Week 13, December 3

   backups
   blocking software
   upside-downternet
   remote installation
   roaming home directory
   Administrative templates

Project: same as last time, but try to apply an admin template??
         Also, try to set up the home directory on H:

================================================
Shell variables to know about

   %USERNAME%      pld
   %USERPROFILE%   c:\Documents and Settings\pld
   %SYSTEMROOT%    C:\windows
   %LOGONSERVER%   \\valhal2  (or \\winserver01)

================================================
Roaming profile:

   * forgot to set server access (read-only by default)
   * forgot to set permissions on c:\homes:
        CREATOR OWNER has FULL CONTROL
        Everyone (or maybe Domain Users) must have "Create Folder" permission (special!!)
   * forgot that the account has to be NEW, with redirection set up before FIRST USE
   * Should have MENTIONED how "copy" works for a user: retains password defaults, roaming status

Demo: watch a user log on for the first time.
   Check c:\homes\%USERNAME%: it should be created, but empty.
   Open My Documents, and create a file there.
   Now log off, and then on again. See the changes.

   Profile path should be \\server\homedir\%USERNAME%

script example
   [We're not going to be doing anything with this add_roamer script in csed 430, but maybe in 431....]
Save as add_roamer.vbs
Run as:  cscript add_roamer.vbs labusers zane '\\winserver01\homes'

   ' add_roamer.vbs -- create a domain user whose profile roams from RoamerRoot\user
   ' usage: add_roamer OU user RoamerRoot
   Option Explicit
   Dim Args, ouName, usrName, RUProot, RUPpath, dse, domain, ou, usr

   Set Args = WScript.Arguments
   If Args.Count < 3 Then
       WScript.Echo "usage: add_roamer OU user RoamerRoot"
       WScript.Quit 1
   End If
   ouName  = Args(0)
   usrName = Args(1)
   RUProot = Args(2)
   RUPpath = RUProot & "\" & usrName

   ' Get the domain
   Set dse = GetObject("LDAP://RootDSE")
   Set domain = GetObject("LDAP://" & dse.Get("defaultNamingContext"))
   'WScript.Echo "dse: " & dse
   WScript.Echo "domain: " & domain.Name

   ' Find the OU (it must already exist) and create the user object in it
   Set ou = domain.GetObject("organizationalUnit", "OU=" & ouName)
   WScript.Echo "Creating user in " & ou.Name

   Set usr = ou.Create("user", "cn=" & usrName)
   usr.Put "sAMAccountName", usrName
   usr.Put "userPrincipalName", usrName     ' normally user@domain-suffix; kept bare as in class
   usr.Put "profilePath", RUPpath           ' this attribute is what makes the profile roam
   usr.SetInfo                              ' commit: the object must exist before a password can be set

   usr.SetPassword usrName                  ' initial password = user name (class convention)
   usr.AccountDisabled = False              ' new accounts are created disabled
   usr.SetInfo

   WScript.Echo " User " & usrName & " was created successfully in " & ou.Name & _
                " with a RUP Path of: " & RUPpath

====================================================
Backing up is hard to do (apologies to Neil Sedaka)

   Don't take my fi-iles away from me
   Don't you leave my disk in misery
   If they go then I'll be blue
   'Cause backing up is hard to do.

   1. Second disk drive
   2. Automated solutions
   3. Tape
   4. RAID

Real problems with backup:
   * add'l cost of hardware for tape
   * getting it AUTOMATED

An easy fix: diskA and diskB, with diskB about 2x as big as diskA.
Each weekend:

   rmdir /s /q diskB:\backup2          (del removes files, not a directory tree)
   ren diskB:\backup1 backup2          (ren wants the new NAME, not a full path)
   mkdir diskB:\backup1
   xcopy diskA:\ diskB:\backup1 /s /e /h    (/h picks up hidden and system files too)

Better: figure out how to write to a zip file:

   zip -r diskB:\backup.zip diskA:\homes     (Info-ZIP's recursion switch is -r)

ALWAYS CHECK THIS WITH AN OCCASIONAL RANDOM RESTORE!

===============================================
Blocking software

   see Peacefire.org
   * Keywords
   * Encrypted lists of sites

Yes, you're not policy makers; your school boards are. If you work for CPS, you're
a looong way from the board. However, there are lots of intermediate issues.
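================================================
Back to the backup section above: the weekend rotation plus the "occasional random
restore", written out as one scheduled script. This is an added example, not part of
the class notes or any vendor tool. It assumes D:\homes is the live tree (diskA) and
E:\backup is the backup root (diskB); change the two parameters to match.

```powershell
# rotate-backup.ps1 -- two-generation weekend backup with a spot-check restore.
# Added example (not from the class notes). Assumed paths: $Source is the homes
# tree on disk A, $Dest the backup root on disk B (about 2x the size of A).
param(
    [string]$Source     = 'D:\homes',
    [string]$Dest       = 'E:\backup',
    [int]   $SampleSize = 5              # how many random files to restore and verify
)

$gen1 = Join-Path $Dest 'backup1'        # newest generation
$gen2 = Join-Path $Dest 'backup2'        # previous generation

# 1. Rotate: drop the oldest generation, age the current one, start a fresh one.
if (Test-Path -LiteralPath $gen2) { Remove-Item -LiteralPath $gen2 -Recurse -Force }
if (Test-Path -LiteralPath $gen1) { Rename-Item -LiteralPath $gen1 -NewName 'backup2' }
New-Item -ItemType Directory -Path $gen1 | Out-Null

# 2. Copy. robocopy keeps the tree, timestamps and (with /COPY:DATS) the ACLs; /E
#    copies empty subfolders too. Exit codes below 8 mean "no failures".
& robocopy $Source $gen1 /E /COPY:DATS /R:1 /W:1 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE)" }

# 3. Spot-check: restore a few random files from the new generation to a scratch
#    folder and compare their hashes with the live copies. A backup that has never
#    been restored from is an assumption, not a backup.
$scratch = Join-Path $env:TEMP ('restore-check-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $scratch | Out-Null
$backedUp = @(Get-ChildItem -LiteralPath $gen1 -Recurse -File)
if ($backedUp.Count -eq 0) { throw "backup1 is empty -- the copy did not run" }
$sample = @($backedUp | Get-Random -Count ([Math]::Min($SampleSize, $backedUp.Count)))
$bad = 0
foreach ($f in $sample) {
    $rel      = $f.FullName.Substring($gen1.Length).TrimStart('\')
    $restored = Join-Path $scratch $rel
    New-Item -ItemType Directory -Path (Split-Path $restored) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $restored        # the "restore"
    $live      = Join-Path $Source $rel
    $hRestored = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
    $hLive     = (Get-FileHash -LiteralPath $live     -Algorithm SHA256).Hash
    if ($hRestored -ne $hLive) { $bad++; Write-Warning "restore mismatch: $rel" }
}
Remove-Item -LiteralPath $scratch -Recurse -Force
'{0} files backed up, {1} restored and checked, {2} mismatches' -f $backedUp.Count, $sample.Count, $bad
if ($bad -gt 0) { exit 1 }
```

Run it from Task Scheduler as an account that can read the whole homes tree, and
watch for a non-zero exit. A mismatch right after the copy usually means a file was
being edited while robocopy ran, which is itself worth knowing about; repeated
mismatches mean the backup cannot be trusted.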
But you should not think filtering "works", or that the filtered set of pages is
written in stone, or that filtering doesn't introduce a very significant bias, or
that it isn't easily bypassed by clever HS students with home broadband.

Question: is your goal to support GENERAL BROWSING by students? This includes
"topic research". If so, your filter is likely to get in the way. However, if
your goal is to allow access to specific sites for in-class demos, then that's
easier to implement.

Some specific issues:
   * anti-gay bias
        real problem: many sites with info on homosexuality ineluctably talk about sexuality.
   * conservative bias
        Probably because conservative groups pay more attention to "family values"
        and access restrictions.
   PeaceFire "hate speech" example

==============================================
BESS: from SecureComputing, formerly N2H2: runs on server

   Claim: they have people check each blocked site. FALSE
   Side effect: translators & redirectors must be blocked, too
   BESS and google

Microsoft ISA server 2004

   Issue 1: ISA Server turned off all network traffic
        Killed DNS, DCFS
        Best Practice: RUN ON ANOTHER MACHINE!!!
   ISA Server structure: review
        Single Network Adapter
        Edge Firewall
   Issue 2: move from Domain Controller (baaad choice for an ISA Server) to winserver03.

SecureComputing Architecture: BESS windows install guide, page 8

     User        AdminServer   ReportServer
       |  \           |             |
       |   \          |             |
       |   AuthServer |             |
       |        \     |             |
    Firewall     \    |             |
       or  -------- Filter Server ---------- LogServer
     Proxy            |
       |              |
       |              |
    Internet     CategoryServer (SecureComputing)

   Differences between Firewall and Proxy

Website for testing BESS entries: www.securecomputing.com/sfwhere/index.cfm

Bess admin demo: misc things
   keywords
   IP ranges
   create policies => Policies => Typical_School_filter => customize

Demo of upside-down-ternet and *web proxy* on ulam3, 10.38.2.67, port 3128

============================================================
Multiple DCs: how we deal with this

   All are "masters".
   All have a full copy of the AD database.
   There are some replication issues that have to be dealt with.
   This is where sites are handy, if you have DCs connected by a slow link.

============================================================
============================================================
Administrative Templates
============================================================

Look through the GPO settings for "show/hide extensions":
   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

Administrative Templates: *.adm -- a bunch of settings -- can be imported into a GPO

Here it is:

   CLASS USER
   CATEGORY "Hide File Extensions"
     POLICY "Hide file extensions"
       KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
       VALUENAME "HideFileExt"
       VALUEON NUMERIC 1
       VALUEOFF NUMERIC 0
     END POLICY
   END CATEGORY

To add:
   * edit some GPO
   * right-click on User Conf => Admin Templates, select Add/Remove Templates,
     then click the Add button
   * now, Hide File Extensions should be there.
     -- my simple example:
     -- need to change filtering!!!! click on the policy [?], menu: View => Filtering =>
        unclick "only show policy settings that can be fully managed"
        (this template writes outside the Policies keys, so the editor treats it as a
        "preference" and hides it by default; such a value is also not undone when the
        GPO no longer applies)
     -- look at how to enable or disable

Note that, using this approach, we can use GPO to set ANY registry entries.

==========================================
==============================================
==================================================================
Disk quotas

   * enable
   * set levels
   * edit specific users
        Try setting user "demo" to be low
   Then go over
   * remote admin: just mount the disk & make entries
        the disk must be shared from the root folder!

==================================================================
Remote installation (ie from the server) of windows itself

1. RIS (Remote Installation Services) can be used to install windows itself
   Alternatives:
   A. UnattendedInstall: from CD, for low bandwidth setups
   B. Sysprep: clean installations
        needs a 3rd-party cloning utility
   C.
      RIS: booting from the network is hard with wireless
           can create full OS + app suite

2. Windows Update & Automatic Updates
   WindowsUpdate is the web site
   AutomaticUpdates is the client-side automatic access thingie
   Enabling automatic updates from the server using GPO!!!
   Downloading & approving updates
   Will the laptops boot from the network??

===============================================================
Remote Installation of user software

   PUBLISH TO USER: allows the user to install via control panel
        got it to work with python
   ASSIGN TO USER: supposed to auto-install when the user next logs on and tries to use the software
   ASSIGN TO MACHINE: supposed to auto-install when the machine is next restarted
        Supposed to work; dunno what I did wrong....

Need:
   * access point
   * msi file
   * maybe you need a "pure" msi file with no options?
        installshield v msi
        windows installer  msiexec

To deploy software to remote computers:
   Open GPO Edit for the appropriate GPO
   To assign software to computers: click Computer Configuration
   Select the software from a network share

=============================================================
=============================================================
Adding a Backup Domain Controller

   run dcpromo /adv
   choose the options to create a new domain controller

=============================================================
1. Microsoft scripting (Windows Scripting Host, or WSH):
   .bat/.vbs/.vbe/.js is automatically recognized
   .vbe: .vbs encoded

2. Startup, Shutdown, Logon, Logoff
   Contexts:
      Startup, Shutdown: Local System
      Logon, Logoff:     user
   (Be sure to test scripts as an ordinary user!!!)
Domain User scripts v GPO scripts
   DU:  work with NT 4.0, can be individually created
   GPO: easy to implement
   GPO scripts run before DU scripts

Classic uses:
   Startup, Shutdown:
      software update (maybe)
      inventory
      statistics reporting
      backup (eg registry, event logs)
   Logon:
      mapping network drives
      mapping printers

Users generally expect to log on more or less immediately following a reboot;
lengthy startup scripts are unpopular and confusing.

Example logon script to map drive H:
   must have a pre-existing directory etc
   can we map My Documents to H:??? Try it and see!

==========
A Windows script is a text file. You can create a script with any text editor as
long as you save your script with a WSH-compatible script extension (.js, .vbs, or .wsf).

Scripts v Group Policy
   There *is* considerable overlap!
   GPOs are easier to write

Code to secure the screen-saver (vbs version)

   ' Turn on "On resume, password protect" for the current user by writing
   ' HKCU\Control Panel\Desktop\ScreenSaverIsSecure = "1" through the WMI registry provider.
   Option Explicit
   Const HKEY_CURRENT_USER = &H80000001
   Dim strComputer, objReg, strKeyPath, ValueName, strValue

   strComputer = "."                       ' local machine
   Set objReg = GetObject("winmgmts:\\" & strComputer & _
                          "\root\default:StdRegProv")

   strKeyPath = "Control Panel\Desktop"
   objReg.CreateKey HKEY_CURRENT_USER, strKeyPath     ' harmless if the key already exists
   ValueName = "ScreenSaverIsSecure"
   strValue = "1"                          ' the value is a REG_SZ, hence SetStringValue
   objReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue

Limitation: GPOs can only tweak registry settings, and failures are hard to track.
Logon scripts can often be defeated by unplugging the Ethernet cable.
Be wary of security enforcement this way!

Note: GPOs are *usually* related to security enforcement!
======================================================================
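======================================================================
The "example logon script to map drive H:" promised in the scripting section above,
as an added example rather than anything from the class notes. It assumes the share
layout used in class, \\winserver01\homes\<username>, with each user's folder already
created (the roaming-profile permissions on c:\homes take care of that) and a
PowerShell-capable client; it is meant to be assigned as a GPO logon script, which
runs in the user's context, so it only touches places an ordinary user can write.

```powershell
# map-home.ps1 -- logon script: map H: to the user's home folder on the server.
# Added example, not from the class notes. Assumed: \\winserver01\homes\<username>
# exists before first logon, as in the roaming-profile setup.
$server    = 'winserver01'
$homeShare = "\\$server\homes\$env:USERNAME"
$logFile   = Join-Path $env:TEMP 'logon-map.log'     # an ordinary user can write here

function Write-Log([string]$Message) {
    '{0} {1}\{2} {3}' -f (Get-Date -Format 's'), $env:USERDOMAIN, $env:USERNAME, $Message |
        Add-Content -LiteralPath $logFile
}

# Fail soft: if the server or the share cannot be reached, record that and let the
# logon finish rather than hang it. Nothing here is a security control; it is a
# convenience that is simply skipped when the network is absent.
if (-not (Test-Path -LiteralPath $homeShare)) {
    Write-Log "home folder $homeShare not reachable; H: not mapped"
    exit 0
}

# Remove a stale H: (e.g. a laptop that was last mapped somewhere else) before re-mapping.
if (Test-Path 'H:\') {
    & net use H: /delete /y | Out-Null
}

# -Persist makes a real mapped drive that Explorer and cmd.exe see, not just a
# PowerShell drive that disappears when this process ends.
New-PSDrive -Name H -PSProvider FileSystem -Root $homeShare -Persist -Scope Global | Out-Null
Write-Log "mapped H: -> $homeShare"
```

Assign it under User Configuration => Windows Settings => Scripts (Logon) in the GPO,
then test it as an ordinary user, both with the server up and with the share
unavailable, and read the log file afterwards to see which branch ran.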
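======================================================================
One answer to "failures are hard to track" for the Administrative Templates approach:
a script that reads the KEYNAME/VALUENAME/VALUEON/VALUEOFF lines out of an .adm file
and reports what the registry on the client actually holds for each policy. This is an
added example, not from the class notes or any Microsoft tool; with no argument it
audits the HideFileExt template from the Administrative Templates section, embedded
below, and it understands only the simple NUMERIC on/off policy shape that template uses.

```powershell
# check-adm-policy.ps1 -- compare the on/off values declared in an .adm template with
# the live registry on this machine. Added example (not from the class notes).
param([string]$AdmPath)        # optional: path to an .adm file; default is the class template

$admText = if ($AdmPath) { Get-Content -LiteralPath $AdmPath -Raw } else {
@'
CLASS USER
CATEGORY "Hide File Extensions"
  POLICY "Hide file extensions"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    VALUENAME "HideFileExt"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
'@
}

# One record per POLICY ... END POLICY block. ADM syntax is line oriented, so a
# line scan with anchored patterns is enough for templates of this shape.
$class    = 'USER'
$policies = @()
$cur      = $null
foreach ($line in ($admText -split "`r?`n")) {
    $t = $line.Trim()
    if     ($t -match '^CLASS\s+(USER|MACHINE)\b')    { $class = $Matches[1] }
    elseif ($t -match '^POLICY\s+"([^"]*)"')          { $cur = [ordered]@{ Name = $Matches[1]; Class = $class } }
    elseif ($null -eq $cur)                           { continue }
    elseif ($t -match '^KEYNAME\s+"([^"]*)"')         { $cur.Key       = $Matches[1] }
    elseif ($t -match '^VALUENAME\s+"([^"]*)"')       { $cur.ValueName = $Matches[1] }
    elseif ($t -match '^VALUEON\s+NUMERIC\s+(\d+)')   { $cur.On  = [int]$Matches[1] }
    elseif ($t -match '^VALUEOFF\s+NUMERIC\s+(\d+)')  { $cur.Off = [int]$Matches[1] }
    elseif ($t -match '^END\s+POLICY')                { $policies += [pscustomobject]$cur; $cur = $null }
}

# Compare each policy with the registry. CLASS USER policies land in HKCU, so run this
# AS THE USER after a logon that applied the GPO; CLASS MACHINE policies land in HKLM.
foreach ($p in $policies) {
    $hive   = if ($p.Class -eq 'USER') { 'HKCU:' } else { 'HKLM:' }
    $key    = $hive + '\' + $p.Key
    $actual = $null
    if (Test-Path -LiteralPath $key) {
        $item = Get-ItemProperty -LiteralPath $key -Name $p.ValueName -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($p.ValueName) }
    }
    if     ($null -eq $actual)   { $state = 'NOT SET (policy never applied, or value removed)' }
    elseif ($actual -eq $p.On)   { $state = 'ENABLED' }
    elseif ($actual -eq $p.Off)  { $state = 'DISABLED' }
    else                         { $state = "UNEXPECTED value $actual" }
    '{0}: {1}\{2} = {3}' -f $p.Name, $key, $p.ValueName, $state
}
```

Run it on a client as the test user after gpupdate and a fresh logon: ENABLED or
DISABLED means the GPO landed; NOT SET means it never applied (wrong OU, filtering,
or the template was imported but the policy left "Not configured"); UNEXPECTED means
something else is writing that value, which is exactly the kind of failure the
GPO editor will not show you.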