Since creating the last mandatory profile the following problem has occured.
When I log on to the pc with a user that has a mandatory profile it brngs up an office installation screen and then a failure because it cannot find the source. This is only if the profile has japnese enabled in the office settings.
The fix to the problem is log on as admin and check the japanese box in the office language settings. Log off the PC and insert the office 2000 cd abd then log back on as administrator. This will install the required japanese features. Logging back on as a user with a manadatory profile is then ok.
When creating an image we must add japanese as administrator.
Wednesday, July 25, 2007
Thursday, July 19, 2007
Setting up softwre installtion from Group Policy
We have a windows 2003 server.
Added the software package under group policy for my test OU.
On reboot of my test machine the folowing error appeared in the event application log
"The group policy framework should call the extension in the snchronous foreground policy refresh. "
According to microsoft support doco the policy "Computer Configuration>Administrative Templates>Sytem>Login>Always wait for the network at computer startup and logon" is not set by default. This allows for the user to get their screen up more quickly. However for software installtion it means that itcan take a couple of boots to install software.
I enabled this policy.
The next error in the event application log was "Installation Source for this product was not available".
The share where the package was located had access fo the adinistrator only. I added read access for Authenticted Users and the installation was succesful.
Added the software package under group policy for my test OU.
On reboot of my test machine the folowing error appeared in the event application log
"The group policy framework should call the extension in the snchronous foreground policy refresh. "
According to microsoft support doco the policy "Computer Configuration>Administrative Templates>Sytem>Login>Always wait for the network at computer startup and logon" is not set by default. This allows for the user to get their screen up more quickly. However for software installtion it means that itcan take a couple of boots to install software.
I enabled this policy.
The next error in the event application log was "Installation Source for this product was not available".
The share where the package was located had access fo the adinistrator only. I added read access for Authenticted Users and the installation was succesful.
Thursday, July 12, 2007
Blogs and Wikis Seminar
- Wordpress - Blogger S/w
- Add movies (Wordpress won't allow)
- Visitor locations and blog stats
- Cluster maps
- Tabbed pages in blog
- Cyberquoll for internet safety (primary school)
- Investigate Microsoft Writer
- Students will do it home
- You can have registered membership for a blog e.g. A class
- Add students to blog as an author. User must be a valid user of edublog. When adding user to edublog you have an option of adding them without creating a blog
Examples of uses
Yr7's Draw pictures and then the YR10's animate those pictures
Science write up investigations
Some Ideas
Look at using Iefranview s default cropping tool for pictures.
Smartboard Recorder for capturing and narating screens.
Themes more useful with blogs - time orientated.
More random contribution WIKI
Use RSS to determine when changes occur
PhotoStory for camps
WSUS 2.0
Listed are some issues with WSUS 2.0 and fixes
In the event log (application) on the WSUS server
Syncronization Event ID:364 "The parameter is incorrect"
I had updated WSUS 2.0 to SP1. The password to get through the proxy had been reset to blank. Puting the password back fixed the problem.
Syncronization Event ID:364 "File Cert Verification Failure"
From the WSUS server started a manual windows update. From the optional software I selected "Root Certificates Updates". Having Installed this update it would appear all sync errors have disappeared.
A few bits of information gathered on the way of researching this problem that may help in the future.
Program Files\Update Services\Logfiles\softwaredistribution.log
Bitsadmin.exe utility \support\tols on Windows2003SP1 CD or XPSP2 cd.
bitsadmin /list/allusers
wsdebugtool
0x80004002 reported in the client log
Link below sorted the problem out
http://msmvps.com/blogs/athif/archive/2006/05/17/Error-0x80004002.aspx
In the event log (application) on the WSUS server
Syncronization Event ID:364 "The parameter is incorrect"
I had updated WSUS 2.0 to SP1. The password to get through the proxy had been reset to blank. Puting the password back fixed the problem.
Syncronization Event ID:364 "File Cert Verification Failure"
From the WSUS server started a manual windows update. From the optional software I selected "Root Certificates Updates". Having Installed this update it would appear all sync errors have disappeared.
A few bits of information gathered on the way of researching this problem that may help in the future.
Program Files\Update Services\Logfiles\softwaredistribution.log
Bitsadmin.exe utility \support\tols on Windows2003SP1 CD or XPSP2 cd.
bitsadmin /list/allusers
wsdebugtool
0x80004002 reported in the client log
Link below sorted the problem out
http://msmvps.com/blogs/athif/archive/2006/05/17/Error-0x80004002.aspx
Wednesday, July 4, 2007
Switch Configuration 4500 3Com
Had some difficulties bringing a 3com 4500 swith into our environment. Thought I would document some lessons learned.
Configured a static IP address and subnet mask from the console. Then I tried to ping from our admin side - no good.
I had a tie cable (cat5) running from our core switch to the 4500. The port at the core switched was tagged and part of both vlans. Removed tie cable and ran a cable to the other switch in the cabinet.
I configured the 4500 to have one port tagged. (note you must make the port a hybrid with the 4500 before you can tag it for the student side. I did this from the web interface. I then tried to tag the port on the default lan and was told the default lan can not be modified.
It turns out you have to modify the default lan via the console.
All now ok.
Configured a static IP address and subnet mask from the console. Then I tried to ping from our admin side - no good.
I had a tie cable (cat5) running from our core switch to the 4500. The port at the core switched was tagged and part of both vlans. Removed tie cable and ran a cable to the other switch in the cabinet.
I configured the 4500 to have one port tagged. (note you must make the port a hybrid with the 4500 before you can tag it for the student side. I did this from the web interface. I then tried to tag the port on the default lan and was told the default lan can not be modified.
It turns out you have to modify the default lan via the console.
All now ok.
Wednesday, June 27, 2007
Office 2007
As I use Office 2007 1 will document issues that arise, new ways of doing things.
VBA Macros
Opened my access database that apparently contains VBA macros. You are given an option
VBA Macros
Opened my access database that apparently contains VBA macros. You are given an option
- Help Protect
- Enable Content
Note if you enable content then it is for this session only. The next time you open the database you will be prompted again.
There seems to be two ways of handling this
- Changing access permisions for all macros
- Adding the location of your database to the trusted locations
Macro Permissions
- Disable all macros without notification
- Disable all macros with notification (default setting)
- Disable all macros except digitally signed macros
- Enable all macros
Trusted Locations
Here you can add the directory location of the database. This would then give you greater security because you could leave the default macro permissions but not have to enable macro permissions for databases that you had created or came from a trusted location.
There is an option not ticked and not recomended "allow trusted locations on my network". Why I am not sure. However I save my database to a network drive so that it is backed up.
** Will have to investigate further **
Star Stream
The shortcut for this would have to be changed from office to office12
Would also need this to be a trusted location
System Requirements
and processor
500 megahertz (MHz) processor or higher
Memory
256 megabyte (MB) RAM or higher1
Hard disk
2 gigabyte (GB); a portion of this disk space will be freed after installation if the original download package is removed from the hard drive.
Drive
CD-ROM or DVD drive
Display
1024x768 or higher resolution monitor
Operating system
Microsoft Windows XP with Service Pack (SP) 2, Windows Server 2003 with SP1, or later operating system2
Other
Certain inking features require running Microsoft Windows XP Tablet PC Edition or later. Speech recognition functionality requires a close-talk microphone and audio output device. Information Rights Management features require access to a Windows 2003 Server with SP1 or later running Windows Rights Management Services.Connectivity to Microsoft Exchange Server 2000 or later is required for certain advanced functionality in Outlook 2007. Instant Search requires Microsoft Windows Desktop Search 3.0. Dynamic Calendars require server connectivity.Connectivity to Microsoft Windows Server 2003 with SP1 or later running Microsoft Windows SharePoint Services or Office SharePoint Server 2007 is required for certain advanced collaboration functionality. PowerPoint Slide Library requires Office SharePoint Server 2007.Internet Explorer 6.0 or later, 32 bit browser only. Internet functionality requires Internet access (fees may apply).
Additional
Actual requirements and product functionality may vary based on your system configuration and operating system.
Folder Locations and Save Options
Folder Locations set to network drive. Drop autsave time to 5 mins. This will need to be checked for all apps.
Personal Folder
I removed Ofice 2000 from Personal Assistants PC. Installed 2007. When I started up Outlook it automatically migrated the Personal Folder (which must not have been deleted when office was removed) into the new version. However there was now two Personal Folders in Outlook. I just closed one and it was OK. I will need to investigate as she may have imported her backup copy from her network drive without realising it had already been done.
Monday, June 25, 2007
All things Vista
I have just installed Vista Ultimate. As I configure and learn I will document.
I connected to the domain. I then tried to access a share on the domain server. This is achieved by going to the start menu and then clicking on network. It told me that network discovery was turned off.
To paraphrase in order to improve my understanding
There are 3 network environments you can choose to have your PC fall under the umbrella of.
I connected to the domain. I then tried to access a share on the domain server. This is achieved by going to the start menu and then clicking on network. It told me that network discovery was turned off.
To paraphrase in order to improve my understanding
There are 3 network environments you can choose to have your PC fall under the umbrella of.
- Work
- Home
- Public (e.g. Using a hot spot at a cafe.)
By selecting one of these network environments the firewall settings are changed to reflect the security required when using your pc in these locations
If you select Work and home office then other Computers on the network can see your PC and you can see other PC's on the network. Other PC's can see and use your shared resources (permissions withstanding) and you can see and use other PC's resources (permissions withstanding). Network Discovery is turned on.
If you select Public then other computers on the network can not see your PC and you cannot see other PC's on the network. Other PC's can not use your shared resources and you cannot use other PC's shared resources. Network discovery is turned off
When connected to a domain, group policy can control if Network Discovery is on or off
To change the Network Discovery setting start>network>network and sharing
Network Discovery can be turned on or off for the network.
There is an option to turn file sharing on or off.
There is an option to turn Public Folders on or off
Public Folder Sharing
The public folder has the following sub folders
- Documents
- Downloads
- Music
- Pictures
- Videos
You could create your own folders under the public folder. Any files placed in this folder and its subsequent subfolders is available to any user that logs on to your PC.
There is an additional option under start>network>network and sharing that allows you to turn Public folder sharing on or off. If it is on then computers on the network will be able to access files placed in the Public folder and subfolders. If it is turned off the access to the Public folder will only be available to those users logging on to your PC.
The options for enabling the Public Folder are
- Open and allow network users read only access
- Open and allow network users read,change and create access
- Do not allow network users access
Administration Pak for Vista
The fownload link for the Latest administration pak for Windows 2003. This can be installed on to your vista machine and allow remote administration of your Domin Controller. Mostly used for its remote administration capabilities i.e. connect to our servers without having to go to the server room.
Windows Update
Service Pack 1 was required to update WSUS 2
http://support.microsoft.com/?kbid=919004
Switch Users
Unlike Windows XP you can us the switch user facility when you are connected to a domain. Very handy if you want to flick to an administrator user. If you want to logon on as another user and connect to the domain for the username enter domain\username. If you want to connect to the local computer loccalpcname\username
User Profile Locations
The user profile location on windows XP was c:\Documents and Settings\Username . This has been changed to c:\users\Username
Where to access physical network adapter
Start>Network>Network and Sharing>Manage Network Connections
Security
Well there seems to be more administation options with Windows firewall in Vista than its predecessor Windows XP. I am not going to cover everything know for a couple of reasons
- I don't understand it all
- Will have to study the security options further.
For the moment I will concentrate on configuring security for Windows Management Instrumentation (WMI). I was trying to run a script from my laptop (which is also hosting virtual pc) to a virtual PC. Bothe were connected to a domain.
Originally I was getting the error
"Remote Server machine does not exist or is not available" : Get Object
There is two locations where firewall changes can be made. The first is via start>control panel> and then click the link "Allow a program through windows firewall". Under the exceptions tab there was an option to click an exception for WMI. This did not fix the problem.
This was when I discovered there was another location to change firewall settings. An advanced section if you like. Go to start>administrative tools>Windows firewall with advanced security. Here there are inbound rules and outbound rules. There is a set of inbound and outbound rules for 3 profile types
- Domain
- Public
- Private
I found I needed to enable the following two rules on the virtual computer to get my WMI script to work.
- Windows Management Instrumentation (DCOM-In)
- Windows Management INstrumentation (WMI-In)
ALL USERS
The al users folder has changed location. It can be found under c:\public\desktop. It is a hidden folder. To view the folder drom the computer explorer windows organize>folder and search options>view and untick do not show hidden folders.
Star Stream
Will need to look at making the location for Star Stream a trusted location to avoid the constant Vista pop ups. Note this is done on a per user basis not system wide. This will have implications for mandatory profiles.
Printers
Drivers for network printers and local printers will need to be upgraded.
File association
If you want to associate a file type right click on the file and then select the program you want to use to open the files of type extension. Make sure the deafult program box is checked.
Wednesday, June 13, 2007
Remote Desktop
To enable or disable Remote Desktop
1. Open Group Policy.
2. In Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Allows users to connect remotely using Terminal Services setting.
3. Do one of the following:
- To enable Remote Desktop, click Enabled.
- To disable Remote Desktop, click Disabled.
If you disable Remote Desktop while users are connected to the target computers, the computers maintain their current connections, but will not accept any new incoming connections.
Set Firewall Exception
- Computer Configuration>Administrative Templates>Network>Network Connections>Windows firewall>Domain Profile>allow remote desktop exception enable
Thursday, May 10, 2007
Creating and Using MSDE
Below is the procedure I used to create a Microsfot SQL Server Desktop Edition (MSDE).
Find the product on the web. It is free. Download and then extract it.
The default directory was c:\msdereia
From the command prompt run
setup.exe SAPWD="password" INSTANCENAME="NAV"
set the password and instanvename do what ever you want.
For my purposes I was setting this up for the SAV Reporting server.
I found that this set up in windows authentication mode.
The instance is not started up by default. So go to the services panel and start a service
mssql$instancename where instance name is your instance.
Therfore to connect to the database from the command prompt enter
osql -E -S servername\instancename
You will now be at a 1> prompt. You have now confirmed your databse is up and running.
I found that for the SAV reporting server I needed to be in what is called mixed mode.
Stop the instance service.
To achieve this I changed the following registry value from 1 to 0
HKLM\Software\Microsoft\Microsoft SQL Server\myinstance\MSSQLServer and the key Loginmode.
You can now connect to the datbase as follows
osql -U sa -S server\instancename and you will be promted for a password.
On correct entry of password you will be at the 1> prompt
This was my reference.
http://www.codeproject.com/database/ConfigureMSDE.asp
Find the product on the web. It is free. Download and then extract it.
The default directory was c:\msdereia
From the command prompt run
setup.exe SAPWD="password" INSTANCENAME="NAV"
set the password and instanvename do what ever you want.
For my purposes I was setting this up for the SAV Reporting server.
I found that this set up in windows authentication mode.
The instance is not started up by default. So go to the services panel and start a service
mssql$instancename where instance name is your instance.
Therfore to connect to the database from the command prompt enter
osql -E -S servername\instancename
You will now be at a 1> prompt. You have now confirmed your databse is up and running.
I found that for the SAV reporting server I needed to be in what is called mixed mode.
Stop the instance service.
To achieve this I changed the following registry value from 1 to 0
HKLM\Software\Microsoft\Microsoft SQL Server\myinstance\MSSQLServer and the key Loginmode.
You can now connect to the datbase as follows
osql -U sa -S server\instancename and you will be promted for a password.
On correct entry of password you will be at the 1> prompt
This was my reference.
http://www.codeproject.com/database/ConfigureMSDE.asp
Sunday, May 6, 2007
Access Denied - SAV Reporting
Trying to use the new reporting tool in 10.1 of SAV
It uses Internet Information Services (IIS). Trying to access the front page from Symantec System Console (SSC) gives
HTTP error 404; Forbidden Access Denied
From the IIS log
2007-05-07 00:01:52 W3SVC1 10.130.248.10 POST /Reporting/admin/upload.php - 80 - 10.130.248.10 libwww-perl/5.803 403 19 1314
SAV support had me add the NETWORK SERVICES group to
the resgistry on the server
Computer Configuration>Windows Settings>Security Settings>Local Polices>User Rights Assignment>
"Adjust Memory process quota for a processs" and "Replace a process level token"
I checked in the Web Server Extensions of IIS
The SAV install procedure has added a path to the the php-cgi.exe
I added one for php5isapi.dll no good
I added IUSR_Server user to gave the above two rights no good
The problem was fixed by giving the network service security group read,read/execute permissions to the symantec folder. I probably would have got away with just adding it at the reporting folder level. Of the things I tried prior the only one that needs to be actioned is adding the same group to the two registry entries.
It uses Internet Information Services (IIS). Trying to access the front page from Symantec System Console (SSC) gives
HTTP error 404; Forbidden Access Denied
From the IIS log
2007-05-07 00:01:52 W3SVC1 10.130.248.10 POST /Reporting/admin/upload.php - 80 - 10.130.248.10 libwww-perl/5.803 403 19 1314
SAV support had me add the NETWORK SERVICES group to
the resgistry on the server
Computer Configuration>Windows Settings>Security Settings>Local Polices>User Rights Assignment>
"Adjust Memory process quota for a processs" and "Replace a process level token"
I checked in the Web Server Extensions of IIS
The SAV install procedure has added a path to the the php-cgi.exe
I added one for php5isapi.dll no good
I added IUSR_Server user to gave the above two rights no good
The problem was fixed by giving the network service security group read,read/execute permissions to the symantec folder. I probably would have got away with just adding it at the reporting folder level. Of the things I tried prior the only one that needs to be actioned is adding the same group to the two registry entries.
Thursday, March 1, 2007
Network Drives not updating
For users that do not have a mandatory profile when they run the stafflogon script that among other things connects the network drives they get the error
"The local device name is already in use"
For the most part this does not matter beacuse the network drives do not change. What happens though if you change a server or change the UNC for a drive.
A solution to this problem may be to have a script run at logoff or shutdown that disconnects the drives.
Try something different first.
Copied the existing logon script to cw.bat
added the line
net use /persistent:no at the end of the script
Changed logon script in profile for teacher to cw.bat.
Test Case 1:
Log on to a user that already has the incorrect drives mapped. Those mapped to the old servers.
Check they do have the incorrect drives.
logoff the user and change their logon script to cw.
See what happens.
This does not work. I think the reason is because the drives were connected previously with, by default, persistence = yes. Hence they will have to be deleted initially. You could eventually remove the delete connections text from the script because the connections would not be persistent.
Add the delete connections text to the cw script.
This works a treat.
When you have the user logon a second time and hence the logon script is run again the delete drives text fails be cause the drives are no longer persistent and hence are not there. This is a quick process and will not cause any problems.
I have not changed the users home directory mapping. (net use h: /home) This receives its connection string from the Active Directory. When we role over a server this is changed accordingly. This must be a special map i.e. it is not persistent otherwise you would think it would suffer from the original problem.
"The local device name is already in use"
For the most part this does not matter beacuse the network drives do not change. What happens though if you change a server or change the UNC for a drive.
A solution to this problem may be to have a script run at logoff or shutdown that disconnects the drives.
Try something different first.
Copied the existing logon script to cw.bat
added the line
net use /persistent:no at the end of the script
Changed logon script in profile for teacher to cw.bat.
Test Case 1:
Log on to a user that already has the incorrect drives mapped. Those mapped to the old servers.
Check they do have the incorrect drives.
logoff the user and change their logon script to cw.
See what happens.
This does not work. I think the reason is because the drives were connected previously with, by default, persistence = yes. Hence they will have to be deleted initially. You could eventually remove the delete connections text from the script because the connections would not be persistent.
Add the delete connections text to the cw script.
This works a treat.
When you have the user logon a second time and hence the logon script is run again the delete drives text fails be cause the drives are no longer persistent and hence are not there. This is a quick process and will not cause any problems.
I have not changed the users home directory mapping. (net use h: /home) This receives its connection string from the Active Directory. When we role over a server this is changed accordingly. This must be a special map i.e. it is not persistent otherwise you would think it would suffer from the original problem.
Set Proxy Setting via Group Policy
If a user does not have a mandatory profile set then they cannot connect to the internet. the reason being that the school proxy seetings have not been set. I am trying to do this via group policy.
I have created a test Organisation Unit (OU) with a test group policy and in this
Under User Configuration>Window Settings>Internet Explorer Maintenance>Connection>Proxy Settings I have enabled proxy settings and entered our proxy server and port number.
I have created a user teacher. This user has no fixed profile so on initially logging onto the computer it has a proxy setting of "Automatically Detect Settings"
I have now moved the test computer under the test OU and rebooted a couple of times.
I checked in the event log and the "Application Management" event indiacted that "changes to software installation settings; were applied successfully"
Checked the proxy settings and they had not been set."
I removed another group policy below the test one that was there.
Rebooted again
Strange!! Automatically Detect settings is ticked Use automatic configuration is ticked and has a config file. Proxy Server Settings are set correctly.
Reboot to confirm
Back to having just Automatically Detect settings ticked. With the previous Strange happeneings
the event viewer had not shown "software settings applied successfully"
Let the troubleshooting begin
Need to know what policy settings are in effect.
Tools that you can use to see what policy is in effect include Resultant Set of Policy and gpresult
You can also get a report on policy from Help and Support Center by following these steps:
1. Click the Start button, and then click Help and Support.
2. Click Support.
3. Under See Also, click Advanced System Information.
4. Under Advanced System Information, click View Group Policy settings applied.
The report includes User name and domain; Computer name and domain; When User Settings and Computer Settings were last applied; Folder redirection details; Logon, logoff, startup and shutdown scripts; Installed software; and Administrative Templates. The report also gives information about Security Settings, and connection and proxy settings for IE Maintenance.
This showed that the last time group policy was applied was Yesterday???
Ok so I refreshed the Group policy by running gpupdate at the command line of the test PC.
It indicated it had succesfully completed.
However the Last time the group policy was updated still showed yesterday. The proxy settings now show nothing. i.e Automatically detect settings is now unset so there has been a change.
Alright now this is annoying me. Lets get serious
Enable verbose logging on XP
1.Click Start, click Run, type regedit in the Open field, and then click OK
2.Locate and then double-click LogLevel under the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
3.On the Edit DWORD Value window, click to select Hexadecimal on the Base pane. 4.
Type 0000FFFF in the Value data box.
5.Click OK.
Thye size of the setupapi file did not change and there were no entries for today despite numerous reboots!!!!!!
Trawling the net for hours has come up with the goods.
I moved the computer account under the test OU. The settings I was trying to apply from the GPO were for the User. Hence I had to move the user under the test OU and guess what it worked.
A fundamental misunderstanding on my behalf.
No time to celebrate this achievement.
If I remove the proxy settings then they are not added back with a logoff or a reboot.!!!
This behavior occurs because Internet Explorer security settings in Group Policy that has not changed are not to be applied to a user, even if the user has changed the same security settings in the local browser. If you change the local security settings, the settings in the local registry are overwritten.
To resolve this behavior, force the Internet Explorer settings in a Group Policy to always rewrite the appropriate registry keys when the user logs on to the computer:
1.On a domain controller, open the Active Directory Users and Computers snap-in.
2.Right-click the domain name, and then click Properties.
3.Click the Group Policy tab, click the default domain policy, and then click Edit.
4.Expand Administrative Templates under Computer Configuration in the Tree pane.
5.Expand System under Administrative Templates, and then click Group Policy.
6.Click Internet Explorer Maintenance Policy Processing in the Policy pane.
7.Double-click Internet Explorer Maintenance Policy Processing to open the properties for Internet Explorer Maintenance Policy Processing.
8.Click Enable on the Policy tab, and then click Process, even if Group Policy objects have not changed.
9.Click OK to set the policy.
The proxy settings are still mot being update!!!
You may experience the following issues when you try to apply a Microsoft Internet Explorer or a Windows Internet Explorer Maintenance policy to a client computer:
•
The policy is only applied one time.
•
The policy is not reapplied when you log on, even if you have enabled the "Process even if the Group Policy objects have not changed" setting.
•
The policy does not respond to the GPUPDATE /FORCE command.
The Internet Explorer Maintenance policy is probably running in preference mode. Preference mode is designed to provide initial settings to a user without enforcing them.
1.Open the Group Policy Object Editor snap-in. To do this:
a. Click Start, click Run, type mmc in the Open box, and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. Click Add.
d. Click Group Policy Object Editor, and then click Add.
e. Click the target Group Policy object (GPO). The default GPO is Local Computer. Click Browse to select the GPO that you want, and then click Finish.
f. Click Close, and then click OK.
2.In the console tree, expand the GPO, expand User Configuration, and then expand Windows Settings.
3.Right-click Internet Explorer Maintenance, and then click Preference Mode.
What a roll. Works beautifully. This will allow users with laptops to change the proxy settings when they go home and automatically be changed back when they log in at work.
Not so good. It works sometimes and someteimes it doesn't. Some computers always work some don't work. What a mess.
Will begin to troubleshoot what looks hopeless.
My laptop appears to work successfully.
So I will start to try and find differences.
I have noticed that when I rebooted a computer that was not working this morning 20/03/07
I checked in the event log and the "Application Management" event indiacted that "changes to software installation settings; were applied successfully" Why would this have appeared when I had made no changes.
On computers that were working this was not there.
As part of the investigation I wanted to know what was a
Local Group Policy Object
Local Group Policy Objects (LGPOs), on the other hand, are much simpler, because there is exactly one LGPO on each Windows 2000 or later computer on your network. In an Active Directory environment, LGPOs have the lowest precedence and are always processed first if they have been configured, and so the result is that LGPO settings are usually overwritten by GPOs linked to domains, sites, or OUs. As a result, you usually won't need to configure LGPOs unless you have stand-alone computers that belong to a workgroup. Another scenario in which LGPOs might need to be configured would be kiosk machines configured in a stand-alone environment for public users to access.
The simplest way to configure the LGPO on a Windows 2000 or later computer is by choosing Start -> Run -> gpedit.msc -> OK. As shown in Figure 1 below, this opens the Local Computer Policy in the Group Policy Object Editor.
As a final observation, note that Microsoft says in its documentation that every Windows 2000 or later computer has exactly one LGPO and that this LGPO is stored in a hidden folder named %windir%\system32\Group Policy. This is not quite true, however, as I discovered recently when I worked as tech reviewer for Microsoft Press on the upcoming Microsoft Windows Group Policy Guide. It turns out that this %windir%\system32\Group Policy folder doesn't actually exist on a computer until you first open the GPOE to edit Local Group Policy on that machine. Thus initially there is no LGPO at all on a Windows machine until you decide to configure local policy on the machine using the GPOE.
Trying to pin where the problem occurs is nearly hopless as there seems to be no pattern.
I was working on my laptop and the Internet was working. Went to access a site 10 minutes latter and found I could not access an external site. Checked my proxy seetings and found that
"Use a Proxy Server" was unticked.
By running gpresult we have found that the Computer and User Group Policy settings are updated about every ninety minutes.
Once the setting is lost you can either manually tick the box or a reboot(sometimes) two fixes the problem.
Some interesting info
By default, Group Policy is refreshed every 90 minutes with a randomized delay of up to 30 minutes, for a total maximum refresh interval of up to 120 minutes. This interval can be changed using the computer policy setting Group Policy refresh interval for Computer located in the Computer Configuration\Administrative Templates\System\Group Policy namespace
Ok the problem has been fixed we are 99% sure. Thank God for that.
Replication between the domain server and the secondary server was not working and had not been for some time. Hence the changes we made to group policy were being applied on our domin server and not to our secondary server. Why the random nature? Where a computer gets its policy information is done I believe on a load balancing algorithim. Hence sometimes you will get the correct group policy information from the domain server and sometimes you will get the incorrect (outdated) information from the secondary server.A gpresult actually shows which machine it has compiled your policy information from.
The secondary server has been switched off until the replication issue is rectified.
THE END. (I pray)
I have created a test Organisation Unit (OU) with a test group policy and in this
Under User Configuration>Window Settings>Internet Explorer Maintenance>Connection>Proxy Settings I have enabled proxy settings and entered our proxy server and port number.
I have created a user teacher. This user has no fixed profile so on initially logging onto the computer it has a proxy setting of "Automatically Detect Settings"
I have now moved the test computer under the test OU and rebooted a couple of times.
I checked in the event log and the "Application Management" event indiacted that "changes to software installation settings; were applied successfully"
Checked the proxy settings and they had not been set."
I removed another group policy below the test one that was there.
Rebooted again
Strange!! Automatically Detect settings is ticked Use automatic configuration is ticked and has a config file. Proxy Server Settings are set correctly.
Reboot to confirm
Back to having just Automatically Detect settings ticked. With the previous Strange happeneings
the event viewer had not shown "software settings applied successfully"
Let the troubleshooting begin
Need to know what policy settings are in effect.
Tools that you can use to see what policy is in effect include Resultant Set of Policy and gpresult
You can also get a report on policy from Help and Support Center by following these steps:
1. Click the Start button, and then click Help and Support.
2. Click Support.
3. Under See Also, click Advanced System Information.
4. Under Advanced System Information, click View Group Policy settings applied.
The report includes User name and domain; Computer name and domain; When User Settings and Computer Settings were last applied; Folder redirection details; Logon, logoff, startup and shutdown scripts; Installed software; and Administrative Templates. The report also gives information about Security Settings, and connection and proxy settings for IE Maintenance.
This showed that the last time group policy was applied was Yesterday???
Ok so I refreshed the Group policy by running gpupdate at the command line of the test PC.
It indicated it had succesfully completed.
However the Last time the group policy was updated still showed yesterday. The proxy settings now show nothing. i.e Automatically detect settings is now unset so there has been a change.
Alright now this is annoying me. Lets get serious
Enable verbose logging on XP
1.Click Start, click Run, type regedit in the Open field, and then click OK
2.Locate and then double-click LogLevel under the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
3.On the Edit DWORD Value window, click to select Hexadecimal on the Base pane. 4.
Type 0000FFFF in the Value data box.
5.Click OK.
Thye size of the setupapi file did not change and there were no entries for today despite numerous reboots!!!!!!
Trawling the net for hours has come up with the goods.
I moved the computer account under the test OU. The settings I was trying to apply from the GPO were for the User. Hence I had to move the user under the test OU and guess what it worked.
A fundamental misunderstanding on my behalf.
No time to celebrate this achievement.
If I remove the proxy settings then they are not added back with a logoff or a reboot.!!!
This behavior occurs because Internet Explorer security settings in Group Policy that has not changed are not to be applied to a user, even if the user has changed the same security settings in the local browser. If you change the local security settings, the settings in the local registry are overwritten.
To resolve this behavior, force the Internet Explorer settings in a Group Policy to always rewrite the appropriate registry keys when the user logs on to the computer:
1.On a domain controller, open the Active Directory Users and Computers snap-in.
2.Right-click the domain name, and then click Properties.
3.Click the Group Policy tab, click the default domain policy, and then click Edit.
4.Expand Administrative Templates under Computer Configuration in the Tree pane.
5.Expand System under Administrative Templates, and then click Group Policy.
6.Click Internet Explorer Maintenance Policy Processing in the Policy pane.
7.Double-click Internet Explorer Maintenance Policy Processing to open the properties for Internet Explorer Maintenance Policy Processing.
8.Click Enable on the Policy tab, and then click Process, even if Group Policy objects have not changed.
9.Click OK to set the policy.
The proxy settings are still mot being update!!!
You may experience the following issues when you try to apply a Microsoft Internet Explorer or a Windows Internet Explorer Maintenance policy to a client computer:
•
The policy is only applied one time.
•
The policy is not reapplied when you log on, even if you have enabled the "Process even if the Group Policy objects have not changed" setting.
•
The policy does not respond to the GPUPDATE /FORCE command.
The Internet Explorer Maintenance policy is probably running in preference mode. Preference mode is designed to provide initial settings to a user without enforcing them.
1.Open the Group Policy Object Editor snap-in. To do this:
a. Click Start, click Run, type mmc in the Open box, and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. Click Add.
d. Click Group Policy Object Editor, and then click Add.
e. Click the target Group Policy object (GPO). The default GPO is Local Computer. Click Browse to select the GPO that you want, and then click Finish.
f. Click Close, and then click OK.
2.In the console tree, expand the GPO, expand User Configuration, and then expand Windows Settings.
3.Right-click Internet Explorer Maintenance, and then click Preference Mode.
What a roll. Works beautifully. This will allow users with laptops to change the proxy settings when they go home and automatically be changed back when they log in at work.
Not so good. It works sometimes and someteimes it doesn't. Some computers always work some don't work. What a mess.
Will begin to troubleshoot what looks hopeless.
My laptop appears to work successfully.
So I will start to try and find differences.
I have noticed that when I rebooted a computer that was not working this morning 20/03/07
I checked in the event log and the "Application Management" event indiacted that "changes to software installation settings; were applied successfully" Why would this have appeared when I had made no changes.
On computers that were working this was not there.
As part of the investigation I wanted to know what was a
Local Group Policy Object
Local Group Policy Objects (LGPOs), on the other hand, are much simpler, because there is exactly one LGPO on each Windows 2000 or later computer on your network. In an Active Directory environment, LGPOs have the lowest precedence and are always processed first if they have been configured, and so the result is that LGPO settings are usually overwritten by GPOs linked to domains, sites, or OUs. As a result, you usually won't need to configure LGPOs unless you have stand-alone computers that belong to a workgroup. Another scenario in which LGPOs might need to be configured would be kiosk machines configured in a stand-alone environment for public users to access.
The simplest way to configure the LGPO on a Windows 2000 or later computer is by choosing Start -> Run -> gpedit.msc -> OK. As shown in Figure 1 below, this opens the Local Computer Policy in the Group Policy Object Editor.
As a final observation, note that Microsoft says in its documentation that every Windows 2000 or later computer has exactly one LGPO and that this LGPO is stored in a hidden folder named %windir%\system32\Group Policy. This is not quite true, however, as I discovered recently when I worked as tech reviewer for Microsoft Press on the upcoming Microsoft Windows Group Policy Guide. It turns out that this %windir%\system32\Group Policy folder doesn't actually exist on a computer until you first open the GPOE to edit Local Group Policy on that machine. Thus initially there is no LGPO at all on a Windows machine until you decide to configure local policy on the machine using the GPOE.
Trying to pin where the problem occurs is nearly hopless as there seems to be no pattern.
I was working on my laptop and the Internet was working. Went to access a site 10 minutes latter and found I could not access an external site. Checked my proxy seetings and found that
"Use a Proxy Server" was unticked.
By running gpresult we have found that the Computer and User Group Policy settings are updated about every ninety minutes.
Once the setting is lost you can either manually tick the box or a reboot(sometimes) two fixes the problem.
Some interesting info
By default, Group Policy is refreshed every 90 minutes with a randomized delay of up to 30 minutes, for a total maximum refresh interval of up to 120 minutes. This interval can be changed using the computer policy setting Group Policy refresh interval for Computer located in the Computer Configuration\Administrative Templates\System\Group Policy namespace
Ok the problem has been fixed we are 99% sure. Thank God for that.
Replication between the domain server and the secondary server was not working and had not been for some time. Hence the changes we made to group policy were being applied on our domin server and not to our secondary server. Why the random nature? Where a computer gets its policy information is done I believe on a load balancing algorithim. Hence sometimes you will get the correct group policy information from the domain server and sometimes you will get the incorrect (outdated) information from the secondary server.A gpresult actually shows which machine it has compiled your policy information from.
The secondary server has been switched off until the replication issue is rectified.
THE END. (I pray)
Wednesday, February 28, 2007
Word closes as soon as you open
As a user you try to start word but it closes as soon as it opens. Existing documents open ok. Tried as administrator and it was ok.
Trawling the web found an idea to rename the normal.dot file. Did this and we have a winner.
Trawling the web found an idea to rename the normal.dot file. Did this and we have a winner.
VASS Unable to Generate report
In the VASS system user was able to logon but when they tried the following nothing happened. Goto School Admin>Data Services>Reporting. Click on Running Service showed nothing.
After a series of fix attempts I made the use a member of the Administrator group. An activeX control for Mead & Co was then installed. This had been released 9 Feb 2007. I was then able to remove the user from the administrators group and all was good.
After a series of fix attempts I made the use a member of the Administrator group. An activeX control for Mead & Co was then installed. This had been released 9 Feb 2007. I was then able to remove the user from the administrators group and all was good.
Thursday, February 22, 2007
WMI error retrieving Software List from Remote PC
When I tried to get the software list from a remote PC after switching servers I got the error
"The remote Server machine does not exist or is anavailable: 'Getobject'
Trawling the net I found the following.
With Windows XP2 you need to make an exception to allow WMI to communicate. Instructions below. In my case this was set but I had due to security reasons only allowed our server to make the calls. Changing the IP address from the old to the new fixed my problem.
Allow for remote administration
loadTOCNode(2, 'moreinformation');
1.
Click Start, click Run, type gpedit.msc, and then click OK.
2.
Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3.
Right-click Windows Firewall: Allow remote administration exception, and then click Properties.
4.
Click Enabled, and then click OK.
"The remote Server machine does not exist or is anavailable: 'Getobject'
Trawling the net I found the following.
With Windows XP2 you need to make an exception to allow WMI to communicate. Instructions below. In my case this was set but I had due to security reasons only allowed our server to make the calls. Changing the IP address from the old to the new fixed my problem.
Allow for remote administration
loadTOCNode(2, 'moreinformation');
1.
Click Start, click Run, type gpedit.msc, and then click OK.
2.
Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3.
Right-click Windows Firewall: Allow remote administration exception, and then click Properties.
4.
Click Enabled, and then click OK.
Monday, February 19, 2007
Boot.ini file missing on boot
When the PC boots you get an error indicating that the boot.ini is invalid and it is booting from c:\windows.
To fix create a boot.ini file with the following in it and save it to c:\windows
[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
To fix create a boot.ini file with the following in it and save it to c:\windows
[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
Move Intranet from one Server to Another
I have moved my intranet (mainly sport signups) from a Windows 2000 machine to a Windows 2003 machine.
Basically just copied the files from one server to another. Any full path references I have changed the servername.
Trying to access an asp page and get the following
"Access Denied. You must log into the Domain to access this web page."
The above message was generated by my code. Good God!!!!
It was beacuse the getlogonuser function was returning nothing. This was because allow annononoymous was set. See the below article for info.
http://support.microsoft.com/kb/251326
Extract of the above article I used
Setting IIS permissions
IIS will return an empty string ("") for the user name if Allow Anonymous is enabled on the page. Allow Anonymous must be turned off at the page level in IIS to return the network user name. To do so, follow these steps:
1.
In IIS, right-click the ASP file, and then click Properties. Click the File Security tab.
2.
If you are using IIS 5.0 on Microsoft Windows 2000 Server, under Anonymous Access and Authentication Control, click the Edit button, and then click to clear the Anonymous Access check box. If you are using IIS 4.0 on Windows NT 4.0, click to clear the Allow Anonymous Access check box.
3.
Make sure that the Integrated Windows authentication check box or the Basic authentication check box is checked. If the Basic authentication check box is checked, make sure that SSL is used on the Web site. For more information, click the following article number to view the article in the Microsoft Knowledge Base
Basically just copied the files from one server to another. Any full path references I have changed the servername.
Trying to access an asp page and get the following
"Access Denied. You must log into the Domain to access this web page."
The above message was generated by my code. Good God!!!!
It was beacuse the getlogonuser function was returning nothing. This was because allow annononoymous was set. See the below article for info.
http://support.microsoft.com/kb/251326
Extract of the above article I used
Setting IIS permissions
IIS will return an empty string ("") for the user name if Allow Anonymous is enabled on the page. Allow Anonymous must be turned off at the page level in IIS to return the network user name. To do so, follow these steps:
1.
In IIS, right-click the ASP file, and then click Properties. Click the File Security tab.
2.
If you are using IIS 5.0 on Microsoft Windows 2000 Server, under Anonymous Access and Authentication Control, click the Edit button, and then click to clear the Anonymous Access check box. If you are using IIS 4.0 on Windows NT 4.0, click to clear the Allow Anonymous Access check box.
3.
Make sure that the Integrated Windows authentication check box or the Basic authentication check box is checked. If the Basic authentication check box is checked, make sure that SSL is used on the Web site. For more information, click the following article number to view the article in the Microsoft Knowledge Base
Sunday, February 18, 2007
RIS DHCP Issue
Primary Domain Controller was demoted (still exists on the network). A new Primary Domain controller (PDC) exists. The new PDC has a differnet server name and IP address.
When a RIS client tries to connect to the RIS server it fails
E53 - No bootname received
On the RISServer there is an error Event ID 1051
The DHCP/BINL service has determined that it is not authorized to serve clients on this network for the windows domain: student.star
Problem was fixed with the following solution
A. To re-authorize your Windows 2000 RIS server, follow these steps:
1. Open DHCP from Administrative Tools.
2. Right-click DHCP in the upper-left corner of the DHCP screen, and then click Manage Authorized Servers. If your server is not already listed, click Authorize, and then enter the Internet Protocol (IP) address of the RIS server. When you are prompted, click Yes to verify that the address is correct.
3. Restart the DHCP server.
When a RIS client tries to connect to the RIS server it fails
E53 - No bootname received
On the RISServer there is an error Event ID 1051
The DHCP/BINL service has determined that it is not authorized to serve clients on this network for the windows domain: student.star
Problem was fixed with the following solution
A. To re-authorize your Windows 2000 RIS server, follow these steps:
1. Open DHCP from Administrative Tools.
2. Right-click DHCP in the upper-left corner of the DHCP screen, and then click Manage Authorized Servers. If your server is not already listed, click Authorize, and then enter the Internet Protocol (IP) address of the RIS server. When you are prompted, click Yes to verify that the address is correct.
3. Restart the DHCP server.
Tuesday, February 13, 2007
Managing Software Licences
How to store software licence information?
How to store software install instructions?
How to keep track of licenses used?
I have an access database that has every PC owned by the school. I also store the software installed on each computer. This is software that is in the add/remove programs list. Some software is not listed in the afore mentioned list. These programs are generally old. Because it is such a small number i am prepared to ignore them.
I will store the software license information in an access table. All hard copies will also be kept.
Info required
Title
No of licences
Site name
Site codes
Install instructions
I will then be able to compare using an access query no of licences used against licences purchased.
How to store software install instructions?
How to keep track of licenses used?
I have an access database that has every PC owned by the school. I also store the software installed on each computer. This is software that is in the add/remove programs list. Some software is not listed in the afore mentioned list. These programs are generally old. Because it is such a small number i am prepared to ignore them.
I will store the software license information in an access table. All hard copies will also be kept.
Info required
Title
No of licences
Site name
Site codes
Install instructions
I will then be able to compare using an access query no of licences used against licences purchased.
Monday, January 22, 2007
Symantec Virus Definition invalid (CC001000)
Having run the database app to determine which clients are not communicating with the server
you will find 9 out of 10 times the problem is
Symantec Virus Definition invalid (CC001000) in the application event viewer.
The easiest way to repair corrupted virus definitions is to download and run the Intelligent Updater file.Download and run the yyyymmdd-version-x86.exe file (yyyymmdd-version indicates the date and version of the definition file).
I have found this does not work.
The easiest way to get aroun this problem is to delete the client and reinstall.
you will find 9 out of 10 times the problem is
Symantec Virus Definition invalid (CC001000) in the application event viewer.
The easiest way to repair corrupted virus definitions is to download and run the Intelligent Updater file.Download and run the yyyymmdd-version-x86.exe file (yyyymmdd-version indicates the date and version of the definition file).
I have found this does not work.
The easiest way to get aroun this problem is to delete the client and reinstall.
Subscribe to:
Posts (Atom)