Today I leave for parts of the country unknown (to me at least): I am headed to Washington DC. This swamp is home to our congress, president and many other crazy agencies that I’m sure are watching me type this blog post. We plan on checking out all the cool monuments that our tax dollars have purchased and maybe hassle our representative about some governmental issue that currently escapes me. In any case, I’m sure Jen and I will have a good time discovering the city and how to get around using their subway system. The one crown jewel for me on this trip that I am looking forward to is the Smithsonian; it should be quite the experience, at least that is what I am hoping for. The weather looks like it will be okay; we will have a few rainy days but there look to be plenty of inside activities to do once we get there. We are technically staying across the river in Arlington, VA, so we will get to commute in every day as well. Here is wishing that all our luggage makes it and our flights are not delayed. Good Day.
How to Remotely Manage Workstations in Your Network
You would be surprised at how often I solve a user’s issue without having to leave my desk. Users typically call me because they need an icon, need a print job canceled, or can’t find the file they are looking for. Here are some helpful methods that you can use in your environment to fix problems without leaving your desk.
Using Hidden Drive Shares
This is one of the easiest methods to use and the most flexible for managing files on remote workstations. By default, Microsoft Windows shares each hard disk drive as a hidden share that only administrators can access. When you set up your domain you centralize user authentication, so you now have an administrator account on all the computers in your domain. This does require that file and print sharing is turned on in the Windows Firewall, but for most environments this is most likely already on. To enable it, type the following in a command-line window or the Run box:
netsh firewall set service type=fileandprint mode=enable
To configure it using Group Policy, follow these instructions:
- Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.
- Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.
- In the details pane, double-click Windows Firewall: Allow file and printer sharing exception.
- In the Windows Firewall: Allow file and printer sharing exception dialog box, on the Settings tab, click Enabled or Disabled.
To access these shares, go to the UNC path of the computer followed by the drive letter and a dollar sign. Ex:
\\computername\C$
And bam, there is the entire drive of that computer. Now you can browse into Documents and Settings, open the user's folder, and add the icon to the desktop, all from your computer. This should work for any Microsoft Windows version since 2000, including server operating systems.
Remote Microsoft Management Console
If you are not familiar with Microsoft Management Console, or MMC, then you need to be. It is a unified management console that allows you to adjust settings not only on your computer but on remote ones as well. To use the console remotely you need to enable “Remote Administration” in the Windows Firewall. This can be done by running the following command:
netsh firewall set service type=remoteadmin mode=enable
Or you can enable it using Group Policy by following these steps from Microsoft:
- Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.
- Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.
- In the details pane, double-click Windows Firewall: Allow remote administration exception.
- In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled or Disabled.
Once you have the exception in place, you can manage a remote computer either by connecting to it from a menu within the console or by starting the console from the command line pointed at that computer. To start the Computer Management console from the command line, type the following in your Run box or at the command line:
compmgmt.msc /computer:computername
It should automatically open the Computer Management console connected to that remote computer. Now you can go through the different parts of the machine from your desktop without interrupting the user. You should be able to do most things that you could if you were running this locally on the PC, except for the Device Manager, which is in read-only mode.
Remote Registry Editing
Another lesser-known feature of the registry editor is the ability to open a remote computer's registry and make changes. To open the registry editor, type the following in your Run box or command line:
regedit
Once it has opened, go to the File menu and select Connect Network Registry…, then type in the name of the computer in the box, and it should open as another computer in the tree view. There are a few things to be aware of when editing another computer's registry. You cannot undo your changes, so be sure you know what you are doing, or the next call might be about the computer you just hosed by changing something you shouldn’t have. Also, the current user hive is sort of hard to find. It is under HKEY_USERS, and it is probably something like S-1-5-XX-XXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX. If you have multiple entries like this, you will need to check the SESSIONNAME value in each one's Volatile Environment key: if it is set to Console, then that is the HKEY_CURRENT_USER hive. The local machine hive is in the same place in both the remote registry and the local one.
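The SESSIONNAME check described above can be scripted. This is an added example, not code from the original post; the function name is hypothetical, and it assumes you have administrator rights on the target and that the Remote Registry service is running there.

```powershell
# Added example: find which SID under HKEY_USERS belongs to the console user.
# Get-ConsoleUserHive is an illustrative name, not a built-in cmdlet.
function Get-ConsoleUserHive {
    param([string]$ComputerName = '')   # empty string opens the local registry

    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($sid in $hku.GetSubKeyNames()) {
            # Skip .DEFAULT, the service accounts and the *_Classes hives
            if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }

            $vol = $hku.OpenSubKey("$sid\Volatile Environment")
            if ($null -eq $vol) { continue }
            try {
                # XP/2003 keep SESSIONNAME directly in this key; later Windows
                # versions nest it in a per-session subkey, so read both places
                $names = @($vol.GetValue('SESSIONNAME'))
                foreach ($sub in $vol.GetSubKeyNames()) {
                    $k = $vol.OpenSubKey($sub)
                    $names += $k.GetValue('SESSIONNAME')
                    $k.Close()
                }
            } finally { $vol.Close() }

            if ($names -contains 'Console') {
                # Resolve the SID to DOMAIN\user so you edit the right hive
                $account = '(unresolved)'
                try {
                    $obj = New-Object System.Security.Principal.SecurityIdentifier $sid
                    $account = $obj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { }
                [pscustomobject]@{ Sid = $sid; Account = $account }
            }
        }
    } finally { $hku.Close() }
}

# Local machine; pass -ComputerName computername to query a remote PC
Get-ConsoleUserHive
```

Only hives of users who are currently logged on appear under HKEY_USERS, so an empty result means nobody is at the console.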
Disable Windows Games Using Software Restriction Policy
Do you find that your users spend more time in FreeCell and Minesweeper than actually doing work? Then one would say that it is time to block those applications from being started. To do this you can use the Software Restriction Policy that is built in to Group Policy and your domain. What you will need to do is create a new Group Policy (you could call it “No Windows Games”), then edit it and drill down into Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies. From there you will probably be presented with “No Software Restriction Policies Defined”. Now right-click back on Software Restriction Policies in the tree view on the left and select Create New Policies. You should now have the option for Additional Rules. This is where you add your restrictions. Here is the long article from Microsoft about what the different types of rules are and what you can do with them, but since we just want to block Windows games we just need to add a New Path Rule with the Disallowed option for each of the following:
- %SystemRoot%\system32\freecell.exe
- %SystemRoot%\system32\mshearts.exe
- %SystemRoot%\system32\sol.exe
- %SystemRoot%\system32\spider.exe
- %SystemRoot%\system32\winmine.exe
- C:\Program Files\MSN Gaming Zone
- C:\Program Files\Windows NT\Pinball\PINBALL.EXE
Once these restrictions are in place you can link the policy to the OU or workstations to make them take effect. Your end result should look something like this: (screenshot not preserved)
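To confirm from your desk that the rules actually reached a workstation, you can read them back over the remote registry. This is an added example, not part of the original post; the function name is hypothetical, and it assumes the Remote Registry service is running on the target and that the GPO stored each path exactly as typed in the list above.

```powershell
# Added example: check that the Disallowed path rules landed on a workstation.
# Test-SrpGameRules is an illustrative name, not a built-in cmdlet.
function Test-SrpGameRules {
    param([string]$ComputerName = '')   # empty string opens the local registry

    # Paths copied from the rule list in this post
    $expected = @(
        '%SystemRoot%\system32\freecell.exe',
        '%SystemRoot%\system32\mshearts.exe',
        '%SystemRoot%\system32\sol.exe',
        '%SystemRoot%\system32\spider.exe',
        '%SystemRoot%\system32\winmine.exe',
        'C:\Program Files\MSN Gaming Zone',
        'C:\Program Files\Windows NT\Pinball\PINBALL.EXE'
    )

    # Computer-level SRP rules live here; level 0 is Disallowed and each
    # rule is a GUID subkey whose ItemData value holds the path
    $root = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    $applied = @()

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $paths = $hklm.OpenSubKey($root)
        if ($null -ne $paths) {
            foreach ($guid in $paths.GetSubKeyNames()) {
                $rule = $paths.OpenSubKey($guid)
                # Read the raw text so %SystemRoot% is not expanded with
                # the environment of the machine running this script
                $applied += $rule.GetValue('ItemData', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $rule.Close()
            }
            $paths.Close()
        }
    } finally { $hklm.Close() }

    # One row per expected rule; Applied is False when the rule is missing
    foreach ($p in $expected) {
        [pscustomobject]@{ Path = $p; Applied = ($applied -contains $p) }
    }
}

# Local machine; pass -ComputerName computername to check a remote PC
Test-SrpGameRules | Format-Table -AutoSize
```

Rows showing False right after linking the policy usually mean the workstation has not refreshed Group Policy yet.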
Waiting on the HTC Touch Pro 2
Here in the past year I joined the smartphone crowd, with the university paying for my data plan. I am currently with AT&T and enjoy their coverage and speed for the most part. It seems to be faster in larger cities, but College Station is special in the fact that we have extra capacity in the summer and a lack of capacity the rest of the time. We do have 3G here for AT&T and on a good day my Blackjack can load up most webpages in just a few seconds; of course I have been using just the Internet Explorer WAP browser that comes with all Microsoft Windows Mobile phones. Although I can’t get full webpages like on other phones like the G1 or iPhone, I have been rather happy with it for the most part, but I am ready for an upgrade according to my contract and my preference.
I am very sure that I want a Windows Mobile phone, even with the limitations of the OS. Lots of people complain that the OS is not built for touch and generally hard to use. Well, the way Windows Mobile works makes sense to me because I have been using it forever. I bought a Dell Axim X5 Advanced the day they came out, and ever since then I have been sold. It works just like Windows; I just don’t understand how people can’t understand that, just like on every other Windows computer, you go to the Start Menu to find your apps. Then again, most people that buy smartphones never added apps until an App Store made it too easy to buy applications. I hate any app store that has rules about what they will and will not allow in because a carrier may not want it running on their network or because it might compete against an application that is built in to the phone’s OS. This makes for a very slippery slope where soon you won’t be able to use the apps you want on the hardware or network you want to use them on. But that could be a whole other post. I am unhappy that the Microsoft App Store has so many limitations that help protect its subpar media player and other software.
Anyways, it isn’t the software that sells me, it is the WVGA touch screen with the slide-out keyboard. I think it will be cool to see what developers will be able to do with a full-sized screen on a mobile device. The keyboard also looks large enough for me to handle; the one on the Blackjack is a little small and I keep finding that I mistype things because my fingers are a bit too big. I definitely do not want an onscreen keyboard. I’ve supported iPhones at work and find them to have the most horrid keyboard ever. I have a hard time typing configuration information for the device and I can only imagine how bad it would be if I had to type on it every day. The other thing I don’t like about the Blackjack is that I have a hard time getting to certain numbers and symbols that are much more easily found on the Touch Pro.
With my mind made up, I am waiting for the HTC Touch Pro 2 to come to AT&T, whenever that might be. I am hoping for sometime this summer, when Windows Mobile 6.5 finally becomes available. So until then just behold in the glory of the Touch Pro 2.
Passing Parameters to VB Script to Map Network Drives
The other day I got an instant message from a fellow network administrator asking for a script that would map drives by simply passing parameters from the command line. This caused me to go into Google mode, checking how parameters are passed in to Visual Basic Script and then applying the basic network drive mapping script. Now I feel that the only proper thing to do is share it with everyone out there who is looking for the same thing he was. This is a very simple script that does something equally simple. Hopefully this will simplify some of the group policies that are out there.
Usage: mapme.vbs Z \\server\share
This would result in passing Z as the drive letter and mapping it to the UNC path of \\server\share. Write the path with backslashes: Windows Script Host treats any argument that begins with // as one of its own host options, so a path typed as //server/share never reaches the script.
' mapme.vbs: map a network drive from two command-line arguments
Set objArgs = WScript.Arguments
Set objNetwork = WScript.CreateObject("WScript.Network")
' objArgs(0) is the drive letter without the colon, objArgs(1) is the UNC path
objNetwork.MapNetworkDrive objArgs(0) & ":", objArgs(1)