Category Archives: Windows Server 2008

Group Policy Loopback: Merge not working on Windows 7 / Server 2008 R2

I guess I wasn’t paying attention. It’s now November 2012, and I’m just now realizing that Group Policy Loopback, with Merge selected, no longer works as I’d expect with Windows 7 and Server 2008 (R2).

It used to work like this:

Replace mode would ignore all GPOs applied to the user up until it got to the OU with the loopback policy, and then apply ONLY the GPOs with user settings in the OU with the loopback policy. This still works as expected in 2008/win7.

Merge mode would ADD the additional GPOs to what was already applied to the user, overriding any existing settings as needed, effectively merging them. This is what no longer works as expected.

Here is what I’ve found:

Microsoft published this KB, 953786, which says that the PCs now need to have an entry in the ACL of the GPO allowing them to read the settings of said GPO. What I’ve done to make this easier for myself is add the “Domain Computers” Active Directory group to any GPO which contains the user settings that I wish to apply via loopback merge.

In my testing, this added ACL entry has solved the issue, and allowed it to work as I expected, which is the way that 2003/xp behaved.

Install a Certificate for Remote Desktop Services or Terminal Services on a Terminal Server

You’ll need a .pfx certificate in this guide, so once you have your certificate and any intermediates that need to be installed, export the certificate and include the entire chain in the export, assign a password, and then save the .pfx somewhere you can access it from the terminal server.

On the Terminal Server in Question:

  1. Click “Start” and then “Run”.
  2. Enter “mmc” and then click “OK”.
  3. Click on the “File” menu and then select “Add/Remove Snap-in…”.
  4. Click “Certificates” and then click “Add >”, when prompted choose option “Computer Account” and then click “Next >”.
  5. Select “Local Computer” and then click “Finish”.
  6. Click “OK” to complete the add snap-in wizard and then expand “Certificates (Local Server)”.
  7. Right click on the “Personal” folder and then select “All Tasks”, then “Import…”.
  8. Click “Next >” and then locate the .pfx you saved earlier. Click “Next >”.
  9. Enter your password, and then click “Next >”, click “Next >”, click “Finish”.
  10. Now open “Remote Desktop Session Host Configuration”.
  11. Right click on “RDP-tcp” in the center of the window and select “Properties”.
  12. On the “General” tab, click the “Select” button, Select your certificate, and then click “OK”.
  13. Click “OK” one more time, and then all future connections will be secured by the certificate.
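The same steps scripted in PowerShell, as an added example that is not part of the original post. It uses the .NET X509Certificate2/X509Store classes to import the .pfx (so it also runs under the PowerShell 2.0 that ships with 2008 R2, which has no Import-PfxCertificate), binds it to the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, and then re-reads the listener to confirm the binding. The .pfx path and password are placeholders.

```powershell
# Added example: import a .pfx for the RDP listener and bind it, with checks.
# $PfxPath and $PfxPassword are placeholders; run in an elevated PowerShell on the terminal server.
param(
    [string]$PfxPath     = 'C:\path\to\terminalserver.pfx',   # placeholder
    [string]$PfxPassword = 'ExportPassword'                   # placeholder
)

# MachineKeySet/PersistKeySet store the private key in the machine key store so the
# Remote Desktop service (not just the importing user) can use it
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

# A .pfx exported without the private key imports fine but cannot secure the listener
if (-not $cert.HasPrivateKey) { throw "$PfxPath contains no private key; re-export the certificate with it." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Equivalent of MMC steps 4-9: Certificates (Local Computer) -> Personal -> All Tasks -> Import
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Equivalent of RD Session Host Configuration steps 10-13: select the certificate on RDP-Tcp
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Verify: the listener must now report the thumbprint of the certificate we just imported
$bound = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) { throw "RDP-Tcp still uses $bound, expected $($cert.Thumbprint)." }
"RDP-Tcp now presents $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))."
```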


Apply Internet Explorer Settings with Group Policy without preventing users from making additional changes

Let’s say you want to roll out some default settings to IE, but you don’t want to prevent users from making additional changes. In the past I’ve seen this done through the Site to Zone Assignment List GPO but you end up with users who can’t modify those settings once they are set at the GPO level. The problem is this: say you’ve got a partial list of websites that should be placed in Trusted sites, but you don’t have the full list and you know users are going to need to add additional sites ad hoc.

Here is the better way to configure these settings:

  1. Open Group Policy Management Console, and Create a new GPO
  2. Expand User Configuration, Policies, Windows Settings, and Internet Explorer Maintenance, and finally Security
  3. Double click on “Security Zones and Content Rating”
  4. If and when the “Internet Explorer Enhanced Security Configuration” warning appears click on “Continue”
  5. Change the “Security and Privacy Settings” section to “Import the current security zones and privacy settings” and then click the “Modify Settings” button
  6. Make all of the appropriate changes for your environment and then press OK. These will now be the default settings for any users whom this GPO affects.

To be clear, I’ve not tested whether these settings will re-apply if they are removed by the users, but my hunch is that if a user tries to remove any of these settings, they will be reapplied the next time the GPO is processed.

Disabling HP Printer Notifications using Group Policy and Group Policy Preferences

The HP printer status notification is enabled by default. You can disable it manually for each printer by clicking on the Settings option when the GIANT ANNOYING BIG SQUARE BOX pops up in the bottom right corner of your screen, but of course you would not want to do that for every client; thus, GPOs become very useful.

Depending on your environment, there are a couple ways to accomplish this.

If you have your server acting as the print server and sharing out all your printers, you are in luck. HP makes a Universal Print Driver AD Tool Kit and Template that you can add to your GPM console. Once the new options are added, you can easily disable the status notification option by checking a box.

  1. Download the HP Universal Print Driver AD Template and Guide Park-1.4 from HP’s site.
  2. Open Group Policy Management Console.
  3. Right click on the User Configuration section and add the .adm file you just downloaded. This will give you added features. See Figure 1.

    Figure 1

  4. By selecting “Disabled”, you will stop the status notification from popping up on all your HP printers.

NOTE: This is a User Configuration policy; thus, you can only apply this to an OU that contains users, not PCs. Also, this will ONLY work if you are using/installing shared printers from the server. If you are using local IP printers, jump to the next section.

If you are using local IP printers, disabling the status notification is a bit more complicated.  This is because you can only affect the HP Laser Jet settings using the options under the Computer Configuration section, not the User Configuration section since these are installed as local IP printers, not shared printers.  The printer settings are connected to the PC, not the users.  Unfortunately, the HP AD Template only adds options under the User Configuration, not the Computer Configuration, so you need to follow these steps to accomplish the same task.

  1. On an XP workstation, install the IP printer(s) you need to modify. Go to the following registry section: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\
  2. Create a DWORD value named SSNPNotifyEventSetting, give it a value of “0”, and repeat this step for EVERY printer you need to modify.
  3. Create a new GPO called: Disable HP LJ Printer Status Notification
  4. Expand Computer Configuration\Preferences\Windows Settings\Registry
  5. Right click on the right side and choose New/Registry Wizard.
  6. Select the PC on which you installed the printers above.
  7. In the bottom section, go to the registry DWORD setting you just created and select it.
  8. Most of the default settings should suffice, but you may want to associate the preference with a specific OU. See Figure 2. If you do:

    Figure 2

  • Open the preference you just created.
  • Click the Common tab.
  • Check Item-level targeting and then click the Targeting button.
  • Click on New Item and select Organizational Unit.
  • Select the OU to which you want to apply this preference.

Note: You can rename the preference in order to keep track of the printers you are modifying.

Finally, reboot the PC.


Installing 32 Bit Print Drivers on Server 2008 R2 or 2008 x64

Remember the days when you could right click inside of the “Printers and Faxes” window and add an additional print driver? Me too, but those days are gone my friend. Apparently Microsoft fired the “good ideas” guy.

So you’ve got 32 bit Clients and a 64 bit Server sharing a printer huh? Are Clients prompting for the driver every time you try to connect…?

Follow these steps to resolve it:

  1. First download both the 32 bit and 64 bit versions of the EXACT SAME DRIVER. Make sure they are exactly the same (Lexmark 4600 and Lexmark 4600 XL are not the same; make sure yours are).
  2. Once both are extracted you can add them one of two ways:

Method one: Installing them from the server

  1. Open Server Manager
  2. Click Roles
  3. Add the Print and Document Services Role (really you say?  Yes really.)
  4. After the Role finishes installing, click on Administrative Tools, and then Print Management
  5. Inside Print Management, expand Print Servers
  6. Right click on the Print Server in question, and then select Properties…
  7. Click on the Drivers tab and then click Add. Click Next. Check off both x64 and x86 drivers, and click Next. When prompted, select the location for one or the other, and when prompted again, specify the location of the remaining driver.
  8. Now Create a new printer, using the installed driver, and share it.

Method two: Installing the Drivers from the Client

  1. Install and share the printer as you normally would on the 2008 server
  2. From the client browse to the server using \\%servername%
  3. Open the folder “Printers and Faxes” from the \\%servername% window
  4. Right click on the empty white space and select “Server Properties”
  5. Click on the Drivers tab and then Click Add. Click Next. When prompted select the location of the remaining driver.

Windows 7 Not Remembering Remote Desktop Credentials for Server 2008 / Server 2008 R2

If you’re like me, you use RDP all of the time. You’ve probably got tons of RDP icons with the passwords saved in each one so that you can quickly bounce into all of the servers you are managing. If you’ve upgraded to Windows 7 as your workstation OS, you’ve probably also noticed that those RDP connections no longer remember your passwords for connections to Windows Server 2008 or Server 2008 R2.

Here is how to resolve this problem:

  1. Click on Start, and then in the search bar type: gpedit.msc
  2. Expand Computer Configuration, Expand Administrative Templates, Expand System, Expand Credentials Delegation
  3. Double click on “Allow Delegating Default Credentials with NTLM-only Server Authentication”. Click the “Show…” button and enter the following: TERMSRV/*
  4. Click OK, to close the Show Contents Window, Click OK again to close the next window.
  5. Double click on “Allow Delegating Saved Credentials with NTLM-only Server Authentication”. Click the “Show…” button and enter the following: TERMSRV/*
  6. Click OK, to close the Show Contents Window, Click OK again to close the next window.
  7. Click on Start, and then in the search bar type: GPUPDATE /FORCE

You’ll now be able to save credentials into RDP connections for Server 2008 / 2008 R2 connections.
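An added audit script (not part of the original post) that reads back the two Credentials Delegation policies set above and lists the server entries each one allows, flagging wildcards such as TERMSRV/*. It assumes the registry layout the CredSSP policy template uses: a DWORD for each policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, plus a same-named subkey whose string values 1, 2, 3 … hold the allowed SPNs.

```powershell
# Added example: report what the NTLM-only credential delegation policies currently allow.
# Assumed layout: DWORD <Policy>=1 under $base, and subkey $base\<Policy> with values "1","2",... = SPN
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$policies = 'AllowDefaultCredentialsWhenNTLMOnly', 'AllowSavedCredentialsWhenNTLMOnly'

function Get-DelegationPolicy {
    param([string]$Name)
    $enabled = $false
    $spns    = @()
    if (Test-Path $base) {
        # Missing value -> $null -> treated as not enabled
        $enabled = (Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue).$Name -eq 1
    }
    $listKey = Join-Path $base $Name
    if (Test-Path $listKey) {
        # Keep only the numbered entries; skip PowerShell's PSPath/PSChildName note properties
        $spns = (Get-ItemProperty -Path $listKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
    }
    New-Object PSObject -Property @{ Policy = $Name; Enabled = $enabled; Spns = @($spns) }
}

foreach ($p in ($policies | ForEach-Object { Get-DelegationPolicy $_ })) {
    $state = if ($p.Enabled) { 'ENABLED' } else { 'not configured / disabled' }
    '{0}: {1}' -f $p.Policy, $state
    foreach ($spn in $p.Spns) {
        # TERMSRV/* (the value entered in this article) covers every RDP host that only offers
        # NTLM authentication; a host-specific entry such as TERMSRV/srv01.example.com narrows it
        $scope = if ($spn -match '\*') { 'WILDCARD: any matching host' } else { 'single host' }
        '    {0}  ({1})' -f $spn, $scope
    }
}
```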

Getting System State Only Backups from Server 2008 / 2008 R2

If you’re like me, you’re pretty crazy about backups. I hate not having backups; it never happens that you have an error or a data loss after a successful backup, it’s always after the backup fails. That’s why I always go the extra step and back up core components with their specific tools and then back up those backups with another 3rd party backup software. In Server 2000/2003 I used to use NTBackup to make 2 overlapping system state backups, one for Monday, Wednesday, Friday, and one for Tuesday and Thursday. That way if Active Directory ever crapped out on me I’d have the last two days’ worth of system state backups, and in the original Microsoft form to boot. (It’s always easiest to do the restore with Microsoft tools; ever get stuck between two vendors swearing it’s the other guy’s fault?)

Anyway, when Server 2008 came out I wasn’t happy with the fact that I had to either back up the entire C: volume, or back up to a volume other than the one I was taking a backup of, or that the command line option wasn’t automated. Sometimes you’ve got servers in a rack that only have 1 volume, and there’s no room for a USB drive, or if you’re like me you’re backing up with a 3rd party tool and you just want to keep the native format backups on the server as a spare copy. I ended up doing a bit of research and this is how you get it done:

First you’ve got to enable the ability to back up to the same volume you’re making a backup of. Microsoft KB 944530 gives you instructions on how to create a registry entry that enables backing up to any volume. Here is the Location and Key:

Name: AllowSSBToAnyVolume
Data type: DWORD
Value data: 1

Or you can download it here: AllowSSBToAnyVolume

Once that’s been done, reboot and then you’ll be able to run a Windows Backup to any volume. The next thing I do is create two batch scripts, one for MWF and one for TTh, but again, I’m crazy.

MWF’s Backup Batch Script:
REM Clear out the previous MWF copy and recreate the folder
Rmdir c:\systemstatebackups\mwf /s /q
Mkdir c:\systemstatebackups\mwf
REM System state only, written to the same volume (requires AllowSSBToAnyVolume)
Wbadmin start systemstatebackup -quiet -backuptarget:c:
REM Move the result out of WindowsImageBackup so the next run starts clean
Xcopy /s /e /c /h /y c:\windowsimagebackup\*.* c:\systemstatebackups\mwf\*.*
Rmdir c:\windowsimagebackup /s /q

and TTh’s Backup Batch Script:
REM Clear out the previous TTh copy and recreate the folder
Rmdir c:\systemstatebackups\tth /s /q
Mkdir c:\systemstatebackups\tth
REM System state only, written to the same volume (requires AllowSSBToAnyVolume)
Wbadmin start systemstatebackup -quiet -backuptarget:c:
REM Move the result out of WindowsImageBackup so the next run starts clean
Xcopy /s /e /c /h /y c:\windowsimagebackup\*.* c:\systemstatebackups\tth\*.*
Rmdir c:\windowsimagebackup /s /q

Schedule these to run on their proper days and there you have it: the last two days’ worth of system state only backups, ready to be picked up by a 3rd party backup software, or to be used to restore system state in the event of Active Directory corruption or deletion. It’s maybe a little bit unnecessary, but I’d rather have them and not need them than need them and have to deal with Symantec Backup Exec support trying to restore a lost CEO user account at 3 in the morning.
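The same rotation in PowerShell, as an added example that is not part of the original post. One thing the batch version does not guard against: it deletes the old MWF (or TTh) copy before wbadmin runs, so a failed backup leaves that slot empty. Here the previous copy is replaced only after wbadmin exits with 0 and the backup folder actually exists. The slot name and the staging path C:\WindowsImageBackup (where wbadmin writes) match the article; everything else is this script's own.

```powershell
# Added example: system state only backup rotation that keeps the last good copy on failure.
# Run as Administrator from two scheduled tasks: -Slot mwf on Mon/Wed/Fri, -Slot tth on Tue/Thu.
param(
    [ValidateSet('mwf', 'tth')]
    [string]$Slot = 'mwf'
)

$staging = 'C:\WindowsImageBackup'            # wbadmin always writes here on the target volume
$dest    = "C:\systemstatebackups\$Slot"      # the rotation slot the batch scripts used
$pending = "$dest.new"                        # holding place until the new backup is verified

# Start from a clean staging area, but leave the previous good copy in $dest untouched
if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
if (Test-Path $pending) { Remove-Item $pending -Recurse -Force }
New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null

# Same command as the batch scripts; same-volume target needs the KB 944530 registry value
& wbadmin start systemstatebackup -backupTarget:C: -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; the previous $Slot backup was kept."
}
if (-not (Test-Path $staging)) {
    throw "wbadmin returned 0 but $staging was not created; the previous $Slot backup was kept."
}

# Two renames on the same volume instead of xcopy + delete: fast, and never without a copy
Move-Item $staging $pending
if (Test-Path $dest) { Remove-Item $dest -Recurse -Force }
Move-Item $pending $dest
"System state backup for $Slot written to $dest at $(Get-Date)."
```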
