Archive for the 'Windows' Category

Managing Local Admins using GPP

This is a brain dump of something Alan Burchill and Lilia Gutnik presented at TechEd Australia 2009. It covers managing local administrators on your workstations using the power of Group Policy Preferences.

  1. Create a new GPO if necessary, and link it to the OU where it needs to be applied
  2. Edit the new GPO, and go to Computer Configuration, Preferences, Control Panel Settings, Local Users and Groups
    gpp_1
  3. Right-click in the pane on the right, and select New, Local Group
  4. Set up the “New Local Group” as per below. I’ve got it removing all existing users and groups so that we can define everything we need using Group Policy. You add variables like %computername% by pressing F3 whilst the cursor is in a text entry field.
     gpp_2
    I also included the Description text that is shown on the default local Administrators group: “Administrators have complete and unrestricted access to the computer/domain”
     
  5. You also need to add a member called “domainname\%ComputerName%-Admins”. This will allow you to define a group in AD that can be used to assign local admin rights to a particular machine.

    The good thing about this is that you only need to define groups for PCs that you wish to add local admins to, but all PCs that have the GPO applied are ready for this type of setup.
    gpp-3

  6. You can also go into the Common tab and select “Remove this item when it is no longer applied”
    gpp_4
  7. The last step is to create a Security Group in AD with the name {computername}-Admins. For example, if you have a computer named syd-60128, you create a group in AD called syd-60128-Admins. Adding users to that group will then make those users local administrators on that particular PC.
  8. Do a “gpupdate” on the machine in question, and you should see the group’s membership change:
    gpp-5
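
Because the GPP item removes all existing members, anything in the local Administrators group that the GPO did not put there is drift worth investigating. The script below is an added example, not part of the original post: it compares the actual membership with the expected list after a gpupdate. The domain name `EXAMPLE` and the baseline members are placeholder assumptions, so substitute whatever your own GPP item defines.

```powershell
# Added example (not from the original post): audit the local Administrators
# group against the membership the GPP item is meant to enforce.
# Requires the LocalAccounts cmdlets (Windows PowerShell 5.1 or later).

function Compare-LocalAdmins {
    param(
        [string[]] $Actual,     # members currently in the local group
        [string[]] $Expected    # members the GPO should leave in place
    )
    # -notin is case-insensitive, which matches how Windows treats account names.
    [pscustomobject]@{
        Unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
        Missing    = @($Expected | Where-Object { $_ -notin $Actual })
    }
}

# --- Assumed values: replace with the members your GPP item defines ---
$domain   = 'EXAMPLE'               # placeholder NetBIOS domain name
$computer = $env:COMPUTERNAME
$expected = @(
    "$computer\Administrator",      # assumption: built-in account is kept
    "$domain\Domain Admins",        # assumption: listed in the GPP item
    "$domain\$computer-Admins"      # the per-computer group from step 5
)

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# so the lookup also works on non-English installs.
$actual = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name

$result = Compare-LocalAdmins -Actual $actual -Expected $expected

foreach ($name in $result.Unexpected) {
    Write-Warning "Unexpected local admin on ${computer}: $name"
}
foreach ($name in $result.Missing) {
    # The per-computer group is only present if it exists in AD (step 7),
    # so its absence is informational on PCs with no delegated admins.
    Write-Output "Expected member not present on ${computer}: $name"
}
```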

Enabling Remote Desktop (RDP) on Windows Vista Home Premium

Thanks to the guys at The Green Button forums, Vista Home Premium users can now also enjoy an oft-missed feature: RDP. This currently works with SP1, but SP2 isn’t far off, so expect Microsoft to close this loophole again.

Below are some instructions found on the forum, and the rest of the process that I followed:

  1. Download patched DLL
  2. Run a Command Prompt as an Administrator, and run the following commands:
    1. takeown /a /f %SystemRoot%\System32\termsrv.dll
    2. icacls %SystemRoot%\System32\termsrv.dll /Grant Administrators:F
  3. Stop the Terminal Services service (Windows Key + R, services.msc)
  4. Rename the original termsrv.dll (in %systemroot%\system32) to termsrv.dll.bak
  5. Copy the patched dll into place
  6. Run Registry Editor (Windows Key + R, regedit)
  7. Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  8. Change the following 2 items:
    1. fDenyTSConnections – New value: 0
    2. fSingleSessionPerUser – New value: 0
  9. Start the Terminal Services service

Below is a screen shot of it working on my home PC.

Don’t contact me for help in getting this running, or if this procedure breaks your PC.

If you’re not keen on doing this, an excellent alternative is LogMeIn’s free remote desktop solution.

Vista_Home_RDP


Mini Brain Dump: IP Subnet Change Considerations

I’ve been sitting on this post for a long time, and intended to write a more detailed description.

Here are some things you may need to consider (outside of the obvious like DHCP scopes, DNS server settings, Firewall settings & rules, etc) when changing the IP range your Windows network operates on:

  • TCP/IP Printer ports on print server
  • Printer/Copier IP/DNS/SMTP settings
  • Exchange allowed relay ranges
  • Any copy/print accounting devices attached to copiers
  • Monitoring host settings, e.g. Big Brother/Hobbit, both client and server side, if not configured to use DNS in config files
  • Server iLO IP addresses

Some steps for changing domain controller IP addresses. Do these first before any other important servers:

  1. Change IP
  2. ipconfig /flushdns
  3. ipconfig /registerdns
  4. Either restart the Netlogon service, or run ‘nltest /dsregdns’
  5. Reboot

Disclaimer: This is by no means a complete list. Use these directions at your own risk.


mRemote: A Remote Connections Manager

This tool should be a part of any self-respecting SysAdmin’s toolkit. mRemote is “a full-featured, open source, multi-tab remote connections manager”.

What does this mean, you say? It means you’ve got one neat console where you can manage all your remote connections. mRemote currently supports these protocols:

I haven’t set it up fully yet, but it will be really handy to have all my web-based admin areas and SSH to Linux boxes in there too.

mRemote

A side note: it uses the same rendering engine as Firefox, so some web-based admin pages may not display properly. This, however, is no fault of mRemote or Firefox.


Update: Deploying MYOB Premier via MSI

I recently figured out a better way to get MYOB Premier to deploy via MSI than the previous method that I posted. This method basically stops the MSI from checking if it’s been run by a bootstrapper (Setup.exe). I’ve tested this with Premier 11 and 12 and it deploys fine on XP and Vista.
