Tuesday, November 10, 2009

Server 2008 "Preparing your Desktop" stalls

Recently I built a new Server 2008 SP2 Domain Controller. When logging into it, the "Preparing your desktop" step would stall for a long period of time. The machine itself wouldn't freeze; functionality continued normally and you could even use the task bar, just not the desktop.

Fix:
Open a command prompt and type: Net localgroup Users Interactive /add

Log off and back on, and there should be no more stalling.

Monday, November 9, 2009

Manage Temporary Internet Files with Group Policy

Temporary Internet Files should be proactively managed to help reduce security risks. It can also help with other issues, such as the Outlook attachment opening issue: "Can't create file: filename. Right-click the folder you want to create the file in, and then click Properties on the shortcut menu to check your permissions for the folder." http://support.microsoft.com/kb/305982

  • Get the Group Policy Client Side Extensions for all of your machines. http://support.microsoft.com/kb/943729
  • Depending on your machine SP level you may also need to install XMLLite. Check out this site for a list of requirements depending on the SP level: http://blogs.technet.com/grouppolicy/archive/2009/03/27/group-policy-preferences-not-applying-on-some-clients-client-side-extension-xmllite.aspx
  • Both can be pushed using your favorite method (third party, group policy, manually, etc.)
  • At this point you can begin to push the new Group Policy objects
  • Open Group Policy Management (note that you cannot manage these new GPOs from Windows XP; they can only be managed from Vista, 7, or 2008)
  • This can be done several ways depending on your preferences. I did it by computer role / operating system.
  • In Active Directory I have all Terminal Servers in one OU, Workstations in another OU, Laptops in another, etc. As such it made sense to link the GPO by the computer's role and operating system.
  • It is important (to some extent) that the operating system be specified with this. For instance, XP and Vista do not have the same paths to the Temporary Internet Files:
    • Windows 2000, XP, 2003 = C:\Documents and Settings\%LogonUser%\Local Settings\Temporary Internet Files
    • Windows Vista, 7, 2008 = C:\Users\%LogonUser%\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • User Configuration - Preferences - Windows Settings - Folders
  • New Folder - Replace - the proper path to the TIF location (depending on which OS you are targeting)
    • Check the following:
    • "Recursively delete all subfolders"
    • "Delete all files in the folder"
    • "Allow deletion of read-only files/folders"
    • "Ignore errors for files/folders that cannot be deleted"
  • Common Tab - Item-level targeting
  • Targeting Button - New Item - Operating System
  • Set the operating system (notice that you can add multiples and right-click an item to change the AND to OR, for instance if you want it to read Windows Server 2003 OR Windows Server 2003 R2)

Ensure that you have the GPO linked to the proper Active Directory OU, and that if you link it to an OU with computers in it rather than users, you enable loopback policy - merge.
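To confirm on a client that the Folder preference item actually emptied the cache at logon, the following added example (not part of the original post) reports what remains in the current user's Temporary Internet Files folder. It assumes profiles are in the default location, so that %USERPROFILE% corresponds to the two paths listed above; the function names are made up for this illustration.

```powershell
# Added example (not from the original post). Run as the logged-on user.
function Get-TifPath {
    # OS major version 6 = Vista, 7, 2008; major version 5 = 2000, XP, 2003.
    # Assumption: default profile location, so %USERPROFILE% matches the
    # C:\Users\... and C:\Documents and Settings\... paths in the post.
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        $relative = 'AppData\Local\Microsoft\Windows\Temporary Internet Files'
    } else {
        $relative = 'Local Settings\Temporary Internet Files'
    }
    Join-Path -Path $env:USERPROFILE -ChildPath $relative
}

function Get-TifUsage {
    param([string]$Path = (Get-TifPath))

    $report = New-Object PSObject -Property @{
        Path = $Path; Exists = $false; FileCount = 0; TotalMB = 0; OldestFile = $null
    }
    if (-not (Test-Path -LiteralPath $Path)) { return $report }
    $report.Exists = $true

    # -Force is required because the folder and its contents are hidden/system.
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    if ($files.Count -gt 0) {
        $sum = ($files | Measure-Object -Property Length -Sum).Sum
        $report.FileCount  = $files.Count
        $report.TotalMB    = [math]::Round($sum / 1MB, 2)
        # An oldest file dated before the last logon means the cleanup did not run.
        $report.OldestFile = ($files | Sort-Object LastWriteTime |
            Select-Object -First 1).LastWriteTime
    }
    $report
}

Get-TifUsage | Format-List Path, Exists, FileCount, TotalMB, OldestFile
```

A handful of files that were locked at logon can legitimately remain, which is what the "Ignore errors for files/folders that cannot be deleted" option allows for.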

Friday, November 6, 2009

Migrate Print Server with Server 2008

Below is a guide on how I moved my Windows Server 2003 print server to Windows Server 2008 SP2 with little to no end user interaction.

With Windows Server 2008 there are a lot of new Group Policy options that are really cool! These help tremendously in managing an enterprise, and they are what you'll use to change printers (and even set defaults).


  • Build your new Windows Print Server (in my case Server 2008)
  • Extract printers from old print server (in my case Server 2003)
    • From Print Management console
    • Right click old print server and select Export Printers to a File. Note: in my case I had some corruption issues with 2 ports that caused this to fail. To get around this I used the printmig tool to export and import my printers initially. Upon import with printmig it told me which ports were at fault, so I removed them from the new server along with all associated drivers/printers and recreated them.
    • Right click new print server and import printers from a file (file you just created)
  • At this point you should have 2 print servers
  • Get the Group Policy Client Side Extensions for all of your machines. http://support.microsoft.com/kb/943729
  • Depending on your machine SP level you may also need to install XMLLite. Check out this site for a list of requirements depending on the SP level: http://blogs.technet.com/grouppolicy/archive/2009/03/27/group-policy-preferences-not-applying-on-some-clients-client-side-extension-xmllite.aspx
  • Both can be pushed using your favorite method (third party, group policy, manually, etc.)
  • At this point you can begin to push the new Group Policy objects
  • Open Group Policy Management (note that you cannot manage these new GPOs from Windows XP; they can only be managed from Vista, 7, or 2008)
  • Come up with a map of which Active Directory OUs will need different printer configurations. There are a lot of cool ways to do this by specifying specific OSes, Users, Computers, etc.
  • Create a new (or edit an existing) GPO with a link to the desired OU
  • Under preferences, Control Panel Settings you'll find Printers
  • NOTE: there is a column for Order; the items are applied in that order
  • Right click, new, Shared Printer (for Shared networked printers)
  • At this point you'll have options for Create, Replace, Update, Delete
  • Set the first one for action Delete, check box "Delete all shared printer connections"
  • Common tab, check "apply once and do not reapply" and "Item-level targeting"
  • Click Targeting
  • Enter the criteria you want to target (i.e. Computer, User, Security Group, Operating System). I targeted Operating System with the overall GPO linked to an OU of the department that the users work in. This way it hits the user object for any computer of that operating system they log into. For instance, all accounting users are in one OU, so they all get this specific setting when they log into a Windows XP workstation (thus it doesn't affect their Terminal Server printers unless I set it to).
  • Right click, new, shared printer again
  • This time select create and path to the printer (\\servername\printersharename)
  • Set as default if desired
  • Common tab, "Apply once and do not reapply"
  • Item-level targeting again as you desire
  • Continue for each printer

NOTE: if you link the GPO to an OU that has computer accounts rather than user accounts, then you will also have to enable loopback policy - merge (under Computer Configuration - Policies - Administrative Templates - System - Group Policy - User Group Policy loopback processing mode).

At this point, as long as the computers have the Client Side Extension and the GPOs are linked properly, they will get the old printers removed and the new ones added / default set.

Once all users have a policy set up for them and all CSEs are deployed to workstations, you can zap the old print server (note that you can log Spooler information events to see if anyone is still printing to the old server).
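Before retiring the old server, it also helps to check from the client side which server each user's shared printer connections point at and which one is the default. This is an added example, not part of the original post; OLDPRINT01 and NEWPRINT01 are placeholder server names and the function name is made up for this illustration.

```powershell
# Added example (not from the original post). Run in the user's own session
# (e.g. from a logon script), because shared printer connections are per-user.
# Uses Get-WmiObject, so it needs Windows PowerShell rather than PowerShell 7.
function Get-PrinterConnectionStatus {
    param(
        [Parameter(Mandatory = $true)][string]$OldServer,
        [Parameter(Mandatory = $true)][string]$NewServer
    )
    # Compare on the short host name so \\server and \\server.domain.tld match.
    $old = $OldServer.TrimStart('\').Split('.')[0]
    $new = $NewServer.TrimStart('\').Split('.')[0]

    Get-WmiObject -Class Win32_Printer -Filter 'Network = TRUE' | ForEach-Object {
        $server = ([string]$_.ServerName).TrimStart('\').Split('.')[0]
        if     ($server -eq $old) { $pointsTo = 'Old' }
        elseif ($server -eq $new) { $pointsTo = 'New' }
        else                      { $pointsTo = 'Other' }
        New-Object PSObject -Property @{
            Printer = $_.Name; IsDefault = $_.Default; PointsTo = $pointsTo
        }
    }
}

# Placeholder server names: replace with your own.
$status = @(Get-PrinterConnectionStatus -OldServer 'OLDPRINT01' -NewServer 'NEWPRINT01')
$status | Sort-Object PointsTo, Printer |
    Format-Table Printer, IsDefault, PointsTo -AutoSize

# Any 'Old' row means the Delete/Create preference items have not applied
# for this user yet, so the old server is still in use.
$stale = @($status | Where-Object { $_.PointsTo -eq 'Old' })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) connection(s) still point at the old print server."
}
```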

Scenario:

  • User group of 10 needs 2 printers Printer1 and Printer2
  • 9 users need printer1 to be the default. 1 user needs Printer2 as default
  • All 10 users are in the same Active Directory OU
  • You don't want to split them into new OUs
  1. Create Delete All printers policy (apply once only option)
  2. Create Printer2 policy (apply once only option)
  3. Create Printer1 policy and select the set as default (apply once only option)
  4. Update Printer2 policy and select the set as default (apply once only option). Important: Item-level targeting - New Item - User - Enter the user. Should read "the user is domain\username (SID match)". This could also be done by computer or however you desire.