This article talks about Windows XP and all the new features it brings along with it. Microsoft has really introduced a powerful new operating system which brings lots of flexibility and ease of use to the user. At the same time it is an extremely reliable and sturdy operating system for both the average and the heavy user. In this article we start by talking about the requirements XP needs for optimum operation and how we can meet those requirements. We also talk about the bits and pieces of installing, upgrading and migrating user settings. We also highlight the powerful new features in Windows XP installation like unattended installations and remote installations. Microsoft also aims to target the home market with this new operating system and has included several new features such as user account management and group management at a much easier GUI level. Yet it remains the same reliable operating system, if not an even better one, for setting security, group security and domain security policies. Microsoft also includes several new features in terms of auditing and generating a lot of reports in logs for the administrative user. We also talk about the Windows Installer included in this new operating system, which helps remove code clutter and in turn provides us with a more stable operating system than earlier releases. We also see a significant improvement in the user interface and options, with greater ease of use for the everyday user and options like multilingual support which target the corporate environment. Windows XP also takes hardware support and installation to a new level with its new plug-and-play features and extremely good compatibility with mobile hardware. We then discuss the revolutionary new NTFS file system on which Windows XP runs and all its advantages over the old FAT and FAT32 file systems. Windows XP also gives us a good networking setup and troubleshooting environment with new features like offline folder sharing and resource management. Remote connectivity has become a much more achievable target with the launch of Windows XP, giving the telecommuter the flexibility to work from home. We finally talk about how this new operating system stands up to its older legacy brothers in terms of performance, optimization, recovery, backup and other services. All in all, Microsoft has definitely released a powerful beast of an operating system onto the consumers and it is up to us to realize and utilize Windows XP to its full potential.

Meeting Minimum XP Requirements:
Microsoft Win XP minimum requirements can be classified into various categories. The most important requirement is the minimum processor power needed, which is set to 233 MHz by Microsoft. I personally do not agree with such low standards since the cost of processors is dropping fast and the processor is the biggest driver of a machine's performance. A minimum of 300 MHz is what I would recommend at the lowest level. The control terminal investigated in this report is up to the benchmark or just above the average requirements for the user. The processor is a 2.5 GHz Pentium 4 and is performing at an optimal rate. Win XP Pro does support multiple processors, but that is not necessary in this scenario. The next requirement brought to my attention is the amount of RAM. The minimum Microsoft recommends for Win XP Pro to operate is 64MB, which is clearly too low according to current standards. However, Microsoft does state a serious lack of Win XP Pro function availability while using 64MB of RAM; an example of this would be Fast User Switching being disabled in this mode. I personally recommend a minimum of 256MB for any machine with average performance requirements running Win XP Pro. The control machine undertaken in this report has excellent RAM support with 1GB of available RAM. The RAM level in this machine takes load off the processor as well and at the same time provides excellent performance for heavy multi-usage of the various software in the market. The hard drive requirements from Microsoft have been ever increasing with new releases of operating systems, and Win XP Pro requires a minimum of 1.5GB of hard drive space. This higher increase can be accounted for by bigger operating systems with more included in them; for example, Win XP Pro includes several features like media support for writing to CD media and also a built-in firewall. The control machine does a pretty good job of satisfying these hard drive requirements with a 120GB primary (Master) hard drive and another 120GB secondary (Slave) hard drive. However, there are some flaws in this implementation which are highlighted in the backup section of the report. One clear advantage of having two hard drives is that the paging file can be placed on a separate hard drive for better and faster performance. The control machine also exceeds the display requirements of Win XP. Microsoft has stepped up the bar with this release and has made 800 x 600 the minimum display requirement for this operating system, and a lot of video drivers will not let you shift below this resolution. The control machine has capabilities above this, with display potential up to 1600 x 1200. Win XP Pro also recommends setup floppies or a bootable CD for repair and reinstall, which is also met by the control machine. However, I personally recommend bootable CDs over setup floppies, which are more prone to failure over a long period of time. A better way would also be image backups and image installs, which are discussed later in this report. The BIOS is ACPI (Advanced Configuration and Power Interface) capable, which enables power management features and shutdown through the HAL (Hardware Abstraction Layer) installation. Win XP Pro has a lot of graphical user features which can only be utilized through a good graphics card. The control unit in this audit has a good graphics card with 128 MB of dedicated graphics memory for exploiting these features.

Installing Windows XP:
I would like to bring to notice some installation features available from Microsoft during a Windows install. The text mode option is enabled during a clean install and gives us the ability to press the F5 key to choose a HAL-enabled BIOS from the menu. This is critical for an individual or an organization which wants to enable the feature of auto power off. The BIOS has to be HAL capable in order to use this feature. It is always recommended to update the BIOS to HAL capability before installing Win XP. Changing the BIOS after installing Win XP has some serious risks of resulting in an unbootable OS and should not be attempted without a proper backup of data. Microsoft advertises the F6 option during this stage to install any SCSI/RAID adapters. You can also turn off ACPI by pressing F7 to get a HAL that is not ACPI capable. ACPI can interfere with some features on the machine; for example, if the machine is a server type, auto shutdown would not really be a good feature to implement. The rest of the process is old style mode where you can create and delete partitions on your hard drive. There is also the option of choosing between NTFS and FAT32. However, I would recommend NTFS; if your hard drive is over 32GB, NTFS is the only choice for you. Windows XP does all the hard work and jumps into the GUI mode installation and then asks the user for information like the Windows key, name and regional settings. The most important thing is setting the Windows administrator password and writing it down and keeping it somewhere safe. It also asks for the computer name and network configuration and also asks whether you are in a domain environment or a workgroup environment, and for our IP settings. NetBEUI has been disabled in this version of the Microsoft operating system. You can also enter the hard drive for file access during this installation by pressing Shift+F10. This enables you to move files across the hard drives, access files you need and even install drivers for new hardware during installation. For people who want the old style installation you can press Shift+F11 for the old style wizard settings. Microsoft has also implemented Dynamic Update, which means that as long as you have an internet connection it will try to connect and download all the updates needed before your machine is up and running. It will also try to install new device drivers, as long as the manufacturer has his drivers Windows Logo certified. However, Dynamic Update is only available for upgrade installs and is not available on clean installs. Microsoft also enables you to implement your own Dynamic Update sites to prevent clogging of bandwidth in a corporate environment by machines searching for updates through Microsoft's website. The admin can link to the Windows Update corporate site, download all the updates, package them together and put them up on a web server for the staff to install. A switch can be set inside the answer file for downloading from these sites. Another feature is Windows Product Activation, which does not exist for the volume license user where the same media kit is going to be used for multiple installs. However, retail and OEM licenses require Windows Product Activation, which creates a hash of your computer depending upon several features like hardware. Windows Product Activation can also be done in the answer file, with the information sent through HTTP or HTTPS, and Microsoft's minimal requirement is that reactivation is required after changing 3-4 pieces of hardware on your computer.

Upgrading Windows XP:
Most administrators do not have the luxury of making a clean install because there is a lot of software and data installed on the current operating system. The biggest drawback to this is that all the legacy code and baggage in the old operating system will be carried over to the new operating system. An upgrade is possible from Windows 98/98SE, ME, 2000 and Windows NT 4.0 with SP6. However, the server class cannot be upgraded from Windows 2000 Professional. You cannot upgrade from Windows 95 or Windows 3.x. A compatibility check should always be made before upgrading to the new OS. Check using the switch (-checkupgradeonly) for a hardware report on compatible hardware on the machine to install Windows XP. If you're running Windows NT 4.0 with fault tolerance and volume sets, the drives are going to be inaccessible once you install XP since it does not support fault tolerance or volume sets. Microsoft does give you an easy way to use the key FTONLINE to bring the fault tolerant set online to back up the information or recreate a volume set or striped volumes and get that information back. However, you cannot create fault tolerant drives with Win XP. In case of a serious error you can always roll back the upgrade. This feature can be accessed from "Add Remove Programs" in the Control Panel. However, the biggest drawback is that once you change from FAT32 to NTFS you cannot go back to uninstall the upgrade and get your old operating system running. The install procedure is pretty much the same as the one we encountered on a clean install, without the headache of drive partitioning. It even tries to download updates (Dynamic Update) if an internet connection is detected. The software and regional settings and other user settings are preserved on the computer. The upgrade does come with different view screens after the install. Views change with the kind of environment you are running in; for example, in a domain environment the user gets to see the Ctrl+Alt+Del screen, whereas the user gets to see the welcome screen in a workgroup environment.

Migrating User Settings:
User settings are an extremely important feature needed in a corporate environment to preserve the same look for a user. The File and Transfer Settings Wizard comes to our rescue, down to the last Solitaire icon on the user's computer. File and Transfer Settings transfers files in four categories. The first category is appearance, which includes color schemes, sounds and others. Second, it also keeps internet settings like your favorites and your internet security settings. Third, it also backs up all your account settings like all your e-mail accounts and all the internet addresses stored in your machine through Outlook. Finally, it even transfers the settings for installed software like Microsoft Office and even third party software like Adobe. However, the drawback is that the required software should be installed before their settings can be reapplied to the new operating system. The File and Transfer Settings Wizard can be reached through the Windows CD by accessing the icon "Perform Additional Task". The process is simple and visually guided. It gives you the option to choose just files or both files and settings and transfer all the required files through a direct cable, floppy media or the network. This can also be used from XP to XP machines, in the case of customizing a brand new machine to industry standards. However, this should only be used for small offices or a very small office. A better version of this for large offices is the User State Migration Tool for scripting mass XP migration of files. The User State Migration Tool is made up of several tools, one of which is scanstate.exe, which includes files like migapp.inf, migsys.inf, miguser.inf and sysfiles.inf, and you can change these files as you please. A simple illustration would be to access the migapp.inf file, put in the settings you need and the files you need to transfer, and run scanstate.exe on every computer. The new machine would run a different program, loadstate.exe, which will unpack the file and load those settings. However, like the File and Transfer Settings Wizard, this cannot transfer applications, only settings for applications; for example, it will not install Adobe Acrobat on your computer and then transfer its settings. If an application is not detected on the computer, the settings for it will not be used. This application can be accessed in the following directory: "CD:VALUEADDMSFTUSMT". This ability is completely scriptable, so an administrator can send these as e-mail messages to all the users and does not have to be present at all the machines to run this.

Unattended Installation:
Microsoft also supplies us with tools for unattended installation, which is a great feature for network administrators working in a large corporate environment. This feature saves the tedious task of sitting down at each computer and installing Windows XP on each one of them. Unattended installation is made possible through a tool called the Setup Manager, which links to the file unattend.txt, which makes it possible to answer all the questions which Win XP is going to ask us during the process of

... multiple terminals, the profile from which he logs on last will be the last profile updated. This can also be made a mandatory profile, for example in a kiosk environment where you want the user to have the exact same profile whenever he/she logs on. You can do this by going into the user profile and renaming the file ntuser.dat to ntuser.man; no changes will be saved when the user logs off, so he/she will get the same default profile when he/she logs back on.

Local Security Policy:
Local security policies give the administrator several measures to maintain security in the workgroup. There are three different types of policies: auditing, user rights and security settings. There are also account policies, which include password policies and account lockout policies. Password policies enable us to enforce password laws where the administrator can set password length, history, age and even complexity for secure environments. Account lockout policies prevent hackers from constantly trying to log on to the system using brute force, like all combinations of passwords. Local policies give us a variety of features. One section is user rights assignments, where the administrator can assign specific policies to specific users and groups, which allows different users to have different powers and rights on the network and the machine. Auditing properties enable us to generate reports on how the system is performing, to be clear about who is trying to do what on the machine or the network. Microsoft does make our work easier by giving us preconfigured security templates. These are groups of settings for various scenarios. These can be accessed through a bunch of .inf files provided by Microsoft, and you can implement these by either importing the .inf file into the group or by using the Microsoft Security Configuration and Analysis snap-in. These can be applied to a local machine or a group and are easy to create through the MMC. The preconditions are to first create a snap-in and add the Security Policies and Security Configuration and Templates modules to it, then create a database and then import a security template into it. Then you can compare and analyze, or even set your computer to these configurations. You can also save these security templates as shortcuts for access to each machine's security settings.

Group Policies:
The main function of group policies is to implement restrictions on the computer to prevent an unintentional mess-up of the OS on the computer. In a workgroup background you can implement local group policies which are specific to that local machine only and to the users on that machine, so in order to implement this on the entire workgroup you will have to implement this locally on each machine, which can become a headache. However, you can have remote shortcuts to each desktop's MMC (focus MMC on remote machines) on your computer and then implement those policies through this procedure. In a domain setting you need to implement these policies through the organizational units in Active Directory on the Active Directory server. By default group policies have a refresh period after which group policies will be downloaded, but you can run GPUPDATE to refresh and implement new group policies immediately. Group policies are accessed the same way as local policies, by adding the Group Policy snap-in. You can create group policies on that local machine or connect to a remote machine by clicking the browse icon, but you need to have administrative rights on each machine and also on that machine. As ever, domain policies override local computer policies.

Auditing Windows XP:
As a network administrator, one of the main tasks is to make sure that the resources are being used the way they should be used, or not being used in ways they should not be. Auditing in Windows XP is just the feature which helps us track these key events. This can be used to track successful or failed system events. It helps the administrator choose between either tracking things being done correctly or things not being done correctly. The most important factors are file access and account logon. One drawback of auditing is that it should be turned on locally on each machine, since it cannot be enabled on a domain basis. Auditing should not be turned on in the entire domain since it does take a performance hit on the system. An example would be Audit object failures, which tracks failures or successes for files and printers. Enabling this would not turn on auditing on the file; in order to do that you need to go to the properties of the folder or files you want to audit. Head to the Security tab. If you cannot see the Security tab, this either means that simple file sharing is turned on or that your drive is based on the FAT32 partition style. You need to have an NTFS partition style and simple file sharing turned off for this Security tab to show up. However, in a domain environment simple file sharing is turned off by default. Once you can see the Security tab, hit the Advanced button, select the Auditing tab and add the user or the group you would like to audit. Auditing reports can be seen through the Event Viewer, which can be located through the Control Panel and then in Administrative Tools. Finally, the key thing to remember about auditing is that it has to be turned on at two separate places: once in the local security policies and second at the resource you want to audit, like a file or a printer.

Windows Installer:
If you install an application on Windows XP you are most probably using the Windows Installer. Microsoft started this with Windows 2000 to prevent other applications from just installing themselves and breaking and clobbering other DLLs. There are also problems during uninstall where the program would take away a critical Windows component and then your system might not boot. This new service is integrated into the operating system to make the programs well behaved. Windows Installer introduces package files (.msi), which are installation files on the CD itself. There are a lot of advantages to using the Windows Installer; for example, the ability to self-heal in a case where the program detects that a DLL is corrupt or missing and then heals itself by pulling that file back from the source CD or network. There is also a rollback capability: in case something terrible happens during the installation, Windows Installer makes sure to take snapshots of the system before and after the installation, and in case of failure it rolls back the system to the state it was in before. There is also on-demand installation where you can install features as needed and required later on by the system. These can be obtained from the source on either a media format like a CD or on the network. Source resiliency also enables us to define several source targets where you can connect and download the files you need in case one source is corrupted. You can publish an application in a domain setting and then assign a group or users who can connect to download and install this application. Also, you can assign applications to users or groups, where the application doesn't really install itself but places a link or a shortcut of that application on that terminal for that user to access; when the user tries to access it the first time it goes ahead and installs itself using the Windows Installer services. This also enables us to have two different versions of the same program using two different DLLs which can coexist on the same terminal on the same hard drive. MSIEXEC is the command prompt installer which is the core of the Windows Installer. There are several flags to this command and you can run it from the command line to install those problematic applications. One of the most important flags is /f, which can be used to repair bad installations and even find corrupt DLL files.

User Interface:
Windows XP gives the average user a lot of power with the ease to configure his/her user interface. Configuring the desktop is something you can do almost to an extreme in Windows XP. Standard desktop settings remain the same, such as the ability to change wallpapers, colors and sounds. There are also themes and skins which can change the entire look of Windows XP and work as APIs which run on the machine, not as third party tools you need to get. Simple day to day tasks have been made a lot easier with folder and file options available on the left hand side of Windows Explorer. The Start menu has become more powerful than it was before. It also incorporates the ability to customize itself as per your program usage. However, for you old school people, Windows XP does give you the option of switching to the old style desktop or the classic desktop. All you have to do is right-click, go to Properties and change the theme to Windows Classic to obtain the old style Windows look. The Appearance tab helps the user pick a color scheme they like best, or you could also enter advanced mode and pick colors for each part yourself. The Effects tab is the most underused tab, which gives the user the ability to get cleaner fonts and even remove and set animations on your windows. Most appearances are customizable in Windows XP and Microsoft is trying real hard towards the goal of pleasing every user type.

Interface Options:
Microsoft has added a lot of interface options for users who otherwise have problems using the computer. One is accessibility services, where Microsoft has included several options like sticky keys, filter keys or toggle keys and even sounds and an onscreen keyboard. There is also a narrator which gives us text to speech for the visually challenged. There is also the magnifier, which is also a great asset. An easy way to access the narrator, magnifier and the onscreen keyboard is pressing the Windows key + U. Multilingual support has also been included in Windows XP, just as in Windows 2000. However, not all applications support this, but you can enable this for almost all APIs. All that is required is to head to the regional settings in the Control Panel, install the language you want to work with, remap the keyboard accordingly and you're done. One drawback is that for other users to use a document created in this language they must have the same language settings installed on their computer. You can even change the entire interface of the computer into another language by installing support for that language. This serves as a strategic advantage for global organizations which operate in different regions, in terms of saving the space taken by storing a file in different languages, since multi-language support enables us to store only one copy of the file and have it available in different languages.

Hardware Installation:
Windows XP supports the plug and play feature where you can just plug in devices and it will detect them automatically without any installation. One of the most important advantages of this feature is that signed drivers are installed automatically without prompting. However, non plug and play devices require manual installation. This saves a lot of headache for the administrator when it comes to installing different pieces of hardware. The user needs to have administrative privileges to install these hardware devices and drivers. These can be maintained through the Device Manager, which can be accessed by right-clicking the My Computer icon. Microsoft is pushing towards a new setting known as driver signing. This enables Microsoft to see what drivers are installed on the system. In the case of an unsigned driver the user is warned about this before installing it, but he/she can still choose to go ahead or not go ahead with it. Vendors have to actively pursue getting their drivers signed by Microsoft to achieve a signed driver rating. In the case of an unsigned driver Microsoft raises a flag which warns the user about the unsigned driver. This can raise several issues in a network for the administrator to handle, where people bring in their own USB devices to plug in to their systems and then can raise several flags and incompatibilities in the environment. The administrator can handle this situation by disabling and blocking the installation of unsigned drivers. One of the drawbacks in Windows 2000 was the ability for a user to modify the registry keys and install an unsigned driver and then change back the keys after the installation. This loophole has been fixed by Microsoft and the user is not given the ability to change the registry keys, and hence he cannot install unsigned drivers without administrative permission. One of the other features is the facility to update drivers or to even roll back drivers in case of a mishap. Updating device drivers still requires the user to have administrative privileges. However, updating device drivers is one of the most frequent causes of system crashes. This is where the ability of rollback kicks in, where Windows XP maintains copies of older versions of your driver which you can roll back to in case of an update failure. There is also something known as the last good option, which should be a last resort in case of a safe boot. Driver signing gives us the options to freely install, warn or block drivers that are unsigned. A normal user can always go to a much stricter option; for example, if the administrator has selected warn, the normal user can choose block, however he/she cannot choose to ignore it.

Hardware Support:
Windows XP supports most kinds of hardware these days. You can pretty much take anything in the market and it will be supported by Windows XP. Windows XP even supports smartcard operations fresh out of the box. One of the coolest features is the ability to hook up to twelve display devices on to one machine. As a matter of fact you can link up to ten display devices onto one single terminal. There's also dual head technology incorporated into Windows XP, which gives the user the power to connect multiple monitors with a single video card adapter; for example, in the case of a laptop you can connect it to a monitor and have it perform differently from the screen on your laptop or as an extension to the screen on your laptop. Windows XP supports DirectX and OpenGL, which are graphics technologies or graphics APIs. Microsoft is offering this towards the gaming market, where they have finally been able to run DirectX on the NT core for the games to perform at an optimum level. Another Windows XP service included out of the box is fax support. This practically will meet most users' average day to day tasks of receiving and sending faxes. Fax support of course is not installed by default and the user has to install it through and remove
| installation. A simple way to implement | | | | windows components. As soon as you |
| this is to drop all the required | | | | install facts aboard Windows XP creates |
| information for setup in the | | | | a virtual printer through which it will |
| unattend.txt and drop this file in a | | | | send it to your faxes. |
| floppy disk during the installation | | | | You can even have your terminal receive |
| process or script this file inside if | | | | faxes through a virtual printer. Setting |
| you are setting up through an image. | | | | up fax services is pretty easy for the |
| There is one drawback to this since the | | | | average user to configure. It does |
| each computer requires some unique | | | | require a telephone number and other |
| information like computer name and IP | | | | information. You can even set it up to |
| addresses. This can be handled through a | | | | auto print faxes or choose how you would |
| UDF file which is the unique database | | | | like to be alerted. One of the |
| file. IP addresses on the other hand can | | | | directions most new hardware is trying |
| be handled through DHCP and other | | | | to move this towards using USB and |
| processes. If you are booting off an | | | | firewire (IEEE 1394) ports. These are |
| image, this can be achieved by scripting | | | | plug and play hot swappable devices |
| the winnt32 file. The command line | | | | which you can connect and disconnect |
| should read like this winnt32 /s: source | | | | without having to install any drivers. |
| path /u: unattend.txt /udf: udf path. | | | | One of the features of USB is that you |
| However, if booting of a CD then this | | | | can target USB root hub through device |
| file should be placed inside the floppy | | | | manager to allocate power to each hub. |
| disk with the name winnt.sif. This | | | | Another way to get out of this power |
| feature is again hidden inside the Win | | | | drain is to use a self powered external |
| XP and can be accessed through the | | | | hub which draws its power externally to |
| SUPPORT/TOOLS/ path and then by | | | | function. You can even take a look at |
| extracting the deploy.cab file. This | | | | the universal host controller in device |
| file had to be extracted and will then | | | | manager under the USB drop down menu to |
| reveal all the tools you require to | | | | see the amount of bandwidth taken by |
| deploy and unattended installation of | | | | each controller. |
| Win XP. There are also three very | | | | Mobile Computer Hardware: |
| helpful reference files inside this | | | | Windows XP has a pretty good mobile |
| folder which give you a lot of | | | | hardware support. As more and more users |
| information of using these tools. The | | | | switch from desktops to laptops |
| setup manager tool a GUI tool which | | | | Microsoft has increased its support and |
| guides you through setting up the | | | | capabilities towards mobile hardware. |
| process of creating the uanttend.txt and | | | | One of the most important features is |
| the unique database file. It follows the | | | | included support for ACPI which saves a |
| simple procedure of asking questions | | | | lot of battery power on laptop machines. |
| starting from the organization and user | | | | Applications can also request no power |
| name, Win XP key (This is the most | | | | saving incase of server machine where |
| important feature and has to entered | | | | applications need to keep running |
| correctly otherwise the installation | | | | constantly. Dynamic docking and |
| would not take place), workspace or | | | | undocking creates separate profiles for |
| domain settings, regional and internet | | | | docked and undocked mode. ACPI gives the |
| settings, language and time zone | | | | capabilities of power management through |
| settings, computer names and even | | | | power options available in control |
| external commands to start up other | | | | panel. Power management facilities give |
| installations for e.g. installing | | | | us the flexibility to maintain different |
| Microsoft office after Win XP install. | | | | power settings incase of desktops and |
| This setup manager also gives us the | | | | laptops. Also it even creates different |
| options of several types of install like | | | | settings when the laptop is in docked |
| GUI installation, read only installation | | | | mode and running on AC power and when in |
| (user can see everything but cannot | | | | undocked mode and using battery juice. |
| change anything) and others. You do not | | | | One of the power saving modes is the |
| have to create this unattned.txt file | | | | hibernation mode where the computer |
| from scratch for each terminal and can | | | | dumps its memory on the hard drive and |
| modify this file as per your needs for | | | | shuts itself off and when you start it |
| every other user. However this does | | | | again it reloads its RAM from the hard |
| become extremely cumbersome for large | | | | drive. An easier way for an average user |
| environments and the headache of | | | | are built in power schemes given by |
| creating a unattned.txt file for each | | | | Microsoft that help you mange your power |
| user in a larger corporate working area. | | | | settings better to get the maximum time |
| Microsoft does have its answer to that | | | | out of your laptop. Windows XP also |
| which is called the sysprep tool or the | | | | gives you the flexibility to set up UPS |
| system preparation tool which gives us | | | | and adjust hibernation. In order to |
| the ability to roll out clones of | | | | bring your computer to hibernate mode |
| operating systems on each machine. This | | | | initiate a shit down sequence and then |
| does give the network administrator the | | | | when the window pops up hold down the |
| ability to somewhat use a cookie cutter | | | | shift key to change the standby option |
| style to roll out machines with | | | | to hibernate. Hibernate is much bigger |
| preinstalled applications and operating | | | | power saver then standby, since standby |
| systems customized before the mass | | | | still consumes a lot of power. You do |
| installation procedure. The problem | | | | need to log back on to the system after |
| however can arise in the security | | | | hibernation. Windows also has wireless |
| identifiers (SID) that Microsoft uses to | | | | support for Windows XP through Bluetooth |
| identify each machine and unique to that | | | | (802.11b) and Infrared technology built |
| machine. You can use cloning tools to | | | | in to the operating system. Windows XP |
| roll out these clones but you still have | | | | can detect and connect automatically to |
| to use sysprep to authenticate support. | | | | wireless networks using either an access |
| Microsoft's strips those SID's out and | | | | point or an ad hoc ability (ad hoc |
| repacks them so when the user sits down | | | | ability connects multiple computers to |
| on the brand new machine he has to enter | | | | each other without having to connect to |
| some information for the machine to get | | | | an access point). |
| going. The applications are installed in | | | | Storage Devices: |
| the background though, but its | | | | Windows XP hard disk support comes in |
| Microsoft's way of making sure that each | | | | two different flavors. The first one is |
| machine has a unique SID after | | | | the old style know as basic disks which |
| installation. Administrators are advised | | | | include four primary partitions or three |
| to run the latest third party cloning | | | | extended partitions and one extended |
| facilities to achieve the optimum | | | | partition. Microsoft has now implemented |
| results and then use sysprep to repack | | | | a new strategy know as volumes disks. |
| the machine as a brand new one for the | | | | You can have up to 200 volumes per |
| SID's to work safely and in accordance | | | | driver, however Microsoft does recommend |
| to Microsoft. However you have to be | | | | you to not go this high and has set a |
| extremely careful before rolling out | | | | limit of at most 32 volumes per drive. |
| clones since they are very hardware | | | | If you plan to multiboot using this |
| specific, so your terminals should have | | | | drive dynamic disks and dynamic volumes |
| identical HAL's, mass storage device | | | | are only usable by Windows XP and Widows |
| controllers and ACPI support. VAR's | | | | 2000. Applications don't really have an |
| (Value added resellers) should use the | | | | issue with dynamic disks. One drawback |
| -factory mode switch to install and | | | | is that laptop computer and removable |
| reconfigure the machine as per according | | | | storage cannot have dynamic disks since |
| to their requirements. This is also | | | | this is really used when there are |
| known as the audit mode and the machine | | | | multiple drives. You cannot mix dynamic |
| can resealed after this by running | | | | and basic disks on one drive. On basic |
| sysprep again with a -reseal switch. | | | | disk you can primary and extended |
| This can also be done automatically | | | | partitions only and you cannot create |
| using the file WINBOM.INI. | | | | fault-tolerance volumes or even span |
| Remote Installation Services: | | | | drives. Dynamic disks have this ability. |
| A remote Installation service gives us | | | | The first step is a simple volume which |
| the power to install Win XP over the | | | | can be NTFS, FAT or FAT32. The next step |
| network. Microsoft uses a PXE (Preboot | | | | above this is a spanned volume used in a |
| Execution environment) to achieve this | | | | case of multiple hard drives where you |
| and the setback is that you're network | | | | can add more space to hard drive without |
| card should be PXE certified. However, | | | | adding another drive letter. Simple |
| Microsoft also gives some hope to some | | | | volumes can be extended to create |
| left behind by giving us the option of | | | | spanned volumes but the kicker is that |
| using boot disks for people who do not | | | | you cannot extend a system or boot |
| have PXE certified network cards but, | | | | volumes. The third case is a striped |
| there always is setback and this time | | | | volume which is written on both drives |
| it's that this feature is supported by | | | | which doubles your throughput on both |
| only very specific network cards. | | | | drives. This in turn increases |
| Unfortunately, if you're network card | | | | performance and also doubles your |
| does not belong to any one of these | | | | throughput on reading and writing. You |
| classes you are out of luck and cannot | | | | can access these management tools by |
| use this feature. The basic way to setup | | | | right clicking on My Computers and then |
| is to connect to a RIS sever (Remote | | | | selecting manage and choosing Disk |
| Installation server). Once you are | | | | management in the computer management |
| connected to the RIS server there are | | | | window. It is very simple to convert a |
| three ways to connect and install Win | | | | disk to a dynamic disk, the process |
| XP. The first one is a simple | | | | involves right clicking on the disk icon |
| installation where you download and run | | | | itself on the left most side and |
| an image of Win XP CD. The second | | | | choosing convert to dynamic disk. This |
| process is a scripted installation by | | | | renders it unusable by other operating |
| creating an answer file and achieving an | | | | systems since the partition table is |
| unattended installation. The final and | | | | rewritten. You can extend a simple |
| the most powerful is the System image | | | | volume by just right clicking and |
| which uses a tool RIPrep (Remote | | | | choosing extend volume and choose the |
| Installation Preparation tool). This | | | | desired size you would like to extend |
| allows us to create an image with all | | | | the volume to. Converting an existing |
| the customized applications installed on | | | | basic setup to dynamic setup requires at |
| them and then transfer that image to all | | | | least 1MB of unpartitioned space but |
| the required machines. RIS requires an | | | | vice versa is only possible through |
| active directory environment with | | | | reformat. For users updating their |
| integrated DNS built it. The RIS server | | | | system from other legacy system you need |
| must be setup in the active directory. | | | | to use FTONLINE to bring your data |
| Most administrators would dedicate a | | | | online mount it and then wipe out your |
| separate sever for this process. | | | | drives and bring your data back to the |
| Microsoft also states that the RIS | | | | drives. It is not a long term solution |
| partition should a separate one and | | | | for storage. There are also other |
| should not a boot or system partition, | | | | removable storage media like CD's |
| so you would have to throw in a spare | | | | floppies and USB hard drives. Windows XP |
| hard drive and drop this image on it. | | | | has full support for burning CD's |
| Also, the partition must be an NTFS. RIS | | | | included into the operating system. |
| installation utility and RIS preparation | | | | However, it's not as advanced as other |
| utility will allow you to put the | | | | third party applications. |
| different images on the server. The | | | | File Systems: |
| process then requires the Win XP CD and | | | | As a network administrator you need to |
| copies the I386 directory on the server | | | | know the kinds of file systems that are |
| and you can then choose to scripted | | | | supported by Windows XP. NTFS is the new |
| installs or simple installs after that. | | | | file system which has a lot more |
| The RIS uses single instance storage | | | | capabilities incorporated into it. The |
| which means that it stores only one copy | | | | FAT file system is the universal file |
| of each file when you upload different | | | | system, which has a lot of limitations |
| images on the server. This result's in | | | | which were overcome by FAT32. One of |
| saving a lot of space on the server as | | | | the biggest drawbacks was the cluster |
| well but this makes another reason the | | | | size in FAT, so for e.g. the bigger your |
| put this on a dedicated server and once | | | | drives got the bigger the cluster became |
| all this configured you can put access | | | | so for a 1K file you would've used a 32K |
| levels on the images to allow users | | | | cluster and ended up wasting 31K space. |
| restricted access so that they cannot | | | | This becomes a considerable waste when |
| install any image they like. End users | | | | thinking in terms of gigabytes. FAT32 |
| will boot from the network and boot from | | | | overcame this problem by introducing a |
| the PXE network card or PXE floppy disk | | | | 4K cluster, but still has a lot of |
| and it asks them to log on and | | | | limitations. NTFS has a lot of new |
| authenticate themselves to the domain | | | | features like compression, encryption |
| server and then give them choices of | | | | and permissions. Users still using FAT |
| installation images. In a multi-domain | | | | or FAT32 systems on Windows XP can |
| environment the administrators will be | | | | convert to NTFS by running a command |
| required to set up these RIS servers on | | | | from the prompt known as convert |
| each domain. Similar drawbacks exist on | | | | [driverletter]: /fs:ntfs. However, you |
| hardware compatibility. There are | | | | cannot convert back to FAT or FAT32. In |
| limited allowable differences in | | | | a case when you convert your boot drive |
| hardware on the machines but the HAL's | | | | it will convert on reboot. A backup is |
| must be identical and as well the hard | | | | recommended to prevent data loss before |
| drives should be equal or larger in | | | | running this command. In a case you have |
| size. PXE book disks will work only on | | | | already started the process and haven't |
| limited NIC cards so laptop users with | | | | backed up your data you can jump into |
| PCMCIA are out of luck. Also remote | | | | registry editor using the regedit |
| installation can only be done on C | | | | command and look up inside |
| drives and segregations on drives don't | | | | HKEY_LOCAL_MACHINE - system - |
| allow the service to work. | | | | CurrentControlSet - Control - Session |
| Installation Troubleshooting: | | | | Manager. |
| Troubleshooting is always an enemy an | | | | Inside here you will see boot execute. |
| administrator has had to face during his | | | | When you run this you will see the |
| work. Even though Win XP is a quite | | | | conversion process listed there and you |
| sturdy operating system, there is a | | | | can delete it to stop the conversion |
| slight chance that you will run into | | | | process. There are also other file |
| problems during installation. The first | | | | systems maintenance tasks which most |
| step would be to check the hardware | | | | administrators like to do whenever they |
| compatibility and hardware health. Most | | | | find time for e.g. disk defragmentation. |
| the time the problems I have encountered | | | | The new feature in Windows XP is that |
| on Win XP have been due to bad hardware. | | | | you can schedule this defragmentation |
| There is no guarantee that devices on | | | | via the command line. Disk cleanup is |
| Windows 2000 will work on Windows XP. A | | | | also a pretty safe way that deletes |
| first step is to install Windows XP with | | | | cache files and other temp files stored |
| minimum hardware and then drop in extra | | | | on your computer. It even tells you of |
| hardware components after the install. | | | | files which you haven't used in a long |
| That will allow you to isolate the bad | | | | time. |
| or incompatible piece of hardware. You | | | | NTFS: |
| can also access the Microsoft's website | | | | NTFS clearly has a lot of benefits |
| access the hardware compatibility | | | | compared to others like FAT and FAT32. |
| listing. You should also check if the | | | | NTFS is the default choice when you |
| BIOS is ACPI compatible as described | | | | start from scratch. However, one |
| earlier. | | | | difference is that formatting NTFS will |
| User Accounts: | | | | set file security during installation |
| Windows XP requires user accounts to | | | | which you do not get when you convert |
| operate on it. It is based on the | | | | from FAT or FAT32. This can be securing |
| Windows NT kernel formula. Every user on | | | | access from critical system files which |
| Windows XP needs a user account. A big | | | | was not present in FAT and FAT32. |
| advantage of having user accounts is to | | | | Microsoft has introduced the quick |
| be able to customize Win XP according to | | | | format option during setup process. NTFS |
| your environment. Windows XP can operate | | | | also introduces file and directory |
| in a workgroup environment or an active | | | | security settings which are very helpful |
| directory domain. Windows XP also | | | | in corporate environments. IT also gives |
| provides us with built in user accounts. | | | | us the abilities of quotas, compression |
| The most powerful of all is the | | | | and encryption. By default if the user |
| administrator account and time and time | | | | is not in a domain environment then the |
| again it has been said to not do day to | | | | sharing and NTFS permissions are |
| day tasks logged on as the | | | | combined into one. Simple file sharing |
| administrator. The control machine in | | | | is turned on in the tools folder option |
| this case is at a serious threat since | | | | which disables the security tab from the |
| the only user account present on this | | | | properties of a folder or a file. This |
| machine is the administrator account and | | | | can be turned back on by just disabling |
| is not password protected. This is | | | | simple file sharing. Windows XP creates |
| serious threat since this user has | | | | a My documents and Shared Documents |
| complete control for e.g. format a drive | | | | folder. You can make you My Documents |
| even by accident. The other account is | | | | folder private and even when you place a |
| the guest account which is open for | | | | password on your user account then |
| users to access the machine but not | | | | Windows asks you to privatize your |
| giving it the power to corrupt or mess | | | | entire files and folders. Shared |
| with the installed programs. A workgroup | | | | Documents enables multiple users to |
| environment is good for a small | | | | share documents with each other. |
| corporate network but the biggest | | | | However, in a workgroup setting you can |
| drawback is the each terminal should | | | | only make folder private in your user |
| have a user account for that user on | | | | account. In order to disable this option |
| that machine, since Windows XP | | | | you as an administrator need to turn off |
| authenticates user accounts. However, | | | | simple file sharing. In a domain |
| domain environment has a central storage | | | | environment this is turned off by |
| of all accounts which reduces overhead | | | | default and security tab is available. |
| and makes it easy to add new accounts | | | | Permissions granted to a user always add |
| and terminals. In a domain environment | | | | up as most permissible but deny always |
| if there is one user account, you can | | | | overrides other permissions. There is |
| use that account to log on to any | | | | also inheritance which trickles down to |
| machine in the local domain. User | | | | the file level which means that file |
| accounts in a workgroup can be | | | | permissions override the folder |
| maintained through user accounts in the | | | | permissions. However, you can always |
| control panel. By default user accounts | | | | block inheritance and override a lower |
| in Windows XP does not need a password | | | | level permission with the higher one. |
| but the administrator can change these | | | | Windows XP has also added a feature to |
| default settings. Microsoft has also | | | | view effective permissions on a file. |
| installed a feature known as "prevent | | | | These can be accessed through the |
| forgotten password" where through the | | | | effective permissions tab available in |
| administrator account you can create a | | | | the security tab of a file or folder and |
| floppy disk with your password stored on | | | | by clicking the advanced tab. You can |
| it for recovery. However, this floppy | | | | select the user or the group you want to |
| disk should be safeguarded, since it can | | | | view permissions on. NTFS utilizes the |
| be a security loop hole to the entire | | | | concept of ownership of file where the |
| network. In a domain environment you | | | | owner always has full control of the |
| must log on as a member of the | | | | file they created; even after they are |
| administrator's group to create and | | | | locked out they can take ownership of |
| delete user accounts. However, in a | | | | the file and give themselves access to |
| domain environment you have to add | | | | it. Administrator can take ownership of |
| domain users to the local group to grant | | | | any file available in the system, but so |
| them access to the machines in that | | | | that this cannot be abused they cannot |
| group using that user account. The | | | | give ownership to someone else, they |
| concept is a little different, since | | | | sure can give them permissions to view |
| domain user accounts should be granted | | | | and modify but not ownership. This is a |
| access to a local group and are then | | | | key concept of recovering files when a |
| able to log on to any machine in that | | | | user has left the company or has been |
| group using that domain account, whereas | | | | locked out from his files. Taking |
| each computer in a domain environment | | | | ownership is very easy, head to the |
| can also have local user accounts | | | | security tab and click advanced tab and |
| specific to that machine and only | | | | choose the owner tab and then you can |
| accessible through it. | | | | add yourself back. Then you can go ahead |
| Group Accounts: | | | | and add yourself back into the file |
| Groups are a boon to an administrator in | | | | permissions to give you back full |
| settings permissions. This allows us to | | | | control. NTFS also gives us the ability |
| take users and combine them to manage | | | | to compress files on a case by case |
| resources. Local groups allow us to set | | | | basis. Compression and decompression |
| permissions to a group and have it | | | | happen automatically. Compressing |
| trickle down on to the members of that | | | | folders will also compress files and |
| group, local groups existing on each | | | | adding new files to it will also keep |
| machine that give us this ability. | | | | the new files compressed. Windows XP |
| Windows XP also gives us some built in | | | | does highlight them with different color |
| groups like the administrator's group | | | | to mark them as compressed. Encryption |
| and the users group. Local groups | | | | and compression do not mix well in |
| however have authority on that local | | | | Windows XP. You can access encryption |
| machine. Microsoft's management console | | | | and compression through the properties |
| allows us to create, delete and manage | | | | and advanced tab and choosing between |
| groups. A user can be a member of | | | | compression and encryption. Microsoft |
| multiple groups so that allows the user | | | | uses the EFS (Encrypting File Systems) |
| to have a combination of most | | | | for safeguarding files and folders. |
| permissible abilities. However, deny | | | | Encrypting a folder will encrypt all |
| always overrides an allow so if a user | | | | files inside the folder as well. The key |
| is denied a permission in one group that | | | | is encryption is stronger than |
| overrides that permission in all his | | | | permissions because the data gets |
| member groups. There are several built | | | | scrambled using certificates. This means |
| in groups like administrator's, backup | | | | that user who owns that certificates can |
| operators, guest, network configuration, | | | | only access that data. There is no |
| power users, remote desktop users and | | | | longer the security hole where encrypted |
| help users group. The name pretty much | | | | file transfer was not possible and data |
| defines most of these groups. Most of | | | | had to be decrypted for the other user |
| the members belong to the power users | | | | to read it. Now when you give access to |
| group which gives them the opportunity | | | | somebody else for your encrypted files |
| to install applications and do day to | | | | he/she gets a copy of the certificate to |
| day tasks. However there are some | | | | decrypt those files. One drawback is |
| restrictions placed on this group for | | | | that if you move files into an already |
| e.g. they cannot access other user's | | | | encrypted folder it will not be |
| files and cannot format hard drives or | | | | encrypted, however the ones created will |
| change user group settings and other | | | | be. You can give access to another user |
| user's accounts. There are also some | | | | of your encrypted file by adding them |
system groups which are used by Windows XP itself to perform certain tasks. The operating system handles these groups and you do not need to manage them. One such group is the "Everyone" group, which, as its name suggests, includes everyone. If you want to give wide open access to a computer you can grant permissions to the "Everyone" group. However, this does not include anonymous access, so a user cannot obtain that access by logging on anonymously. There are also other system groups like Authenticated Users, who have proved themselves by logging on to the system, and Creator/Owner. There are also the Network and Interactive groups, which differentiate on the basis of your location: the Network group classifies users who log on over the network, whereas Interactive users are users who actually sit down at the machine to log on. Creating and managing user groups can be achieved through the Microsoft Management Console. This saves a lot of headache at the domain level, since the domain administrator can create a domain level group in the domain environment. The local administrator can then add that domain level group into the local machine group he just created, and this gives the members of that group immediate access to that machine.

Logging onto Windows:
Logging on to Windows XP differs between a workgroup and a domain environment. Microsoft has finally stepped away from the Ctrl+Alt+Del key combination to log on to Windows. In a workgroup environment the user is greeted with a welcome screen; however, the old style log on can be made compulsory in a workgroup environment by the administrator. In a domain environment the Ctrl+Alt+Del screen is the default and you cannot get away without it. In a workgroup setting you can disable the welcome screen, but this also switches off the fast user switching option. Fast user switching is available only in a workgroup setting and is targeted at the home environment. It enables multiple users to run their sessions on the same terminal without closing the other person's session, or lets a user log on without logging another user off. This uses the terminal services made available to us by Microsoft. There is a minimum memory requirement of 128MB for using this service. You can use fast user switching with the Windows key + L, but you need the welcome screen switched on for this. You can also see which accounts are currently logged on by using the Task Manager and switching to the Users tab, which shows all the users currently logged on and which of them are active and which are disconnected. Troubleshooting user accounts can be a simple task. Be sure to check that the password is correct, that Caps Lock is not turned on, and that the account has not been disabled. You can also turn on the Guest account as a last resort to give limited access. This can be a security loophole, so most administrators avoid it. In a domain environment XP caches user log on information, so you as an administrator can turn on a feature which prevents a user from logging on if the domain controller is down. You can set this up by accessing the security policies from Administrative Tools in the Control Panel. This gives you the option of changing the number of cached logons to zero, which will prevent a user from logging on if the domain controller is down. Changes such as this require the user to be a member of the Administrators group, and these local security policies can be overridden by policies set at the domain level.

User Profiles:
User profiles in Windows XP give each user the power to maintain his/her own settings. A profile is just a group of files personal to that user plus the HKCU portion of the registry. All the user profiles and the default profile are found in the folder Documents and Settings. However, this is only the case for a clean install of Windows XP; when we upgrade from Windows NT the user profiles are found in the system root directory. Profiles are specific to each machine, so if a user has an account on ten different machines, his user profile on each machine will be local and different. The exception to this is a roaming user profile, where the user roams from one terminal to another. In this case the user can log on to any machine, his user profile is downloaded to the terminal he sits down at, he can make changes to his/her profile, and when he logs off those changes are saved back to the Active Directory. In order to set up this user profile the administrator must create a user account and enter a UNC path (Universal Naming Convention, e.g. \\domainname\foldername\%username%) in the Profile tab of the user in Active Directory. However, the trick is to give proper permissions to the directory where the user profiles are saved in order for the user to access his/her profile; otherwise the user will receive a default profile. This profile is also cached locally, so in case the roaming profile is not available or the profile server goes down, the user can still log on using the locally stored profile. However, in case the user logs onto

through the Details tab available through the Properties and Advanced tabs. The catch is that the user should have encrypted a file at least once to have a certificate available on the computer. This is needed by Windows XP since the first time you encrypt a file it issues you an encryption certificate. In a domain environment you must trust the server for delegation in order to encrypt files on the server. You can also use WebDAV to provide secure transport and storage and avoid trusting the server for delegation.

EFS Recovery:
Recovering encrypted data has been made possible since Microsoft's introduction of the DRA, or data recovery agent. This utilizes a special key which is tagged on to every file encrypted. In a domain setting the administrator is the default data recovery agent, so there is always a back door for recovering encrypted files. In a workgroup environment there is no default data recovery agent, so you need to create one. The key is to create a DRA before any files get encrypted, since you won't be able to recover files which were encrypted before that. The first thing you need to do is access your security policies by heading into the Local Security Policy and then into Public Key Policies, which will show you Encrypting File System. Making a DRA is a little tricky to begin with. Start by opening the command prompt and running the cipher command as follows: cipher /r:[filename]. This command creates your two recovery certificate files, one the public key (.cer) and the other the private key (.pfx). It also asks you for a password to protect your private key. Once done, right click on Encrypting File System in the Local Security Policy, add a new DRA, then browse to the recovery file you just created and add it. Now, whenever any user encrypts a file you will be listed as a data recovery agent. You can also reset the password for another user if he or she forgets it, but this trashes that user's certificate, so he/she will not be able to access files which were encrypted with the previous certificate. This is where the DRA comes in as a savior. In order to disable EFS you need to completely remove the encryption policy; it doesn't just go away by removing the DRA. Disabling EFS is done by accessing the Encrypting File System menu in the Local Security Policy, right clicking to go to All Tasks and then selecting Delete Policy. However, turning off EFS is not quite that easy in a workgroup environment. You can find more details about this in recently published Microsoft documents.

Networking Setup and Troubleshooting:
Windows XP is a very powerful operating system which includes a lot of features when it comes to networking. Windows XP is multi-protocol ready and uses NWLink, which is easily configured for simple file sharing. However, it also supports the universal TCP/IP protocol. The advantages are numerous, and there is even a working copy of the new IPv6 protocol for all you network wizards to play around with. NetBEUI support is no longer available as standard, but it is included as a hidden add-on on the disk. Windows XP also gives us the ability to bridge different media types. The Network Connections box shows you one entry for each network connection available on your computer. Bridging them is very easy: just select them all and right-click to choose Bridge Connections. You can install other protocols like NetBEUI by clicking Install, choosing "Have Disk" and browsing through the disk to install it. Windows XP has introduced an alternate configuration for TCP/IP settings, where it kicks into the alternate configuration if the primary one is not obtained. This can be used to store two different connection settings, for home and office on your laptop or in another applied scenario. Networking with Windows XP is not without its pitfalls. Network troubleshooting in Windows XP begins at a basic level, where the first thing the administrator should do is look whether the cable is plugged in and the lights are blinking. You can then go ahead and type the net config redirector command, which displays the entire current network configuration of your computer. You can even repair a connection by right clicking on the connection you want to fix; Windows XP then runs a lot of commands under the hood to fix that connection. If this still doesn't work you can then use the command "netsh int ip reset [logfile]". In essence this tears the stack down all the way to the base and rebuilds that TCP/IP connection, in other words reinstalling the connection. You can access the advanced settings by clicking the Advanced tab and then choosing Advanced Settings, which shows you the bindings on that computer. Another command used is IPCONFIG with flags like /all, /renew, /flushdns and /registerdns. Other simple commands are PING for pinging IP addresses, TRACERT for tracing the route to IP addresses, NBTSTAT -R to empty and reload the name cache, NETSTAT for showing all the incoming and outgoing active connections, and NETSTAT -r which shows you the routing table.
READ 'Pt 2' for more details.
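The group nesting and roaming profile setup described in the user groups and User Profiles sections of this part, as an added batch example that is not part of the original article. It uses the built-in net, cacls and reg commands rather than the MMC and Active Directory GUI steps the article describes. The domain EXAMPLE, the server FILESRV, the Profiles share, the account jsmith and the group names are placeholders. The CachedLogonsCount value under the Winlogon key is, from my own knowledge rather than the page, the registry value that the "cached logons" policy the article mentions writes.

```batch
@echo off
REM Added example: local group nesting and roaming profile setup on Windows XP.
REM All names below (EXAMPLE, FILESRV, Profiles, jsmith, group names) are placeholders.

REM 1. Create a local group on this machine and nest a domain group inside it.
REM    Members of the domain group then receive whatever this local group is
REM    granted on this machine, which is the pattern the article describes.
net localgroup "App Operators" /add /comment:"Local rights for the app support team"
net localgroup "App Operators" "EXAMPLE\App Support" /add

REM 2. Inspect the result. Domain groups show up as DOMAIN\Name in the listing.
net localgroup "App Operators"

REM 3. Point a domain account at a roaming profile share. Run with domain admin
REM    rights; /domain sends the change to the domain controller. The article's
REM    \\server\share\%%username%% pattern is written here with the name spelled out.
net user jsmith /profilepath:\\FILESRV\Profiles\jsmith /domain

REM 4. The permissions the article warns about: without rights on the profile
REM    folder the user silently gets a default profile. cacls is the XP-era ACL
REM    tool (/E edit, /G grant; C = change). Run this on FILESRV against the
REM    local folder behind the share, so it is left commented here.
REM cacls "D:\Profiles\jsmith" /E /G "EXAMPLE\jsmith":C

REM 5. Optional hardening from the logon section: zero cached logons, so nobody
REM    can log on with cached domain credentials while the DC is unreachable.
REM    Local policy can be overridden by domain policy, as the article notes.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f
```

Step 5 trades availability for assurance: with the count at zero a laptop user cannot log on at all away from the network, which is why the article presents it as a choice the administrator turns on rather than a default.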
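The DRA creation from the EFS Recovery section, as an added batch example that is not the article's own code. It runs the cipher command the article names; the C:\Recovery and C:\EfsTest paths are placeholders. The cipher /u and /u /n switches are from my own knowledge of the XP cipher tool, not from the page: /u /n lists encrypted files without touching them, and /u rewrites the recovery field of the current user's already-encrypted files so they pick up a DRA added after they were encrypted, which addresses the "encrypted before the DRA existed" case the article raises.

```batch
@echo off
REM Added example: create an EFS data recovery agent (DRA) pair on Windows XP.
REM Paths are placeholders; run as the account that will act as the agent.

REM 1. Generate the recovery certificate pair. cipher prompts for a password
REM    that protects the private key. Two files result:
REM      C:\Recovery\DRA.cer  (public certificate, imported into the policy)
REM      C:\Recovery\DRA.pfx  (private key; needed only when recovering files)
mkdir C:\Recovery 2>nul
cipher /r:C:\Recovery\DRA

REM 2. Import DRA.cer via Local Security Policy -> Public Key Policies ->
REM    Encrypting File System -> Add Data Recovery Agent (the GUI step in the
REM    article). Then move DRA.pfx off this machine: whoever holds it can
REM    decrypt every file that lists this agent.

REM 3. List which files on the local drives are already encrypted. /n keeps
REM    /u from modifying anything, so this is a read-only inventory.
cipher /u /n

REM 4. Files encrypted before the DRA was added do not carry its recovery key.
REM    Running cipher /u as the owning user re-stamps that user's files with the
REM    current DRA, so they become recoverable as well.
cipher /u

REM 5. Verify on a test folder. Files created inside an encrypted folder are
REM    encrypted automatically; cipher with no switches shows E for encrypted
REM    entries and U for unencrypted ones.
mkdir C:\EfsTest 2>nul
cipher /e C:\EfsTest
echo constructed sample > C:\EfsTest\note.txt
cipher C:\EfsTest
```

The order matters: the policy import in step 2 must be in place before step 4, otherwise cipher /u has no new agent to stamp onto the files.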
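The troubleshooting sequence from the Networking Setup and Troubleshooting section, as an added batch script that is not the article's own. It runs the commands the article lists in the order a first-line check would use them and collects their output in one log; the gateway address 192.168.1.1 and the log paths are placeholders. The stack reset is left as the last, commented step because it rewrites the TCP/IP configuration and needs a reboot.

```batch
@echo off
REM Added example: first-line network triage on Windows XP using the tools
REM the article names. Placeholders: the gateway address and the log paths.
setlocal
set LOG=%TEMP%\nettriage.log
set GATEWAY=192.168.1.1

echo ==== Workstation (redirector) service configuration ==== >> "%LOG%"
net config workstation >> "%LOG%" 2>&1

echo ==== Adapter configuration: addresses, DNS, DHCP lease ==== >> "%LOG%"
ipconfig /all >> "%LOG%" 2>&1

echo ==== Routing table ==== >> "%LOG%"
netstat -r >> "%LOG%" 2>&1

echo ==== Active connections with owning process id ==== >> "%LOG%"
netstat -ano >> "%LOG%" 2>&1

echo ==== Reachability: the gateway first, then the path to it ==== >> "%LOG%"
ping -n 2 %GATEWAY% >> "%LOG%" 2>&1
tracert -d -h 10 %GATEWAY% >> "%LOG%" 2>&1

echo ==== Name resolution caches ==== >> "%LOG%"
REM -R purges and reloads the NetBIOS name cache; the switch is case sensitive.
nbtstat -R >> "%LOG%" 2>&1
ipconfig /flushdns >> "%LOG%" 2>&1
ipconfig /registerdns >> "%LOG%" 2>&1

echo ==== Renew the DHCP lease ==== >> "%LOG%"
ipconfig /release >> "%LOG%" 2>&1
ipconfig /renew >> "%LOG%" 2>&1

REM Last resort, as in the article: tear the TCP/IP stack down and rebuild it.
REM The log file argument is required on XP; reboot afterwards.
REM netsh int ip reset "%TEMP%\ipreset.log"

echo Results written to %LOG%
endlocal
```

Reading the log top to bottom mirrors the article's escalation: configuration, then routing, then reachability, then name resolution, with the destructive reset held back until the cheaper checks have been exhausted.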