Project Notes

0. We are not having class on Monday, May 2, but I can be here if necessary if anyone has problems with their project.

1. The easiest way to get a small file to your server is to try to paste it into a Notepad window within your Remote Desktop window (or, if appropriate, download it through a web browser; people have put files onto web pages for less).

2. Make sure that you apply any Group Policies to an OU that does not include your Administrator account, or you may enforce some policy on yourself that you cannot undo.

3. Remember that after you make your machine a domain controller, or after you join a domain, you need to include the first word of the domain in the userid box, e.g. CSED3\Administrator. In this regard, logging in through Remote Desktop is slightly different from logging in to the (virtual) console directly.

4. If no users can log into your Windows 7 machine after it becomes a domain member, and you get a message about lack of Remote Desktop rights, we can try rebooting. But if administrative users can log in and ordinary ones cannot, a genuine permissions problem is more likely. Note that the new name for the User Right in question is "Allow log on through Terminal Services"; you set it with Group Policy Management in the Default Domain Policy, under Computer Configuration => Policies => Windows Settings => Security Settings => Local Policies => User Rights Assignment.

Here's what I had to do on one computer. I had to do the crucial step at the local Windows 7 end; I did not figure out how to set this from the server using Group Policy. I created a group RemoteDesktop on the server (somehow the allegedly existing group Remote Desktop Users didn't work, but maybe I typed it wrong). I added myself to this group, on the server.

Then, on the Windows 7 end, logged in as Administrator, I went to Control Panel => System. I clicked Remote settings, at the upper left. This brought up a System Properties box, with Remote Desktop in the lower half. I clicked the lower-right button Select Users.... On the select-users panel, I then clicked Add... and added my RemoteDesktop group to this.

I was now able to log on using Remote Desktop, as a non-administrator!

5. Your software restriction policy should ALLOW c:\windows and c:\Program Files, and its default level should be DISALLOWED. Change the default to DISALLOWED after you have allowed the other two.

Also, in the Designated File Types list (part of software restriction policies), scroll down to the extension LNK and delete it. These are "link" files. Every user's Start menu consists of link files to the "real" software, and the Start menu links are not in the directories above. So by deleting this LNK entry you are allowing users to run LNK files anywhere. But this is not dangerous, because LNK files have to link to somewhere else, and the software will only run if the destination linked to is in one of the c:\Program Files or c:\windows folders above.
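
One way to confirm that the policy from item 5 actually reached a machine, as an added example that is not part of the original notes: the script below reads the applied software restriction policy from the local registry and reports the default level, whether both allow rules are present, and whether LNK is still a designated file type. It assumes the policy was set under Computer Configuration (so it lands under HKLM) and has been applied to the machine; `Resolve-SrpPath` is a helper name made up for this example.

```powershell
# Added example: audit the software restriction policy applied to this computer.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$required = 'C:\Windows', 'C:\Program Files'   # the two folders item 5 says to allow

function Resolve-SrpPath([string]$ItemData) {
    # A path rule can be stored as %HKEY_...\Key\ValueName% (a registry lookup)
    # instead of a literal folder; resolve that form to the folder it points at.
    if ($ItemData -match '^%(HKEY_[^%]+)\\([^\\%]+)%(.*)$') {
        $key = $Matches[1]; $name = $Matches[2]; $suffix = $Matches[3]
        $ItemData = (Get-ItemProperty -Path "Registry::$key" -Name $name).$name + $suffix
    }
    [Environment]::ExpandEnvironmentVariables($ItemData).TrimEnd('\')
}

if (-not (Test-Path $base)) {
    Write-Warning 'No software restriction policy is applied to this computer.'
    return
}
$policy = Get-ItemProperty -Path $base

# Unrestricted (allow) path rules sit under the 262144 subkey, one GUID key per rule.
$rulesKey = Join-Path $base '262144\Paths'
$allowed  = @()
if (Test-Path $rulesKey) {
    $allowed = @(Get-ChildItem $rulesKey | ForEach-Object {
        Resolve-SrpPath (Get-ItemProperty $_.PSPath).ItemData
    })
}

# String comparison with -notcontains / -contains is case-insensitive.
$missing           = @($required | Where-Object { $allowed -notcontains $_ })
$defaultDisallowed = ($policy.DefaultLevel -eq 0)   # 0 = Disallowed, 262144 = Unrestricted
$lnkDesignated     = ($policy.ExecutableTypes -contains 'LNK')

New-Object PSObject -Property @{
    DefaultIsDisallowed = $defaultDisallowed
    AllowRulesFound     = ($allowed -join '; ')
    AllowRulesMissing   = ($missing -join '; ')
    LnkStillDesignated  = $lnkDesignated
}

if ($defaultDisallowed -and $missing.Count -gt 0) {
    Write-Warning "Default is Disallowed but these allow rules are missing: $($missing -join ', ')"
}
if ($lnkDesignated) {
    Write-Warning 'LNK is still a designated file type; Start menu shortcuts will be blocked.'
}
```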