
LOOKING AFTER YOUR

L.A.W.N. Local - Area - Windows - Network

CURRICULUM

Version 2.20
June 06

Disclaimer: Whilst every effort has been made to ensure the accuracy of the information within this document, no responsibility is accepted by the author for the use or result from using any information within this document. Use of this signifies your acceptance of this condition.

Compiled by Paul Warneke 2 of 110 Version 2.20 Looking After Your L.A.W.N.


SUMMARY OF CHANGES

These changes are incremental. That is to say, the changes made in Version 1.0 will also be included in Version 1.1 etc unless a note has been made on this page to say otherwise.

Changes in edition 2.20

• Multiple Domain Controllers discussed on page 10
• Changes made to the backup regime notes - page 63
• Restore a file from backup added - page 67
• Mapping from Administration network added - page 76
• Hiding a network shared folder - page 76
• Adding a second Domain Controller to your network - page 77
• Removing a Domain Controller from your network - page 80
• Imaging with Ghost added - page 81
• Hard-drive jumper settings discussed - page 108

Changes in edition 2.10

• Format changed to reduce the number of pages
• XP Pro notes moved to a separate booklet
• Using DSADDlite added - Page 47 and 62
• Event Viewer added - Page 30
• Regedit details added - Page 74

Comments and Contributions

Your comments and contributions to this document are welcomed. We all have slightly differing perspectives and what makes sense to some of us may not make sense to everyone. That is why your comments and perceptions are important.

Please feel free to contact me on 041 7897 128 or send an email to Paul Warneke at:

[email protected]

Get the Latest Version

The latest versions of this document can be downloaded from:

www.davparkr7.sa.edu.au/support


PLANNING

Partition Sizes

To separate the system data from the user data, the hard-drive will be split into sections called partitions. These partitions will be for the following: operating system, staff data, student data and network utilities. With this being a network server, there will be very little software installed and the utilities will also not need very much space, leaving the rest to be divided between the staff and student data.

Suggested Partition Sizes

Capacity   C: System   D: Staff   E: Students   F: Utilities
40Gb       5Gb         16Gb       16Gb          3Gb
80Gb       10Gb        36Gb       36Gb          6Gb
120Gb      14Gb        50Gb       50Gb          6Gb

Partitions D: and E: are each 50% of the balance after deducting C: and F:
A minimum of 2Gb is needed for a basic server installation

Your partition sizes

Into the table below, record your partition sizes. These will be used later.

Capacity   C: System   D: Staff   E: Students   F: Utilities
    Gb          Gb         Gb           Gb            Gb

Storage

Shared Folders

So that data is available to users, some folders must be shared and then made accessible to selected groups of users. Some folders are created and shared automatically during the installation of the server operating system but there are some that will need to be created and shared later in the set up process. You may want to create others; planning them now will save time later. Be aware though, that the 'home' folders for staff and students (or classes if you do not need individual student identities) will be created later, semi-automatically, as sub-folders in the staff or student folder.

Commonly shared folders

                Accessible by
Share Name      Admin   Staff        Students     Guest
Student Share   Yes     Yes          Yes          Yes
Staff Share     Yes     Yes          No           No
Clipart         Yes     Yes          Yes          Yes
Staff           Yes     Owner only   No           No
Students        Yes     Yes          Owner only   No

These last two folders will house individual staff and student (Home) folders


Your shared folders

If you need shared folders other than those above, make a note of them here

                Accessible by
Share Name      Admin   Staff   Students   Guest

Note that share names cannot contain blank spaces; you will need to replace any spaces between words with an underscore at the time of creation.

Folder Permissions

Drive mappings to shared folders make finding your data much simpler. All the shared folders described on the previous page will be assigned a 'drive letter' by the logon script when users log on. There are however some letters that need to be left for automatic assigning, others that are saved for specific software use, and some folders that are not shared but are mapped for ease of use.

Common Permissions

Accessible by
Share Name      Mapped to:   Shared   Access and rights
Home Folder     H:           No       Owner - read, write, execute
Student Share   I:           Yes      Staff, students - read, write, execute
Staff Share     J:           Yes      Staff - read, write, execute
Clipart         K:           Yes      All - read only
Bookmark        L:           Yes      All - read, write, execute
McAfee          Y:           Yes      All - read, write, execute but mapping is deleted after logon

The actual mappings to shared folders will be achieved using logon scripts later in the setup process.

Your Folder Permissions

The shares you noted before need to be mapped as well. Copy the names from the previous page and indicate who will have access rights.

Accessible by
Share Name      Mapped to:   Shared   Access and rights
                M:           Yes
                N:           Yes
                O:           Yes

Fixed IP Register

During the installation of the server and some peripheral hardware, certain IP addresses are going to be assigned and this number allocation should be planned before commencing. An important aspect of this planning is ensuring that certain sections of the Curriculum network are accessible from the Administration network. This ability to 'see' from Admin into Curriculum is only one way. Curriculum must not be able to see into the Administration network. If it can, then call the Customer Support Centre (phone 8204 1866) and ask for help in isolating the problem.

An IP address contains four octets (groups of three numbers). The first three octets will be allocated to your school by D.E.C.S. and the last octet can be assigned at school level.


Important: Any Curriculum resource (computer or printer) that you want Admin to have access to, must be numbered between 48 and 55. The main curriculum server you will notice falls into this range.

So that you do not need to write the first three octets into every address in the list, make a note of them here for easy reference.

Example: 10 1 8 176 Yours:

My Reserved addresses

     Address   Used by                Comments
A    1         Default Gateway        This is the main Curriculum gateway
     2 - 10    Routers and switches   Although not all are used, this range is normally reserved for use by the router and/or switches
     48
B    49        Squid server           If a Squid (web proxy) server is installed
C    50        Server                 The main curriculum server
     51        Print server           This may not be used in most cases
     52
     53
     54
     55

Default User Accounts

Throughout the setup and customization of the network you will be asked to create accounts and enter passwords. So that you are consistent and have a record for when you need them in six months' time, record all passwords in the following table.

Extra columns have been left in case you have to change them later. The last entry in each column will then be the latest (current) password.

Description               #1          #2   #3
administrator (local)     textbook
administrator (network)   study
staff template            welcome
student template          study
mcafee                    virusfree
Bookmark                  bookmark

Backup Existing Data

Before you install the new operating system make sure that you:

• Back up user data to an external media such as tape or DVD
• Record any fixed IP addresses for printers, squid server etc
• Record any port or specific printer settings that you are going to need when you come to re-install these network assets
• Any generic logons that you will need to recreate such as classroom and Bookmark
• The logon scripts and batch files
• The names and permissions of all network shared folders


Multiple Domain Controllers

Having more than one Domain Controller on your network can be of benefit as it provides a level of redundancy and support should one controller go off line or have a lot of users try to log on at the same time. In these cases, the second or subsequent Domain Controllers can take over and/or share the task of allowing users to log on.

The other time that having a second Domain Controller running Active Directory is beneficial is when you need to upgrade or replace your main server and do not want to shut the network down during the implementation process. In this case, the first Domain Controller can be removed from the network, upgraded and returned without any degradation of the networking function.

If you are currently running a second server with Windows 2003 Server as a file or print server then you may wish to consider adding the Domain Controller role as well.

Before installing a second Domain Controller, you must:

• Have Active Directory running on your main W2003 network server
• Have a DHCP and DNS server running

To install a second or subsequent Domain Controller:

• Use the notes commencing on page 11 to install your main Windows 2003 server
• Install the basic Server 2003 operating system on a second machine but do not set up any of the options using the Manage Your Server wizard.
• Assign a static IP address to the second server as described on page 19
• Use the notes on page 77 to set up the second Domain Controller.


INSTALLATION (Installing the first domain controller in a new forest)

Operating System

BACKUP ANY EXISTING DATA BEFORE PROCEEDING

Make sure your computer BIOS is configured to boot from the CD drive and turn on the computer.

1. Insert the Windows 2003 CD and if required, restart the computer.
2. If there is an operating system installed on the computer already, you will be asked to select a CD boot or hard-drive boot. Make sure you select to boot from the CD otherwise you will be returned to your original operating system.
3. An analysis and file copy process will commence with hardware settings and a number of other parameters being examined.
4. After a few minutes, the Welcome to setup screen will be displayed, press [Enter]

5. Press [F8] to accept the End User Licensing Agreement (EULA).

6. To separate the system files and your data files you will need to partition the hard-drive at the next screen. This will in effect create multiple hard-drives on the one physical drive. Initially you will only need to create one partition for the operating system. The other partitions will be created later.
7. Press [C] to create a partition.

8. Enter a {partition size} in Mb as you decided in the planning stage.

9. Press [Enter]

10. When you are returned to the previous window you will see that a new partition has been created. This is where the operating system will be installed.

11. Press [Enter] to continue
12. Select the 3rd option to [Format the partition using the NTFS] (footnote 1) and press [Enter] to continue.
13. The partition will be formatted and files copied to the hard-drive. This process may take some time. Leave the CD in the drive as it will be accessed during this process.

Footnote 1: The NTFS format is a much more secure format than FAT32. It is also required for the implementation of some aspects of the network including the Space Quota system.

14. Once all the files have been copied the server will be restarted, DO NOT PRESS ANY KEYS DURING THIS PROCESS as it will reboot from the hard-drive displaying a GUI interface without any input.

15. This installation of basic services may take some time. When asked, press [Next]
16. At the Regional Settings (footnote 2) screen, press [Customize]
17. Select [English (Australia)] from the drop down list in the Standards and Formats section.

18. Then, near the bottom of the same window, set the Location to [Australia]

Footnote 2: All of these regional settings can be altered from the after installation so do not be concerned if you are unsure of some aspects.

19. Select the [Languages] tab and press the [Details] button

20. Press [Add] and then select [English (Australia)]

21. Press [OK] to close the window
22. Now under Installed Services, highlight [English (United States)] and press [Remove]

23. Press [Apply]
24. A warning message will be displayed about the language being in use, press [OK] to delete it the next time you reboot.

25. Press the [Language Bar] button
26. Unselect [Show the Language bar on the desktop] and press [OK]

27. Press [OK] to close the Input Languages window
28. Select the [Advanced] tab and change the Language for non-Unicode programs to [English (Australia)]

29. Press [OK] again and then [Next]
30. Into the Name space enter your {school name} and {DECS} into the Organization space, Press [Next]

31. Enter the {Product Key} from the CD and press [Next]

32. Into the Licensing Modes screen, enter {500} (footnote 3) as the number of licenses into the Per Server section, press [Next].

33. Enter {server} as the computer name (it must be different to your domain name), enter a {password} and press [Next]

34. Press [Next]
35. Depending on the password you entered, a warning message may be displayed. Press [Yes] to continue. This issue will be addressed later on page 33.

Footnote 3: As a DECS site you have an unlimited license and can enter almost any number here. We suggest entering 1000 as this should be more than adequate for most schools.

36. At the Date and Time Settings window, set the current date and time (footnote 4) and set the Time Zone to [Adelaide] from the list.

37. Press [Next]. The network components (footnote 5) will then be installed. Provide any driver information as requested.
38. Select [Typical settings] and [Next]

39. Highlight the option [No, this computer is not on a network, or is on a network without a Domain etc] as this will be completed in a later stage.
40. Leave the default Workgroup name and press [Next]

41. Installation will continue until the server reboots.

Footnote 4: Windows 2003 server services rely on the correct date and time being entered at this point. If this is incorrect, changing the date after connecting clients can cause problems when users try to log on.
Footnote 5: The installation of network components may differ if this is not the first server or is not connected to the network. These notes assume that this is going to be the first server and that the default gateway is configured correctly.


42. The system installation phase is now complete and will restart in Windows 2003 Server.

43. When prompted, press Ctrl+Alt+Del and then enter {administrator} and the {password} you supplied earlier.

Copy installation files

You will shortly proceed to configure the environment, but firstly before you remove the server installation CD from the CD drive, copy the folder [I386] (footnote 6) to the hard-drive root directory.

Connect to the network

Before proceeding, make sure your server is connected to the network with a cable. The next process may not complete properly if your server is isolated from your site router or switch.

Footnote 6: These files are used for later component installation and having them on the hard-drive will save you inserting the CD. The copying of these files is not mandatory and will not hinder the installation of the server software.

CONFIGURATION

TCP/IP Settings

1. From the desktop, right-click [My network places] and select [Properties].
2. In the Local Area Properties window, highlight [Internet Protocol] (footnote 7) and press [Properties]

3. Select [Use the following IP address] (footnote 8) and enter the IP address for this server that you entered onto the planning sheet earlier. If you use a number between 48 and 55 for the last octet, admin machines will be able to access your shared folders on the server.

Note: Use the IP address you recorded for the server in your planning stage

4. Enter the Subnet Mask (usually 255.255.254.0) and the Default Gateway which will probably be the first three octets of your IP address with the fourth being the number one.
5. As the Preferred DNS server, enter the {server's IP address} as in your planning earlier. This must be the first server in the DNS list.
6. Press [OK] and [Close] to close all the property windows

Footnote 7: If the four entries shown above are not available, press the [Install] button and then select [Client] or [Service] and install the relevant modules until all four entries are listed.
Footnote 8: The first three sets of numbers (octets) in the IP address must be those allocated to your school. If you are unsure of what these are, contact the DECS help desk.

Manage Your Server

1. The first time you log on, the Manage Your Server window will display by default and is used to set up and manage key aspects of your network.

2. Active Directories manages computers and users, defining how the network reacts to them and what they can and can't do while logged onto the network. The first thing to set up is the Typical Settings which includes Active Directories, DHCP and DNS.
3. On the Manage Your Server window, select the link to [Add or remove a role]
4. You will be reminded to make sure that all drivers and hardware devices are installed correctly. If you have ensured that everything is as it should be, press [Next], otherwise, [Cancel] out and complete the hardware setup before proceeding.

Important: If you do not have an active network connection, a warning message will be displayed.

5. If this happens, press [Cancel] to stop the installation process. Make sure your server is connected to the network and can see the router. Things to check are:
   a. Network cable plugged into the correct network card and wall port.
   b. Network drivers are correctly installed
   c. Network card is enabled
   d. Cables are correctly installed in the switch cabinets
6. Then start this Typical Settings process again.
7. As this is the initial configuration, select [Typical configuration …] and press [Next]

8. Enter {curriculum.local} as the domain name and press [Next]

Important - Do not use the school's internet domain name as the name of this network domain as it can cause the resolution of computer names into IP addresses to be extraordinarily slow. This in turn slows down the logon process.

9. If the NetBIOS name is not completed by default, enter {curriculum} and then press [Next]
10. When asked about Forwarding DNS queries, select [No, do not forward queries]

11. Press [Next]
12. Then [Next] at the Summary window
13. Press [OK] to accept the warning to close all programs

14. If you get an option to set up Router Options, then you must have two network cards installed and Windows assumes that you are setting up a router. You will need to cancel out of the setup process and either remove one of your network cards or turn it off using the hardware manager available from My Computer and Properties.
15. Press [Next] and then [OK] to confirm the selection
16. Initial components will be configured.
17. Active Directories will be installed
18. The server will reboot and if asked to insert the Windows Server 2003 CD, browse to the I386 folder you copied to the hard-drive.
19. Three services will be installed:
   a. Active Directories - manages users and computers
   b. DHCP - manages computer IP addresses
   c. DNS - resolves computer names and IP addresses
20. The server will reboot again
21. Press [Next]
22. Press [Finish] to return to the Manage Your Server window where the new services will be listed

Install WINS Server

1. The Manage Your Server window should still be displayed from the previous section, if not, from the [Start] menu, select [Manage Your Server]
2. Select the link to [Add or remove a role] and press [Next].
3. In the Server Role window, highlight [WINS Server] (footnote 9) and press [Next]

4. Press [Next] again to start the installation
5. File copying will commence and you will be asked to insert the Windows Server CD. Press [OK] to clear the message and direct the installation to the folder you copied onto the hard-drive, probably c:\i386.
6. Press [OK]
7. File copying will continue.
8. Press [Finish] when prompted.
9. Close the Manage Your Server window

Desktop Icons

1. To make management easier, add the following icons to your desktop from the [Start] [All Programs] and [Administrative Tools] menu.
   a. DHCP
   b. DNS
   c. Active Directories users and computers

Footnote 9: The WINS Server resolves NetBIOS computer names into IP addresses. The advice is that the installation of WINS is not required unless you intend to support Windows 95 or NT. Windows 2000 and XP do not require WINS but it will not hurt to install it just in case.

Configure DHCP

1. From the [Start] menu, select [Administrative Tools] and [DHCP]
2. Expand out the directory tree in the left-hand panel.
3. Highlight the first row that starts [server.curriculum …] and if an existing scope is displayed in the right-hand panel, right-click it

4. Select Delete and then [Yes] to accept the warning message
5. In the left panel again, highlight [server.curriculum.local] and from the [Action] menu, select [New Scope]
6. At the New Scope window, press [Next]
7. Enter a {Scope name} and a {description} if you wish, press [Next]
8. To define the range of IP addresses to be leased out to work stations, enter the first and last addresses. The first will normally be 10.xxx.xxx.1 with the last being 10.xxx.xxx.254 where the x's represent the middle two octets of your school's IP address range. If you are unsure of this range, ring the Customer Support Centre.
9. Enter the standard subnet mask of 255.255.254.0 unless yours is different. The length will be completed automatically.

Note: The length value will be completed automatically once the subnet mask is entered.

Important - Do not omit to complete the subnet mask. Omitting this value here will mean an incorrect mask will be issued when DHCP assigns the IP address lease to client machines at logon and the network will not function correctly.

10. Press [Next]
11. You now need to exclude the Reserved IP addresses that you noted earlier so they are not assigned to other computers by the DHCP service. Enter the start IP address of 10.xxx.xxx.1 to 10.xxx.xxx.5 for the range used by switches and routers and press [Add].
12. Repeat this for the range 10.xxx.xxx.48 - 55 which is the range accessible from the Admin network.

13. Press [Next]
14. Enter a length, in days (footnote 10), that each IP address allocation will remain reserved and then press [Next].

Note: Whilst you could assign a 12 month lease it is probably good practice to specify a much shorter duration, perhaps 90 days.

15. Accept the default of [Yes, configure DHCP options now] by pressing [Next]

16. Enter the address of your router which will usually be in the format 10.xxx.xxx.1 and press [Next]

Footnote 10: You would probably only assign short leases if IP addresses were at a premium and you needed a situation where addresses were released when clients logged off the system. Otherwise a longer (90 day) lease can be used.

17. Enter {curriculum.local} as the Parent Domain information and enter {server} into the Server name space.
18. Press [Resolve] to display the server's address in the IP address area.
19. Press [Add] to include this server IP in the list and press [Next]

20. At the WINS Server window, enter the server IP address and press [Add]


21. Click [Next] to activate the scope and then [Finish]. You will be returned to the previous window with it now looking something like the one below.

22. Make sure there is a green arrow next to your server name to indicate that the scope is active.
23. Close the DHCP window.
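A planning check for the scope built above, as an added example that is not part of the original notes: it tests the exclusions from steps 11 and 12 against the reserved address register from the planning section, confirms the scope fits the subnet mask, and shows that the Admin-visible range 48 to 55 is a single /29 block. The prefix 10.1.8 (taken from the planning sheet's example octets), the function names and the 255.0.0.0 "wrong mask" are constructed for illustration.

```python
import ipaddress

# Constructed sample values. "10.1.8" follows the example octets on the
# planning sheet; substitute the three octets allocated to your school.
PREFIX = "10.1.8"
MASK = "255.255.254.0"             # standard mask from the DHCP steps
SCOPE = (1, 254)                   # first and last address leased by the scope
EXCLUSIONS = [(1, 5), (48, 55)]    # exclusion ranges entered in steps 11 and 12
ADMIN_VISIBLE = (48, 55)           # range the Admin network may reach
RESERVED = {                       # "My Reserved addresses" register
    "default gateway": [1],
    "routers and switches": list(range(2, 11)),
    "squid server": [49],
    "main server": [50],
    "print server": [51],
}


def addr(last_octet, prefix=PREFIX):
    """Full address for a last octet under the school's three-octet prefix."""
    return ipaddress.IPv4Address(f"{prefix}.{last_octet}")


def subnet(prefix=PREFIX, mask=MASK):
    """Network that the prefix and subnet mask describe."""
    return ipaddress.ip_network(f"{prefix}.0/{mask}", strict=False)


def unprotected_reserved(reserved=RESERVED, exclusions=EXCLUSIONS, scope=SCOPE):
    """Reserved last octets that sit in the scope but in no exclusion range.

    DHCP is free to lease these to a workstation, which would then collide
    with the fixed device that owns the address.
    """
    leaks = {}
    for role, octets in reserved.items():
        exposed = [o for o in octets
                   if scope[0] <= o <= scope[1]
                   and not any(lo <= o <= hi for lo, hi in exclusions)]
        if exposed:
            leaks[role] = exposed
    return leaks


def scope_problems(prefix=PREFIX, mask=MASK, scope=SCOPE):
    """Scope endpoints that fall outside the subnet or on its reserved ends."""
    net = subnet(prefix, mask)
    problems = []
    for octet in scope:
        a = addr(octet, prefix)
        if a not in net:
            problems.append(f"{a} is outside {net}")
        elif a in (net.network_address, net.broadcast_address):
            problems.append(f"{a} is the network or broadcast address of {net}")
    return problems


def admin_blocks(prefix=PREFIX, visible=ADMIN_VISIBLE):
    """CIDR blocks that exactly cover the Admin-visible range."""
    first, last = addr(visible[0], prefix), addr(visible[1], prefix)
    return list(ipaddress.summarize_address_range(first, last))


def admin_can_reach(last_octet, prefix=PREFIX):
    """True if a Curriculum device lies inside the Admin-visible range."""
    return any(addr(last_octet, prefix) in block for block in admin_blocks(prefix))


def on_link(client, mask, target):
    """True if a client holding this mask treats target as local traffic,
    that is, it will not send the packet to the default gateway."""
    local = ipaddress.ip_network(f"{client}/{mask}", strict=False)
    return ipaddress.ip_address(target) in local


if __name__ == "__main__":
    print("Scope problems:        ", scope_problems() or "none")
    print("Reserved but leasable: ", unprotected_reserved() or "none")
    print("Admin-visible block(s):", [str(b) for b in admin_blocks()])
    for octet in (50, 56):
        print(f"Admin can reach .{octet}:  ", admin_can_reach(octet))
    # 255.0.0.0 is a constructed example of a wrong mask reaching clients.
    for mask in (MASK, "255.0.0.0"):
        print(f"mask {mask}: 10.2.0.5 on-link =",
              on_link(f"{PREFIX}.100", mask, "10.2.0.5"))
```

With the values from these notes the check reports that addresses 6 to 10 of the router and switch range are still leasable, because the exclusion entered in step 11 stops at 5 while the register reserves 2 - 10. Passing `exclusions=[(1, 10), (48, 55)]` clears the finding.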


Configure DNS

1. Double-click the [DNS] icon on your desktop
2. Expand the directory trees, there should be two entries shown under the Forward Lookup Zone heading. Some texts advocate deleting the _msdcs zone (footnote 11) but the recommendation here is to leave this system created zone.

3. In the left panel, right click [server] or the name of your server where it differs, and select properties
4. Select the [Forwarders] tab

5. Delete (footnote 12) any existing entries in the DNS domain space and enter the two eduConnect IP addresses shown below.

6. Press [OK] to close the DNS window

Footnote 11: When the DNS server was installed, it automatically created a zone called _msdcs.xxx.com with the appropriate resource records. This contains the resource record information for making your DNS server work using the server's fully qualified domain name.
Footnote 12: Your server's IP address should not be listed here as the forwarder system is used where your server cannot resolve an address, so sending it back to your server will result in unnecessary network traffic.

Internet Explorer Settings

The settings that you prescribe here will be distributed to all workstations when you set the Default group Policy a little later.

1. From the server, open Internet Explorer.
2. Select [Tools] on the top menu and then [Internet Options]
3. Change to the [Connections] tab and then select the [LAN Settings] button towards the bottom.
4. Set the panel as shown below.

5. It is not shown above but the full Proxy server address is proxy.decs.sa.edu.au
6. Press [OK] and [OK] to close the internet connection windows

Enable Remote Desktop

So that you will be able to access the server from any Windows XP Professional client on the network, you should enable remote desktop. That way you will be able to perform most tasks without having to physically go and do them at the server.

On the server

1. Right-click [My Computer] and select [Properties].
2. On the [Remote] tab make sure that the option to allow users to connect remotely is selected.

Access from a client

1. Remote desktop can now be run from a client from the [Start] [Run] options.
2. Enter {mstsc} and press [Enter].

3. When you connect remotely you will be asked to enter the server's name which will generally be {server} if you followed the DECS naming conventions or if you are following these notes.
4. Then enter the administrator user and password to log on to the server

Event Viewer

Now that you have completed the initial configuration, it is a good time to introduce the Event Viewer and suggest that it would be good practice to regularly check this event logging utility. Getting into this habit may save you from suffering a disastrous server crash later.

1. From the [Start] menu, select [All Programs] [Accessories] [System Tools].
2. Right-click [Event Viewer] and select [Send to desktop].
3. Open Event Viewer from the new desktop icon.
4. There are six log types listed in the left-hand window. Select each one of these in turn and have a look at the messages in the right-hand window.
5. You should mostly see information listings, with a few yellow warnings and hopefully very few critical red crosses.
6. Review the warnings and errors to make sure that there is nothing major wrong. Some of the errors may have been logged during the setup process, so use the time and date stamps of each to assess the relevance of each message.
7. Check these logs regularly!


ACTIVE DIRECTORY

Create Organisational Units

Applying Group Policy and managing your users will be much easier if you create logically named Organisational Units to house users and security groups. The simplest is to create two Organisational Units (OU), one for staff and one for students.

1. Open Active Directory Users and Computers.
2. Right-click the name of your server (curriculum.local) and select [New] [Organisational Unit].
3. Into the Name space, enter {school users} and press [OK].
4. Right-click this new school users OU and select [New] [Organisational Unit] and enter the Name {Staff OU}.
5. Again, right-click the school users container and select [New] [Organisational Unit] and enter the name {Student OU}.
6. You should now have an Active Directory tree similar to the one below.
7. Later you will apply policies to these OUs and create users in the Staff and Student OUs.


Create Security Groups

Having previously created the Organisational Units to house your users, you now need to create Security Groups so that when the users are created, they can be made members of these groups and therefore be granted access to shared folders and printers.

CREATE YOUR SECURITY GROUPS BEFORE ADDING USERS OR CREATING SHARED FOLDERS

1. Highlight the Users (footnote 13) Organisational Unit that you have created and right-click anywhere in the white space in the right-hand panel. Select [New] [Security Group] from the menu.
2. Enter {Staff Group} as the Group name.
3. Leave all other settings as the default settings then press [OK].
4. Right-click anywhere in the right-hand panel again to create another Group Policy Object called {Student Group} in the Users OU.

13 Security Groups can be created in almost any OU but they MUST be in the Users container for DSADD to work correctly


Group Policy

Edit Default Group Policy

1. Open Active Directory Users and Computers from the desktop and in the console tree on the left, right-click the domain [curriculum.local] and select [Properties].
2. Curriculum.local is the top level in the Active Directory hierarchy and policies set here will be applied to all users, including the default accounts such as administrator. Do not make any changes at this level that should not be applied to all users.
3. Select the [Group Policy] tab, highlight [Default Group Policy] and then [Edit].

Password Policy

This setting needs to be changed before either changing the Administrator password or creating new users, to ensure that your preferred passwords are not rejected, as the default password settings are possibly more complex than you require.

1. Expand out the [Computer Configuration] tree and then [Windows Settings] and [Security Settings].
2. Highlight [Account Policies] to display in the right-hand window the three options available for this policy.
3. Double-click the [Password Policy] in the right-hand window to display the individual default group policies.
4. You will now set the policies so that they suit the needs of your school. To change a setting, right-click it and change the appropriate options shown below.


Internet Explorer Settings

Applying this policy will ensure all users have the same Internet Explorer connection settings and that, if changes are made at workstation level, they are replaced with these correct settings when the next user logs on.

1. The edit policy window should still be displayed. In the left section, expand [User Configuration] and also [Windows Settings].
2. Double-click [Internet Explorer Maintenance].
3. In the right-hand area, double-click the [Connection] icon.
4. Then double-click [Connection Settings].
5. Highlight the option [Import …. From this machine]. These settings were configured earlier when you set the Internet Explorer LAN connection preferences.
6. Close the Connection Settings window.
7. In the left-hand panel, double-click the [URLs] icon.
8. Double-click [Important URLs] in the right pane.
9. Enter {http://www.ed.sa.edu.au} into the home page URL area.
10. Press [OK] to save these changes.

Continue in the same fashion to set up the rest of the Default Group Policies that will be applied to all users.


Logon Options

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Interactive Logon: Do not display last user name      Enabled
Interactive Logon: Do not require CTRL+ALT+DEL        Enabled
Interactive Logon: Message text for users log on      You are responsible etc
Interactive Logon: Message title for users log on     IMPORTANT USER INFORMATION

Windows Messaging

Computer Configuration\Administrative Templates\Windows Components\Windows Messaging

Do not allow Windows Messenger to be run                  Enabled
Do not automatically start Windows Messenger initially    Enabled

Folder redirection

User Configuration\Windows Settings\Folder Redirection

My Documents      Basic, then Redirect to home directory

User Policy

These settings are made at the user level:

11. Open Active Directory Users and Computers.
12. Right-click the container [school users] and then select [Properties].
13. Select the [Group Policy] tab and then [New].
14. Enter {school user policy} as the name and press [Edit].
15. Edit each of the settings below and set them as indicated.

Hide C: Drive

User Configuration\Administrative Templates\Windows Components\Windows Explorer

Remove 'Map Network Drive'                        Enabled
Hide these specific drives in My Computer         Enabled, C drive only
Prevent access to drives in My Computer           Enabled, C drive only
No 'computers near me' in my network places       Enabled
No 'Entire network' in my network places          Enabled

Disable Windows Installer

User Configuration\Administrative Templates\Windows Components\Windows Installer

Prevent removable media for any install           Enabled

Disable Windows Messenger

User Configuration\Administrative Templates\Windows Components\Windows Messenger

Do not allow Windows Messenger to be run                  Enabled
Do not automatically start Windows Messenger initially    Enabled

Apply policy changes

1. Close all Group Policy windows and also Active Directory Users and Computers.
2. From the [Start] and [Run] options, run {gpupdate /force} to refresh the network's Group Policies.
3. Log off if you are asked to.
4. These Group Policy settings will now be used when network clients log on.


FILE STRUCTURE

Create Other Partitions

During the installation process you created the main partition that the system software was installed on. This was a minimal size as it only needed to house the operating system and a few programs. Now you need to create the other partitions to hold the user data. Creating these partitions will divide your hard-drive into further sections that will be used to hold the student and staff home folders as well as clipart and other general folders.

1. From the [Start] menu, select [Administrative Tools] [Computer Management].
2. Click on [Disk Management] in the left-hand panel to display a window similar to the one below.
3. Right-click in the area that contains the phrase [Unallocated] and select [New Partition].
4. At the Welcome screen, press [Next].
5. Leave the selection for [Primary partition] as selected by default. Press [Next].
6. Set the size to the size you nominated for partition 'D' then press [Next].
7. Set the drive letter to {V} and press [Next].
8. Change the Volume Label to {Staff} and accept all other default settings. Press [Next].
9. Press [Finish] to commence formatting the new partition.
10. Repeat steps 3 to 9 to divide the remaining space for partitions W: Students and X: Software.
11. The new partitions should be shown similar to those below. The sizes will vary though, depending on your settings.
12. Close the window when all partitions are completely formatted.
13. You should now see the new partitions when you open My Computer.


Create Shared Folders

1. Right-click the [Start] button and select [Explore] from the pop-up list. If you don't see the drives shown above, go back and create the partitions before proceeding.
2. Double-click the [Staff] partition to select it.
3. Create two new folders, [StaffHome] and [StaffShared].
4. Double-click the [Students] partition to select it.
5. Create new folders, [StudentHome] and [StudentShared].
6. Double-click the [Software] partition to select it.
7. Create two folders, [Clipart] and [Utilities].

Apply Folder Permissions

Sharing the folders makes them available over the network to users who have been given access rights, which you will assign later.

Staff Folder

Will contain the staff home folders.

1. Click the Staff partition and right-click the [StaffHome] folder and then [Sharing and Security].
2. Select the [Sharing] tab and highlight the option to [Share this folder].
3. Accept the default Share Name of [StaffHome] and press the [Permissions] button.
4. The default setting will be for everyone to have Read access; change this so that they have [Full Access]. This may seem strange, as you would not want students with full access, but you will change the NTFS security settings shortly and these take precedence over these share permissions.


5. Press [Apply] and then [OK].
6. Click the [Security] tab.
7. Press the [Advanced] button towards the bottom of the window.
8. Remove the [checkmark] from the option to Allow inheritable permissions etc.
9. In the confirmation window that is displayed, press the [Remove] button.
10. Press the [Add] button.
11. Type {administrator} and press [OK].
12. You may be asked to select which administrator account you require; select [Administrator] and press [OK].


13. Change the permissions for the Administrator to [Full Control]

14. This folder will contain the Staff user home folders. When these are created automatically later in the process, they will be given full control of their own home folder. Here you have ensured that the Administrator also has control but no-one else.

StaffShared Folder

A folder accessible to all staff but not students.

1. Click the Staff partition and right-click the [StaffShared] folder and then [Sharing and Security].
2. Select the [Sharing] tab and highlight the option to [Share this folder].
3. Accept the default Share Name of [StaffShared] and press the [Permissions] button.
4. Change permissions so that they have [Full Access].
5. Press [Apply] and then [OK].
6. Click the [Security] tab.
7. Press the [Advanced] button and remove the [checkmark] from the option to Allow inheritable permissions etc.
8. In the confirmation window that is displayed, press the [Remove] button.
9. Press the [Add] button.
10. Type {administrator} and press [OK].
11. You may be asked to select which administrator account you require; select [Administrator] and press [OK].
12. Change the permissions for the Administrator to [Full Control].
13. Repeat the process to add the [Staff Group] and give them [Modify] permission.

Student Folder

Will house the students' home folders. Staff will be given modify access.

1. Click the Students partition and right-click the [StudentHome] folder and then [Sharing and Security].
2. Select the [Sharing] tab and highlight the option to [Share this folder].
3. Accept the default Share Name of [StudentHome] and press the [Permissions] button.
4. Change permissions so that they have [Full Control].
5. Press [Apply] and then [OK].
6. Click the [Security] tab.
7. Press the [Advanced] button and remove the [checkmark] from the option to Allow inheritable permissions etc.
8. In the confirmation window that is displayed, press the [Remove] button.
9. Press the [Add] button.
10. Type {administrator} and press [OK].
11. You may be asked to select which administrator account you require; select [Administrator] and press [OK].
12. Change the permissions for the Administrator to [Full Control].
13. Repeat the process to add the [Staff Group] and give them [Modify] permission.


Student Shared Folder

Will hold the students' shared files. Staff will be given modify access.

1. Click the Students partition and right-click the [StudentShared] folder and then [Sharing and Security].
2. Select the [Sharing] tab and highlight the option to [Share this folder].
3. Accept the default Share Name of [StudentShared] and press the [Permissions] button.
4. Change permissions so that they have [Full Access].
5. Press [Apply] and then [OK].
6. Click the [Security] tab.
7. Press the [Advanced] button and remove the [checkmark] from the option to Allow inheritable permissions etc.
8. In the confirmation window that is displayed, press the [Remove] button.
9. Press the [Add] button.
10. Type {administrator} and press [OK].
11. You may be asked to select which administrator account you require; select [Administrator] and press [OK].
12. Change the permissions for the Administrator to [Full Control].
13. Repeat the process to add the [Staff Group] and give them [Modify] permission.
14. Repeat the process to add the [Students Group] and give them [Modify] permission.

Clipart Folder

Will hold general clipart. Staff and students will be given read access.

1. Click the Software partition and right-click the [Clipart] folder and then [Sharing and Security].
2. Select the [Sharing] tab and highlight the option to [Share this folder].
3. Accept the default Share Name of [Clipart] and press the [Permissions] button.
4. Set the permissions to [Full Control]. Press [Apply] and then [OK].
5. Click the [Security] tab.
6. Press the [Advanced] button and remove the [checkmark] from the option to Allow inheritable permissions etc.
7. In the confirmation window that is displayed, press the [Remove] button.
8. Press the [Add] button.
9. Type {administrator} and press [OK].
10. You may be asked to select which administrator account you require; select [Administrator] and press [OK].
11. Change the permissions for the Administrator to [Full Control].
12. Repeat the process to add the [Staff Group] and [Students Group], giving them the default permissions as shown below.
13. Close the Properties windows.


Utilities Folder

Will hold network utilities and software. Staff and students will not be given access.

1. Click the Software partition and right-click the [Utilities] folder and then [Sharing and Security].
2. Select the [Sharing] tab and highlight the option to [Share this folder].
3. Accept the default Share Name of [Utilities] and press the [Permissions] button.
4. Set the permissions to [Full Control]. Press [Apply] and then [OK].
5. Click the [Security] tab.
6. Press the [Advanced] button and remove the [checkmark] from the option to Allow inheritable permissions etc.
7. In the confirmation window that is displayed, press the [Remove] button.
8. Press the [Add] button then type {administrator} and press [OK].
9. If asked which administrator account you require, select [Administrator] and press [OK].
10. Change the permissions for the Administrator to [Full Control], then close the Properties windows.

Note: Now that you have shared some folders, if you open the Manage Your Server wizard, you will see that the File Server has been installed automatically.


Login Scripts and Mapped Drives

Network mappings make it easy to quickly navigate to important folders in a directory tree without having to pass through each individual level of the network. It is simply a named shortcut.

1. Using a text editor like Notepad, write the scripts shown below and save them in the folder: C:\windows\sysvol\sysvol\scripts
2. Save these files as {admin.bat}, {staff.bat} and {student.bat}.

admin.bat

@echo off
REM set the time to that on the server
net time \\server /set /yes
REM delete any existing mappings
net use * /d /yes
REM Map the shared folders
net use h: \\server\staffhome\%username% /yes
net use i: \\server\StaffHome /yes
REM leave the letter L for Bookmark mapping
net use j: \\server\StaffShared /yes
net use k: \\server\Studenthome /yes
net use m: \\server\StudentShared /yes
net use n: \\server\Clipart /yes
net use o: \\server\utilities /yes
net use y: \\server\mcafee /yes
REM load the latest virus definitions
call y:\mcafee.bat
REM the Y drive is not deleted for administrators

staff.bat

@echo off
REM set the time to that on the server
net time \\server /set /yes
REM delete any existing mappings
net use * /d /yes
REM Map the shared folders
net use h: \\server\staffhome\%username% /yes
REM leave the letter L for Bookmark mapping
net use j: \\server\StaffShared /yes
net use k: \\server\Studenthome /yes
net use m: \\server\StudentShared /yes
net use n: \\server\Clipart /yes
net use y: \\server\mcafee /yes
REM load the latest virus definitions
call y:\mcafee.bat
net use y: /d /yes


student.bat

@echo off
REM set the time to that on the server
net time \\server /set /yes
REM delete any existing mappings
net use * /d /yes
REM Map the shared folders
net use h: \\server\studenthome\%username% /yes
REM leave the letter L for Bookmark mapping
net use m: \\server\StudentShared /yes
net use n: \\server\Clipart /yes
net use y: \\server\mcafee /yes
REM load the latest virus definitions
call y:\mcafee.bat
net use y: /d /yes

Note: If you intend to have a link to the library bookmark system, you may want to include the mapping:

net use l: \\library_server\bookmark
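The three logon scripts can be checked against the NTFS entries set under "Apply Folder Permissions", so that a later edit does not leave a role with a drive it was never meant to reach. The Python below is an added example, not part of the original notes: it replays the `net use` lines to get the drives left connected at the end of each script. The role names, the finding codes and the DRIFTED_STUDENT script are constructed for illustration, and the mcafee share is treated as temporary for staff and students because their scripts delete Y: after use.

```python
import re

# net use lines from the three scripts on this page (REM lines omitted).
SCRIPTS = {
    "admin": r"""
net time \\server /set /yes
net use * /d /yes
net use h: \\server\staffhome\%username% /yes
net use i: \\server\StaffHome /yes
net use j: \\server\StaffShared /yes
net use k: \\server\Studenthome /yes
net use m: \\server\StudentShared /yes
net use n: \\server\Clipart /yes
net use o: \\server\utilities /yes
net use y: \\server\mcafee /yes
call y:\mcafee.bat
""",
    "staff": r"""
net use * /d /yes
net use h: \\server\staffhome\%username% /yes
net use j: \\server\StaffShared /yes
net use k: \\server\Studenthome /yes
net use m: \\server\StudentShared /yes
net use n: \\server\Clipart /yes
net use y: \\server\mcafee /yes
call y:\mcafee.bat
net use y: /d /yes
""",
    "student": r"""
net use * /d /yes
net use h: \\server\studenthome\%username% /yes
net use m: \\server\StudentShared /yes
net use n: \\server\Clipart /yes
net use y: \\server\mcafee /yes
call y:\mcafee.bat
net use y: /d /yes
""",
}

# Constructed: a student script that has drifted away from the design.
DRIFTED_STUDENT = r"""
net use * /d /yes
net use h: \\server\studenthome\%username% /yes
net use l: \\server\StaffShared /yes
net use o: \\server\utilities /yes
net use y: \\server\mcafee /yes
call y:\mcafee.bat
"""

# Roles with an NTFS entry on each share, per "Apply Folder Permissions".
# Administrator has Full Control on every one of them.
NTFS = {
    "staffhome": set(), "staffshared": {"staff"}, "studenthome": {"staff"},
    "studentshared": {"staff", "student"}, "clipart": {"staff", "student"},
    "utilities": set(),
}
HOME = {"admin": "staffhome", "staff": "staffhome", "student": "studenthome"}
NET_USE = re.compile(r"^net\s+use\s+(\*|[a-z]:)\s*(\\\\\S+)?(.*)$", re.I)


def final_mappings(script):
    """Replay the net use lines; return {drive: unc} left at script end."""
    drives = {}
    for line in script.splitlines():
        match = NET_USE.match(line.strip())
        if not match:
            continue  # net time, call, REM, blank lines
        drive, unc, rest = match.group(1).lower(), match.group(2), match.group(3)
        if unc:
            drives[drive] = unc.lower()
        elif "/d" in rest.lower().split():
            if drive == "*":
                drives.clear()
            else:
                drives.pop(drive, None)
    return drives


def lint(role, script):
    """Return (drive, finding) pairs for mappings that contradict the ACLs."""
    findings = []
    for drive, unc in sorted(final_mappings(script).items()):
        parts = unc.strip("\\").split("\\")  # [server, share, subpath...]
        share = parts[1] if len(parts) > 1 else ""
        own_home = share == HOME[role] and parts[2:] == ["%username%"]
        if drive == "l:":
            if share == "bookmark":
                continue  # the one mapping the notes reserve L: for
            findings.append((drive, "reserved-letter"))
        if share == "mcafee":
            if role != "admin":
                findings.append((drive, "temp-drive-left"))
        elif share not in NTFS:
            findings.append((drive, "unknown-share"))
        elif role != "admin" and not own_home and role not in NTFS[share]:
            findings.append((drive, "no-ntfs-entry"))
    return findings


if __name__ == "__main__":
    for role, script in SCRIPTS.items():
        print(role, lint(role, script))
    print("drifted student", lint("student", DRIFTED_STUDENT))
```

A mapped drive does not grant access by itself; a finding here means the script and the folder permissions no longer describe the same design.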


USER IDENTITIES

Create User Templates

Staff Template

1. Open Active Directory Users and Computers.
2. Right-click the [Staff OU] that you created earlier and select [New] [User].
3. Enter the details:
   • First Name: Staff
   • Last Name: Template
   • User logon name: stafftemp
4. Press [Next].
5. Enter and confirm the password of {welcome}, making sure that the option [User must change password at next logon] is selected.
6. Press [Next].
7. At the confirmation screen, press [Finish].
8. Before proceeding, you should disable the account so that it cannot be used to log on with.
9. Click the [Staff OU] and right-click the [Staff Template].
10. Select [Disable] from the menu. This user will now display with a red cross indicating that it is disabled.
11. Double-click the [staff template] to open its Properties window. Click the [Profile] tab.
12. So that the correct folders are mapped, into the Logon script section, enter {staff.bat}.
13. Set the Home Folder to connect to [H:].
14. Set the path to {\\server\staffhome\%username%}.


15. Now press [Apply]. You will see the variable %username% change to stafftemp (see below) and the home folder (called stafftemp) will be automatically created in the StaffHome folder.
16. Press the [Member of] tab. It is here that you will make this user a member of the Staff Group, which will then give them access to any folders and resources that the Staff Group has been given access to.
17. By default, the Domain Users group will be included. Press the [Add] button.
18. Enter {staff} into the object names area and press [OK].
19. If you have no other users or groups starting with the letters 'staff', the Staff Group will be added. Otherwise you will need to select the group from a list of users and groups presented.
20. Staff are also going to need access to the student area, so repeat the process above to make them members of the [Student Group].
21. Press [Apply].
22. Their memberships should be as shown below.
23. Press [OK] to close the Properties window.
24. If you open Windows Explorer and go to the StaffHome folder, you will see a new folder named stafftemp with appropriate access permissions. When you copy the staff template, a home folder will be created automatically in the same way as this one.


Student Template

1. Still in Active Directory Users and Computers, right-click the Student OU and select [New] [User].
2. Enter a First name of {Student} and a Last name of {Template} with a User logon name of {studtemp}.
3. Press [Next].
4. Enter and confirm the password of {Welcome}.
5. Make sure that the {User cannot change password} option is selected so students cannot change (and forget) their password.
6. Press [Next] then [Finish] to create the template.
7. Double-click this new account to open its Properties window.
8. Click the [Profile] tab.
9. So that the correct folders are mapped, into the Logon script section, enter {student.bat}.
10. Set the Home Folder to connect to [H:].
11. Set the path to {\\server\students\%username%}.
12. Now press [Apply].
13. Press the [Member of] tab.
14. Make them a member of the Domain Users, Student Group, and Domain Admin groups.
15. Press [Apply] and then [OK] to close the Properties window.
16. Right-click the [Student Template] and select [Disable] from the menu.
17. Your two templates are now ready to use.

Users from Templates

If you have not already created the staff and student templates, create them first from the previous pages before proceeding with this stage.

Copy the staff template

1. Open Active Directory Users and Computers and select the [Staff OU] Organisational Unit.
2. Right-click your staff template and select [Copy].
3. Enter these test details (or details for one of your actual users):
   • First name: John, Last name: Smith and Logon name: jsmith
4. The Full name and pre-Windows 2000 logon will be completed automatically.
5. Press [Next].
6. Enter a {password} (footnote 14) and highlight the option [User must change password at next logon].

14 Important: Use a standard format when entering this default password as you will often be asked by staff "What is my password?". Consider simply using their logon identity for staff and students.


Create users with DSADDlite

DSADDlite is a utility that uses the functionality of the DSADD command line tool, introduced with Server 2003, to create users in bulk. Used directly from the command line, DSADD can be very cumbersome; DSADDlite provides an easy interface that can create hundreds of user profiles in minutes.

DSADDlite is free and can be downloaded from www.davparkr7.sa.edu.au/support. These notes assume that you have downloaded and installed the utility on an XP Professional workstation.

1. From Start, All programs, start DSADDlite.
2. If a network connection or Active Directory is not found, you may be shown one or two messages reflecting these problems. If these warnings are given, it is recommended that you exit DSADDlite and rectify the problems before continuing, to avoid problems during the creation process.
3. At the Welcome page, press [Begin].
4. Read the EULA and, if you accept these provisions, tick the box signifying this at the bottom of the page and press [Next], otherwise [Cancel].

Step 1 – File locations

5. Using the Browse buttons, locate the text file that will supply the user data. This file must be a comma separated (CSV) text file with the following fields as a minimum:

Surname, Middle name, First name, ID Code, Date of Birth, Description

e.g.
Smith, Fred, John, 12345, 3/02/1994, Year 2
or
Smith,, John, 12345, 3/2/1994, Year 2
or
Smith,, John, 12345, 3021994, Year 2


The middle name can be left blank but the field must still be marked with its comma, and the date can be in any of the three formats shown. The day in this case will be converted from '3' to '03' by DSADDlite to maintain a uniform eight digit date format.

6. Nominate where you want the DSADD batch file saved. A location on the server is best, as this is where you will need to run the file later. The file path will be truncated automatically to save space but this will not affect the process.
7. As well as creating the DSADD file, you have the option of creating a CSV file that can be loaded into eduConnect to create your users' email accounts. The benefit of creating it now is that you can be assured of maintaining data uniformity, such as passwords that you may wish to be the same for both accounts.
8. To create an eduConnect CSV file, tick the box halfway down the page to display the CSV options.
9. Enter your school domain name in the format {davparkr7.sa.edu.au}.
10. Accept the default email identity format of [first name plus surname].
11. The CSV file will be saved in the same location as your DSADD file and its name created automatically.
12. Press [Next].
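The input file rules from step 5 can be checked before the file is loaded into DSADDlite. The Python below is an added example, not part of DSADDlite or the original notes; the function names and sample rows are constructed. It normalises the three date formats to eight digits and flags seven-digit dates that can be read two ways, which matters because the birth date is one of the password options offered in Step 3.

```python
import csv
import datetime
import io
import re
from collections import Counter

# Constructed sample in the column order given in step 5:
# Surname, Middle name, First name, ID Code, Date of Birth, Description
SAMPLE_CSV = """\
Smith, Fred, John, 12345, 3/02/1994, Year 2
Jones,, Mary, 12346, 3021994, Year 2
Brown,, Alan, 12347, 1121994, Year 2
Green,, Sue, 12345, 14/07/1993, Year 3
Black,, Tom, 12348, 31/02/1994, Year 2
White, Ann, 12349, 03021994
"""


def _is_date(day, month, year):
    """True when day/month/year is a real calendar date."""
    try:
        datetime.date(year, month, day)
    except ValueError:
        return False
    return True


def normalise_dob(raw):
    """Return (ddmmyyyy or None, note or None) for one date-of-birth field."""
    raw = raw.strip()
    note = None
    slashed = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", raw)
    if slashed:
        day, month, year = (int(part) for part in slashed.groups())
    elif re.fullmatch(r"\d{8}", raw):
        day, month, year = int(raw[:2]), int(raw[2:4]), int(raw[4:])
    elif re.fullmatch(r"\d{7}", raw):
        # Seven digits: the day has lost its leading zero (d + mm + yyyy).
        day, month, year = int(raw[0]), int(raw[1:3]), int(raw[3:])
        # The same digits may also form a valid dd + m + yyyy date.
        if _is_date(int(raw[:2]), int(raw[2]), year):
            note = "ambiguous 7-digit date"
    else:
        return None, "unrecognised date format"
    if not _is_date(day, month, year):
        return None, "not a real calendar date"
    return "%02d%02d%04d" % (day, month, year), note


def check_rows(text):
    """Validate every row; return (usable_rows, [(line_no, problem), ...])."""
    rows, problems = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # blank line
        if len(row) < 6:
            problems.append((line_no, "expected 6 fields, found %d" % len(row)))
            continue
        surname, middle, first, id_code, dob_raw, description = row[:6]
        if not (surname and first and id_code):
            problems.append((line_no, "surname, first name and ID code required"))
            continue
        dob, note = normalise_dob(dob_raw)
        if note:
            problems.append((line_no, "%s: %r" % (note, dob_raw)))
        if dob is None:
            continue
        rows.append({"line": line_no, "surname": surname, "middle": middle,
                     "first": first, "id_code": id_code, "dob": dob,
                     "description": description})
    # ID codes must be unique across the file.
    seen = Counter(r["id_code"] for r in rows)
    for r in rows:
        if seen[r["id_code"]] > 1:
            problems.append((r["line"], "duplicate ID code %s" % r["id_code"]))
    return rows, problems


if __name__ == "__main__":
    usable, found = check_rows(SAMPLE_CSV)
    for r in usable:
        print(r["line"], r["surname"], r["first"], r["id_code"], r["dob"])
    for line_no, problem in sorted(found):
        print("line %d: %s" % (line_no, problem))
```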


Step 2 – Account Age

13. Here you can opt to disable these accounts until they are needed later. Normally you would want them ready immediately, so leave this option un-selected.
14. You can also set a date when they would cease to be active, such as the 20th December after the end of the school year. Some sites create all their student users at the start of each year and this option can be useful in this process.
15. If you do want your user accounts to expire, select the [End of] option to display the calendar.
16. Using the arrows on the calendar, scroll through to the month required and double-click a suitable date.
17. The date and days to expiry will now be displayed. Press [Next].

Step 3 – Identity formats

18. Select an identity format from the top drop-down box.
19. There are four options for the password format:
   a. Use the birth date from the text file.
   b. Use a random password. You will be presented with a separate window where you can select a password file and password length. You can create your own password files with a normal text editor such as Notepad. These password files must be saved with a 'pwd' extension and only have one word per line.
   c. Use the logon ID as the password. This will be as you selected in the drop-down box above.
   d. Use this password for all users. A separate window will display where you can nominate the password that will be applied to all users.
20. Select a password format to suit.


21. If you are creating student users you will probably not want them to be able to change their password. To set this policy, under the heading Password Age:
   a. Remove the tick on the option [Users must change password …] to display the other options.
   b. Place a tick in the last two options as shown below.
22. Press [Next].

Step 4 – User profile

23. If you use mandatory or roaming profiles, enter the path in the {\\server\profile\} format.
24. Enter the {logon script} name.
25. Select a [Home Drive] letter.
26. Enter the UNC path where home folders will be created. This should be in the format {\\server\student}. Do not include the %username% parameter as this will be added automatically for each user later.
27. From the drop-down list, select the Security Group to which these users will belong. You do not have to specify Domain Users as this will be added automatically.

Note: If the Group Name list is empty it will be because Active Directory was not found and the list could not be populated. You will need to enter the name manually.

28. Press [Next].


Step 5 – Domain information

29. If a network is available, the domain details will be completed automatically.
30. Enter an {Organisational Unit} name. If you want to create a new OU, you can use the create button next to the field box, or enter the new name into the data field and leave the option to {have the script create it} selected.
31. Press [Next].

Step 6 – Organisation information

32. The Organisational fields on this page of DSADDlite are optional and do not need to be completed unless they are needed. If you do want to use these fields then there are two ways that you can complete them:
   a. By entering data into the DSADD utility. Data entered in this way will apply to all users. That is, the data will not necessarily be user specific, as every user will have the same information applied.
   b. By importing the data from the text file you specified back in step 1. This data can vary from user to user and is therefore more meaningful.
33. For more information on completing the optional fields, refer to page 54.
34. If the data is coming from the text file, the field will not be available for data entry on the DSADDlite page. The figure below shows fields that are coming from the text file.
35. Enter any data into these fields that you wish.
36. Press [Next].


Step 7 – Personal Information

37. As with Step 6, this information is optional. Enter data as required.
38. Press [Next].

Step 8 – Data Summary

39. Data collection is complete.
40. Review these entries and go back to correct any that are not correct.
41. Once you are satisfied that all data is correct, press [Create].

Step 9 – File creation

42. The main window will be replaced by a progress window.
43. During this process, DSADD will refer to any existing users in Active Directory and not create the new user if they already exist. It will also monitor all new users created to make sure that user codes are not duplicated.
44. Wait for this to complete and be replaced with the main window again.

Finished

45. This last window will give you a summary of any users who had their identity changed to avoid duplication. This alteration is simply done by adding a unique number to the end of the user ID. Whilst this may not suit your needs precisely, it does allow for the user to be created and gives you a chance to manually alter the DSADD file if you wish.
46. Press [Next] to clear this last window.

The files created

1. There will have been three files created:
   a. The DSADD batch file
   b. The CSV file, if this option was selected
   c. A Word document recording the users created and their password and identity details.


Run the DSADD file

Now that you have created the DSADD file, it is a simple case of running it to create the users in Active Directory.

Note: The DSADD command is not recognised by XP Professional and so you cannot run your DSADD batch file from Windows Explorer on a workstation. You will need to use the remote access method (refer page 29) or physically sit at your server to run DSADD files.

1. Go to the server and in Windows Explorer, find the folder where you created the DSADD file.
2. Double-click it to open a command window and start the DSADD command line tool.
3. A new OU will be created if required.
4. The users and their home folders will be created if all the data you supplied is correct.
5. So that you can make sure that there are not any errors in your DSADD file, it will pause after the first user and give you a chance to read the screen text.
6. Beneath the large amount of text starting "dsadd user "CN= …." and containing the new user profile info, there should be a line of text saying "DSADD succeeded".
7. If this message says "DSADD failed", press [CTRL + C] to halt the command line tool, otherwise press [any key] to continue the process. Refer below for some of the possible errors and their solutions. If there were any errors reported, they will need to be corrected and the DSADDlite process started over. Any users created and their home folders should also be deleted.
8. The window will close when complete.

DSADD failed These are some of the errors that you may encounter when running your DSADD batch file:

Error: The password does not meet password policy requirements. Solution: Change your Group Policy Password settings so that the password format you have selected is valid. Refer to page 33 for some common settings

Error: The specified user already exists. Solution: You may be running the DSADD batch file for a second time and have not deleted users created when this batch file was previously run. This error is not a major one and should not create problems.

Error: Directory Object not found. Solution 1: Security Group Missing - This could indicate that the user has been created but the Security Group specified in DSADDlite could not be found. It should be safe to continue the creation of users and then add the users to the Security Group later. Verify this by looking in Active Directory, the user will probably have been created but be disabled and has not been made a

Compiled by Paul Warneke 53 of 110 Version 2.20 L.A.W.N. Server 2003 œ User Identities

member of the Security Group specified.

Solution 2: Organisational Unity Missing œ This error will be supported by a second line of text a little further down that says —No mapping between account names and security IDs was done“ and indicates a critical error. Most probably the OU could not be found where these users need to be created. Close the command line utility, delete the home folders created and then run DSADDlite again, making sure to nominate an existing OU or to have the script make one for you.

Completing the optional Fields

If you want to import more than just the first six mandatory fields (Fields 0 to 5) then you can add the extra data into your text file. The fields available in order are:

Field  Name            Example
0.     Surname         Smith
1.     Middle name     James
2.     First name      Bruce
3.     ID number       514879
4.     Date of birth   19/7/1958 or 19071958
5.     Description     Sales Office
6.     Company         Barts Biscuits
7.     Office          Adelaide Office
8.     Department      Sales Dept.
9.     Title           Manager
10.    Work phone      (08) 5555-9999
11.    Webpage         www.bb.com.au
12.    email           [email protected]
13.    Home phone      (08) 5555-8888
14.    Mobile          041 123 456
15.    Fax             (08) 5555-7777
16.    Pager           5689
17.    IP Phone        555-66666

Fields 0 to 5 are the Mandatory Fields.

The middle name (Field 1) can be blank but a field must exist in the text file for it. Using the data above, a line of the text file containing only the mandatory fields, with the blank middle name indicated by the two commas side by side, would look like:

Smith,,Bruce,514879,19071958,Sales

Likewise, the description and date of birth fields can be left blank if they are not going to be used but they must be designated by the commas to mark the field location.

Smith,,Bruce,514879,,Sales

Each line of text must have a minimum of five commas marking the required six fields.

If you are including optional fields, the same rules apply. If you wanted to include the Work Phone data, there would have to be either data or field placings for the fields Company, Office, Department and Title preceding the Work Phone number. The effect of this on the data input screen is that the optional fields from Company to Work Phone would not be available to accept data from the form. This line in your text file might look like this:

Smith,,Bruce,514879,,Sales,,,,,,,,(08) 5555-8888

The only optional fields that would be available for input in DSADDlite would then be Mobile, Fax, Pager and IP Phone as they come after the fields supplied in the text file.
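A way to check an import file against these rules before loading it into DSADDlite. This is an added example, not part of DSADDlite or of the original document: the function names are my own, and it assumes that fields are split on every comma with no quoting and that Surname, First name and ID number must hold data.

```python
from datetime import date

# Field order from the table above: 0-5 are mandatory, 6-17 optional.
FIELDS = ["Surname", "Middle name", "First name", "ID number",
          "Date of birth", "Description", "Company", "Office",
          "Department", "Title", "Work phone", "Webpage", "email",
          "Home phone", "Mobile", "Fax", "Pager", "IP Phone"]
MANDATORY = 6
# Assumption: of the mandatory fields only these must hold data; the text
# says middle name, date of birth and description may be left blank.
MUST_HAVE_DATA = ("Surname", "First name", "ID number")


def valid_dob(text):
    """Accept the two forms shown in the table: 19/7/1958 or 19071958."""
    if len(text) == 8 and text.isdigit():
        parts = [text[:2], text[2:4], text[4:]]
    else:
        parts = text.split("/")
    if (len(parts) != 3 or len(parts[2]) != 4
            or not all(p.isdigit() for p in parts)):
        return False
    try:
        date(int(parts[2]), int(parts[1]), int(parts[0]))
    except ValueError:          # e.g. 31 February
        return False
    return True


def check_line(line):
    """Check one line; return (record, form_fields, problems)."""
    # Assumption: every comma is a field separator (no quoted values).
    values = [v.strip() for v in line.rstrip("\r\n").split(",")]
    if len(values) < MANDATORY:
        return {}, [], ["only %d commas, need at least 5" % (len(values) - 1)]
    problems = []
    if len(values) > len(FIELDS):
        problems.append("%d fields, but only %d are defined"
                        % (len(values), len(FIELDS)))
    record = dict(zip(FIELDS, values))
    for name in MUST_HAVE_DATA:
        if not record[name]:
            problems.append("%s is blank" % name)
    dob = record["Date of birth"]
    if dob and not valid_dob(dob):
        problems.append("date of birth %r is not d/m/yyyy or ddmmyyyy" % dob)
    # Every position up to the last one in the file is taken from the file;
    # only the optional fields after it are left for the DSADDlite form.
    return record, FIELDS[len(values):], problems


def check_file(text):
    """Return {line_number: problems} for every non-blank line that fails."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            problems = check_line(line)[2]
            if problems:
                report[number] = problems
    return report


# The first three lines are the examples above; the last two are constructed.
SAMPLE = """Smith,,Bruce,514879,19071958,Sales
Smith,,Bruce,514879,,Sales
Smith,,Bruce,514879,,Sales,,,,,,,,(08) 5555-8888
Jones,Amy,514880
Brown,,Lee,514881,31/02/1990,Sales
"""

if __name__ == "__main__":
    for number, problems in check_file(SAMPLE).items():
        print("line %d: %s" % (number, "; ".join(problems)))
```

A value that itself contains a comma (for example an office address) shifts every later field one place to the right, so check the second return value of check_line against the fields you expected to be left on the form.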


Using the user record

During the file creation process, a record of all your users was also created. This can be an invaluable tool when users forget their password, for teachers as a record of their class identities and also later, if you need to recreate a specific user with identical details.

This is a very simple Rich Text Format (rtf) document that, as well as recording password and identity details, also identifies:

• (D) User IDs that were changed to avoid duplication: Notice that the 14th user 'Lemuel Levine' has had a number added to her ID. This was done automatically to avoid duplicating the identity of 'Lina Levine' in the line above. If you want to change this ID before running the DSADD batch file, use the Find and Replace function of any word processor to change all occurrences of the required identities.
• (E) User Exists in Active Directory: The user 'Lavonne Blackburn' was not created as they (or another identical user) were found in Active Directory. These users will need to be created manually if required. The password for these users will also be indicated as 'Refer A.D.'.

SOFTWARE

McAfee 8.0i

Installation
1. Uninstall any other Virus Software
2. Insert the CD containing the McAfee installation files and navigate to the folder containing the file VSE80iLEN.zip
3. Double-click the above file to start WinZip (or similar compression software) and press [Use evaluation version]
4. Double-click the listed file [Setup.exe]
5. Remove the [Minimise during install] check mark and press [OK]
6. Extraction will commence
7. Then the recomposition process runs
8. And then the End User License Agreement window will be displayed.
9. Set the License Expiry Type as [Perpetual] and select the [I accept the license agreement] check box, press [OK]
10. Select [Typical] as the Setup Type, leave the Install To details as the default setting and press [Next]
11. And then [Install] to start the installation
12. The status of the installation will be displayed.
13. At the next window make sure that both options are unchecked
14. And press [Finish]

Share the Install Folder
1. Using Windows Explorer, navigate to the c:\Program Files\Network Associates\VirusScan folder
2. Right-click the [VirusScan] folder and select [Sharing and Security]
3. Share the folder as {mcafee}
4. Press [Permissions]
5. Give [Everyone] Full Control and press [OK]
6. Press the [Security] tab
7. Click the [Advanced] button
8. Remove the tick towards the bottom that Allows inherited permissions … etc and accept the warning by selecting [Yes]
9. Select [Remove] at the warning message
10. The administrator should be left in your list, give it [Full Control]
11. Add the [Staff Group] and the [Student Group] and give them all but full control (i.e. all boxes selected but the top one).
12. Press [OK]

Getting DAT File Updates
1. So that updated DAT files are downloaded automatically, some files need to be copied from the Admin server.
2. On the admin server, from the Y: drive (ntbatch on Adelu) and the [Patches] folder, copy the files OPSYS.bat, FTP.bat and FTP.exe to the mcafee directory on the curriculum server.
3. Then copy the two files, mcafee.bat and update.bat, to the shared folder, mcafee, on the curriculum server.
4. A couple of minor changes need to be made to the batch files. In the mcafee folder, right-click the mcafee.bat file and select [edit].
5. In the third and fourth lines, remove the two references to 'Y:\MCAFEE\sdat*.exe' so they read 'Y:\sdat*.exe'
6. Close and save the file.
7. Likewise, edit the file Update.bat and remove the '\patches' references.
8. Now double-click the [update.bat] file to start the latest dat download.
9. A DOS window will display the progress of the definition download.
10. The window will close when the download finishes. There should now be a new virus definition in the mcafee folder called sdat****.exe.
11. So that you don't have to manually check for downloads, the next step is to automate the process.

Define a Scheduled Download
1. So that the server always supplies clients with the latest DAT version, a regular download event needs to be scheduled.
2. From the [Start] [Control Panel] [Scheduled Tasks] select [Add Scheduled Task] to open the wizard.
3. Press [Next] and then [Browse]
4. Navigate to the shared mcafee folder and select [update.bat] and press [Open]
5. Highlight the option to perform this task [Daily]
6. Press [Next]
7. Set the run time to {4.00am} and change the option to perform this task only on [weekdays]
8. Press [Next]
9. Enter the network administrator {password} and then again to confirm it.
10. Press [Next] and then [Finish] to complete the setup process.
11. To check that the event will run correctly, navigate back to the [Scheduled Events] menu; your new event 'Update' should be listed. Right-click it and select [Run]
12. If everything was set up correctly, a DOS window should open and then minimise to the bottom status bar. Double-clicking this icon should display a window showing the download process you saw earlier when you copied over and tested the bat files.
13. Now, at 4am every weekday, the server will check with the DECS FTP site for the latest update.

Update the Server Definitions
1. The client machines will have their virus definitions updated when users log on, but the server may not get used regularly and the definitions may become critically out of date. To keep the latest definitions applied, a scheduled task needs to be set up to run the installation after the latest download has completed.
2. This setup process follows the same steps as described for the regular dat download. From the [Start] [Control Panel] [Scheduled Tasks] select [Add Scheduled Task] to open the wizard.
3. Press [Next] and then [Browse]
4. Navigate to the shared mcafee folder and select [mcafee.bat] and press [Open]
5. Highlight the option to perform this task [Daily]
6. Press [Next]
7. Set the run time to {6.00am} and change the option to perform this task only on [weekdays]
8. Press [Next]
9. Enter the network administrator {password} and then again to confirm it.
10. Press [Next] and then [Finish] to complete the setup process.
11. Now, at 6am every weekday, the server will run the batch file to keep its virus definitions updated. However, it is best to check that this will work correctly.
12. Before updating the definitions, check the current version on McAfee. Right-click the McAfee shield in the notification area and select [About]
13. The third line down will show the current definition version. Make a note of this.
14. Now navigate to the Scheduled Task menu and right-click the [McAfee] event in the list.
15. Select [Run] to start the definition update.
16. A DOS window will briefly appear advising that the definitions are being updated.
17. When this clears, right-click the McAfee shield again to see if the definition version has been updated.

DSADDlite

DSADDlite is a utility for creating user identities in Active Directory as described on page 47.

Note: This utility should be installed on a workstation but has been included in this document to complete the notes on page 47.

1. Download the free utility from www.davparkr7.sa.edu.au/support
2. Extract the zip file into a temporary folder on the workstation
3. From this temporary folder, run the file [setup.exe]
4. Press [OK] at the Welcome screen
5. Press the large button to begin the installation
6. Accept the default Program group and press [Continue]
7. Installation will take a couple of minutes.
8. If you are asked, do not overwrite any files with an older version.
9. Press [OK] to complete the installation.
10. DSADDlite can now be run from the [All Programs] menu

BACKUP REGIME

Normal Backup
1. Start the backup utility from the [Start] menu, then [Accessories] [System Tools] and [Backup]
2. Make sure there is a tick in the [Always start in wizard mode] box and press [Next]
3. Select the [Backup Wizard] button
4. Press [Next] at the Welcome to the Wizard window
5. Select [Backup selected files …] and press [Next]
6. You now need to identify the drives, folders and files that you want to backup.
7. As a guide you will probably want to backup:
    a. C:\windows\sysvol which has your logon and group policy scripts
    b. C:\System Volume Information
    c. Staff and student data drives
    d. Your intranet
    e. Any other critical data stored elsewhere on your network
8. Expand the drives containing your data to be backed up. In this case it is the C: drive but you may have partitioned your hard drive into one or more partitions for staff and student data.
9. Click each folder that you want backed up so that a blue check mark is shown next to the folder name.

Note – As you mark folders to be backed up, you may notice that others become marked with a shaded highlight. The difference between these two highlight methods is that the blue check mark indicates a full folder backup, whereas a shaded check mark indicates that only some data (or sub folders) will be included in the backup process.

10. Press [Next]
11. Select [File] as the backup type
12. Select a backup location. In this case, we are backing up to [F:] which is a LANShare drive
13. Enter a name for this backup job. We have used [Friday Backup] because this job will be run every Friday. The same task will be created for each of the other days of the week.
14. Press [Next]
15. Press the [Advanced] button on the wizard window
16. In our example, we have selected [Normal] as the backup type as the LANShare drive has enough space to do a Normal backup every day. This is by far the easiest backup to restore from as it backs up all the selected files, not just those that have changed since the last backup.
17. You may want to select another backup type
18. Press [Next]
19. Select [Verify data after backup]
20. Press [Next]
21. Select [Replace existing backups]
22. Press [Next]
23. Select [Later] for when to run the backup
24. Enter the same {backup name} as you used earlier in this process
25. Press the [Set Schedule] button
26. Enter [Weekly] as the schedule and then a {time} to run
27. Set it to run every [1] weeks on the [day] you require
28. Make sure you change the am to pm to avoid running the backup during school hours
29. Press [OK]
30. Enter the administrator {password} and then again to confirm it
31. Press [OK]
32. You may be asked to enter the administrator passwords again depending on your individual settings.
33. Press [Finish]
34. If you need to create additional backup tasks for each day of the week, do so now.
35. Close the backup window.

Restore a File from Backup
1. Start the backup utility from the [Start] menu, then [Accessories] [System Tools] and [Backup]
2. Select the [Restore Wizard] button
3. Press [Next] at the Welcome window
4. Expand out your backup media. In this case it is [File]
5. Select the backup file from which to restore
6. Keep expanding out the directories until you find the data you need to restore.
7. Make sure the data to be restored is identified with a blue tick.
8. Press [Next]
9. Press [Finish] to close the wizard and start the restore process
10. The backup file will be mounted
11. If you are asked to check the backup file location, press [Next] to continue the restore process
12. The restore of files will be continued with a completion summary being displayed at the end.
13. Press [Close] to close the window
14. Check that the files have been restored correctly.
15. Check also that the correct user permissions have been applied to this restored data.

PRINTERS

Install a Network Printer

1. Installing a network printer is very similar to installing it locally but generally it is shared using an IP address and accessed through the cabling network.
2. From the [Start] menu, select [Printers and Faxes]
3. Double-click [Add a printer]
4. Press [Next] at the Welcome window
5. Although this is a network printer, select [Local printer] as the installation method, making sure the option to [Automatically detect printers] is NOT selected.
6. Press [Next] and highlight [Create a new port]
7. Set the port type to [TCP/IP] and press [Next]
8. You will be presented with yet another welcome window, press [Next]
9. Into the top data entry box, type the {IP address} of your printer
10. The Port name will be completed automatically. Press [Next]
11. Set the Device Type to [Standard] (see note 15), press [Next]
12. Press [Finish] to complete the installation of the TCP/IP port and return to the installation of your printer.
13. Highlight both the [Manufacturer] and [Model] of your printer and press [Next]. If your printer is not listed, you will need to insert the appropriate driver disk and browse to the correct configuration files on the CD.
14. If a driver for this printer is already on the hard-drive you will be asked if you want to keep or replace the existing driver. Select [Keep] and press [Next]
15. Enter a {Name} (see note 16) for your printer, select [No, do not use this as the default printer] and press [Next]
16. Enter a {Share Name} and press [Next]
17. You will more than likely get a warning that this share name may not be accessible from some MS-DOS workstations because of the length or spaces, press [Yes]
18. Enter [Location] and [Comment] details as required for your situation.
19. Press [Next]
20. Select if you want this as the default printer or not, press [Next] and then [Finish] to clear the installation completed window.

Important – You should print both a portrait and landscape orientation document to test that the drivers are installed correctly for this printer. Do not always trust the automatically generated Test Page from the properties window.

Note – Now that you have installed a shared printer, if you open the Manage Your Server wizard, you will see that the Print Server has been installed automatically.

Note 15: In the initial installation you can set the Device Type to [Standard]; however, some printers require a custom configuration. If you are unsure, read the installation notes that came with the printer or contact the supplier for specific instructions.

Note 16: The printer name you enter here is the name that will be displayed if you open the Printers and Faxes window from the . It is also the name that is shown when users select a printer from within documents.

Load Printer Policy

By loading printer scripts using Group Policy, it is possible to load different scripts depending on the location of the workstation. This then means that the nearest printer can be set as the default printer.

1. In Active Directory, create Organisational Units for each logical group of computers
2. Move the computers from the Computers Organisational Unit into the respective containers that you have just created.
3. You now need to define a Group Policy for each of these OUs that will load the correct printer script. Details of how to create these printer scripts can be found on page 73.
4. Right-click the first computer OU that you created and select [Properties]
5. Select the [Group Policy] tab
6. Press [New] and name the policy to reflect the name of the OU you are working with, e.g. 'LibraryPrinter Policy'
7. Now press [Edit]
8. Under the headings [Computer Configuration] [Administrative templates] [System] [Group Policy], double-click [User group policy loopback processing mode]
9. Click [Enabled]
10. From the drop down list next to Mode in the bottom panel, select [Merge]
11. Now under [User Configuration] [Windows Settings], click on [Scripts (logon/logoff)]
12. In the right-hand panel you will see two headings, logon and logoff. Double-click [Logon]
13. The logon scripts you specify here do not run from the \\server\netlogon location but rather from an obscurely named folder created when you create the policy.
14. Press the [Show Files] button towards the bottom of the window.
15. This will open the folder created by Active Directory where the printer script you want to run needs to be stored.
16. Open a second Explorer Window and navigate to where you created the logon script for these computers and copy it into the folder created by Active Directory.
17. Close the window where you copied the script.
18. On the Logon Properties window, press [Add]
19. Press [Browse] and then select the script you just copied.
20. Press [Apply] and then [OK] to close the Logon Properties window
21. Close all Properties windows to return to the main Active Directory window.
22. Repeat this process for each printer OU you created.

Load Printer Script

This short script will load a printer in conjunction with a log on batch file or via Active Directory (refer page 72)

1. Using a text editor, enter the following script
2. Take care with the printer names, they must be exactly the same as the share name when created.

' PRINTER VBS SCRIPT
' Connect this workstation to each shared printer on the server
Dim net
Set net = CreateObject("WScript.Network")
' Each name after \\server\ must match the printer's share name exactly
net.AddWindowsPrinterConnection "\\server\Kyocera 3800"
net.AddWindowsPrinterConnection "\\server\HP LaserJet"
net.AddWindowsPrinterConnection "\\server\Kyocera 820"

3. This script will load the three printers with the first being the default printer
4. When complete save the file with a vbs extension (e.g. printer.vbs)
5. To call this script from your logon batch file, save the script in the \\server\netlogon folder and insert the following line into the batch file:

call \\server\netlogon\printer.vbs

SOLUTIONS

Registry Settings

Importing registry settings from the logon script will save a lot of time where a change has to be made to every computer. Generally you should be able to export the settings from a computer with the correct settings and then import them from a line in your logon script.

Don't be too adventurous with registry changes as you can destroy the system, and always EXPORT THE ENTIRE REGISTRY SETTINGS FIRST.

Export Internet Settings

If you need to point Internet Explorer to your intranet home page it can be difficult using Active Directory as it expects a valid internet address to start with http://www..... etc. It will not accept an IP or file address. The solution is as follows:

1. Set up a computer with Internet Explorer pointed to your intranet home page
2. Then from the [Start] [Run] command, enter [regedit] to display the Registry Editor
3. Highlight [My Computer] and then from the Edit menu, select [Find]
4. In the search box, enter part of the intranet path that is unique to the intranet location
5. Press [Find Next]
6. Be patient while the search is completed. There may be several results depending on your search criteria, press [F3] to continue the search if at first the result is not as expected.
7. If your search was successful, you should be positioned at the intranet home page when the search finishes.
8. The figure above has found the correct setting and now we need to export the data.
9. Highlight the heading [Internet Explorer] that contains all these individual settings
10. From the [File] menu, select [Export]
11. Navigate to your \\server\netlogon folder
12. Enter {internetExplorerSettings} as the file name and press [Save]
13. You should now have a file that looks like the one to the right.
14. Close the Registry Editor

Import Registry Settings

Intranet Settings
1. Into your logon batch files enter the following line. Change the name of the registry file to suit your file. You may also need to change the name of your server.

regedit -s \\server\netlogon\internetSettings.reg

2. The [-s] switch in the command line tells regedit to run in Silent mode.
3. By creating other regedit files, you can change many of the minor settings at logon. Some that are regularly used follow.

Combining Registry Settings
1. If you have a number of registry settings to import, you can condense them down to the essential data and combine them into one file as the following example shows.

Windows Registry Editor Version 5.00

; the semicolon denotes a remark line and is ignored by regedit!

; Internet home page
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="file://zues/intranet/index."

; Don't show hidden files and folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

; Turn the NUMLOCK on at login
[HKEY_CURRENT_USER\Control Panel\Keyboard]
"InitialKeyboardIndicators"="2"

; set default wallpaper
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\DTwallpaper.bmp"
"WallpaperStyle"="2"
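Because regedit -s imports a file without showing anything, it helps to list exactly what a combined file will set before it goes into the logon script. The reader below is an added example, not part of the original document: the function names are my own, it handles only the string and dword values used in the file above, and it flags keys outside HKEY_CURRENT_USER on the basis that a logon script runs with the rights of the user logging on.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# A value line is @=data or "name"=data; names may contain escaped characters.
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(text):
    """Turn \\\\ and \\" inside a quoted .reg string back into \\ and "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Return (settings, problems); settings holds (key, name, kind, value)."""
    lines = text.splitlines()
    settings, problems, key = [], [], None
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("line 1: header must be alone on the first line")
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or remark line
            continue
        if line.startswith("["):                  # key path
            if line.endswith("]"):
                key = line[1:-1]
            else:
                key = None
                problems.append("line %d: key path is not closed with ]" % number)
            continue
        match = VALUE.match(line)
        if match is None or key is None:
            problems.append("line %d: not a value under a key" % number)
            continue
        name, data = match.groups()
        name = "(Default)" if name == "@" else unescape(name[1:-1])
        if data.startswith("dword:"):
            try:
                settings.append((key, name, "dword", int(data[6:], 16)))
            except ValueError:
                problems.append("line %d: dword is not hexadecimal" % number)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            settings.append((key, name, "string", unescape(data[1:-1])))
        else:
            settings.append((key, name, "other", data))
    return settings, problems


def not_per_user(settings):
    """Keys outside HKEY_CURRENT_USER, which an ordinary user's logon
    script normally cannot write; a silent import gives no error for them."""
    return sorted({key for key, _, _, _ in settings
                   if not key.upper().startswith("HKEY_CURRENT_USER\\")})


# The combined file from the page, with each entry on its own line.
SAMPLE = r"""Windows Registry Editor Version 5.00

; Internet home page
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="file://zues/intranet/index."

; Don't show hidden files and folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

; Turn the NUMLOCK on at login
[HKEY_CURRENT_USER\Control Panel\Keyboard]
"InitialKeyboardIndicators"="2"

; set default wallpaper
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\DTwallpaper.bmp"
"WallpaperStyle"="2"
"""

if __name__ == "__main__":
    found, issues = parse_reg(SAMPLE)
    for key, name, kind, value in found:
        print("%s\n    %s (%s) = %r" % (key, name, kind, value))
    for issue in issues + not_per_user(found):
        print("CHECK:", issue)
```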


Map to Curriculum from Admin

There are often times when you need to share information between the Admin and Curriculum networks. Normally these two networks are completely separate but there is a small 'one-way' window available for admin computers to access curriculum shared resources. Curriculum MUST NOT be able to see any of the administration network resources.

For this to work, there are several factors that need to exist:

1. The Curriculum server needs to have an IP address that is in the xxx.xxx.xxx.48 – xxx.xxx.xxx.55 range
2. The resources to be accessed need to be shared with appropriate permissions granted.

If the above criteria have been met then you should be able to create a mapped connection between the two networks by:

1. Create and share the folder to be mapped on the curriculum network
2. In the admin network logon script add a line similar to the following:

net use q: \\x.x.x.x\share /user:curriculum.local\administrator password

3. Where:
    q: is the mapped drive letter
    x.x.x.x is the IP address of the server
    share is the name of the shared folder
    curriculum.local is the full name of your curriculum network
    administrator is the name of the curriculum user account with which to log on
    password is the password for this user
4. Log on to an Admin workstation and open My Computer
5. The curriculum shared folder should now be listed.
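A logon script is readable by every account that runs it, so the password on a net use line like the one in step 2 is stored in clear text for all of those users. The scan below is an added example (not part of the original document) that lists such lines in a batch file without echoing the password; the function names, the sample script and the 10.0.0.50 address are constructed, and treating only "administrator" as a privileged account name is an assumption to adjust for your site.

```python
import re

# "net use" at the start of a command line, optionally prefixed with @.
NET_USE = re.compile(r'^\s*@?\s*net(?:\.exe)?\s+use\s+(.*)$', re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')                 # keeps "quoted values" whole
DEVICE = re.compile(r'^(?:[a-z]:|lpt\d:|\*)$', re.IGNORECASE)
PRIVILEGED = {"administrator"}                     # assumption: extend as needed


def account_name(user):
    """Strip the domain from domain\\user or user@domain."""
    if "\\" in user:
        return user.rsplit("\\", 1)[1].lower()
    return user.split("@", 1)[0].lower()


def scan_script(text):
    """Return one finding per net use line that carries an inline password."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = NET_USE.match(line)
        if match is None:
            continue
        tokens = [t.strip('"') for t in TOKEN.findall(match.group(1))]
        switches = [t for t in tokens if t.startswith("/")]
        positional = [t for t in tokens if not t.startswith("/")]
        if positional and DEVICE.match(positional[0]):
            positional = positional[1:]            # drop the drive letter
        if not positional or not positional[0].startswith("\\\\"):
            continue                               # e.g. "net use q: /delete"
        share = positional[0]
        # Anything left after the share is the password; "*" means prompt.
        inline = [p for p in positional[1:] if p != "*"]
        if not inline:
            continue
        user = next((s[6:] for s in switches
                     if s.lower().startswith("/user:")), None)
        findings.append({
            "line": number,
            "share": share,
            "user": user,
            "privileged": user is not None
                          and account_name(user) in PRIVILEGED,
        })                                         # password left out on purpose
    return findings


# Constructed sample logon script; the password is a made-up value.
SAMPLE = r"""@echo off
rem constructed sample logon script
net use h: \\server\home\%username%
net use q: \\10.0.0.50\share /user:curriculum.local\administrator Passw0rd-Example
net use p: \\server\staff * /user:curriculum.local\jsmith
regedit -s \\server\netlogon\internetSettings.reg
"""

if __name__ == "__main__":
    for item in scan_script(SAMPLE):
        flag = " (privileged account)" if item["privileged"] else ""
        print("line %d: password stored for %s on %s%s"
              % (item["line"], item["user"], item["share"], flag))
```

Run it over each file in the logon script folder; a finding marked privileged is the case to deal with first, for example by mapping the drive with an account that has rights only to that share.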

Hiding a Shared Drive

If you do not want users to be able to navigate to a shared drive using a UNC path such as \\server\myshare or via Windows Explorer you can hide the folder by adding a dollar sign '$' to the end of the share name.

1. Right-click the folder to be shared
2. Select [Sharing and Security]
3. Select [Share this folder]
4. Enter a {share name$} with the $ sign at the end.
5. This folder will now not be available for browsing via the network

Install Extra Domain Controllers

Make sure you have read the notes on page 10 before continuing this installation.

1. Set up a second server with Windows 2003 Server following the notes earlier in this document but do not install Active Directory with the Manage Your Server wizard.
2. On the second server, click [Start] [Run] and enter {dcpromo} to start the Active Directory installation process.
3. Click [Next] at the welcome window
4. Press [Next] to accept the compatibility warning
5. Highlight the option to install an [Additional domain controller for an existing domain]
6. Press [Next]
7. Verify the installation by entering your {administrator} account name and {password}
8. Press [Next]
9. As you will probably only be working with the one domain, accept the default domain name and press [Next]
10. The next window lets you specify the location of the database and log files. It is possibly good practice to locate these on a second hard-drive or partition in case the system drive fails. For this exercise we will accept the default location; you may choose otherwise.
11. Press [Next]
12. As with the database location, accept the default location for your Shared System Volume information. Press [Next]
13. Enter and verify the {password} to be used to restore this data should it be needed. You may want to use the same password as your administrator account but be sure to RECORD YOUR PASSWORDS in case you (or your successor) need them later.
14. Press [Next]
15. Review the settings and if satisfied that they are correct, press [Next] to commence the replication process.
16. Depending on the size and speed of your network this may take a few minutes.
17. Once complete, press [Finish] and then [Restart] your second server.
18. You will have an exact copy of your Active Directory including policies, users and security groups on your second server. Changes you make in one will be mirrored in the other.

Remove a Domain Controller

The following process would be followed where you needed to remove a secondary domain controller after a server upgrade etc.

1. Log onto the domain controller to be removed with an administrator account. 2. Click [Start] [Run} and enter {dcpromo} to start the Active Directory installation process. 3. Click [Next] at the welcome window 4. Unless this is the LAST domain controller in your network, make sure there is NOT a tick in the check box against [This server is the last domain controller on the domain] 5. Press [Next] to accept the compatibility warning. 6. Enter and verify the {password} to be used by the administrator. This may very well be the existing password for this account. Be sure to RECORD THE PASSWORD if it is different. 7. Press [Next] 8. Check the settings you and entered and press [Next] 9. The wizard will reconfigure the Domain Controller function. 10. When complete, press [Finish] and then restart the server to finalise the process.

If you intend to remove this server from the network, make sure that you:

• Copy all data to a network location • Share these copied folders as required • Apply appropriate access permissions to these folders • Make sure the permissions have propagated to the sun folders and files.


Imaging with Ghost

Prepare the Workstation

Before you create the image, set up a workstation with all the software, updates and patches and with the desktop as it will be for users. Once you are happy that the machine is complete you can create the image ready to be sent to the other 'like' computers.

Ghost 8.2 is used for this example; your situation might vary.

Install Ghost

Install Ghost on a computer that will act as your Ghost server. It does not have to be on your network server. In fact, it may be less disruptive to your network if it is NOT on your Domain or File server.

Create the Boot Disks

A two disk DOS boot disk set is going to be needed so that you can create your workstation image. The first disk is the network boot disk and the second contains a DOS version of the Ghost console. And whilst it is perfectly acceptable to create a set of boot disks for each computer model you have in the school, it is much easier to use a universal boot disk that can be used to boot all your computers.

The Universal Boot Disk (Disk 1)

1. Go to www.netbootdisk.com to download the latest Universal Boot Disk zip file to a local folder on a Windows XP computer. The boot disk creation will not work properly on anything other than Windows XP!
2. Extract the contents of the Zip file into the same local folder.
3. Insert a new floppy disk into the drive.
4. Open My Computer and right-click [3½ Floppy A:].
5. Select [Format] from the pop up menu.
6. On the Format window, highlight [Create an MS-DOS startup disk].
7. Make sure the write protect tab is closed, press [Start].
8. When the format finishes, press [Close].
9. Navigate to the folder where you extracted the Universal Boot Disk files.
10. Double-click the [MakeDisk.bat] file.
11. Make sure the disk you just formatted is in drive A: and press [any key].
12. If you get any error messages, you will need to format the disk again as space is critical for all the files to fit on the floppy disk. You should get an initial message: Windows XP startup disk found!
13. The creation process will take a couple of minutes and then the command window will close.
14. Remove the disk and label it as {Universal Boot Disk}.
15. Open the write protect tab so that the disk does not become corrupted during use. You may also want to make several copies for use during ghosting.


The Ghost Disk (Disk 2)

1. The disk containing ghost.exe is the second disk in your set.
2. Format a floppy disk and place it in the A: drive.
3. Copy [ghost.exe] from c:\program files\symantec\ghost (or your differing location) to the floppy disk.

Create the Image

To image a group of computers, first set one computer up exactly as you want all your computers of that type to be, then save that image to the server using the following steps. This is a multi-stage process; these notes cover the creation and casting of an image using Ghost 7.5/8.2, which for this process are essentially the same.

At the Ghost server

1. Start [Ghostcast] on the server.
2. From the Ghost menu, type a {Session Name} (e.g. H) and select [Create Image].

3. Click [Browse] and navigate to where you want to store your images and either select an image to overwrite or type in a new image name {RALPH050920}.

4. Click [Accept Clients]. The server will now wait until it 'sees' a client ready to send an image.


On the client

1. Make sure the computer is connected to the network by cable (this process will not work using a wireless connection as there are not any DOS drivers for wireless) and is turned off.
2. Put the Universal Boot Disk into the floppy drive and turn the computer on.
3. After a short while a window will display showing the network card name.
4. If it says "Auto Detected", press [Esc], otherwise if it says "Last used" you must press any key and then manually select the network card from the available list. At the initial screen, select the first option and press [Enter]. When the card is selected, press [Esc] to continue the process.
5. After DHCP is configured, you will be dropped back at the command prompt.
6. Replace the disk in drive A: with the one with Ghost.exe on it and type a:ghost\ghost.exe or the path to the file if it differs on your disk.
7. Once the DOS system has loaded, press [OK] at the About Symantec Ghost screen.
8. From the menu, select [GhostCast] and [Multicast].

9. Enter the {Session} name you created (e.g. H).


10. Leave the Discovery Method as [Automatic] and press [OK].
11. Select the drive (if there is more than one) and press [OK].

12. Select an Image Compression ratio of [Fast].

13. Data transfer will commence with progress being shown on the client and on the server.

14. When transfer is complete, press [Continue].
15. Press [Yes] to confirm that you want to quit.
16. Reboot the workstation.

Back on the Ghost Server

1. Press [OK] to clear the Transfer Complete message and close the Symantec GhostCast Server.


Broadcast the Image

Broadcasting the image is very similar to creating the image, only in reverse.

On the Server

1. On your Ghost server, start [Ghostcast Server] from the [Start] menu.
2. Enter a session name of {h}. The session name can be anything but single letter names are easy to remember.
3. Select the [Restore image] option.
4. Using the Browse button, select a location and enter a {name} for the image.
5. Press the [More Options] button.
6. Enter the number of clients you will be imaging into the [Client Count] area. This setting is not mandatory but it does save you going back to the server to press the Send button when all the clients are connected. With this setting, when the Client Count is reached, the server starts transmitting.
7. Now press the [Accept clients] button.
8. Your screen should now look similar to the one below.

9. The server will now wait until it is contacted by a client.

On the workstation

1. Insert the Universal Boot Disk as you did when you created the image.
2. When you have been returned to the N: prompt, insert the second disk and run ghost.exe.
3. Once the DOS system has loaded, press [OK] at the About Symantec Ghost screen if it is presented.

4. From the menu, select [GhostCast] and then [Multicast]. If your mouse does not work, use the arrow, Tab and Enter keys to navigate and select from the menu.


5. Enter the {Session} name you created at the server (e.g. g).

6. Leave the Discovery Method as [Automatic] and press [OK].
7. Select the drive (if there is more than one) and press [OK].

8. Press [OK] to confirm the destination drive details.


9. Press [Yes] to accept the restore process.

10. Repeat this process for each workstation that you want to re-image.
11. Once you have connected the number of workstations nominated in the Client Count area on the Ghostcast server, the broadcast will commence. If you did not set this option, you will need to return to the server and press the [Send] button.

On the Ghostcast Server

1. The computer (or computers) that are to receive the image will now be listed in the lower portion of the Ghostcast server.

2. When all computers are listed or you press [Send], data transfer will commence with progress being shown on the client and on the server.


On the workstation

1. When transfer is complete, on the workstation or workstations, remove any floppy disks and press [Reset Computer].

2. If you imaged multiple computers, you will need to change their computer names, as they will all have the same name as the original image, which will cause networking issues.
3. When the clients have rebooted, log on as [Administrator].
4. Right-click [My Computer] and select [Properties].
5. Select the [Computer Name] tab and then the [Change] button.
6. Enter the new Computer Name.
7. Remove the {.local} after the Domain name so that only the word {curriculum} remains.
8. Press [OK].
9. Enter {administrator} as the user and the appropriate {password}.
10. Press [OK].
11. After a few moments you should be advised of the completion of the name change.
12. Reboot the workstation.

On the server

1. Press [OK] to clear the Transfer Complete message and close the Symantec GhostCast Server.


REFERENCE

Complete Group Policy Listing

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Passwords must meet complexity requirements
• Store password using reversible encryption

Only set these if you are forcing a change of password policy and even then, policy will differ between staff and students.

Note - By default, Windows Server 2003 will install using complex passwords that must meet complexity and character requirements. This is often too complex for school users; change these options to introduce simpler password rules.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
• Audit account logon events¹⁷
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events

¹⁷ The Audit Policies allow you to monitor who is accessing which files and folders and if their attempts are successful or not. This can be useful if you suspect that students are trying to hack the network.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
• Access this computer from the network
• Act as part of the operating system
• Add workstations to domain
• Back up files and directories
• Bypass traverse checking
• Change the system time
• Create a page file
• Create a token object
• Create global objects
• Create permanent shared objects
• Debug programs
• Deny access to this computer from the network
• Deny logon as a batch job
• Deny logon as a service
• Deny logon locally
• Enable computer and user accounts to be trust.
• Force shutdown from a remote system
• Generate security audits
• Impersonate a client after authentication
• Increase quotas
• Increase scheduling priority
• Load and unload device drivers
• Lock pages in memory
• Log on as a batch job
• Log on as a service
• Log on locally
• Manage auditing and security log
• Modify firmware environment values
• Profile single process
• Profile system performance
• Remove computer from docking station
• Replace a process level token
• Restore files and directories
• Shut down the system
• Synchronize directory service data
• Take ownership of files or other objects

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
• Accounts: Administrator account status
• Accounts: Guest account status
• Accounts: Limit local account use of blank pass.
• Accounts: Rename administrator account
• Accounts: Rename guest account
• Audit: Audit the access of global system objects
• Audit: Audit the use of privilege
• Audit: Shut down system immediately if.
• Devices: Allow undock without having to log on
• Devices: Allowed to format and eject removable
• Devices: Prevent users from installing printer
• Devices: Restrict CD-ROM access to locally log.
• Devices: Restrict floppy access to locally logged.
• Devices: Unsigned driver installation behaviour
• Domain controller: Allow server operators to tasks
• Domain controller: LDAP server signing requirements
• Domain controller: Refuse machine account pass
• Domain member: Digitally encrypt or sign secure
• Domain member: Digitally encrypt secure channel
• Domain member: Digitally sign secure channel
• Domain member: Disable machine account
• Domain member: Maximum machine account
• Domain member: Require strong session key
• Interactive logon: Do not display last user name¹⁸
• Interactive logon: Do not require CTRL+ALT+DEL¹⁹
• Interactive logon: Message text for users attempt²⁰
• Interactive logon: Message title for users attempt
• Interactive logon: Number of previous logons to remember
• Interactive logon: Prompt user to change p/wd
• Interactive logon: Require Domain Controller
• Interactive logon: Require smart card
• Interactive logon: Smart card removal behaviour
• Microsoft network client: Digitally sign comms
• Microsoft network client: Digitally sign comms
• Microsoft network client: Send unencrypted p/wd
• Microsoft network server: Amount of idle time
• Microsoft network server: Digitally sign comm
• Microsoft network server: Digitally sign comm.
• Microsoft network server: Disconnect clients when
• Network access: Allow anonymous SID/Name
• Network access: Do not allow anonymous
• Network access: Do not allow storage of Passports
• Network access: Let Everyone permissions
• Network access: Named Pipes that can be
• Network access: Remotely accessible registry
• Network access: Remotely accessible registry
• Network access: Restrict anonymous access to
• Network access: Shares that can be accessed
• Network access: Sharing and security model for
• Network security: Do not store LAN Manager hash
• Network security: Force logoff when logon hours
• Network security: LAN Manager authentication
• Network security: LDAP client signing requiremen
• Network security: Minimum session security for
• Network security: Minimum session security for
• : Allow automatic administrative
• Recovery console: Allow floppy copy and access
• Shutdown: Allow system to be shut down without
• Shutdown: Clear virtual memory pagefile
• System cryptography: Force strong key
• System cryptography: Use FIPS compliant algorithms for encryption,
• System objects: Default owner for objects created by members of
• System objects: Require case insensitivity for non-Windows
• System objects: Strengthen default permissions of internal system
• System settings: Optional subsystems
• System settings: Use Certificate Rules on Windows Executables

¹⁸ Not displaying the last user's logon name is useful in restricting students' attempts to guess passwords.
¹⁹ Some sites disable this requirement to make it easier for 'small fingers' to log on.
²⁰ Combine this and the next option to present a welcome message or network policy information to users when they attempt to log on.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Event Log
• Maximum application log size
• Maximum security log size
• Maximum system log size
• Prevent local guests group from accessing application log
• Prevent local guests group from accessing security log
• Prevent local guests group from accessing system log
• Retain application log
• Retain security log
• Retain system log
• Retention method for application log
• Retention method for security log
• Retention method for system log

Computer Configuration\Administrative Templates\Windows Components\Net Meeting
• Disable remote Desktop Sharing

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
• Security Zones: Use only machine settings
• Security Zones: Do not allow users to change policies
• Security Zones: Do not allow users to add/delete sites
• Make proxy settings per-machine (rather than per-user)
• Disable Automatic Install of Internet Explorer components
• Disable Periodic Check for Internet Explorer software updates
• Disable software update shell notifications on program launch
• Disable showing the splash screen

Computer Configuration\Administrative Templates\Windows Components\Application Compatibility
• Turn Off Application Compatibility Engine
• Turn Off Program Compatibility Wizard
• Remove Program Compatibility Property Page
• Turn On Application Help Log Events
• Prevent access to 16-bit applications

Computer Configuration\Administrative Templates\Windows Components\Internet Information Services
• Prevent IIS installation


Computer Configuration\Administrative Templates\Windows Components\Task Scheduler
• Hide Property Pages
• Prevent Task Run or End
• Prohibit Drag-and-Drop
• Prohibit New Task Creation
• Prohibit Task Deletion
• Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
• Prohibit Browse

Computer Configuration\Administrative Templates\Windows Components\Terminal Services
• Keep-Alive Connections
• Automatic reconnection
• Restrict Terminal Services users to a single remote session
• Enforce Removal of Remote Desktop Wallpaper
• Deny log off of an administrator logged in to the console session
• Limit number of connections
• Limit maximum colour depth
• Allow users to connect remotely using Terminal Services
• Do not allow local administrators to customize permissions
• Remove Windows Security item from Start menu
• Remove Disconnect option from Shut Down dialog
• Set path for TS Roaming Profiles
• TS User Home Directory
• Sets rules for remote control of Terminal Services user sessions
• Start a program on connection

Computer Configuration\Administrative Templates\Windows Components\Terminal Services
• Client-Server Data Redirection
• Allow Time Zone Redirection
• Do not allow clipboard redirection
• Do not allow smart card device redirection
• Allow audio redirection
• Do not allow COM port redirection
• Do not allow client printer redirection
• Do not allow LPT port redirection
• Do not allow drive redirection
• Do not set default client printer to be default printer in a session

Computer Configuration\Administrative Templates\Windows Components\Terminal Services
• Encryption and Security
• Always prompt client for password upon connection
• Set client connection encryption level

Computer Configuration\Administrative Templates\Windows Components\Terminal Services
• Licensing
• License Server Security Group
• Prevent License Upgrade

Computer Configuration\Administrative Templates\Windows Components\Terminal Services
• Temporary Folders
• Do not use temp folders per session
• Do not delete temp folder upon exit

Computer Configuration\Administrative Templates\Windows Components\Terminal Services
• Session Directory
• Terminal Server IP Address Redirection
• Join Session Directory
• Session Directory Server
• Session Directory Cluster Name


Computer Configuration\Administrative Templates\Windows Components\Terminal Services
• Sessions
• Set time limit for disconnected sessions
• Sets a time limit for active Terminal Services sessions
• Sets a time limit for active but idle Terminal Services sessions
• Allow reconnection from original client only
• Terminate session when time limits are reached

Computer Configuration\Administrative Templates\Windows Components\Windows Installer
• Disable Windows Installer²¹
• Always install with elevated privileges
• Prohibit rollback
• Remove browse dialog box for new source
• Prohibit patching
• Disable IE security prompt for Windows Installer scripts
• Enable user control over installs
• Enable user to use media source while elevated
• Enable user to patch elevated products
• Allow admin to install from Terminal Services session
• Cache transforms in secure location on workstation
• Logging
• Prohibit User Installs
• Turn off creation of Checkpoints

Computer Configuration\Administrative Templates\Windows Components\Windows Messenger
• Do not allow Windows Messenger to be run²²
• Do not automatically start Windows Messenger initially

²¹ Setting this option can help prevent installation of unauthorised software.
²² Use this and the following option to stop Windows Messenger from starting at logon or from being used to message across the network.

Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Management
• Prevent Windows Media DRM Internet Access

Computer Configuration\Administrative Templates\Windows Components\
• Do Not Show First Use Dialog Boxes
• Prevent Desktop Shortcut Creation
• Prevent Quick Launch Toolbar Shortcut Creation
• Prevent Automatic Updates
• Prevent Video Smoothing

Computer Configuration\Administrative Templates\Windows Components\
• Configure Automatic Updates
• Specify intranet Microsoft update service location
• Reschedule Automatic Updates scheduled installations
• No auto-restart for scheduled Automatic Updates installations

Computer Configuration\Administrative Templates\System
• Restrict potentially unsafe HTML Help functions to specified folders
• Do not display Manage Your Server page at logon
• Display Shutdown Event Tracker
• Activate Shutdown Event Tracker System State Data feature
• Enable Persistent Time Stamp
• Specify Windows installation file location
• Specify Pack installation file location
• Remove Boot / Shutdown / Logon / Logoff status messages
• Verbose vs normal status messages
• Restrict these programs from being launched from Help
• Turn off
• Do not automatically encrypt files moved to encrypted folders
• Download missing COM components
• Allow Distributed Link Tracking clients to use domain resources

Computer Configuration\Administrative Templates\System\User Profiles
• Do not check for user ownership of Roaming Profile Folders
• Delete cached copies of roaming profiles
• Do not detect slow network connections
• Slow network connection timeout for user profiles
• Wait for remote user profile
• Prompt user when slow link is detected
• Timeout for dialog boxes
• Log users off when roaming profile fails
• Maximum retries to unload and update user profile
• Add the Administrators security group to roaming user profiles
• Prevent Roaming Profile changes from propagating to the server
• Only allow local user profiles

Computer Configuration\Administrative Templates\System\Scripts
• Run logon scripts synchronously
• Run startup scripts asynchronously
• Run startup scripts visible
• Run shutdown scripts visible
• Maximum wait time for Group Policy scripts

Computer Configuration\Administrative Templates\System\Logon
• Don't display the Getting Started welcome screen at logon
• Always use classic logon
• Run these programs at user logon
• Do not process the run once list
• Do not process the legacy run list
• Always wait for the network at computer startup and logon

Computer Configuration\Administrative Templates\System\Disk Quota
• Enable disk quotas
• Enforce disk quota limit
• Default quota limit and warning level
• Log event when quota limit exceeded
• Log event when quota warning level exceeded
• Apply policy to removable media

Computer Configuration\Administrative Templates\System\Net Logon
• Expected dial-up delay on logon
• Site Name
• Negative DC Discovery Cache Setting
• Initial DC Discovery Retry Setting for Background Callers
• Maximum DC Discovery Retry Interval Setting for Background Callers
• Final DC Discovery Retry Setting for Background Callers
• Positive Periodic DC Cache Refresh for Background Callers
• Positive Periodic DC Cache Refresh for Non-Background Callers
• Scavenge Interval
• Contact PDC on logon failure
• Log File Debug Output Level
• Maximum Log File Size
• SYSVOL share compatibility
• Netlogon share compatibility

Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records
• Dynamic Registration of the DC Locator DNS Records
• DC Locator DNS records not registered by the DCs
• Refresh Interval of the DC Locator DNS Records
• Weight Set in the DC Locator DNS SRV Records
• Priority Set in the DC Locator DNS SRV Records
• TTL Set in the DC Locator DNS Records
• Automated Site Coverage by the DC Locator DNS SRV Records
• Sites Covered by the DC Locator DNS SRV Records
• Sites Covered by the GC Locator DNS SRV Records
• Sites Covered by the Application Directory Partition Locator
• Location of the DCs hosting a domain with single label DNS name

Computer Configuration\Administrative Templates\System\Group Policy
• Turn off background refresh of Group Policy
• Group Policy refresh interval for computers
• Group Policy refresh interval for domain controllers
• User Group Policy loopback processing mode
• Allow Cross-Forest User Policy and Roaming User Profiles
• Group Policy slow link detection
• Turn off Resultant Set of Policy logging
• Remove users ability to invoke machine policy refresh
• Disallow Interactive Users from generating Resultant Set of Policy data
• Registry policy processing
• Internet Explorer Maintenance policy processing
• Software Installation policy processing
• Folder Redirection policy processing
• Scripts policy processing
• Security policy processing
• IP Security policy processing
• Wireless policy processing
• EFS recovery policy processing
• Disk Quota policy processing
• Always use local ADM files for Group Policy Object Editor

Computer Configuration\Administrative Templates\System\Remote Assistance
• Solicited Remote Assistance
• Offer Remote Assistance

Computer Configuration\Administrative Templates\System\System Restore
• Turn off System Restore
• Turn off Configuration

Computer Configuration\Administrative Templates\System\Error Reporting
• Display Error Notification
• Report Errors

Computer Configuration\Administrative Templates\System\Error Reporting Advanced Error Reporting Settings
• Default application reporting settings
• List of applications to always report errors for
• List of applications to never report errors for
• Report operating system errors
• Report unplanned shutdown events

Computer Configuration\Administrative Templates\System\
• Set Windows File Protection scanning
• Hide the file scan progress window
• Limit Windows File Protection cache size
• Specify Windows File Protection cache location

Computer Configuration\Administrative Templates\System\Remote Procedure Call
• RPC Troubleshooting State Information
• Propagation of extended error information
• Ignore Delegation Failure
• Minimum Idle Connection Timeout for RPC/HTTP connections

Computer Configuration\Administrative Templates\System\Windows Time Service
• Global Configuration Settings


Computer Configuration\Administrative Templates\System\Windows Time Providers\Time Providers
• Enable Windows NTP Client
• Configure Windows NTP Client
• Enable Windows NTP Server

Computer Configuration\Administrative Templates\System\Network
• Background Intelligent Transfer Service (BITS) inactive job timeout
• Sets how often a DFS Client discovers DC's

Computer Configuration\Administrative Templates\System\Network\DNS Client
• Primary DNS Suffix
• Dynamic Update
• DNS Suffix Search List
• Primary DNS Suffix Devolution
• Register PTR Records
• Registration Refresh Interval
• Replace Addresses In Conflicts
• DNS Servers
• Connection-Specific DNS Suffix
• Register DNS records with connection-specific DNS suffix
• TTL Set in the A and PTR records
• Update Security Level
• Update Top Level Domain Zones

Computer Configuration\Administrative Templates\System\Network\Offline Files
• Allow or Disallow use of the Offline Files feature²³
• Prohibit user configuration of Offline Files
• Synchronize all offline files when logging on
• Synchronize all offline files before logging off
• Synchronize offline files before suspend
• Default cache size
• Action on server disconnect
• Non-default server disconnect actions
• Remove 'Make Available Offline'
• Prevent use of Offline Files folder
• Files not cached
• Administratively assigned offline files
• Turn off reminder balloons²⁴
• Reminder balloon frequency
• Initial reminder balloon lifetime
• Reminder balloon lifetime
• At logoff, delete local copy of user's offline files
• Event logging level
• Subfolders always available offline
• Encrypt the Offline Files cache
• Prohibit 'Make Available Offline' for these file and folders
• Configure Slow link speed

²³ Refer to page Error! Bookmark not defined. for a complete guide to setting these options.
²⁴ Disable these to stop those annoying reminder messages from being displayed.

Computer Configuration\Administrative Templates\System\Network\Network Connections
• Prohibit use of Internet Connection Sharing on your DNS domain network
• Prohibit use of Internet Connection Firewall on your DNS domain network
• Prohibit installation and configuration of Network Bridge on your DNS
• IEEE 802.1x Certificate Authority for Machine Authentication

Computer Configuration\Administrative Templates\System\Network\QOS Packet Scheduler
• Limit reservable bandwidth
• Limit outstanding packets
• Set timer resolution


Computer Configuration\Administrative Templates\System\Network\QOS Packet Scheduler\DSCP Value of Conforming Packets
• Best effort service type
• Controlled load service type
• Guaranteed service type
• Network control service type
• Qualitative service type

Computer Configuration\Administrative Templates\System\Network\QOS Packet Scheduler\DSCP Value of Non-Conforming Packets
• Best effort service type
• Controlled load service type
• Guaranteed service type
• Network control service type
• Qualitative service type

Computer Configuration\Administrative Templates\System\Network\QOS Packet Scheduler\Layer-2 Priority Value
• Non-conforming packets
• Best effort service type
• Controlled load service type
• Guaranteed service type
• Network control service type
• Qualitative service type

Computer Configuration\Administrative Templates\System\Network\SNMP
• Communities
• Permitted Managers
• Traps for public community

Computer Configuration\Administrative Templates\System\Printers
• Allow printers to be published
• Allow pruning of published printers
• Automatically publish new printers in Active Directory
• Check published state
• Computer location
• Custom support URL in the Printers folder's left pane
• Directory pruning interval
• Directory pruning priority
• Directory pruning retry
• Disallow installation of printers using kernel-mode drivers
• Log directory pruning retry events
• Pre-populate printer search location text
• Printer browsing
• Prune printers that are not automatically republished
• Allow Print Spooler to accept client connections
• Web-based printing

User Configuration\Windows Settings\Folder Redirection
• Application Data²⁵
• Desktop
• My Documents²⁶
• Start Menu

²⁵ Creating a shared folder on the server to store user application data will remove it from users' home folders.
²⁶ Refer to page 35 for a full description on setting this policy.

User Configuration\Windows Settings\Internet Explorer Maintenance\Browser User Interface
• Browser Title
• Custom Logo
• Browser Toolbar Customisations


User Configuration\Windows Settings\Internet Explorer Maintenance\Connection • Connection Settings27 • Automatic Browser Settings • Proxy Settings • User Agent String

User Configuration\Windows Settings\Internet Explorer Maintenance\URL‘s • Favourites and links • Important URL‘s

User Configuration\Windows Settings\Internet Explorer Maintenance\Security • Security Zones and Content • Authentication Settings

User Configuration\Windows Settings\Internet Explorer Maintenance\Programs • Programs

User Configuration\Administrative Templates\Windows Components\Netmeeting • Enable Automatic Configuration • Disable Directory services • Prevent adding Directory servers • Prevent viewing Web directory • Set the intranet support Web page • Set Call Security options • Prevent changing Call placement method • Prevent automatic acceptance of Calls • Allow persisting automatic acceptance of Calls • Prevent sending files • Prevent receiving files • Limit the size of sent files • Disable Chat • Disable NetMeeting 2.x Whiteboard • Disable Whiteboard

User Configuration\Administrative Templates\Windows Components\Netmeeting\Application Sharing • Disable application Sharing • Prevent Sharing • Prevent Desktop Sharing • Prevent Sharing Command Prompts • Prevent Sharing Explorer windows • Prevent Control • Prevent Application Sharing in true colour

User Configuration\Administrative Templates\Windows Components\Netmeeting\Audio & Video • Limit the bandwidth of Audio and Video • Disable Audio • Disable full duplex Audio • Prevent changing DirectSound Audio setting • Prevent sending Video • Prevent receiving Video

User Configuration\Administrative Templates\Windows Components\Netmeeting\Options Page • Hide the General page • Disable the Advanced Calling button • Hide the Security page • Hide the Audio page • Hide the Video page

[27] Refer to page 34 for help on setting this option.

User Configuration\Administrative Templates\Internet Explorer • Search: Disable Search Customization • Search: Disable Find Files via F3 within the browser • Disable external branding of Internet Explorer • Disable importing and exporting of favourites • Disable changing Advanced page settings • Disable changing home page settings • Use Automatic Detection for dial-up connections • Disable caching of Auto-Proxy scripts • Display error message on proxy script download failure • Disable changing settings • Disable changing history settings • Disable changing colour settings • Disable changing link colour settings • Disable changing font settings • Disable changing language settings • Disable changing accessibility settings • Disable Internet Connection wizard • Disable changing connection settings • Disable changing proxy settings • Disable changing Automatic Configuration settings • Disable changing ratings settings • Disable changing certificate settings • Disable changing Profile Assistant settings • Disable AutoComplete for forms • Do not allow AutoComplete to save passwords • Disable changing Messaging settings • Disable changing Calendar and Contact settings • Disable the Reset Web Settings feature • Disable changing default browser check • Identity Manager: Prevent users from using Identities • Configure • Configure Media Explorer Bar

User Configuration\Administrative Templates\Internet Explorer\Internet Control Panel • Disable the General page [28] • Disable the Security page • Disable the Content page • Disable the Connections page • Disable the Programs page • Disable the Privacy page • Disable the Advanced page

User Configuration\Administrative Templates\Internet Explorer\Offline Pages • Disable adding channels • Disable removing channels • Disable adding schedules for offline pages • Disable editing schedules for offline pages • Disable removing schedules for offline pages • Disable offline page hit logging • Disable all scheduled offline pages • Disable channel user interface completely • Disable downloading of site subscription content • Disable editing and creating of schedule groups • Subscription Limits

User Configuration\Administrative Templates\Internet Explorer\Browser Menus • File menu: Disable Save As... menu option • File menu: Disable New menu option • File menu: Disable Open menu option • File menu: Disable Save As Web Page Complete

[28] Hiding some of the Control Panel tabs is an effective way to stop users changing critical system or desktop display settings. Make sure you do not inhibit access to the volume settings, as these are often used by staff and students.

• File menu: Disable closing the browser and Explorer windows • View menu: Disable Source menu option • View menu: Disable Full Screen menu option • Hide Favourites menu • Tools menu: Disable Internet Options... menu option • Help menu: Remove 'Tip of the Day' menu option • Help menu: Remove 'For Netscape Users' menu option • Help menu: Remove 'Tour' menu option • Help menu: Remove 'Send Feedback' menu option • Disable Context menu • Disable Open in New Window menu option • Disable Save this program to disk option

User Configuration\Administrative Templates\Internet Explorer\Toolbars • Disable customizing browser toolbar buttons • Disable customizing browser toolbars • Configure Toolbar Buttons

User Configuration\Administrative Templates\Internet Explorer\Persistence Behavior • File size limits for Local Machine zone • File size limits for Intranet zone • File size limits for Trusted Sites zone • File size limits for Internet zone • File size limits for Restricted Sites zone

User Configuration\Administrative Templates\Internet Explorer\Administrator Approved Controls • Media Player • Menu Controls • Microsoft Agent • Microsoft Chat • Microsoft Survey Control • Shockwave Flash • NetShow File Transfer Control • DHTML Edit Control • Microsoft Scriptlet Component • Carpoint • Investor • MSNBC

User Configuration\Administrative Templates\Application Compatibility • Prevent access to 16-bit applications

User Configuration\Administrative Templates\Help and Support Centre • Do not allow "Did you know" content to appear

User Configuration\Administrative Templates\Windows Explorer • Turn on Classic Shell • Removes the Folder Options menu item from the Tools menu • Remove File menu from Windows Explorer • Remove "Map Network Drive" and "Disconnect Network Drive" [29] • Remove Search button from Windows Explorer • Remove Windows Explorer's default context menu • Hides the Manage item on the Windows Explorer context menu • Allow only per user or approved shell extensions • Do not track Shell shortcuts during roaming • Hide these specified drives in My Computer [30] • Prevent access to drives from My Computer • Remove Hardware tab • Remove DFS tab • Remove Security tab

[29] Use this option together with 'No Computers Near Me' and 'No Entire Network' to turn off network browsing and restrict user access to resources.
[30] Configure this and the next option to stop access to the workstation C: drive.

• Remove UI to change menu animation setting • Remove UI to change keyboard navigation indicator setting • No "Computers Near Me" in My Network Places • No "Entire Network" in My Network Places • Maximum number of recent documents • Do not request alternate credentials • Request credentials for network installations • Remove CD Burning features • Do not move deleted files to the Recycle Bin • Display confirmation dialog when deleting files • Maximum allowed Recycle Bin size • Remove Shared Documents from My Computer • Turn off caching of thumbnail pictures • Turn off Windows+X hotkeys [31] • Remove Publish to Web from File and Folder Tasks • Prevent Internet download for Web Publishing and Online Ordering • Remove Order Prints from Picture Tasks

User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog • Items displayed in Places Bar • Hide the common dialog places bar • Hide the common dialog back button • Hide the dropdown list of recent files

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console • Restrict the user from entering author mode • Restrict users to the explicitly permitted list of snap-ins

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted-Permitted Snap-Ins • Active Directory Users and Computers • Active Directory Domains and Trusts • Active Directory Sites and Services • ADSI Edit • ActiveX Control • Certificates • Certification Authority • Certificate Templates • Wireless Monitor • Component Services • Computer Management • • Disk Management • Disk Defragmenter • Distributed File System • Event Viewer • FAX Service • FrontPage Server Extensions • • .Net Framework Configuration • Internet Authentication Service (IAS) • Internet Information Services • IP Security Policy Management • IP Security Monitor • Link to Web Address • Local Users and Groups • Performance Logs and Alerts • QoS Admission Control • Remote Desktops • Removable Storage Management • Routing and Remote Access

[31] Turning off the hot-keys can both restrict and frustrate users, so set this option with care.

• Security Configuration and Analysis • Security Templates • Services • Shared Folders • System Information • Telephony • Terminal Services Configuration • WMI Control

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted-Permitted Snap-Ins\Extension Snap-Ins • AppleTalk Routing • Authorization Manager • Certification Authority Policy Settings • Connection Sharing (NAT) • DCOM Configuration Extension • Device Manager • DHCP Relay Management • Event Viewer • Extended View (Web View) • IAS Logging • IGMP Routing • IP Routing • IPX RIP Routing • IPX Routing • IPX SAP Routing • Logical and Mapped Drives • OSPF Routing • Public Key Policies • RAS Dialin - User Node • Remote Access • Removable Storage • RIP Routing • Routing • Shared Folders Ext • Send Console Message • Service Dependencies • SMTP Protocol • SNMP • System Properties

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted-Permitted Snap-Ins\Group Policy • Group Policy Management • Group Policy Object Editor • Group Policy tab for Active Directory Tools • Resultant Set of Policy snap-in

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted-Permitted Snap-Ins\Group Policy\Group Policy Snap-In Extensions • Administrative Templates (Computers) • Administrative Templates (Users) • Folder Redirection • Internet Explorer Maintenance • Remote Installation Services • Scripts (Logon/Logoff) • Scripts (Startup/Shutdown) • Security Settings • Software Installation (Computers) • Software Installation (Users) • Wireless Network (IEEE 802.11) Policies

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted-Permitted Snap-Ins\Group Policy\Resultant Set Of Policy Snap-In • Administrative Templates (Computers) • Administrative Templates (Users) • Folder Redirection • Internet Explorer Maintenance • Scripts (Logon/Logoff) • Scripts (Startup/Shutdown) • Security Settings • Software Installation (Computers) • Software Installation (Users)

User Configuration\Administrative Templates\Windows Components\Task Scheduler • Hide Property Pages • Prevent Task Run or End • Prohibit Drag-and-Drop • Prohibit New Task Creation • Prohibit Task Deletion • Hide Advanced Properties Checkbox in Add Scheduled Wizard • Prohibit Browse

User Configuration\Administrative Templates\Windows Components\Terminal Services • Start a program on connection • Sets rules for remote control of Terminal Services user sessions

User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions • Set time limit for disconnected sessions • Sets a time limit for active Terminal Services sessions • Sets a time limit for active but idle Terminal Services sessions • Allow reconnection from original client only • Terminate session when time limits are reached

User Configuration\Administrative Templates\Windows Components\Windows Installer • Always install with elevated privileges • Search order • Prohibit rollback • Prevent removable media source for any install

User Configuration\Administrative Templates\Windows Components\Windows Messenger • Do not allow Windows Messenger to be run • Do not automatically start Windows Messenger initially

User Configuration\Administrative Templates\Windows Components\Windows Update • Remove access to use all Windows Update features

User Configuration\Administrative Templates\Windows Components\Windows Media Player • Prevent CD and DVD Media Information Retrieval • Prevent Music File Media Information Retrieval

User Configuration\Administrative Templates\Windows Components\Windows Media Player\User Interface • Hide Privacy Tab • Hide Security Tab • Set and Lock Skin • Do Not Show Anchor

User Configuration\Administrative Templates\Windows Components\Windows Media Player\Playback • Prevent Codec Download • Allow Screen Saver

User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking • Hide Network Tab • Streaming Media Protocols • Configure HTTP Proxy • Configure MMS Proxy • Configure RTSP Proxy • Configure Network Buffering

User Configuration\Administrative Templates\Windows Components\Start Menu and • Remove user's folders from the Start Menu • Remove links and access to Windows Update • Remove common program groups from Start Menu • Remove My Documents icon from Start Menu • Remove Documents menu from Start Menu • Remove programs on Settings menu • Remove Network Connections from Start Menu • Remove Favourites menu from Start Menu • Remove Search menu from Start Menu • Remove Help menu from Start Menu • Remove Run menu from Start Menu • Remove My Pictures icon from Start Menu • Remove My Music icon from Start Menu • Remove My Network Places icon from Start Menu • Add Logoff to the Start Menu • Remove Logoff on the Start Menu • Remove and prevent access to the Shut Down command • Remove Drag-and-drop context menus on the Start Menu • Prevent changes to Taskbar and Start Menu Settings • Remove access to the context menus for the taskbar • Do not keep history of recently opened documents • Clear history of recently opened documents on exit • Turn off personalized menus • Turn off user tracking • Add "Run in Separate Memory Space" check box to Run dialog box • Do not use the search-based method when resolving shell shortcuts • Do not use the tracking-based method when resolving shell shortcuts • Gray unavailable Windows Installer programs Start Menu shortcuts • Prevent grouping of taskbar items • Turn off notification area cleanup • Lock the Taskbar • Force classic Start Menu • Remove Balloon Tips on Start Menu items • Remove pinned programs list from the Start Menu • Remove frequent programs list from the Start Menu • Remove All Programs list from the Start menu • Remove the "Undock PC" button from the Start Menu • Remove user name from Start Menu • Remove Clock from the system notification area • Hide the notification area • Do not display any custom toolbars in the taskbar • Remove Set Program Access and Defaults from Start menu

User Configuration\Administrative Templates\Desktop\ • Enable Active Desktop • Disable Active Desktop • Disable all items • Prohibit changes • Prohibit adding items • Prohibit deleting items • Prohibit editing items • Prohibit closing items • Add/Delete items • Active Desktop Wallpaper

• Allow only bitmapped wallpaper

User Configuration\Administrative Templates\Desktop\Active Directory • Maximum size of Active Directory searches • Enable filter in Find dialog box • Hide Active Directory folder

User Configuration\Administrative Templates\Control Panel • Prohibit access to the Control Panel • Hide specified Control Panel applets • Show only specified Control Panel applets • Force classic Control Panel Style

User Configuration\Administrative Templates\Control Panel\Add or Remove Programs • Hide Change or Remove Programs page • Hide Add New Programs page • Hide Add/Remove Windows Components page • Hide the Set Program Access and Defaults page • Hide the "Add a program from CD-ROM or floppy disk" option • Hide the "Add programs from Microsoft" option • Hide the "Add programs from your network" option • Go directly to Components Wizard • Remove Support Information • Specify default category for Add New Programs

User Configuration\Administrative Templates\Control Panel\Display • Remove Display in Control Panel • Hide Desktop tab • Prevent changing wallpaper • Hide Appearance and Themes tab • Hide Settings tab • Hide Screen Saver tab • Screen Saver • Screen Saver executable name • Password protect the screen saver • Screen Saver timeout

User Configuration\Administrative Templates\Control Panel\Display\Desktop Themes • Remove Theme option • Prevent selection of windows and buttons styles • Prohibit selection of font size • Prohibit Theme colour selection • Load a specific visual style file or force Windows Classic

User Configuration\Administrative Templates\Control Panel\Printers • Browse a common web site to find printers • Browse the network to find printers • Default Active Directory path when searching for printers Disable • Point and Print Restrictions • Prevent addition of printers • Prevent deletion of printers

User Configuration\Administrative Templates\Control Panel\Regional and Language Options • Restrict selection of Windows menus and dialogs language

User Configuration\Administrative Templates\Shared Files • Allow shared folders to be published • Allow DFS roots to be published

User Configuration\Administrative Templates\Network\Offline Files • Prohibit user configuration of Offline Files • Synchronize all offline files when logging on • Synchronize all offline files before logging off • Synchronize offline files before suspend Disable

• Action on server disconnect • Non-default server disconnect actions • Remove 'Make Available Offline' • Prevent use of Offline Files folder • Administratively assigned offline files • Turn off reminder balloons • Reminder balloon frequency • Initial reminder balloon lifetime • Reminder balloon lifetime • Event logging level • Prohibit 'Make Available Offline' for these file and folders • Do not automatically make redirected folders available offline

User Configuration\Administrative Templates\Network\Network Connections • Ability to rename LAN connections or remote access connections users • Prohibit access to properties of components of a LAN connection • Prohibit access to properties of components of a remote access connection • Prohibit TCP/IP advanced configuration • Prohibit access to the Advanced Settings item on the Advanced menu • Prohibit adding and removing components for a LAN or remote access • Prohibit access to properties of a LAN connection • Prohibit Enabling/Disabling components of a LAN connection • Ability to change properties of an all user remote access connection • Prohibit changing properties of a private remote access connection • Prohibit deletion of remote access connections • Ability to delete all user remote access connections • Prohibit connecting and disconnecting a remote access connection • Ability to Enable/Disable a LAN connection • Prohibit access to the New Connection Wizard • Ability to rename LAN connections • Ability to rename all user remote access connections • Prohibit renaming private remote access connections • Prohibit access to the Remote Access Preferences item on the Adv. menu • Prohibit viewing of status for an active connection • Enable Windows 2000 Network Connections settings for Administrators

User Configuration\Administrative Templates\System • Don't display the Getting Started welcome screen at logon • Century interpretation for Year 2000 • Configure driver search locations • Code signing for device drivers • Custom user interface • Prevent access to the command prompt • Prevent access to registry editing tools • Run only allowed Windows applications • Don't run specified Windows applications • Turn off Autoplay • Restrict these programs from being launched from Help • Download missing COM components • Windows Automatic Updates

User Configuration\Administrative Templates\System\User Profiles • Do not check for user ownership of Roaming Profile Folders • Connect home directory to root of the share • Limit profile size • Exclude directories in roaming profile

User Configuration\Administrative Templates\System\Scripts • Run logon scripts synchronously • Run startup scripts asynchronously • Run startup scripts visible • Run shutdown scripts visible • Maximum wait time for Group Policy scripts

User Configuration\Administrative Templates\System\CTRL+ALT+DEL Options • Remove • Remove Lock Computer • Remove Change Password • Remove Logoff

User Configuration\Administrative Templates\System\Logon • Run these programs at user logon • Do not process the run once list • Do not process the legacy run list

User Configuration\Administrative Templates\System\Group Policy • Group Policy refresh interval for users • Group Policy slow link detection • Group Policy domain controller selection • Create new Group Policy object links Disable • Default name for new Group Policy objects • Enforce Show Policies Only • Turn off automatic update of ADM files • Disallow Interactive Users from generating Resultant Set of Policy data

User Configuration\Administrative Templates\System\Power Management • Prompt for password on resume from hibernate / suspend

Hard-drive Jumper Settings

When installing a new hard-drive it is important to make sure that the jumper switches on the back of the hard-drive are set so that the drive is correctly configured as either a primary (contains the boot sector and operating system) or secondary hard-drive.

There are two ways to set the drive as the correct unit:

1. Using the cable selection method: When you have the workstation cabinet open, you will notice that there are two drive connections on the cable: one at the end, which is the primary drive connection, and one in the middle, which is the secondary drive connection. By changing the position of the hard-drive connection on the cable, you determine which is the primary and which is the secondary drive. Make sure that the drive jumpers are set to cable select as shown in the diagram at the end of this document.

When connecting the cable, be careful not to bend any pins, as they are very fragile, and make sure that the coloured stripe on the cable is nearest the power cord connection on the drive and at pin one on the motherboard.

2. Setting the drive jumpers: These settings refer to a Seagate hard-drive; yours may differ, but the settings are usually printed on the top of the hard-drive.

By setting the jumpers on the pins at the back of the hard-drive you can set hard-drives to be either primary or secondary and override their position settings on the cable. The diagram below shows the settings that apply to most modern hard-drives. Some drives are different, so you should check the top of the drive case for a settings diagram or check the manufacturer's website for any differences. In fact, some drives work better if they are set using the jumper connections.

The jumpers can be moved with a pair of tweezers or needle-nosed pliers after the drive has been removed from the case.

• To set the jumpers as cable select, place the connector over pins 5 and 6

• To set the drive as a primary without a secondary drive, place the connector over pins 7 and 8

• To set a primary and a secondary drive, place the connector on pins 7 and 8 on the primary drive and remove any connector on the secondary drive. Then place the drives on the cable in their normal cable select positions.

Acknowledgement: The graphics on this page are from the Seagate website at: www.seagate.com/support/kb/disc/faq/ata_cable_select.html

RESOURCES

DECS Websites

Allabout ...... http://www.allabout.sa.edu.au/allabout/
Antivirus ...... www.antivirus.sa.edu.au
DECS home page ...... www.decs.sa.gov.au
eduConnect ...... www.educonnect.sa.edu.au
e-learning ...... www.e-learning.sa.edu.au
EDSAS home page ...... www1.central.sa.edu.au/schladmn/edsas/edsas2.htm
SSONET ...... ssonet.central.sa.edu.au
T.S.o.F ...... www.tsof.sa.edu.au

Scholastic Websites

Lexile Testing ...... www.mylexile.com.au

Technical Websites

Network boot disk ...... www.netbootdisk.com
