Building a VMware Server

As I can never find them, here are some videos showing how to build/manage a virtual server as hosted by ISS.

Virtual machine access ILO/KVM type interface:
http://wit.ncl.ac.uk/vmware/videos/vSphere_Client_on_Innermind.htm

Installing VMware tools:
http://wit.ncl.ac.uk/vmware/videos/VMWare_Tools_Install.htm

WDS building a virtual machine:
http://wit.ncl.ac.uk/vmware/videos/RIS_Build_ESX_Virtual_Server.htm

Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)

Since the release of Windows 7 SP1, people who installed the Service Pack before installing the RSAT package have been unable to install RSAT afterwards (although if you installed RSAT before SP1 you were fine).

Microsoft have resolved this with the release of Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

How To: Restrict Machine Logon & Network Access to Members of an Active Directory Group

If you want to restrict machine logon and network access to members of an Active Directory group, you can do so using the following procedure:

  1. Create a group which contains the ids for the users who will be allowed access to the PCs in question.
  2. If necessary, create an organisational unit which contains the PCs that are to be restricted.
  3. Create a new group policy on the OU.
  4. Expand Computer Configuration…Windows Settings…Security Settings…Local Policies…User Rights Assignment.
  5. Double click Access This Computer From the Network and click on Add – add the newly created user group.
  6. Double click Logon Locally and click on Add – add the user group created at Step 1. Make sure you include the built-in Administrators group with this setting or you could lock yourself out of the machine!
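
The lock-out caveat in step 6 can be checked before the policy is linked to the OU. The PowerShell below is an added example, not part of the original post: it parses the `[Privilege Rights]` section of a security template and reports, for both rights set in steps 5 and 6, whether the allowed group and the built-in Administrators group are present. The sample template and the group SID ending in -1601 are constructed; entries are compared as written (SIDs with a leading `*`, names are not resolved), and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Input: the lines of a GPO's GptTmpl.inf, or of the file written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
$AdminsSid = '*S-1-5-32-544'    # well-known SID of BUILTIN\Administrators

function Get-PrivilegeRights {
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights assignments
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LogonRights {
    param([string[]]$Lines, [string]$AllowedGroupSid)
    $rights = Get-PrivilegeRights -Lines $Lines
    # Step 5 = SeNetworkLogonRight, step 6 = SeInteractiveLogonRight
    foreach ($right in 'SeNetworkLogonRight', 'SeInteractiveLogonRight') {
        $defined = $rights.ContainsKey($right)
        $members = @(if ($defined) { $rights[$right] })
        [pscustomobject]@{
            Right             = $right
            Defined           = $defined    # False: the policy leaves this right alone
            HasAllowedGroup   = $members -contains $AllowedGroupSid
            HasAdministrators = $members -contains $AdminsSid
            OtherEntries      = @($members | Where-Object { $_ -notin $AdminsSid, $AllowedGroupSid }) -join ', '
        }
    }
}

# Constructed sample: Administrators was left out of the local logon right
$group  = '*S-1-5-21-1111111111-2222222222-3333333333-1601'
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1601
'@ -split '\r?\n'

Test-LogonRights -Lines $sample -AllowedGroupSid $group | Format-Table -AutoSize
```

A row with Defined true and HasAdministrators false for SeInteractiveLogonRight is the lock-out condition step 6 warns about.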


Useful Utils

A few useful utils I’ve come across recently

Sandboxie – runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. http://www.sandboxie.com/

MagicDisk – a free alternative to Daemon Tools for mounting ISO images as disks – http://www.magiciso.com/tutorials/miso-magicdisc-overview.htm

EasyBCD – a free tool to manipulate Windows boot menus – http://neosmart.net/dl.php?id=1

Dave

Delegating Group Policy Objects

A common issue which we hear about is IT Staff who manage delegated Organisational Units (OU) in the Active Directory not being able to edit Group Policy Objects (GPOs) created by other members of their team or people who have left the University.

When a GPO is created, the creator (along with some other built-in security principals) is assigned the rights to edit settings, delete and modify security. No one else will have these rights until they are assigned them. As with nearly all cases when working with Active Directory, the best way to do this is via group membership.

Every OU we delegate has an Admin Group associated with it, for example ISS OU Admin Group, and this is the one you should use. If you are not sure what yours is called, search for your s-id in Active Directory and select the ‘Member of’ tab from its properties. Once you know the name of your group you can delegate your GPOs.

Steps to Delegate GPOs

1. From within the GPMC (Group Policy Management Console) Select the Delegation Tab

2. Select the Add button from the bottom of the screen.

3. Add your OU Admin Group Name and select OK.

5. Select ‘Edit settings, delete, modify security’ and select OK.

6. Now all members of your OU Admin Group can edit the GPO

Active Directory Users and Computers Tip (View > Advanced Features)

When using the ADUC console, select View > Advanced Features. Once selected, hidden containers, tabs and attributes can be seen when viewing an object’s properties. Most useful is the ‘Object’ tab, which allows the ‘Protect Object from Accidental Deletion’ flag to be set and also displays the full path of the object, which can be useful when locating Computers in the AD.

Object Tab