when possible)
Digitally sign server communication (always)
Digitally sign server communication (when possible)
Disable Ctrl+Alt+Del requirement for logon
Do not display last user name in logon screen
LAN Manager Authentication Level
Message text for users attempting to log on
Message title for users attempting to log on
Number of previous logons to cache (in case domain controller is not available)
Prevent system maintenance of computer account password
Prevent users from installing printer drivers
Prompt user to change password before expiration	14 days
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders	Disable
Recovery console:
Rename administrator account [7]
Rename guest account [7]
Restrict CD-ROM access to locally logged-on user only	Disabled
Restrict floppy access to locally logged-on user only	Disabled
Secure channel: Digitally encrypt or sign secure channel data (always)	Disabled
Secure channel: Digitally encrypt secure channel data (when possible)	Enabled
Secure channel: Digitally sign secure channel data (when possible)	Enabled
Secure channel: Require strong (Windows 2000 or later) session key	Disabled
Send unencrypted password to connect to third-party SMB servers	Disabled
Shut down immediately if unable to log security audits	Disabled
Smart card removeable behavior	No Action
Strengthen default permissions of global system objects	Disabled
Unsigned driver installation behavior	Not defined
Unsigned non-driver installation behavior	Not defined

Domain Policies

These policies exists when Active Directory is used, not on local machines.

Public Key Policies

Policy	Default	Recommended
Encrypted Data Recovery Agents	Domain Administrator
Root certificates (trusted)	--
Certificate Trust Lists (scope)	--

IPSec (Internet Procotol Security) Policies

User Profiles and IntelliMirror Technology

When a user logs on for the first time, the default user profile is copied to a profile folder named after the user. Folder naming conflicts are resolved by appending a three-digit number if necessary. The desktop settings that appear are a combination of the Local User profile and the All Users profile.

User Profiles include settings, colors, and documents. Windows 2000 introduced the ability to store for roaming purposes portions of a profile rather than the entire profile.

Create a mandatory user profile used by all users two ways:

1. Create a file named NTUSER.MAN in the user's Roaming User Profile folder. The .MAN file could be a copy of the NTUSER.DAT file in the same folder. This allow the locally cached version.
2. Set the user's profile path to a folder named \Restricted.man containing a .MAN file.

The first time that a user logs on a Windows 2000 Domain Controller, a User Profiles is automatically created in folder %SystemRoot%\Documents and Settings Management (instead of a Profiles folder in NT4). This allows user settings to follow users at different workstations. So clients must join a domain to use this Intellimirror technology.

Profile values are contained in a read/write network share containing the %userprofile% environment variables.

The default user profile and folders not needed by users are hidden.

Windows 2000 introduced the ability to merge profile files together.

Group Policies can be used to manage user profiles such as what actions to take automatically when a profile reaches a certain size.

The User Profile Deletion Utility from the Resource Kit removes user settings, colors, and all files in My Documents folders associated with user profiles on both local and remote machines, optionally after /days of inactivity.

DelProf.exe

User Profiles in Microsoft Windows 2000: June 29, 2000

Q243420: Roaming Profile Creation in Windows 2000 Using the "Copy To" Command

Q214636: How to Set the Path for the Local Default User Profile

Q227260: How a Slow Link Is Detected for User Profiles and Group Policy

Printing

Fix Printer Server

Use the Fixprnsv.exe /diag utility to create a report after scanning the Printer Server for incompatible Printer drivers. The /fix switch install drivers on Windows NT 4.0 and Windows 2000 based clients with the ability to connect to the print server and download the appropriate printer drivers. When this switch is used on a Windows 2000-based computer, any incompatible Windows NT 4.0 printer drivers will be replaced.

Printer Auditing Settings

View auditing settings for a printer from the Auditing tab under the Security tab of Printer Properties.

Logon Scripts

Logon script, ntconfig, and ntconfig.POL filess from NT4 machines' WINNT/ System32/ Repl/ Import/ Scripts files.

Taking printer off-line

From Start | Settings | Printers, highlight the specific printer. Pull down the Printer menu and select the Use Printer Offline option. Remember: When you take a printer off line, documents stay in the print queue, even when the print server is shut down and then restarted.

Printer Permissions to avoid “Access Denied” pop-up.

Utility from the Server CD to view dependencies, starting from NTOSKRNL.

client jobs are spooled (via a TCP/IP conversation —not merely copied) to the print server's x.sp_ file in \System32\Spool and an accompanying x.shd,/b> shadow file in \system32\spool\printers. These files, once created on the server, can be copied and pasted to another location.

\system32\spool\drivers has Share print$.

Services, Processes, Threads

Default processes in Windows 2000 Professional

To Shut It Down

Avoid shuting off your machine (manually crashing your own system).

If your application stops responding, invoke the Task Manager by pressing press Ctrl+Alt+Del or right-click on the Tray Clock.

Kill.exe CLI shuts down processes.

In the Applications tab, right-click on the troublesome application and select "End Task".

This may not do the job becuase of other DLL's which are still alive. In the Applications tab, right-click on the troublesome application and select "Go To Process".

In the Process tab, right click on the highlighted process and select "End Process Tree". This terminates all the other processes indirectly started by the application.

To disable a service after a reboot

Change the value of the “Start” key to 4 in this registry key
HKLM \System \CurrentControlSet \Services \Eventlog

What is a process? and Why do processes need ipc$ share to communicate?

Using Pulist.exe from the Resource Kit, list Process Names and ID's for computers C1 and C2:
PuList.exe \\C1 \\C2

To detail threads running within each process, use the Process Viewer from the Windows 2000 Support Tools CD:
pviewer.exe

For a hierarchical arrangement of parent and child processes, use the Task List from the Windows 2000 Support Tools CD:
tlist.exe /t

.ACM Codecs

To display information about your threads using WMI/WBEM, run this from the Resource Kit:
Cscript “thread.vbs”

List of Windows Services

Application Priorities

Mode	Priority
Realtime	24
Above Normal	???
High	13
Normal	8
Below Normal	???
Low	4

Change the Priorities assigned to application threads to control how they are processed by the CPU.

Use the Task Manager to change an application's priority. Under the Processes tab, right-click on the task Image Name and select Set Priority. Setting the mode of an application automatically sets the priority as well. Priorities range from 0 to 31, with 31 being the highest priority.

taskmgr.exe defaults to High. Other apps default to Normal. Only Windows XP features Above and Below Normal priority modes.

What is the tool to change application priorities from within a WSH script???

How does a C or Java programmer change priorities from within an application program?