Windows Server Printer Integration with Active Directory

The print subsystem of Windows Server 2003 is tightly integrated with Active Directory, making it easy for users and administrators to search for and connect to printers throughout an enterprise. All required interaction between printers and Active Directory is configured, by default, to work without administrative intervention. You need to make changes only if the default behavior is not acceptable. When a logical printer is added to a Windows Server 2003 print server, the printer is...

Defining Resource Access with Permissions

Once authentication has been configured, permissions are assigned to files and folders. A common way to define resource access with IIS is through NTFS permissions. NTFS permissions, because they are attached to a file or folder, act to define access to that resource regardless of how the resource is accessed. IIS also defines permissions on sites and virtual directories. Although NTFS permissions define a specific level of access to existing Windows user and group accounts, the Tip You must...

Configuring Automatic Updates Through Group Policy

The Automatic Updates client will, by default, connect to the Microsoft Windows Update server. After you have installed WSUS in your organization, you can direct Automatic Updates to connect to specific intranet WSUS servers by configuring the registry of clients manually or by using Windows Update group policies. To configure Automatic Updates using GPOs, open a GPO and navigate to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node. The Windows Update...

Per Device or Per User Licensing

The Per Device or Per User licensing mode varies from the Per Seat scheme of previous versions of Windows. In this new mode, each device or user that connects to a server requires a CAL, but with that license, the device or user can connect to a number of servers in the enterprise. Per User or Per Device mode is generally the mode of choice for distributed computing environments in which multiple users access multiple servers. Note The licensing tools and the user interface do not yet...

Per Server Licensing

Per-server licensing requires a User or Device CAL for each concurrent connection. If a server is configured with 1,000 CALs, the 1,001st concurrent connection is denied access. CALs are designated for use on a particular server, so if the same 1,000 users require concurrent connections to a second server, you must purchase another 1,000 CALs. Per-server licensing is advantageous only in limited access scenarios such as when a subset of your user population accesses a server product on very few...

Lesson Restoring Data

In conjunction with the design of a backup strategy, you must create and verify restore procedures to ensure that appropriate personnel are knowledgeable in the concepts and skills that are critical to data recovery. This lesson will share the processes and options available for restoring data using the Backup Utility.

After this lesson, you will be able to:
Restore data to its original location or to an alternate folder
Configure restore options

Estimated lesson time: 10 minutes

Troubleshooting Lab

At 1:00 P.M. on Tuesday, a user in the Finance Department contacts you to let you know that he accidentally deleted some files from the Finance folder. You are confident that the backup procedure you established will help you recover the deleted files. However, you also want to ensure that you don't roll back any files that had been changed today, after the overnight backup job was executed. In this lab, you will simulate the workflow that creates such a scenario, and then you will recover the...

Exercise Modify Multiple User Objects Properties

1. Open Active Directory Users And Computers and navigate to the Contoso.com Employees OU. Select the Employees OU in the tree pane, which will list the user objects you created in Exercise 1 in the details pane. 2. Select Dan Holme's user object. 3. Hold the CTRL key and select Hank Carbeck's user object. 4. Click the Action menu, and then click Properties. 5. Notice the difference between the Properties dialog box here, and the more extensive properties dialog box you explored in Exercise 2....

Deleting and Disabling and Resetting Computer Accounts

Computer accounts, like user accounts, maintain a unique SID, which enables an administrator to grant permissions to computers. Also like user accounts, computers can belong to groups. Therefore, like user accounts, it is important to understand the effect of deleting a computer account. When a computer account is deleted, its group memberships and SID are lost. If the deletion is accidental, and another computer account is created with the same name, it is nonetheless a new account with a new...

Objective Questions

What is the difference between a Windows Device CAL and a Windows User CAL? (Choose all that apply.) A. A Windows Device CAL allows a device, such as a workstation, to connect to a server regardless of how many users use that device. B. A Windows Device CAL allows a single user to connect to multiple servers so long as they use only a single workstation. C. A Windows User CAL allows a single user to access a server from multiple devices, such as workstations. D. A Windows User CAL allows a...

Case Scenario Exercise

You are configuring an update strategy for a network consisting of 1000 clients running a mix of Windows XP and Windows 2000. Your goal is to prevent users from downloading updates directly from Microsoft Update and to create a structure in which you can approve critical patches and security rollups for distribution. You have recently purchased desktops and laptops, and you have applied the corporate standard image to those systems. Unfortunately, the image was created a while ago. The Windows...

Introducing Microsoft Windows Server

This chapter does not cover specific exam objectives. After introducing the Microsoft Windows Server 2003 family of products, this chapter covers some installation and configuration considerations with a focus on what you need to know for the 70-290 certification exam. The purpose of this book is to empower you to manage and maintain a Microsoft Windows Server 2003 environment, and to prepare you effectively for the 70-290 certification examination. Although it is assumed that you have...

Exercise Configuring NTFS Permissions

1. Open the c:\docs folder that you shared in Lesson 1's practice. 2. Create a folder called Project 101. 3. Create domain local security groups to manage access to the folder. Using Active Directory Users And Computers, create the following domain local security groups in the Security Groups OU: Project 101 Contributors and Project 101 Editors. 4. To manage access using these groups, add global groups representing employee roles to the two domain local groups you just created. Add the Project 101...

Lesson Review

You're administering a computer running Windows Server 2003 configured as a print server. Users in the Marketing group complain that they cannot print documents using a printer on the server. You view the permissions in the printer's properties. The Marketing group is allowed Manage Documents permission. Why can't the users print to the printer? a. The Everyone group must be granted the Manage Documents permission. b. The Administrators group must be granted the Manage Printers permission. c....

Recovering from Device Disaster

Occasionally, when you install or upgrade a device driver, the device might not function properly or might cause conflicts with other devices on the system. Depending on the role of the device, the effect of the problem will range from annoying to catastrophic. A faulty configuration of a core system component, such as a video device, can render the computer unusable. Rolling back the driver, after all, is difficult if you cannot see the screen. Thankfully, there are many ways to recover from...

Controlling Printer Security

Windows Server 2003 allows you to control printer usage and administration by assigning permissions through the Security tab of the printer's Properties dialog box. You can assign permissions to control who can use a printer and who can administer the printer or documents processed by the printer. A typical Security tab of a printer's Properties dialog box is shown in Figure 8-5.

Figure 8-5 The Security tab of a printer's Properties dialog box (alongside the General, Sharing, Ports, Advanced, and Device Settings tabs), listing the group or user names, such as Administrators, that hold permissions on the printer...

Creating User Objects with Active Directory Users And Computers

You can create a user object with the Active Directory Users And Computers snap-in. Although you can create user objects in the root of the domain or any of the default containers, it is best to create a user in an organizational unit, so that you can fully leverage administrative delegation and Group Policy Objects (GPOs). To create a user object, select the OU or container in which you want to create the object, click the Action menu, then choose New and choose User. You must be a member of...

Reinstating Inheritance

Inheritance can be reinstated in two ways: from the child resource or from the parent folder. The results differ slightly. You might reinstate inheritance on a resource if you disallowed inheritance accidentally or if business requirements have changed. Simply reselect the Allow Inheritable Permissions option in the Advanced Security Settings dialog box. Inheritable permissions from the parent will now apply to the resource. All explicit permissions you assigned to the resource remain, however....

Password Policy

The domain password policies enable you to protect your network against password compromise by enforcing best-practice password management techniques. The policies are described in Table 3-5.

Enforce Password History: When this policy is enabled, Active Directory maintains a list of recently used passwords and will not allow a user to create a password that matches a password in that history. The result is that a user, when prompted to change his or her password, cannot use the same password...

Creating Computer Objects Using Active Directory Users and Computers

To create a computer object, or account, open Active Directory Users And Computers and select the container or OU in which you want to create the object. From the Action menu or the right-click shortcut menu, choose the New Computer command. The New Object-Computer dialog box appears, as illustrated in Figure 5-1.

Figure 5-1 The New Object-Computer dialog box

In the New Object-Computer dialog box, type the computer name. Other properties in this...

Understanding the Windows Server Printer Model

Windows Server 2003, and previous versions of Windows, support two types of printers:

Locally attached printers: Printers that are connected to a physical port on a print server, typically a universal serial bus (USB) or parallel port.

Network-attached printers: Printers connected to the network instead of to a physical port. A network-attached printer is a node on the network; print servers can address the printer using a network protocol such as Transmission Control Protocol/Internet Protocol (TCP...

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter. 1. You're setting up a Web site in IIS on Server01. The site's Internet domain name is adatum.com, and the site's home directory is C:\Web\Adatum. Which URL should Internet users use to access files in the...

Redirecting Print Jobs

If a printer is malfunctioning, you can send documents in the queue for that printer to another printer connected to a local port on the computer or attached to the network. This is called redirecting print jobs. It allows users to continue sending jobs to the logical printer and prevents users with documents in the queue from having to resubmit the jobs. To redirect a printer, open the printer's Properties dialog box and click the Ports tab. Select an existing port or add a port. The check box...

Security Group Scope and Membership

Table 4-1 summarizes the use of Windows Server 2003 domain groups as security principals (group type: security).

Table 4-1 Security Group Scope and Membership (Windows 2000 native or Windows Server 2003 domain functional level)
Group Scope | Members Can Include | Group Can Be a Member of
Domain Local | Computer accounts, users, global groups, and universal groups from any domain in the forest or any trusted domain. Domain local groups from the same domain. | Domain local groups in the same domain....

Info

Caution If your computer is on a network, check with the network administrator before assigning a name to your computer. 21. In the Administrator Password text box and the Confirm Password text box, type a complex password for the Administrator account (one that others cannot easily guess). Remember this password because you will be logging on as Administrator to perform most hands-on exercises. Important In a manual installation, Windows Server 2003 will not let you progress to subsequent steps...

Managing and Implementing Disaster Recovery

Disks will fail, files will be lost, and power supplies will fuse with a puff of smoke, a few sparks, and an acrid smell. Systems administrators should not wait for a disaster to occur before deciding on a course of action. Before disaster strikes, administrators should have planned and put in place the procedures that will restore system functionality as soon as possible. The first step in protecting data stored on Windows Server 2003 systems is to ensure that it is...

Performing Disk Management Tasks from the Command Prompt

Windows Server 2003 provides command-line alternatives for disk management, including the following:

Chkdsk: Scan a disk for errors and, optionally, attempt to correct those errors.
Convert: Convert a volume from FAT or FAT32 to NTFS.
Fsutil: Perform a variety of tasks related to managing FAT, FAT32, or NTFS volumes.
Mountvol: Manage mounted volumes and reparse points.

See Also See the Windows Help And Support Center for details about the roles and syntax of each command. But the granddaddy of disk...

Lesson Understanding Disk Storage Options

Before you tackle the installation of a disk drive and the configuration of that drive, you must understand several important storage concepts. This lesson will introduce you to the concepts, technologies, features, and terminology related to disk storage in Windows Server 2003. You will learn about differences between basic and dynamic disk storage types and the variety of logical volumes they support. After this lesson, you will be able to: Understand disk-storage concepts and terminology...

Exercise Create User Objects

1. Log on to Server01 as an administrator. 2. Open Active Directory Users And Computers. 3. Create an OU called Employees and then select the Employees OU. 4. Create a user account with the following information, ensuring that you use a strong password: User Logon Name (Pre-Windows 2000): dholme. Tip A new feature of Windows Server 2003 is that drag-and-drop operations are supported in several MMC snap-ins, including Active Directory Users And Computers. You can move objects between OUs by dragging...

System State

Microsoft Windows 2000 and Windows Server 2003 introduced the concept of System State to the backup process. System State data contains critical elements of a system's configuration, including:

The COM+ Class Registration Database
The boot files, which include boot.ini, ntdetect.com, ntldr, bootsect.dos, and ntbootdd.sys
System files that are protected by the Windows File Protection service

In addition, the following are included in the System State when the corresponding services have been...

Approving Updates

Update management includes identifying, evaluating, and approving updates. You perform each of these tasks using the Updates page of the WSUS administration site. From the WSUS home page, click the Updates link in the top navigation bar. The Updates page, shown in Figure 9-4, appears.

Figure 9-4 Updates administration page

The list view in the top frame of the Updates page displays a subset of update metadata, including the update's title, classification,...

Schedule Backup Jobs

Backup jobs are best run at a time when there is minimal use of the server that is to be backed up. This tends to be at times in the middle of the night rather than during the normal hours that a systems administrator is in the office. Rather than having to come back to work each night at 2:00 A.M., or having to wake up to initiate an early morning Terminal Services connection, the Windows Server 2003 Backup Utility allows the scheduling of backup jobs. A wide variety of scheduling options is...

Managing and Maintaining a Server Environment

Managing a Microsoft Windows Server 2003 system requires an awareness of what is occurring on the system. The best place to find this information is in the event logs. The three main event logs that are on a Windows Server 2003 system are the System, Security, and Application logs. Event log views can be filtered so that only information in which the administrator is interested is displayed. Another part of server management is ensuring that relevant updates are downloaded and applied to the...

Using System Monitor and Performance Logs and Alerts

The System Monitor and Performance Logs And Alerts snap-ins, both of which are included in the Performance MMC, allow you to observe real-time performance of printers, log metrics for later analysis, or set alert levels and actions. System Monitor and Performance Logs And Alerts are discussed in detail in Chapter 12, Monitoring Microsoft Windows Server 2003. To add a counter to System Monitor, right-click the graph area and choose Add Counters. Select the performance object, in this case Print...

Configuring System Monitor

With System Monitor, you can collect and view data by configuring counters that report hardware, application, and service activity for any computer on your network. Three configurations must be made for the data you wish to collect.

Type of data: You can specify one or more counter instances of performance monitor objects for which you want data to be reported.

Source of data: Either local or remote computer data can be collected by a counter. You must be a local administrator or a member of the...

Computers and Groups

Users need access to resources on the network to do their daily work but should not have access to unauthorized data. This access is gained by logging on to a computer that has access to the domain and then being acknowledged as a member of assigned groups in the domain. Permissions to resources can be set only for users, groups, and computers that are recognized by the domain. Creation of these user, group, and computer accounts can be done manually through tools provided in the Microsoft...

Configuring Audit Settings

To specify the actions you wish to monitor and track, you must configure audit settings in the file's or folder's Advanced Security Settings dialog box. The Auditing tab, shown in Figure 6-12, looks strikingly similar to the Permissions tab before it. Instead of adding permissions entries, however, you add auditing entries.

Figure 6-12 Auditing tab of the Advanced Security Settings dialog box

Click Add to select the user,...

Questions and Answers

1. Which of the following locations are not allowed to be used for a backup of a Windows Server 2003 system? d. Shared folder on a remote server g. Tape drive on a remote server The correct answers are b, e, and g. 2. You are to back up a Microsoft Windows Server 2003 file server every evening. You perform a manual, normal backup. You will then schedule a backup job to run every evening for the next two weeks. Which backup type will complete the fastest? 3. You are to back up a Windows Server...

Navigating the MMC

Note that the console has a name and that there is a Console Root. This Console Root will contain any snap-ins that you choose to include. Each console includes a console tree, console menu and toolbars, and the details pane. The contents of these will vary, depending on the design and features of the snap-in you use. Figure 2-2 shows a populated MMC with two snap-ins loaded.

Figure 2-2 A populated MMC

Using the MMC...

Event Log Retention Settings

On the General tab of each log's Properties dialog box (shown in Figure 12-1), you can specify the maximum size of the log and its behavior when the log reaches its maximum size. The available log retention options are as follows:

Overwrite events as needed
Overwrite events older than a specified number of days
Do not overwrite events (clear log manually)

Figure 12-1 The General tab of the Security log's Properties dialog box, showing a maximum log size of 512 KB and the retention options above...

Load Balancing Terminal Servers

In previous implementations of Terminal Services, it was difficult to load-balance terminal servers. Windows Server 2003 Enterprise and Datacenter Editions introduce the ability to create server clusters, which are logical groupings of terminal servers. When a user connects to the cluster, the user is directed to one server. If the user's session is disconnected and the user attempts to reconnect, the terminal server receiving the connection will check with the Session Directory to identify...

Exercise Configure the Server for Remote Desktop

In this exercise, you will enable Remote Desktop connections, change the number of simultaneous connections allowed to the server, and configure the disconnection settings for the connection. 1. Log on to Server01 as Administrator. 2. Open the System properties from Control Panel. 3. On the Remote tab, enable Remote Desktop. Close System Properties. 4. Open the Terminal Services Configuration console from the Administrative Tools folder. 5. On the tscc Terminal Services Configuration...

The Access Control List Editor

As in earlier versions of Windows, security can be configured for files and folders on any NTFS volume by right-clicking the resource and choosing Properties (or Sharing And Security), then clicking the Security tab. The interface that appears has many aliases: it has been called the Permissions dialog box, the Security Settings dialog box, the Security tab, or the Access Control List editor (ACL editor). Whatever you call it, it looks the same. An example can be seen on the Security tab of the Docs...

Recognizing Computer Account Problems

Computer accounts and the secure relationships between computers and their domain are robust. However, certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such scenarios include: After reinstalling the operating system on a workstation, the workstation is unable to authenticate even though the technician used the same computer name. Because the new installation generated a new SID and the new computer does not know the computer account...

Managing and Maintaining Physical and Logical Devices

One of the primary responsibilities of the systems administrator is to ensure that the physical and logical devices on the servers are correctly managed and maintained. A physical device is hardware that can be touched: a network card, a graphics adapter, or a Small Computer System Interface (SCSI) hard disk drive. A logical device is one that has been created by the operating system. Partitions, volumes, and striped disks are examples of logical devices. The disk management console gives the...

Setting Up a Printer Pool

A printer pool is one logical printer that supports multiple physical printers, attached to the server, attached to the network, or a combination thereof. When you create a printer pool, users' documents are sent to the first available printer; the logical printer representing the pool automatically checks for an available port. Printer pooling is configured from the Ports tab of the printer's Properties dialog box. To set up printer pooling, select the Enable Printer Pooling check box, and then...

Managing Computer Object Permissions

In Lesson 1, you learned that you could join a computer to a domain by providing domain administrator credentials when prompted by the computer during the join process. Security concerns, however, require us to use the minimum necessary credentials to achieve a particular task, and it does seem like overkill to need a Domain Admins' account to add a desktop to the domain. Fortunately, Active Directory allows you to control, with great specificity, the groups or users that can join a computer to...

Troubleshooting Lab Exercise: Plan the Recovery

1. How will you recover the missing data? A normal backup includes all selected files. It is the baseline from which you begin to recover from data loss. The differential backup includes all files that have changed since the normal backup. After you have restored the normal backup, you can restore the most recent differential backup. Keep in mind, however, that some of the files (Budget and Current) have been changed by users subsequent to the overnight differential backup. 2. How will you prevent...

Media Pools

The Backup Utility of Windows Server 2003 manages tapes with RSM using media pools, as seen in Figure 7-6. Tip In the real world, do not nest accounts in the Backup Operators group without considering the security implications. Members of the Backup Operators group can connect to hidden administrative drive shares (C$, for example) and have the ability to transfer ownership of files. It is recommended that you grant the user rights to back up files and folders and to restore files and folders to...

Q

Extended partition: A basic disk may also contain an extended partition. Unlike primary partitions, extended partitions are not formatted or assigned drive letters. Instead, extended partitions are further divided into logical drives. Logical drives are logical volumes on a basic disk. In earlier versions of Microsoft operating systems, including Microsoft Windows 95, Windows 98, and MS-DOS, the operating system could only see the primary partition on which it was installed, plus the extended...

Enabling and Configuring Remote Desktop For Administration

The Terminal Services service enables Remote Desktop, Remote Assistance, and Terminal Server for application sharing. The service is installed by default on Windows Server 2003 and configured to support Remote Desktop For Administration. Remote Desktop For Administration allows only two concurrent remote connections and does not include the application sharing components of Terminal Server. Therefore, Remote Desktop For Administration operates with very little overhead on the system and with no...

Roaming User Profiles

If users work at more than one computer, you can configure roaming user profiles (RUPs) to ensure that their documents and settings are consistent no matter where they log on. RUPs store the profile on a server, which also means that the profiles can be backed up, scanned for viruses, and managed centrally. Even in environments where users do not roam, RUPs provide resiliency for the important information stored in the profile. If a user's system fails and must be reinstalled, an RUP will ensure...

Account Lockout Policy

Account lockout refers, in its broadest sense, to the concept that after several failed logon attempts by a single user, the system should assume that an attacker is attempting to compromise the account by discovering its password and, in defense, should lock the account so no further logons may be attempted. Domain account lockout policies determine the limitations for invalid logons, expressed in a number of invalid logons in a period of time, and the requirements for an account to become...

Key Terms

Last Known Good Configuration: A driver rollback requires logon, whereas a logon invalidates Last Known Good Configuration. Roll Back Driver and Last Known Good Configuration both revert to a previous configuration of a device driver. Last Known Good Configuration reverts to the previous configuration of all devices and services.

Safe mode vs. Last Known Good Configuration: Logging on in Safe mode loads a minimal set of drivers but will not reset any drivers, whereas the Last...

Device Manager Status Codes

When a device fails, an error message is usually indicated in Device Manager with a yellow exclamation point on the device icon. If you double-click the device (or right-click the device and then click Properties), a dialog box is displayed and any error messages that Device Manager detects are listed. This Device Status has some friendly text with it, but troubleshooting might require that you understand more than the text message delivers. Often there is a code listed with the text that gives...

Printer Location Tracking

Printer location tracking is a feature, disabled by default, that significantly eases a user's search for a printer in a large enterprise by pre-populating the Location box of the Find Printers dialog box, so that the result set will automatically be filtered to list printers in geographic proximity to the user. To prepare for printer location tracking, you must have one or more sites or one or more subnets. Site and subnet objects are created and maintained using the Active Directory Sites And...

Exercise Creating Computer Accounts with Dsadd

Dsadd computer

Tip The best practice is to pre-stage computer accounts (that is, create a computer account in the correct OU, using the skills discussed in previous sections, prior to joining the computer to the domain). By doing so, you ensure that the administration of the computer account is delegated correctly and that the computer is within the scope of the Group Policy Objects (GPOs) your organization has created to configure computers.

Configuring Printer Properties

Printer Properties General

After installing the logical printer, you can configure numerous properties by opening the printer's Properties dialog box, shown in Figure 8-2. The General tab allows you to configure the printer name, location, and comments, all of which were initially configured based on your responses to prompts in the Add Printer Wizard.

Figure 8-2 The General tab of a printer's Properties dialog box

The Sharing tab shown in Figure 8-3 allows...

Lesson Using the WMI Event Logging Provider

Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an initiative to establish standards for creating, reading, and modifying management information. WMI is WBEM-compliant and provides integrated support for the Common Information Model (CIM), the data model that describes the objects that exist in a management environment. The WMI repository is the database of object definitions, and the WMI Object Manager handles the objects as input...

Create and Manage Groups

Grouping user accounts is an efficient way to organize individual users into logical units to which permissions can be assigned. Different from OUs, groups are security principals and can be added to the Discretionary Access Control List (DACL, or ACL) of a resource for permission assignment. The types of groups that are available, their scope, and the combinations of nested groups that can be used depend on the Functional Level of the domain in which the groups reside; similarly, some groups can...

Using WMIC in Monitoring

With WMI running on a computer, and with the user running WMIC holding sufficient administrative credentials, local or remote monitoring of a computer is available at the command line. In noninteractive mode, multiple commands can be contained in a batch file that is run either manually or on an automated schedule. WMIC output can be written to a CSV file, a text file, or an HTML page to be viewed and analyzed. Following are examples of common monitoring scenarios and output that illustrate the...
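As an added example (not from the training kit), the following PowerShell script runs three of the usual WMIC monitoring queries against a remote server, keeps the raw output as CSV and HTML as described above, and then reads one of the CSV files back to flag a condition immediately. The server name SERVER01 and the output folder C:\Monitor are assumptions; the caller is assumed to hold local Administrator rights on the target.

```powershell
# Added example: WMIC monitoring snapshots from a remote computer, kept as CSV/HTML.
# Assumptions (hypothetical): target SERVER01, output folder C:\Monitor on this computer,
# and the current user is a local Administrator on SERVER01.
$node   = 'SERVER01'
$outDir = 'C:\Monitor'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# Uptime and memory as CSV. The property list is quoted because PowerShell would otherwise
# split it at the commas into separate arguments before wmic ever sees it.
wmic /node:$node "/output:$outDir\os-$stamp.csv" os get 'Caption,LastBootUpTime,FreePhysicalMemory,TotalVisibleMemorySize' /format:csv

# Services set to start automatically that are not running: a cheap health check that also
# surfaces tampering, such as a logging or antivirus service that someone has stopped.
wmic /node:$node "/output:$outDir\svc-$stamp.csv" service where "StartMode='Auto' and State<>'Running'" get 'Name,State,StartMode' /format:csv

# Fixed-disk space as an HTML table (DriveType 3 = local disk) for an intranet status page.
wmic /node:$node "/output:$outDir\disk-$stamp.htm" logicaldisk where 'DriveType=3' get 'DeviceID,Size,FreeSpace' /format:htable

# Read the CSV back. wmic CSV output begins with a blank line and carries a Node column.
function Get-LowMemoryNodes([string]$CsvPath, [int]$MinFreePercent = 10) {
    Get-Content $CsvPath | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
        $pct = [math]::Round(100 * [double]$_.FreePhysicalMemory / [double]$_.TotalVisibleMemorySize, 1)
        if ($pct -lt $MinFreePercent) { "$($_.Node): only $pct% physical memory free" }
    }
}
Get-LowMemoryNodes -CsvPath "$outDir\os-$stamp.csv" | ForEach-Object { Write-Warning $_ }
```

Run it from a scheduled task and the timestamped files accumulate per run; the service query is the one worth alerting on, because a stopped automatic service is as often the trace of an intruder as of a fault.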

Configuring Multiple Logical Printers for a Single Printer

Although a printer pool is a single logical printer that supports multiple ports, or printers, the reverse structure is more common and more powerful: multiple logical printers supporting a single port, or printer. By creating more than one logical printer directing jobs to the same physical printer, you can configure different properties, printing defaults, security settings, auditing, and monitoring for each logical printer. For example, you might want to allow executives at Contoso, Ltd. to...

Understanding Effective Permissions

The rules that determine effective permissions are as follows.

File permissions override folder permissions. This isn't really a rule, but it is often presented that way in documentation, so it is worth addressing. Each resource maintains an ACL that is solely responsible for determining resource access. Although entries on that ACL might appear because they are inherited from a parent folder, they are nevertheless entries on that resource's ACL. The security subsystem does not consult the...

Evaluating Effective Permissions

Complexity is a possibility, given the extraordinary control over granular permissions and inheritance that NTFS supports. With all those permissions, users, and groups, how can you know what access a user actually has? Microsoft added a long-awaited tool to help answer that question. The Effective Permissions tab of the Advanced Security Settings dialog box, shown in Figure 6-8, provides a reliable approximation of a user's resulting resource access. It is an approximation because the tab evaluates NTFS permissions only: it ignores share permissions, and it cannot know which logon-specific groups (such as Interactive or Network) will be in the user's token when the user actually connects. Figure 6-8: The Effective Permissions tab of...
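The two sections above (the rules for effective permissions and the Effective Permissions tab) describe an algorithm, and it is easier to trust the tab once you have watched that algorithm run. The following PowerShell function is an added example, not code from the training kit: it reads a folder's real ACL with Get-Acl and walks the entries the way the NTFS access check does (in stored order, denies ending the check, allows accumulating, stopping as soon as every requested right is granted). The token is supplied by the caller, which is exactly the approximation the tab makes; the last lines build a real token from whoami instead. The folder C:\Data\Reports is an assumption, and the script needs Windows PowerShell 3.0 or later.

```powershell
# Added example: a model of the NTFS access check. Get-Acl supplies the real ACL; the caller
# supplies the token (user plus group names) and the requested rights.
# Assumption (hypothetical): the folder C:\Data\Reports exists.
function Get-ModeledAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string[]]$TokenPrincipals,   # e.g. 'CONTOSO\dholme','CONTOSO\Marketing','Everyone'
        [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemRights]$Requested
    )
    $requested = [int]$Requested
    $granted   = 0
    # Get-Acl returns the ACEs in stored (canonical) order: explicit denies, explicit allows,
    # then inherited entries. Walking them in that order and stopping early is why an explicit
    # allow on a file wins over a deny inherited from its folder: the check never reaches the deny.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($TokenPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $mask      = [int]$ace.FileSystemRights     # generic rights show up as negative values here
        $remaining = $requested -band (-bnot $granted)
        if ($ace.AccessControlType -eq 'Deny') {
            # A deny that covers any right still outstanding ends the check immediately.
            if (($mask -band $remaining) -ne 0) {
                return [pscustomobject]@{ Path = $Path; Access = 'Denied'; DecidedBy = "$($ace.IdentityReference) (Deny)" }
            }
        } else {
            # Allows accumulate across entries: Read from one group plus Write from another is enough.
            $granted = $granted -bor ($mask -band $requested)
            if (($requested -band (-bnot $granted)) -eq 0) {
                return [pscustomobject]@{ Path = $Path; Access = 'Granted'; DecidedBy = "$($ace.IdentityReference) (Allow)" }
            }
        }
    }
    # Ran out of entries before every requested right was collected: implicit deny.
    [pscustomobject]@{ Path = $Path; Access = 'Denied'; DecidedBy = 'no matching allow entry' }
}

# Build a real token for the logged-on user from whoami. This is what the tab cannot do: the
# list includes Authenticated Users, INTERACTIVE and similar SIDs that exist only at logon.
$me     = whoami
$groups = whoami /groups /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty 'Group Name'
Get-ModeledAccess -Path 'C:\Data\Reports' -TokenPrincipals (@($me) + $groups) -Requested 'Read,Write'
```

Two limits are deliberate: the model does not map generic rights (GENERIC_ALL and friends appear as negative masks), and it does not give the owner the implicit READ_CONTROL and WRITE_DAC the real system grants, so when its verdict differs from the tab's, check those two first.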

Dsrm

You use Dsrm to remove an object, its subtree, or both. The basic syntax is dsrm ObjectDN [-subtree [-exclude]] [-noprompt] [-c]. It supports the -s, -u, and -p parameters described in the section about Dsquery. You specify the object by using its distinguished name in the ObjectDN parameter. The -subtree switch directs Dsrm to remove the object's contents if the object is a container object. The -exclude switch excludes the object itself, and you can use it only in conjunction with -subtree. Specifying...

Creating a Preconfigured Default Profile

In our introduction to user profiles, we indicated that when a user logs on to a system for the first time, if that user does not have a roaming user profile or if the folder to which that user's roaming user profile is configured is empty, the system copies its Default User profile as the basis for the user's initial profile. Therefore, if you wish to customize the initial environment for all users logging on to a system, you must customize the Default User profile on that system. To do so,...

Configuring Windows Server Update Services Settings

Although you can specify some of the configuration of WSUS during a custom installation, all WSUS settings are accessible from the WSUS administration Web page. From the Windows Server Update Services administration page, click Options in the top navigation bar. Then click the Synchronization Options link. The settings on the Synchronization Options page are easiest to understand if we categorize the issues you will be addressing through your choice of configuration. From where does this WSUS...

Create and Manage User Accounts

User accounts can be added individually through the Active Directory Users And Computers snap-in or through the Directory Service command-line tool Dsadd. These tools are preferred and sufficient for single accounts. Active Directory Users And Computers is also the easiest tool for managing the properties of user accounts because it presents a common and usable interface to these properties. The Directory Service command-line tools are better suited for mass manipulation of the properties of...

Administering Site Licensing

The License Logging service, which runs on each computer running Windows Server 2003, assigns and tracks licenses when server resources are accessed. To ensure compliance, licensing information is replicated to a centralized licensing database on a server in the site. This server is called the site license server. A site administrator, or an administrator for the site license server, can then use the Licensing tool in the Administrative Tools program group to view and manage licensing for...

Exercise Create a User Profile Template

1. Create a user account that will be used solely for creating profile templates. Use the following guidelines when creating the account: User Logon Name (and pre-Windows 2000 logon name): Profile.
3. Log on as the Profile account.
4. Customize the desktop. You might create shortcuts to local or network resources, such as a shortcut to the C drive on the desktop.
5. Customize the desktop using the Display application in Control Panel. On the Desktop page of the Display Properties dialog box, you can...

Practice Recovering from System Failure

In this practice, you will back up the System State and create an Automated System Recovery set. You will also install and use the Recovery Console to troubleshoot driver or service failures. Finally, if you have access to a second physical disk drive, you will be able to perform Automated System Recovery to restore a failed server.

Exercise 1: Back Up the System State
1. Log on to Server01 as Administrator.
3. If the Backup And Restore Wizard appears, click Advanced Mode.
4. Click the Backup...

Using Csvde

Csvde, discussed in detail in Chapter 3, User Accounts, supports the creation of objects from comma-separated text files. The following example shows a .csv file that will create a group, Marketing, and populate the group with two initial members, Dan Holme and Scott Bishop. The objects listed in the member attribute must already exist in the directory service. The distinguished names (DNs) of member objects are separated by semicolons. You could import this file into Active...
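As an added example (not the training kit's own file), the following PowerShell script builds such a .csv for the Marketing group, checks first that every member DN resolves, and imports it with csvde. The domain contoso.com, the OUs Marketing and Employees, the member DNs and the domain controller name SERVER01 are assumptions.

```powershell
# Added example: write the Marketing group .csv from a script and import it with csvde.
# Assumptions (hypothetical): domain contoso.com, an OU named Marketing for the group, user
# objects for Dan Holme and Scott Bishop under OU=Employees, and a DC reachable as SERVER01.
$domain  = 'DC=contoso,DC=com'
$groupDn = "CN=Marketing,OU=Marketing,$domain"
$members = @("CN=Dan Holme,OU=Employees,$domain", "CN=Scott Bishop,OU=Employees,$domain")

# Confirm each member exists before importing: csvde rejects the whole row if one DN in the
# member column does not resolve, and its error names the line, not the offending DN.
foreach ($dn in $members) {
    $found = dsquery * $dn -scope base 2>$null
    if (-not $found) { throw "Member object not found: $dn" }
}

# One header row and one data row. The DN column is required; multi-valued attributes such as
# member are joined with ';'. groupType -2147483646 is a global security group, stated
# explicitly so the file documents what it creates.
$csvPath = Join-Path $env:TEMP 'marketing.csv'
@(
    'objectClass,DN,sAMAccountName,groupType,member'
    ('group,"{0}",Marketing,-2147483646,"{1}"' -f $groupDn, ($members -join ';'))
) | Set-Content -Path $csvPath -Encoding ASCII

Get-Content $csvPath          # review exactly what will be imported
csvde -i -f $csvPath -s SERVER01
if ($LASTEXITCODE -ne 0) { Write-Warning "csvde returned $LASTEXITCODE; see csv.log in the current directory" }
```

The DN check matters more than it looks: a group that imports with a silently dropped member is the kind of error that shows up later as a user who "should" have access and does not.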

Exercise Take a Printer Offline and Print a Test Document

In this exercise, you set the printer you created to offline status. Taking a printer offline causes documents you send to this printer to be held in the print queue while the print device is unavailable. Doing this will prevent error messages about unavailable print devices from occurring in later exercises. Otherwise, Windows Server 2003 will display error messages when it attempts to send documents to the fictional print device that is not actually available to the computer. 1. In the...

Users at Contoso Ltd. use Microsoft Office applications to access resources on Server01. Your job is to monitor

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter.
1. Which of the following must be done to generate a log of resource access for a file or folder? (Select all that apply.)
a. Configure NTFS permissions to allow the System account to audit resource access.
b....

Creating a Preconfigured Group Profile

Roaming profiles enable you to create a standard desktop environment for multiple users with similar job responsibilities. The process is similar to creating a preconfigured user profile, except that the resulting profile is made available to multiple users. Create a profile using the steps outlined above. When copying the profile to the server, use a path of the form \\server\share\<profile name>. You must grant access to all users who will use the profile, so, in the Permitted To Use frame, click Change and...

Configuring and Administering WSUS

You will perform five categories of administrative tasks related to supporting WSUS servers: configuring settings, synchronizing content, approving updates, managing computer groups, and reporting update status. You perform these tasks using the WSUS Administration Web site, shown in Figure 9-2, which you can access by navigating to http://WSUS_servername/WSUSAdmin with Internet Explorer 5.5 or later. The administration of WSUS is entirely Web-based. The home page of the WSUS administration site...

Objective Answers

A. Incorrect: This will not back up the IIS configuration or certificate database. It will also not use the smallest amount of space on the backup media.
B. Incorrect: This will not back up the IIS configuration or certificate database.
C. Correct: This will back up the IIS configuration and the certificate database as well as perform the full backup required.
D. Incorrect: Differential backups use more space on the backup media than incremental backups do. Differential backups store all...

Exercise Using Ldifde to Create a Group

In this exercise, you will use Ldifde to add a group named Management to the Marketing OU of contoso.com.
1. Start a text editor, such as Notepad, and create a text file named Newgroup.ldf. Save the file as an LDIF file, not as a text file.
2. Edit the LDIF file Newgroup.ldf, and add the following text:
dn
3. Save and close the LDIF file.
4. Open a Command Prompt, type the following command, and then press Enter:
ldifde -i -f newgroup.ldf -s server01
Tip: Watch for extra white space, such as tabs, spaces,...
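As an added example (not the exercise's own file, whose contents are not reproduced above), the following PowerShell script writes a Newgroup.ldf that creates the Management group in the Marketing OU, adds a second record showing what Ldifde can do and Csvde cannot (modify an existing object), and runs the import. The domain contoso.com and server01 come from the exercise; the Employees OU and the user Dan Holme are assumptions.

```powershell
# Added example: the LDIF for the Management group, written from PowerShell so that trailing
# white space cannot creep in, followed by a modify record that adds a member.
# Assumptions (hypothetical): an existing user CN=Dan Holme,OU=Employees,DC=contoso,DC=com.
$ldifPath = Join-Path $env:TEMP 'newgroup.ldf'

# Records are separated by one blank line. A modify record lists the attribute operation
# ("add: member"), the values, and ends with a line containing only "-".
$ldif = @'
dn: CN=Management,OU=Marketing,DC=contoso,DC=com
changetype: add
objectClass: group
sAMAccountName: Management
groupType: -2147483646

dn: CN=Management,OU=Marketing,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Dan Holme,OU=Employees,DC=contoso,DC=com
-
'@

# Strip trailing blanks from every line: a space after "changetype: add" or after "-" becomes
# part of the value and fails the record, which is the error the Tip above warns about.
($ldif -split "`r?`n" | ForEach-Object { $_.TrimEnd() }) | Set-Content -Path $ldifPath -Encoding ASCII

# -k continues past "object already exists" errors, so re-running applies only the records
# that are new; -j puts ldif.log and ldif.err in the given folder instead of the current directory.
ldifde -i -k -f $ldifPath -s server01 -j $env:TEMP
if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde returned $LASTEXITCODE; inspect $env:TEMP\ldif.err" }
```

Because the second record is a modify, it succeeds on a re-run even though the first record then fails with "already exists" and is skipped by -k; that is what makes an LDIF file safe to apply twice.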

The Computers Container vs OUs

The Computers container is the default location for computer objects in Active Directory. After a domain is upgraded from Windows NT 4 to Active Directory, all computer accounts are found, initially, in this container. Moreover, when a machine joins the domain and there is no existing account in the domain for that computer, a computer object is created automatically in the Computers container. By default, any authenticated user can join up to 10 computers to the domain this way (the limit is the domain's ms-DS-MachineAccountQuota attribute), so accounts can appear in this container without any administrator having created them. Although the Computers container is the default container for computer objects, it is not the ideal...

Using Ldifde

The Ldifde command allows you to import and export accounts using Lightweight Directory Access Protocol (LDAP) file formats. It is explained in the Windows Help And Support Center (search for Ldifde). Figure 4-3 lists the primary commands used with Ldifde, displayed by typing ldifde at the command prompt:
-i                Turn on Import Mode (the default is Export)
-f filename       Input or output filename
-s servername     The server to bind to (the default is a domain controller of the computer's domain)
-c FromDN ToDN    Replace occurrences of FromDN with ToDN
-d RootDN         The root of the LDAP search (the default is the naming context)
-r Filter         LDAP search filter
-p SearchScope    Search scope (Base, OneLevel, or Subtree)
-l list           Comma-separated list of attributes to look for in an LDAP search

Managing User Logon Hours

You can configure a user account to permit or deny logon during a particular time period using the Logon Hours button on the user's Account properties page, shown in Figure 3-4. If a user attempts to log on to a system when logon is denied, the user receives an error message, as shown in Figure 3-13. The user will not be able to log on to a computer during denied hours. Note that logon hours are checked at logon: a session that is already open continues past the end of the permitted hours unless the security option Network security: Force logoff when logon hours expire is enabled, and that option affects only SMB (file and print) sessions. Figure 3-13 shows the message: Your account has time restrictions that prevent you from logging on at this...

Saved Queries

The Active Directory Users And Computers MMC console and snap-in contains a new node labeled Saved Queries. This node allows you to create views of Active Directory objects that display the current results of a query you define. Some administrators refer to these as virtual folders or virtual OUs. The Windows Help And Support Center provides details about how to create saved queries (search for Saved Queries), and learning how to create saved queries is a valuable skill, both for the...

Unlocking a User Account

Account Lockout Error Message

The account lockout policy requires that when a user has exceeded the limit for invalid logon attempts, the account is locked and no further logons can be attempted for a specified period of time or until an administrator has unlocked the account. If a user account is locked out, the user receives a specific error message at logon, as shown in Figure 3-7 (Logon message indicating the user's account is locked out)...

Managing and Maintaining Access to Resources

Access to resources requires proper identification and proper permissions. No configuration beyond making sure that the resource is accessible (shared) and that the user has appropriate permissions for the desired action (read, write, delete, and so on) is needed to access files across a network. This transactional process of analyzing the user's access token involves reading the entries on the access control list (ACL) of the resource and comparing the list with the...

Exercise Create a Profiles Share

1. Create a Profiles folder on the C drive.
2. Right-click the Profiles folder and choose Sharing and Security.
4. Share the folder with the default share name, Profiles.
5. Click the Permissions button.
6. Select the check box to allow Full Control.
Security Alert: Windows Server 2003 applies a limited share permission (Everyone: Read) by default when creating a share. Most organizations follow the best practice, which is to allow Full Control as a share permission (preferably to Authenticated Users rather than Everyone, so that anonymous access is excluded at the share), and to apply specific NTFS permissions to the...
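As an added example (not the exercise's own steps), the following PowerShell script builds the same Profiles share from a script, with the share permission left at Full Control and the real restriction carried by the NTFS ACL, as the Security Alert describes. It assumes a current Windows Server: New-SmbShare and Get-SmbShareAccess need Windows Server 2012 or later, and icacls shipped with Windows Server 2003 SP2 (on an older 2003 server the same permissions are set in the dialogs the exercise walks through). C:\Profiles is assumed not to exist yet.

```powershell
# Added example: the Profiles share with a wide share permission and a tight NTFS ACL.
# Assumptions: Windows Server 2012 or later for the Smb* cmdlets; C:\Profiles does not exist.
$path = 'C:\Profiles'
New-Item -ItemType Directory -Path $path | Out-Null

# Share permission: Full Control, but to Authenticated Users rather than Everyone, so that
# anonymous and null-session access is excluded at the share even if NTFS is loosened later.
# No offline caching: a roaming profile copied into a laptop's client-side cache is a second
# copy of the user's data on a device that can be lost.
New-SmbShare -Name 'Profiles' -Path $path -FullAccess 'NT AUTHORITY\Authenticated Users' -CachingMode None | Out-Null

# NTFS: remove inherited entries, then grant only what roaming profiles need.
#   SYSTEM, Administrators   Full Control on everything (profile service, recovery).
#   Authenticated Users      this folder only: list it, read attributes, traverse, and create
#                            a subfolder (RD,REA,RA,X,RC,S plus AD), nothing more.
#   CREATOR OWNER            Full Control on subfolders and files only, so each user ends up
#                            controlling exactly the profile folder created for them.
icacls $path /inheritance:r | Out-Null
icacls $path /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $path /grant 'NT AUTHORITY\Authenticated Users:(RD,REA,RA,X,RC,S,AD)' | Out-Null
icacls $path /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null

# Verify both layers. A user browsing \\server\Profiles sees the list of folders but can open
# only the one they own.
Get-SmbShareAccess -Name 'Profiles' | Format-Table AccountName, AccessControlType, AccessRight
icacls $path
```

The layering is the point of the Security Alert: the share permission answers "who may reach this share at all", and the NTFS ACL answers "what may each of them do once there", so the NTFS side is where per-user restriction lives.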

Lesson Maintaining Disk Storage Volumes

Windows Server 2003 disk volumes are efficient and stable if formatted with NTFS, but somewhat less so when formatted with FAT or FAT32. The NTFS file system logs all file transactions, replaces bad clusters automatically, and stores copies of key information for all files on the NTFS volume. With these mechanisms, NTFS actively protects the integrity of the volume structure and the file system metadata (the data related to the file system itself). User data, however, can occasionally be...

Moving and Renaming Groups with Dsmove

The Dsmove command, introduced in Chapter 3, allows you to move or rename an object within a domain. You cannot use it to move objects between domains. Its basic syntax is dsmove ObjectDN [-newname NewName] [-newparent ParentDN]. The object is specified using its distinguished name in the ObjectDN parameter. To rename the object, specify its new common name in the NewName parameter. To move an object to a new location, specify the distinguished name of a container through the ParentDN parameter. For...

Creating Groups with Dsadd

The Dsadd command, introduced in Chapter 3, is used to add objects to Active Directory. To add a group, use the dsadd group command. The GroupDN parameter is one or more distinguished names for the new group objects. If a DN includes a space, surround the entire DN with quotation marks. The GroupDN parameter can be entered in one of the following ways:
By piping a list of DNs from another command, such as dsquery.
By typing each DN on the command line, separated by spaces.
By leaving the DN parameter empty, at...
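As an added example (not from the training kit), the following PowerShell script creates a global security group with dsadd group, then uses the piping the text describes to add members selected by a dsquery search, so that no DN is typed by hand. The domain contoso.com, the OUs Marketing and Employees, the description convention and the domain controller SERVER01 are assumptions.

```powershell
# Added example: dsadd group followed by dsquery piped into dsmod group.
# Assumptions (hypothetical): domain contoso.com, OU=Marketing for the group, user objects
# under OU=Employees whose description begins with "Marketing", and a DC reachable as SERVER01.
$server  = 'SERVER01'
$groupDn = 'CN=Marketing Staff,OU=Marketing,DC=contoso,DC=com'   # contains a space; PowerShell quotes it for dsadd

# -secgrp yes  makes a security group (usable on ACLs); "no" would create a distribution group.
# -scope g     global; u is universal, l is domain local.
dsadd group $groupDn -secgrp yes -scope g -samid MarketingStaff -desc 'Marketing department staff' -s $server
if ($LASTEXITCODE -ne 0) { throw "dsadd group failed with exit code $LASTEXITCODE" }

# Preview the candidates first. -limit 0 lifts the default cap of 100 results. dsquery prints
# one quoted DN per line, which is exactly the form the ds* tools accept on standard input.
$candidates = dsquery user 'OU=Employees,DC=contoso,DC=com' -desc 'Marketing*' -limit 0 -s $server
$candidates

# Same query, piped straight into dsmod: -addmbr with no DN after it reads the list from stdin.
dsquery user 'OU=Employees,DC=contoso,DC=com' -desc 'Marketing*' -limit 0 -s $server |
    dsmod group $groupDn -addmbr -s $server

# Confirm the membership and the group's own attributes.
dsget group $groupDn -members -s $server
dsget group $groupDn -secgrp -scope -samid -s $server
```

Previewing before piping is the habit worth keeping: a -desc wildcard that is one character too loose adds the wrong people to a security group, and membership changes are far easier to review before they happen than to reconstruct afterwards.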

Managing User Sessions

A variety of settings determine the behavior of a user session that has been active, idle, or disconnected for a time. These settings can be configured in the Sessions tab of the RDP-Tcp Properties dialog box in the Terminal Services Configuration console, shown in Figure 2-22. The settings can also be configured with Group Policy. (Figure 2-22 shows the dialog box's tabs: General, Logon Settings, Sessions, Environment, Remote Control, Client Settings, Network Adapter, and Permissions.) The Sessions tab's own description reads: Use this tab to set Terminal Services timeout and reconnection...

Points of Administration

Rdp Tcp Properties General Tab

There are several processes that occur as a user connects to a terminal server, and at each step there are opportunities to configure the behavior of the connection. Each of the client's redirection types can be disabled for a connection on the Client Settings tab of the RDP-Tcp Properties dialog box, which is where to do so when the terminal server handles sensitive data and should not be exchanging drives or clipboards with client machines. The Remote Desktop Connection client allows 32-bit Windows platforms to connect to a terminal server using the Remote Desktop Protocol (RDP). The client has been greatly improved over earlier versions of the Terminal Services client and now includes a wider variety of data redirection types, including file system, serial port,...

Importing User Objects Using Csvde

Occasionally, situations arise that require you to create multiple objects quickly, such as a new class of incoming students at a school or a group of new hires at an organization. In these situations it can be helpful to import the accounts from existing data sources so that you do not approach the task on an account-by-account basis. Csvde is a command-line utility that allows you to import or export objects in Active Directory from or to a comma-delimited text file also known as a...

Changing or Removing Computer Restrictions

Computer restrictions, introduced in Lesson 1, limit the computers to which a user may log on. By default, users may log on to any workstation in the domain. They can be restricted by clicking the Log On To button in the Account tab of the user Properties dialog box, shown in Figure 3-4. If a user who has computer restrictions configured attempts to log on to a computer that is not allowed by computer restrictions, the user will receive the message illustrated in Figure 3-10. To troubleshoot...

Manage Backup Procedures

When the System State data is backed up, the following items are written to the backup set: the registry, the COM+ Class Registration database, boot files, and system files that are protected by the Windows File Protection service. Depending on which services have been installed on the Windows Server 2003 system, System State data can also include the Certificate Services database, Active Directory and the Sysvol folder on a domain controller, cluster service information on a cluster server, and...
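As an added example (not from the training kit), the following PowerShell script runs an unattended System State backup with ntbackup.exe, rotates one set per weekday, and reads the end of the report. The folder D:\Backups is an assumption, as is that icacls is present (Windows Server 2003 SP2 or later) and that the script runs as a member of Administrators or Backup Operators.

```powershell
# Added example: unattended System State backup with ntbackup, one set per weekday, into a
# folder that is locked down before the first set lands in it.
# Assumptions (hypothetical): D:\Backups; icacls available; run as Administrators/Backup Operators.
$dir = 'D:\Backups'
if (-not (Test-Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
    # A System State set carries the registry, including the SAM, and on a domain controller the
    # Active Directory database with every account's password hash. Whoever can read the file can
    # attack the accounts offline, so the folder is restricted to the roles that need it.
    icacls $dir /inheritance:r | Out-Null
    icacls $dir /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Backup Operators:(OI)(CI)M' | Out-Null
}

# Rotating name so a week of sets is kept. /V:yes verifies after writing, /L:s keeps the log to
# a summary, /M normal requests a normal (full) backup.
$dest    = Join-Path $dir ("SystemState-{0}.bkf" -f (Get-Date).DayOfWeek)
$ntbArgs = "backup systemstate /J `"System State`" /F `"$dest`" /V:yes /L:s /M normal"
# ntbackup is a Windows-subsystem program; without -Wait the script would race ahead of it.
Start-Process -FilePath 'ntbackup.exe' -ArgumentList $ntbArgs -Wait

# ntbackup writes its report under the profile of the account that ran it; show the end of the
# newest one to confirm the set was written and verified.
$logDir = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data'
$log = Get-ChildItem -Path $logDir -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1
if ($log) { Get-Content $log.FullName | Select-Object -Last 8 }
```

Scheduling this with schtasks under an account that belongs to Backup Operators, rather than under a domain administrator, keeps the credential that runs nightly on every server from being one that can also rewrite the directory.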

Recovering from Mirrored Disk Failures

The recovery process for a failed disk within a mirrored volume depends on the type of failure that occurs. If a disk has experienced transient I/O errors, both portions of the mirror will show a status of Failed Redundancy. The disk with the errors will report a status of Offline or Missing, as seen in Figure 11-8 (A mirrored volume with a failed disk). After correcting the cause of the I/O error, perhaps a bad cable connection or power...

Recovery Console

The Recovery Console is a text-mode command interpreter that gives you access to the hard disk of a computer running Windows Server 2003 for basic troubleshooting and system maintenance. It is particularly useful when the operating system cannot be started, because the Recovery Console can be used to run diagnostics, disable drivers and services, replace files, and perform other targeted recovery procedures. That same capability is available to anyone who can boot the server from installation media, which is why the Recovery Console requires the local Administrator password by default and why the security option Recovery console: Allow automatic administrative logon should stay disabled on any server that is not physically secured. You can start the Recovery Console by booting with the Windows Server 2003 CD-ROM and,...

Preventing Users from Logging On with Cached Credentials

When a user logs on successfully to a Windows operating system, the computer caches the user's credentials: not the password itself, but a hash derived from the user name and password that is sufficient to verify a later logon. This allows the user to log on even if the computer cannot contact a domain controller, which has obvious value for laptop users who work offline. The cached verifier is also what an attacker with local administrative access, or with the physical disk, will extract and attempt to crack offline, which is the other reason to limit caching where it is not needed. In certain environments, or on certain systems, you might wish to prevent users from logging on with cached credentials; in other words, require their computers to be connected to the network and to be...
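As an added example (not from the training kit), the following PowerShell script serves this section and the Recovery Console section above: it audits the two local settings that let someone use a computer without a domain controller answering (the number of cached domain logons, and whether the Recovery Console logs an administrator on without a password) and then sets the cached-logon count to zero. It assumes it runs elevated on the target computer; where a GPO sets either value, Group Policy rewrites the registry at the next refresh and wins over a local change.

```powershell
# Added example: audit and tighten offline-access settings on this computer.
# Assumption: running elevated; no GPO is enforcing these values (if one is, it wins).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$recovery = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

function Get-OfflineAccessSettings {
    # CachedLogonsCount is a REG_SZ (a string); when the value is absent Windows uses 10.
    # The matching policy is Interactive logon: Number of previous logons to cache.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }
    # These DWORDs back the security options "Recovery console: Allow automatic administrative
    # logon" (SecurityLevel) and "Recovery console: Allow floppy copy and access to all drives
    # and all folders" (SetCommand). 1 means enabled.
    $rc = Get-ItemProperty -Path $recovery -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CachedLogons      = $cachedCount
        RecoveryAutoLogon = [bool]($rc -and $rc.SecurityLevel -eq 1)
        RecoveryAllDrives = [bool]($rc -and $rc.SetCommand -eq 1)
    }
}

function Set-CachedLogonsCount([int]$Count) {
    if ($Count -lt 0 -or $Count -gt 50) { throw 'CachedLogonsCount must be between 0 and 50' }
    # Written as a string because the value is REG_SZ.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

$before = Get-OfflineAccessSettings
$before
# 0 means every domain logon needs a reachable DC: right for fixed workstations and servers,
# wrong for laptops that must work offline, which is why this is normally scoped per OU by GPO.
Set-CachedLogonsCount -Count 0
Get-OfflineAccessSettings
if ($before.RecoveryAutoLogon) {
    Write-Warning 'Recovery Console automatic administrative logon is enabled: anyone with installation media and physical access gets a command prompt without a password.'
}
```

Treat the Recovery Console values as read-only evidence here: they are policy-managed, and the right fix is the security option in the GPO that covers the server, not a registry edit that the next policy refresh may reverse.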

Exercise Verify Backup and Restore Procedures

To verify backup and restore procedures, many administrators will perform a test restore of a backup set. To avoid damaging production data, that test restore is targeted not at the original location of the data, but at another folder, which can then be discarded following the test. In a production environment, your verification should include restoring the backup to a standby server, which would entail making sure that the backup device that is, the tape drive is correctly installed on a...

Automated System Recovery

Windows Server 2003 Asr Wizard Screen

Recovering a failed server has traditionally been a tedious task involving reinstallation of the operating system, mounting and cataloging the backup tape, then performing a full restore. Automated System Recovery makes that process significantly easier. Automated System Recovery requires you to create an ASR set, consisting of a backup of critical system files, including the registry, and a floppy disk listing the Windows system files that are installed on the computer. If the server ever...

Dsquery

The Dsquery command queries Active Directory for objects that match a specific set of criteria. The command's basic syntax is: dsquery ObjectType [{StartNode | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN] [-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]. Use -p * to be prompted for the password rather than typing it on the command line, where it would be recorded in the command history or in a batch file. As you can see, there are numerous parameters and options for each parameter. In fact, there are even more than the common...
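As an added example (not from the training kit), the following PowerShell script ties this section together with the Dsrm and Dsmove sections above: it uses dsquery -inactive to find stale computer accounts, dsmod and dsmove to disable and quarantine them, and dsrm (with piped input, and with -subtree -exclude shown at the end) to delete the ones that stay stale. The domain contoso.com, the Quarantine OU, the domain controller SERVER01 and the 12-week threshold are assumptions; -inactive requires a domain functional level of Windows Server 2003.

```powershell
# Added example: stale computer-account hygiene with dsquery, dsmod, dsmove and dsrm.
# Assumptions (hypothetical): domain contoso.com, OU=Quarantine, DC reachable as SERVER01,
# domain functional level Windows Server 2003 (needed for -inactive).
$server     = 'SERVER01'
$quarantine = 'OU=Quarantine,DC=conto so,DC=com'.Replace('conto so', 'contoso')   # written plainly below
$quarantine = 'OU=Quarantine,DC=contoso,DC=com'
$weeks      = 12

# 1. Computers that have not logged on for $weeks weeks. -inactive reads lastLogonTimestamp,
#    which replicates only every 9 to 14 days, so keep the threshold at several weeks.
#    -limit 0 lifts the default cap of 100 results; without it a big domain looks cleaner than it is.
$stale = @(dsquery computer domainroot -inactive $weeks -limit 0 -s $server)
"$($stale.Count) computer account(s) inactive for $weeks weeks"

# 2. Disable and quarantine rather than delete on first sight. A disabled account can no longer
#    authenticate (and a stale one is a standing risk: whoever holds its machine password still
#    can), but the move is reversible if the machine was simply powered off for a term.
#    dsquery prints each DN quoted; the quotes are stripped so PowerShell can re-quote the
#    argument itself when the DN contains spaces.
foreach ($line in $stale) {
    $dn = $line.Trim('"')
    if ($dn -like "*,$quarantine") { continue }          # already quarantined on an earlier run
    dsmod computer $dn -disabled yes -s $server
    dsmove $dn -newparent $quarantine -s $server
}

# 3. Delete only accounts that have stayed inactive for another $weeks weeks inside Quarantine.
#    dsrm reads DNs from standard input, so the query pipes straight in; -noprompt suppresses
#    the per-object confirmation and -c carries on if one deletion fails.
dsquery computer $quarantine -inactive (2 * $weeks) -limit 0 -s $server | dsrm -noprompt -c -s $server

# To empty Quarantine entirely while keeping the OU object itself, -exclude rides on -subtree:
#   dsrm $quarantine -subtree -exclude -noprompt -s $server
```

The two-stage delete is the practitioner's caveat on dsrm: -noprompt -c makes the command very quiet, so it is run only against an OU whose contents were already disabled and reviewed weeks earlier, never directly against domainroot.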