About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold a number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup). http://twitter.com/JamesAPocock

Active Directory Users and Computers Tip (View > Advanced Features)

When using the ADUC console, select View > Advanced Features. Once selected, hidden containers, tabs and attributes can be seen when viewing an object's properties. Most useful is the ‘Object’ tab, which allows the ‘Protect Object from Accidental Deletion’ flag to be set and also displays the full path of the object, which can be useful when locating Computers in the AD.

Object Tab

Microsoft Removes Hardware Virtualization Requirement from XP Mode

Nearly missed this. The news is a few weeks old but here goes:

From Paul Thurrott’s SuperSite Blog 18/3/10

Although I’m pretty sure it’s Windows Virtual PC that had required hardware virtualization support, and not XP Mode. XP Mode, of course, requires Windows Virtual PC and Windows 7 Professional or higher. Anyway, semantics aside, here’s the news from Microsoft:

We’re announcing an update to Windows XP Mode today that will make it more accessible to PCs in small and midsize businesses who want to migrate to Windows 7 Professional but have applications that still require Windows XP. Windows XP Mode will no longer require hardware virtualization technology to run. This change makes it extremely easy for businesses to use Windows XP Mode to address any application incompatibility roadblocks they might have in migrating to Windows 7. Windows XP Mode will of course continue to use hardware virtualization technology such as Intel VT (Intel Virtualization Technology) or AMD-V if available. You can find more information here

Security Principals, ACE, ACLs, DACLs, and SACLs

As a follow-up to an earlier post I made on Advanced NTFS Permissions, I thought I’d post some notes I made recently on Security Principals, ACE, ACLs, DACLs, and SACLs.

Security Principals

A security principal is an entity that can be authenticated by the system, such as a user account, a computer account, a thread or process that runs in the security context of a user or computer account, or a security group of these accounts. The important thing to remember is that each principal is automatically assigned a security identifier (SID) when it is created and that these are unique. This is why a domain computer cannot access domain resources if its account is deleted, even when a new account with the same name exists.

Access Control Entry (ACE)

An Access Control Entry (ACE) is an element in an access control list (see below). Each ACE controls or monitors access to an object. We see the ACEs when we look at the list of security principals which have access, shown on the Security tab of an object.

Access Control Lists (ACL)

Broadly speaking, ACLs are the lists of security principals (users, groups and computers) that have access to an object. There are two types of ACL: the DACL and the SACL.

Discretionary access control lists (DACLs).

DACLs identify the users and groups that are assigned or denied access permissions on an object. If a DACL does not explicitly identify a security principal, that principal will be denied access to the object.

System access control lists (SACLs).

SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object. Auditing is used to monitor events related to system or network security. A SACL can be found by selecting the Advanced button in the Security settings of an object and selecting the Auditing tab.
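
The DACL and SACL described above can be read with the built-in Get-Acl cmdlet, which returns each ACE with its principal, type and rights. This is an added example, not one of the original post's snippets; Get-AceReport and Resolve-Sid are hypothetical helper names, the target path is an assumption, and the rights shown are file-system rights only.

```powershell
# Added example: enumerate the ACEs in a file-system object's DACL and SACL.
function Resolve-Sid {
    param([System.Security.Principal.IdentityReference] $Identity)
    # An ACE stores a SID, not a name. When the SID no longer maps to an
    # account (for example the account was deleted), Principal below is
    # shown as the bare SID.
    try   { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { '<unresolved>' }
}

function Get-AceReport {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $IncludeAudit   # reading the SACL requires an elevated session
    )
    # -Audit asks Get-Acl to load the SACL as well as the DACL.
    $acl = Get-Acl -Path $Path -Audit:$IncludeAudit

    # DACL: one ACE per rule, granting (Allow) or refusing (Deny) rights.
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            List      = 'DACL'
            Principal = $ace.IdentityReference.Value
            Sid       = Resolve-Sid $ace.IdentityReference
            Type      = [string]$ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    # SACL: one ACE per rule, saying which access attempts are audited.
    if ($IncludeAudit) {
        foreach ($ace in $acl.Audit) {
            [pscustomobject]@{
                List      = 'SACL'
                Principal = $ace.IdentityReference.Value
                Sid       = Resolve-Sid $ace.IdentityReference
                Type      = [string]$ace.AuditFlags
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Assumed target: the Windows directory, which exists on any Windows host.
Get-AceReport -Path $env:SystemRoot | Format-Table -AutoSize
```

Add -IncludeAudit from an elevated session to list the auditing entries as well.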


Must have Powershell snippets

Over the last few months my colleague Jon has been providing me with some very useful PowerShell snippets which I thought I’d share. A number of them require the Quest ActiveRoles Management Shell for Active Directory.

Display Group memberships for a user.

(Get-QADUser username).MemberOf

Display the members of an Active Directory Group

Get-QADGroupMember "Groupname" | ft name,displayname -a

Bulk remove machines from Windows DNS

The text file contains a list of NetBIOS machine names.

gc computers.txt | %{dnscmd dnsservername /RecordDelete campus.ncl.ac.uk "$_" A}

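Recurse through a directory structure and delete all files with a creation date more than 90 days old.

The text file contains a list of UNC paths. The -whatif switch makes the command report what would be deleted without deleting anything; remove it to perform the deletion.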

GC filecontainingpaths.txt | %{dir $_ -recurse | ?{!$_.psiscontainer -and $_.creationtime -lt ((get-date).adddays(-90))} | del -whatif}

Windows 7 / Windows Server 2008 R2: RemoteApp and Desktop Connection

If you are testing Windows 7 and are a user of one of the ISS Remote Desktop Services Servers, you can import all of the applications available to you directly to your Start Menu by following these instructions:

1. Navigate to Control Panel\All Control Panel Items\RemoteApp and Desktop Connections on the Start Menu.

2. Select ‘Set up a new connection with RemoteApp and Desktop Connections’.

3. In the Connection URL box, type https://servername.ncl.ac.uk/RDWeb/feed/webfeed.aspx

4. Acknowledge the messages at the next 2 screens.

5. You will receive confirmation that the connection has been set up.

The applications will now be visible under: Start Menu > Programs > RemoteApp and Desktop Connections

Installing and Configuring Windows XP Mode for Windows 7 (XPM)

Although Windows 7 has several built-in tools to help with application compatibility, and Windows XP applications should be installed directly on Windows 7, Windows XP Mode runs some older productivity applications that may not otherwise run on Windows 7.

XP Mode consists of the Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3 (SP3). XPM does not require you to run the virtual environment as a separate Windows desktop. Instead, as you install applications inside the virtual XP environment, they are published to the host (Windows 7) OS as well. (With shortcuts placed in the Start Menu.) That way, users can run Windows XP-based applications (like IE 6) alongside Windows 7 applications under a single desktop.

Note: If you have an older version of Windows Virtual PC e.g. 2007 you will need to uninstall it first.

Install and configure XPM

1. Two installations are required: a special version of Virtual PC and the XP Mode install file itself. These can be found on the Microsoft website or at \\campus\software\iss\Publix\XPMode. There are x86 and x64 versions available. Install the MSU file first and then the Windows XP Mode installer.

2. Restart the machine.

3. Once the machine has restarted with Windows XP Mode installed, click the Windows 7 Start button, then select All Programs > Windows Virtual PC > Windows XP Mode to begin configuration.

4. Accept the licence agreement and click Next.

5. Specify a password for the XPMUser account. This account is the default account that is used to run Windows XP Mode and the virtual applications you install in the virtual instance of Windows XP with SP3. If you do not want to enter the password each time you start Windows XP Mode, you can store the credentials.

Important: Any application that runs on the host in the context of the user logged on to the host can access the credentials stored for Windows XP Mode.

6. At the next screen turn on Automatic Updates.

7. The next screen displays a message about drive sharing. More information is available if required. You can then start setup. This can take some time.

8. When finished you will be presented with a Windows XP Desktop logged on as XPMUser.

9. At this point you can install applications on the XP PC and they will appear in the Windows 7 Start Menu.

10. To load the XP VM and install more applications simply select Windows XP Mode from the Start Menu.

Note: Applications installed in XPMode are published in Windows 7 under
Start Menu\Programs\Windows Virtual PC\Windows XP Mode Applications.

The contents of this folder are generated from the ‘All Users’ Start Menu folder in the XP VM, located at C:\Documents and Settings\All Users\Start Menu.
For example, creating a shortcut to IE6 in the XP VM All Users Start Menu folder creates a shortcut in Windows 7 called ‘Internet Explorer 6 (Windows XP Mode)’.

UPDATE: You may need to activate Hardware Virtualisation in the machine's BIOS for this to work. If you are planning on deploying XPM then make sure the machines fully support hardware virtualisation. Thanks to Chris Letts of ECLS for pointing this out.