
Mar 29, 2015

Mohamed Longley

WIN.MIT.EDU Tips and Tricks

- Joining machines
- Roaming Profiles
- Folder Redirection
- Desktop Sync
- Previous Versions
- Group Policy Management Tools
- Single Sign-on vs. a WIN password
- Printing
- Laptop Support
- Server Security Recommendations
- MIT Windows Updates
- Server 2008 support
- Vista RDP sessions
- PXE boot for OS install


Joining a machine: http://web.mit.edu/win/join.html

One-time considerations for new hosts and users:
- Is there a Moira record for the machine which has propagated to the MITnet DNS?
- Has the machine been assigned to a container? (Stella)
- Is your Kerberos password up-to-date?

General instructions:
- If reinstalling or rejoining, use the web form located on the Domain Machine Management page to delete the old machine account.
- Remove existing McAfee antivirus software.
- Verify correct IP and DNS settings, join the machine to the domain and reboot.
- If no packages are downloaded, reboot a second time due to the XP fast boot default.

Using the "tempjoin" Account: Regular user accounts in WIN do not have rights to create new machine accounts, a requirement when joining a machine or using RIS. The web form requires MIT certificates. It creates a Windows account with your username, followed by ".tempjoin". A temporary password, which is valid for 48 hours, is displayed on the screen. This is the appropriate username and password to use while joining the machine to the domain or authenticating to the RIS server.


Moira Tools: Stella – machine management

One-time Assignment of the Machine to a Container

In order for a machine to get group policies and MSI packages it requires to function properly in the domain, it must be assigned, in Moira, to a container that is within the "Machines" container in AD. If there is no assignment, the machine will appear in the "Orphans/Machines" container, and not get the group policy objects it needs.

You can use the stella command to assign the container: stella hostname -lcn lists the container if one has been assigned, the -dcn option removes an existing machine-to-container assignment, and -acn adds one. Perhaps this query is a good candidate for a future web application.

If a machine needs to be reinstalled or replaced, the Moira container mapping does not have to be deleted. Only the AD machine account needs to be deleted via the web form.

To check if a host already has been assigned to a container use the -lcn option:

stella my-machine -lcn
Machine: my-machine Container: Machines/my-container

If the machine has not been assigned to a container, you will not get any output from the command.

To assign the machine to a container use the -acn option: stella my-machine -acn Machines/my-container

If the machine already has been assigned to a container, but you wish to move it to another one, you must first delete the old container assignment using the -dcn option, then assign it to the new container with -acn:

stella my-machine -dcn Machines/my-container
stella my-machine -acn Machines/my-other-container
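The move procedure above (delete the old assignment with -dcn, then add the new one with -acn, and treat empty -lcn output as "unassigned") can be wrapped so the steps are never run out of order. The following Python is an added example, not a WIN.MIT.EDU or Moira tool; it assumes the stella output format shown above, that stella is on the PATH when run for real, and it refuses targets outside the "Machines" container because such a host would end up in Orphans/Machines without its group policy. FakeStella is a constructed stand-in so the flow can be exercised without the Athena tools.

```python
import re
import subprocess

# Output format of `stella host -lcn` as shown above, e.g.
#   Machine: my-machine Container: Machines/my-container
STELLA_LCN = re.compile(r"Machine:\s*(\S+)\s+Container:\s*(\S+)")


def current_container(lcn_output):
    """Return the container a host is assigned to, or None when -lcn printed nothing."""
    match = STELLA_LCN.search(lcn_output or "")
    return match.group(2) if match else None


def plan_container_move(host, lcn_output, target):
    """Return the stella commands (argv lists) needed to put host into target.

    An existing assignment must be removed with -dcn before -acn is used; a
    host already in target needs no change.  Targets outside "Machines/" are
    refused, since a host there would not receive the domain's group policies.
    """
    if not target.startswith("Machines/"):
        raise ValueError(f"container must be under Machines/: {target}")
    current = current_container(lcn_output)
    if current == target:
        return []
    commands = []
    if current is not None:
        commands.append(["stella", host, "-dcn", current])
    commands.append(["stella", host, "-acn", target])
    return commands


def _run_stella(argv):
    """Default runner: execute stella and return its stdout (requires the Athena tools)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def move_container(host, target, run=_run_stella):
    """Query the current assignment, then apply the planned commands through run()."""
    plan = plan_container_move(host, run(["stella", host, "-lcn"]), target)
    for argv in plan:
        run(argv)
    return plan


class FakeStella:
    """Constructed stand-in for stella so the flow can be exercised offline."""

    def __init__(self, container):
        self.container = container   # None models a host with no assignment
        self.calls = []

    def __call__(self, argv):
        self.calls.append(argv)
        _, host, option, *args = argv
        if option == "-lcn":
            return f"Machine: {host} Container: {self.container}\n" if self.container else ""
        if option == "-dcn":
            self.container = None
        elif option == "-acn":
            self.container = args[0]
        return ""
```

Run move_container("my-machine", "Machines/my-other-container") on a machine with stella installed to apply the move; pass a FakeStella as run= to see the planned commands without touching Moira.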


Profile and Home directories: Don’t fill the desktop!

- Default is a roaming profile in DFS
- .winprofile (or .winprofile.V2) is created in the user's DFS home directory
- Copied to the local drive at logon
- NTFS user quotas
- Configurable via web form

!!! Desktop Folder is Roaming. Don't store large files there! Store them in My Documents !!! Large files on the desktop will cause your machine to take a very long time to log in or log out.

Drive H: is mapped to the user's DFS home directory
- Currently 2 GB user quota by default
- Previous Versions support. This is a self-service feature where users can retrieve old versions of files and folders up to 64 days back
- Accessed over the network as needed
- Used for folder redirection of the Windows home directory
- The H:\WinData directory is created in DFS for redirected user data to minimize the amount of data that is copied at logon and logoff: My Documents, Application Data, Favorites


Roaming Profiles and Desktop Sync

Vista roaming profiles are not compatible with XP profiles. Microsoft added code in Vista to create a new profile directory in the user's home directory with a .V2 extension:
- XP: H:\.winprofile
- Vista: H:\.winprofile.V2
- Each profile has its own desktop folder: e.g., XP's is H:\.winprofile\desktop
- If you have certificates in your XP profile, you will still need to get them separately for Vista

Desktop-Sync: In order to preserve consistency of the desktop files and shortcuts for users logging into both XP and Vista machines, WIN.MIT.EDU synchronizes the desktop folders of both profiles when a user logs on:
- Files saved to an XP desktop will appear on the Vista desktop.
- Files saved to a Vista desktop will appear on the XP desktop.
- If a file is updated on one of the desktops, the other desktop will receive the updated version at the next user logon regardless of which OS they log on to.

Important! A cached roaming profile may only be deleted via the System control panel. If the files are deleted manually, the roaming profile will fail to load. To fix this, the relevant registry keys will have to be deleted from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
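The three sync rules above (copy XP-only files to Vista, copy Vista-only files to XP, and let the newer copy win when both exist) amount to a two-way merge keyed on modification time. The Python below is an added illustration of that merge, not the WIN.MIT.EDU logon script, whose actual implementation the slides do not show; it assumes "newer" means the later filesystem mtime, ignores subdirectories, and builds its two desktop folders in a temporary directory as constructed sample input.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def sync_desktops(xp_desktop, vista_desktop):
    """Two-way sync of two desktop folders: the newer copy of each file wins.

    Files missing on one side are copied over; files present on both sides are
    compared by modification time and the newer one replaces the older.
    Returns the (source, destination) pairs that were copied.
    """
    xp, vista = Path(xp_desktop), Path(vista_desktop)
    names = {p.name for p in xp.iterdir() if p.is_file()}
    names |= {p.name for p in vista.iterdir() if p.is_file()}
    copied = []
    for name in sorted(names):
        a, b = xp / name, vista / name
        if not a.exists():
            src, dst = b, a                      # Vista-only file -> XP desktop
        elif not b.exists():
            src, dst = a, b                      # XP-only file -> Vista desktop
        else:
            ma, mb = a.stat().st_mtime, b.stat().st_mtime
            if ma == mb:
                continue                         # already in sync
            src, dst = (a, b) if ma > mb else (b, a)
        shutil.copy2(src, dst)                   # copy2 keeps mtime, so the next run sees them as equal
        copied.append((str(src), str(dst)))
    return copied


def demo():
    """Build two constructed desktop folders, sync them, and return the final contents."""
    root = Path(tempfile.mkdtemp())
    xp = root / ".winprofile" / "desktop"        # layout modelled on H:\.winprofile\desktop
    vista = root / ".winprofile.V2" / "Desktop"
    xp.mkdir(parents=True)
    vista.mkdir(parents=True)
    (xp / "notes.txt").write_text("xp only")
    (vista / "link.url").write_text("vista only")
    (xp / "shared.txt").write_text("old")        # same file on both sides, XP copy is an hour older
    (vista / "shared.txt").write_text("new")
    hour_ago = time.time() - 3600
    os.utime(xp / "shared.txt", (hour_ago, hour_ago))
    sync_desktops(xp, vista)
    result = {
        "xp": {p.name: p.read_text() for p in sorted(xp.iterdir())},
        "vista": {p.name: p.read_text() for p in sorted(vista.iterdir())},
    }
    shutil.rmtree(root)
    return result
```

After demo() both folders hold notes.txt, link.url and the newer "new" version of shared.txt.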

Upgrades: If a machine is upgraded to Vista, the upgraded cached copy of a roaming profile should be copied to a new folder via the system control panel and not used (more about this in the folder redirection topic).

A local logon should be used for the upgrade and immediately after the upgrade to rename the old cached profile.

Upgraded versions of non-roaming profiles can be preserved and do not need to be modified.


Folder Redirection

By default, all users and machines use both roaming profiles and folder redirection.

Computers download the default user profile from a DFS share.

For the Windows XP environment, WIN.MIT.EDU redirects the following folders:
- Application Data = H:\WinData\Application Data
- My Documents = %HOMESHARE%\WinData\My Documents
- My Pictures = %HOMESHARE%\WinData\My Documents\My Pictures
- Favorites = %HOMESHARE%\WinData\Favorites

%HOMESHARE% is the location of the user's home directory as specified by the user account properties in Active Directory. These properties are managed by Moira and can be modified via the change profile options webform.

Machines opted into the disconnected operations laptop policy map H: to the local user profile in C:\Documents and Settings instead of the user's DFS home directory. These machines do not use roaming profiles.

Users who used the change profile options webform to set their account to local profiles and no folder redirection see similar behavior to those who use machines covered under the laptop policy.


Windows Vista: User Files Directory View

The user’s files folder is a programmatically merged view of the local cached profile and the redirected folders.

It’s possible to view duplicate entries if a directory exists in each location.

We reported this to Microsoft, but no action was taken to remediate the issue.

We implemented our own workaround to the user file view issue: the default domain Vista roaming profile, which is the source for the cached profiles, has the redirected folders removed. Users in the domain who use a local profile, either on a desktop by opting out of roaming profiles or on a computer opted into disconnected operation (laptop policy), have the removed directories recreated at logon when the profile is first created.

New logon scripts include logic to detect whether the user is roaming or not and create the directories if they do not exist.


Previous Versions

Uses VSS: Windows Server 2003 Shadow Copy services for user home directories
- Point-in-time copies of files. View, copy or restore files and folders as they existed at points of time in the past.
- Recover files that were accidentally deleted or overwritten. Compare versions of a file while working. Self-service file restore capability for the end user.
- Snapshots are made every day at 4 AM. Versions of up to 64 days are available.
- Shadow copies are read-only. You cannot edit the contents of a shadow copy.


Container maintenance: Group Policy Management Tools

Group Policy Management Console – gpmc.msc: Preferred GP management tool. An add-on MSI for XP, installed by default on Vista. There is also an add-on MSU for Vista with updated tools for administration of Server 2008. View GPO settings and permissions; can launch the GP editor.

Resultant Set of Policy – rsop.msc: Diagnostic tool to view how GP inheritance is working.

AD Users and Computers – dsa.msc: Views and info of containers and machines.

Group Policy Editor – gpedit.msc: Launched by gpmc or dsa; edit settings and a new Preferences section for Vista.

Gpupdate – command line utility: Refresh group policy.

GPFind – win.mit.edu command line script: Search by GPO name and launch the GP editor.


New: Preferences section
- New Server 2008 management tools available for Vista
- Many features that IS&T had to build custom tools for have now been built in by Microsoft
- Registry keys can be deployed here instead of using Regpoledit
- Scheduled tasks can be deployed via group policy as an alternative to Selfmaint
- Network and local printers can be deployed here instead of using the win.mit.edu custom settings
- Other new features: computer-based control panel settings such as power options, local accounts and folder options


User Logon and Single Sign-on

User accounts via the Moira incremental:
- A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal
- Profile and home directory options are written to the user's account data along with office location, phone and email
- A random 127-character password is generated and stored in the user properties in Active Directory so the password does not need to be propagated. Cross-realm authentication will verify the user's password directly from the MIT Kerberos KDCs.
- A Windows service exists to refresh the random passwords every 30 days
- Webform to set the user's Windows password to a known value for use with special applications where required
- ATHENA realm tickets are automatically acquired at logon

To log on to a Vista computer with a local account, enter machinename\username in the username field.


Web forms for users

Change your Kerberos password: https://wserv.mit.edu/fcgi-bin/cpw

Change your Active Directory password: https://wince.mit.edu/changepasswd/index.jsp
For users: under certain circumstances it might be necessary to set your native WIN domain password, but in most cases this is not necessary and it should only be used when needed.

Change profile and home directory options: https://wince.mit.edu/changeprofile/index.jsp
A user can change their default DFS roaming profile and home directory locations to a local profile and home directory or to a path on a departmental server.


Group Policy – win.mit.edu Printer settings

Microsoft did not have a machine-based group policy option to assign printers prior to Server 2003 R2/Windows Vista. When Windows 2000 was released, IS&T developed custom printer extensions for win.mit.edu. When Windows XP is closer to being phased out, we plan to phase out these custom settings. The new Microsoft settings are available today for Vista users.

IS&T is phasing out Kerberized printing; the KLPR packages are no longer being maintained. The KLPR packages do not support Windows Vista.

New Microsoft GP settings for Vista are available. Two types of printers may be assigned using the win.mit.edu extensions:

"KLPR" Printers: Queues that require Kerberos authentication
- Use the MIT Hesiod client installed on the machine for queue resolution
- Currently the KLP MSI is deployed by default
- There is an opt-in for the newer LPNG MSI
- There is a specific list of supported drivers; additional drivers can be added but in some cases are not compatible with the UNIX print queue
- An opt-out of all Kerberized printer clients is available

Network Printers: Standard Microsoft network printers assigned per machine
- Uses a standard UNC path name

Both options have the ability to assign a default printer to the machine.


Disconnected operation: Laptop support
- Requires opt-in of the machine or container via a web form
- Domain-wide scripts have internal checks for network-based operations: they test for RPC availability to win.mit.edu over port 445, and if there is no connectivity the operation is skipped.
- If a machine boots with no network connectivity, the user logs on using their domain account with cached credentials.
- Roaming profiles and folder redirection are disabled for disconnected users; by default all files are saved to the local disk.
- When using disconnected operations with Vista, drive H: will not be mapped to the local profile as in XP. If the machine is connected to MITnet at logon, the drive will be mapped to the network home directory specified in AD.
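The reachability check the domain scripts perform (a TCP test to win.mit.edu on port 445, skipping the network operation when it fails) is shown below as an added Python example; it is not IS&T's script, which the slides describe only in outline. It assumes a plain TCP connect with a short timeout is an adequate proxy for "RPC available", and its demo substitutes a constructed local listener on 127.0.0.1 for the domain server so the connected and disconnected paths can both be exercised offline.

```python
import socket
import threading


def network_reachable(host, port=445, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, timed out, DNS failure
        return False


def run_network_operation(host, operation, port=445, timeout=2.0):
    """Run operation() only when the file-service port is reachable.

    Returns (ran, result); ran is False and result is None when the host was
    unreachable and the operation was skipped, as on a disconnected logon.
    """
    if not network_reachable(host, port, timeout):
        return False, None
    return True, operation()


def _local_listener():
    """Start a throwaway listener on 127.0.0.1 standing in for the domain server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=accept_one, daemon=True).start()
    return port


def _unused_port():
    """Pick a port nothing listens on, to model a machine booted off the network."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Exercise both branches; the 'operation' here just returns a label."""
    connected = run_network_operation("127.0.0.1", lambda: "mapped H:", port=_local_listener())
    disconnected = run_network_operation("127.0.0.1", lambda: "mapped H:", port=_unused_port(), timeout=1.0)
    return connected, disconnected
```

In a real logon script the host would be win.mit.edu and the operation the drive mapping or profile copy; keeping the timeout short matters because a laptop off the network would otherwise hang at logon waiting for the connect to fail.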

(XP only): People using laptops that are frequently used remotely over a broadband connection should install the MIT VPN client.

(XP only): Note about Intel Proset Wireless management software: This software is currently packaged with many laptops, including those from Dell. We recommend that you uninstall this portion of the software via the add/remove programs control panel for use with disconnected operations within win.mit.edu. While it is possible to set this software to use the Microsoft client to manage wireless connections, this setting won’t be preserved across system reboots.

To log on or log off without the VPN, we currently recommend that the laptop not be connected to the home network until after the Windows logon, so the operating system understands it is doing a disconnected logon. This can be done by disconnecting a network cable, or using a function key to disable integrated wireless (F2 on most Dell laptops). This is because Windows detects network connectivity and attempts to authenticate with a domain controller. VPN logon can be started after reconnection to the network.

Vista users should disable IPV6 before using the MIT VPN client 5.0 or greater.


Server Security Recommendations: Common policies to implement for servers

Logon restrictions: Computer Configuration/Windows Settings/Security Settings/User Rights Assignment
- Allow logon through Terminal Services: generally restricted to the local Administrators group
- (Allow) Logon Locally: generally restricted to the local Administrators group, but sometimes a service account may require this right depending on the application
- Deny Logon through Terminal Services: it is recommended to deny the local Administrator account logon over Terminal Services. This way, the local Administrator account can only be used when physically in front of the machine. We already deny this account access to the machine over the network; this setting is a logical extension of the same precaution.
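The logon restrictions above can be checked against a server's effective policy rather than eyeballed in the editor. The Python below is an added example, not a WIN.MIT.EDU tool: it parses the [Privilege Rights] section of a `secedit /export /cfg <file>` INF export and reports where the three recommendations are not met. It assumes the export's `*SID` list syntax, the well-known SID S-1-5-32-544 for the local Administrators group and RID 500 for the local Administrator account; the two INF texts are constructed samples (a real export is UTF-16, so open it with encoding="utf-16").

```python
import configparser
import re

ADMINISTRATORS = "S-1-5-32-544"                                        # local Administrators group
BUILTIN_ADMIN_RID_500 = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")      # local Administrator account

# Constructed sample exports. BEFORE grants RDP to Remote Desktop Users (S-1-5-32-555),
# local logon to Backup Operators (S-1-5-32-551), and never denies RDP to RID 500.
BEFORE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
[Version]
signature="$CHICAGO$"
Revision=1
"""

AFTER = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: [SID or account name, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                      # keep privilege names case-sensitive
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def audit_logon_rights(inf_text):
    """Compare the logon-related user rights with the recommendations above."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    extra = [p for p in rights.get("SeRemoteInteractiveLogonRight", []) if p != ADMINISTRATORS]
    if extra:
        findings.append("Allow logon through Terminal Services granted beyond Administrators: " + ", ".join(extra))
    extra = [p for p in rights.get("SeInteractiveLogonRight", []) if p != ADMINISTRATORS]
    if extra:
        findings.append("Log on locally granted beyond Administrators (confirm each is a required service account): " + ", ".join(extra))
    if not any(BUILTIN_ADMIN_RID_500.match(p) for p in rights.get("SeDenyRemoteInteractiveLogonRight", [])):
        findings.append("local Administrator (RID 500) is not denied logon through Terminal Services")
    if not any(BUILTIN_ADMIN_RID_500.match(p) for p in rights.get("SeDenyNetworkLogonRight", [])):
        findings.append("local Administrator (RID 500) is not denied access from the network")
    return findings
```

Running audit_logon_rights on BEFORE yields three findings; on AFTER it yields none. Accounts that secedit could not resolve appear by name rather than SID and are reported as-is for manual review.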

Do not use groups or well-known security principals without understanding their scope:
- Authenticated Users, which includes both local and domain users, but not anonymous
- Local Users, which by default includes the Domain Users group

Always implement the Windows Firewall and only open necessary ports to relevant subnets. If possible, implement Microsoft IPsec.

Resource Management and Administration:
- Use NTFS ACLs, not share permissions, for more granular security
- Use one or two top-level shares and set NTFS ACLs on the sub-folders instead of creating many shares
- Avoid disabling inheritance, as it will tend to yield unexpected results if not well documented
- Avoid granting Full Control (which allows users to change permissions) over resources; use the Modify right
- Use local groups containing Moira groups, or at least Moira groups, on NTFS ACLs
- Do not assign NTFS permissions or rights to users directly; use group membership. When a user leaves the department, rights can be easily removed by removing their group memberships in Moira


Server 2003 and Security Recommendations: Using the MIT Windows Update Services

Options:
- Domain default – Option 4: auto download and auto install, any day @ 2:00 AM. Action – nothing. Usually good for simple file and print servers and simple web servers.
- Custom setting – Option 4: auto download and auto install on a custom schedule. Action – set Computer Settings/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 4: Auto download and notify for install, and set the custom schedule below.
- Custom setting – Option 3: auto download and notify for install. Action – set Computer Settings/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 3: Auto download and notify for install.

Do not set/reset the WSUS server name; this is already done. When using option 3, a balloon window notification will appear when new patches are available. Patch install can be run manually from this interface. If the administrator wishes, certain patches may be skipped using the client interface.
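The Configure Automatic Updates options above land in the registry as policy values, which makes it easy to confirm what a server will actually do. The Python below is an added example, not an IS&T tool; it assumes the documented Windows Update policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (AUOptions, ScheduledInstallDay, ScheduledInstallTime, NoAutoUpdate, and WUServer on the parent key) and decodes them into the option names used above, flagging a locally set WSUS server name since the slides say that is already done by the domain. DOMAIN_DEFAULT is a constructed dict matching the domain default; read_registry_policy() reads the live values only on Windows.

```python
import sys

# Values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AU_OPTIONS = {
    2: "Option 2: notify for download and notify for install",
    3: "Option 3: auto download and notify for install",
    4: "Option 4: auto download and auto install",
    5: "Option 5: automatic updates required, local administrators choose the settings",
}
# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
DEFAULT_HOUR = 3   # Windows' own default install hour when ScheduledInstallTime is absent

# Constructed: the domain default described above (option 4, any day, 2:00 AM)
DOMAIN_DEFAULT = {"AUOptions": 4, "ScheduledInstallDay": 0, "ScheduledInstallTime": 2}


def describe_au_policy(au_values):
    """Render AU policy values (a dict as read from the registry) in the terms used above."""
    if au_values.get("NoAutoUpdate") == 1:
        return "Automatic Updates disabled"
    option = au_values.get("AUOptions")
    text = AU_OPTIONS.get(option, f"unknown AUOptions value {option!r}")
    if option == 4:
        day = au_values.get("ScheduledInstallDay", 0)
        hour = au_values.get("ScheduledInstallTime", DEFAULT_HOUR)
        day_text = DAYS[day] if 0 <= day < len(DAYS) else f"invalid day {day}"
        text += f", {day_text} at {hour:02d}:00"
    return text


def check_au_policy(au_values, wu_values):
    """Flag settings that conflict with the recommendations above.

    au_values is the AU subkey; wu_values is the parent WindowsUpdate key,
    where a locally set WUServer/WUStatusServer would live.
    """
    findings = []
    if au_values.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: approved patches from WSUS will not be applied")
    if au_values.get("AUOptions") not in AU_OPTIONS:
        findings.append("AUOptions is missing or invalid; neither the domain default nor a custom option is in effect")
    if au_values.get("AUOptions") == 4:
        hour = au_values.get("ScheduledInstallTime", DEFAULT_HOUR)
        if not 0 <= hour <= 23:
            findings.append(f"ScheduledInstallTime {hour} is outside 0-23")
    if "WUServer" in wu_values or "WUStatusServer" in wu_values:
        findings.append("WUServer/WUStatusServer set locally; the WSUS server name is already set by the domain")
    return findings


def read_registry_policy():
    """On Windows, read both keys with winreg; elsewhere return empty dicts."""
    if sys.platform != "win32":
        return {}, {}
    import winreg

    def read_key(path):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:   # no more values
                        break
                    values[name] = data
                    index += 1
        except OSError:               # key absent: no local policy
            pass
        return values

    base = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    return read_key(base + r"\AU"), read_key(base)
```

On a server, `au, wu = read_registry_policy()` followed by describe_au_policy(au) and check_au_policy(au, wu) shows which of the three options is in effect and whether anything overrides the domain-supplied WSUS server.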

[Diagram: WSUS architecture – Microsoft (Internet), KMS hosting machines, F5 load balancers, WSUS servers]

Overview:
- Currently running Microsoft WSUS 3.0
- Internal repository of patches synchronized with Microsoft
- Only patches approved and tested by IS&T are available through WSUS
- Applied by default on all WIN.MIT.EDU machines – auto download and auto install


Windows Server 2008 support

Support in WIN.MIT.EDU:
- Computers running Server 2008 may be joined to Active Directory
- Support for OS groups has been added for software installation assignments
- Behavior of roaming profiles and folder redirection is the same as Vista
- The .winprofile.V2 directory used by Vista is also used by Server 2008

Disable IPv6: Like Vista, Server 2008 enables IPv6 by default. We recommend that IPv6 be turned off for network connections on MITnet.

Like Vista, requires activation: Vista uses DNS-based KMS activation for volume media for computers within MITnet. DNS-based activation will be integrated for Server 2008 during the Spring term. In the interim, activation may be done manually:

c:\windows\system32\slmgr.vbs -skms kms2008.mit.edu
c:\windows\system32\slmgr.vbs -ato


RIS: Remote Installation Services

Requirements:
- PXE support enabled for the subnet and in the computer BIOS
- A Moira record should exist for the machine and already be mapped to a container
- If reinstalling, the previous computer object in Active Directory must be removed
- Tempjoin credentials are used for the installation

Execution:
- Boot with the Network Boot option (using F12)
- Access to Windows XP images by default; there is an ACL for Server 2003 images
- Machines automatically join the domain

RIS Info:
- RIS will format and install the OS on the first physical disk
- Images exist for particular Dell and IBM models
- If a new model is commonly used, a new image can be requested
- Generic images exist as well that can be used for virtual machines
- WDS (Windows Deployment Services) will soon replace RIS. WDS will support Vista and Server 2008


Windows Vista: Connecting via Remote Desktop

Similar to disconnected operations, IS&T is awaiting a hotfix from Microsoft that will remove the requirement of using the UPN (user principal name, i.e. username@REALMNAME) format to connect via Remote Desktop.

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers

This issue was resolved when IS&T worked with Microsoft regarding XP SP1, and the fix was rolled into SP2. Unfortunately, this code was not ported to the Vista release and we are awaiting the Kerberos regression hotfixes from Microsoft to be re-released for Vista.

The Remote Desktop client will not store the UPN format when it makes connections to Vista machines the way it does to XP and 2003. We are reporting this behavior to Microsoft as well.

The Windows Aero interface cannot be displayed over Remote Desktop.


Looking forward for 2009

Continued deployment and enhancements to Altiris:
- Hardware and software inventory and asset management (current)
- Software deployment via task scheduling (planned)

WDS: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS enables the deployment of Microsoft Windows operating systems, particularly Windows Vista and Windows Server 2008.

McAfee ePolicy Orchestrator (ePO): ePO is an integrated management platform that manages the security needs of your client computers: web console, deployment of McAfee agents, DATs and McAfee products, configuration policy manager, reporting.