Kevin Remde's IT Pro Weblog

  • Buggy Keyboard

    From the “OOOoops!” department..


    This apparently is a new wireless multimedia keyboard.  See if you can spot the problem…


  • Windows Server 2003 Administration Webcast Series Starts WEDNESDAY!

    Led by yours truly…


    And even more importantly – my teammates will be online answering Q&A during these.

  • RSS is cool, but...

    …here’s what I really want:

    Yeah.. I finally understand RSS.  I’ve been having a fun couple of days finding RSS feeds to interesting news sites – and even better, blogs of my coworkers and counterparts around the world. 

    As I was reading through some of the Microsoft Employee blogs (again, because I’ve subscribed to them) I thought… “Hmm.. this is cool because you are notified when something is new.  Kinda like being a part of an email alias.  But… even more like emails generated by a rule from a sharepoint site…”

    Then it hit me:   I want SharePoint to do RSS!  Simple.  Give me a little orange “RSS” link on any / all sharepoint pages I can copy/subscribe to so that I’m notified if something new shows up!  And while we’re at it – let’s just use SharePoint as a home base for our blogs, too.  Why not?!

    Okay.  That’s my wish.  You folks build it for me or let me know where I can get it if it’s already available.



    Thanks to some great feedback, I see that my wish has been granted even before “I thought of it first!”… <sigh>

    Here’s a great summary of solutions on Daniel McPherson’s blog:

    Also a resource that Jim Duncan shared about how Collutions, Inc. does it on a public SharePoint site.


  • Resource Page for Windows Server 2003 Administration Series Webcast (Part 2 of 12)

    Resource Page for

    TechNet Webcast: Windows Server 2003 Administration Series (Part 2 of 12): User Account Management (Level 100)

    Wednesday, February 16, 2005
    1:00–2:00 P.M. Pacific Time, United States and Canada (UTC-8)

    Tune in for a discussion of user account management, including an overview of user objects, the various properties you can assign, and the methods for creating both types of user objects.


    Here are some resources relating to the webcast topic presented.  I hope you find them useful.





    Windows Server 2003 – Common Administrative Tasks:

    Creating User and Group Accounts


    Exchange 2000 Server Resource Kit – Part 2, Ch 5:

    Active Directory Integration and Replication


    User Management Build Guide:

    Chapter 3 – Adding a User Account


    Windows Server 2003 Command-line Reference A-Z



    ..and here is the link to use to register for or view Series Webcast Part 3:


    TechNet Webcast: Windows Server 2003 Administration Series (Part 3 of 12): User Profiles (Level 100)

    Wednesday, February 23, 2005
    1:00–2:00 P.M. Pacific Time, United States and Canada (UTC-8)

  • "Stay where y're at! I'll come where y're to!"

    “Stay where y’re at!  I’ll come where y’re to!”
    (paraphrase of a subject line from Canadian counterpart
    Rick Claus’ blog.)

    “So, Where is Kevin doing live TechNet Events next?”

    This coming week is another travelin’ TechNet Briefings week for me.  I’ll be doing live events in Bloomington and Indianapolis, Indiana!

    March 1 – Bloomington, IN
    Indiana Memorial Union
    900 E. 7th Street
    Bloomington, IN  47405
    Phone: 812-856-6381
    Venue URL: Link to WebSite

    March 3 – Indianapolis, IN
    Theater- AMC Clearwater Crossing 12
    4016 East 82nd St
    Indianapolis, IN  46250-1620
    Phone: 317-595-6230
    Venue URL: Link to WebSite

    Click on the date above to go directly to the registration page.

    This quarter we’re talking all about migration:

    • Migrating your NT 4.0 Directory Services to Active Directory
    • Migrating NT 4.0 LOB (Line of Business) Applications
    • Migrating Exchange 5.5 to Exchange 2003

    You may also want to download a copy of the session resource pages that I’ve compiled.  Here’s the blog entry that contains that link.

    Stop by and learn some cool stuff!  Win some prizes!  We also have some of the best giveaways and prize drawings we’ve had in a LONG time.  (Hey.. we’re giving away a copy of an MS Learning book – Windows 2003 Active Directory Technical Reference – to all attendees!)  Or just stop by to say ‘hi’.

    See you there! 


    PS – If you have any questions about the content, feel free to click the feedback link below and ask.

  • Windows Server 2003 Administration Webcast Series (Part 2) Q&A

    I screwed up and deleted the original Part 2 Q&A document when uploading the Part 3 Q&A over the top of it in my blog.  That will teach me not to retrieve old articles and expect that saving them with changes will cause a new one to be created.  <sigh>

    Anyway – here is now the Q&A again from Part 2 of our webcast Series.

    Thanks again to my teammates for doing such a great job helping to answer questions!  I give them the credit for the information in this document.  Outstanding!

    Also, I want to make sure you also have the link to the Session Resources I posted for Part 2.

    Series Part 2 Webcast Q&A

    “Where do I find the homework again?”

    I’ve posted the homework on my blog.  Here is the homework for Part 2.

    “I wasn't here for last week, is it available to view later?”

    You can go to and view last week's webcast in the on-demand section (bottom of the page). You can register for last week's on-demand webcast and you will be sent an email with links to download the WMV and the PPT file. Thanks and enjoy!

    “Do I need a computer to watch this WebCast?”


    “Is there a particular time to log in?  How early are we allowed to log in to the webcast?”

    You can log in from 1/2 hour before the webcast starts, throughout the time of the webcast.

    “Are local users on Windows XP assigned to the power users group by default?”

    No, you need to assign them to the group.

    “When you demo you have 3 Virtual PCs running. I would like to duplicate this and load an ISO file for Exchange, Win2003 and XP. I think this is the three you are running. Where can I get the ISO files ?”

    Think of each Virtual machine as if it were a physical node on your network. You need a licensed copy of the installation CD for each of the OS's and Application servers you want to use and you need to install each of them to create the VM's. These are not available for public consumption.

    “Are there any issues with removing the domain admins from the local administrators group for a workstation in the domain?”

    No – unless you consider now that you may be removing necessary administrative access for your administrators.

    “What's the difference between a group and ou?”

    A group is for assigning permissions.  Group memberships help make it easier to grant rights of access to resources to users and computers.  OUs (Organizational Units) are for grouping objects within an Active Directory domain, and are mainly beneficial for assigning Group Policies to the objects within an OU, or delegating administrative authority over those objects within the OU.

    “In SBS 2003, local users are automatically added to the Local Admin account. Is this a good idea? Should the users always be a member of the local administrators?”

    No, users should not be members of the administrators group unless there is a pressing need. 

    “If I am using Password never expires and I want to change that for all users in my domain, can I change that option for all users at one time or do I have to change it one by one?”

    Select all the users and make the change.  Or better yet, use Group Policy at the domain level to not have expiring password.  But… it’s really a good idea to have passwords expire.  It has big benefits relating to security.

    “Have seen from time to time that the computer when added to the domain, does not appear in the Computers container. Why is that?”

    It’s just an occasional thing?  I’m not sure why that is, unless there are DNS or other issues with how certain computers are not able to see a DC, or perhaps replication isn’t happening the way it should. 

    “Can you leverage any other products besides Exchange for user creation/integration? Or is it because AD and Exchange are both loosely coupled under LDAP to allow for this? Reason I ask was for something like say SharePoint. Thanks”

    Most of our products can use AD for permissions. Account creation is typically a separate process.

    “When you do not select ‘Password never expires’, how long/often does it force a password change from the user?”

    By default, never.  You need to configure the maximum password age setting in Group Policy at the domain level: Computer Configuration ==> Windows Settings ==> Security Settings ==> Account Policies ==> Password Policies

    “Does this Exchange mailbox option appear only on the Exchange server or on all servers?”

    On all Domain Controllers in a domain in which Exchange has been installed or connected to an Exchange 5.5 organization via the ADC. 

    “Can additional fields be added to the user properties pages in Active Directory Users and Computers, such as a field bound to the employeeID attribute?”

    Yes, almost all objects are extensible.

    “How/where can we get Windows Admin Tools?”

    They are on the CDROM, resource kits, etc.

    “Is there a place to find out what rights are assigned with each standard user groups (ie Remote Desktop).”

    “At what number of users AD is a good solution for management?”

    It's not really just a matter of number of users. Number of computers, file servers, assigning permissions to resources like a file share all come into play when deciding to move from a peer to a domain model. 

    “Is there a way on an xp desktop to have the exchange options like you do on the exchange server”

    Yes, you can install the adminpak.msi from the Windows server CD to get the AD management tools and you can install the Exchange management tools on your XP machine as well, so that you can manage AD and Exchange from your workstation rather than from the server. see and related links

    “When accounts expire, are they deleted or disabled?”


    “What time of the day do accounts expire on the day that you put in for the expiration?”

    12 am midnight on the date specified

    “Can the Log On To feature be assigned to an OU or Group?”


    “What is an admin share?”

    It’s a hidden share: any share whose name ends in a “$” to hide it.  Example: ADMIN$ is actually c:\winnt shared out for administrators to have access to.

    “Is there an add-in to show you last login or the users sid in the ADUC?”

    I am unaware of one.

    “Can you use the Remote Control tab settings without selecting ‘Require users permission’ for an Administrator to view a users desktop without their knowledge?”

    Unfortunately not.

    “Is there a way to ‘dump’ (in an ‘offline’ readable format) all non-default settings in ADUC?”

    Yes, you can use the resultant set of policy tools to build reports.

    “The exchange server comes within the win2000 server operating system?”

    It integrates with it, AD is the Directory service for Exchange, but Exchange is a separate application that needs to be purchased and licensed separately.

    “Are these exchange tabs available with win 2000 server also?”


    “What is the password for an Admin share?”

    Shares don't have passwords; they have permission lists (Access Control Lists). If your account is on the list you get in; if not, you don't.

    “Does adminpak.msi include exchange properties? how do you enable these?”

    By installing the schema for Exchange into active directory via the Exchange forest and domain prep process.

    “How much account specific information about the user is available to other in the domain? Can the amount of information about a user be limited to others in the domain should they search Active Directory?”

    Use ADSIEdit to check. You can modify what is replicated.  Be careful with the tool.

    “How can you disable ‘Outlook Web Access’ by default?”

    You could create your users with a template that has this disabled.  Or better still, you can manage it through the properties on the Exchange Server directly.

    “Can the user have a different logon name from the e-mail account name”


    “Are the Exchange features general attributes or can you add to the listings?”

    When Exchange is installed there are a default set of Exchange attributes that can be managed from the ADUC, however, the AD Schema is extensible, so you can create your own custom attributes and replicate them throughout AD see and related links

    “If you disable a user account, will it still accept email to the account in Exchange?”


    “What does dsmod stand for? thanks”

    DSMOD is a utility to modify an existing object of a specific type in the directory.  DS=Directory Services, MOD=Modify

    “How do you use the user template to copy to make many users?”

    Create the template with the fields populated with your generic data (the account should remain disabled) then in the ADUC right click and say copy.

    “Is there a way to export user information into a tab formatted file like Kevin is showing?”

    Absolutely. See CSVDE and LDIFDE  as tools to allow you to do this..

    “In creating a group container, is there a area where you can put the name of the owner on the display?”

    The answer is yes. It is a property for the group although it isn't commonly exposed in our tools UI.

    “After migrating from exchange 5.5 to 2003 I can't seem to find where to make changes to the ‘assistant’ field?”

    That may have been folded into the Direct reports field on the organization tab

    “Is there a way to see all the Q&A later?”

    Yep.  You’re looking at it! :-)

    “What tool that we use to rename user account in AD and Exch?”

    Just right click the account in the Active Directory Users and Computers console

    “With command line, if you have permission rights to only a part of the AD tree, will the command line be intuitive enough to add to your privilege level or is it an all or nothing meaning you must have enterprise level access?”


    “Is cn short for common name?”


    “Isn't there going to be a problem in AD for Exchange with the capitalized OU object in that command line?”


    “Has mail delivery changed in 2003? because in 2000 mail sent to a disabled user is refused and generates an NDR to the sender”

    Hmmm. You may be correct but I thought it still delivered the mail in the event the account with assigned permissions needs to be changed.

    “Can you find out through AD what computer(s) the user is logged on to?”

    No, but you can enable an audit policy on the DCs that records authentication requests in the Security log of the event viewer.

    “Where can I find a list of all these commands that are being used to query and add accounts from the command line?”

    A lot of the commands are in the Help area of Windows Server 2003 (under the start button). Many are also in the deployment and operation guides.

    “Are these commands only for win2003?”

    Some are new, yes.

    “Why would an Administrator use the command prompt to add users with the dsadd command? Multiple Adds? Faster than ADCU?”

    For some people it's faster, for people who write their own scripts, also, if you're just deploying AD and you're testing, it's easy to create the scripts as you go and then just run them when you're ready to deploy as I did in the demo.

    “Will these commands {line} be able to be used from a remote machine or only on a DC?”

    You can do these remotely also.

    “Can I create two folders in AD Users & Computers under my domain to separate my groups & users or do I have to create two OU's?”

    The folder IS an OU

    “Is there a way of forcing the address book in each users outlook to refresh?”

    Yes, there are Outlook 2003 registry settings that control automatic or manual download and update of the OAB. I don't recall how many of them are exposed via group policy but I know there are reg settings you can implement.

    “This might be coming, but is there a way to randomly generate an initial password for all of the users at once?”

    DSadd includes a command line switch to set a password, but not to randomly generate one.
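
One way to fill the gap this answer describes, as an added PowerShell example (not code from the webcast or from Microsoft): generate a cryptographically random initial password per account and build the matching `dsadd user` command using its `-pwd` switch. The user DNs, account names and helper function names below are constructed for illustration.

```powershell
# Added example. Get-UniformIndex, New-RandomPassword and New-DsaddCommand are
# hypothetical helper names; the DNs and account names are constructed samples.

function Get-UniformIndex {
    # Returns a uniform integer in [0, Max) from the system CSPRNG.
    # Rejection sampling avoids the modulo bias of a plain "byte % Max".
    param($Rng, [int]$Max)
    if ($Max -lt 1 -or $Max -gt 256) { throw 'Max must be between 1 and 256.' }
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $b[0] % $Max
}

function New-RandomPassword {
    param([int]$Length = 16)
    if ($Length -lt 4 -or $Length -gt 128) { throw 'Length must be between 4 and 128.' }

    # One entry per character class so the result meets complexity rules.
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',   # upper case, without the look-alikes I and O
        'abcdefghijkmnopqrstuvwxyz',  # lower case, without l
        '23456789',                   # digits, without 0 and 1
        '#+=?@_'                      # symbols that need no escaping inside cmd.exe double quotes
    )
    $all = -join $classes

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = @()
        # Guarantee at least one character from every class.
        foreach ($c in $classes) {
            $chars += $c[(Get-UniformIndex -Rng $rng -Max $c.Length)]
        }
        # Fill the rest from the combined alphabet.
        while ($chars.Count -lt $Length) {
            $chars += $all[(Get-UniformIndex -Rng $rng -Max $all.Length)]
        }
        # Fisher-Yates shuffle so the guaranteed characters are not always first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UniformIndex -Rng $rng -Max ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally {
        $rng.Dispose()
    }
}

function New-DsaddCommand {
    # Builds (does not run) a dsadd command line with a fresh password.
    # -mustchpwd yes forces the user to replace the initial password at first logon.
    param([string]$UserDN, [string]$SamId)
    $pw = New-RandomPassword
    [pscustomobject]@{
        UserDN   = $UserDN
        Password = $pw
        Command  = 'dsadd user "{0}" -samid {1} -pwd "{2}" -mustchpwd yes' -f $UserDN, $SamId, $pw
    }
}

# Constructed sample input: two users in a made-up domain.
$users = @(
    @{ DN = 'CN=Sample User1,OU=Staff,DC=example,DC=test'; Sam = 'suser1' },
    @{ DN = 'CN=Sample User2,OU=Staff,DC=example,DC=test'; Sam = 'suser2' }
)

# The output contains clear-text passwords: keep it off shared disks and
# hand each password to its user over a separate channel.
$users | ForEach-Object { New-DsaddCommand -UserDN $_.DN -SamId $_.Sam }
```

A password passed with `-pwd` is visible on the command line while the command runs, so run the generated commands from an administrative workstation rather than a shared server session.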

    “Can you please repeat the Blog Address?” - but you knew that.

    “Can the whole presentation be saved or just the PP?”

    In 72 hours you will be able to register for this webcast and will be sent an email with links to download the PPT and WMV files.

    “If you are a local admin on Windows server 2003 and Windows 2000 Server - Can you use those commands on those servers?”

    Not on 2000, only 2003

    “Not really a question: You did great today, guys! Bravo!”

    Thanks much!

    “Once a computer has been added to a domain, should the local Administrator account be disabled?”

    No, but you may want to change its name.  And you should definitely assign it a strong password.

    “I'm sorry if this was asked, but where do we find homework?”

    I’m posting all of the homework assignments to my blog.  Here is where you’ll find the homework for this week (week #2).

    “Which username will the variable %username% return? The full username or the pre-windows 2000 username?”

    Pre-windows 2000 username

    “Are you sure DSADD isn’t in Windows 2000?”

    My esteemed colleague, Keith Combs, pointed out that indeed DSADD and DSMOD were supported in Windows 2000 – perhaps as part of the Resource Kit.  See

    “Will you cover changes in scripting for user profiles in 2003 next week?”

    No scripting for profiles.  We talk about User Profiles in great detail – what they are and what they are for, and the different types of Profiles and their implications.

    You can see the series and topics covered at

    “Our users' home drives are named with their usernames. Is there a way to record this in a template account? IE..\\server\%username%”

    Yes... That will work there also.

    “I use the command line mail tool Blat in some batch files. It requires a user name/password so it can authenticate to send email. Obviously, being in a batch file, the password is plain text. What's the best way of having a user account that no one can take advantage of?”

    Encrypt the file, or create a folder and enable encryption on that folder.  Put all such sensitive files in the encrypted folder.

    “Can these commands be used on Windows Small Business Server 2003?”


    “Does the Remote Control option under user properties affect the computer RC setting?”

    You can override it on the computer side. That wins over the user settings, I believe.

    “hahahaha! ROFL. That picture was soo funny! Kind of looks like Rob Westover! :-)”

    This one?...

     Donald Trumps Dog

    Glad you liked it! (And I’m sure Rob will be glad, too!)


  • Resource Page for Windows Server 2003 Administration Series Webcast (Part 3 of 12)

    Resource Page for:

    TechNet Webcast: Windows Server 2003 Administration Series (Part 3 of 12): User Profiles (Level 100)

    Wednesday, February 23, 2005
    1:00–2:00 P.M. Pacific Time, United States and Canada (UTC-8)

    Here are some resources relating to the webcast topic presented.  I hope you find them useful.





    Webcast Series Part 2


    User profiles overview


    Description of HKEY_CURRENT_USER Registry Subkeys


    Change and Configuration Management Deployment Guide –

    Chapter 6 – Managing User and Data Settings



    ..and here is the link to use to register for or view Series Webcast Part 4:

    TechNet Webcast: Windows Server 2003 Administration Series (Part 4 of 12): Group Management (Level 100)

    Wednesday, March 2, 2005
    1:00–2:00 P.M. Pacific Time, United States and Canada (UTC-8)


  • Systems Management Server 2003 Troubleshooting Flowcharts

    As a followup to the SMS question I answered, I thought anyone using SMS might find this download useful.   Here’s the text from the overview:

    “This bundle of flowcharts helps you to troubleshoot Systems Management Server 2003 during the course of your day-to-day tasks. “

    “This SMS 2003 troubleshooting content is essential reference material for SMS administrators that will help them address problems that are easy to resolve.”

  • Webcast Series HOMEWORK - Week 3

    Homework Assignment #3


    • Go to my blog , click on the category “TechNet Webcasts”, and view the “Resource Page” for part 3 of 12 of this series.  I’ve included several links relating to this topic, so take a look through those resources.  I really want this to be the vehicle we use to share information and open up discussions.
    • I am also posting the homework here now (duh!) as well as a Q&A “best of” summary from each week’s webcast.

    2.  Windows Server 2003 Virtual Lab: Group Policy

    Since we’ve been talking a lot about Group Policy, I thought you might like to learn more about it to help you keep up with some of what we’re discussing.

    • On that Virtual Lab homepage, click on the Windows Server 2003 section.
    • Then click on the “Step into the Windows Server 2003 Virtual Lab for Free”
    • It might take a minute for this page to come up, depending on how busy the demoservers are.  (You will have better luck getting onto these in the early morning or late evening, US-time.) 
    • Follow the signup/logon instructions, and choose the “Introduction to Group Policy” lab.

    Another learning option for you is to watch a previously recorded webcast or two on Group Policy.  In fact, we have a level 300 set of webcasts in 2 parts that cover Group Policy in excruciating detail. 

    (Note: Part 2 was just recorded today, Feb 23, so the recording may not be available until Friday, 2/25.)


  • Download the TechNet Webcast Calendar!

    This is cool!

    Click this link to download the TechNet Webcast Calendar for February!  It’s a Microsoft Word document that is just loaded with links to great resources and the launch pages for all of the scheduled TechNet Webcasts.  Outstanding!


  • Windows Server 2003 Administration Webcast Series (Part 1) Q&A

    Hi folks! 

    Here is where I’m going to attempt to share many of your questions from part 1 of our webcast series, along with answers.  And hopefully the right ones. 

    I’m also adding many of the questions and answers from the webcast Q&A. 
    Thanks again to Bryan Von Axelson and Kelley DuBois for helping to answer questions!

    And finally, here is the link to the Session Resources I posted for Part 1.  Expect to see resources for Part 2 very soon!

    “Does remote assistance work with AOL dialup?”

    It will work over a slow link, although certainly not as quick as broadband or LAN speeds.  Whether or not AOL or whatever provider you are using will allow the required TCP port 3389 over their connection should also be considered.

    “Can I use your postal address for registering and then if I win the Portable Media Centre, you could post it to me here in New Zealand ;-)

    Great seminar btw.”

    Can’t do it.  I’d be too tempted to keep it.  Sorry Kiwi.    Thanks!

    “Where’s a good ‘Troubleshooting Remote Desktop’ document?”

    How about one called “Troubleshooting Remote Desktop”.

    “Are all the sessions in this series 100-level? Bit too simple for me today.”

    I’m glad you asked that (several of you did, in fact).  Yes, we’re starting out with the basics, but we will be moving into more complexity as we progress.  My sincere hope is that even though the first few are “simple” for some of you, you’ll still find one or two gems in there.

    Think of it like reading through a technical reference.  If you have some experience in the topic, you might have to read through a few boring chapters of what you mostly already know to be sure you’re not missing something that you don’t.  

    “How do I find out about topics in future webcasts?”

    We have the series completely mapped out with descriptions and links to the registration pages at the series home page

    “If you save [an mmc console] in user mode and can then open by right-clicking in author mode, what keeps the user from doing the same?”

    Great question.  One of my Q&A helpers found the link to a page describing how to restrict access to author mode in the MMC.

    “I disagree with his statement about the local and remote focus. I just create two snap-ins on one MMC, both for Computer Management, and pointed one at Local and one at a remote server. Can he please clarify?”

    Ah yes… this had to do with the pop-quiz question that asked: “Can a snap-in have focus on both the local computer and a remote computer simultaneously?”

    The answer given was “no”, mainly because it is somewhat of a trick question.  Yes, you can have multiple snapins of the same type pointing to different computers.  But no ONE snap-in can focus on two different computers at the same time.

    The content team has discussed changing the wording of that question so that it won’t be so misleading.  Something like, “Can a single instance of a snap-in focus on both the local computer and a remote computer simultaneously?” would be better.

    “What port number would the mmc need open?”

    For remote administration, the ports that are required are TCP 135 and 445.  A good way to make sure these are available through the Windows Firewall would be to use Group Policy and under the Computer Configuration – Administrative Templates – Network – Network Connections – Windows Firewall – Domain Profile you enable the “Allow remote administration exception” policy. 

    Also – here’s a great resource for MMC information: MMC Reference

    “If [a group policy] option is set to 'not configured', is it the same as being turned off?”

    No - If it is not configured then no setting is in the registry.pol file.  If it’s disabled there is a setting in the Registry.pol file but set to disabled.  So… “not configured” basically means “don’t change from the default” – whatever the particular policy might be.

    “Does MMC login as a service when being used remotely or is it tied to your domain creds?”

    If, for example, you connect the Computer Manager to a remote machine, it will use the credentials of the context it is running in. You can use "Run as" to run as different credentials.

    “Remote Desktop sounds great. But is the port configurable?”

    Here is a KB article on “How to change the listening port for Remote Desktop”.

    “Does my machine need to be on or attached to the domain to add snap in for remote servers?”

    No, but you will need credentials that work on that remote machine to perform any operations.

    “Can you run remote desktop from XP pro?”

    To enable your computer to accept remote connections, your computer must be running Windows NT4 Terminal Server Edition, Windows 2000 Server, Windows XP Professional, or a Windows Server 2003 operating system.

    “Is it possible to connect to a Windows 2000 Pro workstation from a 2003 server to take control of the 2000 desktop?”

    No, the Terminal Service feature wasn't introduced into the desktop OS until XP.

    “Will [remote assistance] invitations be sent with other e-mail programs? ie OE or Netscape?”

    Yes.  When you choose MAPI, it will use whatever you have set up as your default email application.

    “What is the difference in setting up a Terminal Service for sharing and a VPN connection? Where can I get information on setting up a VPN ? How do you Open and Close Ports ?”

    This is a big question. First, Terminal Services are services that allow one machine to simulate and run applications in a "user context" instead of having a physical PC.  A VPN is what provides secure connectivity over a public network for private networks. VPNs are covered heavily on Just put VPN into the search box and you'll get a wave of articles and how-to's back.

    “Where do you find Help and Support Center?”

    Click the Start button.  You should see “Help and Support” available.  Click it.

    “What happens if the user requesting assistance is behind a NAT router?”

    It should still work.  Check out this portion of the “Step-by-Step Guide to Remote Assistance”:
    Administering Remote Assistance in Corporate Environments

    “Can the RDP file be launched by anyone regardless of their access rights?”

    With Remote Desktop Connection, you can easily connect to a terminal server or to any computer running Remote Desktop.  All you need is network access and permissions to connect to the other computer.

    “What if the user is using a VPN, can this still work?”

    You should not have any issues.  During a VPN connection they are essentially just another computer on the local network – provided that this is how your network security and engineering folks have set things up.  

    “Can Remote Desktop be run from WinXP desktop to WinXP desktop, or does a server have to be involved?”

    In addition to Windows Server 2003 family operating systems, this feature can be used with Windows 2000 Server. The Remote Desktop feature must be enabled on the remote computer.

    “Can I use Remote Assistance across the Internet, not over the LAN?”

    Yes  (find some security related link about how you may want to secure it further to allow this.)

    “Can you limit remote desktop and remote assistance connections to within a local IP address range?”

    Yes you can!  You can either use Group Policy or local settings of the Windows Firewall for the Remote Assistance Exception.  Properties of an exception in the Windows Firewall include the ability to specify that you want to allow it only from the local subnet.

    “Making a Remote Desktop connection from an XP Pro Box to an XP Pro box, is there only one connection allowed? When I make a connection, it logs off the current user on the remote machine.”

    Yes.  Remote desktop to an XP machine essentially takes over the ONE login that is allowed to be running at a time. 

    “How can I print the slides from this presentation? Can I print slides before a presentation (next time)? How long before?”

    You can connect to the live event as early as 1/2 hour before the start time.  During that time, or anytime during the presentation, you can go to the File menu and “Print to PDF” to get a copy of the slides.

    “Will there be followup chats on Thursdays?”

    We haven’t yet scheduled them, but I’m hoping we can have chats set up and do them every two or three weeks during this series – probably on Fridays.

    “What is Kevin’s blog address again?” – but you knew that already.

    “How can you limit who can provide Remote Assistance? We don't want people going outside the organization for assistance.”

    You can set Group Policy to permit or prohibit users from requesting help using Remote Assistance. You can also determine whether users can allow someone to remotely control their computer, or just view it. In addition, you can set Group Policy to permit or prohibit a remote assistant from offering Remote Assistance to the local computer.

    “Can you initiate a Remote Assistance session within a Remote Desktop session?”

    Yes, you can.  And you can launch a Remote Desktop session within a Remote Desktop session, too.  (I’ve done it.) 
    However.. Please Please be careful.  You might accidentally discover time travel. 

    “How can I limit the time of connections with remote desktop?”

    Terminal Services configuration on the remote machine.

    “Will the Remote Desktop and Remote Assistance features exist in future Windows workstation and server operating systems?”

    Unknown at this time.  But I am sure there will be something similar if not the same.

    “How can you add/connect to (2) different AD Users and Computers to your Console and have rights to both? Currently, the only way is via a "Runas" via a desktop shortcut.”

    If you're managing what the ADUC sees from the context of two separate servers, it's simply that you are running the MMC with rights (run as or directly) to manage those. If you've used runas to launch MMC and you only have minimal rights to the domain or server you're connecting to in the snap-in, then yes, you'll be limited. I hope that answers your question.

    “What's the difference between Citrix application sharing and Terminal Services application sharing?”

     Citrix is actually based on the built-in terminal services in Windows Server. It adds functionality to the services that are already there as the foundation.

    “Can I get a copy of that picture?....That ruled!”

    <heh> This one?


    There you go!


  • "Why isn't Kevin posting my feedback or answering my question?"

    Hi folks!

    To those of you who attended my live TechNet Briefings this week, and the hundreds who attended the first of our 12 part webcast series: THANK YOU! 

    I am excited about using this blog as a way to keep the communication lines open, and am looking forward to posting answers to the many questions that you’ve had – or just chatting about IT Pro related issues.

    I feel bad, though, that I can’t address all of your questions immediately.  I am thrilled that so many of you have contacted me, and I would so much like to have all the answers the next day – and some weeks I will be able to do that.  But this week I’m still on the road doing yet another event (today I’m in Tacoma, WA) and my promised posts of answers will have to wait until Friday or perhaps sometime this weekend.

    Please check back in a day or two.  And have a great weekend!


  • Webcast Series HOMEWORK - Week 2

    Homework Assignment #2


    • Go to my blog, click on the category “TechNet Webcasts”, and view the “Resource Page” for part 2 of 12 of this series.  I’ve included several links relating to this topic, so take a look through those resources.  I really want this to be the vehicle we use to share information and open up discussions.
    • I am also posting the homework here now (duh!) as well as a Q&A “best of” summary from each week’s webcast.

    2.  Windows Server 2003 Virtual Lab: Active Directory Scripting

    • On that Virtual Lab homepage, click on the Windows Server 2003 section.
    • Then click on the “Step into the Windows Server 2003 Virtual Lab for Free”
    • It might take a minute for this page to come up, depending on how busy the demo servers are.  (You will have better luck getting onto these in the early morning or late evening, US-time.) 
    • Follow the signup/logon instructions, and choose the “Active Directory Scripting” lab.
  • MBSA 2.0 Beta is now OPEN

    Announcing MBSA 2.0 Beta
    MBSA 2.0 is the next version of the Microsoft Baseline Security Analyzer, which utilizes the Windows Update Services infrastructure for security update scanning.  Please help us improve the quality of this release.  We are currently accepting nominations into the MBSA 2.0 beta program.  To nominate yourself for the beta, visit, sign in to the system using your Passport ID and a guest ID of "MBSA20" and complete the survey.

  • Windows Server 2003 Administration Webcast Series (Part 3) Q&A

    Good day/morning/evening!

    Well… I was quite pumped up after our series part 3 webcast today… so much so that I dove right in to the Q&A log and created this list for you!

    Thanks again to my teammates for doing such a great job helping to answer questions!  I give them the credit for the information in this document.  Outstanding!

    Also, I want to make sure you have the link to the Session Resources I posted for Part 3

    Series Part 3 Webcast Q&A

    “Where do I find the homework again?”

    The homework for Part 3 is available HERE.

    “Do you know if the new edition of the MS Press book 70-270 exam prep is available yet? I believe the scheduled release date is Feb-2005.”

    I have it published 02/09/2005 -

    “Where can I check out the rest of this Windows Server 2003 series?”

    “Is this series going to be on the technet Plus cd's”

    Not that I am aware of; however, what a great idea, we will submit it!

    “what is the timeline for windows 2005? or will the upgrade be called something else?”

    We are about to release SP1 for Server 2003 - There will be an in-between release of Server 2003 and Longhorn Code Named R2 - Check out a chat on R2 -

    “Could you repeat the address and directions for getting the materials for this series again at some point in the presentation?”

    Go back to the event page for this event 72 hours after the event and follow the directions there:

    “Do you have same type of webcast on VB, C# and C++ .net? If so where can I find”

    Those would be presented by our counterparts on MSDN - Here is a link to some MSDN webcasts, I am not aware of a specific series going on right now -

    “Are you going to show the difference with user profiles on a 2003 Terminal Server?”

    I don't believe he's doing Terminal Service profiles today

    “Can users using roaming profiles on winXP and win2000 machines in the same domain?”


     “Just curious.. What does the H in HKEY stand for?”

    H stands for Hive.

    “Are there any virus or other threats that target NTuser.dat?”

    Yes, there have been viruses that have attacked this file.

    “At times my users get the error .tmp.tmp.tmp.tmp right after they had logged into a win2k machine.”

    I don't see a specific .tmp.tmp.tmp error.  However I did find a few .tmp errors with Profiles -;en-us;328607

    Also look at this search –

    “Where is system tray information stored? I've noticed that for users with redirected MyDocuments their Quick Launch contents can change.”

    System tray info can come from the taskbar and start menu settings or from an individual app which desires to be displayed in the System tray. The following article provides some interesting info about system tray settings.;en-us;310429

    “I lose the desktop bitmap in roaming profiles.  What am I doing wrong? ”

    You need to ensure to include the graphic that can be accessed irregardless of which machine you login from. As an example, this can be a home share located on a server.

    “[pet peeve] no such word irregardless, the words are regardless and irrespective, irregardless is a double-negative[/pet peeve]”

    Ooops.  <*whack*>  Sorry…

    “Are roaming profiles officially supported by Microsoft?  Are there any compatibility issues changing back and forth between different flavors of desktops (XP, W2K)?”

    Yes they are, and this article highlights some of the differences in profiles:;en-us;269378

    “How does an installation decide what user to put the application information under? I have noticed that it can install under all users, default users or my user name but don't know what drives where it puts the information.”

    It will depend on how the installation program is written.  Hopefully it will adhere to guidelines set out by Microsoft as part of the Logo Certification requirements, but it’s really up to them.

    “Is there a "viewer" to see the contents of an NTUSER.DAT file?”

    There is a viewer of sorts, regedit. I have not tried this on recent versions of Windows; something to test.  Check out this older article for assistance.;en-us;146050

    “Please answer more fully --> How does an installation decide what user to put the application information under? I have noticed that it can install under all users, default users or my user name but don't know what drives where it puts the information.”

    Different software vendors can write their installation programs as they want. I have seen installation programs that ask who to put it under, that ask if only logged in user or all users, some that don't ask.  It is going to depend on the installation that has been written by the software vendor.  What drives it is how it is written and what calls it makes to the system as it installs.

    “Can you view/hide hidden folders based on their user access or specific policy?”

    Not really, but you can create DFS trees, which is a folder hierarchy of shared resources that displays as a single tree regardless of the server those resources are housed on. So your users browse that tree rather than the network. I can place only those shared resources I want the users to access in the tree and that is all they see. See

    “We recently used the Microsoft User Migration Tool (USMT) to migrate profiles to a new machine. Will USMT work when moving profiles from Win2000Pro to XP?”

    Microsoft® Windows® User State Migration Tool (USMT) version 2.6 migrates user files and settings during deployments of Windows 2000 or Microsoft Windows XP. USMT 2.6 provides enterprise migration capabilities such as unattended migration, multi-user profile support and compression. USMT 2.6 is intended for administrators who are performing automated deployments.

    “Is the [profile] copy procedure similar on XP home edition?”


    “It is worth to mention to delete temp /inet temp folder item before copying a profile. Big time saver.”


    “Can I copy a profile from XP to NT, and vice-versa?”

    Check out USMT -

    “I am taking users from one domain to another. Can I copy a profile just like that which was just shown from one domain to another?”

    Yes, see;en-us;242067

    “How often should we do clean up of old local profiles?”

    There are no real guidelines as to how often you should clean these up. If there have been quite a few users who logged into a given machine and stored large amounts of data in their profile, I would definitely clean it up to clear up space.

    “In Windows Server 2003, read only attributes keep turning on. When a domain user is logged in and try to access a specific file, it says it is read only and cannot be changed. The group is listed with R/W/C rights. When I right click the file and uncheck the read only box, then hit ok, if I go back to view the file props again, it's back to read-only again. What gives?”

    Has the Creator/Owner of those files set the File attribute to read only?

    “What is the definition of a ‘slow’ link?”

    By default less than 128 kbps.

    “Do you have to log into the new machine once with the user name prior to copying a profile?”

    If copying a user profile on the local machine, yes. If you are using roaming profiles, then no since the roaming profile would be copied to a server location.

    “Can you transfer profiles from a Win2000 to a WinXP PC without problems?”

    This should work without any issue; I have not seen any issues on that transfer. Something to test to verify for your environment.

    “What happens to the profile if both pc's don't have the same programs installed?”

    Nothing happens to the profile. The programs that are not installed on the other machine will not function.

    “Can using a roaming profile from computers running Win2003 and others running WinXP cause problems?”

    As a standard computer answer: It depends.  :)  Please see the following best practices; note the caution halfway down the page -

    “Is it possible to have on the same Domain users who use local profiles and user use roaming profiles?”

    Absolutely.  Roaming profiles are configured as an attribute of the user object in Active Directory, if no roaming profile is configured the user uses local profiles only.

    “So if I set up a new computer to replace an older one. I need to have the user log into the new one once and then back off prior to copying their profile from the old to the new?”

    Yes.  This will set up the registry on the new computer so that the system knows that there is a profile for that user.  You then copy the user’s profile right over the top of the newly created default one.

    “How does Windows know, that there is a "slow" link existing?  Does it have anything to do with sites in the domain environment?”

    Good Question. It does have something to do with sites. Windows uses a connection algorithm to determine whether a link is ‘slow’.

    “Is Kevin going to talk about offline folders with respect to roaming profiles?”

    I did mention it briefly towards the end, really as a good solution for large quantities of data having to be written or synchronized during logon and logoff.  And also as a solution for giving some flexibility to those users who may be using mandatory profiles.

    “Will using roaming profiles on a Terminal Server cause unusual problems not normally seen with using it on a standard OS?”

    Users that connect to the Terminal Server can use their Roaming Profile but there are issues around Terminal server Disk Space and other considerations.  See

    “We are having a problem where on Windows 2000 and XP when a person logs off then logs back on, they are missing things on their desktop or things they have previously deleted are back?”

    Sounds like you may have Mandatory profiles set up so that any changes are discarded - kind of a read-only profile.  Or perhaps you are using roaming profiles and those users are running multiple machines at a time.

    “I modified the GPO to disable the screen saver password protection on my W2K3 servers but some of the servers haven't made the change. Is there something else that I need to do?”

    Verify the computer accounts are in the proper scope of management of the GPO and are members of the domain.

    “Is there a setting you enable to determine whether the profile is roaming or not?”

    In an AD environment, if you specify a path in the user properties for a roaming profile, then they have a roaming profile. If you go to System Properties, Advanced, User Profile Settings, you can see whether you are using a Local or Roaming Profile.

    Recommendations for Roaming Profiles:

    “What NTFS permissions do users need to access their Roaming Profile folder?”

    Check out the following -

    “What happens when a user with a roaming profile logs onto two different machines at the same time?”

    The profile is copied to each of the machines.  A better question though would be, “What happens to the profile when the user logs off these two machines?”  It all depends on which profile is saved off last.  You may be overwriting changes from one machine that you made on the other machine.

    “Can I explicitly deny the right to log on with local profiles, and to the local computer, in a domain environment with GPOs?”

    You can set the GPO for the deny log-on-locally user right at the domain level; this will restrict a user's ability to log on to a computer completely.

    “If a user has logged on to several desktops BEFORE roaming profiles are enabled, how are the profiles handled once the user's AD entry is updated to specify roaming profiles? Are the various profiles merged as the user logs on / off to each desktop or does one desktop take precedence?”

    Assuming he is not logged in at the time the AD entry was modified, the next time he logs into one of the desktops the entry will be "seen" and upon logoff, that particular profile will become his roaming profile. If the administrator had also created a roaming profile for this user, then they would receive that profile upon login, and in that case the roaming profile would overwrite the local copies.

    “What happens to desktop pictures that are stored locally when copying to create a roaming profile?”

    If they are only available to one particular computer (because it is only stored on the local hard drive and not part of the profile or on a shared home directory or network share of some kind), they will not be accessible from another computer as they do not automatically get incorporated into the roaming profile.

    “I have some roaming profiles in my company that will not save newly added printers. Is there a reason for this?”

    Not that I am aware of - You might check permissions -
     - It also might be a mandatory profile

    “If windows crashes will the profile default back to the last known? If it crashes during write back to the server will the profile corrupt?”

    It should default back to the last successfully updated profile. As far as corruption it would depend on when it crashed. If it is an incomplete copy then it should revert back.

    “What causes access is denied on a roaming profile share on 2003 server even when the permission settings are set correctly”

    First I would make sure that your Share permissions and NTFS permissions are consistent. I would also check this article:

    “Removing administrator permission from profiles does not do anything, an administrator can simply take ownership of the directory and get rights back.”

    You are right, he could. If we really wanted to, we could take away the administrators' right to take ownership and thus guarantee the security of the profiles.

    “What is the difference between the User Profile Tab and the Terminal Service Profile Tab? When should you use one or/and the another?”

    The User Profile tab specifies the user environment delivered to the client regardless of what client workstation they log onto. These profiles include everything on the desktop, installed application data, Internet Explorer settings, favorites, etc. This can be a large amount of data. Because you may have many users logging into a Terminal server and disk space may be a priority on that server, you can specify a single generic profile that all Terminal server users utilize or a restricted profile to minimize profile size and increase security, thus reducing the overhead on the Terminal Server.  

    See and related links for Win 2003 and  for Windows 2000

    “If Folder Redirection stops working, is it best to delete roaming profile and local profile to reestablish?”

    If I redirected with GP I would first use my GPMC and use the Results wizard to see what is going on. Check out a good Q&A on Profiles and Folder Redirection -

    “Is there a reference material that covers this subject as simple and as directly as the presenter?”

    <*blush*> You might try Mark Minasi's “Mastering Windows Server 2003”

    “Did he logon as a local or domain admin....I missed it”

    When I was doing administrative tasks, I was logged in as the domain Administrator account.

    “Can a user add a local printer to their profile without having administrative rights?”

    In a sense, you have to make them a power user and add the "load and unload devices" user right. Check out this KB for assistance:;en-us;Q326473

     “What’s a great resource for Profiles Q&A?”

    “How much longer will the webcast be? It was set for one hour.”

    Yeah.. I apologize.  I ran about 10 minutes over.  If I ever have to deliver this one again, I might skip a portion of the part where I go through the various folders that are found inside the profile.  Most of that is very basic, self-explanatory, or relatively unimportant. 

    I hate running long.  I sincerely want to be respectful of your time, and really appreciate the time you take out of your day to attend the webcast.

    “This was a useful webcast. You guys do an excellent work!  Thanks.  See you next time.”

    Cool!  And if you’ve enjoyed attending it only half as much as I’ve enjoyed delivering it, then I’ve enjoyed it twice as much as you!

    “I have several profiles that are from “Unknown” users.  Why are they there?  Should I delete them?  What should I do?”

    Use the following articles to determine which issue is causing the problem.;en-us;156608;en-us;271924

    “I have roaming profiles and users occasionally get roaming profiles errors when they try to log in.  If I delete their profile from the server it fixes the problem and they can then log in and miraculously their roaming profile is restored...what is happening here?”

    This sounds like a corruption is occurring to the roaming profile stored on the server. When you delete it and the user logs back in, the cached copy of their roaming profile will get uploaded to the server since the server copy is no longer present. If this continues, you may need to contact Product Support Services (PSS) at (800) 936-4900 to better troubleshoot this problem.

    “How do you create a default profile in the NETLOGON share?”

    (Answer to this one given during the webcast really didn’t address the question, so I’ve replaced it…)

    A simple way to do this would be to create and then login as a dummy user account (like I did in the Mandatory Profile demo) for the sake of setting up the defaults.  Then log off, and log back in as an administrator.  Then, just copy that profile (System Properties → Advanced → Profiles…) to any domain controller’s NETLOGON share as a folder named “Default User”.  That will cause this profile to be used as the starting place for any new local profile on any domain connected workstation or server.

    “What would you consider a slow link---dialup only?”

    This article talks to that issue.

    “Should I let the system create Home Dir via %username%?”

    There's nothing wrong with doing it this way. If you want more control over the process, then you can create the directory first and then specify it in the Home Directory path afterwards, but letting the system create it is easier to do.

    “Where can I sign up for the rest of the series?”

    “If you are using folder redirection directing my docs to one server & you want to change path to another server, how do you move all the existing docs?”

    I am not finding an easy tool quickly - There are some Folder and GP tools - One way would be to turn off redirection and have it move it back to local machine - then turn it back on to new location.

    “Is there a place to view the recording of this session?”

    It will be posted in about 48 hours; access it by going into and select on-demand.  Or by going back to the webcast series homepage and clicking on that part that you want to review.  Registering for a webcast in this manner that was already recorded allows you to view the recording.

    “We have profiles in Windows 2000 and XP that will lose files off the desktop after logging off and logging back on, we are not using mandatory profiles.”

    Check access rights to the profiles folders, and files.

    “What is necessary to create a roaming profile that includes Outlook 2003 with only a POP3 account?  I realize it is necessary to point the data file to a central location. What else will be required to ensure Send/Receive functions when using the profile from multiple machines.”

    To the best of my knowledge, that is it.  Also keep in mind that the PST file is a single access file so the user cannot be logged into multiple machines running Outlook on each, but only running Outlook on one of them at a time.

    “Will you be posting the link for the contest details so that we may see if we won?”

    You'll be notified by email if you are a winner. I'm not sure if they will post the winners anywhere public.

    “I'm having an issue with the evaluation.”

    Yeah – many people were finding that the evaluation server was timing out.  It was just too busy. 

    Try pasting this link if you still want to evaluate the webcast:

    “If there is no space on the profileserver to save a roaming profile and you have the setting delete local profile, will it still delete the local profile or what?”

    Good question- I don't know what would happen at that point.  I wasn’t able to find anything online about what the result would be.  I would hope that the local profile would be saved, but I’m betting that you would end up with corrupted data in the roaming profile on the server, and you would lose your locally cached profile.

    “Can you copy NT4.0 profiles to a 2003 server for use as roaming profiles on 2000, XP and other NT4.0 machines?”

    Most of what was covered today also applies to NT4. I would not recommend using a roaming profile on an NT4 and Windows XP Pro machine at the same time though.


    And just for fun… here are the pictures I used in today’s webcast…




  • Password Reset Automated using Microsoft Speech Server!

    Another “too cool”…

    A recent article describes how some Microsoft partners got together and built a solution for automating those time-consuming password reset phone calls we get from our users.  Huge costs savings and ROI (i.e. “It paid for itself!”) are described.

    The summary of the solution is HERE.

    or click the picture below to read the full article.

    Industry Partners Build Password-Reset Solutions on Microsoft Speech Server 2004

  • Three Cheers for SysInternals!

    These folks have always provided some great, useful, powerful, and best of all – FREE – tools for IT Pros and Windows administration. 

    Now they’re helping even more in the area of security and, in particular, the detection of hidden malicious software known as a Root Kit.

    Check out their new RootKitRevealer, for a good description of what a Root Kit is, and to download the Revealer tools.


  • Webcast Series HOMEWORK - Week 1

    Homework Assignment #1


    • Go to my blog, click on the category “TechNet Webcasts”, and view the “Resource Page” for part 1 of 12 of this series.  I’ve included several links relating to this topic, so take a look through those resources.  I really want this to be the vehicle we use to share information and open up discussions.
    • I am also posting the homework here now (duh!) as well as an edited Q&A summary for each week’s webcast.

    2.  Windows Server 2003 Virtual Lab: Remote Desktop and Remote Assistance

    • On that Virtual Lab homepage, click on the Windows Server 2003 section.
    • Then click on the “Step into the Windows Server 2003 Virtual Lab for Free”
    • It might take a minute for this page to come up, depending on how busy the demo servers are.  (You will have better luck getting onto these in the early morning or late evening, US-time.) 
    • Follow the signup/logon instructions, and choose the “Remote Desktop for Administration and Remote Assistance” lab.
  • TNT4-04: Webcast Series Resource Page is now live!

    The “related resources” page for the webcast series is now live:

    Microsoft Windows Server 2003 Administration Webcast Series Resources–04


  • Blogcast on Creating a Custom OWA Theme

    This falls under the “too cool not to share” category.  It’s a blogcast created by Kristian Andaker (at the urging of my friend and UK IT Pro Evangelist counterpart Eileen) that demonstrates very nicely how to create a custom theme for your Outlook Web Access users.

    Check out the blogcast here.


  • Wisconsin-Bound!

    Where is Kevin this week?

    This is another TechNet Briefings week for me.  This week I’ll be doing live events in Kenosha and Milwaukee, Wisconsin.  (Go Packers!)

    February 15 – Kenosha, WI
    The Parkway Chateau
    12304 75th Street
    Kenosha, WI  53142
    Phone: 262–857–2011

    February 17 – Milwaukee, WI
    Theater-AMC Mayfair Mall 18
    2500 North Mayfair Rd.    STE M186
    Wauwatosa, WI  53226
    Phone: 414–777–0176

    Click on the date above if you are interested in attending. 

    This quarter we’re talking all about migration:

    • Migrating your NT 4.0 Directory to Active Directory
    • Migrating LOB (Line of Business) Applications
    • Migrating Exchange 5.5 to Exchange 2003

    You can also download a copy of the session resource pages that I’ve compiled.  Here’s the blog entry that contains that link.

    Stop by and learn some cool stuff!  Win some prizes!  We also have some of the best giveaways and prize-drawing we’ve had in a LONG time.  (Hey.. we’re giving away a copy of an MS Learning book – Windows 2003 Active Directory Technical Reference – to all attendees!)  Or just stop by to say ‘hi’.

    See you there! 


  • Things are Looking Up in Air Travel!

    Another in the “too cool not to post” category – especially as someone who logs a lot of air miles.

    FCC to Allow Wireless Access on Planes...


  • SMS Question: Quick updates of infrequently connected PCs

    I received the following email from a webcast attendee of a “Security Patch Management Tools (Part 3) - SMS with the SUS Feature Pack” webcast.   (Yes.. I know the webcast description says my teammate Keith Combs is the presenter, but I took this one over for him at the last minute. )

    “I watched your web cast (on demand), and you stated that if we had any questions not covered to drop you a note.  We currently run sms 2003, to push out all of our updates. We have approx 2000 PC's and out of those there are 200 or so that sit on a shelf, or are not connected to the network consistently. Right now we have to go around and plug them in once a month when we send out our security patches. Is there any way through GPO or through the advertisements to enforce the policy, if you (the PC) do not have this patch, download the minute you hit log on to the network. While not causing properly patched PC's to do an excessive amount of checking to see if they have the current patch version.”

    Well, I have to confess that I’m not an SMS Guru, but I forwarded the question to a coworker of mine who had an idea.  He suggested that, in the case of the SMS 2003 Advanced Client, you trust the “Persistent Notification” feature, which will quickly notify your user on this seldom-connected PC that there are updates available.  Other already-updated machines won’t be continually pestered. 

    Check out this document: Software Update Management Advanced Features, which includes the following text:

    Persistent Notification

    The persistent notification icon is a feature that allows a user on a computer that is running the SMS Advanced Client to receive notifications and schedule software update installations independent of the software update advertisement. This allows for better compliance by allowing users to install updates at their convenience, and it reduces system load because the advertisement does not have to be scheduled as often.

    If this feature is enabled by the SMS administrator for a software updates program or package, an icon appears in the notification area (also called the "system tray") whenever a user is logged on and there are pending, uninstalled software updates. When the computer is in compliance, the notification area icon does not appear.

    I hope that answers your question. 

    If you have additional questions, or if you are someone who has a better answer, please give us some feedback.

  • I want this camera!

    As a digital photography enthusiast, I thought this was worth sharing under the “Very Cool!” category…

    From Wired Magazine: Photographer Seeks Resolution


  • Exchange Migration Question - "Can I leave my users as NT Domain accounts?" (Part 1)

    During our TechNet Briefing in Chicago last week, a gentleman asked me a very interesting question, which he also sent as a followup email:

    “As I stated, what I would like to do is take an existing NT 4.0 domain (which cannot be upgraded because of legacy apps, Citrix XP). Create a two way trust between a new Windows 2003 AD domain and install Exchange 2003 on the new domain.
    Then I would run Exchange 2003 in mixed mode from now until the money becomes available to upgrade the Citrix clients.
    What I want to do is use the new domain exclusively for email right now for my NT 4.0 users.
    This should work or am I way off base?
    Is this not just a restructure upgrade approach with a long time frame? I should not even have to move any users off of the NT 4.0 domain because of the two way trust, correct?”

    I took this question as a challenge to try it out myself.  So.. I took the VPCs I used for our Exchange Migration session TNT1–100, and I also created a workstation and a user who used Outlook to connect to his Exchange 5.5–hosted mailbox, so I could verify later that, even after moving his mailbox to the 2003 server, he could still log in with his NT account.  (I really didn’t logically see a reason why this wouldn’t work, due to the trusts established and the ADC Connection Agreements configured properly.)

    Also, I found the following text within the Deployment Tools concerning “Exchange 5.5 Coexistence”:

    Active Directory and Windows NT 4.0 Accounts
    Before you install Exchange 2003, you should already have Active Directory deployed within your organization, but it is not necessary to upgrade all of your Windows NT 4.0 domains or user accounts to Windows 2000 Server or Windows Server 2003. Even if your accounts are contained in Microsoft Windows NT 4.0 domains or external forests, you can move mailboxes associated with these accounts to Exchange 2003. During the deployment process, Active Directory Connector creates placeholder accounts in Active Directory for Microsoft Windows NT 4.0 accounts. Each placeholder account associates the mailbox with the Microsoft Windows NT 4.0 account so that the user can access his or her Exchange 2003 mailbox.

    So…After making sure my workstation and user (Aaron) were NT-domain joined and Outlook was up and running, I walked through the deployment tools on the new Exchange-server-to-be; prepping the environment with the two-way trusts, administrative rights, Forest and Domain Prep, the ADC installation and configuration, and the Exchange 2003 installation (including the upgrade to SP1).  Notice that one step I left out was the use of the ADMT (Active Directory Migration Tool) to create the users as new Active Directory domain users.  We’re still going to use our NT account here.

    Now I was ready for the mailbox move.  Unlike the case where I was migrating users, I didn’t have any new AD accounts to run Exchange Tasks against in the Active Directory Users and Computers tool, so I tried to use the System Manager to move the mailboxes.  I could use this to move the one mailbox that actually had data in it (my test user Aaron), but in our demo environment, the rest of the defined mailboxes had never been connected to - so they hadn't actually been created yet.

    "But.. didn't the ADC create dummy accounts for you in Active Directory?"

    Yes!  It created a "Recipients" container and populated it with disabled user accounts.  (It even duplicated and populated Distribution Lists that existed on the old Exchange Server, too!)  I selected these and performed "Exchange Tasks" on them in order to do the Move Mailbox wizard.  And this worked just fine for moving all of my NT users' mailboxes over to the new server.

    Because Aaron's mailbox was moved within the same “site” (as far as my Outlook profile was concerned), he was able to re-open Outlook and the profile was automagically tweaked to point to the mailbox now on the new server.

    “So.. that’s it?  It just works?”

    Basically, yeah!  But… I’m not done yet.  I wonder what happens if I now remove the old Exchange Server…

    We’ll save that for Part 2.


    PS – Feel free to comment or question further by clicking on the “Feedback” Link immediately below this post.