Thursday, April 28, 2011

"Extra Registry Settings" GPOs

Recently went to add some trusted sites to an existing IE GPO on a Windows 2003 DC. Found the GPO and the sites already in there were listed in the Settings tab under "Computer Configuration\Administrative Templates\Extra Registry Setting".

However... when I went to EDIT that GPO there was no "Extra Registry Settings" under Computer Configuration\Administrative Templates. Looked all over and couldn't find it anywhere!

Eventually came upon this gem on MS Technet:
When searching for a given .adm file, GPMC will only use the first .adm file it finds in the listed search order. If there are policy settings in the GPO for which no .adm file can be found, these settings will be displayed in the report in a section called “Extra Registry Settings” which displays the registry keys and values for those settings.

Found a DC that was running Windows 2008 and tried editing the GPO and what do you know, the "Extra Registry Settings" were not there, but there was a looooong list of other settings, one being named "Policy: Site to Zone Assignment List" under "Computer Configuration\Admin Templates\Windows Components\Internet Control Panel\Security Page\". The existing trusted sites were in it so just added the new ones and did a gpupdate and was ready to go.

Wednesday, April 27, 2011

Exchange 2007 Public Folder Permissions

To grant a group permissions on an Exchange 2007 public folder the group MUST be mail enabled. To do this you must first create a Universal Security group and then mail-enable the group via Exchange Management console/shell. Once these two steps are complete you will be able to assign permissions via Outlook or Exchange management shell.

As a final step I recommend hiding the group from the GAL via Exchange Management Console > Recipient Configuration > Distribution Groups > GroupName properties and finally Advanced tab.

Monday, April 25, 2011

Mac RDP and Time Zone Redirection

This issue is becoming more and more popular as an increasing number of users have been accessing terminal servers from the Mac RDP client.

The Mac RDP client does not forward the client time zone correctly. When Mac RDP clients connect to Windows 2008 or Windows 7 computers remotely, the system time appears to be correct, but it's really set to "(GMT -07:00) Unknown time zone" [May be different for those outside of PST]. This issue is most apparent when launching Outlook and looking at calendar appointment times.

Server 2008 and Windows 7 include a utility called tzutil that you can use to update the time zone. Example: TZUTIL /s "Pacific Standard Time"

Or this can be resolved by turning off the TS Time Zone Redirection GPO, but then all users get same time zone:

GPO for it:
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Allow time zone redirection


Edit: Aforementioned GPO is location on a Server 2003 DC, for Server 2008 DC look in: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection

Friday, April 22, 2011

Turn off Windows 7 Error Reporting

Get a lot of these?
Heres how to disable it in Windows 7

Start > Control Panel > All Control Panel Items > Action Center > Change Action Center settings > Problem reporting Settings:

For the domain administrators out there, to disable via GPO try:

Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting

Disable Windows Error Reporting:
“If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Action Center control panel.”

Check Computer BIOS version remotely

Just learned how to do this, thought it would be helpful to share:

Start > Run > msinfo32 from another machine on the network

View > Remote computer… and enter your target machine

Enable Remote Desktop... REMOTELY!

I often need to RDP to a client's computer from another machine on the domain, however it becomes problematic when RDP is not enabled on their machine. Well here is a registry hack that you can do to enable RDP ... wait for it... REMOTELY!

1.Logon to a machine on the same network as as a domain admin:Start > run > regedit.
**Insert cautionary registry editing warning here**

2.From regedit: File > Connect Network Registry… > Input the computer name you need to enable RDP on and click OK

3.Navigate to the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server key and change the “fDenyTSConnections” REG_DWORD value from 1 TO 0 (Remote Desktop enabled)

4.Reboot the target machine from command prompt with: “shutdown /m \\computername /r” MAKE SURE YOU USE THE /m FLAG OTHERWISE YOU COULD ACCIDENTALLY REBOOT THE SERVER!

5.RDP to their machine

6.Send Mike a cookie

I would assume this goes without saying, but just in case, the target computer must be connected to the same network as the machine you are on.

Make Windows 7 Explorer open My Computer

Right click the explorer icon on the task bar > Right click windows explorer and select properties

Change “%SystemRoot%\explorer.exe” to:

%SystemRoot%\explorer.exe /root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

To make all new explorers open My Computer and then anything from there will open in a new explorer window.


%SystemRoot%\explorer.exe ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

To make all new explorers open My Computer and then anything from there will open in the same explorer window.

Convert scanned form to Fillable PDF

I found this site online:

Tested and I was able to create some fields and then download the pdf and it all worked. (Note: only for pdfs < 5mb and < 50 pages)