• Windows 7/cannot connect to 2003 Printer Server

    Description: Windows 7/cannot connect to 2003 Printer Server

    Symptom: a Windows 7 client connecting to a Windows 2003 print server using \\servername or IPP gets the following error messages:

    · Issue 1:

    The error message shows "access denied", but adding the domain user to the local Administrators group resolves the issue, so it must be related to Windows 7 print permissions.

    · Issue 2:

    If the printer still uses the old driver, the error message shows "windows cannot connect to the printer…".

    Solution:

    Issue 1:

    · Set the following policy at Windows 7 clients:
    ============================
    Computer Configuration | Administrative Templates | Printers | Point and Print Restrictions: Disabled


    Use Windows XP-Level Security

    You can use the Point and Print Restrictions group policy setting to provide a Windows Vista client computer with the same level of Point and Print security that it had with Windows XP.

    User Experience

    Users will not see any additional warning messages when they connect to a shared printer and Point and Print installs a new printer driver or when Point and Print updates the printer driver for an existing connection.
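As an added check (not part of the original note), the following PowerShell reports how the Point and Print Restrictions policy is currently applied on a Windows 7 client. It assumes the policy is written to HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint with the value names shown; a Disabled state is flagged because it allows non-administrators to install drivers from any print server.

```powershell
# Added example: inspect the registry state that the Point and Print
# Restrictions GPO writes on the client. Key and value names are assumptions
# based on the policy's registry mapping, not from the original note.
function Get-PointAndPrintPolicyState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    if (-not (Test-Path $key)) {
        # No policy key at all: GPO is "Not Configured", defaults apply.
        return [pscustomobject]@{ State = 'NotConfigured'; Restricted = $null; TrustedServers = $null; ServerList = $null }
    }
    $p = Get-ItemProperty -Path $key
    # Restricted = 1 when the policy is Enabled, 0 when it is Disabled.
    $state = if ($p.Restricted -eq 1) { 'Enabled' } elseif ($p.Restricted -eq 0) { 'Disabled' } else { 'NotConfigured' }
    [pscustomobject]@{
        State          = $state
        Restricted     = $p.Restricted
        TrustedServers = $p.TrustedServers   # 1 = only servers in ServerList are allowed
        ServerList     = $p.ServerList       # semicolon-separated list of trusted print servers
    }
}

$state = Get-PointAndPrintPolicyState
$state | Format-List
if ($state.State -eq 'Disabled') {
    Write-Warning 'Point and Print Restrictions is Disabled: users can install drivers from any print server (XP-level security).'
}
```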

    Issue 2:

    · After we changed the printer driver on the Windows 2003 print server to the universal driver, the client could download the appropriate driver without error.

    Reference:

    Starting with Windows Vista, printer management has more restrictions, and Windows 7 uses the same architecture. See the following document:

    http://technet.microsoft.com/en-us/library/cc753269.aspx

    The default security settings for Windows 7 and Windows Server 2008 R2 allow users who are not members of the local Administrators group to install only trustworthy printer drivers, such as those provided with Windows or in digitally signed printer-driver packages. This helps to ensure that users do not install untested or unreliable printer drivers or drivers that have been modified to contain malicious code (malware). However, it means that sometimes users cannot install the appropriate driver for a shared printer, even if the driver has been tested and approved in your environment.

  • Why the Administrator account is not locked out

    The Administrator account has no special privilege that prevents the password policy from being applied. What the following data shows is:

    -> By default the Administrator account is not "really" locked out because the pwdProperties value defaults to 1 (Passwords must be complex, and the administrator account cannot be locked out).

    -> In other words, no document says the Administrator account has a privilege here; the behaviour is controlled by the pwdProperties value.

    -> So can the Administrator account be locked out? Yes! It can be done by modifying the pwdProperties attribute with ADSIEDIT.msc. (Not recommended.)

    How to set account lockout policies in Windows 2000 and Windows Server 2003
    http://support.microsoft.com/kb/885119/en-us

    To configure the account lockout policies in Active Directory, follow these steps:

    1. Install the ADSI snap-in if it is not already installed on your system. This snap-in is included in the Windows 2000 Support Tools. For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

    301423 (http://support.microsoft.com/kb/301423/ ) How to install the Windows 2000 support tools to a Windows 2000 Server-based computer

    Warning If you use the ADSI Edit snap-in, and you incorrectly modify the attributes of Active Directory objects, you may cause serious problems. These problems may require that you reinstall Windows 2000 Server, Microsoft Exchange 2000 Server, or both. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

    2. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.

    3. Expand Domain NC [Your_Domain_Name].

    4. Right-click DC=Your_Domain_Name,DC=Your_Domain_Name, and then click Properties.

    5. Click the Attributes tab, and then in the Select a property to view list, click pwdProperties.

    6. In the Edit Attribute box, type the value that you want to use. The following value options are available.

    Value   Password policy
    0       Passwords can be simple, and the administrator account cannot be locked out.
    1       Passwords must be complex, and the administrator account cannot be locked out.
    8       Passwords can be simple, and the administrator account can be locked out.
    9       Passwords must be complex, and the administrator account can be locked out.

    7. Click Set, click Apply, and then click OK.

    8. Quit the ADSI Edit snap-in.
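Before touching pwdProperties with ADSI Edit, the current value can be read and decoded without modifying anything. The following PowerShell is an added example, not from the KB article; it binds to the domain naming context via ADSI and decodes the documented DOMAIN_PASSWORD_* / DOMAIN_LOCKOUT_ADMINS bits, so it also explains why the table above lists only 0, 1, 8 and 9 (complexity bit 1 plus lockout bit 8).

```powershell
# Added example: read pwdProperties from the domain NC and decode its bits.
# Flag names/values are the documented pwdProperties bit definitions.
function Get-PwdPropertiesState {
    param(
        # Defaults to the domain NC of the DC the machine is talking to.
        [string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $flags = @{
        DOMAIN_PASSWORD_COMPLEX         = 1    # passwords must be complex
        DOMAIN_PASSWORD_NO_ANON_CHANGE  = 2
        DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 4
        DOMAIN_LOCKOUT_ADMINS           = 8    # administrator account can be locked out
        DOMAIN_PASSWORD_STORE_CLEARTEXT = 16
        DOMAIN_REFUSE_PASSWORD_CHANGE   = 32
    }
    $domain = [ADSI]"LDAP://$DomainDN"
    $value  = [int]$domain.pwdProperties.Value
    $set    = $flags.GetEnumerator() | Where-Object { $value -band $_.Value } | ForEach-Object { $_.Key }
    [pscustomobject]@{
        DomainDN            = $DomainDN
        pwdProperties       = $value
        Flags               = ($set | Sort-Object) -join ', '
        PasswordComplexity  = [bool]($value -band $flags.DOMAIN_PASSWORD_COMPLEX)
        AdminCanBeLockedOut = [bool]($value -band $flags.DOMAIN_LOCKOUT_ADMINS)
    }
}

Get-PwdPropertiesState | Format-List
```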

  • How to audit DNS A record if someone delete it

    HOWTO: Set up DNS auditing for records that disappear from the zone
    ==============================================
    1. Enable Directory Service Access auditing in your default Domain Policy:
    - open domain security policy
    - navigate to Local Policies -> Audit Policy
    - Define "Audit directory service access" for success and failure
    - Refresh domain policy on all domain controllers
    2. Enable auditing on the zone
    - open AdsiEdit
    - Navigate to the location of your DNS zone
    - Right click the zone to audit and choose properties.
    - go to the security tab, click the advanced button
    - select the Auditing tab and click Add
    - for the user or group, type in Everyone
    - On the Object tab, select Success and Failure for the following Access types:
    -- Write All Properties, Read All properties, Delete and Delete Subtree
    - OK out of the policy and refresh the policy again.
    3. When a record is deleted from DNS the following event is logged in the Security
    Event log:
    Event ID: 566
    Source: Security
    Type: Success
    Category: Directory Service Access
    Description: Will post a message similar to following:
    Object Name: DC=recordname,DC=domain,DC=domain,CN=System,DC=dcname,DC=domain
    Properties: Write Property
    Default property set
    dnsRecord
    dNSTombstoned

    ==============================================

    After completing the steps above, if someone later deletes an A record you will see information like the following.
    Example
    ================
    事件類型:   稽核成功

    事件來源:   Security

    事件類別目錄:     目錄服務存取

    事件識別碼:        566

    日期:         2010/3/29

    時間:         下午 04:22:01

    使用者:              HJHROOT\administrator

    電腦: W2003RDC03

    描述:

    物件操作:

    物件伺服器:        DS

    操作類型:   Object Access

    物件類型:   dnsNode

    物件名稱:   DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com

    處理識別碼:        -

    主要使用者名稱:  W2003RDC03$

    主網域:      HJHROOT

    主要登入識別碼:  (0x0,0x3E7)

    用戶端使用者名稱:       administrator

    用戶端網域:        HJHROOT

    用戶端登入識別碼:       (0x0,0x537E2)

    存取: 寫入屬性

    內容:

    寫入屬性

                    Default property set

                            dnsRecord

                            dNSTombstoned

            dnsNode

    其他資訊:  

    其他資訊 2:       

    存取遮罩:   0x20

    請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。
    ================
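Reading these entries by hand does not scale, so here is an added PowerShell example (not part of the original note) that pulls event 566 entries from the Security log and keeps only writes to dnsNode objects where dNSTombstoned was set, which is the signature of a deleted record shown in the sample above. It matches on the unlocalized tokens (dnsNode, dNSTombstoned, the DC=… object name) so it works on a localized DC such as the Chinese one in the sample; the DC name and entry count are parameters you supply.

```powershell
# Added example: summarize DNS record deletions audited as event 566.
# Get-EventLog reads the classic Security log, which is what a Windows 2003 DC has.
function Get-DnsRecordDeletionAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (assumption: local DC)
        [int]$Newest = 500                           # how many 566 events to scan
    )
    Get-EventLog -LogName Security -ComputerName $ComputerName -InstanceId 566 -Newest $Newest |
        Where-Object {
            # dnsNode object type + dNSTombstoned property write = record deleted
            $_.Message -match 'dnsNode' -and $_.Message -match 'dNSTombstoned'
        } |
        ForEach-Object {
            $record = $null
            # Object name line looks like: DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,...
            if ($_.Message -match '(DC=[^\r\n]+)') { $record = $matches[1] }
            [pscustomobject]@{
                Time       = $_.TimeGenerated
                DC         = $_.MachineName
                ClientUser = $_.UserName      # e.g. HJHROOT\administrator in the sample
                Record     = $record
            }
        }
}

Get-DnsRecordDeletionAudit | Sort-Object Time -Descending | Format-Table -AutoSize
```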

  • DNS servers were once changed through a GPO, so the client's DNS IP address was changed and cannot be restored

    There is a policy, usually at the domain level, that sets this, and it supersedes the DNS IP issued by DHCP or entered manually.

    To check for the existence of this policy, look in the client's registry for the following entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient

    NameServer entry of type REG_SZ (string) containing the IP address the client is using for DNS.

    If it exists, the policy may need to be reversed (Disabled, not "Not Configured") or corrected at the DC.

    From the group policy:

    Computer Configuration...Administrative Templates...Network...DNS Client...DNS Servers.

    Set the policy to either "Disabled" or the correct IP address, but do not set it to "Not Configured" or no changes will take place.

    Note: This policy may be set somewhere other than at the domain level. Use GPResult or rsop.msc to find the source location.
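The registry check described above, as an added PowerShell example that is not part of the original note: it reads the policy NameServer value and lists the DHCP-issued and manually entered DNS servers of each TCP/IP interface from HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, so you can see which setting the policy is overriding before hunting for the source GPO.

```powershell
# Added example: show whether a DNS Servers policy is forcing the client's
# name servers and what DHCP/manual settings it is overriding.
function Get-DnsClientPolicyState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $policyNS  = $null
    if (Test-Path $policyKey) {
        $policyNS = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).NameServer
    }
    # Per-interface DNS settings: NameServer = manual entry, DhcpNameServer = from DHCP.
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.NameServer -or $p.DhcpNameServer) {
                [pscustomobject]@{
                    Interface = $_.PSChildName
                    Manual    = $p.NameServer
                    Dhcp      = $p.DhcpNameServer
                }
            }
        }
    [pscustomobject]@{
        PolicyNameServer = $policyNS
        PolicyActive     = [bool]$policyNS   # empty/missing value = no policy in force
        Interfaces       = $ifaces
    }
}

$s = Get-DnsClientPolicyState
if ($s.PolicyActive) {
    Write-Warning "DNS Servers policy is in force ($($s.PolicyNameServer)); the interface settings below are overridden. Use gpresult /r or rsop.msc to find the source GPO."
}
$s.Interfaces | Format-Table -AutoSize
```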

  • How to Hide "My Network Places" from Windows Explorer view

    Problem
    =========
    How to Hide "My Network Places" from Windows Explorer view


    Solution
    ==========
    You can remove the "Public" folder by deleting the registry key below.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}

    To remove the user folder, you can delete the below one.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{59031a47-3f72-44a7-89c5-5595fe6b30ee}

    To remove the My Network Places, you can delete the below one.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}

    PS: please take a backup of these registry keys before deleting.
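To make the backup step part of the procedure rather than an afterthought, here is an added PowerShell example (not from the original note) that exports a NameSpace key with reg.exe before removing it. The GUIDs are the three listed above; the backup directory is an assumed location.

```powershell
# Added example: back up a Desktop\NameSpace entry with "reg export", then delete it.
function Remove-DesktopNamespaceEntry {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Guid,                                    # e.g. '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}' = My Network Places
        [string]$BackupDir = "$env:SystemDrive\RegBackup"  # assumption: where .reg backups go
    )
    $base    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
    $regPath = "$base\$Guid"                    # reg.exe form
    $psPath  = 'HKLM:\' + $regPath.Substring(5) # PowerShell provider form
    if (-not (Test-Path -Path $psPath)) {
        Write-Warning "$regPath is not present; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ('NameSpace_' + ($Guid -replace '[{}]', '') + '.reg')
    Remove-Item -Path $file -ErrorAction SilentlyContinue   # avoid reg.exe's overwrite prompt
    & reg.exe export $regPath $file | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $file)) {
        throw "Backup of $regPath failed; key was NOT deleted."
    }
    # Only delete once the backup is confirmed on disk.
    Remove-Item -Path $psPath -Recurse
    Write-Output "Removed $regPath (backup: $file; restore with: reg import `"$file`")"
}

# Example call for My Network Places (uncomment to run):
# Remove-DesktopNamespaceEntry -Guid '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'
```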