Administering Windows Servers

Here are my notes on Administering Microsoft's Windows 2008/2003/2000/NT4 Servers. (I'm not done updating this for Windows 2008 yet)

 

Topics this page:

  • Factoids
  • Tasks
  • Security Settings
  • Groups: BUILTIN
  • Group Permissions
  • Group Policies
  • Permissions: ACLs
  • GPO Stores
  • Security Templates
  • Local Policies
  • Domain Policies
  • User Profiles
  • Printing
  • Services, Processes, Threads
  • Application Priorities


    Factoids (by the numbers)

      Subject  Windows 2003/2000  NT4
      Maximum cluster size of compressed NTFS5 partitions 4 KB N/A
      Maximum size (GB) of FAT32 partition with 4KB clusters 8 GB
      Maximum size (GB) of FAT32 hard drive partition 32 GB
      Maximum size (GB) of FAT16 hard drive partition 4 GB
      Maximum size (GB) of NTFS hard drive partition 75 64
      Maximum # of Characters in User Account name 20 15
      Maximum # of Characters in User Password 127 8
      Maximum # of Characters in domain controller FQDN 155
      Maximum # of Characters in Active Directory DNS domain name 64
      Maximum # of Disks in a Spanned Volume 32
      Maximum # of drives in a RAID-5 array 32
      Highest Application Thread Priority level 31
      Highest Document Priority assigned to a print job 99
      Lowest Document Priority assigned to a print job 1
      Maximum # of Dfs links assigned to a Dfs root 1,000
      The maximum # of concurrent connections allowed to a computer 10
     

     
    Tasks

      Task Windows 2000 Windows NT Windows 98
      Windows Explorer Programs | Accessories Programs --
      Command Prompt Programs | Accessories Programs --
      Administrative Tools Settings | Control Panel Programs --

      Manage Compression

      Apply compression either through Windows Explorer or from the command line (batch process) with the COMPACT.EXE utility. Through Windows Explorer, you can compress an entire partition, folder, or file. Compression applied at the partition or folder level can be inherited by subfolders and files or just applied to the parent partition or folder. If the compression fails initially because a file targeted for compression is opened by another process, this utility will ensure that the compression procedure completes in the background.

      Launching Applets in Windows Control Panel...

    • Addusers Automates Creation of a Large Number of Users
    • Batch Add Accounts Without Forcing a Password Change at Next Logon
    • Use tools described in Rktools.hlp file in Windows NT Server 4.0 Resource Kit Supplement 3 to migrate (export) objects among domains:
      • Subinacl.exe substitutes (replaces) security identifiers in access control entries by obtaining security information on files, registry keys, and services, and transfers this information from user to user, from group to group, and from domain to domain.
      • Addusers.exe imports and exports user and group accounts from one domain to another.
      • Rmtshare.exe remotely creates or deletes shares and grants access to shares.
      • Permcopy.exe copies share permissions from one share to another.
      • Scopy.exe copies NTFS file and folder permissions from one share to another (does not copy share permissions.)
     

      tool Executive Software's Undelete 2.0 $235 product makes sure that files are captured into a Recycle Bin when they are deleted from network shares, through the Command Line, or from within a program.

      Mark Minasi publishes a free newsletter and presents seminars based on his highly rated and best-selling book: Mastering Windows 2000 Server, 3rd Edition

      tool SecurPass Reset is a self help utility that enables end-users who forgot their password, or accidentally got locked out of their own accounts, to reset their own passwords and re-enable their own accounts via a web application, without Help Desk intervention.

     
    Areas of Security Setting

     

    When a volume is formatted with NTFS, a Master File Table (MFT) and Metadata are created.

    In the Group Policy hierarchy, Security settings are under Computer Configuration, Windows Settings.

    The Security Options node is contained in the Local Policies node.

    Local machine policies can only contain security settings for Account Policies and Local Policies.

    Details on each security policy are shown here. In each list:

    • The Default column notes values from the "setup security" template that defines out-of-box security settings.
    • The Recommended column notes values from various templates.

    Policies created on Windows 9x will not work with Windows 2000.


    Security Toolkit

      tool The Microsoft Security Configuration Tool Set consists of several MMC snap-ins.
      • Security Templates MMC
      • Security Configuration and Analysis MMC snap-in performs interactively what Secedit.exe CLI does in batch mode.
      • The Security Settings Extension to the Group Policy Editor MMC



      .inf Configuration Templates

      Default templates are stored in the %SystemRoot%\inf folder:
        Defltsv.inf on Windows 2000 servers
        Defltwk.inf on Windows 2000 Professional

      View these templates using the Security Templates MMC.

      The Security Configuration and Analysis MMC snap-in performs interactively what the Secedit.exe CLI does in batch mode. Both configure policies into the GPO registry. They import templates into a temporary security database with the .sdb file extension. Operations common to both tools are prefixed with a slash /. The default database is %windir%\security\database\secedit.sdb for administrators or %userprofile%\secedit.sdb for users.

      Stored Configuration File in Registry

      Windows 2000 services reference configuration files stored in each machine's Registry. So, a policy can be set to a particular Registry entry. Question: What takes precedence???

      "Analyzed System Settings"

      Members of the Group Policy Creator Owners group can create and modify GPOs for a domain, but can't link them. By default, only Domain Admins and Enterprise Admins have authority to link GPOs to domains and OUs. Only Enterprise Admins have authority to link GPOs to sites.

     


    Groups

      Action Group to use
      Assign permissions and rights to local domain resources Local
      Give rights to users from another domain Local
      Combine groups Local
      Allow users access to Windows NT Workstations or NT servers in a domain Global
      Export user to another domain Global

    • Security groups can be granted permissions (such as Printer Permissions):
      • container object permissions
      • individual object permissions
      • attribute object permissions
    • Distribution groups cannot be used to grant permissions, only to send email.
    • A group can only belong to a single OU.
    • Unlike NT4, Windows 2000 allows groups to be renamed.


      Scope of BUILTIN Groups

      Group Scope | User Login from | Can use resources in | In Global Catalog? | BUILTIN Groups

      Local | local machine | local machine only | No
    • Administrators
    • Users
    • Guests
    • Power Users

      Domain Local | Local domain | Local domain | List of groups but NOT Memberships
    • Administrators
    • Account Operators
    • Backup Operators
    • Server Operators

      Global | Any domain
    • Domain Admins
    • Domain Users
    • Domain Guests
    • Enterprise Admins

      Universal | Any domain | List of groups and Memberships
    • Replicator ???

      - | - | SQL, MTS | -
    • MTS Trusted Impersonators

      Domain Local Groups

    • are valid only on a single (local) domain
    • used to assign permissions in the local domain.
    • Can contain users and Global groups, including Global groups from other trusted domains.

      To add, display, or modify local groups on workstations:

        NET LOCALGROUP

        Aliases for \\WS1
        ----------------------------------------------
        *Account Operators *Administrators *Backup Operators *Guests *MTS Impersonators *Print Operators *Replicator *Server Operators *Users

      Global Groups

    • can access resources in other domains.
    • Used to export user accounts to other domains, where they can be imported into Local Groups on trusting domains
    • With NT4, contains user accounts only.
      With Windows 2000, a Global group can nest within other global groups from within their own domain, but such groups don't appear in the GC.

      To add, display, or modify global groups on servers:

        NET GROUP

        ----------------------------------------------
        *Domain Admins *Domain Guests *Domain Users *Finance *MTS Trusted Impersonators *MyTstGp1

      Global Group Name | Members | Can be modified by | Initially member of
      Domain Admins | Administrator | Administrators | Administrators
      Domain Guests | Guest | Administrators & Account Operators | Guests
      Domain Users | Administrator | Administrators & Account Operators | Users

      Universal Groups

      New to Windows 2000. This is available only if Windows 2000 is running under native mode. Members of Universal groups can be from any domain.

      Special groups

      Used by Windows Server for system access, and do not contain user or group accounts.

      Print operators???

      Members of Web Site Operators administrate a single site and change or reconfigure the Web site as necessary. However, only local Administrators can change the identification of Web sites, configure the anonymous user name or password, throttle bandwidth, create virtual directories or change their paths, or change application isolation.

     

      The quickest way to tell if the account you are using has administrative rights is to right-click on .
      You have admin privileges if you see “Open All Users”.

      For more information on commands:

      NET HELP GROUP
      NET HELP LOCALGROUP

      webpage article Activewin's excellent Step-by-Step Guide to Understanding the Group Policy Feature Set

      tool This Resource Kit command adds users to the groups listed in the specified file:
      Usrtogrp.exe parmfile

     
    Group (Printer) Permissions Usage

    1. Permissions are never assigned directly to global groups.
    2. Organize computer users based on administrative needs (locations and job functions) into global groups such as "LA Sales".
    3. Identify common resources (such as files and printers) into domain local groups such as "Color printer X2".
    4. Add global groups to a Domain Local Group.
    5. Assign permissions (on specific resources) to the Domain Local Group.


      Printer Permissions

      Columns:
      (A) Print Docs, Connect to a printer, pause, resume, restart, cancel YOUR OWN docs
      (B) Pause, Resume, Restart, and Cancel (Delete) ALL jobs lined up for printing
      (C) Change the printing order of documents; Cancel all documents; Change printer properties and permissions; Share a printer; Delete a printer

      Permission Level | (A) | (B) | (C)
      "No Access" | No | No | No
      "Print" (the default) | Yes | No | No
      "Manage Documents" | No | Yes | No
      "Manage Printer" (Full Control) | Yes | Yes | Yes


    Group Policies

      The Group Policy MMC (Gpedit.msc) with the Security Settings extension displaying Security Options among Local Computer Policies.
      C When a policy setting is updated, ???

      User Rights Policy

      A Restricted Group Policy defines who should and should not belong to a specific group. When a template (or policy) that defines a restricted group is applied to a system, the Security Configuration Tool Set adds members to the group and removes members from the group to ensure that the actual group membership coincides with the settings defined in the template (or policy).

      Effective settings are the result of propagating (overwriting) GPO objects from the Active Directory. The Local Security Settings MMC has a column for "Effective Settings" because, during policy propagation, Domain policies implemented by Active Directory override local security settings protecting the local computer.

      Application of group policy objects starts with the group policy object at the bottom of the list and ends with the group policy object at the top. Thus, the group policy object at the top takes precedence over the others.

      Order of policy implementation

      The same policy item could be defined at various levels in the Active Directory hierarchy. Windows 2000 resolves conflicts by overwriting in this order:

      1. Windows NT system policy
      2. local group policy
      3. site policy
      4. domain policy
      5. OU policy
      6. child OU policy

      Thus, child OU policies "trump" them all, unless a GPO linked at a higher level is marked "No Override", in which case lower levels cannot overwrite its settings.

      Policy Inheritance

      User account policies are NOT inherited. Account policies set at the domain level are always in effect. Account policies that may be set at lower levels are ignored!

      A Group Policy linked to a domain applies to all users and computers within that domain. However, a GPO linked to a parent domain does not apply to the domains of its children.
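
      The processing order and the two exceptions described above (No Override, and account policies being honoured only at the domain level) can be modelled in a few lines. This is an added example, not code from the original page; the GPO names and setting names are constructed, and treating the two listed names as "account policy" settings is an assumption of the sketch.

```python
# Added example: resolve conflicting settings in the order the page lists.
# GPO names, setting names and values are constructed for illustration.

# Processing order from the page: each later level overwrites earlier ones.
LEVELS = ["nt_system_policy", "local", "site", "domain", "ou", "child_ou"]

# Assumption: these names stand in for account-policy settings, which the
# page says are ignored when set below the domain level.
ACCOUNT_POLICY_KEYS = {"MinimumPasswordLength", "LockoutBadCount"}


def resolve(gpos):
    """Return (effective, ignored).

    gpos: list of dicts with keys name, level, settings and an optional
    no_override flag. GPOs at the same level are applied in list order.
    effective maps setting -> (value, name of the GPO that supplied it).
    ignored lists (gpo name, setting, reason) for every dropped value.
    """
    effective = {}
    locked = set()   # settings pinned by a No Override GPO higher up
    ignored = []

    # sorted() is stable, so list order is kept within one level.
    ordered = sorted(gpos, key=lambda g: LEVELS.index(g["level"]))
    for gpo in ordered:
        below_domain = LEVELS.index(gpo["level"]) > LEVELS.index("domain")
        for key, value in gpo["settings"].items():
            if key in ACCOUNT_POLICY_KEYS and below_domain:
                ignored.append((gpo["name"], key, "account policy below domain"))
                continue
            if key in locked:
                ignored.append((gpo["name"], key, "blocked by No Override"))
                continue
            effective[key] = (value, gpo["name"])
            if gpo.get("no_override"):
                locked.add(key)
    return effective, ignored


# Constructed sample: an OU admin tries to re-enable registry tools and
# weaken the password length that the domain defines.
SAMPLE_GPOS = [
    {"name": "Kiosk OU", "level": "child_ou",
     "settings": {"ScreenSaverTimeout": 300, "MinimumPasswordLength": 4}},
    {"name": "Sales OU", "level": "ou",
     "settings": {"ScreenSaverTimeout": 600, "DisableRegistryTools": 0}},
    {"name": "Default Domain Policy", "level": "domain",
     "settings": {"MinimumPasswordLength": 8}},
    {"name": "Domain Lockdown", "level": "domain", "no_override": True,
     "settings": {"DisableRegistryTools": 1}},
    {"name": "Local Policy", "level": "local",
     "settings": {"ScreenSaverTimeout": 900, "MinimumPasswordLength": 6}},
]

if __name__ == "__main__":
    effective, ignored = resolve(SAMPLE_GPOS)
    for key in sorted(effective):
        print(key, "=", effective[key][0], "from", effective[key][1])
    for entry in ignored:
        print("ignored:", entry)
```

      The ignored list is the useful part when reviewing a design: it shows which delegated OU settings will silently have no effect.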

      To restrict NT4 users from using Registry editing tools, etc., use the System Policy Editor to create a system policy that selects "Disable Registry editing tools" under the System/Restriction node for a default user. Save this NTConfig.pol file in the NetLogon share on a domain controller. When any user logs on to the domain from an NT client, the policy will be applied by overwriting user-specific keys in the local registry.

      Using Group Policy Tools

      tool The Locker program prevents other login processes from propagating Group Policies by finding the domain controller on the network, then opening and holding locked file handles to all Group Policy files.

      tool To access the CIFS File Sharing Service, third parties can create Engines to Security Service Attachments.

     

     
    Permissions and Access Control Lists

      Setting File Permissions (Modifying Access Control Lists)

      Permissions are usually specified in the Security tab of the Properties sheet obtained from right-clicking on a file in Windows Explorer. Changes to this screen are stored as DACL (Discretionary ACL) permissions and SACL (System ACL) audit settings. The DACL is a table of Access Control Entries (ACEs) that define user and group access. The security subsystem checks the folder's or file's DACL for ACEs that apply to the user and group security identifiers (SIDs) that uniquely identify objects to the operating system.

      The DACL of published objects should be Read-Only to limit visibility.
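
      How the DACL check described above plays out, including why ACE order matters when Everyone holds Full Control, is shown in this added example (not code from the original page). The rights are reduced to four bits and the SID strings other than S-1-1-0 (Everyone) are constructed; explicit versus inherited ACE ordering is left out.

```python
# Added example: walk a DACL's ACEs against the SIDs in a user's token.
# Simplified rights and constructed SIDs; not the Windows API.

READ, WRITE, DELETE, CHANGE_PERMS = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | DELETE | CHANGE_PERMS

EVERYONE = "S-1-1-0"  # well-known SID for the Everyone group


def access_check(token_sids, dacl, desired):
    """Return True if every right in `desired` is granted.

    dacl is None (object has no DACL, so access is unrestricted) or a list
    of (ace_type, sid, mask) tuples in stored order, ace_type being
    "allow" or "deny". ACEs are evaluated first to last and evaluation
    stops as soon as the request is fully granted or any part is denied.
    """
    if dacl is None:
        return True
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue                      # ACE does not apply to this user
        if ace_type == "deny":
            if mask & remaining:
                return False              # a still-needed right is denied
        else:
            remaining &= ~mask            # these rights are now granted
            if remaining == 0:
                return True
    # End of list: anything not explicitly allowed is refused, so an
    # empty DACL grants nothing.
    return remaining == 0


def canonical_order(dacl):
    """Put deny ACEs ahead of allow ACEs, keeping order within each kind."""
    return sorted(dacl, key=lambda ace: 0 if ace[0] == "deny" else 1)


# Constructed tokens: alice is a member of a Contractors group.
ALICE_TOKEN = {"SID:alice", "SID:Contractors", EVERYONE}
BOB_TOKEN = {"SID:bob", EVERYONE}

# Constructed DACL written in the wrong order: the broad allow comes first,
# so the deny for Contractors is never reached.
AS_STORED = [
    ("allow", EVERYONE, FULL),
    ("deny", "SID:Contractors", WRITE | DELETE),
]

if __name__ == "__main__":
    fixed = canonical_order(AS_STORED)
    print("alice write, as stored:", access_check(ALICE_TOKEN, AS_STORED, WRITE))
    print("alice write, canonical:", access_check(ALICE_TOKEN, fixed, WRITE))
    print("alice read,  canonical:", access_check(ALICE_TOKEN, fixed, READ))
    print("bob write,   canonical:", access_check(BOB_TOKEN, fixed, WRITE))
```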

      tool This command from the Resource Kit lists and sets file-system security options in a specified folder:

        XcACLs.exe

      tool This command from the Resource Kit lists and migrates ACLs from domain1 to domain2:

        Subinacl.exe

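      tool To change local permissions with CACLS: /T applies the change to the specified files in the current folder and all subfolders, and /P replaces the named user's permissions, here giving "backup operators" Full control (:f). Without /E, CACLS replaces the whole ACL rather than editing it, so any other entries are dropped.

        CACLS %SYSTEMROOT%\taskman.exe /T /P "backup operators":f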

      The Read permission for a folder means that the following permission entries are allowed:
      • List Folder / Read Data
      • Read Attributes
      • Read Extended Attributes
      • Read Permissions
      • Navigate to subfolders
      • Create shares
      The Change permission allows users to:
      • Change the DACL on files and folders
      • Change data in files
      • Add files and subfolders to the shared folder
      • Delete subfolders and files
      The Modify permission allows users to:
      • Traverse Folder/Execute File
      • List Folder / Read Data
      • Read Extended Attributes
      • Delete special permissions

      tool To remove Everyone and User perms, re-ACL executable content by using Eric's x template for IIS5 servers so that only admins can use the box locally. His script for NT4 re-ACLs a system and replaces Everyone with AuthUsers.

      Assignable permissions

        :N = None
        :R = Read — allows users to display folder names, filenames, file data, and attributes; run program files; and change folders within the shared folder.
        :W = Write — Create new files & subfolders within that folder, modify folder attributes, view ownership and permissions associated within that folder.
        :C = Change = Modify = Read + Write + Delete
        :F = Full control (R/W/Change Ownership)
        ??? Create All Child Objects and Delete all Child Objects

      Web sharing depends on the Server service.

      By default, Windows 2000 assigns Full Control permissions to the Everyone group.

      Permissions Inheritance

      When the ACL is set for a folder, Windows 2000 by default selects for that folder “Propagate inheritable permissions to all subfolders and files”, so that the children of that folder receive that ACL. However, any explicit ACE defined for a child object remains unchanged. ACEs for all child objects are blindly overwritten if you select “Replace existing permission on all subfolders and files with inheritable permissions”.

      That's ONLY for child objects that have “Allow inheritable permissions from parent to propagate to this object” checked.

      tool acldiag.exe writes to a tab-delimited file the permissions of objects the user has a right to view.

      tool Systemtools.com's DumpSec utility (a.k.a. DumpAcl) dumps a remote computer's user, group, and permissions information.

      Operation Into the Same Volume Into a Different Volume
      Copy Inherits from the destination folder Inherits from the destination folder
      Move (Cut and Paste) Retains from the folder moved from.
      This decision table illustrates the behavior of inheritance for both NTFS permissions and NTFS data compression (all sub-folders).

      When a shared folder is moved, Windows 2000 automatically stops sharing the folder.

      tool To preserve permissions when copying and moving files, use this Resource Kit CLI utility:

        ROBOCOPY.EXE

      tool The $299 Security Copy utility integrates with the Windows NT 4.0 Desktop to copy files and directories on NTFS partitions while keeping the security intact, creating shares, and migrating local groups. It also does Differential Copying of only files that have changed in the source server. Multiple operations can be scheduled to run after hours.

     
    GPO Stores in Registry

      .adm text files in (hidden WINNT\IL folder) define how GPO's are presented and what sections of the registry are modified.

      GPO templates are stored in %SystemRoot%\Sysvol\Sysvol\Corp.com\Policies\{GUID}

      gpt.ini contains the version number of the GPO container.

      Registry.pol files can only be edited using the Security snap-in.

      Replicated to Active Directory Domain Controller's Computer object.

      tool gpotool.exe CLI from the Server Resource Kit searches through GPOs on DCs, then displays their state information after checking for validity and consistency.

      tool gpresult.exe CLI provides general information about GPOs and applied Registry settings.

     

      tool DumpReg dumps the registry, making it easy to find keys and values containing a string. For Windows NT, the registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software.

      Windows.NET will include a Group Policy Management Console (GPMC) that will export and import group policies.

     
    Security Setting Templates

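      Security policies are enforced on multiple computers using security templates. The Secedit command line utility also updates templates, an operation performed through the Security Templates MMC snap-in. With /configure, the /overwrite switch replaces whatever template is already stored in the database rather than appending to it.

        secedit.exe /configure /db secedit.sdb /cfg Securesv.inf /overwrite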

      Type of Template | Class of Computer: Workstation | Server | Domain Controller
      Default Security Settings | basicwk [1] | basicsv [1] | basicdc [1]
      High Security | hisecws [5] | - | hisecdc [2,4,6]
      Secure | securewk [2,3,6] | - | securedc [2,3]
      Optional Component File Security | ocfilesw | ocfiless | -
      Template | comptws | Assumes clean-install NTFS file\reg acls. Relaxes ACL's for Users. Empties Power Users group.

      Notes:
      [1] User Rights\Restricted Groups not included.
      [2] Assumes clean-install NTFS file\reg ACLs.
      [3] Secures remaining areas.
      [4] Includes SecureDC settings with Windows 2000-only enhancements.
      [5] Increases SecureWS Settings. Restricts Power User and Terminal Server ACLs.
      [6] Empties Power Users group.


    Account Policies

      Do this! This command lists account policies for the local computer:

        NET ACCOUNTS

      webpage article Q259576: Group Policy Application Rules for Windows 2000 Domain Controllers

      Tree | Policy | Default | Recommended

      Password Policy
        Enforce password history | 0 passwords remembered | 11 previous
        Maximum password age | 0
        Minimum password age | 0 days
        Minimum password length | 4 characters
        Passwords must meet complexity requirements | Disabled | -
        Store password using reversible encryption for all users in the domain | Disabled | -

      Account Lockout Policy
        Account Lockout duration
        Account Lockout threshold | 0 attempts
        Reset Account Lockout counter after a defined set of time

      Kerberos Policy
        Enforce user logon restrictions
        Maximum lifetime for service ticket | 600 minutes
        Maximum lifetime for user ticket | 10 hours
        Maximum lifetime for user ticket renewal | 7 days
        Maximum tolerance for computer clock synchronization | 5 minutes


    Local Policies

      The full path from the MMC Console Root is: Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies

      Audit Policy, User Rights Assignment, Security Options

      Audit Policies

      tool The AUDITPOL CLI from the Resource Kit sets the audit policy on local and remote computers. This command enables auditing of all (Success and Failure) “Audit account management” events:

        AUDITPOL \\MyComputer /enable /sam:all

      Note that the CLI lists the 9 audit policies with different names and in a different sequence than the Group Policy MMC GUI (which sorts by policy name):

      Policy name in GUI | .inf [Event Audit] | auditpol CLI | Recommended NSA value | Default
      Audit account logon events | AuditAccountLogon | 9. Account | 3=Success, Failure |
      Audit account management | AuditAccountManage | 7. Sam | 3=Success, Failure | ?
      Audit directory service access | AuditDSAccess | 8. Directory | 0 | ?
      Audit logon events | AuditLogonEvents | 2. Logon | 3=Success, Failure | ?
      Audit object access | AuditObjectAccess | 3. Object | 2=Failure | ?
      Audit policy change | AuditPolicyChange | 6. Policy | 3=Success, Failure | ?
      Audit privilege use | AuditPrivilegeUse | 4. Privilege | 2=Failure | ?
      Audit process tracking | AuditProcessTracking | 5. Process | 0=No auditing | ?
      Audit system events | AuditSystemEvents | 1. System | 3=No auditing | ?
      Shut down the computer when the security audit log is full | CrashOnAuditFull | | 1=Yes |
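
      To check a security template against the recommended values in the table above, read its [Event Audit] section and compare the numeric codes as bit flags (1 = Success, 2 = Failure). This is an added example, not code from the original page; the sample template text is constructed, and the baseline uses only the numeric codes listed for the nine audit policies.

```python
# Added example: find audit categories where a template is weaker than
# the recommended values listed in the table above.

# Numeric codes copied from the table; 1 = Success, 2 = Failure, 3 = both.
RECOMMENDED = {
    "AuditAccountLogon": 3,
    "AuditAccountManage": 3,
    "AuditDSAccess": 0,
    "AuditLogonEvents": 3,
    "AuditObjectAccess": 2,
    "AuditPolicyChange": 3,
    "AuditPrivilegeUse": 2,
    "AuditProcessTracking": 0,
    "AuditSystemEvents": 3,
}

FLAGS = {1: "Success", 2: "Failure"}


def parse_inf_section(text, section):
    """Return {key: value} for one [section] of an .inf template.

    Section names are matched case-insensitively; text after ';' on a
    line is treated as a comment.
    """
    wanted = section.lower()
    current = None
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == wanted and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_gaps(template_text, baseline=RECOMMENDED):
    """Return {policy: [missing event types]} for settings below baseline.

    A policy absent from the template counts as 0 (no auditing). Settings
    that audit more than the baseline asks for are not reported.
    """
    section = parse_inf_section(template_text, "Event Audit")
    found = {k.lower(): v for k, v in section.items()}
    gaps = {}
    for name, required in baseline.items():
        raw = found.get(name.lower())
        try:
            actual = int(raw) if raw is not None else 0
        except ValueError:
            gaps[name] = ["unparseable value %r" % raw]
            continue
        missing = required & ~actual
        if missing:
            gaps[name] = [label for bit, label in FLAGS.items() if missing & bit]
    return gaps


# Constructed sample template. Files saved by the Security Templates
# snap-in are typically UTF-16, so read real ones with encoding="utf-16".
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1      ; success only
AuditObjectAccess = 3
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 2
"""

if __name__ == "__main__":
    for policy, missing in audit_gaps(SAMPLE_TEMPLATE).items():
        print(policy, "is missing:", ", ".join(missing))
```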


    User Rights Assignment

      Listed alphabetically. Group Right.

      Policy Right Administrator Power Users Backup Operators Users Guest Everyone
      U,G Access this computer from the network Y Y Y Y Deny Y
      U Act as part of the operating system
      U Add workstations to domain
      G Adjust memory quotas for a process Y
      G Allow logon through Terminal Services Y
      U,G Back up files and directories Y - Y
      U,G Bypass traverse checking Y Y Y Y - Y
      U,G Change the system time Y Y
      U,G Create a pagefile Y
      U Create a token object
      U Create permanent shared objects
      U Debug programs
      G Delete programs Y
      U Deny access to this computer from the network
      U Deny logon as a batch job
      U Deny logon as a service
      U Deny logon locally
      U Enable computer and user accounts to be trusted for delegation
      U,G Force shutdown from a remote system Y
      U Generate security audits
      U,G Increase quotas Y
      U,G Increase scheduling priority Y
      U,G Load and unload device drivers Y
      U Lock pages in memory
      U Log on as a batch job
      U Log on as a service
      U,G Log on locally Y Y Y Y Deny Y
      U,G Manage auditing and security log Y
      U,G Modify firmware environment values Y
      G Perform volume maintenance tasks Y
      U,G Profile single process Y Y
      U,G Profile system performance Y
      U,G Remove computer from docking station Y Y - Y
      U,G Restore files and directories Y - Y
      U Synchronize directory service data
      U,G Shut down the system Y Y Y - Y
      U,G Take ownership of files or other objects Y


    Security Options (39)

      Policy | Default | Recommended
      Additional restrictions for anonymous connections
      Allow server operators to schedule tasks (domain controllers only)
      Allow system to be shut down without having to log on
      Allowed to eject removable NTFS media
      Amount of idle time required before disconnecting session
      Audit the access of global system objects
      Audit use of Backup and Restore privilege
      Automatically log off users when logon time expires (local) [7]
      Clear virtual memory pagefile when system shuts down
      Digitally sign client communication (always)
      Digitally sign client communication (when possible)
      Digitally sign server communication (always)
      Digitally sign server communication (when possible)
      Disable Ctrl+Alt+Del requirement for logon
      Do not display last user name in logon screen
      LAN Manager Authentication Level
      Message text for users attempting to log on
      Message title for users attempting to log on
      Number of previous logons to cache (in case domain controller is not available)
      Prevent system maintenance of computer account password
      Prevent users from installing printer drivers
      Prompt user to change password before expiration 14 days
      Recovery console: Allow automatic administrative logon
      Recovery console: Allow floppy copy and access to all drives and all folders Disable
      Recovery console:
      Rename administrator account [7]
      Rename guest account [7]
      Restrict CD-ROM access to locally logged-on user only Disabled
      Restrict floppy access to locally logged-on user only Disabled
      Secure channel: Digitally encrypt or sign secure channel data (always) Disabled
      Secure channel: Digitally encrypt secure channel data (when possible) Enabled
      Secure channel: Digitally sign secure channel data (when possible) Enabled
      Secure channel: Require strong (Windows 2000 or later) session key Disabled
      Send unencrypted password to connect to third-party SMB servers Disabled
      Shut down immediately if unable to log security audits Disabled
      Smart card removal behavior No Action
      Strengthen default permissions of global system objects Disabled
      Unsigned driver installation behavior Not defined
      Unsigned non-driver installation behavior Not defined

    Domain Policies

      These policies exist when Active Directory is used, not on local machines.

      Public Key Policies

      Policy | Default | Recommended
      Encrypted Data Recovery Agents | Domain Administrator
      Root certificates (trusted) | - | -
      Certificate Trust Lists (scope) | - | -

      IPSec (Internet Protocol Security) Policies


    User Profiles and IntelliMirror Technology

      When a user logs on for the first time, the default user profile is copied to a profile folder named after the user. Folder naming conflicts are resolved by appending a three-digit number if necessary. The desktop settings that appear are a combination of the Local User profile and the All Users profile.

      User Profiles include settings, colors, and documents. Windows 2000 introduced the ability to store for roaming purposes portions of a profile rather than the entire profile.

      Create a mandatory user profile used by all users in one of two ways:

      1. Create a file named NTUSER.MAN in the user's Roaming User Profile folder. The .MAN file could be a copy of the NTUSER.DAT file in the same folder. This allows the locally cached version.
      2. Set the user's profile path to a folder named \Restricted.man containing a .MAN file.

      The first time that a user logs on to a Windows 2000 Domain Controller, a User Profile is automatically created in folder %SystemRoot%\Documents and Settings Management (instead of a Profiles folder in NT4). This allows user settings to follow users at different workstations. So clients must join a domain to use this IntelliMirror technology.

      Profile values are contained in a read/write network share containing the %userprofile% environment variables.

      The default user profile and folders not needed by users are hidden.

      Windows 2000 introduced the ability to merge profile files together.

      Group Policies can be used to manage user profiles such as what actions to take automatically when a profile reaches a certain size.

      The User Profile Deletion Utility from the Resource Kit removes user settings, colors, and all files in My Documents folders associated with user profiles on both local and remote machines, optionally after /days of inactivity.

        Command line: DelProf.exe
     

    Microsoft Webcast User Profiles in Microsoft Windows 2000: June 29, 2000

    Q243420: Roaming Profile Creation in Windows 2000 Using the "Copy To" Command

    Q214636: How to Set the Path for the Local Default User Profile

    Q227260: How a Slow Link Is Detected for User Profiles and Group Policy



    Printing

      Fix Printer Server

      Use the Fixprnsv.exe /diag utility to scan the print server for incompatible printer drivers and create a report. The /fix switch installs drivers on Windows NT 4.0 and Windows 2000 based clients with the ability to connect to the print server and download the appropriate printer drivers. When this switch is used on a Windows 2000-based computer, any incompatible Windows NT 4.0 printer drivers will be replaced.

      Printer Auditing Settings

      View auditing settings for a printer from the Auditing tab under the Security tab of Printer Properties.

      Logon Scripts

      Logon script, ntconfig, and ntconfig.POL files from NT4 machines' WINNT/System32/Repl/Import/Scripts files.

      Taking printer off-line

      From Start | Settings | Printers, highlight the specific printer. Pull down the Printer menu and select the Use Printer Offline option. Remember: When you take a printer off line, documents stay in the print queue, even when the print server is shut down and then restarted.
     

      Printer Permissions to avoid “Access Denied” pop-up.

      Utility from the Server CD to view dependencies, starting from NTOSKRNL.

      Client jobs are spooled (via a TCP/IP conversation, not merely copied) to the print server's x.sp_ file in \System32\Spool and an accompanying x.shd shadow file in \system32\spool\printers. These files, once created on the server, can be copied and pasted to another location.

      \system32\spool\drivers is shared as print$.

     

    Services, Processes, Threads

      Default processes in Windows 2000 Professional

      To Shut It Down

      Avoid shutting off your machine (manually crashing your own system).

      If your application stops responding, invoke the Task Manager by pressing Ctrl+Alt+Del or right-clicking on the Tray Clock.

      The Kill.exe command-line tool shuts down processes.

      In the Applications tab, right-click on the troublesome application and select "End Task".

      This may not do the job because of other DLLs which are still alive. In the Applications tab, right-click on the troublesome application and select "Go To Process".

      In the Process tab, right click on the highlighted process and select "End Process Tree". This terminates all the other processes indirectly started by the application.

      To disable a service after a reboot

      Change the “Start” value to 4 under this registry key:
      HKLM\System\CurrentControlSet\Services\Eventlog
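
An offline check for the Start value described above, as an added example that is not part of the original notes: it parses a .reg export of the Services key and reports any watched service set to 4 (Disabled). The sample export, the watch list and the function names are constructed for illustration.

```python
import re

# Documented meanings of the Start value under a Services subkey.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

# Constructed sample in .reg export format; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"DisplayName"="Event Log"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"MaxSize"=dword:00080000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
'''

def service_start_types(reg_text):
    """Map service name -> Start value, ignoring nested subkeys."""
    result, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.upper().startswith(SERVICES_PREFIX.upper()):
                name = key[len(SERVICES_PREFIX):]
                if name and "\\" not in name:  # only the service's own key
                    current = name
            continue
        m = re.fullmatch(r'"Start"=dword:([0-9a-f]{8})', line, re.IGNORECASE)
        if m and current:
            result[current] = int(m.group(1), 16)
    return result

def disabled_services(reg_text, watch=("Eventlog",)):
    """Return watched services whose Start value is 4 (Disabled)."""
    starts = service_start_types(reg_text)
    watched = {w.lower() for w in watch}
    return sorted(n for n, v in starts.items() if v == 4 and n.lower() in watched)

if __name__ == "__main__":
    for name, value in sorted(service_start_types(SAMPLE_EXPORT).items()):
        print(f"{name:12} Start={value} ({START_TYPES.get(value, 'unknown')})")
    print("Disabled watched services:", disabled_services(SAMPLE_EXPORT))
```

A real export written by regedit in the Version 5.00 format is UTF-16, so read the file with encoding="utf-16" before passing its text to these functions.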

     

     

    Application Priorities

      Mode Priority
      Realtime 24
      Above Normal ???
      High 13
      Normal 8
      Below Normal ???
      Low 4
      Change the Priorities assigned to application threads to control how they are processed by the CPU.

      Use the Task Manager to change an application's priority. Under the Processes tab, right-click on the task Image Name and select Set Priority. Setting the mode of an application automatically sets the priority as well. Priorities range from 0 to 31, with 31 being the highest priority.

      taskmgr.exe defaults to High. Other apps default to Normal. Only Windows XP features Above and Below Normal priority modes.

     

      What is the tool to change application priorities from within a WSH script???

      How does a C or Java programmer change priorities from within an application program?

     

    Portions ©Copyright 1996-2010 Wilson Mar. All rights reserved.

     
