Presentation on theme: "WIN.MIT.EDU Tips and Tricks Joining machines Roaming Profiles Folder Redirection Desktop Sync Previous Versions Group Policy Management Tools Single Sign-on."— Presentation transcript:
WIN.MIT.EDU Tips and Tricks Joining machines Roaming Profiles Folder Redirection Desktop Sync Previous Versions Group Policy Management Tools Single Sign-on vs. a WIN password Printing Laptop Support Server Security Recommendations MIT Windows Updates Server 2008 support Vista RDP sessions PXE boot for OS install
Joining a machine: One-time considerations for new hosts and users: Is there a Moira record for the machine which has propagated to the MITnet DNS? Has the machine been assigned to a container? (Stella) Is your Kerberos password up-to-date? General instructions: If reinstalling or rejoining, use the web form located on the Domain Machine Management page to delete the old machine account Remove existing McAfee antivirus software Verify correct IP and DNS settings, join machine to domain and reboot. If no packages are downloaded, reboot a second time due to the XP fast boot default. Using the "tempjoin" Account: Regular user accounts in WIN do not have rights to create new machine accounts, a requirement when joining a machine or using RIS. The web form requires MIT certificates. It creates a Windows account with your username, followed by ".tempjoin." A temporary password, which is valid for 48 hours, is displayed on the screen. This is the appropriate username and password to use while joining the machine to the domain or authenticating to the RIS server.
Moira Tools Stella – machine management One-time Assignment of the Machine to a Container In order for a machine to get group policies and MSI packages it requires to function properly in the domain, it must be assigned, in Moira, to a container that is within the "Machines" container in AD. If there is no assignment, the machine will appear in the "Orphans/Machines" container, and not get the group policy objects it needs. You can use the stella command to assign the container, stella hostname -lcn lists the container if one has been assigned, the -dcn option removes an existing machine-to-container assignment, and -acn adds one. Perhaps this query is a good candidate for a future web application. If a machine needs to be reinstalled or replaced, the Moira container mapping does not have to be deleted. Only the AD machine account needs to be deleted via the web form. To check if a host already has been assigned to a container use the -lcn option: stella my-machine -lcn Machine: my-machine Container: Machines/my-container If the machine has not been assigned to a container, you will not get any output from the command. To assign the machine to a container use the -acn option: stella my-machine -acn Machines/my-container If the machine already has been assigned to a container, but you wish to move it to another one, you must first delete the old container assignment using the -dcn option, then assign it to the new container with -acn: stella my-machine -dcn Machines/my-container stella my-machine -acn Machines/my-other-container
Profile and Home directories: Dont fill the desktop! Default is roaming profile in DFS.winprofile (or.winprofile.V2) is created in the users DFS home directory Copied to local drive at logon NTFS user quotas Configurable via web form !!!Desktop Folder is Roaming, Dont store large files there! Store them in My Documents!!! It will cause your machine to take a very long time to login or logout Drive H: is mapped to the users DFS home directory Currently 2 GB User quota by default Previous Versions support. This is a self service feature where users can retrieve old versions of files and folders up to 64 days back Accessed over network as needed Used for folder redirection of Windows home directory The H:\WinData directory is created in DFS for redirected user data to minimize the amount of data that is copied at logon and logoff My Documents Application Data Favorites
Roaming Profiles and Desktop Sync Vista roaming profiles are not compatible with XP profiles. Microsoft added code in Vista to create a new profile directory in the users home directory with a.V2 extension: XP: H:\.winprofile Vista: H:\.winprofile.V2 Each profile has its own desktop folder: e.g., XPs is H:\.winprofile\desktop If you have certificates in your XP profile, you will still need to get them separately for Vista Desktop-Sync: In order to preserve consistency of the desktop files and shortcuts for users logging into both XP and Vista machines, WIN.MIT.EDU synchronizes the desktop folders of both profiles when a user logs on: Files saved to an XP desktop will appear on the Vista desktop. Files saved to a Vista desktop will appear on the XP desktop. If a file is updated on one of the desktops, the other desktop will receive the updated version at the next user logon regardless of which OS they logon to. Important! A cached roaming profile may only be deleted via the system control panel. If the files are deleted manually, the roaming profile will fail to load. To fix this the relevant registry keys will have to be deleted from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Upgrades: If a machine is upgraded to Vista, the upgraded cached copy of a roaming profile should be copied to a new folder via the system control panel and not used (more about this in the folder redirection topic). A local logon should be used for the upgrade and immediately after the upgrade to rename the old cached profile. Upgraded versions of non-roaming profiles can be preserved and do not need to be modified.
Folder Redirection By default, all users and machines use both roaming profiles and folder redirection. Computers download the default user profile from a DFS share. For the Windows XP environment, WIN.MIT.EDU redirects the following folders: Application Data = H:\WinData\Application Data My Documents = %HOMESHARE%\WinData\My Documents My Pictures = %HOMESHARE%\WinData\My Documents\My Pictures Favorites = %HOMESHARE%\WinData\Favorites %HOMESHARE% is the location of the users home directory as specified by the user account properties in Active Directory. These properties are managed by Moira and can be modified via the change profile options webform. Machines opted into the disconnected operations laptop policy mapped H: to their local user profile in C:\Documents and Settings instead of the users DFS home directory. These machines do not use roaming profiles. Users who used the change profile options webform to set their account to local profiles and no folder redirection see similar behavior to those who use machines covered under the laptop policy.
Windows Vista: User Files Directory View The users files folder is a programmatically merged view of the local cached profile and the redirected folders. Its possible to view duplicate entries if a directory exists in each location. We reported this to Microsoft, but action was taken to remediate the issue. We implemented our own workaround to the user file view issue: The default domain Vista roaming profile which is the source for the cached profiles has the folders which are redirected removed. Users in the domain who use a local profile either on a desktop by opting out of roaming profiles or using a computer opted into disconnected operation (laptop policy) have the removed directories recreated at logon when the profile is first created. New logon scripts include logic to detect whether the user is roaming or not and create the directories if they do not exist.
Previous Versions Uses VSS: Windows Server 2003 Shadow copy services for user Home directories Point-in-time copies of files. View, Copy or Restore files and folders as they existed at points of time in the past. Recover files that were accidentally deleted or overwritten. Compare versions of file while working. Self service file restore capability for the end user. Snapshots are made every 4 AM. Versions of up to 64 days are available. Shadow copies are read-only. You cannot edit the contents of a shadow copy.
Container maintenance: Group Policy Management Tools Group Policy Management Console – gpmc.msc Preferred GP Management tool. An add-on MSI for XP, installed by default on Vista. There is also an add-on MSU for Vista with updated tools for administration of Server 2008 View GPO settings and permissions Can launch gpeditor Resultant Set of Policy – rsop.msc Diagnostic tool to view how GP inheritance is working AD Users and Computers – dsa.msc Views and info of containers and machines Group Policy Editor – gpedit.msc Launched by gpmc or dsa, edit settings and a new preferences section for Vista Gpupdate - Command line utility Refresh group policy GPFind – win.mit.edu command line script Search by GPO name and launch the gpeditor
New: Preferences section New server 2008 management tools available for Vista Many features that IS&T had to build custom tools for have now been built in by Microsoft Registry keys can be deployed here instead of using Regpoledit Scheduled tasks can be deployed via group policy as an alternate to Selfmaint Network and local printers can be deployed here instead of using the win.mit.edu custom settings Other new features: Computer based control panel settings such as power options, local accounts and folder options
User Logon and Single Sign on User Accounts via the Moira incremental A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal Profile and Home directory options are written to the users account data along with Office location, phone and A random 127 character password is generated and stored in the user properties in Active Directory so the password does not need to be propagated. Cross-Realm authentication will verify the users password directly from the MIT Kerberos KDCs. Windows Service exists to refresh random passwords every 30 days Webform to set the users Windows password to a known value for use with special applications where required ATHENA realm tickets are automatically acquired at logon To logon to a Vista computer with a local account enter machinename\username in the username field.
Web forms for users Change your Kerberos Password. https://wserv.mit.edu/fcgi-bin/cpw Change Your Active Directory Password. https://wince.mit.edu/changepasswd/index.jsp For users: under certain circumstances, it might be necessary to set your native WIN domain password, but in most cases this is not necessary and should only be used when needed. Change Profile and Home directory options. https://wince.mit.edu/changeprofile/index.jsp A user can change their default DFS roaming profile and home directory locations to a local profile and home directory or to a path on a departmental server
Group Policy – win.mit.edu Printer settings Microsoft did not have a machine based group policy option to assign printers prior to Server 2003 R2/Windows Vista. When Windows 2000 was released, IS&T developed custom printer extensions for win.mit.edu. When Windows XP is closer to being phased out, we plan to phase out these custom settings. The new Microsoft settings are available today for Vista users IS&T is phasing out Kerberized printing, the KLPR packages are no longer being maintained. The KLPR packages do not support Windows Vista. New Microsoft GP settings for Vista are available. Two types of printers may be assigned using the win.mit.edu extensions: KLPR Printers: Queues that require Kerberos authentication Use the MIT Hesiod client installed on the machine for queue resolution Currently the KLP MSI is deployed by default There is an opt-in for the newer LPNG MSI There is a specific list of supported drivers additional drivers can be added but in some cases are not compatible with the UNIX print queue An opt-out of all Kerberized printer clients is available Network Printers: Standard Microsoft Network Printers assigned per machine Uses standard UNC path name Both options have the ability to assign a default printer to the machine
Disconnected operation: Laptop support Requires opt-in of the machine or container via a web form Domain wide scripts have internal checks for network based operations, they test for RPC availability to win.mit.edu over port 445, if there is no connectivity the operation is skipped. If a machine boots with no network connectivity the user logs on using their domain account with cached credentials. Roaming profiles and folder redirection are disabled for disconnected users, by default all files are saved to the local disk. When using disconnected operations with Vista, drive H: will not be mapped to the local profile as in XP. If the machine is connected to MITnet at logon, the drive will be mapped to the network home directory specified in AD. (XP only): People using laptops that are frequently used remotely over a broadband connection should install the MIT VPN client. (XP only): Note about Intel Proset Wireless management software: This software is currently packaged with many laptops, including those from Dell. We recommend that you uninstall this portion of the software via the add/remove programs control panel for use with disconnected operations within win.mit.edu. While it is possible to set this software to use the Microsoft client to manage wireless connections, this setting wont be preserved across system reboots. To logon/logoff without the VPN we currently recommend that it not be connected to the home network until after the Windows logon so the operating system understands it is doing a disconnected logon. This can be done by disconnecting a network cable, or using a function key to disable integrated wireless (F2 on most Dell laptops). This is because Windows detects network connectivity and attempts to authenticate with a domain controller. VPN logon can be started after reconnection to the network. Vista users should disable IPV6 before using the MIT VPN client 5.0 or greater.
Server Security Recommendations: Common policies to implement for server Logon restrictions: Computer Configuration/Windows Settings/Security Settings/User Rights Assignment Allow logon through Terminal Services Generally restricted to the local Administrators group (Allow) Logon Locally Generally restricted to the local Administrators group but sometimes a service account may require this right depending on the application Deny Logon through Terminal services It is recommended to deny the local Administrator account logon over Terminal Services. This way, the local Administrator account can only be used when physically in front of the machine. We already deny this account access to the machine over the network, this setting is a logical extension of the same precaution. Do not use groups or known security principles without understanding their scope Authenticated Users, which includes both local and domain users, but not anonymous Local Users, which by default includes the Domain Users group Always implement the Windows Firewall and only open necessary ports to relevant subnets If possible, implement Microsoft IPSec Resource Management and Administration Use NTFS ACLs, not Share permissions for more granular security Use one or two top level shares and set NTFS ACLs on the sub-folders instead of creating many shares Avoid disabling of inheritance, as it will tend to yield unexpected results if not well documented Avoid granting Full Control (which allows users to change permissions) over resources, use the Modify right. Use local Groups containing Moira groups or at least moira groups on NTFS ACLs Do not assign NTFS permissions or rights to users directly, use the group membership When a user leaves the department rights can be easily removed by removing their group memberships in moira
Server 2003 and Security Recommendations: Using the MIT Windows Update Services Options Domain default – Option 4: auto download and auto install any 2:00 AM Action – nothing Usually good for simple file and print servers, simple web servers Custom setting – Option 4: Auto download and auto install on custom schedule Action – Set Computer Settings/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 4: Auto download and notify for install, and set custom schedule below Custom setting – Option 3: Auto download and notify for install Action – Set Computer Settings/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 3: Auto download and notify for install Do not set/reset the WSUS server name, this is already done When using option 3, a balloon window notification will appear when new patches are available. Patch install can be run manually from this interface If the administrator wishes, certain patch may be skipped using the client interface F5 Load balancersWSUS ServersMicrosoft Overview Currently running Microsoft WSUS 3.0 Internal repository of patches synchronized with Microsoft Only patches approved and tested by IS&T are available through WSUS Applied by default on all WIN.MIT.EDU machines – auto download and auto install
Windows Server 2008 support Support in WIN.MIT.EDU Computers running Server 2008 may be joined to Active Directory Support for OS groups has been added for software installation assignments Behavior of roaming profiles and folder redirection is the same as Vista The.winprofile.V2 directory used by Vista is also used by Server 2008 Disable IPV6 Like Vista, Server 2008 enables IPV6 by default. We recommend that IPV6 be turned off for network connections on MITnet. Like Vista requires Activation Vista uses a DNS based KMS activation for volume media for computers within MITnet. DNS based activation will be integrated for Server 2008 during the Spring term. In the interim activation may be done manually: c:\windows\system32\slmgr.vbs -skms kms2008.mit.edu c:\windows\system32\slmgr.vbs –ato
RIS: Remote Installation Services Requirements PXE support enabled for subnet and the computer BIOS Moira record should exist for machine and already be mapped to container If reinstalling, the previous computer object in Active Directory must be removed Tempjoin credentials are used for the installation Execution Boot with Network Boot option (using F12) Access to Windows XP images by default, there is an ACL for Server 2003 images Machines automatically join the domain RIS Info RIS will format and install the OS on the first physical disk Images exist for particular Dell and IBM models If a new model is commonly used, a new image can be requested Generic images exist as well that can be used for Virtual Machines WDS (Windows Deployment Services) will soon replace RIS. WDS will support Vista and Server 2008
Windows Vista: Connecting via Remote Desktop Similar to disconnected operations, IS&T is awaiting a hotfix from Microsoft that will remove the requirement of using the UPN (a user principal name: i.e. format to connect via remote desktop HKEY_CURRENT_USER\Software\Micros oft\Terminal Server Client\Servers This issue was resolved when IS&T worked with Microsoft regarding XP SP1 and the fix was rolled into SP2. Unfortunately, this code was not ported to the Vista release and we are awaiting the Kerberos regression hotfixes from Microsoft to be re-released for Vista The Remote Desktop client will not store the UPN format when it makes connections to Vista machines the way it does to XP and We are reporting this behavior to Microsoft as well The Windows Aero interface cannot be displayed over Remote Desktop
Looking forward for 2009 Continued deployment and enhancements to Altiris Hardware and Software inventory and asset management (current) Software deployment via task scheduling (planned) WDS: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS enables the deployment of Microsoft Windows operating systems, particularly Windows Vista and Windows Server 2008 McAfee ePolicy Orchestrator (ePO): ePO is an integrated management platform that manages the security needs of your client computers Web console, deploy McAfee agents, DATs, McAfee products, configuration policy manager, reporting