Friday, August 29, 2008

Internet Explorer 7 "Fix My Settings" Domain Group Policy

Internet Explorer 7 includes a Security Settings Check: when the browser starts, it compares the current security settings against Microsoft's defaults and, if they have been changed in a way the browser considers risky, shows a flashing Information Bar asking the user if they would like to "Fix My Settings". I needed a way to get rid of this prompt for a specific group of computers, for any user who logs on to them.

When Internet Explorer 7 is installed on a computer, an updated administrative template is added to the local computer policy (User Configuration->Administrative Templates->Windows Components->Internet Explorer) that provides some new configuration options. One of those options is "Turn off the security settings check feature". Currently, this is not available as a domain policy. To get it there, I copied the Internet Explorer 7 administrative template (named inetres.adm), cut it down to the setting I wanted, changed the class from CLASS USER to CLASS MACHINE so it would apply to the computer instead of a specific user account, saved it under a different name (so as not to confuse the Group Policy editor) and imported it into my domain Group Policy. Keep in mind what the policy does and does not do: it only turns off the check, so whatever non-default zone settings triggered the prompt remain in place. Apply it only to computers whose settings are deliberately non-default. The template is below.


CLASS MACHINE

CATEGORY !!WindowsComponents
    CATEGORY !!InternetExplorer7_Customized
        #if version >= 4
            EXPLAIN !!IE_ExplainCat
        #endif

        POLICY !!Disable_Security_Settings_Check
            #if version >= 4
                SUPPORTED !!SUPPORTED_IE7
            #endif
            KEYNAME "Software\Policies\Microsoft\Internet Explorer\Security"
            EXPLAIN !!IE_Explain_DisableSecuritySettingsCheck
            VALUENAME DisableSecuritySettingsCheck
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY
    END CATEGORY ; InternetExplorer7_Customized
END CATEGORY ; WindowsComponents

[strings]
WindowsComponents="Windows Components"
InternetExplorer7_Customized="Internet Explorer 7 Customized Settings"
Disable_Security_Settings_Check="Turn off the Security Settings Check feature"
IE_Explain_DisableSecuritySettingsCheck="This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.\n\nIf you enable this policy setting, the security settings check will not be performed.\n\nIf you disable or do not configure this policy setting, the security settings check will be performed."
IE_ExplainCat="Custom config of Internet Explorer 7"

; Supported on Information
SUPPORTED_IE7="At least Internet Explorer 7.0"

; Additional strings that will be used to generate Online Help
ADM_TITLE="Group Policy settings for Internet Explorer"
USER="User Configuration"
COMPUTER="Computer Configuration"
COMPUTER_Explain="Contains settings that may only be used to configure Computers"
USER_Explain="Contains settings that may only be used to configure Users"
SUPPORTEDON="Requirements:"

Wednesday, August 27, 2008

Windows XP Service Pack 3 Blocker Template

As an administrator of several branch offices with many dispersed systems, I rely heavily on Group Policy and WSUS (Windows Server Update Services - http://technet.microsoft.com/en-us/wsus/default.aspx) to handle updates. Sometimes there are updates that are not ready for our production environment. One of the more recent updates that we are not ready for is Windows XP Service Pack 3 (http://technet.microsoft.com/en-us/windows/bb794714.aspx). A list of some of the problems can be found on Michael Horowitz's blog, "Defensive Computing" (http://news.cnet.com/dont-install-windows-xp-service-pack-3-yet/). To keep it out, I imported an ADM (administrative) template that blocks the installation of Service Pack 3 on our Windows XP workstations. Microsoft actually provides the template; it can be found at http://www.microsoft.com/downloads/details.aspx?FamilyId=D7C9A07A-5267-4BD6-87D0-E2A72099EDB7&displaylang=en. The template sets the REG_DWORD value DoNotAllowSP under the key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. Setting it to 1 (Enabled in the Group Policy Editor) blocks delivery of this service pack through Windows Update and Automatic Updates. It does not stop a local administrator from installing the service pack manually from a download or media, so treat it as a scheduling control rather than an enforcement one.
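Both the IE7 template above and the Service Pack 3 blocker work by writing a single REG_DWORD under HKLM\Software\Policies. The script below is an added example, not part of either post or of Microsoft's templates: it reads those two values from a list of computers over the remote registry and reports which machines the policies have actually reached. It assumes PowerShell 2.0 or later on the admin workstation, the Remote Registry service running on each target, local administrator rights there, and a constructed computers.txt with one hostname per line.

```powershell
# Added example: audit whether two policy-backed registry values have landed.
# Assumes Remote Registry is reachable and the caller is an admin on each host.

# Expected values, keyed by the HKLM subkey that holds them. Both are
# REG_DWORD = 1 when the corresponding policy is Enabled.
$expected = @(
    @{ Key  = 'Software\Policies\Microsoft\Internet Explorer\Security'
       Name = 'DisableSecuritySettingsCheck'; Value = 1 },
    @{ Key  = 'Software\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DoNotAllowSP'; Value = 1 }
)

function Test-PolicyValue {
    param(
        [string]$ComputerName,
        [string]$Key,
        [string]$Name,
        [int]$Value
    )
    $result = New-Object PSObject -Property @{
        Computer = $ComputerName
        Name     = $Name
        Expected = $Value
        Actual   = $null
        Status   = 'Unknown'
    }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $sub  = $hklm.OpenSubKey($Key)
        if ($sub -eq $null) {
            # Keys under HKLM\Software\Policies are created only when a policy
            # writes to them, so a missing key means the GPO never applied here.
            $result.Status = 'KeyMissing'
        } else {
            $result.Actual = $sub.GetValue($Name)
            if ($result.Actual -eq $null)      { $result.Status = 'ValueMissing' }
            elseif ($result.Actual -eq $Value) { $result.Status = 'OK' }
            else                               { $result.Status = 'Mismatch' }
            $sub.Close()
        }
        $hklm.Close()
    } catch {
        # Usually RPC unavailable (host down, firewall) or access denied.
        $result.Status = 'Error: ' + $_.Exception.Message
    }
    $result
}

# computers.txt is a constructed input: one hostname per line.
$computers = Get-Content .\computers.txt
$report = foreach ($c in $computers) {
    foreach ($e in $expected) {
        Test-PolicyValue -ComputerName $c -Key $e.Key -Name $e.Name -Value $e.Value
    }
}

$report | Select-Object Computer, Name, Expected, Actual, Status |
    Export-Csv .\policy_audit.csv -NoTypeInformation

# Anything not OK is a machine the GPO has not reached: it still shows the
# "Fix My Settings" bar, or can still receive SP3 through Automatic Updates.
$report | Where-Object { $_.Status -ne 'OK' } |
    Format-Table Computer, Name, Actual, Status -AutoSize
```

A KeyMissing result on a machine that should be in scope usually means the computer is in the wrong OU or the GPO's security filtering excludes it; gpresult on that machine will tell you which.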

Tuesday, August 26, 2008

Event ID 1030 & 1058: Can't Access the File GPT.INI

For some time, two (only two) of our domain controllers have been logging the following errors every 5 minutes:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 8/26/2008
Time: 11:24:10 AM
User: NT AUTHORITY\SYSTEM
Computer: ComputerName
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


and

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 8/26/2008
Time: 11:24:10 AM
User: NT AUTHORITY\SYSTEM
Computer: ComputerName
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com. The file must be present at the location <\\domain.com\sysvol\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


After many hours of research, I tried each of the following to fix the errors, with no success:
  1. The Domain.com\Domain Controllers group had been added manually to the security of the GPT.ini file - removed this, as it is not the default setting
  2. Added the Everyone group to the Default Domain Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment ---- REMOVED ---- as this did not fix the problem
  3. Removed DNS servers that are no longer running DNS
  4. Added the registry value WaitForNetwork (DWORD) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set it to 1
None of these changes corrected the problem. Finally, after reading the following article: http://support.microsoft.com/kb/840669 (which says it only applies to Windows 2000, Windows XP SP1 and SP2), I added the registry value GpNetworkStartTimeoutPolicyValue (DWORD) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set to decimal 60, on each of these servers.

According to the article, "If the TCP/IP protocol registers with NDIS before the network adaptor driver, for a short time it prompts higher user mode networking components that network connectivity is not available. During this short time, the Group Policy startup script cannot be downloaded." Reading on, "This problem is more likely to occur on fast networks that use 1-gigabit network adaptors or in teaming environments where the network takes several additional cycles to negotiate link speed."

Both of these conditions are true on these servers:
  1. They have teamed network cards
  2. They have gigabit ethernet cards
After setting the Registry key, I rebooted and the errors have not returned.
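The fix above is one registry value plus a reboot, and the proof is that the 1030/1058 pairs stop appearing. The script below is an added example, not part of the original post: from an admin workstation it sets GpNetworkStartTimeoutPolicyValue on each affected domain controller and then counts Userenv 1030/1058 events in their Application logs since the restart, so the result is confirmed by the log rather than by impression. It assumes PowerShell 2.0 (for Get-EventLog -ComputerName), the Remote Registry service on the targets, administrator rights there, and uses DC1/DC2 and the restart time as constructed placeholders.

```powershell
# Added example: apply the KB 840669 timeout remotely, then measure whether
# the Userenv 1030/1058 errors have stopped. DC1/DC2 are placeholders.
$dcs = 'DC1', 'DC2'
$winlogonKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-GpNetworkStartTimeout {
    param([string]$ComputerName, [int]$Seconds = 60)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey($winlogonKey, $true)   # $true = open writable
    # REG_DWORD, decimal seconds to wait for the network at startup. The KB
    # uses 60 for gigabit and teamed adapters that are slow to negotiate link.
    $key.SetValue('GpNetworkStartTimeoutPolicyValue', $Seconds,
                  [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    $hklm.Close()
    # The value is read at boot, so the DC must be restarted before it applies.
}

function Get-GpErrorCount {
    param([string]$ComputerName, [datetime]$Since)
    # Userenv writes 1030 and 1058 to the Application log as a pair on every
    # failed policy refresh (every 5 minutes on a DC while the fault lasts).
    $events = Get-EventLog -ComputerName $ComputerName -LogName Application `
                  -Source Userenv -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1030 -or $_.EventID -eq 1058 }
    New-Object PSObject -Property @{
        Computer = $ComputerName
        Since    = $Since
        Errors   = @($events).Count
    }
}

# Step 1: set the value on each DC, then restart them in a maintenance window.
foreach ($dc in $dcs) { Set-GpNetworkStartTimeout -ComputerName $dc -Seconds 60 }
# Restart-Computer -ComputerName $dcs -Force    # uncomment when ready to reboot

# Step 2: once the DCs are back and a few refresh cycles have passed, count
# errors since the restart. Zero for every DC confirms the fix; the same call
# with -Since set a day earlier shows the "before" rate for comparison.
$restartedAt = Get-Date '2008-08-26 12:00'    # constructed: when the DCs came back
foreach ($dc in $dcs) { Get-GpErrorCount -ComputerName $dc -Since $restartedAt }
```

If the count is not zero after the change, the 1058 text names the exact gpt.ini path and GUID, so the next check is whether the DC can open that UNC path itself as SYSTEM (for example with psexec -s) before looking at the timeout again.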

Wednesday, August 20, 2008

MSDTC: Cluster Failure

We experienced a problem with one node of our Windows Server 2003 cluster, which serves a dual purpose: file sharing and Active Directory services. In fact, one of the nodes holds our FSMO roles. The cluster is normally set up so the PDC emulator is the passive node. Unfortunately (and to this day I'm not exactly sure why), the primary node (let's call it DC1) would no longer start the MSDTC resource, which caused the cluster to fail over to the passive node (DC2 - the PDC). This caused quite a problem, for two reasons:
  1. No redundancy for the clustered resources, as one of the nodes was unusable.
  2. The active node owns several IP address resources that, when they land on the PDC, cause numerous errors because the PDC is now multihomed.
It took quite some time for me to figure out what the problem was. There were many different (seemingly unrelated) errors in the System Log, Application Log, and the DFS Replication Log. I tried to stick with the original problem at hand: the MSDTC resource would not operate on DC1. While developing my course of action, I found that something was not configured according to the Microsoft documentation on setting up the MSDTC resource: "How to configure Microsoft Distributed Transaction Coordinator on a Windows Server 2003 Cluster" - http://support.microsoft.com/kb/301600. The article is very adamant that Network DTC access must be installed and configured before starting the MSDTC resource.

To accomplish this requires installing a Windows component through Add/Remove Programs and then configuring it. The instructions for "How to enable network DTC access in Windows Server 2003" are located here: http://support.microsoft.com/kb/817064/. Since completing all of these things, the MSDTC service has been running smoothly. I have been able to fail it over several times and there have been no related errors for the Clussvc.

Some additional notes about this problem: it logs many errors that do not obviously point at MSDTC. An explanation of what I found is below:
  • System Log
    • 1137: Clussvc - Event Logger - event log was filling up with events due to a bigger, yet unknown problem
    • 5775: Netlogon - due to multihomed PDC
  • DFS Replication Log
    • 1202: DFSR - failed to contact DC to access configuration information. Replication is stopped.
Currently, I am still receiving 1058 and 1030 errors in the Application Log, but I should be able to get this worked out now that the cluster is stable.

Thursday, August 14, 2008

PowerShell Error Handling

When writing any script, there needs to be some level of error handling, if for no other reason than to make it easier to debug when there is a problem. The easiest and most basic form of error handling I have found is the $? variable. It contains $true if the last command succeeded and $false if it did not. I use it a lot in conditional statements when looping. For example, when looping through an array:

foreach ($objObject in $colObjects) {
    # run the command that might fail here, then test $? straight away
    if (!$?) {
        # continue skips the rest of this iteration and moves to the next
        # object. Calling $foreach.MoveNext() here instead advances the
        # enumerator by hand, so the object after the failed one is skipped too.
        continue
    }
    else {
        # do some processing here
    }
}

I used this in my script for exporting mailbox statistics from Exchange (see post: PowerShell - Mailbox Size to CSV). I had some problems with aliases not being unique and it was causing the script to error. To avoid this, I simply said if there was any error, move to the next record.

Another variable worth knowing is $LASTEXITCODE, which holds an integer rather than true or false. It is set only by native programs (ping.exe, robocopy.exe, cmd.exe and so on), not by cmdlets: it contains the exit code of the last native program that ran, where 0 conventionally means success and any other value is a failure code defined by that program. Because cmdlets never touch it, test $? after a cmdlet and $LASTEXITCODE after an external command.

Both are automatic variables built into PowerShell, so you never assign them yourself; much like Err.Number in VBScript, the engine sets them after each command.
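The distinction between $? and $LASTEXITCODE is easy to get wrong, so here is an added example (not from the original post) that provokes both kinds of failure deliberately and then shows the skip-on-error loop with continue. The non-existent path, the exit code 3 and the directory list are constructed inputs.

```powershell
# Added example: what $? and $LASTEXITCODE each report, and a loop that skips
# failed items. The failing path and exit code are constructed on purpose.

# 1. A cmdlet that raises a non-terminating error: $? becomes $false.
#    -ErrorAction SilentlyContinue hides the red text but does not change $?.
$null = Get-Item 'C:\this\path\does\not\exist' -ErrorAction SilentlyContinue
$cmdletFailed = -not $?                 # $true

# 2. A native program: $LASTEXITCODE receives its exit code (3 here), and
#    $? is $true only when that code is 0.
cmd.exe /c exit 3
$nativeCode   = $LASTEXITCODE           # 3
$nativeFailed = -not $?                 # $true

# 3. A later cmdlet resets $? but leaves $LASTEXITCODE alone, so reading
#    $LASTEXITCODE after a cmdlet says nothing about that cmdlet.
$null = Get-Date
"cmdlet failed: $cmdletFailed; native code: $nativeCode; native failed: $nativeFailed"
"after Get-Date: `$? = $?; `$LASTEXITCODE still = $LASTEXITCODE"   # True; 3

# 4. Skipping a failed item inside a loop. `continue` ends this iteration
#    only; $foreach.MoveNext() would also consume the next item unseen.
$paths = 'C:\Windows', 'C:\no\such\dir', 'C:\Windows\System32'   # constructed
$counts = foreach ($p in $paths) {
    $files = Get-ChildItem -Path $p -ErrorAction SilentlyContinue
    if (-not $?) {
        Write-Warning "Skipping $p (Get-ChildItem failed)"
        continue
    }
    New-Object PSObject -Property @{ Path = $p; Files = @($files).Count }
}
$counts | Format-Table Path, Files -AutoSize
```

The one rule that matters in practice: test $? on the very next line after the command you care about, because every subsequent command overwrites it.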

PowerShell - Mailbox Size to CSV

Unfortunately, we don't have the luxury of a software package that provides reporting on our mailbox sizes and statistics, like Quest's MessageStats (http://www.quest.com/messagestats/). So I had to devise a way to get the statistics my boss requested for all users' mailbox sizes. The information requested included:
  • Display Name
  • Department
  • Total Items
  • Mailbox Size (MB)
All of this information needed to be put into a CSV file that could later be used for analysis using Excel.

There are two cmdlets needed to access this data:
  • get-mailbox
  • get-mailboxstatistics
It is possible to pass the output of one command to the other by piping (|) it, but I couldn't make this work because I needed to aggregate the data for each user. To address this, I created a collection of the mailboxes, then, as I looped through the collection, built a row from the $colMailboxes collection (information from the get-mailbox cmdlet) and the $mailboxStats object (information from the get-mailboxstatistics cmdlet). For each mailbox the script creates a string and writes it to the output, which is redirected to a file when the script runs.

#the script writes CSV rows to standard output; redirect it to a file when running

#create object of mailboxes
$colMailboxes = get-mailbox -resultsize unlimited

$strHeaders = "Display Name, Department, Total Items, Mailbox Size (MB)"
write-output $strHeaders

foreach ($objMailbox in $colMailboxes) {
     $mailboxStats = get-mailboxstatistics -identity $objMailbox.alias
     #if there is an error (for example a duplicate alias) or no statistics
     #(a mailbox that has never been logged on to), skip this mailbox
     if(!$? -or $mailboxStats -eq $null){
          continue }
     else{
          #quote the text fields so a comma in a display name does not break the CSV
          #note: get-mailbox exposes Office, not Department (Department is on get-user)
          $strOutput = '"' + $objMailbox.DisplayName + '","' + $objMailbox.office + '",' + $mailboxStats.ItemCount + "," + $mailboxStats.TotalItemSize.value.toMB()
          write-output $strOutput
     }
}


I saved this as mailbox_size_toCSV.ps1. When running the script, redirect the output to a file:

./mailbox_size_toCSV.ps1 | out-file mbstats.csv

There are probably several things that I could do to improve this script, but it works for me and was pretty easy to put together.
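One of those improvements is to stop building CSV text by hand. The version below is an added example, not the post's script: it builds one object per mailbox and lets Export-Csv handle the quoting, pipes the mailbox object into Get-MailboxStatistics so a duplicate alias cannot resolve to the wrong mailbox, and pulls Department from Get-User, which exposes it where Get-Mailbox does not. It assumes the Exchange 2007 Management Shell and a mailbox-read role; the output path mbstats.csv is kept from the post.

```powershell
# Added example: the same report built from objects rather than strings.
# Requires the Exchange 2007 Management Shell.
$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Pipe the mailbox object itself; its identity is unique, so duplicate
    # aliases cannot make Get-MailboxStatistics error out or pick the wrong one.
    $stats = $mbx | Get-MailboxStatistics -ErrorAction SilentlyContinue
    if (-not $? -or $stats -eq $null) {
        # Mailboxes never logged on to return a warning and no statistics.
        Write-Warning ('No statistics for ' + $mbx.DisplayName)
        return    # inside ForEach-Object, return moves on to the next mailbox
    }

    # Department lives on the user object, not the mailbox object.
    $user = Get-User -Identity $mbx.DistinguishedName -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        'Display Name'      = $mbx.DisplayName
        'Department'        = $user.Department
        'Total Items'       = $stats.ItemCount
        'Mailbox Size (MB)' = $stats.TotalItemSize.Value.ToMB()
    }
}

# -Property hashtables are unordered; Select-Object fixes the column order and
# Export-Csv quotes every field, so "Smith, John" survives as one column.
$report |
    Select-Object 'Display Name', 'Department', 'Total Items', 'Mailbox Size (MB)' |
    Sort-Object 'Mailbox Size (MB)' -Descending |
    Export-Csv -Path .\mbstats.csv -NoTypeInformation
```

Because the output is objects until the last line, the same pipeline can feed Where-Object (mailboxes over 500 MB, one department only) without touching the report format.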

Help and Support Service is Missing

If the Help and Support service is ever missing from the Services snap-in, there are two things that can be tried to fix it.
  1. Download helpsvc.zip from http://windowsxp.mvps.org/reg/helpsvc.zip. Extract the file, open it in Notepad and review what it writes before merging registry data from a third-party site, then double-click it, answer Yes and reboot.
  2. Go to %systemroot%\inf and locate the file named pchealth.inf. Right-click this file and choose Install. This forces a reinstall of the entire Windows Help and Support system. Reboot.


File Server Resource Manager Not Working

The symptoms were:
  1. The File Server Resource Manager service doesn't start
  2. The File Server Resource Manager snap-in doesn't display information about the server (it shows the message "Unable to connect to File Server Resource Manager...")
All of this appears (from what little information I was able to find on the web) to stem from the fact that a 64-bit R2 disc was used on a 32-bit installation of Windows Server 2003. To correct the problems, I followed these steps:
  1. Compared the file %systemroot%\system32\dfsext.dll on this server with the one on another 32-bit install. The file size was 96KB on mine and 42KB on the other server. I copied the file over to my server and, magically, the service would start. There was no need to register the DLL with regsvr32.exe.
  2. Compared the file %systemroot%\system32\srmsvc.dll on my server with the one on another 32-bit install. The file size was exactly the same, and even the dates were the same. Initially I didn't copy this file as it looked identical. After 2 hours of messing with this, I finally revisited this file and decided to copy it over anyway. I stopped the File Server Resource Manager service and copied the file. I did register this file using regsvr32. The file registered and I restarted the File Server Resource Manager service, opened the snap-in and it worked perfectly. (Matching size and date do not prove matching contents; fc /b or a hash comparison of the two files would have shown the difference at once.)
Hopefully I will never see this problem again, but if I do I now know how to fix it; this time it took around 3 hours.

Tuesday, August 12, 2008

Reset the Directory Services Restore Mode Password: Windows Server 2003

There are several situations in which this password may need to be changed. These include:
  1. An administrator leaving the company
  2. The server was not set up to standard
  3. To ensure that you know what the password is
Additionally, a backup of AD is only as good as your ability to restore it. One of the very important items needed (in addition to a good backup) is the Directory Services Restore Mode password: you must log on with it to boot the domain controller into DSRM, and without it the directory cannot be restored. More than likely, you won't be in a position at that time to change the password.

To change the password, run the ntdsutil utility at the command line (or from Start->Run) and enter:
ntdsutil: set dsrm password

This starts the password reset utility. At this point you can reset the password on a remote machine or on the local machine. To reset the password on a remote machine, enter the command:
Reset DSRM Administrator Password: reset password on server <server name>

Use "null" to reset the local machine's password:
Reset DSRM Administrator Password: reset password on server null

You will be prompted to enter the new password and to confirm it:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.

That's it. Record the new password somewhere the restore team can reach it without the directory being available, since that is exactly the situation in which it is needed.

Wednesday, August 6, 2008

SQL 2005 Database Schema

I needed a way to view the schema of a database (all tables, columns, data types, etc.) and I found a blog (http://www.digitalmediaminute.com/article/1278/printing-sql-server-database-schema) that provides a quick way to get this. It is a classic ASP page that you drop into IIS; change the server name, database name, user ID and password, and boom! You now have a web page that quickly displays the schema. This is great for printing, discussing, saving, or comparing against another database. Two cautions before leaving it on a server: the page stores a SQL login and password in plain text, so give it a read-only login scoped to that one database, and anyone who can browse to the page can read your whole schema, so keep it off servers reachable by people who shouldn't see it and remove it when you're done.
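The same listing can be produced without a web page or a stored password. The script below is an added example, not from the post or the linked article: it queries the read-only INFORMATION_SCHEMA views on SQL Server 2005 from PowerShell over ADO.NET with Windows authentication, then prints the schema and saves it as CSV for comparison. The server and database names are constructed placeholders; it assumes the caller's Windows account has at least db_datareader (or VIEW DEFINITION) on the database.

```powershell
# Added example: dump table/column schema from SQL Server with integrated
# authentication. SQLSERVER01 and Northwind are placeholders.
$server   = 'SQLSERVER01'
$database = 'Northwind'
$connStr  = "Server=$server;Database=$database;Integrated Security=SSPI"

# One row per column; TABLE_TYPE distinguishes base tables from views.
$query = @"
SELECT t.TABLE_SCHEMA, t.TABLE_NAME, t.TABLE_TYPE,
       c.ORDINAL_POSITION, c.COLUMN_NAME, c.DATA_TYPE,
       c.CHARACTER_MAXIMUM_LENGTH, c.NUMERIC_PRECISION, c.NUMERIC_SCALE,
       c.IS_NULLABLE, c.COLUMN_DEFAULT
FROM INFORMATION_SCHEMA.TABLES t
JOIN INFORMATION_SCHEMA.COLUMNS c
  ON c.TABLE_SCHEMA = t.TABLE_SCHEMA AND c.TABLE_NAME = t.TABLE_NAME
ORDER BY t.TABLE_SCHEMA, t.TABLE_NAME, c.ORDINAL_POSITION
"@

$conn    = New-Object System.Data.SqlClient.SqlConnection $connStr
$adapter = New-Object System.Data.SqlClient.SqlDataAdapter $query, $conn
$schema  = New-Object System.Data.DataTable
$conn.Open()
try     { $null = $adapter.Fill($schema) }
finally { $conn.Close() }

$columns = 'TABLE_SCHEMA', 'TABLE_NAME', 'TABLE_TYPE', 'ORDINAL_POSITION',
           'COLUMN_NAME', 'DATA_TYPE', 'CHARACTER_MAXIMUM_LENGTH',
           'NUMERIC_PRECISION', 'NUMERIC_SCALE', 'IS_NULLABLE', 'COLUMN_DEFAULT'

# Same uses as the ASP page: read it, print it, save it.
$schema | Format-Table TABLE_NAME, COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE -AutoSize
$schema | Select-Object $columns | Export-Csv ".\$database-schema.csv" -NoTypeInformation
```

Run it once against each of two databases and diff the two CSV files to get the "comparison of another database" the post mentions, with nothing left behind on a web server.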