CSED 431 Week 12 -- April 19





Folder redirection

Anyone can redirect their own My Documents under Windows XP: right-click My Documents => Properties and change the Target. The folder that the My Documents icon actually represents is recorded in the registry. The value Explorer reads is
    HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
(a REG_EXPAND_SZ value, by default %USERPROFILE%\My Documents); the expanded result is cached in
    HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

In both keys there are also entries for My Music, My Pictures, Desktop, AppData, etc.

Group Policy folder redirection does the same thing centrally: it sets the user's Personal value to a UNC path on a file-server share, so the user's documents live on the server instead of on the local disk.

Issues:

redirection styles: we are using "Basic - Redirect everyone's folder to the same location". This means that, if you specify \\winser08\homes as the root path, user alice's My Documents ends up in \\winser08\homes\alice\Documents. The folder is called Documents rather than My Documents because the Server 2008 policy is written in terms of the Vista/Windows 7 folder names and creates the target under that name even for XP clients; the icon on the XP client still says My Documents.

The alternative is "Advanced - Specify locations for various user groups". That would let us create all sorts of user groups and redirect each one somewhere different. But that gets confusing: a user can be a member of several groups at once, and then it is not obvious which target wins. It is perhaps simpler to use Basic redirection and create OUs as necessary; each OU can have its own redirection policy. A user object sits in exactly one OU, but OUs nest, and the GPO that applies is the one linked closest to the user, i.e. the "innermost" OU for which a redirection policy is defined; this is much more predictable than group membership.

home share permissions: you have to give Everyone Full Control of the share. This probably sounds worse than it is: the share permission is only one of two gates. The effective access is the more restrictive of the share permissions and the NTFS permissions, so with Full Control on the share it is the NTFS ACL on the folder that actually confines each domain user to their own subfolder.

home folder NTFS permissions: Everyone needs to be able to create folders in the root of the share, so that each user's own subfolder can be created (by the user, or by the redirection client at logon). Beyond that, you don't want to grant much more at the root. Here is what Microsoft recommends, from http://support.microsoft.com/kb/274443:

Use the following settings for NTFS Permissions:
Generally, the Traverse Folder permission is not actually enforced in Windows, because Everyone holds the "Bypass traverse checking" user right by default; and I'm not sure what "Read Attributes" is there for. The basic idea, however, is that
XP problem: With Windows Vista (and therefore Windows 7), Microsoft restructured the profile: My Documents became Documents, and subfolders such as My Music and My Pictures moved out from under it to the profile root. Redirecting the old layout to the new one is more complicated, so the Server 2008 policy does not apply to XP clients by default. You have to enable it separately: there is a check box in the Properties => Settings tab for "Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems".

exclusive access: There's a check box in the Properties => Settings tab for "Grant the user exclusive rights to Documents". With that checked, the client sets the ACL on the user's redirected folder so that only the user (and SYSTEM) have access; the Administrator has to take ownership before browsing the user's files, which is a pain. It is a similar pain to back the files up with anything that does not run with the Backup Operators privilege.

undoing: What happens to home directories when redirection goes away? New users will get their home directories on the local machine, i.e. the default location, but what about users whose home directory was redirected? Where will they go? You choose, in the policy's Settings tab: either the folder stays on the server when the policy is removed, or it is redirected back to the local user-profile location (and the contents are moved back only if the "move the contents" option is also set).

gpupdate: After any group-policy change, run gpupdate (or gpupdate /force) on the client to pull the new settings; otherwise Group Policy refreshes on its own schedule, which on workstations is every 90 minutes plus a random offset. Folder redirection is processed at logon, so gpupdate will offer to log the user off before the redirection takes effect.
magic: Note that, with redirection in place (so the domain-member machine is using \\winser08\homes), no network drive shows up as mapped: the UNC path is written straight into the shell-folder registry value and Explorer opens it directly.
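As an added example, not taken from the notes or from KB 274443, the following PowerShell does the server side of the share and NTFS setup described above: it creates the homes root, shares it with Full Control for Everyone, and sets a minimal root ACL. The local path D:\homes, the identity names and the exact rights granted are this example's assumptions modeled on the notes, not a copy of the KB table; winser08 and the share name homes are the lecture's.

```powershell
# Added example, not from the course notes or KB 274443. Run elevated on the
# file server (Windows Server 2008 assumed, as in the lecture).
# Assumptions: D:\homes is the local folder behind \\winser08\homes; the
# rights below are this example's reading of "Everyone can create folders,
# not much more", not a copy of the KB table.
$root  = 'D:\homes'
$share = 'homes'

if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

# 1. Share permissions: Full Control for Everyone. This is only the first gate;
#    the effective right is the more restrictive of share and NTFS permissions.
if (-not (Get-WmiObject Win32_Share -Filter "Name='$share'")) {
    net share "$share=$root" '/GRANT:Everyone,FULL' | Out-Null
}

# 2. NTFS permissions on the root, with inheritance from the volume broken so
#    that e.g. "Users: Modify" from the drive root cannot leak in.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)        # protected; drop inherited ACEs
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)               # start from a clean explicit list
}

$F = 'System.Security.AccessControl.FileSystemAccessRule'
$rules = @(
    # Everyone, this folder only: see the root, create a subfolder, nothing else.
    (New-Object $F ('Everyone', 'ListDirectory, CreateDirectories, ReadAttributes, Traverse', 'None', 'None', 'Allow')),
    # CREATOR OWNER, subfolders and files only: whoever creates a subfolder owns it outright.
    (New-Object $F ('CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')),
    (New-Object $F ('SYSTEM',         'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')),
    (New-Object $F ('Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $root -AclObject $acl

function Test-HomesRootAcl {
    # $true when inheritance is broken and Everyone's ACE is confined to the
    # root itself and carries no write-data right; $false otherwise.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) { return $false }
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne 'Everyone') { continue }
        if ($ace.InheritanceFlags -ne 'None') { return $false }
        if (($ace.FileSystemRights -band $writeData) -ne 0) { return $false }
    }
    return $true
}

icacls $root                                        # show the resulting ACL
if (-not (Test-HomesRootAcl $root)) { Write-Warning "$root ACL is looser than intended" }
```

With this root ACL, a user's own subfolder is owned by whoever created it, so the user gets Full Control there through CREATOR OWNER while other users cannot even list it; if the "exclusive rights" policy option is also checked, the client tightens the subfolder further so that only the user and SYSTEM remain.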
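On the client side, as an added example that is not part of the notes, the following PowerShell reports where the logged-on user's shell folders point, which of them are redirected to a UNC path, and that nothing is mapped to a drive letter, and it probes whether the redirected Documents folder is writable. Only the lecture's \\winser08\homes is assumed, and it appears only in the comments.

```powershell
# Added example, not from the course notes. Run as the user whose folders you
# are checking, on the XP or Windows 7 domain member.
$usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$sf  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

function Get-ShellFolder {
    # "User Shell Folders" holds the configured value (REG_EXPAND_SZ, may use
    # %USERPROFILE%); "Shell Folders" is the expanded copy Explorer caches.
    param([string]$Name)
    $configured = (Get-Item -Path $usf).GetValue($Name, $null,
                      [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $cached     = (Get-Item -Path $sf).GetValue($Name)
    $expanded   = $null
    if ($configured) { $expanded = [Environment]::ExpandEnvironmentVariables($configured) }
    New-Object PSObject -Property @{
        Name       = $Name
        Configured = $configured
        Expanded   = $expanded
        Cached     = $cached
        Redirected = [bool]($expanded -and $expanded.StartsWith('\\'))
    }
}

function Get-RedirectionReport {
    'Personal', 'My Music', 'My Pictures', 'Desktop', 'AppData' | ForEach-Object { Get-ShellFolder $_ }
}

function Test-RedirectedFolderWritable {
    # Create and delete a uniquely named probe file; $true if both succeed.
    param([string]$Path)
    $probe = Join-Path $Path ('.probe-' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction Stop
        return $true
    } catch {
        Write-Warning ("{0}: {1}" -f $Path, $_.Exception.Message)
        return $false
    }
}

Get-RedirectionReport | Format-Table Name, Redirected, Configured, Cached -AutoSize

# The "magic": redirection writes the UNC path (e.g. \\winser08\homes\alice\Documents)
# straight into the registry value, so nothing is mapped to a drive letter.
Write-Host 'Mapped drives:'; net use

$personal = Get-ShellFolder 'Personal'
if ($personal.Redirected) {
    if (Test-RedirectedFolderWritable $personal.Expanded) {
        Write-Host ("Documents are redirected to {0} and writable." -f $personal.Expanded)
    }
} else {
    Write-Host ("Documents are local ({0}); run gpupdate /force and log off and on " +
                "again if a redirection policy is supposed to apply.") -f $personal.Expanded
}
```

The gpupdate reminder in the last branch matters because folder redirection is a logon-time policy: a refresh alone updates the GPO cache but the registry values above only change at the next logon.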




Powershell

Ok, it's a pain. But the last time I did this, with WSH and Visual Basic, it was absolutely intractable. The PowerShell version is at least somewhat accessible, if you have an example in front of you.



Default Users, again

I created a user deffie and made various settings. As usual, I didn't really deal with the desktop-background issue; that requires
After making a few settings, I logged out. (I should have started and configured all the software packages, too.)

I then logged on to the local machine as owner, and went to Control Panel => System => Advanced => User Profiles. I then chose deffie's profile, and used the "Copy To" button. I needed to copy to the NETLOGON share on the server, so I simply mapped \\winser08\netlogon to the z: drive. I then did a "copy to" the location z:\Default User.

That still did not work. The last missing piece was that I had to change the permissions to make the files readable to Everyone (that is, to the group of that name).





Mandatory profiles:

http://support.microsoft.com/kb/307800

Basically, a profile is made mandatory by renaming its registry hive ntuser.dat to ntuser.man; Windows loads the hive normally at logon but discards any changes at logoff.

In the non-domain context, you can use Admin Tools => Computer Mgmt => System Tools => Local Users & Groups => Users => Properties => Profile to spell out a profile path (either locally or on a server). Local paths begin with something like C:\; a typical server path is \\servname\profiledir\%username%.

Note that %username% is an ordinary environment variable in Windows that stands in for the actual username; the profile path is expanded for each user at logon.

Somewhat peculiarly, when you assign a mandatory profile to a user, Windows still makes an individual copy of that profile for the user on each machine they log on to (the locally cached profile, under Documents and Settings on XP). It is still a mandatory profile, in that changes are thrown away at logoff, but on the client the benefit of several users sharing one read-only profile is lost; only the copy on the server is truly shared.
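The following PowerShell is an added example, not code from the notes, covering two things the notes do by hand: the "last missing piece" of the Default User section (making the profile copied into NETLOGON readable by Everyone) and the mandatory-profile conversion above. It assumes the profile has already been placed on the server with the "Copy To" button (a plain file copy leaves the ACLs inside ntuser.dat pointing at the source user's SID), that \\winser08\netlogon is the lecture's NETLOGON share, and that \\winser08\profiles\mandatory and the account name alice are hypothetical.

```powershell
# Added example, not part of the course notes. Assumes the profiles were already
# placed on the server with System => User Profiles => "Copy To".
# \\winser08\netlogon is from the lecture; \\winser08\profiles\mandatory and
# the account "alice" are assumed names.
$defaultUser = '\\winser08\netlogon\Default User'
$mandatory   = '\\winser08\profiles\mandatory'

function Grant-EveryoneRead {
    # Every client reads the Default User profile at a user's first logon, so
    # Everyone needs Read & Execute on the whole tree.
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Everyone', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl     # inheritable ACE propagates to existing files
}

function Test-EveryoneCanRead {
    # Returns the items under $Path where Everyone has no Allow ACE carrying
    # ReadData (e.g. files with protected ACLs); no output means the tree is readable.
    param([string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $items = @(Get-Item -Path $Path -Force) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        $ok = (Get-Acl -Path $item.FullName).Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readData) -ne 0)
        }
        if (-not $ok) { $item.FullName }
    }
}

function ConvertTo-MandatoryProfile {
    # Renaming the hive is all it takes: Windows loads ntuser.man at logon and
    # throws the user's changes away at logoff.
    param([string]$Path)
    $hive = Join-Path $Path 'ntuser.dat'
    if (-not (Test-Path $hive)) { throw "No ntuser.dat in $Path; copy a profile there first." }
    Rename-Item -Path $hive -NewName 'ntuser.man' -Force   # -Force: the hive is a hidden file
    Grant-EveryoneRead $Path                                # every user of the profile must read it
}

Grant-EveryoneRead $defaultUser
$unreadable = @(Test-EveryoneCanRead $defaultUser)
if ($unreadable.Count) { Write-Warning ("Still not readable by Everyone:`n" + ($unreadable -join "`n")) }

ConvertTo-MandatoryProfile $mandatory
# Point a local account at the shared profile (for domain accounts use the Profile
# tab in AD Users and Computers, or add /domain). The path has no %username% because
# the profile is shared; each user still gets a throw-away cached copy on the client.
net user alice "/profilepath:$mandatory"
```

Test-EveryoneCanRead deliberately ignores Deny ACEs; it answers only "is an Allow with ReadData present", which is the check that would have caught the missing permission in the Default User walkthrough.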



Lost passwords

What do you do with a Windows computer to which you have lost the password? Microsoft claims you are out of luck if you failed to make a password reset disk ahead of time; see http://support.microsoft.com/kb/321305:

If you do not have a reset disk or cannot log on as an administrator, unfortunately, you may have to reinstall Windows XP and all other programs that were installed on the computer before you can use the computer again. This is for security. Without these safeguards, anyone could reset a password to anyone else's computer and gain access to private information.

However, the Linux world has had NTFS drivers for a long time; you can access the file system of the locked machine as long as you can boot off a CD. (It is usually possible to set the BIOS to prohibit booting off the CD without a password, but that is not always done.) Local account passwords, or rather their hashes, are kept in c:\windows\system32\config\SAM (SAM = Security Account Manager). This is a registry hive, loaded as HKLM\SAM; its contents are not visible even to Administrators by default, but an Administrator does have the power to change that by taking ownership of the key. The format of the SAM hive is undocumented but has been reverse-engineered, and Petter Nordahl-Hagen has put together a Linux boot disk with a simple script (chntpw) for clearing passwords. Clearing requires only enough knowledge of the hash storage format to blank the hash, not any ability to recover the password. The page is at http://pogostick.net/~pnh/ntpasswd. There are now Windows-based tools as well.

For the Linux NTFS driver to work, the file system must have been shut down cleanly (and the machine must not be hibernated); otherwise the driver refuses to mount it read-write. Normally this is not a problem, but if you can't log in you might have no choice but to turn the machine off, and then the shutdown won't be clean. The XP logon screen normally still offers Shut Down, which gives a clean shutdown without a password.

Some passwords (mostly user passwords) also protect encryption keys: EFS-encrypted files are protected through DPAPI, whose master key is derived from the user's password. Changing the password through Windows re-encrypts that key; blanking it from outside does not. So forgetting the password means the encrypted files are gone even if you successfully get back into the account, unless an EFS recovery agent or a password reset disk exists.

A slightly different technique is to copy the SAM file somewhere safe first, so that it can be put back afterwards. This "covers your tracks", and is easily accomplished with a Linux "live CD", that is, a bootable CD from which you can run Linux without installing it.

Nordahl-Hagen's approach does not work for recovering lost domain-administrator passwords; domain accounts live in a different database. They are not in the SAM but in the Active Directory database, %SystemRoot%\NTDS\ntds.dit, which is a Jet/ESE database rather than a registry hive, and chntpw does not edit it. (A domain controller's own SAM still exists, but it holds only the Directory Services Restore Mode administrator.) So the Nordahl-Hagen approach is unavailable for domain accounts.




Lab

Log in as administrator to the Windows XP partition of your laptop.