About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold a number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup). http://twitter.com/JamesAPocock

How To: Restrict Machine Logon & Network Access to Members of an Active Directory Group

If you want to restrict machine logon and network access to members of an Active Directory group, you can do so using the following procedure:

  1. Create a group which contains the ids for the users who will be allowed access to the PCs in question
  2. If necessary, create an organisational unit which contains the PCs that are to be restricted.
  3. Create a new group policy on the OU
  4. Expand Computer configuration…Windows Settings…Security Settings…Local Policies…User Rights Assignment
  5. Double click Access This Computer From the Network and click on Add – add the newly created user group
  6. Double click Logon Locally and click on Add – add the user group created at Step 1. Make sure you include the builtin Administrators group with this setting or you could lock yourself out of the machine!
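
A check for steps 5 and 6 once the policy has applied, as an added example that is not part of the original post: it parses the user rights exported by secedit and reports whether the restricted group and the builtin Administrators group hold each right. The function name, the sample text and the SIDs in it are constructed for illustration; the sample deliberately omits Administrators from the local logon right.

```powershell
# Added example. The INF text below is a constructed sample of what
#   secedit /export /areas USER_RIGHTS /cfg rights.inf
# writes on a machine; the domain SIDs are made up.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Test-LogonRestriction {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,   # lines of the exported INF
        [Parameter(Mandatory)] [string]   $GroupSid    # SID of the group from step 1
    )
    $adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $rights = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
            # Entries are comma separated; resolved accounts appear as *SID
            $rights[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    # Step 5 sets SeNetworkLogonRight, step 6 sets SeInteractiveLogonRight
    foreach ($right in 'SeNetworkLogonRight', 'SeInteractiveLogonRight') {
        $holders = @(if ($rights.ContainsKey($right)) { $rights[$right] })
        [pscustomobject]@{
            Right         = $right
            GroupPresent  = $holders -contains $GroupSid
            AdminsPresent = $holders -contains $adminsSid
            Unexpected    = @($holders | Where-Object { $_ -notin $GroupSid, $adminsSid }) -join ', '
        }
    }
}

Test-LogonRestriction -InfLines ($sampleInf -split "`r?`n") `
    -GroupSid 'S-1-5-21-1111111111-2222222222-3333333333-1105' | Format-Table -AutoSize
```

On a real machine, pass `Get-Content rights.inf` as `-InfLines`; a row with AdminsPresent set to False for SeInteractiveLogonRight is the lockout condition that step 6 warns about.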


Workaround for the “The network folder specified is currently mapped using a different user name and password” error

Some people make use of the “Connect using different credentials” feature when working with different permissions is required.

It seems that this can sometimes result in the error message “The network folder specified is currently mapped using a different user name and password”. The message can occur even when this is not the case!

Microsoft state that this behaviour is by design and provide a workaround.

“Use the IP address of the remote server when you try to connect to the network share”

This does seem to work but requires that you know the IP address of the server you are connecting to. This can easily be found out using the command:

Ping servername

Fix the Windows Explorer Navigation pane in Windows 7

This may not be news to many but I’ve only just found this out so thought I would share on the Blog. For some reason I cannot fathom Microsoft decided to change the behaviour of Windows Explorer in Windows 7 to not expand folders in the Navigation pane.

The way I work means this is a massive pain for me so I was happy when I found out how to fix this:

In folder options you can check “Show all folders” and “Automatically expand to current folder”

Problem Solved!

‘Source Path Too Long’ error when using Shadow Copy Service

When using Shadow Copy Service (also known as “Previous Versions”) to restore or copy a file you may receive an error which states ‘Source Path Too Long’.

Error

This is due to a limitation of the Windows File System. In Windows the maximum length for a path is defined as 260 characters, for example “H:\some 256-character path string”. Programs which break this limitation can cause this and other problems on clients and servers.

Workaround

In order to restore files and folders where this error occurs you need to map a Network drive to the location to shorten the path. This changes a long path to a short one allowing the restore to take place.

So a long path like

\\campus\dept\mydeparmtnet\management\management reports\trial system\pre-adoption \Research and development with no reponse\reports\2010

Becomes

X:\2010\

The restore can then be performed as usual.

Patching ProLiant Firmware & Software with HPSUM (HP Smart Update Manager) on Windows Systems

This will hopefully be of help to people using HP ProLiant servers who want to quickly patch their firmware and software to the very latest versions.

ProLiant Support Packs (PSP) represent operating system (OS) specific bundles of ProLiant optimized drivers, utilities, and management agents. These bundles of software are tested together to ensure proper installation and functionality.

This means that the ProLiant Support Packs will not necessarily contain the latest versions, just a baseline tested combination, and that the software\firmware in use could still be vulnerable or lack the updated functionality in later versions.

It’s possible (and painful) to install updates via the System Management Homepage but this requires lots of restarts and lots of waiting around. The easiest method is to use HPSUM (HP Smart Update Manager) which ships as part of the ProLiant Support Pack but has the ability to download the very latest Firmware and Patches from HP as part of the update process.
Here is how to do it:

1. Extract the ProLiant Support Pack

2. Locate and run setup.exe. This will start the Windows GUI (there is also a command line version setupc.exe for Windows Server Core)

3. Select the Check ftp.hp.com option and set ‘Type of updates to use’ to ‘Both’.

4. Select ‘Start Inventory’

5. If asked for permission to download from HP.com select yes.

6. At the next screen select Local Host > Next

7. At the next screen it is important to select the currently installed ProLiant Support Pack and ‘ALLOW NON-BUNDLE PRODUCTS’ and ‘ALLOW NON-BUNDLE VERSIONS’. If these options are not checked, components will not be updated above the level of the currently installed Support Pack.

8. At the next screen you will see all of the very latest updates available. Select the ones you want and hit install. Restarts are optional but some components will not update until after the next restart.

Free e-book: Introducing Windows Server 2008 R2

All you need is a Windows Live ID.

Free e-book offer from Microsoft Press: Introducing Windows Server 2008 R2
Learn about the features of Windows Server 2008 R2 in the areas of virtualization, management, the web application platform, scalability and reliability, and interoperability with Windows 7. Sign in to download Introducing Windows Server 2008 R2, written by industry experts Charlie Russel and Craig Zacker along with the Windows Server team at Microsoft.

http://www.microsoft.com/…dowsserver.aspx

Delegating Group Policy Objects

A common issue which we hear about is IT Staff who manage delegated Organisational Units (OU) in the Active Directory not being able to edit Group Policy Objects (GPOs) created by other members of their team or people who have left the University.

When a GPO is created, the creator (along with some other built-in Security Principals) is assigned rights to edit settings, delete or modify security. No one else will have these rights until they are assigned them. As with nearly all cases when working with Active Directory, the best way to do this is via Group membership.

Every OU we delegate has an Admin Group associated with it, for example ISS OU Admin Group, and this is the one you should use. If you are not sure what yours is called, search for your s-id in Active Directory and select the ‘Member of’ tab from its properties. Once you know the name of your group you can delegate your GPOs.

Steps to Delegate GPOs

1. From within the GPMC (Group Policy Management Console) Select the Delegation Tab

2. Select the Add button from the bottom of the screen.

3. Add your OU Admin Group Name and select OK.

5. Select ‘Edit settings, delete, modify security’ and select OK.

6. Now all members of your OU Admin Group can edit the GPO
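
The same delegation scripted with the GroupPolicy PowerShell module, as an added example that is not part of the original post: it lists the GPOs linked directly to an OU, shows what the OU Admin Group currently holds on each, and grants ‘Edit settings, delete, modify security’ where it is missing. The function name and the OU distinguished name are placeholders chosen for illustration.

```powershell
# Added example; needs the GroupPolicy module (GPMC/RSAT) and a domain account
# that already has rights on the GPOs. The OU DN below is a placeholder.
Import-Module GroupPolicy

function Grant-OuAdminGpoEdit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $OuDn,        # DN of the delegated OU
        [Parameter(Mandatory)] [string] $AdminGroup   # the OU Admin Group
    )
    $wanted = 'GpoEditDeleteModifySecurity'   # "Edit settings, delete, modify security"
    # Only GPOs linked directly to this OU are examined, not inherited ones.
    foreach ($link in (Get-GPInheritance -Target $OuDn).GpoLinks) {
        try {
            $perm = Get-GPPermission -Guid $link.GpoId -TargetName $AdminGroup `
                        -TargetType Group -ErrorAction Stop
            $before = [string]$perm.Permission
        } catch {
            $before = 'None'   # no entry for the group (or the lookup failed)
        }
        $changed = $false
        if ($before -ne $wanted -and
            $PSCmdlet.ShouldProcess($link.DisplayName, "Grant $wanted to $AdminGroup")) {
            Set-GPPermission -Guid $link.GpoId -TargetName $AdminGroup `
                -TargetType Group -PermissionLevel $wanted | Out-Null
            $changed = $true
        }
        [pscustomobject]@{ Gpo = $link.DisplayName; Before = $before; Changed = $changed }
    }
}

# Report only: -WhatIf lists what would change without touching any GPO.
Grant-OuAdminGpoEdit -OuDn 'OU=ISS,DC=example,DC=org' -AdminGroup 'ISS OU Admin Group' -WhatIf
```

A GPO linked to this OU may also be linked elsewhere, so review the -WhatIf output before running it without that switch.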