Microsoft Reduce Customer Effort Center

Our team drives product feedback based on solid data, drives proactive issue prevention and, ultimately, drives improvements to products based on customer feedback.

February, 2007

  • Configure UAC settings via policy

    Now that we understand how UAC works and why enabling it matters for preventing problems during a Windows Vista deployment in your environment, we can move on to how to configure UAC to balance security and ease of use. The consent UI behavior, as well as some other UAC features, can be changed by administrators through Group Policy. This section describes the main method for configuring UAC: administering it with the Local Security Policy Editor and Group Policy. Administrators in a domain environment can configure the same UAC settings in domain security policy.

    1.    Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.

    2.    From the Local Security Settings console tree, click Local Policies, and then Security Options.

    3.    Scroll down and double-click the corresponding UAC policy setting to configure it.

    4.    Close the Local Security Settings window.

    There are in total eight Group Policy Object (GPO) settings that can be configured for UAC. The following list includes the policy settings:

    • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
    • User Account Control: Behavior of the elevation prompt for standard users
    • User Account Control: Detect application installations and prompt for elevation
    • User Account Control: Only elevate executables that are signed and validated
    • User Account Control: Run all administrators in Admin Approval Mode
    • User Account Control: Switch to the secure desktop when prompting for elevation
    • User Account Control: Virtualize file and registry write failures to per-user locations
    • User Account Control: Admin Approval Mode for the Built-in Administrator account
    • User Account Control: Only elevate UIAccess applications that are installed in secure locations

    Here we outline three common tasks that administrators perform during the setup and configuration of client computers running Windows Vista. The following policies cover disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.

     1. Disable Admin Approval Mode

    Policy Item: User Account Control: Run all administrators in Admin Approval Mode.

    Default Value: Enabled
    Description: There are two possible values:

    • Enabled - Both administrators and standard users will be prompted when attempting to perform administrative operations. The prompt style is dependent on policy.

    • Disabled - UAC is essentially "turned off" and the AIS service is disabled from automatically starting. The Windows Security Center will also notify the logged-on user that the overall security of the operating system has been reduced and will give the user the ability to self-enable UAC.

    Note: Changing this setting will require a system reboot.

     2. Disable User Account Control from prompting for credentials to install applications

    Policy Item: User Account Control: Detect application installations and prompt for elevation.

    Default Value: Home: Enabled. Enterprise: Disabled
    Description: There are two possible values:

    • Enabled - The user is prompted for consent or credentials when Windows Vista detects an installer.

    • Disabled - Application installations will silently fail or fail in a non-deterministic manner. Enterprises running standard-user desktops that leverage delegated installation technologies like GPSI or SMS will disable this feature. In this case, installer detection is unnecessary and therefore not required.

     3. Change the elevation prompt behavior

     Policy Item: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.

    Default Value: Prompt for consent
    Description: There are three possible values:

    • No prompt – The elevation occurs automatically and silently. This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments and is NOT recommended.

    • Prompt for consent – An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either Continue or Cancel. If the administrator clicks Continue, the operation will continue with their highest available privilege.

    • Prompt for credentials – An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

    Policy Item: User Account Control: Behavior of the elevation prompt for standard users

    Default Value: Home: Prompt for credentials. Enterprise: No prompt
    Description: There are two possible values:

    • No prompt – No elevation prompt is presented and the user cannot perform administrative tasks without using Run as administrator or by logging on with an administrator account. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.

    • Prompt for credentials – An operation that requires a full administrator access token will prompt the user to enter an administrative user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.
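
    As an added example (not from the original article), the following PowerShell script reads the registry values behind the UAC policies listed above and reports them in the wording used by secpol.msc, flagging the two settings this section warns against. The value names under Policies\System (EnableLUA and so on) are not on this page; they are the standard UAC registry values, and the prompt values 3 to 5 that Windows 7 and later added are included so the script stays useful on newer clients.

```powershell
# Added example, not part of the original article: report the UAC policy settings
# in the vocabulary the article uses. Assumption: the policies are stored as the
# standard DWORD values under Policies\System named below (not listed on this page).
# Read-only; runs from a standard user prompt on Windows Vista or later.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of 0/1 for the plain Enabled/Disabled policies
$onOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }

# Policy (as shown in secpol.msc) -> registry value -> meaning of each stored number.
# Vista uses 0-2 for the admin prompt; values 3-5 exist on Windows 7 and later.
$policies = @(
    @{ Policy = 'Run all administrators in Admin Approval Mode'
       Value  = 'EnableLUA'; Map = @{ 0 = 'Disabled (UAC off)'; 1 = 'Enabled' } },
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Value  = 'ConsentPromptBehaviorAdmin'
       Map    = @{ 0 = 'No prompt'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent'
                   3 = 'Prompt for credentials (Win7+)'; 4 = 'Prompt for consent (Win7+)'
                   5 = 'Prompt for consent for non-Windows binaries (Win7+)' } },
    @{ Policy = 'Behavior of the elevation prompt for standard users'
       Value  = 'ConsentPromptBehaviorUser'
       Map    = @{ 0 = 'No prompt'; 1 = 'Prompt for credentials'
                   3 = 'Prompt for credentials (Win7+)' } },
    @{ Policy = 'Detect application installations and prompt for elevation'
       Value  = 'EnableInstallerDetection'; Map = $onOff },
    @{ Policy = 'Only elevate executables that are signed and validated'
       Value  = 'ValidateAdminCodeSignatures'; Map = $onOff },
    @{ Policy = 'Switch to the secure desktop when prompting for elevation'
       Value  = 'PromptOnSecureDesktop'; Map = $onOff },
    @{ Policy = 'Virtualize file and registry write failures to per-user locations'
       Value  = 'EnableVirtualization'; Map = $onOff },
    @{ Policy = 'Admin Approval Mode for the Built-in Administrator account'
       Value  = 'FilterAdministratorToken'; Map = $onOff },
    @{ Policy = 'Only elevate UIAccess applications that are installed in secure locations'
       Value  = 'EnableSecureUIAPaths'; Map = $onOff }
)

function Get-UacPolicyReport {
    $props = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    foreach ($p in $policies) {
        $raw = $null
        if ($props -ne $null) { $raw = $props.($p.Value) }
        if ($raw -eq $null) {
            $meaning = '(not set; Windows default applies)'
        } elseif ($p.Map.ContainsKey([int]$raw)) {
            $meaning = $p.Map[[int]$raw]
        } else {
            $meaning = "Unknown value $raw"
        }
        # The two settings the article cautions against: UAC off, and silent
        # elevation for administrators ("No prompt").
        $warning = ''
        if ($p.Value -eq 'EnableLUA' -and $raw -eq 0) {
            $warning = 'UAC is turned off; Security Center will report reduced security'
        }
        if ($p.Value -eq 'ConsentPromptBehaviorAdmin' -and $raw -eq 0) {
            $warning = 'Silent elevation; only for the most constrained environments'
        }
        New-Object PSObject -Property @{
            Policy = $p.Policy; RegistryValue = $p.Value
            Raw = $raw; Setting = $meaning; Warning = $warning
        }
    }
}

Get-UacPolicyReport | Format-Table Policy, Raw, Setting, Warning -AutoSize -Wrap
```

    Values written by Group Policy land in the same key, so the report reflects the effective setting after a policy refresh; a reboot is still needed for EnableLUA changes to take effect, as the section notes.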

     

    For more information on how to configure UAC via policy, see the following links:

    How to use User Account Control (UAC) in Windows Vista
    http://support.microsoft.com/?id=922708

    http://technet.microsoft.com/en-us/windowsvista/aa905117.aspx

  • How to determine whether the KMS server is working

    Many customers have questions about how to confirm that KMS is working properly before reaching the 25-client threshold.

    To determine whether the KMS machine and the client machine are working, view the event logs on each machine.

    1) On the client machine, in the Application event log:

    Look for event IDs 12288, 12289 and 12290 (the 12288 and 12289 entries should come in pairs: client query, KMS response).

    The client machine records a 12288 event, which is the request to the KMS server machine.

    The 12289 event is the response back from the KMS server.

    • If there are no 12289s, look in the first field (before the comma) for the error code.

    • Also note the name of the targeted KMS machine in the 3rd field of the 12288 event; this usually helps to figure out whether it was misaddressed.

     

    2) On the KMS server side, look for event 12290 messages. These are in their own event log and are created for each activation and renewal request from each client.

    So the client sends a 12288 to the server, the server generates a 12290 on its own machine, and the client records a 12289 as the response back from the KMS server.

    3) You can also use "slmgr.vbs -dli" to show the number of clients that have attempted contact with the KMS server, but this is not a method of checking or validating that the KMS service will activate the 26th and future clients. Currently there is no way to verify that validation will take place until the 26th client hits the KMS server, other than looking at the COUNT number when running that VBS script. If there is a count there, then all is well with KMS.
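
    The client-side event-log check above, as an added PowerShell example that is not from the original article. It assumes the event message carries a comma-separated field list after the text "Info:", with the first field being the result code and, in a 12288 request, the third field naming the KMS host; the sample events are constructed to show the layout, and the Get-WinEvent call at the end reads the real Application log.

```powershell
# Added example (not from the original article): apply the event-log checks described
# above to KMS client events. Assumption about the message layout: the text after
# "Info:" is a comma-separated field list, where the first field is the result/error
# code and, in a 12288 request, the third field is the KMS host that was contacted.
# The sample events at the bottom are constructed, not captured from a real client.

function ConvertFrom-KmsEventMessage {
    param([int]$Id, [string]$Message)
    $at = $Message.IndexOf('Info:')
    if ($at -lt 0) { return $null }
    $fields  = $Message.Substring($at + 5).Trim().Split(',')
    $kmsHost = $null
    # Per the article, the 3rd field of a 12288 names the targeted KMS machine
    if ($Id -eq 12288 -and $fields.Length -ge 3) { $kmsHost = $fields[2].Trim() }
    New-Object PSObject -Property @{
        Id        = $Id
        ErrorCode = $fields[0].Trim()   # 1st field (before the comma)
        KmsHost   = $kmsHost
    }
}

function Test-KmsClientEvents {
    # $Events: objects with Id and Message properties, as Get-WinEvent returns them
    param($Events)
    $requests  = @($Events | Where-Object { $_.Id -eq 12288 })
    $responses = @($Events | Where-Object { $_.Id -eq 12289 })
    $findings  = @()
    foreach ($req in $requests) {
        $r = ConvertFrom-KmsEventMessage -Id 12288 -Message $req.Message
        if ($r -eq $null) { continue }
        $findings += "12288 request to '$($r.KmsHost)', result code $($r.ErrorCode)"
        if ($r.ErrorCode -notmatch '^0x0+$') {
            $findings += "  WARNING: non-zero code in the first field; check that '$($r.KmsHost)' is the intended KMS host"
        }
    }
    foreach ($resp in $responses) {
        $r = ConvertFrom-KmsEventMessage -Id 12289 -Message $resp.Message
        if ($r -eq $null) { continue }
        $findings += "12289 response received, result code $($r.ErrorCode)"
    }
    # 12288 and 12289 should come in pairs; fewer responses than requests means the
    # KMS host never answered for some of them.
    if ($responses.Count -lt $requests.Count) {
        $findings += "WARNING: $($requests.Count) request(s) but $($responses.Count) response(s)"
    }
    return $findings
}

# Constructed sample: one request/response pair and one request that got no 12289.
$sample = @(
    (New-Object PSObject -Property @{ Id = 12288; Message = "The client has sent an activation request to the key management service machine.`nInfo:`n0x0,0x00000000,kms01.contoso.com:1688,00000000-0000-0000-0000-000000000000" }),
    (New-Object PSObject -Property @{ Id = 12289; Message = "The client has processed an activation response from the key management service machine.`nInfo:`n0x0,0x00000000,0,0,5" }),
    (New-Object PSObject -Property @{ Id = 12288; Message = "The client has sent an activation request to the key management service machine.`nInfo:`n0xC004F074,0x00000000,kms-typo.contoso.com:1688,00000000-0000-0000-0000-000000000000" })
)
Test-KmsClientEvents $sample

# On a real client, read the Application log instead (Windows Vista or later):
# Test-KmsClientEvents (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289 })
```
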
  • Fighting Spam and Phishing with Sender ID

    E-mail authentication built on the Sender ID Framework (SIDF) is gaining wide adoption, providing a major advancement in the fight against spam and phishing messages. In fact, more than a third of the world's e-mail volume is already authenticated and SIDF-compliant. Using Sender ID as well as the other anti-spam features in Exchange Server 2007 can effectively protect customers from spam attacks and save on the total cost of operation. Here is how it works and how to configure SIDF in Exchange Server 2007.

    Exchange Server 2007: Fighting Spam and Phishing with Sender ID
    http://www.microsoft.com/technet/technetmag/issues/2006/12/sidf/default.aspx

  • Introducing Network Monitor 3.0

    Network Monitor is a very useful tool for troubleshooting network-related issues. Microsoft has released the new Network Monitor 3.0, which is supported on Windows Vista.

    Here are some of the key features of Network Monitor 3.0:

    • A completely new user interface

    • Real-time capture and display of frames

    • Simultaneous capture on multiple network adapters

    • Multiple simultaneous capture sessions

    • Network conversations and a tree view displaying frames by conversation

    • A new script-based protocol parser language, and script-based parsers

    • Support for Windows Vista/Windows XP/Windows Server 2003

    • Support for 32-bit and 64-bit platforms

     

    To download Network Monitor 3.0, please visit the site below: 

    https://connect.microsoft.com/

     

    The site requires a Passport account to sign in, but it is free. You can then find Network Monitor 3.0 in the Available Connections field. Click Apply to participate, and then you can download Network Monitor 3.0 there.

     

    For more information about Network Monitor 3.0, please visit these links:

    Netmon 3 Public Release FAQ (requires participation first)
    https://connect.microsoft.com/content/content.aspx?ContentID=3952&SiteID=216

    Network Monitor blog
    http://blogs.technet.com/netmon

    Network Monitor 3 Newsgroup (requires participation first)
    https://connect.microsoft.com/messageboards/community.aspx?SiteID=216

  • Introduction to User Account Control

    Can a popup put you in prison?

     

    You love it, you hate it....ok, you may hate it, but....

     

    You’ve seen it, or at least heard about it in Windows Vista: User Account Control or UAC (formerly known as LUA or Least Privileged User Account). With the release of Windows Vista, we hope that more and more ‘cyberholics’ will better appreciate this new feature.

     

    There has been tons of speculation, concern and anxiety around how UAC will impact troubleshooting and workflow, so I want to be sure everyone understands the basics and knows where to get more information. Much of this can be found in the well-constructed UAC technical documentation released on the Microsoft TechNet portal. We would also recommend reading Tim Sprinston's blog, which provides a unique perspective for a good understanding of UAC:

    http://blogs.technet.com/ad/archive/2007/01/29/i-ll-say-it-again-user-account-control.aspx

     

    Here is some data that you should keep in mind before deciding to turn UAC off!

     

    • UAC has the potential to reduce the operating system attack surface by 85%!
    • UAC goes through 3 checks for applications (in this order):

    1. Does it have an application compatibility database entry?

    2. Is it made for Vista by having a manifest?

    3. Is it a setup/install routine?

    • Interactive Users - All interactive users (except the built-in Administrator) will be affected. They will need to give consent through the consent UI before running any application or task with administrative privileges.
    • Services, System Components, Built-in Administrator - Services, system components and the built-in Administrator will not be impacted. However, changes may be needed to applications and tasks that manage components, by marking these to require administrative privileges.
    • The built-in Administrator account is now disabled by default on new installs of Windows Vista (more information available at http://blogs.msdn.com/windowsvistasecurity).

  • Tips for managing the Exchange Server 2007 Console views

    In Exchange 2007, the Recipient Configuration node and its child nodes (Mailbox, Distribution Group, Mail Contact, Disconnected Mailbox) of the Exchange Management Console (console) are used for recipient management. By default, up to 1000 recipients in the current domain are displayed in the result pane of the Recipient Configuration node and its child nodes. For organizations with more than 1000 recipients, the first 1000 are displayed by default even though they may not be the specific set of recipients you want to manage, and you may not want to wait for them to load. This article gives a few tips to manage and speed up the console view.

     

    Tip#1: Scope the recipients to be displayed to a specific domain or OU level

     

    You can control the scope of recipients shown to a domain or OU by using the "Modify Recipient Scope" context menu of the Recipient Configuration node. Narrowing down the recipient scope improves performance as it reduces the scope to query specific recipients and the number of recipients to display in the console. This also improves manageability if you use a domain or OU-based organizational design. The scope set at this top level applies to the recipient objects of the Recipient Configuration node and also its child nodes Mailbox, Distribution Group and Mail Contact.

     

    Tip#2: Set a smaller maximum number of recipients to display

     

    You can set the maximum number of recipients to display to a smaller value than the default of 1000 using the "Modify the Maximum Number of Recipients to Display" context menu of the Recipient Configuration node and its child nodes Mailbox, Distribution Group and Mail Contact, which reduces the number of recipients shown in the result pane. This takes less time to load recipients, but it only works if your scoped and/or filtered recipients return fewer results than this smaller maximum. Otherwise, you will have to enlarge the maximum number to load all of the intended recipients.

     

    Tip#3: Save a filter as a default filter for a result pane

     

    A filter is used to display specific recipients that you want to manage. You can save a filter as a default filter for a result pane by accessing the "View" menu and then the "Save Current Filter as Default" context menu of the Recipient Configuration node or its child nodes. Each time you go to the Recipient Configuration node or its child nodes, the default filter is applied to display a specific set of recipients.

     

    This tip also applies to the Server Configuration node and its child nodes (Mailbox, Client Access, Hub Transport and Unified Messaging), whose result panes have filter settings.

     

    Tip#4: Click the "Stop Loading" button to stop the display of recipients

     

    When the result pane is displaying recipients, there is a "Stop Loading" button available on the top-right side of the result pane. You can click it to stop the display of recipients instead of waiting for the load to finish. Press "F5" or click the "Refresh" context menu of the Recipient Configuration node or its child node to restart loading the recipients.

     

     

    Queue Viewer

     

    Queue Viewer contains Queues and Messages tabs and a result pane for each tab with filter settings. The list of queues and messages in Queue Viewer can be very large, depending on the current mail flow. Unlike the display of recipients in the console, queues and messages are displayed in Queue Viewer using multiple pages with each page displaying 1000 queues or messages by default.

     

    Tip#2 and Tip#3 above can be applied to Queue Viewer similarly to speed up the display of queues and messages:

    • Change the number of queues or messages displayed on each page of the Queues and Messages tabs by using the "View" menu, then the "Options" submenu and the "Number of items to display on each page" field.

    • You can create a filter to display the specific set of queues or messages that you want to monitor and save it as the default for the Messages or Queues result pane by using the "View" menu and then the "Save Current Filter as Default" context menu of the result pane.


  • Known issues with User Account Control (UAC)

    Known issues and resolutions

    Problem: Unable to install some ActiveX controls in Internet Explorer

    Resolution: Launch Internet Explorer elevated by clicking the Start button, and then pointing to All Programs. Right-click Internet Explorer and select Run as administrator. Next, perform the ActiveX installation. Exit this instance of Internet Explorer and start a new instance running as a standard user to continue.

    Problem: Non-administrator users cannot create files on the system root drive, for example, C:\

    By default, Windows Vista redirects any writes to protected areas (e.g. C:\ and C:\%systemroot%) to the currently logged-on user's profile.

    Resolution: Create files and folders in the user's profile (under \users\(user) or \users\public).

    OR

    Right-click Command Prompt and select Run as administrator. Create the directory from the elevated command window.

    Problem: Setup detection may not detect all setups

    Resolution: Run the setup.exe elevated. See the section Marking an Application that Requires a Full Administrator Access Token.

    Problem: No elevation prompts from command windows

    Resolution: Launch the program by clicking the Start button and then pointing to Run.

    Problem: Unable to run an .msi file to install an add-in for Visio 2007

    Resolution:

    1. Open the .msi file in an MSI editor. For example, use the Orca MSI Editor that is provided in the Microsoft Windows Software Development Kit (SDK). For more information about the Windows SDK, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/library/aa370834.aspx

    2. Open the .msi file in the MSI editor.

    3. Locate the Custom Action table.

    4. Locate the VisSolPublish_BumpVisioChangeId custom action, and then change the type to 3622.

    5. Save and then close the .msi file.

    Problem: Error message "Hook cannot be created" is received while running .NET Framework 1.1-based applications

    Resolution: Install the hotfix in article 925168.

    Problem: The "Add" and "Remove" commands on the Drivers tab are unavailable on a remote Windows Vista-based print server

    Resolution:

    1. Click Start, type regedit in the Start Search box, and then click regedit in the Programs list. If you are prompted for an administrator password or confirmation, type your password or click Continue.

    2. Expand the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

    3. Click System, right-click LocalAccountTokenFilterPolicy, and then click Modify.

    4. In the Value data box, type 1, and then click OK.

  • Do you want to use MBSA on Vista?

    MBSA version 2.1 will fully support Windows Vista. The first beta version of MBSA 2.1 will be available in the first quarter of 2007. The full release version of MBSA 2.1 will be available in the third quarter of 2007.

    But the current version of MBSA is version 2.0.1, which provides limited support for scanning computers that are running Windows Vista.

     

    We recommend that you install MBSA 2.0.1 on a supported operating system. Then, scan Windows Vista-based computers remotely. MBSA 2.0.1 supports the following Windows operating systems:

    Microsoft Windows Server 2003

    Microsoft Windows XP

    Microsoft Windows 2000

    Vulnerability assessment (VA) scanning of Windows Vista-based computers is not supported. Disable VA scanning when you scan Windows Vista-based computers. If you do not disable VA scanning, MBSA 2.0.1 may return inaccurate results.

     

    To support full Microsoft Update (MU) and Windows Server Update Service (WSUS) scans in Windows Vista, use one of the following methods:

    Use the MBSA GUI

    When you use the MBSA graphical user interface (GUI) to scan for updates, scan only Windows Vista-based computers that are not configured for WSUS. Or, scan by using only the Scan using Microsoft Update only option.

    Use the MBSA command-line tool

    When you use the MBSA command-line tool to scan for updates, scan only Windows Vista-based computers that are not configured for WSUS. Or, use the /catalog switch.

     

    More information available:

    • KB931943

    • Microsoft Baseline Security Analyzer
      http://www.microsoft.com/mbsa

    • How to use the Microsoft Baseline Security Analyzer
      http://msdn2.microsoft.com/en-us/library/aa302360.aspx

    • How to implement patch management
      http://msdn2.microsoft.com/en-us/library/aa302364.aspx

    • To download MBSA, version 2.0.1, visit the following Microsoft Download Center Web site: http://www.microsoft.com/downloads/details.aspx?FamilyId=4B4ABA06-B5F9-4DAD-BE9D-7B51EC2E5AC9&displaylang=en

  • Impact of the Congressional change in 2007 for Daylight Savings Time

    This article contains information that may answer questions from customers regarding upcoming patches / tools needed to correctly handle the changes to Daylight Saving Time (DST) in the US and elsewhere across the world resulting from the Energy Policy Act of 2005.

     

    Starting in the spring of 2007, daylight saving time (DST) start and end dates for the United States will transition to comply with the Energy Policy Act of 2005. DST dates in the United States will start three weeks earlier (2:00 A.M. on the second Sunday in March) and will end one week later (2:00 A.M. on the first Sunday in November). This will impact not just our US customers, but international customers and partners who transact business with companies in the US.

     

    Impacted dates for 2007 (please note: dates may change in future years):

    Previous DST start: 1st Sunday of April (April 1, 2007)
    New DST start:      2nd Sunday of March (March 11, 2007)

    Previous DST end:   Last Sunday of October (October 28, 2007)
    New DST end:        1st Sunday of November (November 4, 2007)

     

    The change in DST will have an impact on many automated and technology reliant products. Individual consumers, small to medium size businesses and large enterprises may be impacted by the new change in time. In many cases, making the necessary changes to accommodate the new DST legislation will be a relatively minor task. Users may need to manually adjust the time on their devices when the change occurs.

     

    Microsoft is producing updates for Microsoft products affected by the new United States daylight saving time transition dates. These updates will be released through a combination of channels including Microsoft Customer Support Services (CSS), hotfixes incorporated in Knowledge Base articles, Windows Update, Microsoft Update, Windows Server Update Services (WSUS), and the Microsoft Download Center.

     

    2 important points:

     

    - This is NOT a fix and it is not something that Microsoft did wrong in the products. This is a change to country laws that Microsoft is taking a proactive position in addressing. It affects everyone in this industry and many others. It’s important that we not act like or communicate that we “broke something” as the wording “fix” implies.

     

    - Public information is constantly being updated and you should keep abreast of the changes. We’ll try to keep everyone updated. We expect customer segment focused content to be available in the coming weeks.

     

    A Windows patch that updates the time zone definitions is currently available for download. The update for pre-Vista systems is obtained via KB 928388 <http://support.microsoft.com/kb/928388/en-us>. These updated time zone definitions will also be included with Windows Vista.

     

     

    Impact to SMS:

     

    None at this time since it primarily relies on the OS for getting time information. The expectation is that this will be the same as any other Daylight Saving Time change. For example, site servers that are not using UTC/GMT for software distribution may see advertisements starting an hour earlier or later (local client time) at the time of the changeover. If any significant issues are discovered they will be communicated appropriately.

     

    SMS and ITMU:

     

    As of 1/31/2007 the DST patch will not be deployable via ITMU. It is of course deployable using normal software distribution.

     

    ==========================

    IMPORTANT: On February 13 (next Patch Tuesday) there will be an update to the DST OS patch, and it will be marked as a Critical Update.

    The plan at this time – subject to change pending final testing – is to release the patch as an Update Rollup at the same time.

    As a result, the patch will be available in the WSUSSCAN/WSUSCN2 cab file, and therefore in ITMU.

    ==========================

     

    ITMU works only with the contents of the wsusscan.cab / wsusscn2.cab file.

    This .CAB file comes from the Microsoft Update team and only contains data on updates matching one of these 3 categories:

    - Security

    - Update Rollup

    - Service Pack

     

    The DST patch does not fall into any of the above categories, and as a result is not in the .CAB file that ITMU will consume. The remaining 2 categories are Critical Update and Update.

     

    This design will not change for SMS 2003, but it has been changed for v4.

    SMSv4 (SCCM) and its integration with WSUS3 would offer the DST updates as critical updates when they are flagged as such.

     

     

    Manual Changes (Windows 2000)

     

    Hardware Inventory Implications:

     

    The vast majority of Windows 2000 customers do not have the necessary Extended Hotfix Support Agreement (EHSA) required to get a patch from Microsoft that they can deploy. As a result they will be pushing out manual changes. KB 914387 <http://support.microsoft.com/Default.aspx?kbid=914387> covers the details of this.

     

    Customers may be pushing out .REG files with SMS or placing them on common file shares and simply advertising the command line (no package source files). For reporting, it is likely they will extend SMS_DEF.MOF to collect the TimeZone registry key. As a result you should be prepared for potential hardware inventory related issues, and make sure you are familiar with extending the .MOF file to include a new registry key. See http://www.microsoft.com/technet/sms/20/sms-regx.mspx

     

    More details for Win2K deployments will almost certainly appear soon on community sites such as myitforum and intelliadmin. Be aware of their contents, but also know that any solutions they offer are likely not supported.

     

     

    Impact to Outlook

     

    Microsoft Office Outlook 2007, the newest version of Outlook, can automatically update a person's calendar to conform to the new daylight saving time rules. For other releases of Outlook, a program will be released in late January 2007 at the Microsoft Download Center that can update calendar items in Microsoft Office Outlook to accommodate the changes in DST during the extended DST period. This program is called the Time Zone Data Update Tool for Microsoft Office Outlook.

     

    For more detailed information of this issue, please refer to the following article.

     

    Outlook: Prepare calendar items for daylight saving time changes in 2007

    http://office.microsoft.com/en-us/outlook/HA102086071033.aspx

     

     

    Impact to Directory Service:

     

    Customers may have concerns regarding hotfix 924840 in a domain-based environment. A common question is whether the Daylight Saving Time change patch will affect Active Directory. Basically, Directory Services rely on the Windows Time Service (W32Time), which is based on the Simple Network Time Protocol (SNTP) as specified in RFC 1769 (now superseded by RFC 2030). SNTP is designed to ensure loose synchronization only, which in the W32Time implementation means the clocks of all Windows 2000/XP/2003 machines in a forest will agree within 20 seconds of one another (or within 2 seconds inside a particular site). W32Time expresses clock times in Coordinated Universal Time (UTC), an atomic time scale previously known as Greenwich Mean Time (GMT).

     

    The daylight saving 2007 patch only updates the time zone information in the registry. Active Directory does not rely on this time zone registry data for its functioning. Therefore, hotfix 924840 has no impact on Domain Controllers.

  • Deploying RMS with SharePoint Server 2007

    RMS 1.0 SP2 added native support for SharePoint Server 2007. For a step-by-step guide about deploying RMS with SharePoint Server 2007, please refer to this document:

     

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7bab2321-71e6-4cf2-8bcd-0880e0d1cda3&DisplayLang=en

  • MBSA 2.0 Users Must Upgrade to 2.0.1 before March 2007

    Because of the file format change of the WSUSScan.cab file, MBSA 2.0.1 has already been available for a while. MBSA 2.0.1 is REQUIRED in order to use the new file format.

     

    In March 2007, the previous version of WSUSScan.cab will no longer be maintained. Users must therefore upgrade to 2.0.1 before March 2007 or new patches will not be detectable.

     

    You can find the new version of WSUSScan.cab, renamed to WSUSScn2.cab, in this KB:

    http://support.microsoft.com/kb/926464.

     

    You can also download the previous version of WSUSScan.cab using this URL:

    http://go.microsoft.com/fwlink/?LinkId=39043.

  • Configuring, validating and monitoring your Exchange 2007 storage

    E-mail is one of the most mission-critical and storage-intensive applications in today's business world. Designing the right storage solution for Exchange Server 2007 is therefore very important to any IT professional.

     

    This blog post covers the following four objectives:

     

    1.       Understand what information you need to correctly design a storage solution for Exchange 2007.

    2.       Apply hardware and technology to these storage designs.

    3.       Validate the storage design.

    4.       Monitor the storage design.

     

    It should help you get the right solution for your organization's needs.

     

    Check out the following link for more details:

    http://msexchangeteam.com/archive/2007/01/15/432199.aspx