CSED 431 Week 12 -- April 19
Folder redirection
Anyone can redirect their My Documents under
Windows XP, using My Documents => Properties. The folder that the My
Documents icon actually represents is the Personal value under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
(a REG_EXPAND_SZ value, normally %USERPROFILE%\My Documents). The neighbouring
Shell Folders key holds the same entries with the variables already expanded;
Explorer keeps it as a cache, and it is the User Shell Folders value that is
authoritative. Both keys also have entries for My Music, My Pictures, etc.
Group Policy folder redirection is just making your Personal folder be a folder on a network share.
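As an added example (not part of the course notes), the following PowerShell reads the current user's User Shell Folders and Shell Folders keys and reports, for each special folder, where it points, whether it has been redirected to a UNC path, whether that path is reachable, and whether Explorer's cache agrees with the authoritative value. The value names are the standard ones; the UNC path in the comment is an assumed example.

```powershell
# Added example, not from the course notes. Reports where each of the current
# user's special folders points and whether it has been redirected off the local
# disk (a UNC path such as \\winser08\homes\alice\Documents, an assumed example).
# Run it as the user whose redirection you want to check; HKCU is per user.
$userShellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$shellFolders     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

function Get-RedirectedFolders {
    # User Shell Folders holds the authoritative REG_EXPAND_SZ values (Group Policy
    # writes the redirection here); Shell Folders is Explorer's expanded cache.
    $live  = Get-ItemProperty -Path $userShellFolders
    $cache = Get-ItemProperty -Path $shellFolders
    foreach ($name in 'Personal', 'My Music', 'My Pictures', 'My Video', 'Desktop', 'AppData') {
        $raw = $live.$name
        if (-not $raw) { continue }                   # value not present on this Windows version
        # Get-ItemProperty already expands %USERPROFILE% etc.; expand again in case it didn't.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        New-Object PSObject -Property @{
            Folder      = $name
            Path        = $path
            Redirected  = $path.StartsWith('\\')      # UNC path => redirected, no drive letter involved
            Reachable   = (Test-Path -LiteralPath $path)   # $false => share down or NTFS ACL wrong
            CacheAgrees = ($cache.$name -eq $path)    # $false => stale Shell Folders cache
        }
    }
}

Get-RedirectedFolders |
    Select-Object Folder, Path, Redirected, Reachable, CacheAgrees |
    Format-Table -AutoSize
```

A Redirected folder that is not Reachable is the usual symptom of a share or NTFS permission problem on the server; a cache that disagrees with the live value usually means the user has not logged off and on since the policy was applied.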
Issues:
redirection styles: we are using "Basic - Redirect everyone's folder to the same location". This means that, if you
specify \\winser08\homes as the root path, user alice's My Documents would
be in \\winser08\homes\alice\Documents (I have no idea why it isn't "My Documents", but it is apparently not.)
The alternative is "Advanced - Specify locations for various user
groups". That would let us create all sorts of user groups and handle
redirection appropriately. But that gets confusing: users can be in
multiple groups. It is perhaps simpler to use Basic redirection,
creating multiple OUs as necessary; each OU can have its own
redirection policy. A user object sits in exactly one OU, but OUs nest,
so the policy that matters is the one linked to the "innermost" OU (the
last one processed) that has a redirection setting; this is much more
predictable than group membership.
home share permissions: You have to give Everyone Full Control of the share
(Authenticated Users is a tighter choice than the Everyone group, but either works).
This probably sounds worse than it is: the effective permission is the
intersection of the share permission and the NTFS permission, i.e. the more
restrictive of the two, so Full Control on the share just means the share is not
the thing that limits anyone. The NTFS ACL below does the real restricting, and
domain users end up with Full Control only of their own subfolders.
home folder NTFS permissions:
You need Everyone able to create folders. That way, each user can
create their own subfolder. Beyond that, you don't want much more. Here
is what Microsoft recommends, from http://support.microsoft.com/kb/274443:
Use the following settings for NTFS Permissions:
- CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
- System - Full Control (Apply onto: This Folder, Subfolders and Files)
- Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
- Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
- Everyone - List Folder/Read Data (Apply onto: This Folder Only)
- Everyone - Read Attributes (Apply onto: This Folder Only)
- Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
Windows normally doesn't check "Traverse Folder" at all, because the
"Bypass traverse checking" user right is granted to Everyone by default;
the ACE is there for environments where that right has been revoked. "Read
Attributes" lets a user see the folder's attributes (that it is a directory,
when it was last modified) without granting read access to its contents.
The basic idea, however, is that
- Administrators (and SYSTEM) should have full access
- Everyone should, the first time they log on, have the right to create their personal folder in \\server\homes, and to list what is already there
- CREATOR OWNER is a placeholder, not a real group: when a user creates
their subfolder, the inheritable CREATOR OWNER ACE is copied onto it with
the creating user's SID substituted, so the person who created it gets
Full Control of it and of everything below it.
Note what Everyone does NOT get: no Delete, no Write on existing files, and
nothing at all on the subfolders, since all of the Everyone ACEs are "This
Folder Only".
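The same ACL, built from PowerShell rather than the Security tab, as an added example that is not from the course notes. It assumes the share is backed by D:\homes and that the domain's NetBIOS name is CSED; both are placeholders. The "Apply onto" choices from the GUI become InheritanceFlags and PropagationFlags on each FileSystemAccessRule.

```powershell
# Added example, not from the course notes. Creates the folder behind the homes
# share and applies the KB 274443 NTFS ACL listed above.
# Assumptions: the share is backed by D:\homes and the domain's NetBIOS name is CSED.
$root   = 'D:\homes'
$domain = 'CSED'

New-Item -ItemType Directory -Path $root -Force | Out-Null

function New-Ace {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting the ACL of D:\
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)                # clean slate: drop the default explicit ACEs
}

# "Apply onto" in the GUI maps to InheritanceFlags / PropagationFlags:
#   This Folder Only                   -> None                          / None
#   This Folder, Subfolders and Files  -> ContainerInherit,ObjectInherit / None
#   Subfolders and Files Only          -> ContainerInherit,ObjectInherit / InheritOnly
$both  = 'ContainerInherit,ObjectInherit'
$rules = @(
    (New-Ace 'CREATOR OWNER'         'FullControl' $both  'InheritOnly')   # placeholder, becomes the creating user
    (New-Ace 'NT AUTHORITY\SYSTEM'   'FullControl' $both  'None')
    (New-Ace "$domain\Domain Admins" 'FullControl' $both  'None')
    # The four Everyone rights from the KB article are one ACE here; Windows merges them anyway.
    (New-Ace 'Everyone' 'CreateDirectories,ListDirectory,ReadAttributes,Traverse' 'None' 'None')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $root -AclObject $acl

# Share permission is deliberately wide open; the NTFS ACL above is what restricts access.
& net share "homes=$root" "/GRANT:Everyone,FULL"

# Check the result: one line per ACE with its inheritance settings.
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Run it as a domain administrator on the file server. CreateDirectories, ListDirectory and Traverse are the FileSystemRights names for the Create Folder/Append Data, List Folder/Read Data and Traverse Folder/Execute File entries in the GUI.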
XP problem: Starting with Windows Vista (and so Windows 7 and Server 2008),
Microsoft restructured the per-user subfolders such as My Music (they
became Music, Pictures, and so on). As a result, redirection for the
older folder layout is more complicated, and is disabled by default for
XP clients; you have to enable it separately. There is a check box in the
Properties => Settings tab for "Also apply redirection policy to
Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003
operating systems".
exclusive access: There's a
check box in the Properties => Settings tab for "Grant the user
exclusive rights to Documents". With that checked, the redirected folder
is created with an ACL containing only the user and SYSTEM, so even
Domain Admins get Access Denied until they take ownership. That makes it
a pain for the Administrator to browse the user's files. It is similarly
a pain for the Administrator to back up the files, unless the backup runs
with the backup privilege, which bypasses the ACL.
undoing: What happens to home
directories when redirection goes away? New users will then have their
home directories on the local machine, i.e. the default location, but
what about users whose home directory was redirected? Where will they
go? You choose, in the same Settings tab, under "Policy Removal": either
"Leave the folder in the new location when policy is removed" (the files
stay on the server and the user keeps pointing at them) or "Redirect the
folder back to the local userprofile location when policy is removed"
(the contents are copied back to the local profile).
gpupdate: After any
group-policy change, run gpupdate (or gpupdate /force, which reapplies
every setting rather than only the changed ones) on the domain members to
pull down the new settings. Left to itself, Group Policy refreshes in the
background only every 90 minutes (plus a random offset of up to 30
minutes) on workstations. Note also that folder redirection is one of the
settings processed only at logon, so after gpupdate the user must still
log off and back on before the redirection takes effect.
magic: Note that, with redirection in place (so the domain-member machine is using \\winser08\homes), no network drives show up as mounted: the redirected location is a UNC path written directly into the registry, so Explorer opens \\winser08\homes\alice\Documents without any drive letter, and nothing in My Computer or "net use" shows that it is remote.
Powershell
OK, it's a pain. But the last time I did this, with WSH and Visual
Basic, it was absolutely intractable. The PowerShell version is at
least somewhat accessible, if you have an example in front of you.
Default Users, again
I created a user deffie and made various settings. As usual, I didn't really deal with the desktop-background issue; that requires
- creating a .bmp version of the image you want
- making sure it is somewhere in the user's profile, possibly involving manual registry editing
- making sure it is copied to the Default User
After making a few settings, I logged out. (I should have started and configured all the software packages, too.)
I then logged on to the local machine as owner, and went to Control
Panel => System => Advanced => User Profiles. I then chose
deffie's profile, and used the "Copy To" button. I needed to copy to
the NETLOGON share on the server, so I simply mapped
\\winser08\netlogon to the z: drive. I then did a "copy to" the
location z:\Default User.
That still did not work. The last missing piece was that I had to
change the permissions to make the files readable to Everyone (that is,
to the group of that name).
Mandatory profiles:
http://support.microsoft.com/kb/307800
Basically, profiles are made mandatory by renaming ntuser.dat to ntuser.man.
In the non-domain context, you can use Admin Tools => Computer
Mgmt => System Tools => Local Users & Groups => Users
=> Properties => Profile to spell out a profile path (either
locally or on a server). Local paths begin with something like C:\; a
typical server path is \\servname\profiledir\%username%.
Note that %username% is an environment variable that Windows expands to the account's actual logon name; in the profile-path field it is expanded per user at logon, so one template path can serve many accounts.
Somewhat peculiarly, when a user with a mandatory profile logs on,
Windows still makes an individual local copy of that profile for that
user (under Documents and Settings on XP), just as it does for a roaming
profile. It's still a mandatory profile: changes are thrown away at
logoff and the server copy is reloaded at the next logon, so central
maintenance of one read-only profile is kept; what you don't get is a
single shared copy on each workstation's disk.
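Both of the manual steps above (making the copied Default User profile on NETLOGON readable by Everyone, and turning a profile into a mandatory one and pointing an account at it) can be scripted. The following is an added example, not code from the course notes; the share paths and the labstudent account are assumed placeholders, and it expects the profile to have already been copied to the server with "Copy To".

```powershell
# Added example, not from the course notes. Publishes a profile that was already
# copied (System => Advanced => User Profiles => Copy To) to a server share:
# grants Everyone read access to the whole tree, optionally turns it into a
# mandatory profile, and points a local account at it. Paths and account
# names are assumed examples.
function Publish-Profile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # e.g. '\\winser08\netlogon\Default User'
        [switch]$Mandatory                           # rename ntuser.dat -> ntuser.man
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "profile folder not found: $Path" }

    # Everyone: read+execute, inherited by files (OI) and subfolders (CI), applied
    # to the existing tree (/T). Without this the copy on NETLOGON is ignored at logon.
    & icacls $Path /grant 'Everyone:(OI)(CI)RX' /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    if ($Mandatory) {
        $dat = Join-Path $Path 'ntuser.dat'
        $man = Join-Path $Path 'ntuser.man'
        if (Test-Path -LiteralPath $man) {
            Write-Warning "$Path is already mandatory (ntuser.man present)"
        } elseif (Test-Path -LiteralPath $dat) {
            # The whole trick from KB 307800; -Force because ntuser.dat is a hidden file.
            Rename-Item -LiteralPath $dat -NewName 'ntuser.man' -Force
        } else {
            throw "no ntuser.dat in $Path; was the profile copied completely?"
        }
    }
    Get-ChildItem -LiteralPath $Path -Force -Filter 'ntuser.*' | Select-Object Name, Length
}

function Set-LocalProfilePath {
    # Same as Local Users & Groups => Properties => Profile, via the WinNT ADSI provider.
    param([Parameter(Mandatory=$true)][string]$User,
          [Parameter(Mandatory=$true)][string]$ProfilePath)
    $account = [ADSI]"WinNT://$env:COMPUTERNAME/$User,user"
    $account.Put('Profile', $ProfilePath)
    $account.SetInfo()
}

# Default User on NETLOGON: readable by all, stays an ordinary template profile.
Publish-Profile -Path '\\winser08\netlogon\Default User'
# A shared mandatory profile for a lab account (share path assumed):
Publish-Profile -Path '\\winser08\profiles\labstudent' -Mandatory
Set-LocalProfilePath -User 'deffie' -ProfilePath '\\winser08\profiles\labstudent'
```

Run it as an administrator on the machine whose local account you are changing; for the domain case the profile path is set on the domain user object instead, but the share-side steps are the same.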
Lost passwords
What do you do with a windows computer to which you have lost the
password? Microsoft claims you are out of luck if you failed to make a password recovery disk ahead of time; see http://support.microsoft.com/kb/321305:
If you do not have a reset disk or cannot log on as an administrator,
unfortunately, you may have to reinstall Windows XP and all other
programs that were installed on the computer before you can use the
computer again. This is for security. Without these safeguards, anyone
could reset a password to anyone else's computer and gain access to
private information.
However, the Linux world has had NTFS drivers for a long time; you can
access the file system of the locked machine as long as you can boot
off a CD. (It is usually possible to set the BIOS to prohibit booting
from CD without a password, but that is not always done.)
Local account passwords (as hashes, not the passwords themselves) are kept in
C:\Windows\System32\config\SAM (SAM = Security Account Manager). This file is
a registry hive, loaded as HKLM\SAM; its contents are normally not visible
even to Administrators, because the key's ACL gives Administrators no read
access, but an Administrator does have the power to change that, by taking
ownership of the key or by running as SYSTEM. The format of the SAM hive is
undocumented but has been reverse-engineered, and Petter Nordahl-Hagen has put
together a Linux boot disk with a simple script for clearing passwords.
(Clearing a password requires only minimal knowledge of the hash format: the
tool blanks the stored hash rather than recovering the password.) The page is
at http://pogostick.net/~pnh/ntpasswd. There are now Windows-like tools as well.
For the Linux NTFS driver to work, the file system must have been shut
down "cleanly"; the driver may refuse to mount a volume that is marked
dirty or hibernated (or insist on read-only) unless forced, at some risk to
the file system. Normally this is not a problem, but if you can't log in
you may be tempted to just turn the machine off, and then the shutdown
won't be clean. Use the Shut Down button on the logon screen instead, if
it hasn't been disabled by policy; that is a clean shutdown.
Some passwords are also used as encryption keys. On Windows this is the user's own logon password: EFS-encrypted files and other DPAPI-protected secrets (stored web and network credentials, for instance) are protected by a master key derived from it. Changing your own password through the normal route re-encrypts that master key, but resetting the password from outside (an administrator reset, or clearing the hash offline as above) does not, so those files are gone even though you successfully reopen the account itself. Preserving that access is exactly what the password reset disk Microsoft mentions is for.
A slightly different technique is to back up the SAM file first, so
that it can be restored once you are done. This "covers your tracks", in
that the original password comes back, and is easily accomplished with a
Linux "live CD", that is, a bootable CD from which you can run Linux
directly, in addition to installing it.
Nordahl-Hagen's approach does not work for recovering lost
domain-administrator passwords; domain accounts live in a different
database, the Active Directory store %SystemRoot%\NTDS\ntds.dit on each
domain controller. That is an ESE (Jet) database rather than a registry
hive, so the SAM-editing tools don't apply to it; a domain controller's
own SAM holds only the Directory Services Restore Mode administrator, not
the domain accounts. So the Nordahl-Hagen approach is unavailable there.
Lab
Log in as administrator to the Windows XP partition of your laptop.