Archive for the ‘windows server’ Category

How can I delete the Recovery Console?

July 20, 2008


To delete the Recovery Console follow these steps:

  1. Open My Computer.

  2. Double-click the hard drive on which you installed the Recovery Console.

  3. On the Tools menu, click Folder Options.

  4. Click the View tab.

  5. Click Show hidden files and folders, clear the Hide protected operating system files check box, and then click OK.

  6. At the root directory, delete the \Cmdcons folder.

  7. At the root directory, delete the file Cmldr.

  8. At the root directory, right-click the Boot.ini file and then click Properties.

  9. Clear the Read-only check box, and then click OK.

  10. Open Boot.ini in Notepad, and remove the entry for the Recovery Console. It will look similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

  11. Save the file and close it.
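Steps 8 to 11 above done in code, as an added example that is not part of the original post: a small parser that drops the Recovery Console entry from boot.ini while leaving every other line untouched. The sample boot.ini is constructed; the file path handling in rewrite_bootini is an assumption about a standard ANSI boot.ini.

```python
import os
import re
import stat

# Any entry referencing cmdcons: the bootsect.dat path or the /cmdcons switch.
CMDCONS_RE = re.compile(r"cmdcons", re.IGNORECASE)


def remove_recovery_console_entry(bootini_text):
    """Return (new_text, removed_lines) with the Recovery Console entry dropped.

    Only lines in the [operating systems] section that reference cmdcons are
    removed; the [boot loader] section and every other entry are preserved
    unchanged (line endings included). Raises ValueError if the default= line
    points at the Recovery Console, because removing the entry would then
    leave boot.ini without a valid default.
    """
    kept, removed = [], []
    section = None
    for line in bootini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped.lower()
        elif section == "[boot loader]" and stripped.lower().startswith("default="):
            if CMDCONS_RE.search(stripped):
                raise ValueError("default= points at the Recovery Console; change it first")
        elif section == "[operating systems]" and CMDCONS_RE.search(stripped):
            removed.append(stripped)
            continue
        kept.append(line)
    return "".join(kept), removed


def rewrite_bootini(path):
    """Clear the Read-only attribute, edit, and save (steps 8 to 11).
    The file is written back only when an entry was actually removed."""
    # latin-1 round-trips any byte; newline="" keeps the CRLF line endings.
    with open(path, "r", encoding="latin-1", newline="") as fh:
        text = fh.read()
    new_text, removed = remove_recovery_console_entry(text)
    if removed:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # clears Read-only
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(new_text)
    return removed


# Constructed sample boot.ini containing the entry shown in the post.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\\cmdcons\\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
"""

if __name__ == "__main__":
    text, removed = remove_recovery_console_entry(SAMPLE_BOOT_INI)
    print("removed:", removed)
    print(text)
```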

Can I configure the Windows XP/2000/2003 Recovery Console to auto-logon whenever I run it?

July 20, 2008


By doing this, any user can gain access to your computer by using the Recovery Console without being prompted for an administrative password.

To set an automatic administrator logon for the Recovery Console, complete the following steps while you are logged on with administrative privileges:

  1. Double-click Administrative Tools in Control Panel, and then double-click Local Security Policy.

  2. Expand Security Settings, expand Local Policies, and then click Security Options. Locate the "Recovery Console: Allow automatic administrative logon" policy. Double-click this policy, and then set it to "Enabled".

  3. Close the snap-in. The policy is effective immediately. Be sure to go back into the Local Security Policy snap-in to make sure that the effective setting for the policy is “Enabled”.

The next time you boot to the Recovery Console, you won’t be prompted for a password.
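Because the setting above removes the password prompt, it is worth being able to audit for it. As an added example (not from the original post), the function below reads a local policy exported with "secedit /export /cfg <file>" and reports whether automatic logon is enabled. It assumes, which the post does not state, that the policy is stored as the REG_DWORD value SecurityLevel under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole; the template fragments are constructed.

```python
# Assumption (not stated on the page): the policy "Recovery Console: Allow
# automatic administrative logon" is backed by the SecurityLevel REG_DWORD
# under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole,
# which secedit exports as the MACHINE\... line in [Registry Values].
AUTO_LOGON_VALUE = (
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
    r"\Setup\RecoveryConsole\SecurityLevel"
).lower()


def parse_registry_values(template_text):
    """Return {path (lower-cased): (reg_type, data)} from the [Registry Values]
    section of a secedit template. Each line is 'path=type,data'; type 4 is
    REG_DWORD, so '=4,1' means the DWORD value 1."""
    values, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if in_section and "=" in line:
            path, _, rest = line.partition("=")
            reg_type, _, data = rest.partition(",")
            values[path.strip().lower()] = (reg_type.strip(), data.strip())
    return values


def recovery_console_auto_logon(template_text):
    """True only if the export explicitly enables automatic logon (DWORD 1).
    Disabled (0) or not present both mean a password is still required."""
    return parse_registry_values(template_text).get(AUTO_LOGON_VALUE) == ("4", "1")


def load_template(path):
    # secedit writes its export as UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed export fragment with the weak setting enabled.
WEAK_TEMPLATE = """[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SecurityLevel=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The same fragment with automatic logon turned back off.
HARDENED_TEMPLATE = WEAK_TEMPLATE.replace("SecurityLevel=4,1", "SecurityLevel=4,0")

if __name__ == "__main__":
    print("weak export enables auto logon:", recovery_console_auto_logon(WEAK_TEMPLATE))
    print("hardened export enables auto logon:", recovery_console_auto_logon(HARDENED_TEMPLATE))
```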

How does Ntdsutil.exe know it’s in Directory Restore mode?

July 20, 2008

NTDSUTIL is a tool used for many Active Directory database maintenance tasks, such as defragmenting the DB, moving the DB and/or log files to a different place, cleaning the DB and more.

NTDSUTIL will allow you to perform many of its functions while the DC is up and running. However, some of the maintenance tasks (such as performing an offline defragmentation of the DB and moving the files to a different location, along with the authoritative restore commands) require that you start the DC in Directory Restore mode, which you reach from the boot menu by pressing F8 before the server begins its startup sequence.

When you start the domain controller in Directory Restore mode, the DC sets the environment variable safeboot_option to "dsrepair".

If, for some reason, you want to access the “protected” features of NTDSUTIL while it is NOT in the Directory Restore mode, you will receive an error similar to this:

C:\WINDOWS>ntdsutil
ntdsutil: files
*** Error: Operation only allowed when booted in DS restore mode
"set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!
ntdsutil:

If you want to check something in NTDSUTIL that is allowed only in Directory Restore mode, you can “trick” the program by typing the following statement at a command prompt:

set SAFEBOOT_OPTION=DSREPAIR


NTFS Permissions

July 20, 2008


Before NTFS became the default file system on all Windows operating systems, one of the main reasons to use NTFS instead of FAT or FAT32 was the possibility to assign permissions to individual files and folders. Each file and folder on an NTFS volume has an Access Control List (ACL). This list contains entries for groups and individual user accounts mapped to their corresponding permissions. When a user tries to access a resource, Windows checks the ACL to see whether the user is listed and what level of permission is assigned. It doesn’t matter whether the user tries to access the resource on the local hard drive or on a remote server.

First let’s go over the main NTFS permissions that can be assigned for files and folders:

READ
Read permission allows a user to read the files, list the contents of folders, subfolders and volumes, and read the attributes, permissions and ownership. A user with only Read permission will not be able to change the contents of the file or folder.

WRITE
Write permission allows the same as Read, but additionally allows the user to modify and create files and subfolders as well as change attributes.

READ AND EXECUTE
Read and Execute permission allows the same as Read, but additionally allows users to run applications.

MODIFY
Modify permission allows the same as Read, Write and Read and Execute combined, but additionally allows deleting.

FULL CONTROL
Full Control allows everything permitted by the other permissions, but additionally a user with Full Control can change permissions for other users and take ownership of files and folders.

LIST CONTENTS
List Contents permission applies to folders only. It allows users to list the contents of folders and volumes: they can see the files and folders, but cannot read or modify them, nor can they create new files and folders.

By default, Windows 2003 assigns Full Control permissions to the Administrators group and the System group on any NTFS volume, which are also inherited by the folders and files in it. The Users group is assigned Read & Execute, List Folder Contents, and Read permissions. Users or groups who need to write and/or modify files and folders will need additional permissions.

The above list describes what the NTFS permissions ‘allow’, but you can also explicitly deny permissions to users. Denying permissions is usually only done to make an exception. For example, you could allow Modify permission for the Sales group and deny the same permission for a certain user account in the Sales group for whom you want to make an exception.

Allow permissions are cumulative, which basically means the least restrictive permission becomes the effective permission. For example, John is a member of the Sales group and the Management group. Sales has been allowed Modify permissions for the folder SalesReports. Management has been allowed Read permissions for the same folder. Since John is a member of both groups, his effective permission in this case is Modify. The following table lists some more examples. Note that the listed permissions in these examples are ‘allowed’.

User    User Permissions   Sales Group   Management Group   Effective NTFS Permissions
John    Full Control       Read          Modify             Full Control
Lisa    Read               Write         Read               Write
Bob     Write              Modify        Read & Execute     Modify
Alice   Read               Read          Full Control       Full Control


Configuring NTFS Permissions

There are several different ways to assign NTFS permissions, but the most common way is to use Windows Explorer or My Computer: right-click a file, folder, or volume, click Properties and then click the Security tab. Under Group or user names on the Security tab, select or add a group or user. Then, at the bottom, allow or deny one of the available permissions.

By default, when you add a user or group to the list in the dialog shown above, this user or group will have Read & Execute, List Folder Contents, and Read permissions.

File permissions override folder permissions. For example, if user David has been allowed Read permission for the folder and Modify permission for a file work.doc, his effective permission for the work.doc file is Modify. The exception to this rule is the permission Full Control on folders. Groups or users that have Full Control for a folder can delete files and subfolders in it regardless of the permissions set on those files and subfolders.

In addition to the permissions listed in the tables above, you can also assign special permissions by clicking the Advanced button on the Security tab to open the Advanced Security Settings dialog with the Permissions tab opened as displayed in the following screenshot. Here you can add, remove, and edit the permissions for users on a more granular level.

Permission Inheritance

Besides explicitly assigned permissions on a file or folder, it may inherit permissions from its parent folder (up to the root folder, which is the volume itself). By default, permissions set on a folder are automatically inherited by all files and subfolders in it. This simplifies administration but is not always desired.

In the image above, you can see the following two options:

Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
When this option is cleared, the file or folder will not inherit permissions from the parent folder.

Replace permission entries on all child objects with entries shown here that apply to child objects.
This option will actually reset the permissions on child objects (files and subfolders) to make sure they inherit the permissions from this folder and those permissions are not overridden by permissions explicitly assigned on child objects.

In some situations you may want to inherit most of the permissions from the parent, but make an exception for one or more users/groups. In that case you should set the opposite permission of the one that is inherited. For example, if James inherits Modify permission from a parent folder through group permissions, you could deny Modify permission for James on the child object to block the inherited permission for James only and still allow Modify access to the rest of the group.

Effective Permissions

On the Effective Permissions tab of the Advanced Security Settings for a file or folder you can select a user or group and see the effective permissions. These are the result of the permissions directly assigned to the file or folder and the permissions inherited from parent folders.

Change ownership of files and folders

When a user creates a file or folder, Windows 2003 automatically assigns Full Control permissions to the creator/owner. This allows the user to assign permissions to other users for the files he or she creates. This means that besides the ACL, files and folders need to include information about who owns the file. By default, this is the account that creates the file or folder, or the Administrators group. For several different reasons, the ownership of a file or folder may need to change. For example, if a user leaves the company, the ownership of his or her files and folders may need to be transferred to other users.

You can take ownership of a file by replacing the owner with your own account or with one of the groups you are a member of. You must have Full Control or the special permission Take Ownership to be able to take ownership of a file or folder. Users who have the Restore files and directories privilege can assign ownership to any user or group.

Moving and copying protected files

Moving and copying NTFS protected files is similar to moving and copying compressed files. When you copy a protected file to a folder on the same or a different volume, it inherits the permissions of the target folder. When you move a protected file to a different NTFS volume, the file also inherits the permissions of the target folder. A move between volumes is actually considered a copy; the source file is deleted after it is copied to the target volume.

However, when you move a protected file to a different location on the same volume, the file retains its permissions. When data is moved within the same volume, the data is not actually relocated; only the pointer to it is changed, and that is why it retains the ACL. In all cases the target volume needs to be an NTFS volume as well because, as mentioned earlier, FAT, FAT32 and other file systems do not support NTFS file and folder permissions.

Shared Folder Access

A shared folder (commonly referred to as a share) is a folder or entire volume that is published on the network and can be remotely accessed by other users. The shared folder can be used as if it were a local folder: to store data, and even to run applications from the share over the network. Members of the built-in groups Administrators, Server Operators and Power Users can share folders. If the shared folder is located on an NTFS volume, users need at least the NTFS permission Read for the local folder to be able to access it, regardless of the share permissions assigned to it. Following are some of the common methods for creating shared folders:

1. Using the Shared Folders snap-in, which is included by default in the Computer Management console. In the console tree, click Shares (below Computer Management | System Tools | Shared Folders). On the Action menu, click New File Share. You will be prompted to select the folder or drive, enter the share name and description, and set permissions.

2. Use the net share command at the prompt: net share sharename=drive:path

3. In Windows Explorer/My Computer right-click the folder or drive, click Properties and then the Sharing tab. Enable the option Share this folder, enter a name for the share, a description and configure other settings as depicted in the following image.

Users can connect to a share in several ways, for example:

1. Using My Network Places/Windows Explorer, a user can browse to the share or use the Add Network Place wizard to create a shortcut.
2. Use a direct UNC path, for example: \\FileServer12\ShareX
3. Use My Network Places/Windows Explorer or the net use command to map a drive letter to a share.

By default, Windows 2003 creates the following hidden administrative shares depending on the configuration of the server:

Admin$: This is the system root, usually C:\Windows. Administrators are assigned Full Control share permissions.
C$, D$, E$, etc.: Each volume on a hard disk is shared by default and provides easy access to the entire volume for Administrators. Administrators are assigned Full Control share permissions.
IPC$: A system share that allows named pipe connections for communication between applications and other computers.
Print$: This points to the %systemroot%\System32\Spool\Drivers folder, and is created when printers are shared to allow clients to automatically download the printer drivers.
Fax$: A system share used by fax clients.

You can create hidden shared folders yourself by adding a $ sign to the end of the share’s name. Hidden shares do not show up when users browse the network through My Network Places, for example. To access these hidden shares, users need to enter the name including the $ sign. NETLOGON and SYSVOL are two other administrative shares that exist on domain controllers, but they are not hidden.

Shared Folder Permissions

There are three different share permissions that can be assigned to groups and individual user accounts. These permissions apply only when connecting to the share over the network. The share permissions do not apply to users who log on to the local machine. The following three share permissions are available for shared folders:

READ
Allows users to read files and list the contents of folders and volumes. This allows executing applications as well. The default for new shared folders is Read permission for Everyone.

CHANGE
Allows the same as Read and allows the user to modify, create and delete files and subfolders.

FULL CONTROL
Allows the same as Change, but additionally allows the user to modify permissions.

Whether the permissions actually allow the desired access depends on the NTFS permissions of the shared folder and the files and subfolders in it. For example, if a user has the share permission Change for a shared folder, that user will not be able to actually change files for which the user has only Read NTFS permission. We will go over some more examples in the following section “Combining Shared Folders with NTFS Permissions”. However, you can create shared folders located on a FAT or FAT32 disk and assign share permissions to provide protected access for users that connect to the shared folder. Remember that share permissions are only used when a user connects to the shared folder from a remote computer. So if a user logs on locally to a computer with a FAT/FAT32 drive, the share permissions are ignored.

To configure share permissions in Windows Explorer/My Computer right-click the folder or drive, and then click Properties and then the Permissions button on the Sharing tab. Under Group or user names: select or add a group or user, and allow or deny one of the permissions listed in the table above.

When you set permissions, you can either Allow or Deny them to a user or group. Typically you would allow a group share permissions and deny the same permissions to certain members of that group. The default permissions for new shared folders is Read to Everyone. Whether Everyone will actually be able to read depends on the NTFS permissions.

Combining Shared Folders with NTFS Permissions

When you combine NTFS permissions and share permissions the most restrictive effective permission counts. For example, if you create a folder with files and assign them Full Control NTFS permissions to Everyone and share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permissions.

Probably the most common mistake made when combining share permissions and NTFS permissions is to add them all to a single pile and then take the most restrictive. Instead, you need to determine the effective share permission and the effective NTFS permission separately before taking the most restrictive of the two.

So to determine what the permissions are for a user connecting through a shared folder to a local folder protected with NTFS permissions you need to do the following:

1. Determine the ‘effective’ NTFS permissions
2. Determine the ‘effective’ share permissions
3. Take the most restrictive of these two.

Following is a practice question that raised discussion in our forums several times:

X. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions. What are John’s effective permissions when connecting to the shared folder?

a. Read
b. Read & Execute
c. Change
d. Full Control

The correct answer is c. Change, but many people seem to be inclined to choose answer a. Read instead, because Read is the most restrictive permission. However, it is the most restrictive effective permission that counts.

1. Determine the effective NTFS permissions:
As mentioned earlier in the NTFS permissions section, NTFS permissions are cumulative. This means the least restrictive applies when considering only NTFS permissions. In this case, John has Read NTFS permission for the folder through the Sales group, and Full Control NTFS permission through his own account, hence his effective NTFS permission is Full Control.

2. Determine the effective share permissions:
The question only mentions that the share permissions are Change to Everyone, so no other share permissions have been explicitly assigned for the Sales group or John and hence the effective share permission is Change.

3. Take the most restrictive of these two:
The most restrictive of the previous two effective permissions is Change. Although John has Full Control NTFS permission for the folder, he is accessing the folder through a shared folder for which he only has Change permissions.
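The rules from the NTFS and share permission sections, the John/Lisa/Bob/Alice table, the James deny exception and practice question X, worked out in code. This is an added example, not part of the original article; the right sets follow the article's own descriptions of each named permission (so Write is treated as including Read), and the group name Staff is a constructed placeholder.

```python
# Added example: allow entries are cumulative (least restrictive wins), a
# deny entry removes those rights again, and network access gets the most
# restrictive of the effective NTFS and effective share permissions.
# Right sets follow the article's descriptions, not the raw NTFS access mask.

NTFS_LEVELS = {
    "Read":           {"read"},
    "Read & Execute": {"read", "execute"},
    "Write":          {"read", "write"},
    "Modify":         {"read", "execute", "write", "delete"},
    "Full Control":   {"read", "execute", "write", "delete",
                       "change permissions", "take ownership"},
}

SHARE_LEVELS = {
    "Read":         {"read", "execute"},
    "Change":       {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change permissions"},
}


def effective_rights(entries, user, groups, levels):
    """entries: list of (principal, "allow" | "deny", level name).

    Every allow entry naming the user or one of the groups is unioned in
    (cumulative); every matching deny entry is subtracted afterwards, so a
    deny always overrides an allow coming from any other entry.
    """
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, level in entries:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(levels[level])
    return allowed - denied


def name_level(rights, levels):
    """Name the richest level whose rights are all present, or "None"."""
    matches = [name for name, needed in levels.items() if needed <= rights]
    return max(matches, key=lambda n: len(levels[n])) if matches else "None"


def effective_ntfs(entries, user, groups):
    return name_level(effective_rights(entries, user, groups, NTFS_LEVELS),
                      NTFS_LEVELS)


def network_access(ntfs_entries, share_entries, user, groups):
    """Steps 1-3 of the article: effective NTFS, effective share, then the
    most restrictive of the two (only rights granted by both survive)."""
    ntfs = effective_rights(ntfs_entries, user, groups, NTFS_LEVELS)
    share = effective_rights(share_entries, user, groups, SHARE_LEVELS)
    return name_level(ntfs & share, SHARE_LEVELS)


# The article's table: (own account, Sales group, Management group), all allows.
TABLE = {
    "John":  ("Full Control", "Read", "Modify"),
    "Lisa":  ("Read", "Write", "Read"),
    "Bob":   ("Write", "Modify", "Read & Execute"),
    "Alice": ("Read", "Read", "Full Control"),
}


def table_effective(user):
    own, sales, mgmt = TABLE[user]
    entries = [(user, "allow", own), ("Sales", "allow", sales),
               ("Management", "allow", mgmt)]
    return effective_ntfs(entries, user, {"Sales", "Management"})


def practice_question():
    """Question X: Change share for Everyone, John has Full Control NTFS,
    Sales has Read NTFS. Expected answer: Change."""
    ntfs = [("John", "allow", "Full Control"), ("Sales", "allow", "Read")]
    share = [("Everyone", "allow", "Change")]
    return network_access(ntfs, share, "John", {"Sales", "Everyone"})


def james_exception():
    """The inheritance exception: James inherits Modify through a group
    (constructed name "Staff") and is explicitly denied Modify on the child."""
    entries = [("Staff", "allow", "Modify"), ("James", "deny", "Modify")]
    return effective_ntfs(entries, "James", {"Staff"})


if __name__ == "__main__":
    for user in TABLE:
        print(f"{user}: {table_effective(user)}")
    print("Question X:", practice_question())
    print("James:", james_exception())
```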

Troubleshoot access to files and shared folders

Problems accessing shared folders are often caused by underlying network connectivity problems. Before you scratch yourself a bald spot trying to find an incorrectly configured ACL or shared folder, make sure you check basic network connectivity: ping the file server by name, check that the user is properly logged on to the domain, etc.

Probably the most common cause of problems with accessing files and shared folders is an incorrect configuration, so when things are not working as expected you should verify the configuration. A user that is not able to access a file or folder may be a member of a group that was recently denied certain permissions. Changes to the permissions assigned to a parent folder may also cause problems through inheritance.

The Effective Permissions tool on the Advanced Security Settings dialog provides an easy method to determine the NTFS permissions, but it does not include share permissions. In large environments with many users and groups, it can be hard to determine the effective share permissions, so it is important to maintain a structured user and group design and folder hierarchy. The following link points to a document with best practices for shared folders.

The Shared Folders snap-in, included by default in the System Tools of the Computer Management console, provides an overview of the Shares configured on the local computer, the active Sessions, and the currently Open Files. These can provide valuable information when troubleshooting access to shared folders.

Connecting printer in network

July 20, 2008

To understand printing in Windows XP, it is important to understand the differences and relationship between a print device and a printer.

  • A print device is the physical printer. This printing device can be connected directly to the print server using a serial, parallel or IR connection for example. A print device can also be a network printer with a built-in or external network interface.
  • A printer is the icon in the Printers folder that represents the software interface between applications and the physical print device.

Multiple printers can exist for a single print device. This is typically done to allow different priorities for specific security groups. For example, in a small company with a Sales and a Marketing department, two printers could be created for one high-capacity network print device. One printer would be configured with a priority of 50, and assigned Print permissions for the Sales group. Another printer would be created and configured with a priority of 1, and assigned Print permissions for the Marketing group. This configuration would prevent members of the Sales group from having to wait for their most important reports because a large graphical brochure is being printed by the Marketing department. The lowest priority that can be configured for a printer is 1, the highest is 99.

Additionally, a single printer can point to multiple print devices; this is called a printer pool. Printer pooling allows clients to print to a printer that will forward the print job to an available print device, allowing a heavy workload to be divided over multiple print devices. The print devices in the printer pool must use the same driver.

An important component of the Windows XP printing services is the Spooler. When clients send print jobs to the print server, the spooler on the server processes and stores each job until the print device is available. The location of the print spooler can be changed on the Advanced tab of the Print Server properties, which can be accessed through the File menu in the Printers folder. The default location is %systemroot%\system32\spool\PRINTERS.

Install and connect to a print device

Windows XP provides several ways to connect to a printer, depending on the client version and software. The Add Printer wizard allows you to create printers for the following print devices:

  • Local print devices directly attached to a serial, parallel, USB, FireWire, IR, or SCSI port on the computer. USB, FireWire and infrared connected printers can usually be installed using plug & play, hence without restarting the computer.
  • Remote print devices directly connected to the network. These are equipped with either a built-in network interface, or attached to an external network adapter. The most typical examples are printers with an HP JetDirect card or Intel Netport.
  • Remote print devices connected to a remote print server. These are typically printers shared on a Windows server.

Only members of the Administrators group are allowed to install local printers. The options provided by the Add Printer wizard may seem a bit confusing at first; to create a printer for a remote network print device, you need to choose the option: Local printer attached to this computer. Only for print devices that are connected to a remote print server must you choose the option: A network printer. This is the option used on clients to connect to a shared printer on a Windows 2000/2003 server, for example.

If you choose to create a Local printer, the wizard can automatically detect and install directly attached plug and play print devices when you enable the Automatically detect and install my Plug and Play printer check box. Clear the check box if you want to add a local printer for a remote network print device, or if you want to choose the manufacturer and printer type and install drivers manually.

By using the Local printer option, you can select an existing port (i.e. LPT, COM, and FILE port), or create a new port. The latter is typically used for remote network print devices. The new type of port dictates the protocol that should be used for communication between the print server and the print device. Most networks today use TCP/IP as the primary protocol, and virtually all modern network printers support it. Hence, the most common type of local ports, for network printers, is the Standard TCP/IP port.

To add a Standard TCP/IP port, select Create New Port (after you selected Local printer and clicked next), and select Standard TCP/IP port from the Type of port list. When you click Next, the Add Standard TCP/IP Printer Port Wizard starts, where you need to provide a host name or an IP address of the network printer and a name for the port. The name of the port defaults to the host name.

If you installed the optional Other Network File and Print Services component Print Services for Unix, you can also select an LPR port from the Type of port list. An LPR port can be used to create a printer for a print device connected to a UNIX print server or a network printer with LPD support. The line printer daemon (LPD) is the server part, the line printer remote (LPR) is the client part. When you add an LPR port, you must supply the IP address or host name of the UNIX print server or the printer itself. Additionally, you must enter the name of the print queue on the UNIX server, or the name of the network printer.

The DLC protocol is no longer part of Windows XP, hence the DLC printer port that was used to connect to older Hewlett Packard JetDirect cards is not available either.

After you created a printer for one of the Local ports mentioned above and provided the required information, the driver will be installed. You may need to choose the model and insert the Windows XP Professional product CD-ROM or a driver disk.

If you want to create a printer for a remote network printer shared on another Windows computer, use the Network Printer option in the Add Printer Wizard. When you click Next, you will be presented with the following three options:

  • Browse for a printer.
  • Connect to a printer by using a UNC path. For example: \\printserver\printershare
  • Connect to a printer by using a URL.

Windows XP Professional will automatically download the drivers from the print server if required.

If you want to connect to a shared printer on Windows XP from DOS, Windows 3.x, or a DOS (16-bit) application under Windows, you need to map an LPT port to the UNC path using the NET command. For example: net use Lpt3 \\printserver\printershare

Printing and IIS

When IIS is installed on the Windows print server, i.e. a Windows XP Professional print 'server', the print server and the connected printers can be managed from any client by using a web browser. The web interface allows you to perform the same tasks as with the regular printer management tools. Additionally, the web interface can be used to show the list of all printers on a print server and, if the printer driver supports it, their status. The URL is http://servername/printers. If you want to connect to a printer directly, to manage print jobs for example, use the URL http://servername/sharename, where sharename is the name of the shared printer.

IIS also supports the Internet Printing Protocol (IPP), which allows clients to print to a URL instead of a UNC path. The URL is http://servername/printers/sharename/.printer.
Clients running Microsoft Internet Explorer 4.01 and later with IPP printing support can print to the Internet printers. All versions of Windows 2000, XP and 2003 have IPP printing support, and it is available as an add-on for Microsoft Windows 95 and Microsoft Windows 98 clients. Windows 9x-based clients need an internet printing client from the Windows 2000 Server CD-ROM (\clients\win9xipp.cli\wpnpins.exe). When you connect to a Windows XP Internet print server using the “Connect to an Internet Printer” option in the Add Printer Wizard, the port is automatically installed as an HTTP printer port. IPP packets are transferred using HTTP.

Another way for users to connect to a shared printer is the Point and Print option. Point and Print allows users to install a printer by right-clicking the printer in the Printers folder of a print server in the Network Neighborhood, and then clicking Connect. The printer will be installed, the drivers are downloaded and installed if necessary, and the printer will be ready for use.

Sharing Printers

If you didn’t choose to share the printer while using the Add Printer wizard, you can manually enable and configure sharing on the Sharing tab of the printer’s Properties, by selecting Share this printer and entering a name for the shared printer. As with shared folders, you can put a $ sign at the end of the name, hiding it effectively from the browse list in Network Neighborhood.

When clients running versions other than Windows 2000 or XP will use the shared printer, you can install all the appropriate drivers (i.e. Windows 95/98, Windows NT 4, etc.) on your computer, so those clients will download the drivers automatically when they connect to the network printer. To install drivers for other Windows versions, click the Additional Drivers button on the Sharing tab. When you install the first shared printer, the %systemroot%\System32\Spool\Drivers folder is shared as Print$. Clients download the drivers from this hidden share.


Shared Access Permissions

The Security tab of the printer’s Properties allows you to control access to printers by allowing or denying the following permissions:

Print

Allows users to connect to the printer, and print and manage their own print jobs. This is the default permission assigned to the Everyone group.

Manage Documents

Allows a user to print and manage their own print job as well as other users’ print jobs. This includes pausing, restarting and removing print jobs from the print queue.

Manage Printers

Allows a user to configure and remove the printer, share the printer and set permissions for the printer, in addition to all tasks allowed by Manage Documents. Administrators and Power Users have Manage Printers permission by default.


Managing Printers

The Device Settings tab of the printer's Properties usually allows you to choose the form, i.e. Letter, A4, A5, and additionally configure device-specific settings and information such as font cards and memory.


On the Advanced tab of the printer's Properties you can configure the printer to allow printing only during certain hours of the day, configure the priority for the printer, and configure spooler settings. Separator pages can be created, or a default for PCL or PostScript can be used; check the system32 folder for files with the .sep extension. To select a separator page, click the Separator Page button on the Advanced tab of the printer's Properties to browse for a .sep file.

The Ports tab allows you to manually add, delete and configure printer ports. If the Enable printer pooling check box is selected, you can select multiple ports, associating multiple print devices with the same printer. The port for a printer can be changed even when there are documents in the print queue. This is useful when a print device fails and you want to redirect the print jobs to another device: pause the printer, and on the Ports tab change the port to one connected to an identical print device.


Manage print jobs

Users with the Print permission are able to manage their own print jobs, and users with the Manage Documents permission are able to manage all print jobs. Following are the common tasks related to print jobs in a queue; they are available from the Document menu in the printer’s queue:

  • Pause – This will pause the print job, which will remain in the queue.
  • Resume – This will resume a paused print job.
  • Restart – This will restart a print job from the first page. This is especially useful when a mechanical problem occurred, e.g. the printout got stuck in the print device.
  • Cancel – This will cancel a print job and remove it from the queue. Any data already sent to the print device will still be printed.


Troubleshooting

Troubleshooting printer problems is probably every system admin’s least favorite task. Following are some of the most common printer problems and their solutions:

  • When paper gets stuck in a print device, Pause the printer, remove and replace the paper and Restart the job. This will start the job from the beginning.
  • If the output is garbled, the printer driver probably doesn’t match the print device.
  • If everything seems to be correctly connected and configured but print jobs are not directed to the print device, a common solution is to restart the Spooler service.
  • In case of excessive hard disk drive activity, you may need to add more RAM to process the print jobs. If the print job is not processed at all, you may need to change the location of the spooler to a disk with sufficient free disk space.


Internet Information Services (IIS)

July 20, 2008

Windows XP includes a stripped-down version of Internet Information Services (IIS), which allows you to publish web pages and other web content to any operating system with a compliant browser. IIS on Windows XP is not designed to host public websites, but is meant for sharing resources with a small group of users. The version of IIS on Windows XP is limited to 1 website and 10 simultaneous client connections, and has fewer advanced features than IIS on Windows Server. To serve a larger number of websites to a larger number of users, you will need to use IIS on Windows 2000/2003 Server instead.

You can install IIS by using the Add/Remove Windows Components option in the Add or Remove Programs wizard. The Internet Information Services (IIS) component has several subcomponents including a WWW service, FTP service, SMTP service, FrontPage 2000 extensions, and the IIS snap-in. The latter is used for managing the IIS services in the Microsoft Management Console (MMC). You can start the IIS snap-in by running the inetmgr command from the Run dialog box.

Following are some of the common configuration and management tasks and relevant considerations.


Configuring directories

The version of IIS on Windows XP allows for only one website, which is the Default Web Site in the IIS management console. By default, its home directory is c:\inetpub\wwwroot\ but you can change this path in the Default Web Site Properties. A website can have several subdirectories, e.g. www.techexams.net/forums. These subdirectories, as they appear in the URL, do not necessarily need to be subfolders of the home directory. They can be located outside the c:\inetpub\wwwroot\ folder or on a shared folder in your local network. This is referred to as a virtual directory. To create a virtual directory, right-click the default website, or a subdirectory of the default website, and select Virtual Directory from the New submenu to start the Virtual Directory Creation Wizard. You will need to provide an alias, the name as it appears in the URL, and browse for the local directory you want the alias to point to. If you want to use a folder on another computer in the local network, you must provide the full UNC path (e.g. \\workstation2\share).

You can also create a virtual directory by right-clicking a folder in Windows Explorer/My Computer (only on NTFS), selecting Properties, and creating one or more aliases on the Web Sharing tab.


Configuring Permissions

Another important basic configuration task for IIS is configuring authentication and file and folder permissions. When IIS is installed, a new user account for anonymous access is created automatically. It is named IUSR_ComputerName and needs appropriate NTFS permissions for the files and folders anonymous users should be able to access. You can disable anonymous access on the Authentication Methods dialog (click the Edit button on the Directory Security tab of the Default Web Site Properties) or change the account or password.

As you can read in the screenshot above, there are two ways to force username and password authentication. You can disable anonymous access for the entire website, or you can restrict access based on NTFS permissions. The latter would allow you to grant anonymous access to the website and public resources, while requiring username and password authentication for particular files and folders.


Restarts

With the IIS snap-in you can restart the Default Web Site, the Default FTP Site, or the Default SMTP Virtual Server independently by selecting it and clicking the Stop and then the Start button. You can also restart all the IIS services by right-clicking the local computer node in the IIS snap-in and choosing Restart IIS from the All Tasks menu.

Troubleshooting

Besides permissions issues and other incorrect IIS configuration settings, the most common problems with connecting to an IIS service such as the WWW service are caused by incorrect or incomplete TCP/IP settings and services. A common issue is the lack of a DNS service. Without DNS, users will not be able to access the website by using a friendly URL, but would have to use the IP address instead. In small networks you can use HOSTS files instead of a DNS server.

Groups

July 20, 2008

GROUPS

The main purpose of a group is to simplify administration by allowing permissions to be assigned to a collection of users instead of to individual users. A group can contain user accounts, computer accounts, or contacts as its members. In addition, a group can also contain other groups, which is referred to as group nesting. Which items a group can contain and what they can be used for depends on the group type, the group scope and the domain functional level.

Group Types
Windows 2003 Active Directory supports the following two group types:
Security Groups – Used for assigning permissions for directory objects and resources such as shared folders and printers. Security groups are also used for assigning rights to users, for example by using Group Policies.
Distribution Groups – Used for creating e-mail distribution lists (e.g. for Microsoft Exchange Server). A distribution group allows a user to send e-mail to all the members by using a single address.

You can change the group type from security to distribution, or vice versa, if the domain functional level is set to Windows 2000 native or Windows 2003. Group types cannot be changed if the domain is running in Windows 2000 mixed mode.

Group Scopes
A group scope defines from which domains members can be added to a group, and in which domain, tree or forest rights and permissions can be assigned to the group. When you create a new group, it will be a security group with global scope by default. You can modify the group scope if the domain functional level is set to Windows 2000 native or Windows Server 2003. Changing a group scope in Windows 2000 mixed mode domains is not possible.

Windows 2003 Active Directory supports the following three group scopes:
Domain Local – Used for assigning permissions within the local domain only. A domain local group can contain user accounts and global and universal groups from any domain, and other domain local groups from the same domain. A domain local group can be changed to a universal group only if it does not have other domain local groups as its members.
Global – Used for assigning permissions throughout the entire forest. A global group can only contain user accounts and global groups from the same domain the global group is in. If the domain is running in Windows 2000 Mixed mode, you can add only user accounts to a global group. A global group can be changed to a universal group if it is not a member of another global group.
Universal – Used for assigning permissions throughout the entire forest. A universal group can contain user accounts, computer accounts, and global and universal groups from any domain in the forest. Security type universal groups can be created only when the domain functional level is set to Windows 2000 native or Windows Server 2003. Unlike domain local and global groups, universal groups are replicated to every global catalog in the entire forest. A universal group can be changed to a domain local group at any time. A universal group can be changed to a global group only if it does not have other universal groups as its members.

The preferred method to use these group scopes is explained in the following example:
To assign all the users in the Sales department permissions for a shared resource, e.g. Printer1, you should create a domain local group for the Sales department, e.g. SalesPrinters, and assign it permissions for Printer1. Then you should group the users into a global group, e.g. Sales, and add the global group to the domain local group. A universal group is particularly useful when the group needs to contain members from multiple domains. Universal groups should be members of domain local groups, and have global groups as their members.

Local vs. Active Directory Groups
The group types and scopes outlined above are pertinent to Windows 2003 servers that are members or domain controllers in an Active Directory domain. They are stored in the Active Directory on domain controllers. However, groups also exist at the local machine level, even if Active Directory is not in use. You can create local groups on the local computer using the Local Users and Groups MMC snap-in, and they can be used for assigning permissions on that computer only.

Default Groups
Windows 2003 creates default groups in the Builtin container and the Users container. The following lists show the groups created in a Windows 2003 domain by default (this may vary per configuration and on the installed Windows components). The first list shows the groups in the Builtin container. These groups are all domain local groups and cannot be moved to another container or OU.
Account Operators – Members of this group can administer domain user and group accounts, log on locally, and can shut down domain controllers. Account Operators cannot modify the Administrators or Domain Admins groups and accounts.
Administrators – Members of this group have full access to the domain or computer. By default, this group contains the Domain Admins and Enterprise Admins groups and the Administrator user account.
Backup Operators – Members of this group can back up or restore files without being limited by file permissions. Backup Operators can also log on locally and shut down domain systems.
Guests – Members of this group have the same permissions and rights as the Users group by default. The Guest user account is disabled by default. The Guests group contains the Domain Guests group as a member.
Incoming Forest Trust Builders – Members of this group can create incoming, one-way trust relationships to this forest. This group appears only in the root domain of the forest.
Network Configuration Operators – Members of this group can change the TCP/IP settings on domain controllers in the domain.
Performance Monitor Users – Members of this group can monitor performance counters on domain controllers in the domain.
Performance Log Users – Members of this group can manage performance counters, logs and alerts on domain controllers in the domain.
Pre-Windows 2000 Compatible Access – Members of this group have read access to all users and groups in the domain. This group provides backward compatibility for computers running versions of Windows before Windows 2000, such as Windows NT 4. The Everyone group is a member of this group by default.
Print Operators – Members of this group have the appropriate rights to administer printers connected to domain controllers and shared printer objects in the Active Directory. Print Operators can also log on locally and shut down domain systems.
Remote Desktop Users – Members of this group are granted the right to log on remotely using a terminal session.
Replicator – A system group account used for file replication in a domain. This group has no members and you should not add any.
Server Operators – Members of this group can administer shared resources on domain servers, start and stop certain services, and format hard disks. Additionally, members of this group have the same rights Backup Operators have.
Users – Members of this group have sufficient permissions and rights to run certified Windows applications, but cannot run most legacy applications. This prevents regular users from making system-wide changes.

The following default groups reside in the Users container in the Active Directory. The Users container contains domain local, global, and universal scope default groups. These groups can be moved to another OU if desired.
Cert Publishers – Members of this group can publish digital certificates for users and computers.
DnsAdmins – Members of this group have permissions to administer DNS.
DnsUpdateProxy – Members of this group can act as a DNS proxy for clients. A DHCP server that handles dynamic updates for DHCP clients should be a member of this group.
Domain Admins – Members of this group have full control of the domain. This group is a member of the Administrators group on all domain members, including domain controllers. The Administrator user account is a member of this group by default.
Domain Computers – This group contains all the computer accounts of the clients and servers joined to the domain.
Domain Controllers – This group contains all domain controllers in the domain.
Domain Guests – This group contains all domain guests.
Domain Users – This group contains all domain users. When you create a new user account in the domain, it will automatically become a member of the Domain Users group.
Enterprise Admins – Members of this group have full control of all domains in the forest. This group is a member of the Administrators group on all domain controllers in the forest. The Administrator user account is a member of this group by default.
Group Policy Creator Owners – Members of this group can modify Group Policy settings in the domain. The Administrator user account is a member of this group by default.
IIS_WPG – A system group account used by Internet Information Services (IIS) 6.0.
RAS and IAS Servers – Servers in this group have access to the remote access properties of users. This group is used for IAS servers that perform authentication for a collection of RRAS servers.
Schema Admins – Members of this group can modify the Active Directory schema. The Administrator user account is a member of this group by default.

The following special identities can also be considered groups as they allow you to assign permissions to a dynamic group of users:
Everyone – Includes everyone with a user account.
Anonymous Logon – Includes everyone without a user account.
Network – Includes users that are currently logged on to a computer over the network. This is the opposite of the Interactive group.
Interactive – Includes users that are currently logged on to the local computer. This is the opposite of the Network group.

Managing Groups
Groups are created by using the Active Directory Users and Computers MMC snap-in. To create a new group, right-click the domain or OU in which you want to create the group, select New, and then click Group. The New Object – Group dialog, displayed below, will open. You will need to provide a name, and you can choose the group scope and group type.

When you open the properties sheet of an existing group, you can associate a description and an e-mail address with the group and change the scope and type on the General tab. The Members tab of the group’s properties allows you to add members to this group, and the Member Of tab allows you to join this group to other groups. On the Managed By tab, you can specify a person that is responsible for this group, and specify whether this person should be able to add and remove members to and from this group.

You can move a group to another container, from the Users container to a departmental OU for example, by right-clicking the group and selecting Move from the context menu. With the exception of universal groups, groups can be moved within a domain only. When you move a universal group from one domain to another, you will have to reassign permissions and rights as they will be lost in the process. The member settings of the universal group will be retained.

Find domain groups in which a user is a member
In a large Active Directory with many groups it can be hard to keep track of which groups a user belongs to. The Member Of tab of a user’s properties displays a list of groups the user is a member of. It does not show groups in trusted domains of which the user is a member. For a more complete list of groups a user belongs to, you can use the Dsget.exe command line utility. The syntax for displaying group membership is:
dsget user UserDN -memberof -expand

The UserDN parameter is the user’s distinguished name, for example:
dsget user "CN=Johan Hiemstra,CN=users,dc=testdomain,dc=techexams,dc=corp" -memberof -expand

Without the -expand option, only the groups the user is joined to directly are displayed. With this option, each group is expanded to determine membership through nested groups. For example, when a user is a member of the Domain Users default group, it is also a member of the Users built-in group, because the Domain Users group is a member of the Users group.
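As an added illustration (not code from the original post), the following Python models the containment and conversion rules listed under Group Scopes above, builds the Sales/SalesPrinters example from that section, and reproduces the nested expansion that dsget -memberof -expand performs; all groups and accounts are constructed in memory and nothing is queried from Active Directory. One rule it encodes is not stated on the page: Active Directory has no direct conversion between domain local and global scope, only via universal.

```python
"""Model of the group scope rules above and of the nested-membership expansion
that `dsget user UserDN -memberof -expand` performs (added illustration, in-memory only)."""
from dataclasses import dataclass, field

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"

@dataclass(frozen=True)
class Account:  # a user or computer account and the domain that holds it
    name: str
    domain: str

@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)  # Account or Group objects

def allowed_member(group, member):
    """True if `group` may contain `member` under the scope rules on this page."""
    same_domain = member.domain == group.domain
    if group.scope == DOMAIN_LOCAL:
        # accounts, global/universal groups from any domain; other domain local groups from this domain only
        return isinstance(member, Account) or member.scope != DOMAIN_LOCAL or same_domain
    if group.scope == GLOBAL:
        # accounts and global groups from the group's own domain only
        return same_domain and (isinstance(member, Account) or member.scope == GLOBAL)
    # universal: accounts, global and universal groups from any domain in the forest
    return isinstance(member, Account) or member.scope != DOMAIN_LOCAL

def add_member(group, member):
    assert allowed_member(group, member), f"{group.name} cannot contain {member.name}"
    group.members.append(member)

def can_change_scope(group, new_scope, directory):
    """Scope conversions allowed at Windows 2000 native / Windows Server 2003 level."""
    nested = [m for m in group.members if isinstance(m, Group)]
    if (group.scope, new_scope) == (DOMAIN_LOCAL, UNIVERSAL):
        return all(g.scope != DOMAIN_LOCAL for g in nested)
    if (group.scope, new_scope) == (GLOBAL, UNIVERSAL):
        return not any(g.scope == GLOBAL and group in g.members for g in directory)
    if (group.scope, new_scope) == (UNIVERSAL, DOMAIN_LOCAL):
        return True
    if (group.scope, new_scope) == (UNIVERSAL, GLOBAL):
        return all(g.scope != UNIVERSAL for g in nested)
    return False  # domain local <-> global: no direct conversion in AD, go via universal

def member_of(directory, principal, expand=True):
    """Names of the groups `principal` is in; expand=True follows nesting like -expand."""
    found, pending = set(), [principal]
    while pending:
        current = pending.pop()
        for g in directory:
            if current in g.members and g.name not in found:
                found.add(g.name)
                if expand:
                    pending.append(g)
    return found

def build_example_directory(domain="testdomain.techexams.corp"):
    """The page's example: user -> global group Sales -> domain local group SalesPrinters."""
    johan = Account("Johan Hiemstra", domain)
    sales = Group("Sales", domain, GLOBAL)
    sales_printers = Group("SalesPrinters", domain, DOMAIN_LOCAL)
    add_member(sales, johan)
    add_member(sales_printers, sales)  # permissions for Printer1 would be granted to SalesPrinters
    return [sales, sales_printers], johan
```

With expand=False member_of reports only Sales; with expansion it also reports SalesPrinters, exactly the difference the -expand option makes.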

Automated Group Management

Instead of creating and modifying groups manually, you can also automate group management using command-line utilities. Csvde.exe is one of the tools that can be used to perform batch changes to the Active Directory. It can be used to import data from, and export data to, a file in comma separated value (CSV) format. Ldifde.exe is a more advanced tool that allows you to create, modify, and delete Active Directory objects. You can use Ldifde to extend the schema, and to export and import Active Directory user and group data to or from other directories.
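As an added example (not from the original post), this Python builds the LDIF records that Ldifde.exe would import to create the Sales and SalesPrinters groups from the example above and nest them; the groupType flag values and the LDIF add/modify syntax are standard Active Directory and ldifde conventions, while the OU=Sales container and the user DN are constructed for the example.

```python
"""Generate ldifde-importable LDIF for the AGDLP example on this page (global group
Sales nested in domain local group SalesPrinters). Added illustration; constructed DNs."""

# groupType flag bits used by Active Directory (well-known values)
SCOPE_BITS = {"global": 0x2, "domain local": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000

def group_type(scope, security=True):
    """groupType as the signed 32-bit value AD stores (negative means security group)."""
    value = SCOPE_BITS[scope] | (SECURITY_ENABLED if security else 0)
    return value - 2**32 if value >= 2**31 else value

def create_group_record(cn, parent_dn, scope, security=True):
    """LDIF 'add' record creating a group; a blank line terminates each record."""
    return "\n".join([
        f"dn: CN={cn},{parent_dn}",
        "changetype: add",
        "objectClass: group",
        f"sAMAccountName: {cn}",
        f"groupType: {group_type(scope, security)}",
        "",
    ]) + "\n"

def add_member_record(group_dn, member_dn):
    """LDIF 'modify' record adding one member; the lone '-' closes the change."""
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        f"member: {member_dn}",
        "-",
        "",
    ]) + "\n"

def agdlp_ldif(base_dn="DC=testdomain,DC=techexams,DC=corp"):
    """Sales (global) and SalesPrinters (domain local), Sales nested in SalesPrinters."""
    ou = f"OU=Sales,{base_dn}"  # constructed OU; it must exist before the import
    sales_dn = f"CN=Sales,{ou}"
    return (create_group_record("Sales", ou, "global")
            + create_group_record("SalesPrinters", ou, "domain local")
            + add_member_record(f"CN=SalesPrinters,{ou}", sales_dn)
            + add_member_record(sales_dn, f"CN=Johan Hiemstra,CN=Users,{base_dn}"))

if __name__ == "__main__":
    print(agdlp_ldif(), end="")  # save as groups.ldf, then: ldifde -i -f groups.ldf
```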
