Windows Server Administration

Had an interesting question from a reader in response to setting a default printer with Group Policy Preferences that I thought I would share.

Question was:
If you set a user general default printer like the main office copier but also set a location printer preference like the library copier using the loop back policy will it over ride the general default printer preference?

Do I merge or replace?
Read the rest of this entry »

The other day I wrote an article on how I use Group Policy Preferences to Deploy Printers and Set the Default Printer. Today I wanted to share with you how I go about mapping network drives to particular users based on their AD DS Group Memberships. In days gone by this was don via a vbs login in script, but let me show you how this can be done via GPP.

Simple scenario, we have a group of Media students that need a drive mapped to a different “Media Backup Server”, so what I have done is put these students into and Active Directory Group called “Media Students”.

So in my Students GPO I simply went to User Configuration > Preferences > Windows Settings > Drive Maps

Read the rest of this entry »

The job of deploying printers and setting default printers has been quite simply a pain in the butt. Well automating the default printer has been anyway. Now if you are like me and work in an educational environment where there are computer labs, left right and center, libraries, staff notebooks (separated on different campuses), student notebooks etc etc and users all wanting to print to specific printers and of course people not wanting to select the correct one from a list of printers then read on.

Use Group Policy Preferences !!!

In the past I have used the Print Management Console to deploy the printers via Group Policy, now that did work very well, but there was still the “overlooked” problem of being able to set the default printer. To get around this what I used to do was to name the computers in a certain way and then have a vbs script that would get the name of the printer and then set the default based on the computer name.

I was reading an article by GPO Guru Derek Melber about the new Group Policy Preferences that come with Windows Server 2008 and Windows Vista and thought I would explore this option.

To start off your client will need the Group Policy Preference Client Side Extensions both XP and Vista Clients need these. Now you can manually download these and install via a computer startup script via Group Policy or if you have a WSUS Server then you can make this “Feature Pack” available via Windows Updates (this is the option I took, less work!).

Now that you have the Group Policy Preference Client Side Extensions installed on the clients, you can go ahead and play with the GPO’s. If you open up the Group Policy Management snap in and edit a GPO object you will see “Preferences”

Read the rest of this entry »

I have been reading a bit about wireless security over the past week, as it is part of the 70-642 MCTS Exam “Configuring Windows 2008 Network Infrastructure” that I am currently studying (I will be sitting the exam in the next week or two, so subscribe to my RSS Feed so you don’t miss out on some inside tips !!!). We are curently running a wireless infrastructure with Cisco 1200 Access Points, a Windows 2003 Radius Server and using WEP 128bit (keys auto rotated every hour) encryption and Auto Enrolled Certificates from our Windows 2003 CA for authentication. This has been working pretty well, but with WPA2, an updated version of WPA and comes in two flavours WPA2-PSK and WPA2-EAP, it offers improved security and better protection from attacks. Now if all clients can support WPA2-EAP then this should be your first choice.

To kick things off you first of all need a PKI Infrustructure and enable autoenrollment so that all your wireless clients obtain the correct certificates for the authentication process.

1. Install the Active Directory Certificate Services (ADCS) Role to the server and just use the default settings here.

2. Next Open up the Group Policy Management Console and either edit a policy or create a new one to apply the wireless settings to your clients. The section we want is Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. In the details pane now you need to right click the Certificate Services Client – Autoenrollment and then select properties. In the Properties dialog box select enabled from the rop down box and then place a tick in the other boxes, which is optional.
Read the rest of this entry »

Here is a task that most Network Administrators will face at one time or another, moving User Home Directories from one Server to another. We are in the process of organising new Servers for 2009 and these will be Windows Server 2008 and the current Servers are running on Windows 2003 Server Standard Edition. Now currently our Home Folders are individually shared as hidden shares, and I want to move to a convention of a parent shared User Folder with individual folders for each user in there that are not shared.

Now I wanted to explore the PowerShell option to copy from the source server to the destinsation server and keep the NTFS Permissions intact after the copy, as I have previosuly used PowerShell to do a bulk import of users into Active Directory and that woked a treat. I was a bit dissapointed with the PowerShell options using GET-ACL and SET-ACL because I could do individual folders one at a time but that would take forever, and I couldn’t see an easy way to iterate through them….

Read the rest of this entry »

Well it is coming to that time of year again where we will be given a list of new students that will be enrolled for the 2009 School Year, and of course it is up to the IT Department to created the hundreds of accounts. This year I thought I would have a crack at using PowerShell to do a bulk import into Active Directory.

The first thing that I found was that PowerShell doesn’t have any specific Active Directory CMDLets, so I found these PowerShell CMDLets from Quest. A must have if you are working with Active Directory and PowerShell. There are a few pre requesests before installing so grab the PDF document associated and have a read. Let’s build the script!

I want to be able to import users from a CSV file so the the cmdlet that I amm interested in is Import-CSV which takes a parameter for the file name like so:

Import-CSV C:\New.csv

Next Step is to iterate through the file. This is done by piping the contents of the csv file to the For-EachObject cmdlet which inturn uses the New-QADUser cmdlet.

ForEach-Object {New-QADUser -ou domain.local/Students/2009 -name $_.Name -Description $_.Description -City $_.City -UserPassword $_.Password -SamAccountName $_.sAMAccountName -FirstName $_.FirstName -LastName $_.LastName -DisplayName $_.Name -UserPrincipalName $_.UPN}

If you type in get-help New-QADUser you will see the syntax and all the parameters you can include. In the above script you will see $_.Name etc etc. These correlate to the CSV File. My CSV File had Name, Description, UserPassword, sAMAccountName, FirstName, LastName, DispplayName and UPN. You can see the connection above. It doesn’t even matter what order they are in in the CSV File!

Did you Like This Post? Stay Updated with more How To’s and Tips by Subscribing to My RSS Feed

Let me first start by saying that we have a pretty unorginsaeed Active Directory Structure at the moment, but that will change. Today I took the first step to getting some order in our AD Structure, disable all accounts that ahve been inactive for a period of time. To do this I simply used DSQuery and piped the results to DSMod and there we have it all the accounts are disabled.

Here was the command I used:

dsquery user -inactive 40 -limit 0 | dsmod user -disabled yes

I know, I know pretty simple but something that is good to have in the tool kit. I then went on and did it using the computer accounts. Then from Active Directory Users and Computers snap in I could then create a query to lookup all the disabled user and computer account and eother delete them or move them to a temp OU before deleting.

Daniel Anderson
Cleaning up my Active Directory.