WIN.MIT.EDU Tips and Tricks (presentation transcript)
Slide 1: WIN.MIT.EDU Tips and Tricks
Agenda:
- Joining machines
- Roaming profiles
- Folder redirection
- Desktop sync
- Previous Versions
- Group policy management tools
- Single sign-on vs. a WIN password
- Printing
- Laptop support
- Server security recommendations
- MIT Windows Updates
- Server 2008 support
- Vista RDP sessions
- PXE boot for OS install
Slide 2: Joining a machine (http://web.mit.edu/win/join.html)
One-time considerations for new hosts and users:
- Is there a Moira record for the machine, and has it propagated to the MITnet DNS?
- Has the machine been assigned to a container? (stella)
- Is your Kerberos password up to date?
General instructions:
- If reinstalling or rejoining, use the web form on the Domain Machine Management page to delete the old machine account.
- Remove existing McAfee antivirus software.
- Verify correct IP and DNS settings, join the machine to the domain and reboot.
- If no packages are downloaded, reboot a second time because of the XP fast boot default.
Using the "tempjoin" account:
- Regular user accounts in WIN do not have rights to create new machine accounts, which is required when joining a machine or using RIS.
- The web form requires MIT certificates. It creates a Windows account named after your username followed by ".tempjoin". A temporary password, valid for 48 hours, is displayed on the screen.
- Use this username and password while joining the machine to the domain or authenticating to the RIS server.
Slide 3: Moira tools: stella (machine management)
One-time assignment of the machine to a container:
In order for a machine to get the group policies and MSI packages it requires to function properly in the domain, it must be assigned, in Moira, to a container within the "Machines" container in AD. If there is no assignment, the machine will appear in the "Orphans/Machines" container and will not get the group policy objects it needs.
Use the stella command to manage the assignment: "stella hostname -lcn" lists the container if one has been assigned, "-dcn" removes an existing machine-to-container assignment, and "-acn" adds one. This query may be a good candidate for a future web application.
If a machine needs to be reinstalled or replaced, the Moira container mapping does not have to be deleted; only the AD machine account needs to be deleted via the web form.
To check whether a host has already been assigned to a container, use the -lcn option:
    stella my-machine -lcn
    Machine: my-machine Container: Machines/my-container
If the machine has not been assigned to a container, the command prints nothing.
To assign the machine to a container, use the -acn option:
    stella my-machine -acn Machines/my-container
If the machine has already been assigned to a container but you wish to move it to another one, first delete the old assignment with the -dcn option, then assign the new container with -acn:
    stella my-machine -dcn Machines/my-container
    stella my-machine -acn Machines/my-other-container
Slide 4: Profile and home directories: don't fill the desktop!
- Default is a roaming profile in DFS: .winprofile (or .winprofile.V2) is created in the user's DFS home directory and copied to the local drive at logon.
- NTFS user quotas, configurable via web form!!!
- The Desktop folder is roaming. Don't store large files there; store them in My Documents!!! A large desktop makes your machine take a very long time to log in or log out.
- Drive H: is mapped to the user's DFS home directory.
  - Currently a 2 GB user quota by default.
  - Previous Versions support: a self-service feature where users can retrieve old versions of files and folders up to 64 days back.
  - Accessed over the network as needed.
  - Used for folder redirection of the Windows home directory.
- The H:\WinData directory is created in DFS for redirected user data, to minimize the amount of data copied at logon and logoff: My Documents, Application Data, Favorites.
Slide 5: Roaming profiles and desktop sync
Vista roaming profiles are not compatible with XP profiles. Microsoft added code in Vista to create a new profile directory in the user's home directory with a .V2 extension:
    XP:    H:\.winprofile
    Vista: H:\.winprofile.V2
Each profile has its own desktop folder; e.g., XP's is H:\.winprofile\desktop. If you have certificates in your XP profile, you will still need to get them separately for Vista.
Desktop sync: to keep desktop files and shortcuts consistent for users logging into both XP and Vista machines, WIN.MIT.EDU synchronizes the desktop folders of both profiles when a user logs on:
- Files saved to an XP desktop will appear on the Vista desktop.
- Files saved to a Vista desktop will appear on the XP desktop.
- If a file is updated on one desktop, the other desktop receives the updated version at the next user logon, regardless of which OS they log on to.
Important! A cached roaming profile may only be deleted via the System control panel. If the files are deleted manually, the roaming profile will fail to load; to fix this, the relevant registry keys will have to be deleted from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
Upgrades: if a machine is upgraded to Vista, the upgraded cached copy of a roaming profile should be copied to a new folder via the System control panel and not used (more about this in the folder redirection topic). A local logon should be used for the upgrade, and immediately after the upgrade to rename the old cached profile. Upgraded versions of non-roaming profiles can be preserved and do not need to be modified.
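As an added example (not one of the WIN.MIT.EDU domain scripts), the PowerShell below finds ProfileList entries that point at cached profile folders which no longer exist on disk, which is the state a manually deleted cached profile leaves behind. It reads the ProfileList key named on the slide, only reports, and assumes an elevated session on the affected machine; the removal command in the trailing comment is left for the administrator to run deliberately.

```powershell
# Added example; not part of the WIN.MIT.EDU domain scripts.
# Lists ProfileList entries whose cached profile folder is gone from disk, which is
# the state the slide describes when a cached roaming profile is deleted manually
# instead of through the System control panel. Report only: removing the key is a
# separate, deliberate step. Assumes an elevated PowerShell session on the machine.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-StaleProfileListEntry {
    param([string]$Key = $ProfileListKey)

    Get-ChildItem -Path $Key | ForEach-Object {
        $sid = $_.PSChildName
        # Only per-user SIDs (S-1-5-21-...) have a profile folder worth checking;
        # the service accounts S-1-5-18/19/20 do not. Keys that Windows has renamed
        # with a .bak suffix after a failed profile load still match this pattern.
        if ($sid -notlike 'S-1-5-21-*') { return }

        $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath `
                     -ErrorAction SilentlyContinue).ProfileImagePath
        if (-not $path) { return }
        # ProfileImagePath is REG_EXPAND_SZ; expand any %SystemDrive%-style variables.
        $path = [Environment]::ExpandEnvironmentVariables($path)

        if (-not (Test-Path -LiteralPath $path)) {
            [PSCustomObject]@{
                Sid              = $sid
                ProfileImagePath = $path
                RegistryKey      = $_.PSPath
            }
        }
    }
}

# Review the findings first; then remove a stale key deliberately, for example:
#   Get-StaleProfileListEntry | ForEach-Object { Remove-Item -Path $_.RegistryKey -Recurse -WhatIf }
Get-StaleProfileListEntry | Format-Table -AutoSize
```

The function deliberately stops at reporting: a ProfileList key whose folder is missing is exactly the case the slide says breaks the next roaming logon, so the fix belongs in a change an administrator reviews rather than in an automatic cleanup.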
Slide 6: Folder redirection
- By default, all users and machines use both roaming profiles and folder redirection.
- Computers download the default user profile from a DFS share.
- For the Windows XP environment, WIN.MIT.EDU redirects the following folders:
    Application Data = H:\WinData\Application Data
    My Documents     = %HOMESHARE%\WinData\My Documents
    My Pictures      = %HOMESHARE%\WinData\My Documents\My Pictures
    Favorites        = %HOMESHARE%\WinData\Favorites
- %HOMESHARE% is the location of the user's home directory as specified by the user account properties in Active Directory. These properties are managed by Moira and can be modified via the change profile options web form.
- Machines opted into the disconnected operations laptop policy map H: to the local user profile in C:\Documents and Settings instead of the user's DFS home directory. These machines do not use roaming profiles.
- Users who used the change profile options web form to set their account to local profiles and no folder redirection see similar behavior to those on machines covered by the laptop policy.
Slide 7: Windows Vista: user files directory view
- The user's files folder is a programmatically merged view of the local cached profile and the redirected folders.
- It is possible to see duplicate entries if a directory exists in each location.
- We reported this to Microsoft, but action was taken to remediate the issue.
- We implemented our own workaround for the user file view issue:
  - The default domain Vista roaming profile, which is the source for the cached profiles, has the redirected folders removed.
  - Users in the domain who use a local profile, either on a desktop by opting out of roaming profiles or on a computer opted into disconnected operation (laptop policy), have the removed directories recreated at logon when the profile is first created.
  - New logon scripts include logic to detect whether the user is roaming or not and create the directories if they do not exist.
Slide 8: Previous Versions
- Uses VSS (Windows Server 2003 Shadow Copy services) for user home directories.
- Point-in-time copies of files: view, copy or restore files and folders as they existed at points in the past.
- Recover files that were accidentally deleted or overwritten.
- Compare versions of a file while working.
- Self-service file restore capability for the end user.
- Snapshots are taken daily at 4 AM; versions up to 64 days old are available.
- Shadow copies are read-only; you cannot edit the contents of a shadow copy.
Slide 9: Container maintenance: group policy management tools
- Group Policy Management Console (gpmc.msc): the preferred GP management tool. An add-on MSI for XP; installed by default on Vista. There is also an add-on MSU for Vista with updated tools for administering Server 2008. Views GPO settings and permissions, and can launch the GP editor.
- Resultant Set of Policy (rsop.msc): diagnostic tool to view how GP inheritance is working.
- AD Users and Computers (dsa.msc): views and information for containers and machines.
- Group Policy Editor (gpedit.msc): launched by gpmc or dsa; edit settings, plus a new Preferences section for Vista.
- gpupdate: command-line utility to refresh group policy.
- GPFind: win.mit.edu command-line script; search by GPO name and launch the GP editor.
Slide 10: New: Preferences section
New Server 2008 management tools are available for Vista. Many features that IS&T had to build custom tools for have now been built in by Microsoft:
- Registry keys can be deployed here instead of using Regpoledit.
- Scheduled tasks can be deployed via group policy as an alternative to Selfmaint.
- Network and local printers can be deployed here instead of using the win.mit.edu custom settings.
Other new features: computer-based control panel settings such as power options, local accounts and folder options.
Slide 11: User logon and single sign-on
User accounts via the Moira incremental:
- A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal.
- Profile and home directory options are written to the user's account data, along with office location, phone and
- A random 127-character password is generated and stored in the user properties in Active Directory, so the password does not need to be propagated. Cross-realm authentication verifies the user's password directly against the MIT Kerberos KDCs.
- A Windows service refreshes the random passwords every 30 days.
- A web form sets the user's Windows password to a known value for use with special applications where required.
- ATHENA realm tickets are automatically acquired at logon.
- To log on to a Vista computer with a local account, enter machinename\username in the username field.
Slide 12: Web forms for users
- Change your Kerberos password: https://wserv.mit.edu/fcgi-bin/cpw
- Change your Active Directory password: https://wince.mit.edu/changepasswd/index.jsp
  For users: under certain circumstances it might be necessary to set your native WIN domain password, but in most cases this is not necessary, and it should only be used when needed.
- Change profile and home directory options: https://wince.mit.edu/changeprofile/index.jsp
  A user can change their default DFS roaming profile and home directory locations to a local profile and home directory, or to a path on a departmental server.
Slide 13: Group policy: win.mit.edu printer settings
- Microsoft did not have a machine-based group policy option to assign printers prior to Server 2003 R2/Windows Vista. When Windows 2000 was released, IS&T developed custom printer extensions for win.mit.edu. When Windows XP is closer to being phased out, we plan to phase out these custom settings. The new Microsoft settings are available today for Vista users.
- IS&T is phasing out Kerberized printing; the KLPR packages are no longer being maintained and do not support Windows Vista.
- New Microsoft GP settings for Vista are available.
Two types of printers may be assigned using the win.mit.edu extensions:
- "KLPR" printers: queues that require Kerberos authentication.
  - Use the MIT Hesiod client installed on the machine for queue resolution.
  - Currently the KLP MSI is deployed by default; there is an opt-in for the newer LPNG MSI.
  - There is a specific list of supported drivers. Additional drivers can be added, but in some cases they are not compatible with the UNIX print queue.
  - An opt-out of all Kerberized printer clients is available.
- Network printers: standard Microsoft network printers assigned per machine, using a standard UNC path name.
Both options can assign a default printer to the machine.
Slide 14: Disconnected operation: laptop support
- Requires opt-in of the machine or container via a web form.
- Domain-wide scripts have internal checks for network-based operations: they test for RPC availability to win.mit.edu over port 445, and if there is no connectivity the operation is skipped.
- If a machine boots with no network connectivity, the user logs on using their domain account with cached credentials.
- Roaming profiles and folder redirection are disabled for disconnected users; by default all files are saved to the local disk.
- When using disconnected operations with Vista, drive H: will not be mapped to the local profile as in XP. If the machine is connected to MITnet at logon, the drive will be mapped to the network home directory specified in AD.
- (XP only) People using laptops that are frequently used remotely over a broadband connection should install the MIT VPN client.
- (XP only) Note about Intel PROSet wireless management software: this software is currently packaged with many laptops, including those from Dell. We recommend uninstalling this portion of the software via the Add/Remove Programs control panel for use with disconnected operations within win.mit.edu. While it is possible to set this software to use the Microsoft client to manage wireless connections, that setting won't be preserved across system reboots.
- To log on/log off without the VPN, we currently recommend that the machine not be connected to the home network until after the Windows logon, so the operating system understands it is doing a disconnected logon. This can be done by disconnecting the network cable or using a function key to disable integrated wireless (F2 on most Dell laptops). Otherwise Windows detects network connectivity and attempts to authenticate with a domain controller. The VPN logon can be started after reconnecting to the network.
- Vista users should disable IPv6 before using the MIT VPN client 5.0 or greater.
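The connectivity check the slide describes, written out as an added PowerShell example (it is not one of the WIN.MIT.EDU domain-wide scripts): probe win.mit.edu on TCP 445 with a bounded timeout and skip any network-dependent step when the probe fails. The 2-second timeout is an assumption, and the usage at the end assumes %HOMESHARE% holds the user's DFS home directory as slide 6 describes.

```powershell
# Added example; not one of the WIN.MIT.EDU domain-wide scripts.
# Mirrors the check the slide describes: probe win.mit.edu on TCP 445 before doing
# anything that needs the domain, and skip the operation on a disconnected logon.
# Assumptions: a 2-second connect timeout is adequate on MITnet, and %HOMESHARE%
# holds the user's DFS home directory (as slide 6 states) when the mapping runs.

function Test-DomainReachable {
    param(
        [string]$ComputerName = 'win.mit.edu',  # host named on the slide
        [int]$Port = 445,                       # port named on the slide
        [int]$TimeoutMs = 2000                  # assumption, not from the slide
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Bound the wait so a laptop with no link does not hang the logon script.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if refused or the host is unreachable
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Invoke-IfConnected {
    param(
        [Parameter(Mandatory)][scriptblock]$NetworkOperation,
        [string]$Name = 'network operation'
    )
    if (Test-DomainReachable) {
        Write-Verbose "win.mit.edu reachable on 445; running $Name"
        & $NetworkOperation
    } else {
        Write-Warning "Disconnected logon; skipping $Name"
    }
}

# Usage: map H: only when the domain is reachable (assumes %HOMESHARE% is set).
Invoke-IfConnected -Name 'map H: to the DFS home directory' -NetworkOperation {
    if ($env:HOMESHARE) {
        net use H: $env:HOMESHARE /persistent:no
    } else {
        Write-Warning 'HOMESHARE is not set; nothing to map'
    }
}
```

The timeout matters more than the probe itself: a logon script that blocks on a TCP connect with no link would hold the user at the logon screen, which is the failure mode the slide's "if there is no connectivity the operation is skipped" rule exists to avoid.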
Slide 15: Server security recommendations: common policies to implement for servers
Logon restrictions (Computer Configuration/Windows Settings/Security Settings/User Rights Assignment):
- Allow logon through Terminal Services: generally restricted to the local Administrators group.
- (Allow) Logon locally: generally restricted to the local Administrators group, but sometimes a service account may require this right, depending on the application.
- Deny logon through Terminal Services: it is recommended to deny the local Administrator account logon over Terminal Services. This way the local Administrator account can only be used when physically in front of the machine. We already deny this account access to the machine over the network; this setting is a logical extension of the same precaution.
- Do not use groups or well-known security principals without understanding their scope:
  - Authenticated Users includes both local and domain users, but not anonymous.
  - The local Users group by default includes the Domain Users group.
- Always implement the Windows Firewall and only open necessary ports to relevant subnets.
- If possible, implement Microsoft IPsec.
Resource management and administration:
- Use NTFS ACLs, not share permissions, for more granular security.
- Use one or two top-level shares and set NTFS ACLs on the sub-folders instead of creating many shares.
- Avoid disabling inheritance, as it tends to yield unexpected results if not well documented.
- Avoid granting Full Control (which allows users to change permissions) over resources; use the Modify right.
- Use local groups containing Moira groups, or at least Moira groups, on NTFS ACLs.
- Do not assign NTFS permissions or rights to users directly; use group membership. When a user leaves the department, rights can be easily removed by removing their group memberships in Moira.
- An appropriate level of auditing does not create so many entries that it becomes unmanageable, and allows one to recognize the real issues.
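As an added example (not an IS&T tool), the following PowerShell audits a share's folder tree against three of the NTFS recommendations on this slide: Full Control granted to anything other than the usual administrative principals, rights assigned directly to a user account instead of a group, and folders with inheritance disabled. It only reports. It assumes it runs on the file server with rights to read the ACLs, that Get-CimInstance (PowerShell 3 or later) is available to classify identities, and the share path in the usage line is a placeholder.

```powershell
# Added example; not an IS&T tool. Audits a share's folder tree for the NTFS
# practices the slide recommends and reports three kinds of finding:
#   - Full Control granted to anything other than the usual administrative principals
#   - rights granted to an individual user account instead of a group
#   - folders where inheritance has been disabled
# It changes nothing. Assumptions: run on the file server with rights to read ACLs,
# and Get-CimInstance (PowerShell 3+) is available to classify identities.

$FullControlAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-IsUserAccount {
    # True when the identity resolves to a user account (Win32_Account SIDType 1),
    # false for groups, aliases and well-known principals; $null if unresolvable.
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
    $acct = Get-CimInstance -ClassName Win32_Account -Filter "SID='$sid'" -ErrorAction SilentlyContinue
    if ($null -eq $acct) { return $null }
    return ($acct.SIDType -eq 1)
}

function Get-NtfsAclFinding {
    param([Parameter(Mandatory)][string]$Path)

    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        if ($acl.AreAccessRulesProtected) {
            [PSCustomObject]@{ Path = $folder.FullName; Identity = ''; Finding = 'Inheritance disabled' }
        }
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are reported once, on the folder where they were set.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value

            if ((($ace.FileSystemRights -band $FullControl) -eq $FullControl) -and
                ($FullControlAllowed -notcontains $id)) {
                [PSCustomObject]@{ Path = $folder.FullName; Identity = $id; Finding = 'Full Control granted; prefer Modify' }
            }
            if (Test-IsUserAccount $ace.IdentityReference) {
                [PSCustomObject]@{ Path = $folder.FullName; Identity = $id; Finding = 'Rights assigned directly to a user; use a group' }
            }
        }
    }
}

# Usage (the share path is a placeholder, not a real WIN.MIT.EDU path):
Get-NtfsAclFinding -Path 'D:\Shares\Department' | Format-Table -AutoSize
```

Only explicit (non-inherited) ACEs are examined, so each finding points at the folder where the permission was actually set, which is where the slide's "well documented" requirement for any deviation has to be met.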
Slide 16: Server 2003 and security recommendations: using the MIT Windows Update Services
Overview:
- Currently running Microsoft WSUS 3.0.
- Internal repository of patches synchronized with Microsoft.
- Only patches approved and tested by IS&T are available through WSUS.
- Applied by default on all WIN.MIT.EDU machines: auto download and auto install.
- Architecture (diagram on the slide): Microsoft -> F5 load balancers -> WSUS servers.
Options:
- Domain default: Option 4, auto download and auto install at 2:00 AM. Action: nothing. Usually good for simple file and print servers and simple web servers.
- Custom setting: Option 4, auto download and auto install on a custom schedule. Action: set Computer Settings/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 4 (auto download and schedule the install), and set the custom schedule below it.
- Custom setting: Option 3, auto download and notify for install. Action: set Computer Settings/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 3 (auto download and notify for install).
- Do not set/reset the WSUS server name; this is already done.
- When using Option 3, a balloon notification appears when new patches are available. Patch installation can be run manually from this interface, and if the administrator wishes, certain patches may be skipped using the client interface.
Registry settings:
In a non-Active Directory environment, an administrator can set registry values to configure Automatic Updates. The server values live under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate:
- WUServer: sets the Windows Update intranet server by HTTP name. MIT recommended setting =
- WUStatusServer: sets the Windows Update intranet statistics server by HTTP name. MIT recommended setting =
The following values are set in the registry of each Windows client under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:
- NoAutoUpdate: range = 0|1. 0 = Automatic Updates enabled (default), 1 = Automatic Updates disabled. MIT recommended setting = 0
- AUOptions: range = 2|3|4. 2 = notify of download and installation, 3 = auto download and notify of installation, 4 = auto download and scheduled installation. All options notify the local administrator. MIT recommended setting = 4
- ScheduledInstallDay: range = 0|1|2|3|4|5|6|7. 0 = every day; 1 through 7 = days of the week from Sunday (1) to Saturday (7). MIT recommended setting = 0
- ScheduledInstallTime: range = n, where n = the time of day in 24-hour format (0-23). MIT default setting = 1
- UseWUServer: set this to 1 to enable Automatic Updates to use the Software Update Services server specified in the WUServer value. MIT recommended setting = 1
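As an added example (not an IS&T script), this PowerShell reads the Automatic Updates policy values listed on the slide and reports which ones differ from the MIT recommended settings, so an administrator who applied a custom schedule can confirm nothing else drifted. It is read-only and assumes an elevated session on the client being checked. Because the slide does not print the WUServer and WUStatusServer values, those two are checked for presence only.

```powershell
# Added example; not an IS&T script. Reads the Automatic Updates policy values the
# slide lists and reports which ones differ from the MIT recommended settings.
# Read only. Assumes an elevated session on the client being checked. WUServer and
# WUStatusServer are checked for presence only, since the slide leaves their values out.

$AuKey            = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WindowsUpdateKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

# Recommended values from the slide (ScheduledInstallTime is the stated MIT default).
$Recommended = [ordered]@{
    NoAutoUpdate         = 0   # Automatic Updates enabled
    AUOptions            = 4   # auto download and scheduled install
    ScheduledInstallDay  = 0   # every day
    ScheduledInstallTime = 1   # 01:00, 24-hour clock
    UseWUServer          = 1   # use the intranet server named in WUServer
}

function Get-RegistryValueOrNull {
    # Returns the named value, or $null when the key or value is absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AuPolicyDrift {
    param(
        [string]$Key = $AuKey,
        [System.Collections.IDictionary]$Expected = $Recommended
    )
    foreach ($name in $Expected.Keys) {
        $actual = Get-RegistryValueOrNull -Key $Key -Name $name
        if ($null -eq $actual)                            { $status = 'MISSING' }
        elseif ([int]$actual -eq [int]$Expected[$name])  { $status = 'OK' }
        else                                              { $status = 'DRIFT' }
        [PSCustomObject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = $status
        }
    }
    # UseWUServer=1 only means something if the intranet server names are present.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $actual = Get-RegistryValueOrNull -Key $WindowsUpdateKey -Name $name
        if ([string]::IsNullOrEmpty($actual)) { $status = 'MISSING' } else { $status = 'PRESENT' }
        [PSCustomObject]@{
            Setting  = $name
            Expected = '(set by IS&T; do not change)'
            Actual   = $actual
            Status   = $status
        }
    }
}

Get-AuPolicyDrift | Format-Table -AutoSize
```

A MISSING row for NoAutoUpdate or AUOptions on a domain member usually means the machine is not receiving the WSUS group policy at all, which on this domain points back to the container assignment described on slide 3 rather than to the registry.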
Slide 17: Windows Server 2008 support
Support in WIN.MIT.EDU:
- Computers running Server 2008 may be joined to Active Directory.
- Support for OS groups has been added for software installation assignments.
- Behavior of roaming profiles and folder redirection is the same as Vista; the .winprofile.V2 directory used by Vista is also used by Server 2008.
Disable IPv6:
- Like Vista, Server 2008 enables IPv6 by default. We recommend that IPv6 be turned off for network connections on MITnet.
Like Vista, requires activation:
- Vista uses DNS-based KMS activation for volume media for computers within MITnet.
- DNS-based activation will be integrated for Server 2008 during the Spring term. In the interim, activation may be done manually:
    c:\windows\system32\slmgr.vbs -skms kms2008.mit.edu
    c:\windows\system32\slmgr.vbs -ato
Slide 18: RIS: Remote Installation Services
Requirements:
- PXE support enabled for the subnet and in the computer BIOS.
- A Moira record should exist for the machine and already be mapped to a container.
- If reinstalling, the previous computer object in Active Directory must be removed.
- Tempjoin credentials are used for the installation.
Execution:
- Boot with the Network Boot option (using F12).
- Access to Windows XP images by default; there is an ACL for Server 2003 images.
- Machines automatically join the domain.
RIS info:
- RIS will format and install the OS on the first physical disk.
- Images exist for particular Dell and IBM models. If a new model is commonly used, a new image can be requested. Generic images exist as well that can be used for virtual machines.
- WDS (Windows Deployment Services) will soon replace RIS. WDS will support Vista and Server 2008. RIS will be replaced by BDD (ImageX).
Notes:
- Most MIT networks support PXE; contact for help.
- A Moira record can be created using stella or the web form.
- If machines have not been mapped in Moira, they are placed in the Orphan container and do not receive any software packages.
- The computer object is created only after the machine has actually joined the domain (at which time the SID is generated).
- Tempjoin credentials are only valid for 24 hours (after which the password is reset) and only exist in Active Directory, not Moira.
Slide 19: Windows Vista: connecting via Remote Desktop
- Similar to disconnected operations, IS&T is awaiting a hotfix from Microsoft that will remove the requirement of using the UPN (user principal name) format to connect via Remote Desktop.
- Relevant key: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
- This issue was resolved when IS&T worked with Microsoft regarding XP SP1, and the fix was rolled into SP2. Unfortunately, this code was not ported to the Vista release, and we are awaiting the Kerberos regression hotfixes from Microsoft to be re-released for Vista.
- The Remote Desktop client will not store the UPN format when it makes connections to Vista machines the way it does to XP. We are reporting this behavior to Microsoft as well.
- The Windows Aero interface cannot be displayed over Remote Desktop.
Slide 20: Looking forward to 2009
- Continued deployment and enhancements to Altiris: hardware and software inventory and asset management (current); software deployment via task scheduling (planned).
- WDS: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS enables the deployment of Microsoft Windows operating systems, particularly Windows Vista and Windows Server 2008.
- McAfee ePolicy Orchestrator (ePO): ePO is an integrated management platform that manages the security needs of your client computers. Web console; deployment of McAfee agents, DATs and McAfee products; configuration policy manager; reporting.