How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?

4:13 AM | Posted by Srinivas


I have seen this question several times at different message boards, so I've decided to write an article about it.
USB removable disks (also known as flash drives or "Disk on Key" and other variations) are quickly becoming an integral part of our electronic life, and now nearly everybody owns one device or another, in forms of small disks, external hard drives that come enclosed in cases, card readers, cameras, mobile phones, portable media players and more.

Free Tool to Simplify IP Address Management
Toss your spreadsheets into the recycling bin! SolarWinds Free Tool, IP Address Tracker, lets you track an unlimited number of IP addresses for a unified, at-a-glance view of our entire IP address space.
  • See which IP addresses are in use, and which aren't
  • Eliminate manual errors, while ensuring that IP addresses are listed in the right place
  • Determine the last time an IP address was used
  • Pre-populate key statistics like DNS and response time
Download FREE IP Address Tracker from SolarWinds Now!
Portable USB flash drives are indeed very handy, but they can also be used to upload malicious code to your computer (either deliberately or by accident), or to copy confidential information from your computer and take it away.
As a variation to Disable USB Disks, you can prevent users from using any portable USB removable disk or flash drive by using a custom .ADM file that can be imported into the Local Group Policy (thus effecting only the local computer) or by using Active Directory-based Group Policy Objects (also known as GPOs).
Follow the steps outlined in the Adding New Administrative Templates to a GPO article on general instructions on how to add or remove an .ADM file from the Administrative Templates section in GPO.
Note: This tip will allow you to block usage of USB removable disks, but will continue to allow usage of USB mice, keyboards or any other USB-based device that is NOT a portable disk.
Windows Azure Infrastructure Services. Scalable on-demand infrastructure.
It's worth mentioning that in Windows Vista Microsoft has implemented a much more sophisticated method of controlling USB disks via GPO. If you have Windows Vista client computers in your organization you can use GPO settings edited from one of the Vista machines to control if users will be able to install and use USB disks, plus the ability to control exactly what device can or cannot be used on their machines.
Needless to say, as with any GPO setting, this option will only work on Windows 2000 operating systems or higher.
In KB 555324 written by fellow MVP Simon Geary he has provided a nice sample .ADM file that can do just that, and also added other removable storage media to it. You can effectively block usage of any drives containing removable media, such as USB ports, CD-ROM drives, Floppy Disk drives and high capacity LS-120 floppy drives.
However, the original .ADM was pretty simple, so I added a must-have explanation and changed some of the wording in it. By using the file provided below you will also be able to understand the exact settings and scenarios in which the blocking will or will not be successful.
After downloading the .ADM file, read Adding New Administrative Templates to a GPO.
You might also be interested in reading Disable Writing to USB Disks with GPO.
Note: In order to successfully view and configure the new .ADM file settings you will need to change the default filtering view for the GPO Editor (or GPedit.msc). Unless you change these settings, the right pane will appear empty, even though it has the settings in it.
Follow these steps:
  1. In GPEdit.msc (or any other GPO Editor window you're using) click on View > Filtering.
  1. Click to un-select the "Only show policy settings that can be fully managed" check-box. Click Ok.
  1. Now you will be able to see the new settings in the right pane:
  1. You can now configure any of the above settings:
An additional step that needs to be performed before the above tip will work has to do with modifying the file access permissions for 2 files. You need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files.
You can do so by right clicking these files > Properties, then going to the Security tab. There you need to remove the line for the SYSTEM account.
Note: Under some circumstances, the SYSTEM should have write access to these files during Service Pack installation. For example, when the SP is installed via GPO or SMS, the installation runs under the SYSTEM Account.
Service Pack needs to replace the files to a new version and without proper write access to the file, installation will fail... Therefore, before each SP deployment we need to allow access to the SYSTEM account for these files.

Read Users' Comments (0)

Defragmenting an Active Directory Database

4:12 AM | Posted by Srinivas


Performing an Offline Defragmentation

Before you attempt an offline defragmentation, I strongly recommend making a full, system state backup of the domain controller. I have never had an offline defragmentation go belly up on me, but since there is at least a potential for database corruption to occur, I recommend starting with a backup.
Once you have created a backup of your domain controller, the next thing that you should do is to make note of the existing Active Directory database’s size. By default, the Active Directory database is located at C:\Windows\NTDS, although the DCPROMO process does allow you to choose a different location. The name of the actual database file is NTDS.DIT.  A freshly installed Active Directory database on a Windows Server 2008 domain controller is about 12 MB in size, but the database can grow to be several GB in size, depending on the amount of data that is stored in the Active Directory.
Once you have noted the database’s size, you will have to create a directory that you can use as a temporary repository for a copy of the Active Directory database. When you perform an offline defragmentation, Windows does not alter the original Active Directory database. Instead it creates a defragmented copy database. I recommend creating a folder named TEMPbeneath the \Windows\NTDS folder.
The next step in the process is to stop the Active Directory Domain Service. Unlike previous versions of Windows, Windows Server 2008 offers the ability to start and stop the Active Directory just as you would any other service. Depending on how your server is configured, there may be dependency services that Windows will also have to shut down.
When the Active Directory Domain Service finishes shutting down, open a Command Prompt window, and enter the NTDSUTIL command. The command prompt will now display an NTDSUTIL prompt. Now enter the following command:
Activate Instance NTDS
At this point, NTDSUTIL will display a message stating that activate instance has been set to “NTDS”.  Now enter the Files command. This will cause NTDSUTIL to switch to the File Maintenance prompt. You should now enter the Info command. This will cause NTDSUTIL to display information about the size and location of the Active Directory database, as shown in Figure A.
Figure A You should double check the database size against the size that you recorded earlier.
You should make sure that the information that is displayed coincides with the size that you recorded earlier. Otherwise, some corruption may exist. Assuming that everything looks good, you can launch the defragmentation process by entering the following command:
Compact to c:\Windows\NTDS\temp
The command shown above assumes that you have created a folder named Temp beneath the c:\windows\ntds folder.
The amount of time that the defragmentation process will take varies depending on the speed of your server, and on the size of the Active Directory database. You can see what a successful defragmentation looks like in Figure B.
Figure B This is what a successful defragmentation looks like.
When the process completes, enter the Q command at the NTDSUTIL prompt to close NTDSUTIL. Next, verify that Windows has created a copy of the Active Directory database in the C:\Windows\NTDS\Temp folder. This copy is the defragmented version of the database. To use it, you must either delete or rename the original database (the one in C:\Windows\NTDS), and then copy the defragmented database from C:\Windows\NTDS\Temp to C:\Windows\NTDS. You must also either rename or delete the log files located in the C:\Windows\NTDS folder.
You can now restart the Active Directory. The easiest way to do this is to simply start the Active Directory Domain Service that you shut down earlier. If a bunch of dependency services were also shut down too though, it may be easier to just reboot the server.

Conclusion

In this article, I have shown you how to perform an offline defragmentation of the Active Directory database. It is important to remember though, that you should always perform a full, system state backup prior to attempting this procedure.
Got a question? Post it on our Active Directory Forums!

Read Users' Comments (0)

Grant DNSAdmins the Right to View DNS Event Log Entries Remotely on Windows Server 2008 R2

4:11 AM | Posted by Srinivas


This is an issue we’ve struggled with in the past day or so. An organization running Windows Server 2008 R2 is delegating control of their DNS servers to specific people, and in order to do so, they added these users to the DNSAdmins built-in group in Active Directory. However, since these users are not members of any administrative groups, while they can view the DNS Event Logs and manage them locally, on the DNS server(s), they cannot do so remotely from another Windows Server 2008 R2 or Windows 7 management workstation.

The Problem: Access Denied when Viewing Event Logs Remotely

To demonstrate this in our lab environment, we created a user called DNSManager, and added him to the DNSAdmins group. Once the user logs on to their management workstation and opens Event Viewer, they connect to a remote computer.
Connecting to a Remote Computer
Figure 1: Connecting to a Remote Computer
In the “Another Computer” area, they type the name of the remote machine. In this case, it’s a remote Domain Controller that is called DC1, which also hosts the DNS service.
Select Computer to View Event Logs on
Figure 2: Select Computer to View Event Logs on
Once connected, they attempt to open one of the Event Logs, but get an “Access is Denied (5)” message:
Access Denied Error Message when Viewing Event Logs Remotely
Figure 3: Access Denied Error Message when Viewing Event Logs Remotely

The Solution: Granting DNSAdmins to the Event Log Readers Group

This can be easily fixed by adding these users (or group of users) to the “Event Log Readers” built-in group on the servers that you need to have remote access to.
Adding DNSAdmins to the Event Log Readers Group
Figure 4: Adding DNSAdmins to the Event Log Readers Group
Now, if the DNSManager user logs off and logs back on to the remote management machine, he can view the relevant event logs.
Access Granted to DNSAdmins
Figure 5: Access Granted to DNSAdmins

The Problem: Access Denied to DNS Event Logs

However, while this trick works for most Event Logs, it does NOT work for the DNS Event Log, as can be seen from this screenshot below.
Access Denied Error
Figure 6: Access Denied error when Viewing DNS Event Logs
This problem persists even if the user opens up the DNS management console, while they CAN manage the DNS properties, zones and records, as shown below.
DNS Management Console works find
Figure 7: DNS Management Console works find
Yet when they attempt to view the remote DNS Event Log, they still get the “Access is denied” error.
Unable to Access DNS Event Logs
Figure 8: Unable to Access DNS Event Logs

The Solution: Granting Remote Access to DNS Event Logs

The fix lies in a somewhat complex Microsoft knowledgebase: How to set event log security locally or by using Group Policy in Windows Server 2003
But the trick is that in Windows Server 2008 R2, the procedure is a lot simpler. Here are the steps:
  1. Open Command Prompt with elevated permissions (Run as Administrator), and run the following command:
    wevtutil gl "DNS Server" > C:\Temp\DNS_Server.txt
    Note: Change the path to fit your needs.
    By the way, if you need to perform the same trick on other custom or application logs, you can find out the name of the log by running the following command and examining the resulting text file for the exact name syntax:
    wevtutil el > C:\Temp\All_Logs.txt
  2. Next open the text file from the above path, and look for the channelAccess: entry.
    ChannelAccess entry
    Figure 9: ChannelAccess entry
  3. Now we need to find the SID of the DNSAdmins group. To do so, if the logged on user is a member of that group, you can find the SID by typing the following command (assuming this is Windows Server 2008 R2 or Windows 7):
    whoami /groups | find /i "dnsadmins"
    The result should look something like this:
    PETRI-LAB\DnsAdmins                    Alias            S-1-5-21-3903327414-3371247034-3746192915-1102 Mandatory group, Enabled by default, Enabled group
    Naturally, the domain name and SID will differ, but you get the point…
    You can also use other tools such as PSGetsid from Sysinternals.
    Copy the SID, we’ll need it in a moment.
  4. Going back to the text file, append the following text string to that long line:
    (A;;0x1;;;XXX)
    Where XXX is the SID you’ve copied from above.
    In this case, I will append the following line:
    (A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
    Adding Your SID
    Figure 10: Adding Your SID
  5. Next, copy the entire text from the O:BAG… part till the end of the line (including your recent addition):
    O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
  6. And finally, run the following command in the Command Prompt, pasting the above string just after the /ca: parameter:
    wevtutil sl "DNS Server" /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
    Run The Command
    Figure 11: Run the command
    You can now close the text file, we don’t need it anymore. No need to save it.
    Going back to the management workstation, open Event Viewer or open DNS management console as the DNSManager user, and behold, you can now view the DNS Event Logs:
    Problem solved, the DNS Event Logs show up
    Figure 12: Problem solved, the DNS Event Logs show up
    Problem Solved
    Figure 13: Problem solved, the DNS Event Logs show up

    7. Summary

    In our next blog post, we will show you how to add these settings to Group Policy in order to configure them for multiple servers.

Read Users' Comments (0)

Windows 7 commands every administrator should know

5:43 AM | Posted by Srinivas

PC troubleshooting is becoming less common in larger organizations, but consultants and techs in smaller shops still have to get their hands dirty identifying and fixing desktop problems. Often times, troubleshooting Windows 7 means delving into the command line. Here are 10 fundamental Windows 7 commands you might find helpful.

Before I begin…

This article is intended solely as an introduction to some useful troubleshooting commands. Many of them offer numerous optional switches, which I won’t cover here due to space limitations. You can find out more about each command by checking out TechNet’s command-line reference.

1: System File Checker

Malicious software will often attempt to replace core system files with modified versions in an effort to take control of the system. The System File Checker can be used to verify the integrity of the Windows system files. If any of the files are found to be missing or corrupt, they will be replaced. You can run the System File Checker by using this command:

sfc /scannow

2: File Signature Verification

One way to verify the integrity of a system is to make sure that all the system files are digitally signed. You can accomplish this with the File Signature Verification tool. This tool is launched from the command line but uses a GUI interface. It will tell you which system files are signed and which aren’t. As a rule, all the system files should be digitally signed, although some hardware vendors don’t sign driver files. The command used to launch the File Signature Verification tool is:

sigverif

3: Driverquery

Incorrect device drivers can lead to any number of system problems. If you want to see which drivers are installed on a Windows 7 system, you can do so by running the driverquery tool. This simple command-line tool provides information about each driver that is being used. The command is:

driverquery

If you need a bit more information, you can append the -v switch. Another option is to append the -si switch, which causes the tool to display signature information for the drivers. Here’s how they look:

driverquery -v
driverquery -si

4: Nslookup

The nslookup tool can help you to verify that DNS name resolution is working correctly. When you run nslookup against a host name, the tool will show you how the name was resolved, as well as which DNS server was used during the lookup. This tool can be extremely helpful when troubleshooting problems related to legacy DNS records that still exist but that are no longer correct.

To use this tool, just enter the nslookup command, followed by the name of the host you want to resolve. For example:

nslookup dc1.contoso.com

5: Ping

Ping is probably the simplest of all diagnostic commands. It’s used to verify basic TCP/IP connectivity to a network host. To use it, simply enter the command, followed by the name or IP address of the host you want to test. For example:

ping 192.168.1.1

Keep in mind that this command will work only if Internet Control Message Protocol (ICMP) traffic is allowed to pass between the two machines. If at any point a firewall is blocking ICMP traffic, the ping will fail.

6: Pathping

Ping does a good job of telling you whether two machines can communicate with one another over TCP/IP, but if a ping does fail, you won’t receive any information regarding the nature of the failure. This is where the pathping utility comes in.

Pathping is designed for environments in which one or more routers exist between hosts. It sends a series of packets to each router that’s in the path to the destination host in an effort to determine whether the router is performing slowly or dropping packets. At its simplest, the syntax for pathping is identical to that of the ping command (although there are some optional switches you can use). The command looks like this:

pathping 192.168.1.1

7: Ipconfig

The ipconfig command is used to view or modify a computer’s IP addresses. For example, if you wanted to view a Windows 7 system’s full IP configuration, you could use the following command:

ipconfig /all

Assuming that the system has acquired its IP address from a DHCP server, you can use the ipconfig command to release and then renew the IP address. Doing so involves using the following commands:

ipconfig /release
ipconfig /renew

Another handy thing you can do with ipconfig is flush the DNS resolver cache. This can be helpful when a system is resolving DNS addresses incorrectly. You can flush the DNS cache by using this command:

ipconfig /flushdns

8: Repair-bde

If a drive that is encrypted with BitLocker has problems, you can sometimes recover the data using a utility called repair-bde. To use this command, you will need a destination drive to which the recovered data can be written, as well as your BitLocker recovery key or recovery password. The basic syntax for this command is:

repair-bde   -rk | rp

You must specify the source drive, the destination drive, and either the rk (recovery key) or the rp (recovery password) switch, along with the path to the recovery key or the recovery password. Here are two examples of how to use this utility:

repair-bde c: d: -rk e:\recovery.bek
repair-bde c: d: -rp 111111-111111-111111-111111-111111-111111

9: Tasklist

The tasklist command is designed to provide information about the tasks that are running on a Windows 7 system. At its most basic, you can enter the following command:

tasklist

The tasklist command has numerous optional switches, but there are a couple I want to mention. One is the -m switch, which causes tasklist to display all the DLL modules associated with a task. The other is the -svc switch, which lists the services that support each task. Here’s how they look:

tasklist -m
tasklist -svc

10: Taskkill

The taskkill command terminates a task, either by name (which is referred to as the image name) or by process ID. The syntax for this command is simple. You must follow the taskkill command with -pid (process ID) or -im (image name) and the name or process ID of the task that you want to terminate. Here are two examples of how this command works:

taskkill -pid 4104
taskkill -im iexplore.exe

Read Users' Comments (0)

how to config email in outlook

4:17 PM | Posted by Srinivas


This tutorial shows you how to set up Microsoft Outlook 2003® to work with your e-mail account. This tutorial focuses on setting up Microsoft Outlook 2003, but these settings are similar in other versions of Microsoft Outlook. You can set up previous versions of Microsoft Outlook by using the settings in this tutorial.

To Set Up Your E-mail Account in Microsoft Outlook

  1. In Microsoft Outlook, from the E-mail Accounts menu, select Tools.
  2. On the E-mail Accounts wizard window, select Add a new e-mail account, and then click Next.
  3. For your server type, select POP3 or IMAP, and then click Next.
  4. On the Internet E-mail Settings (POP3/IMAP) window, enter your information as follows:
    5. Your Name
    Your first and last name.
    E-mail Address
    Your email address.
    User Name
    Your email address, again.
    Password
    Your email account password.
    Incoming mail server (POP3)
    POP, Pop.secureserver.net or IMAP, imap.secureserver.net.
    Outgoing mail server (SMTP)
    Smtpout.secureserver.net
    Click More Settings.
    NOTE: "smtpout.secureserver.net" is an SMTP relay server. In order to use this server to send e-mails, you must first activate SMTP relay on your e-mail account. Log on to your Manage Email Accounts page to set up SMTP relay. If you do not have SMTP relay set up and your Internet Service Provider (ISP) allows it, you can use the outgoing mail server for your Internet Service Provider. Contact your Internet Service Provider to get this setting.
  5. On the Internet E-mail Settings window, go to the Outgoing Server tab.
  6. Select My outgoing server (SMTP) requires authentication.
  7. If you did not change the SMTP relay section, select Use same settings as my incoming mail server. If you changed the user name and password in the SMTP relay section of your Manage Email Accounts page, select Log on using and enter the user name and password. The following example assumes you did not change your SMTP relay section in your Manage Email Accounts page.
  8. Go to the Advanced tab, and then change the Outgoing server (SMTP) port to 80 or 3535.
  9. Click OK.
  10. Click Next.
  11. Click Finish.

Read Users' Comments (0)

How to uninstall ie in windows

3:43 PM | Posted by Srinivas



Uninstall, Disable, or Delete Internet Explorer 8 from Windows 7



A lot of Windows users out there dislike Internet Explorer enough that just using a different browser is not enough, they want it gone.  Although there is not a way to completely uninstall it, let’s take a look at how to disable IE 8 in Windows 7 so you won’t have to deal with it anymore.
Click on the Start Menu and go to Control Panel and change the View by category to Large or Small icons then from the Control Panel list go into Programs and Features.
CP View 
In the Programs and Features window click on the “Turn Windows features on or off” link on the left hand side.
The Windows Features screen opens up and here you want to uncheck the box next to Internet Explorer 8.
You will get a confirmation box when you uncheck it saying it may affect other Windows features.  It will if you don’t have another browser installed but otherwise everything that usually opens in IE will open in your default browser.
After verifying you want to turn it off click OK.
You will get a progress notification while Windows turns off IE 8.
When everything is turned off you will need to restart your system.
 
After coming back from the restart you will notice Internet Explorer 8 is no longer there.  Anything you had linked to IE will be associated with another browser if you have one installed. It will also no longer appear in the Set Default Programs section.
 
If you go to the Open With list in Explorer you will see a generic Internet Browser icon that will open up whatever is your default browser.
 
This doesn’t completely remove all traces of Internet Explorer 8 as other programs and processes rely on its rendering engine.  This will definitely get it off your way when doing your daily computing tasks.

Read Users' Comments (0)

Subscribe to: Posts (Atom)