Project Notes
0. We are not having class on Monday, May 2, but I can be here if necessary if anyone has problems with their project.
1. The easiest way to get a small file to your server is to try to paste it into a Notepad window within your Remote Desktop window (or, if appropriate, download it through a web browser; people have put files onto web pages for less).
2. Make sure that you apply any Group Policies to an OU that does not include your Administrator account, or you may enforce some policy on yourself that you cannot undo.
3. Remember that after you make your machine a domain controller, or after you join a domain, you need to include the first word of the domain in the userid box, e.g. CSED3\Administrator. In this regard, logging in through Remote Desktop is slightly different from logging in to the (virtual) console directly.
4. If no users can log into your Windows 7 machine after it becomes a domain member, and you get a message about lack of Remote Desktop rights, we can try rebooting. But if administrative users can log in and ordinary ones cannot, a genuine permissions problem is more likely. Note that the new name for the User Right in question is "Allow log on through Terminal Services"; you set it with Group Policy Management in the Default Domain Policy, Computer Configuration => Policies => Windows Settings => Security Settings => Local Policies => User Rights Assignment.
Here's what I had to do on one computer. I had to do the crucial step at the local Windows 7 end; I did not figure out how to set this from the server using Group Policy. I created a group RemoteDesktop on the server (somehow the allegedly existing group Remote Desktop Users didn't work, but maybe I typed it wrong). I added myself to this group, on the server.
Then, on the Windows 7 end, logged in as Administrator, I went to Control Panel => System. I clicked Remote settings, at the upper left. This brought up a System Properties box, with Remote Desktop in the lower half. I clicked the lower-right button Select Users.... On the select-users panel, I then clicked Add... and added my RemoteDesktop group to this.
I was now able to log on using Remote Desktop, as a non-administrator!
5. Your software restriction policy should ALLOW c:\windows and c:\Program Files, and by default be DISALLOWED. Change the default to DISALLOWED only after you allow the other two.
Also, in the Designated File Types list (part of software restriction policies), scroll down to the extension LNK and delete it. These are "link" files. Every user's Start menu consists of link files to the "real" software, and the Start menu links are not in the directories above. So by deleting this LNK entry you are allowing users to run LNK files anywhere. But this is not dangerous, because LNK files have to link to somewhere else, and the software will only run if the destination linked to is in one of the c:\Program Files or c:\windows folders above.
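A way to check the result of item 5 on the Windows 7 machine, as an added example that is not part of the original notes. It assumes the policy was set under Computer Configuration (so it is stored under HKLM) and reads the registry values where Windows keeps software restriction policies.

```powershell
# Added example: audit the computer-scope Software Restriction Policy.
# Assumption: the policy was set under Computer Configuration (HKLM).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Warning 'No SRP found under HKLM.'; return }
$policy = Get-ItemProperty -Path $base

# DefaultLevel: 0 = Disallowed, 262144 (0x40000) = Unrestricted
$defaultDisallowed = ($policy.DefaultLevel -eq 0)

# Designated File Types are stored in the multi-string value ExecutableTypes
$lnkDesignated = @($policy.ExecutableTypes) -contains 'LNK'

# Path rules may be literal paths or registry-path rules of the form
# %HKEY_LOCAL_MACHINE\...\ValueName%; resolve both to a plain path.
function Resolve-RulePath([string]$item) {
    if ($item -match '^%HKEY_LOCAL_MACHINE\\(.+)\\([^\\%]+)%(.*)$') {
        $key  = 'HKLM:\' + $Matches[1]
        $name = $Matches[2]
        $rest = $Matches[3]
        $val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        return "$val$rest"
    }
    return [Environment]::ExpandEnvironmentVariables($item)
}

# Unrestricted (allow) path rules live under the 262144\Paths subkey
$rulesKey = Join-Path $base '262144\Paths'
$allowed = @()
if (Test-Path $rulesKey) {
    $allowed = Get-ChildItem $rulesKey | ForEach-Object {
        Resolve-RulePath (Get-ItemProperty $_.PSPath).ItemData
    }
}
$allowed = @($allowed | ForEach-Object { $_.TrimEnd('\').ToLower() })

# The two folders item 5 says must be allowed
$expected = @('c:\windows', 'c:\program files')
$missing  = @($expected | Where-Object { $allowed -notcontains $_ })

[pscustomobject]@{
    DefaultIsDisallowed = $defaultDisallowed      # want: True
    LnkStillDesignated  = $lnkDesignated          # want: False
    AllowedPaths        = $allowed -join '; '
    MissingAllowRules   = $missing -join '; '     # want: empty
}
```

Run it from an elevated PowerShell prompt after a gpupdate; if MissingAllowRules is not empty, do not switch the default to DISALLOWED yet.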