Archive for the ‘Microsoft Windows 2003 Server’ Category

How to tell what version of Active Directory you have

To see which version of Active Directory you have, browse to the following registry key on your domain controller(s):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

and look at the value Schema Version.

13 = Microsoft Windows 2000
30 = Original release version of Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 (SP1)
31 = Microsoft Windows Server 2003 R2
44 = Windows 2008

How to: Let domain users enable or disable the proxy server

In most environments users have a laptop that they use in the office, but also out of the office. When a proxy server is enabled in the Internet Explorer settings, they can reach the internet at the office. But when they log in outside the office, the proxy server is still enabled. So... no internet for you! In most situations the Internet Explorer settings are hidden through a GPO, so the users are not able to edit the proxy settings manually. With the tool ProxyPal, you can give the users the opportunity to enable or disable the proxy.

1.) Install ProxyPal on the laptop or computer (you can deploy it with a GPO)
2.) Edit your GPOs to hide the Connections tab in your Internet Settings. (Optional!)
3.) The users can enable or disable the proxy server now


How to: Let domain users change their Power Scheme

In some environments users must have the ability to change the power scheme. By default, normal Domain Users are not able to do this; they get an “Access Denied”. With the following Group Policy configuration, the Domain Users are able to edit the Power Scheme on their laptop or PC.

1.) Make a new Group Policy and link it to the Organizational Unit where the computer objects are placed
2.) Go to Computer Configuration\Policies\Windows Settings\Security Settings\Registry
3.) Add the following registry keys
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\GlobalPowerPolicy
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies
4.) Edit the permissions for the BUILTIN\Users from Read to Full Control
5.) Reboot your client
6.) Log in with a user on that client
7.) The user now has the ability to change the Power Scheme
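
To confirm on a client what the policy above actually granted, the following added example (not part of the original post) lists every principal that can modify the two PowerCfg keys from step 3. The function name Get-RegistryWriteAccess is a hypothetical helper; the script only reads the ACLs.

```powershell
# Added example: report who can write to the two PowerCfg keys from step 3.
# Read-only; run on a client after the GPO has applied.
$base = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg'
$keys = 'GlobalPowerPolicy', 'PowerPolicies'

# Specific rights that allow changing the key, its values or its permissions.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry generic rights instead (GENERIC_ALL, GENERIC_WRITE).
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

# Hypothetical helper name, not a built-in cmdlet.
function Get-RegistryWriteAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) {
            Write-Warning "Key not found: $p"
            continue
        }
        # Keep only Allow entries that include at least one write-type right.
        (Get-Acl -Path $p).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.RegistryRights -band $writeMask) -ne 0)
            } |
            Select-Object @{ Name = 'Key'; Expression = { Split-Path -Leaf $p } },
                          IdentityReference, RegistryRights, IsInherited
    }
}

Get-RegistryWriteAccess -Path ($keys | ForEach-Object { Join-Path $base $_ }) |
    Format-Table -AutoSize
```

After step 4, BUILTIN\Users should appear with FullControl on both keys; any other non-administrative principal in the output was not granted by this procedure.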


How to: Add custom INI files to your Immidio Flex Profiles environment

By default there are a couple of ProfileSettings available when you install Immidio Flex Profiles. When you install a new application in your Terminal Server environment, you also want to save that application's settings for your users! In my Terminal Server environment I’ve installed Adobe Reader and I’ve made a custom INI file for saving the settings for my users.

1.) First create a new INI file in your Flex_Config\ProfileSettings directory
2.) Edit the INI file and type in the RegisterTree or IndividualRegistryValues
3.) Log in to your Terminal Server environment, start Adobe Reader and make some changes
4.) Log off and check whether the user's home directory contains a file called <INIfilename.ZIP>, in my example AdobeReader9.ZIP. In this file you see all the registry settings!
5.) Log in again and see that the settings are saved
6.) Delete the <INIfilename.ZIP> from the user's home directory
7.) Log in again to your Terminal Server environment
8.) As you can see, all the settings are gone!
9.) If you want to restore a backup, one is automatically available in the folder _Settings\Settings_Backup in the user's home directory


How to: configuring Windows 2003 Terminal Server using Immidio Flex Profiles

A nice tool to manage your environment with Mandatory Profiles is Immidio Flex Profiles.

I’m going to install this tool in my Windows 2003 Terminal Server environment.

– First install the Immidio Flex Profile application on your Terminal Server(s). When executing the Immidio Flex Profiles.msi file, no services are installed and no reboots are required. The Flex Profiles MSI file must be executed under an account with administrative privileges, since a small number of registry keys are added to the HKEY_LOCAL_MACHINE hive.
Note! To install the Framework unattended, just run the following command:
msiexec /i "\\Server\Share\Immidio Flex Profiles.msi" /qn


– The Flex Profiles framework includes a compressed file that is used for central configuration purposes: Flex_Config.zip. Extract this file in a central and fault tolerant network share using a Zip program, such as WinZip. The target folder can be a share on a file cluster or the NETLOGON share or SYSVOL folder on a domain controller. The scripts included in Flex_Config.zip help you to centrally configure Flex Profiles.


– Configuring the Flex Profiles in the logon and logoff script is rather simple. The syntax to activate Flex Profiles is as follows.

An example for a logon script may look as follows.
CSCRIPT /NOLOGO "%PROGRAMFILES%\Immidio\Flex Profiles\Flex_Framework.vbs" LOGON \\FLEX.local\NETLOGON\Flex_Config

In the logoff script, specify the LOGOFF option instead:
CSCRIPT /NOLOGO "%PROGRAMFILES%\Immidio\Flex Profiles\Flex_Framework.vbs" LOGOFF \\FLEX.local\NETLOGON\Flex_Config

IMPORTANT: Proper timing is essential when setting up Flex Profiles in a user logon script. It is recommended to run the Flex Framework script in the logon script after the home directories are mapped and before other application settings are configured. Additionally it is recommended to enable the policy Run logon scripts synchronously in order to prevent applications or the desktop from starting while the logon script is still running.


– In order to configure the Flex Profiles Framework the file Framework.ini in the Flex configuration folder needs to be opened and modified with an adequate ANSI editor, such as Notepad.

I’ve edited the setting [LOCATIONS] STOREROOT; this setting configures the root of the path where the profile archives are stored.
STOREROOT=3
uses the user’s Terminal Server home directory directly from AD (only supported with Windows Server 2003 and Windows Server 2008 in an AD environment). By default the value is 1.


– After you log in to your Terminal Server environment and log off again, you’ll see the folder _Settings in the user's home directory. This is where the user-specific settings are saved when the user logs off. As you can see, all the .ZIP files match what is in your NETLOGON directory, where you can define your settings per application! You can add new INI files if you want to add some application settings, or even delete INI files for applications that are not used in your environment.


The file hgfs.dat could not be deleted…why??

In my virtual environment at home I’m using VMware Workstation on the host. Today I’ve installed a new Terminal Server 2003 environment with RES PowerFuse and RES Wisdom. All the users have mandatory profiles, published with RES PowerFuse. When I log in with a user, there’s a copy of the mandatory profile in %systemroot%\Documents and Settings. In my TSpolicy I’ve enabled the option “delete cached copy of roaming profiles”, so all the profiles should disappear when the users log off.

All the user profiles are still there when the user logs off, containing only one directory and one file... hgfs.dat. The file hgfs.dat comes from the VMware shared folders feature. The file is created in the profile of the first user that logs on. The file handle is kept open, and therefore you might get more profile folders for the same user.

I’ve fixed it with the following VMware article (VMware FAQ1317).

1.) Open regedit on your Terminal Server
2.) Locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
3.) Edit the value ProviderOrder
4.) Remove vmhgfs
5.) Close regedit
6.) Reboot your Terminal Server
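
Steps 1 to 5 can also be scripted. The following is an added example, not part of the original post or the VMware article; it assumes ProviderOrder is the usual comma-separated string, and the backup file name under %TEMP% is a hypothetical choice.

```powershell
# Added example: remove vmhgfs from ProviderOrder (steps 1-5 above).
# Run elevated on the Terminal Server; a reboot is still needed afterwards.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$name = 'ProviderOrder'

$current = (Get-ItemProperty -Path $key -Name $name).$name

# ProviderOrder is a comma-separated list of network provider names.
$entries = @($current -split ',' |
             ForEach-Object { $_.Trim() } |
             Where-Object { $_ })

if ($entries -notcontains 'vmhgfs') {
    Write-Output "vmhgfs is not in ProviderOrder ('$current'); nothing to change."
}
else {
    # Drop only the exact entry, keep the order of the remaining providers.
    $updated = ($entries | Where-Object { $_ -ne 'vmhgfs' }) -join ','

    # Save the old value so the change can be reverted by hand.
    # The file name is a hypothetical choice for this example.
    $backup = Join-Path $env:TEMP 'ProviderOrder.before.txt'
    Set-Content -Path $backup -Value $current

    Set-ItemProperty -Path $key -Name $name -Value $updated
    Write-Output "ProviderOrder changed from '$current' to '$updated'."
    Write-Output "Previous value saved to $backup. Reboot the server to apply."
}
```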


How to: Restore deleted users in Active Directory

Do you remember a situation when you deleted a couple of Active Directory objects, and afterwards thought, “oops!!”? You have to restore these user objects, but how? By default Active Directory marks all deleted objects as IsDeleted True. The objects are no longer visible in your Active Directory, but they are still there. These are called tombstoned objects. By default tombstoned objects remain available for 60 days in a Windows 2000/2003 Active Directory and 180 days in a Windows 2003 SP1 or 2008 Active Directory.

In my test environment I’ve created 50 test user objects and deleted a couple of these user objects. Now we are going to restore the objects. First I’ve downloaded the command-line tool adrestore, which I’ll be using for the restore.

 


The following commands can be used:

adrestore
This command gives you an overview of all the tombstoned objects in your Active Directory.

adrestore -r
This command asks for confirmation to restore all the individual tombstoned objects.

adrestore -r “CN of the tombstoned object”, for example adrestore -r testuser11
This command performs a restore of the tombstoned object testuser11.

Note: after a restore of tombstoned objects, the accounts are disabled and the user must change the password at next logon. Before you can enable an account, make sure you reset its password to one that meets the password policies configured in your Default Domain policy.
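
To see the tombstones and how long each one has left before a restore is no longer possible, the following added example (not part of the original post and not part of adrestore) queries them over LDAP. Get-First is a hypothetical helper, the 60-day fallback is the figure quoted above for when tombstoneLifetime is not set, and whenChanged is used as an approximation of the deletion time.

```powershell
# Added example: list tombstoned objects and estimate when each one expires.
# Read-only; by default only domain admins can read deleted objects.
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = "LDAP://$($rootDse.defaultNamingContext)"
$dsPath  = "LDAP://CN=Directory Service,CN=Windows NT,CN=Services," +
           "$($rootDse.configurationNamingContext)"

# tombstoneLifetime is in days; if the attribute is not set, fall back to
# the 60-day figure from the text above.
$ttl = ([ADSI]$dsPath).Properties['tombstoneLifetime'].Value
if (-not $ttl) { $ttl = 60 }

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$domain)
$searcher.Filter    = '(isDeleted=TRUE)'
$searcher.Tombstone = $true     # ask the DC to return deleted objects
$searcher.PageSize  = 500
$searcher.PropertiesToLoad.AddRange([string[]]('name', 'lastKnownParent', 'whenChanged'))

# Hypothetical helper: first value of an attribute, or nothing if absent.
function Get-First($Result, [string]$Attr) {
    $v = $Result.Properties[$Attr]
    if ($null -ne $v -and $v.Count -gt 0) { $v[0] }
}

$searcher.FindAll() | ForEach-Object {
    $r = $_
    $changed = Get-First $r 'whenchanged'   # UTC; approximates deletion time
    if (-not $changed) { return }
    New-Object PSObject -Property @{
        # A tombstone's name is "<old name><newline>DEL:<guid>"; keep the old name.
        Name            = ((Get-First $r 'name') -split '\n')[0]
        LastKnownParent = Get-First $r 'lastknownparent'
        DeletedUtc      = $changed
        DaysLeft        = [math]::Floor(($changed.AddDays($ttl) - [DateTime]::UtcNow).TotalDays)
    }
} | Select-Object Name, LastKnownParent, DeletedUtc, DaysLeft |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```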

Free monitoring tool for Exchange 2000/2003

Solarwinds has a new free monitoring tool available on the website, the Exchange Monitor 1.0. This sounds great, so I’ve installed it in a test environment.

Requirements:
Operating System: Select a 32-bit or 64-bit edition of one of the following operating systems:
     Microsoft Windows XP
     Microsoft Windows Vista
     Microsoft Windows Server 2003
     Microsoft Windows Server 2008
.NET Framework: Microsoft .NET Framework 2.0
Hard Drive space: 10MB
Microsoft Exchange Server 2000/2003
Exchange Server Credentials: Administrator-level access to the Microsoft Exchange Server
Ports: Open the following ports to and from the Exchange Server:
     135/tcp
     445/tcp

Fill in the Exchange server for the Solarwinds Monitor. In our example it’s srv01.e2k3.local.

Press OK.

The first looks are great... but let’s do a little test to watch the real monitoring! We are going to stop the Exchange Information Store manually.

Great job, the monitoring tool gives a critical warning as you can see. The Exchange Information Store is not running any more…

This is really a nice free tool to monitor the baseline information for your Exchange 2000 or 2003 environment. Can’t wait for the Exchange 2007 version ;)