Sunday 28 February 2010

Fine Grained Password Policy in WS2008; Virtualising Servers in Hyper-V; Windows 7 WAIK; Integris on Windows 7

Before Windows Server 2008 your Windows domain could only have one password policy for the whole domain, even though the password policy settings appear in any GPO. Only the settings in the Default Domain policy would actually be applied. One of the advances of Windows Server 2008 is to allow multiple password policies to be applied, generally to a specific group of users. The official UI isn’t too hot just yet. I used a tool from Christoffer Andersson as an alternative to the tedious process of setting up the password policy in ADSIEdit (which requires certain fields to be encoded in a very specific way). The domain functional level must be at least Windows Server 2008. This is readily accomplished since now we have two WS2008 DCs, but I had to raise it from WS2003 where it was when DC01 was a WS2003 R2 server. Then I started testing it out. One small but important point to note is that just putting a user into the group doesn’t force them to comply immediately. The policy is not actually enforced on an existing user until the next time they change their password. So the way to ensure this is to check the box for a password change at next logon in the user’s account settings each time you add a user to the group. The FGPP will let us have a stronger password policy for remote login users to ensure there is less chance of their account being compromised.
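As an added illustration (not part of the original post, and not the tool mentioned above): the time-valued attributes of a password settings object are stored as negative counts of 100-nanosecond intervals, which is the encoding that makes ADSIEdit entry tedious. The sketch below builds an LDIF file that creates a policy, links it to one group and sets `pwdLastSet` to 0 on the members so that the policy takes effect at their next logon; the domain, group and user names and the policy values are constructed.

```python
from datetime import timedelta

def ad_interval(delta):
    """Duration -> negative count of 100-nanosecond ticks, as PSO time attributes expect."""
    if delta < timedelta(0):
        raise ValueError("duration must not be negative")
    return -((delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10)

def pso_ldif(name, domain_dn, group_dn, member_dns, precedence=10, min_length=12,
             history=24, min_age=timedelta(days=1), max_age=timedelta(days=42),
             lockout_threshold=5, lockout_window=timedelta(minutes=30),
             lockout_duration=timedelta(minutes=30)):
    """Build LDIF that creates the PSO, links it to one group and flags its members."""
    if min_age >= max_age:
        raise ValueError("minimum password age must be shorter than the maximum")
    lines = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {history}",
        "msDS-PasswordComplexityEnabled: TRUE",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {ad_interval(min_age)}",
        f"msDS-MaximumPasswordAge: {ad_interval(max_age)}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {ad_interval(lockout_window)}",
        f"msDS-LockoutDuration: {ad_interval(lockout_duration)}",
        f"msDS-PSOAppliesTo: {group_dn}",
        "",
    ]
    # pwdLastSet = 0 is what the "change password at next logon" checkbox stores.
    for dn in member_dns:
        lines += [f"dn: {dn}", "changetype: modify", "replace: pwdLastSet",
                  "pwdLastSet: 0", "-", ""]
    return "\n".join(lines)

# Constructed sample names; substitute your own domain, group and users.
DOMAIN = "DC=school,DC=example"
GROUP = f"CN=Remote Login Users,OU=Groups,{DOMAIN}"
MEMBERS = [f"CN=Alice Example,OU=Staff,{DOMAIN}", f"CN=Bob Example,OU=Staff,{DOMAIN}"]

if __name__ == "__main__":
    print(pso_ldif("RemoteLoginPSO", DOMAIN, GROUP, MEMBERS))
```

The printed text can be saved to a file and imported on a domain controller with `ldifde -i -f <file>`.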

We set our TS up from scratch again by making it a virtualised server. This is another step in the direction of making all our servers virtualised, running under Hyper-V. By the end of the year instead of four physical servers, we will have two Hyper-V servers running about six virtual servers. In everyday use the workload of the virtual servers will be distributed across the two servers but if one of them breaks down then in theory the other should be able to pick up most of the load. I am really looking forward to having everything virtualised because it nearly means an end to downtime when a server has to be shut down. Just move the VM to another server and have everything back in action real quick while maintenance is performed at your leisure; in fact the maintenance can be done in ordinary working hours.

This week I downloaded the new WAIK for Windows 7. That was something of an ordeal. It took four goes to get it to download completely so that it would install. Finally I managed to get one that would work, and that’s a big thing with a 1.7 GB download. As I am installing it on an x64 workstation it will only be able to build Windows 7 images for x64. I’m also installing it on Vista x86 on the Vista boot disk of my dual boot Vista-7 workstation and that will be able to build x86 images should that ever prove necessary. The Vista disk also has Windows PE 2.0 already on it from the previous WAIK and I have used this a lot with boot CDs and very recently learned how to inject drivers into it, which came in handy big time when I had to ghost a server with special RAID drivers. We are, however, not likely to build any new images for anything except Windows 7 x64 now because it is my full intention to only use x64 because that is the way of the future.

I am looking at a more expensive option for rebuilding my home PC. This is to go for the bleeding edge and choose an LGA1156 board and CPU, which is superseding LGA775. Since LGA1156 is pretty new, it is still relatively expensive; these options will push the overall cost to about $500. The board does have other useful higher end features like DVI and HDMI outputs, eSATA connectors, but not FireWire which one of the LGA775 boards I looked at provided. Obviously the more powerful the system is, the longer it will be of use. I am about to order the power supply (Enermax Tomahawk 400W) which is $80. I have recently purchased a new Acer 17” screen which is a huge step up for my home computer over the Philips glass CRT.

If you use RM Integris Classic SMS in your school, you’re probably wondering about its compatibility with Windows 7. When I was testing the 7 RC, I tried the install of Integris onto x64 and found no problems. I was therefore surprised to experience crashes when installing the latest NZ release (6.91.10) onto both Windows 7 Pro x64 and our Windows Server 2008 R2 Terminal Server. The specific problem experienced is at startup when an error dialog comes up stating

Quitting Omnis due to unrecoverable error: Insufficient memory available.

When I searched Google I found people referring to problems with corrupted printer drivers. In the terminal server, I disabled the Print Spooler service and have had no more problems. Of course, this is a temporary fix; since there is only one printer installed, the Microsoft XPS Document Writer, I will have to try uninstalling that to see if it resolves the problem. The most important issue for Integris users is that the NZ edition has a core module that isn’t certified for Windows 7 and will have to be updated to a later edition, and I have been advised that this probably won’t take place until the middle of this year. So the current edition of Integris is not W7 certified.

Thursday 18 February 2010

Windows 7 now available in MOE schools deal

Since the Windows 7 RC came out we have run it in a variety of systems. While it is good, it is not the gold release version of Windows 7 and has a few bugs. And from March 1, it will start to shut down every two hours on PCs where it is still installed. So it was with some pleasure that I recently downloaded the full release of Windows 7 from Microsoft’s web site along with the MAK key for our school to use for installing on our PCs, which has now started in earnest. After the well-known problem with lack of display drivers for Intel D915 chipsets, it was a pleasant surprise to install W7 Pro onto an Intel D101GGC board, which replaces the Intel chipset with the ATI Radeon Xpress 200 with a Radeon X300 graphics set. Drivers up to Vista x64 have been released for this chipset which means it has very good support under W7 for Aero and so on although the driver does not fully support the latest features of W7. So far all of our installations of 7 are 64 bit which works well as a dual boot with the 32 bit editions of either XP or Vista. Naturally I am also setting up virtual machines. Sysinternals have released a great tool for turning a physical HDD volume into a VHD. It has worked well with XP up to now but when it comes to Vista or 7, I have to work out how to use the new Sysprep tools with it to generalise the image. So because at the moment I don’t have time to set up the new Sysprep, I will just create a couple of new images from scratch; this is much easier to do than physical machines because we have the boot image as an ISO file already and you just hook it onto the VM and start it up. I can even do two or three at once.

I presume we will get Office 2010 in due course, maybe at renewal date next year. Software Assurance should also give us Windows Fundamentals for Legacy PCs, a stripped down version of XP that can be used as a Terminal Services client. This obviously gives the attraction of the possibility of making some of our older PCs last longer by hooking them onto a terminal server.

On the home front I am making a start soon to rebuild my old PC. Actually I will get another old chassis from work and refit it with new power supply, motherboard, CPU and RAM. I estimate the parts by the excellent deals we get from our school community will cost me around $350 or so and this is for an Intel brand motherboard, a dual core CPU that can do hardware virtualisation, and 2 GB of RAM to start with (adequate for home use). Of course the chassis has to be in good condition and I need to bring across my HDDs and so on. But it is a good way to get practically a new PC at a good price and just as a prelude I have bought an LCD screen for my home PC so that I have the higher resolution and the superior picture quality and all the advantages over CRT for the work I am now doing by remotely logging in to our systems.

Monday 1 February 2010

Nasty crashes in Word (probably all MS Office) if the user’s Documents folder cannot be found

Note that this could happen if the folder exists but the permissions are set such that the folder is inaccessible to some degree. Experience has taught me that Office suite programs are pretty poor at handling permission restrictions like a user has only Read and Execute rights on a folder. This latest problem with Word appears to be an extension of this and it is deplorable that Microsoft can’t produce application software that correctly handles some of the most fundamental features of its own operating systems.

In this case, the user’s home path was set incorrectly in their user account properties and was non-existent. This meant that the Documents folder could not be found. When the user tried to save a document, Word simply crashed. I have spent the best part of two days trying to resolve this problem which was obviously user dependent. Office has been installed and uninstalled numerous times, the laptop has been reimaged, the user’s profile dropped and recreated several times, etc. It was becoming clear I would have to try one more step, a new user account. Before I did this I tried logging on as a different user and it quickly became clear the default Save location is their Documents folder. Then checking the settings for the problem user account, it became clear they did not have such a folder. As soon as that was fixed the problem went away. Note that Office Diagnostics could not solve this problem.