Posted on Thu, Aug 11, 2011
Oftentimes, users have a hard time adapting to new password policies on their network. Perhaps they are running an older version of Windows server or don't have a domain at all and use blank passwords or very simple passwords. Once they move to a Windows 2003 or 2008 network, they find their old passwords are no longer acceptable. Most times, users adapt and begin using more complex passwords, but sometimes users want to stick with their old password policy or modify the security level provided by the default Windows policy. Unfortunately, this is not as easy as it may seem.
In a standard Windows 2008 or 2003 domain, the password policy is pre-defined in the Default Domain Policy Group Policy Object. This policy is reasonably good for most configurations, though circumstances may vary from organization to organization. Unfortunately, while you can create new GPOs and configure password policy settings in them, they will have no effect. The only way to change the password policies of the domain is by editing the Default Domain Policy. In fact, even if you set the Default Domain Policy password options all to "Not Defined", the standard Active Directory defaults will remain; you must define all the values for any changes to take effect.
This has long been a limitation of Active Directory and newer versions of Windows have not adequately provided alternatives. In particular, some organizations wish to have multiple password policies, defining different restrictions and requirements for different sets of users. This has never been possible until Windows 2008.
While common sense would lead you to believe you could simply create new GPOs with custom password policies and assign those to the appropriate Organizational Units, this does not work. Instead, Microsoft has created an entirely new system specifically for multiple password policies. This system is known as Fine Grained Password Policies. The basic process involves adding a new Active Directory object, known as a Password Settings Object (PSO), into a new container, known as the Password Settings Container (PSC). The steps necessary to do this are complex and involve using ADSIEdit to manually create the new objects. Microsoft provides a step-by-step explanation of the process here: http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx
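As an added example that is not part of the original post, the same PSO can be built with the Active Directory PowerShell module (Windows Server 2008 R2 or later) instead of hand-creating it in ADSIEdit; the policy, group and user names below are assumptions.

```powershell
# Added example, not from the original post: create a Fine Grained Password
# Policy with the Active Directory module rather than ADSIEdit.
# Policy, group and user names are assumed.
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceAccounts'   # assumed PSO name
$group   = 'Service Accounts'      # assumed global security group
$user    = 'svc-backup'            # assumed member of that group

# A PSO must carry every setting; unlike a GPO there is no "Not Defined" that
# falls back to the Default Domain Policy. Precedence decides which PSO wins
# when a user is covered by several (lower number wins).
$pso = @{
    Name                        = $psoName
    Precedence                  = 10
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    LockoutThreshold            = 10
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    Description                 = 'Stricter policy for service accounts'
}

# The object is created in the Password Settings Container under CN=System.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}

# PSOs link to users or global security groups only, never to OUs, which is
# why a password GPO linked to an OU has no effect.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Check which policy actually wins for a member of the group.
Get-ADUserResultantPasswordPolicy -Identity $user |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

The resultant-policy check is the one worth keeping in a runbook: it shows the effective settings for a given account after all PSO precedences are resolved.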
Brian St. Marie - Sr. Systems Engineer
Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!
Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
Posted on Thu, Jun 23, 2011
Although the Domain Name System used on the internet is as old as the internet itself, it's still a very confusing technology for many businesses. Understanding all the different hosts and services necessary to create a presence on the web can be confusing and overwhelming.
Most people understand that they need to register a name for their business on the web (referred to as a domain name) and host a website, but beyond that, they're unclear on what they might need. In fact, there are several layers and different hosts who coordinate to make sure everything goes just right. Just like when buying a cell phone, there are many parts to the equation to ensure everything works as you expect.
The Registrar
The registrar is the place you start; they are the service which officially creates and maintains your chosen domain name (e.g. terminal.com). Using our cell phone analogy, this is much like choosing your carrier and cell phone plan. Initially, Network Solutions was the only registrar, but some years ago the law changed to allow other companies to act as internet registrars. Now there are hundreds, such as GoDaddy, Verisign, Tucows, and many others. They all work essentially the same, though costs can vary quite a bit.
The Domain Host
Once you've registered your domain name, you need to host it somewhere. Again, going back to our analogy, you need more than just a cell phone plan, you need to get a phone number as well, so people know how to reach you. The domain host provides directions on the internet for anyone trying to reach your internet services, whether they be email or web or even remote access or corporate VPNs.
The Service Hosts (email, web, etc.)
If the registrar is the cell phone plan in our analogy, and the domain host is the phone number, the service host would be the cell phone itself. The service hosts are the endpoint that your users are trying to reach. This can be a web page, or email, or many other business services. Some companies choose to host these services inside their own offices, while others choose to have other companies host them. Traditionally, many small and medium businesses have relied on web hosting companies to host their web pages and sometimes their email, as well. As companies grow in size, they will frequently host their own email and may even host their own web pages. These days, as cloud computing becomes more popular, companies often host many services with third party service hosts.
While it's entirely possible to choose different companies for each of these categories, many companies offer some or all of these services together. I often encourage clients to try to stick to as few companies as possible, as it helps keep a handle on recurring costs and creates a central contact point for service-related issues.
It's important to choose wisely, for this very reason; don't be stuck in the situation of not knowing just who to call when something breaks! If you need help consolidating or making sense of your domain hosting, Contact Us today and a Terminal engineer can help you understand your domain configuration and simplify your management.
Brian St. Marie - Sr. Systems Engineer
Posted on Wed, Jun 08, 2011
Once again on the subject of useful tools is ForensIT's User Profile Wizard. If anyone is familiar with the longhand method of migrating a user's profile, you will be very excited to get your hands on this gem!
Recently, we have been building a lot of domain environments from the ground up, which requires us to migrate many users' beloved local profiles to their new domain profiles. The User Profile Wizard has helped us slash the time it takes to do this and has improved the success rate at the same time. This tool completely automates the process of changing the various permissions on the local profile folders and registry keys, sets the default login name and even lets you join the computer to the domain, all within one intuitive wizard. Using the migration tool preserves the user's custom settings, wallpaper, email configuration, internet favorites, shortcuts and desktop icons. It fully supports both Active Directory and Novell networks. When purchased, you will gain access to the deployment kit, which supports scripting and customization and has the capability to automatically migrate thousands of workstations at once! This is a solid tool that just works.
Adam Jones - Systems Engineer
Posted on Thu, Jun 02, 2011
A personal pet peeve of mine is the required authentication to access the Management Console of Symantec's Endpoint Protection Suite. Since it doesn't typically require logging in very often yet requires frequent changing of the password, it's very easy to forget the login information which delays troubleshooting when it's most important.
Just recently, I discovered that there is a way to configure the Management Console to allow domain logins, greatly simplifying management of Symantec's Protection Suite.
Inside the console, browse to the Admin tab. On the bottom left of the new pane, click on the Servers sub-tab. Select your management server and click Edit Server Properties and then Directory Servers on the resulting window. Here, you can add external authentication servers for the Symantec software to use. Click Add and enter the information for your domain controller of choice, as well as the name of the account you wish the software to use when connecting to the domain.
Once that's complete, you can specify any Symantec Endpoint Protection Administrator to use this domain server and account to log into the console. Simply browse to the Administrators sub-tab, edit or create an Administrator account and specify Directory Authentication for Authentication. You don't even need to have the same username in Symantec as you do on the domain, but you must use the same password. The advantage to this is you never need to worry about independent or unmanaged passwords in the Symantec management system. This improves security and manageability, allowing administrators to focus on keeping your network protected.
Brian St. Marie - Sr. Systems Engineer
Posted on Wed, May 11, 2011
I was recently recommended a brilliant free utility from Admin Arsenal called PDQ Deploy. This is a free software deployment tool that will allow you to deploy just about any type of installer package or command line script from a source to a network client. It is capable of remotely executing EXE, MSI, REG, BAT, VBS, MSP and MSU including any command line switches that are supported by the installation package. I found this software to be a great alternative to using Group Policy startup scripts for immediately deploying single Microsoft hotfixes that might not be included in your WSUS database. It also works quite well for small scriptable installations like Adobe Reader and Flash Player. It has a simple user interface that keeps track of your deployment history so that you can quickly see which computers were successful and which may have failed.
While there are more robust options for software deployment, such as System Center Essentials and a few other third party alternatives, those may be too expensive or just plain overkill for a small network. I would definitely suggest putting Admin Arsenal's PDQ Deploy into your "admin arsenal".
Find PDQ Deploy here.
Adam Jones - Systems Engineer
Posted on Tue, May 10, 2011
This week, I ran into a large amount of people that forgot their passwords. So, I let them know about a program called KeePass.
I have been using KeePass for some time and it never lets me down. The nice thing about KeePass is that it divides your passwords into separate categories. It has the following categories to choose from: Windows, Network, Internet, Email and Home Banking. You can set up multiple databases, maybe one for work and one for home.
I find it to be very useful to keep track of passwords that expire after a certain timeframe. KeePass can be found by going to www.KeePass.com. The most current version is 2.15 and it is available for Windows, Mac OS X, and Linux making it very easy to use at home and in the office.
Dennis Foote - Systems Engineer
Posted on Thu, Apr 21, 2011
Most network administrators and technicians are familiar with mapping a printer from a server. This is the most typical and efficient way of sharing printers on a network. However, many applications, especially legacy applications, only work with a local, non-network printer. Some applications may also require the printer have a specific name, which won't work with network printers as you cannot rename them. There are a few ways to get around these problems, if an application requires it.
The first, and most straightforward, is simply to manually create a local printer port which actually redirects to the server hosting the printer. This can be done through the Add Printer Wizard on any version of Windows by simply selecting "Local Printer" and adding a new Local Printer Port. The name of the port is \\servername\printername.
However, this process requires manually installing the printer on each computer, which can be time consuming and difficult to manage if you're trying to deploy the printer to several machines.
Installing a local printer via script can be done, using the PrintUIEntry function found in Windows XP and onward. The basic command is:
rundll32 printui.dll,PrintUIEntry /if /b <printername> /f %windir%\inf\ntprint.inf /r <portname> /m <drivername> /u
This will install the printer with the specified name, port, and driver. However, this script assumes the port name specified already exists, so the port must be created first. There are two ways to do this. For computers with old LPT parallel ports, you can map LPT1 to a network location and then specify LPT1 in the script. The script would look something like this:
net use LPT1 \\servername\printername /persistent:yes
rundll32 printui.dll,PrintUIEntry /if /b <printername> /f %windir%\inf\ntprint.inf /r LPT1 /m <drivername> /u
Unfortunately, this will not work if there are no parallel ports on the target computer, as then LPT1 does not exist. In that case, we need to create a new Local Port on the machines the way we did above in the manual scenario, but this time we need to do it via script. The best way to do this is by adding a registry entry to the target machine, which creates the port. Then we restart the spooler on the target machine so it recognizes the new port. The basic script would look like this:
net stop spooler
reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Ports" /v \\servername\printername /t REG_SZ /f
net start spooler
rundll32 printui.dll,PrintUIEntry /if /b <printername> /f %windir%\inf\ntprint.inf /r \\servername\printername /m <drivername> /u
The catch with this scenario is that we must have elevated privileges to run this script on Windows Vista or Windows 7. Otherwise, we will not be allowed to add any info to the registry or restart services via script.
One last method uses new technology released with Windows 2008, called Group Policy Preferences. GPP allows an administrator to control almost anything they like on the target machines, including adding local printers to an entire domain. The steps are essentially the same as the manual process above, except done through the GPP interface. Once configured, GPP will execute on each machine as it starts up on the domain, ensuring the printer is added appropriately. This is the cleanest and simplest method, but requires Windows 2008 domain controllers and also requires Windows 7 clients. For Windows Vista or Windows XP, the GPP extensions will first need to be deployed and installed. However, this is the simplest and most reliable method, once GPP is deployed and working on the network.
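As an added example that is not part of the original post, the two scripted cases above (LPT1 redirect when a parallel port exists, registry-created Local Port when it does not) can be combined into one PowerShell script that also checks for the elevation the registry and spooler steps require; the server, share, printer and driver names are assumptions.

```powershell
# Added example, not from the original post: scripted install of a "local"
# printer that redirects to a shared queue. Server, share, printer and driver
# names are assumed.
$server = 'printserver'              # assumed print server
$share  = 'AcctPrinter'              # assumed share name
$port   = "\\$server\$share"
$name   = 'LEGACY_PRN'               # fixed local name the legacy application expects
$driver = 'HP LaserJet 4'            # assumed driver name present in ntprint.inf

# Adding a Local Port through the registry and restarting the spooler both
# need elevation on Vista/7; detect it up front instead of failing half way.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

$portsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'

if (Get-WmiObject Win32_ParallelPort) {
    # Case 1: a physical LPT1 exists, so redirect it to the share.
    net use LPT1 $port /persistent:yes
    $portName = 'LPT1'
} else {
    # Case 2: no parallel port; create a Local Port named after the UNC path.
    if (-not $isAdmin) { throw 'Creating a Local Port requires an elevated session.' }
    if (-not (Get-ItemProperty -Path $portsKey -Name $port -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $portsKey -Name $port -Value '' -PropertyType String | Out-Null
        Restart-Service Spooler      # the spooler reads the Ports key only at start-up
    }
    $portName = $port
}

# Install the printer against the chosen port, reusing the in-box driver (/u).
rundll32 printui.dll,PrintUIEntry /if /b $name /f "$env:windir\inf\ntprint.inf" /r $portName /m $driver /u

# Confirm the queue exists with the exact name the application expects.
Get-WmiObject Win32_Printer -Filter "Name='$name'" | Select-Object Name, PortName, DriverName
```

On a domain where Group Policy Preferences is already deployed, the GPP printer item described above replaces this script entirely.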
There are many solutions to the problem of local printing emulation on a network. Exactly which method is right for each network depends on many factors and choosing the wrong method can result in extensive headaches and buggy deployment. Proper research and preparation is necessary before committing to any solution.
Brian St. Marie - Sr. Systems Engineer
Posted on Thu, Apr 07, 2011
As the internet continues to become more and more of a necessity for business, the ability to connect to the internet becomes increasingly critical to keeping your business running. Many companies have remote workers, sales forces which travel, or other employees who need to work from the road. The challenge is keeping them connected and in touch with the rest of the company.
Thankfully, mobile broadband internet is becoming increasingly useful and cost effective. Many people have smart phones with data connections, which allow them to check their email or other company resources while on the go. However, getting a laptop to work this way is more of a challenge. Often, employees use hotel wireless connections or free hotspots in coffee shops or other locations. Increasingly, employees are subscribing to mobile broadband services, which allow them to have a mobile broadband connection anywhere there is cell service available.
The downside to this technology has been that 3G speeds are nowhere near comparable to the typical wifi speeds most people are used to when using a laptop. It can frequently be 1/10th or even less the speed you would get if you were to use a normal wifi connection. Oftentimes, this is only enough for the most basic work to be done and limits how productive an employee can be when out of the office.
However, new 4G technologies are now hitting the market and are available in many cities across the country. With 4G mobile broadband connections, speeds are significantly better and more on par with the type of speed many users may be used to from using their home internet connections. The best part of 4G is the cost is nearly *the same* as older 3G mobile broadband plans, but provides speeds 4-20 times faster. While not as fast as what they may have in the office, it is vastly better than 3G technology and greatly increases access to resources and productivity from anywhere you can reach a 4G signal.
If you're based in Boston, you're in luck, as 4G technology is becoming a big industry here. The current leader is Clear with their WiMAX 4G technology. Clear has also partnered with Sprint, which allows Sprint to offer 4G services to their client base, rebranded as Sprint equipment. The other carriers are not too far behind with offering their 4G services, mainly based on LTE technology; T-mobile does currently offer service and AT&T and Verizon are not far behind. However, it's our feeling here at Terminal, that Clear is the most well established network in Boston, as they have been working on their network for far longer than the other technologies. This is why we chose to partner with Clear, allowing us to offer their technological advantage to our clients and helping them get the most from new 4G services.
If you have a mobile workforce and are interested in getting them to be more productive and more accessible, Contact Us today and we can go over all the benefits and advantages of 4G technology with you.
Brian St. Marie - Sr. Systems Engineer
Posted on Fri, Apr 01, 2011
I replaced a tray #2 paper pickup assembly in a laser jet network printer at a customer's site. This required splitting the printer in two. After completing the replacement, the diagnostics ran OK. The customer IT analyst had the user send print jobs to the printer. The printer would print one form, but the second form, instead of going to Tray #2 for plain paper or Tray #3 for letterhead, would ask for the form to be loaded into Tray #1.
I tried to reset configuration parameters, pulled off the covers, and reseated cables to PCBs – all NG! The user we were using to send online test print jobs to the printer left for a meeting with one of her customers. The IT analyst then asked a second user to send print jobs to the printer. The online test for print jobs from the second user ran OK, as did tests from two other users.
The first user’s software driver for the printer suddenly became corrupted and sent both myself and the customer's IT analyst down the yellow brick road chasing a ghost. What are the odds that a software driver would go corrupt for a printer that just had a major repair done to it? One would believe that the odds are so small that you would believe that it would not happen. But yes, it can happen!
When you work on a network printer, always check it with multiple computers before determining if you have any problems with it even after a major repair. What turned into a two-hour ghost chase could have been avoided by testing the network printer on multiple computers in a half hour or less.
Joe Churma - Hardware Technician
Posted on Thu, Mar 17, 2011
I seem to be running into this a lot lately. When you connect to a wireless network, your computer saves the configuration. So all of your old Internet connections in the Network and Sharing Center hang around even after you are done using them.
This might be helpful if you are going to be around the same connections all the time, but you may wish to clean up the old unneeded connections if you are having issues with your network card or connection. You can navigate to the Network and Sharing Center on your computer to manually remove the old network connections that you no longer use. When you remove the network connections, this also removes the Internet configurations that go along with that connection. Use the following steps to remove the old unwanted connection profiles that may be causing some of the headache.
Click the Start menu and select Control Panel.
Click Network and Internet and select Network and Sharing Center.
Click Manage Network Connections. This will show you a list of all network connections you have created on your computer.
Right-click the old network connection and select Remove network to delete the network connection and the Internet connection associated with it.
Click Yes when prompted to confirm the connection deletion.
Repeat the process for each old Internet connection you wish to delete.
Dennis Foote - Systems Engineer