Tips

In this article you will learn some techniques for accessing and managing your Mac OS X computer remotely from Windows.

Here is the situation: you are the systems administrator of a mixed Windows/Mac OS X network environment. Your administrative laptop runs Windows 7, and you realize that you need to establish a remote connection to one of your Mac OS X Server computers to tweak a setting. What do you do?

The good news is that Mac OS X (both the server and desktop varieties) includes built-in File Transfer Protocol (FTP), Secure Shell (SSH), and Virtual Network Computing (VNC) servers. Thus, we have immediate, “out of the box” remote connectivity to our Mac boxes.

(more…)

In this article you will learn some techniques for accessing and administering your Windows computer remotely from Mac OS X through Remote Desktop Connection (RDP) and SSH.

Here is the scenario: you are the systems administrator of a mixed Windows/Mac OS X network environment. Your administrative laptop runs Mac OS X 10.7 Lion, and you realize that you need to establish a remote connection to one of your Windows Server 2008 computers to tweak a setting. What do you do?

In this blog post I will share with you reliable methods for establishing both remote desktop and remote command-prompt sessions to a target Windows computer.

Windows back-end setup

In this tutorial we will use the vendor-neutral Secure Shell (SSH) protocol to establish command-line-based remote access from Mac to Windows. We will also leverage Microsoft’s own Remote Desktop Protocol (RDP) to obtain a Windows desktop session from the Mac.

(more…)

If you didn't start testing Windows 8 yet, then this guide is a must-read. This text is also a must-read if you already played with Windows 8 and started whining because everything is so different and strange.

As expected, there is lots of buzz about Windows 8. Not surprisingly, many are complaining about the huge changes in the user interface. Considering the large user base of Windows, there are always some people who don’t like the changes and some who do like them. The ones who don’t are usually louder.

Windows 8 Lock Screen

(more…)

The PowerShell script introduced in this post is for getting disk space details of multiple remote computers. It also retrieves the space details of mount points.

Disk space monitoring is an important system administration task because disk space shortage can impact system stability and application functionality.

I wrote a PowerShell script that allows you to query the disk space details of any drive connected to a remote Windows computer. Moreover, the script can get the disk space details of multiple computers in a single shot. You can also use it with other cmdlets, such as Get-QADComputer and Get-ADComputer, and pass the output of these commands to the script.

Using the parameters ValueFromPipelineByPropertyName and ValueFromPipeline, the script reads the inputs from the pipeline (output of the previous command). You can learn more details about these parameters by executing the command below in a PowerShell console.

(more…)

In this article I introduce a VBScript script that populates the description field of the Active Directory computer object with the account name of the last user who logged on to this machine.

As a systems administrator, you’ve probably noticed that computer objects in Active Directory have a description field that is shown in the default view of the Active Directory Users and Computers MMC console. It’s very rare to see an IT department that makes regular use of this field for something useful – never mind keeping it up to date!

I thought that it would be a good idea to automatically populate this field with the last user to log on to the computer object. With a slight tweak to our AD security and a little bit of scripting, it’s quite easily achieved. I also added even more information to the field so I could see the system service tag and model number.

(more…)

Is accessing Windows shares from Mac OS X slow? This post gives some tips to speed up file sharing for Mac users.

For pre-Lion users in a corporate network, accessing Active Directory Windows shares can be a painful proposition. OS X 10.7 Lion provides this support through native utilities, but until the release of Lion, Apple has provided Mac users with built-in support for accessing Windows file sharing through the open source FreeBSD SMB library. Here are some tips for speeding up SMB in previous versions of Mac OS X.

Turning “notify off” in nsmb.conf

First, we have to enable the root user account, which is disabled by default in Mac OS X.

1. Go to System Preferences > Accounts > Login Options

2. Click “Join” (don’t worry, we’re not joining anything!)

3. Click “Open Directory Utility”

4. Click the lock and enter your credentials to make changes

5. Go to Edit > Enable Root User. If prompted, choose a secure password; if not, go to Edit > Change Root Password and choose a secure password

(more…)

In my last post, I discussed a few preflight checks that I recommend for Windows deployments. This post explains the code of my VBScript script that helps you with this task for Windows XP deployments.

The script itself is a basic HTML Application (HTA) with lots of Windows Management Instrumentation (WMI) calls to check various hardware properties. The pseudo-code is:

Initialize the HTA
   Function Run Preflight Check
   Check the make (vendor)
   Check the model (is in a text list)
   Check RAM is above value x
   Check HDD is not RAW
   Check CPU architecture
End

(more…)

Before you deploy a new Windows image, you should always perform a few preflight checks. This article gives an overview of the topic. In the next article, I discuss a script that helps you with this task.

What are preflight checks?

When you start a Windows deployment, once you are happy with the image it’s time to deploy it. However, there are quite a few obstacles to overcome that can stop your deployment at the first hurdle. For instance, what if the target disk is encrypted? Deployments only work with NTFS owing to the use of WinPE, so deployment will fail unless you format the disk. There is a whole list of prerequisites to think about. The main areas to address before deploying an OS to a machine are listed in Table 1 – Requirements overview.

Check  Action/task            Expected result
1      Hardware verification  Hardware meets minimum specification
2      OS verification        OS is valid
3      Domain verify          Meets authorized domain

Table 1 – Requirements overview

(more…)

This guide about Administrative Audit Logging in Exchange 2010 explains how to enable this new feature, search the audit log, and write to the audit log.

The Administrative Audit Logging feature is one of the great additions to Exchange 2010. A short time ago, I wrote about eDiscovery which utilizes litigation hold. Administrative auditing is in that similar vein of thinking but, in my opinion, is geared more towards a change control mentality. This feature can be equally useful for small, single administrator environments as well as larger environments where several admins have their hands in the cookie jar.

Administrative Audit Logging takes advantage of the fact that all Exchange Management Console (EMC) activities are actually running Exchange Management Shell (EMS) cmdlets in the background for you. Admin audit logging simply keeps a log of any change you perform that creates, modifies, or removes anything in Exchange. Any cmdlet beginning with Get- or Search- is not logged by default.

(more…)

In the last installment of this tutorial I will give you some tips on how to deploy AppLocker.

Now that you’ve established your rules, tested them in Audit mode, and also tested them in Enforce mode, you’re ready to start deploying AppLocker to all of your computers. In your GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and find the Application Identity Service. Double-click it, click the checkbox next to Define this policy setting, and set the startup mode to Automatic. This will change the Application Identity Service so that it starts automatically and will start the service at the next policy refresh.

AppLocker – Enable Application Identity Service in GPMC

(more…)

At this point, you should have a list of AppLocker rules that you’re ready to test. Part 3 of this AppLocker guide shows you how.

Go back into your GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Right-click on AppLocker and choose Properties. Check the box next to Configured for each area of AppLocker that you’ll be testing and change the pull-down to Audit only. This will log all of the rule results to the Event Log without actually blocking any applications.

AppLocker – Properties Audit

(more…)

In part 2 of this tutorial I discuss a few best practices that you should take into account when you prepare the final set of your AppLocker rules.

By now, you should have a pretty long list of rules that have been generated by the GPMC. I would consider these rules as a starting point and not something you should use in production. If you’ve looked through the list, you’ll notice that there is a lot of redundancy. If you scanned the entire C:\ drive, you may also notice some things that you actually want to block with AppLocker. Here are some things I did to clean up my rules:

Use the default rules

If you’re going to use the default rules, you should be able to pare down some of the rules that were automatically generated. You don’t need 100+ rules for executables in the Windows or Program Files folder if you’re already allowing everything in those folders to execute.

Use publisher digital signatures

Most of the reputable software companies like Microsoft, Adobe, Citrix, Cisco, VMware, etc. do a relatively good job at digitally signing their executables. Several of these companies tend to have their installers end up in temporary folders inside of AppData that will be blocked if you don’t include a Publisher rule. Instead of allowing Adobe Reader, Acrobat, Illustrator, Photoshop, InDesign, etc. individually, you can use a publisher rule that allows anything digitally signed by Adobe.

(more…)

In this guide I will share the lessons I have learned during an AppLocker implementation. The tutorial covers the following topics: planning, best practices, testing and deployment.

Like any good systems administrator, I always try to do my research before implementing a new technology. While researching AppLocker, I came across quite a bit of documentation from Microsoft, questions various people posted to message boards, but nothing that really gave me an idea of what I could actually expect during my implementation. Here are the things I’ve learned after a couple of AppLocker deployments that I hope will help you.

AppLocker – Group Policy Management Editor

(more…)

In troubleshooting Group Policy issues over the years, I tend to see the same problems over and over. In the last part of this series I will share some of those experiences.

DNS

Your DCs should be pointing to each other for DNS and your clients should be pointing to the DCs. If your clients are using other DNS servers, you’re going to have problems at some point. If you are, for some reason, required to use third-party DNS for external lookups, put those DNS servers in as Root Hints servers instead of pointing clients or DCs at them.

Just Say NO to top level policies

The Default Domain Policy should be your only top level GPO unless you have a really good reason to add more. In addition, the Default Domain Policy should be edited very sparingly. Why? Anything you link at the top level applies to EVERYTHING in your Domain. Do you really want all of your servers and Admin accounts locked down with the same policies you give to everyday workstations and standard user accounts? Decide on an organizational structure for your OUs where you can link your GPOs instead of linking them at the top level.

(more…)

Of course, Group Policy relies on Active Directory. Part 5 in this Group Policy troubleshooting series covers typical Active Directory problems that prevent Group Policy from working properly.

DNS

If you’ve gotten to the point where it looks like Active Directory (AD) is the problem, you’re most likely looking at some kind of replication issue. By far, the most common cause of AD replication problems (short of failed DCs) is DNS. Are you using AD integrated DNS? Are your DCs pointing to each other for DNS? Are the firewalls between each DC open on the correct ports?

Event Log

So the obvious place to look first is the Event Log. If you’re having replication problems, you’ll have errors in the Event Log, most likely a lot of them. Take a look here first for anything actionable.

GPOTool

GPOTool.exe is a handy utility that Microsoft puts into the Microsoft Product Support Reports suite of utilities. It is buried a bit, but after extracting the executable before installing the tools, GPOTool.exe can be found in your computer’s temp folder.

Running GPOTool.exe from one of your DCs without any switches will run through all of your GPOs and verify that your Group Policy Templates and Containers are synced and consistent across all of the DCs. You can also use the /gpo option if you just want to check one specific GPO.

(more…)
