Showing posts with label Group Policy. Show all posts

Windows Seven God Mode

Enable the Windows 7 God Mode control panel:

1. Create the folder.

First, create a new folder. For this example, I am simply doing this on my desktop via the right-click context menu.

2. Rename the folder with the specific string.

Rename the folder to exactly: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}. If this string is not included in the folder name, the Easter egg will not work as expected.

Copy & Paste:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

3. Verify functionality.

Once the folder has been renamed, Windows recognizes the specific key we've included in the name and changes its appearance and functionality. Interestingly, hovering over the folder with the cursor still shows that the item behaves as a folder within the operating system, yet opening it displays a new and previously hidden control panel.

There are 266 system administration related tasks, items, and locations you can now access easily and readily, all from this single control panel. They are sorted into collapsible sections of a list view, and allow you to quickly set only the preferred system tasks, tools, and utilities to be seen within your view.


Network File Sharing in Windows 7

12:50 PM by Yash Kalra 0 comments

Windows 7 Ultimate users, READ THIS:

Microsoft has amped-up their new operating system with some new security standards, which notably fix their aging Samba (SMB) Windows File Sharing protocol. By default, Windows Seven comes pre-configured to only communicate with other file sharing clients and servers which are also using the new beefed-up and more secure version of the Samba file sharing protocol. Because of this, it will not properly communicate with computers running older versions of Samba (SMB) Windows File Sharing protocol.

Restore your file sharing capabilities with older Windows File Sharing computers including but not limited to Windows Vista, Windows XP, Windows 2000, Windows 95/98/ME, and even Linux distributions running the SMB service.

1. To start us out, you need to go to your Start Menu, and search for "Local Security Policy". When it comes up, don't click it straight away. Right click, and say "Run as Administrator".

"Start - Local Security Policies"

2. Select Local Security Policies from the Directory Tree on the left, and then beneath that, select Security Options.

"Local Security Policies - Local Policies - Security Options"

3. Under the policy browser select and open "Network security: Minimum session security for NTLM SSP (including RPC based) Clients".

"Network Security - Minimum session security for client."

4. Uncheck both boxes so that neither "Require NTLMv2 session security" nor "Require 128-bit encryption" is checked. Apply the settings and close that window.

"Un-check the box "require minimum security" for clients."

5. Below the currently selected policy in the policy browser, select and open "Network security: Minimum session security for NTLM SSP (including RPC based) Servers". Again, uncheck both boxes so that neither "Require NTLMv2 session security" nor "Require 128-bit encryption" is checked. Apply the settings and close that window.

"Uncheck the "require encryption" box for servers, and apply the changes."

6. In the Security Policies browser for Local Security Policies - Security Options, locate and open the policy "Network security: LAN Manager authentication level".

"Network Security - Lan manager authentication level."

7. In the drop-down selector for this policy's options, locate and select the option "Send LM & NTLM - use NTLMv2 session security if negotiated". Click Apply, and close out of all policy management windows.

"Set the lan manager authentication level to "Send LM and NTLM responses."

After changing these settings, you should be able to access any SMB server, assuming that you've properly configured the server itself to allow you to connect to it.

Windows 7 Home Premium users, READ THIS:

Windows 7 Home Premium users do not have the ability to follow the above instructions.

FOR HOME EDITION
1. Open Registry Editor (Start search - regedit).
2 . Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Create a new DWORD value with the following properties:
NAME: LmCompatibilityLevel
VALUE: 1
4. Restart your PC and try the connection again…

If you are still having trouble after doing this, double check that the machine you are connecting to has its Samba file sharing configured properly as well, that your network connection on both computers is solid and configured properly, and that if you are running any firewalls on either machine, you have set them up properly to allow for Windows Samba File Sharing on the network.

Note to Linux Users: The new NTLMv2 protocol in Windows Seven has been known to cause the Samba server process on a Linux operating system to hang and/or crash when receiving attempted communication from an NTLMv2-enabled client. You may need to restart the samba service on your Linux server if you have previously attempted to connect from an NTLMv2 client (such as Windows Seven).

Source


Windows Cannot connect to the printer. Access is denied. when add Printer on Windows Vista and Windows 7

When you use a user account and Connect to Printer

Error : " Windows Cannot connect to the printer. Access is denied. "

To resolve this issue, you need to go into the local group policy on the Windows 7 machines.
Note: User must be an administrator in order to open the Local Group Policy Editor

Click on Start button, type gpedit.msc in the Start Search box, and then press ENTER. Press Yes if User Account Control (UAC) dialog prompts.

Go to Group Policy:
Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions | SET TO DISABLED
Restart your computer


Enable Multiple Concurrent Remote Desktop Connections or Sessions in Windows XP

Windows XP Professional and Windows XP Media Center Edition (MCE) have a Remote Desktop (RDP) service that allows the computer to be remotely connected to, accessed and controlled from another computer or host. However, a Windows XP machine allows only one concurrent remote desktop connection from a single user, with no support for multiple remote desktop sessions or connections.

Whenever a remote user uses the Remote Desktop Connection (RDC) client to connect to a Windows XP host, the local user is disconnected and the local console screen is locked, with or without his or her permission. Remote Desktop, unlike Terminal Server Services in Windows 2000, Server 2003 and Server 2008, is designed for single-user use only, whether the user is local or remote.

Here's a hack to unlock the single-user limitation and enable support for multiple concurrent remote desktop connection sessions in Windows XP Professional and Media Center Edition, using either a patched termsrv.dll or the old patched, cracked termsrv.dll build version 5.1.2600.2055, so that unlimited users can simultaneously connect to a computer via Remote Desktop.

  1. Download a copy of patched termsrv.dll (in ZIP file) which has the Remote Desktop connection limitation deactivated for your version of Windows XP:

    Windows XP RTM, SP1 and SP2: termsrv.dll (version 5.1.2600.2055)
    Windows XP SP2: termsrv.dll (version 5.1.2600.2180)
    Windows XP SP3: termsrv.dll (version 5.1.2600.5512)

    For information, the termsrv.dll patch normally has the following HEX code bits overwritten with following value:

    00022A17: 74 75
    00022A69: 7F 90
    00022A6A: 16 90

  2. Restart the computer and boot into Safe Mode by pressing F8 during initial boot up and selecting Safe Mode. This step is only required if you're currently running Windows Terminal Services or the Remote Desktop service, and System File Protection has to be skipped and bypassed; otherwise it will prompt with the following error message to restore the original termsrv.dll.

    Windows File Protection

  3. Go to %windir%\System32 and make a backup copy (or rename) the termsrv.dll.
  4. Rename or delete the termsrv.dll in the %windir%\System32\dllcache folder.
  5. Copy the downloaded termsrv.dll into %windir%\System32, %windir%\ServicePackFiles\i386 (if it exists) and %windir%\System32\dllcache.
  6. Then download and run ts_multiple_sessions.bat (in a ZIP file) to merge the registry values into the registry, or run Registry Editor to manually add the following registry values:

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]
    "EnableConcurrentSessions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "EnableConcurrentSessions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "AllowMultipleTSSessions"=dword:00000001

  7. Click on Start Menu -> Run command and type gpedit.msc, followed by Enter, to open up the Group Policy Editor.
  8. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.
  9. Enable Limit Number of Connections and set the number of connections to 3 (or more). The setting allows more than one user to use the computer and be logged on at the same time.
  10. Ensure the Remote Desktop is enabled in System Properties' Remote tab by selecting the radio button for Allow users to connect remotely to this computer.
  11. Enable and turn on Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.
  12. Restart the computer normally.

Note that if you cannot replace or overwrite termsrv.dll because of an access denied or file in use error, turn off "Terminal Services" in the "Services" control panel of "Administrative Tools". Besides, each connecting user must have their own user account on the target host, and must authenticate with their own user name and password credentials.

To uninstall and revert back to original termsrv.dll, simply delete the patched version, and rename the backup copy back to "termsrv.dll". You probably have to do it in Safe Mode if the Terminal Services is enabled and running.

If the Windows XP computer is connected to a domain on a local network, Windows will set the value of the regkey "AllowMultipleTSSessions" to "0" every time the computer is restarted. To ensure that multiple or unlimited Remote Desktop connection sessions are allowed in an AD domain environment, the value data for "AllowMultipleTSSessions" has to be set to "1" on each system startup. To change the value, simply rerun ts_multiple_sessions.bat every time the computer is started. Alternatively, put ts_multiple_sessions.bat in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder so that it is run automatically when the first user with administrative privileges logs on to the desktop. Another workaround is to install an additional service or define a sub-key in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry branch that runs the registry batch file automatically on boot up; this is useful if nobody will log on to the computer but the hack is still required to allow unlimited Remote Desktop users to work.

Another issue is that if user closes the remote connection instead of logging off, when he or she tries to log back in, an error message related to TCP/IP event ID 4226 may occur. To resolve the issue, download and apply the Windows XP TCP/IP connection limit and Event ID 4226 patch, and set the connections to at least 50.


Enable and Allow Windows XP and Vista Remote Desktop Login Without Password (or With Blank Null Password)

4:30 PM by Yash Kalra 0 comments

When attempting to establish a Remote Desktop connection to a remote Windows XP or Windows Vista computer in order to log on to the machine remotely, the logon may be rejected, with the Remote Desktop client returning one of the following error messages.

Your credentials did not work.

or,

Unable to log you on because of an account restriction.

or,

An authentication error has occurred.
The Local Security Authority cannot be contacted

Remote Computer: xxxxx

By default, Windows XP and Windows Vista do not permit a user account without a password set, or a user name with a blank (null) password, to connect and log in remotely via Remote Desktop Protocol (RDP).

The obvious resolution is to create and set a password for the user account that needs to log on remotely to a computer via Remote Desktop, and this is recommended for security reasons too. However, users who for some reason, such as convenience, are unable to assign a password to the user account can use the following workaround to allow the user to log in remotely via the Remote Desktop Connection (RDP) client to a Windows XP or Windows Vista PC.

How to Enable Remote Login via Blank Passwords using Local Security Policy or Group Policy Editor

The configuration to enable null (blank) password logon must be done on the host computer, i.e. the remote computer to be remotely controlled. To configure the Remote Desktop host computer to accept a user name with a blank password, go to Control Panel -> Administrative Tools (under System and Maintenance in Windows Vista) -> Local Security Policy. Alternatively, run GPEdit.msc (Group Policy Editor).

Then, expand Security Policies -> Local Securities -> Security Options (for user using Group Policy Editor or GPEdit.msc, expand Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). Locate Accounts: Limit local account use of blank passwords to console logon only policy, and set its value to Disabled.

Allow Remote Desktop Connection via User with Blank Passwords

Once the policy is disabled, user accounts with blank or null passwords can log in remotely, instead of only being able to do so via the local console.

How to Configure Blank Passwords Allowed for Remote Log On via Registry

Windows XP and Windows Vista store the value of the policy set above in a registry value named "LimitBlankPasswordUse". To remove the restriction that prevents Remote Desktop logon with a user account without a password, simply set the value data for LimitBlankPasswordUse to 0 (so that there is no limit on blank or null password use), as in the code below. Alternatively, copy and paste the following text into a text file, and save it with a .reg extension. Then run the .reg file to merge the value into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

For convenience, two registry files have been created and are available for free download, which will enable or disable the use of a blank password (or absence of a password) to log in remotely. Download BlankPasswords.zip and run EnableBlankPasswords.reg to enable or DisableBlankPasswords.reg to disable remote login via blank password.

The trick works on both 32-bit and 64-bit operating systems.


How to Disable and Turn Off UAC in Windows 7

4:08 PM by Yash Kalra 0 comments

The user interface of the User Account Control (UAC) settings in Windows 7 has changed to reflect the move to make UAC less annoying, give users more control and take a more user-friendly approach. In Windows 7, UAC has a slider bar which allows users to configure and select which level of notification (and hence protection against unauthorized and malicious access) they want. With the fine-tuning of UAC, the wording 'disable' or 'turn off' is no longer available. So how can you disable UAC? Or at least, how can you turn off the notification prompt or pop-up so that it appears less regularly?

In fact, the steps to disable UAC in Windows 7 are similar to the steps to disable UAC in Windows Vista, with only a slight user interface change, and there are plenty of methods to turn off UAC too.

Method 1: Disable or Turn Off UAC (User Account Control) in Control Panel

  1. To use Control Panel to disable UAC in Windows 7, there are several methods to access the User Account Control settings page:
    1. Go to Start Menu -> Control Panel -> User Accounts and Family Safety -> User Account.
    2. Go to Start Menu -> Control Panel -> System and Security -> Action Center.
    3. Click or right click on Flag icon in notification area (system tray), and then Open Action Center.
    4. Type "MsConfig" in Start Search to start System Configuration, then go to Tools tab, select Change UAC Settings, then click on Launch button.
  2. Click on User Account Control settings link.

    Accessing Windows 7 UAC in Control Panel

  3. Slide the slider bar to the lowest value (towards Never Notify), with description showing Never notify me.

    Disable UAC in Windows 7

  4. Click OK to make the change effective.
  5. Restart the computer to turn off User Account Control.

Method 2: Disable UAC with Registry Editor (RegEdit)

  1. Run Registry Editor (RegEdit).
  2. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

  3. Locate the following REG_DWORD value:

    EnableLUA

  4. Set the value of EnableLUA to 0.
  5. Optional step to suppress UAC consent prompt dialog, locate the following REG_DWORD value:

    ConsentPromptBehaviorAdmin

  6. Set the value of ConsentPromptBehaviorAdmin to 0 (optional).
  7. Exit from Registry Editor and restart the computer to turn off UAC.

Method 3: Turn Off UAC Using Group Policy

For Windows 7 Ultimate, Business or Enterprise editions, which have Local Group Policy, or computers joined to a domain with Active Directory-based GPO, group policy can be used to disable UAC for the local computer or for many computers across large networks at once.

  1. Enter GPedit.msc in Start Search to run Local Group Policy editor. (Or gpmc.msc to run Group Policy Management Console for AD-based domain GPO editor).
  2. Navigate to the following tree branch:

    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

    In GPMC, browse to the required GPO which is linked to the domain or OU where the policy wants to apply.

  3. Locate the following policy in the right pane:

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    Set its value to Elevate without prompt.

  4. Locate the following policy in the right pane:

    User Account Control: Detect application installations and prompt for elevation

    Set its value to Disabled.

  5. Locate the following policy in the right pane:

    User Account Control: Run all administrators in Admin Approval Mode

    Set its value to Disabled.

  6. Locate the following policy in the right pane:

    User Account Control: Only elevate UIAccess applications that are installed in secure locations

    Set its value to Disabled.

    Disable UAC with Group Policy

  7. Restart the computer when done.

Method 4: Using Command Prompt to Disable User Account Control

The command line option can also be used in batch script command files, i.e. .bat and .cmd files, providing greater convenience to advanced technical users. In fact, the commands, which are also used to disable or enable UAC in Vista, do the same thing as directly modifying the registry.

  1. Open an elevated command prompt as administrator.
  2. To disable the UAC, run the following commands:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

    and optionally, the following command to suppress all elevation consent requests and notifications:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

    Tip: To re-enable UAC, the command is:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

    and to turn on prompt for consent UI:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f

Disabling UAC may cause gadgets to stop working in Windows 7. Users facing this issue can use another workaround to suppress User Account Control.


Turn Off or Disable User Account Control (UAC) in Windows Vista

3:42 PM by Yash Kalra 0 comments

User Account Control (UAC) is a new security feature in Windows Vista that requires all users to log on and run in standard user privileges mode instead of as administrator with full administrative rights, thus preventing unauthorized or accidental changes that could destabilize the computer, or that allow viruses and malware to exploit the system-level privileges provided to the local administrator to attack network security, compromise computer safety and privacy, and damage files and settings in the network. However, in a lot of cases, administrator rights are needed by end-users to perform certain tasks such as installing or updating programs and performing typical system-level tasks. Besides, many software applications also need administrator privileges to run properly without conflicts, as they are designed to write to system locations during normal operation, and a computer in a locked-down state in which users operate in standard user mode severely limits user productivity.

In Windows Vista, whenever a standard end-user requires administrator privileges to perform certain tasks such as attempting to install an application or write to the registry, Windows Vista will display a UAC credential prompt to notify the user that the credentials of an administrator user account are needed for authorization or permission, thus reducing the chance that the user can accidentally make modifications to Vista system files or settings, and eliminating the ability for a virus or malware to invoke administrator privileges without the user's knowledge. Even for a domain or local administrator, with UAC turned on and enabled, most applications, components and processes will run with limited privileges, but have "elevation potential" or Administrator Approval Mode, where administrators must give consent through a User Account Control consent prompt.

UAC credential prompt
User Account Control Administrator Credential Prompt

UAC consent prompt
User Account Control Consent Prompt

However, these security clearance and prompting processes may be felt by a lot of users to be too troublesome, and sometimes annoying, especially when you're the only user of the computer and have all the latest anti-virus and anti-spyware utilities installed and updated. User Account Control is enabled by default in Windows Vista, so you will have to turn off and disable User Account Control yourself. However, Microsoft recommends that users do not turn off UAC, for security reasons.

There are a few ways to turn off UAC, but most home and personal users should find the method of disabling UAC via Control Panel the easiest.

Method 1 - Using Control Panel

  1. Click Start and then open Control Panel.
  2. In the Control Panel, click User Accounts and Family Safety.
  3. Click User Accounts.
  4. Click Turn User Account Control on or off.

    Disable UAC

  5. Clear the tick or check mark on the box beside the Use User Account Control (UAC) to help protect your computer option.

    Uncheck UAC

  6. Click OK.
  7. When prompted, restart the computer. Note that the changes will affect all users on the computer.
  8. To enable the UAC, simply tick or select the checkbox again.

Method 2 - Using Control Panel on Single User

A method similar to Method 1, but accessing UAC via a user account.

  1. Click Start and then open Control Panel.
  2. In the Control Panel, click User Accounts and Family Safety.
  3. Click on Add or remove user account option.

    Add or Remove User Accounts

  4. Click to select any user account.
  5. Click Go to the main User Account page.
  6. Click Change security settings under "Make changes to your user account" section.

    Change security settings

  7. Clear the tick or check mark on the box beside the Use User Account Control (UAC) to help protect your computer option.

    Uncheck UAC

  8. Click OK.
  9. When prompted, restart the computer. Note that the changes will affect all users on the computer.
  10. To enable the UAC, simply tick or select the checkbox again.

Method 3 - Using Registry Editor

  1. Run Registry Editor by typing "regedit" in Start Search or command prompt.
  2. In Registry Editor, navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

  3. Locate the following DWORD registry subkey in the right pane:

    EnableLUA

  4. Right click and choose Modify, or double click on EnableLUA, to modify the setting. At the value prompt, set the new value to 0.
  5. Exit from Registry Editor.
  6. Restart the computer.
  7. To enable the UAC again, simply change back the value of EnableLUA to 1.

Method 4 - Using MsConfig System Configuration

  1. Run MsConfig from Run option.
  2. In System Configuration window, click on the Tools tab.
  3. Scroll down and locate "Disable UAP" or "Disable UAC" option item. Click on that line.

    UAC settings in MSconfig

  4. Click the Launch button.
  5. A command prompt window will open and automatically execute and run certain process to disable UAC.
  6. Close CMD window when done.
  7. Close Msconfig.
  8. Restart the computer for the changes to take effect.
  9. To re-enable UAC, simply select "Enable UAP" or "Enable UAC" instead of "Disable UAP" or "Disable UAC", and then click on Launch button.

Method 5 - Using Group Policy

If you're an IT administrator or system administrator who manages many Windows Vista computers or clients, group policy can be an effective and easy way to enable or disable UAC on a group of computers at once. To disable UAC, either Local Group Policy or Active Directory GPO can be used.

  1. Click Start -> Run.
  2. Type gpedit.msc and click OK to open the Group Policy Editor.

    Note: If you're using Active Directory Domain GPO which controls many computers, open Group Policy Management Console by click on Start -> Run, then type gpmc.msc and click OK from a Windows Vista computer that is a member of the AD domain. In the Group Policy Management Console (GPMC) window, browse to the respective GPO which is linked and enabled to the OU (organization unit) or domain where the Vista computers are located, then edit it.

  3. Navigate and browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  4. In the right details pane, locate the User Account Control policies.
  5. Right click each of the following policies and configure or change the value as indicated below after the dash (-):

    * User Account Control: Detect application installations and prompt for elevation - Disabled
    * User Account Control: Behavior of the elevation prompt for standard users - No prompt
    * User Account Control: Run all administrators in Admin Approval Mode - Disabled

  6. Restart the computer.

Method 6 - TweakUAC

TweakUAC allows users to easily turn UAC on or off with a single click, or put UAC into silent mode, where all admin users will be automatically elevated when needed.

This article has been updated and reposted to Tip and Trick.

Note: After UAC is disabled and turned off, a little red X shield icon of Windows Security Center appears in the notification area.
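
The registry values changed in the posts above (LmCompatibilityLevel and LimitBlankPasswordUse under Lsa, EnableConcurrentSessions, and EnableLUA / ConsentPromptBehaviorAdmin under Policies\System) can be checked from a .reg export of a machine. The Python script below is an added example, not part of the original posts: the export text is constructed, and the NtlmMinClientSec / NtlmMinServerSec names and bit masks are the registry form of the two "Minimum session security" checkboxes, which the file sharing post only changes through the policy editor.

```python
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

LSA = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
UAC = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
TS_LIC = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core'

# Bits behind the two "Minimum session security for NTLM SSP" checkboxes.
MIN_SEC_BITS = ((0x00080000, 'NTLMv2 session security'),
                (0x20000000, '128-bit encryption'))


def check_lm_level(v):
    # Levels 0-2 still send LM and/or NTLMv1 responses; 3 and up send NTLMv2 only.
    if v < 3:
        return 'level %d still sends LM/NTLMv1 responses (3+ sends NTLMv2 only)' % v


def check_min_sec(v):
    missing = [label for bit, label in MIN_SEC_BITS if not v & bit]
    if missing:
        return 'does not require ' + ' or '.join(missing)


def flag_if(bad, message):
    return lambda v: message if v == bad else None


TS_MSG = 'concurrent RDP sessions tweak; verify termsrv.dll against a known-good copy'
RULES = {(key.lower(), name.lower()): rule for key, name, rule in [
    (LSA, 'LmCompatibilityLevel', check_lm_level),
    (LSA + r'\MSV1_0', 'NtlmMinClientSec', check_min_sec),
    (LSA + r'\MSV1_0', 'NtlmMinServerSec', check_min_sec),
    (LSA, 'LimitBlankPasswordUse', flag_if(0, 'blank-password accounts can log on remotely')),
    (UAC, 'EnableLUA', flag_if(0, 'UAC is turned off')),
    (UAC, 'ConsentPromptBehaviorAdmin', flag_if(0, 'administrators elevate without a prompt')),
    (TS_LIC, 'EnableConcurrentSessions', flag_if(1, TS_MSG)),
    (WINLOGON, 'EnableConcurrentSessions', flag_if(1, TS_MSG)),
]}


def decode_export(data):
    """regedit writes version 5.00 exports as UTF-16 with a BOM; accept str too."""
    if isinstance(data, str):
        return data
    if data[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return data.decode('utf-16')
    return data.decode('utf-8-sig')


def normalize_key(key):
    """Registry paths are case-insensitive; ControlSet00N mirrors CurrentControlSet."""
    key = re.sub(r'^HKLM(?=\\)', 'HKEY_LOCAL_MACHINE', key.strip(), flags=re.I)
    key = re.sub(r'\\ControlSet\d{3}(?=\\)', r'\\CurrentControlSet', key, flags=re.I)
    return key.lower()


def audit_reg(data):
    """Return (key, value name, dword, finding) for every weakened setting found."""
    findings, key = [], None
    for raw in decode_export(data).splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if not (m and key):
            continue  # header line, blank line, or a non-DWORD value
        name, value = m.group(1), int(m.group(2), 16)
        rule = RULES.get((normalize_key(key), name.lower()))
        message = rule(value) if rule else None
        if message:
            findings.append((key, name, value, message))
    return findings


# Constructed sample export from a host where the tweaks on this page were applied.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001
"LimitBlankPasswordUse"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00000000
"NtlmMinServerSec"=dword:20080000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions"=dword:00000001
'''

if __name__ == '__main__':
    for key, name, value, message in audit_reg(SAMPLE_REG):
        print('%s\\%s = 0x%08x: %s' % (key, name, value, message))
```

Only DWORD values are inspected, and a value that is absent from the export is not reported, so a clean result means none of the listed values is set to a weakened state, not that every setting is at its default.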


How to Enable the Registry Editor When Disabled by Administrator

3:37 PM by Yash Kalra 0 comments

Registry Editor, the main registry editing tool included in all versions and editions of the Windows operating system, can be disabled, blocked and locked to prevent RegEdit from being run or executed by users, in order to protect the important system registry. Another possibility is that Registry Editor has been disabled by a virus or worm such as W32/Brontok-C.

When Registry Editor is disabled, the user cannot open or run Registry Editor anymore. Any attempt to run RegEdit.exe will return the error "Registry editing has been disabled by your administrator". Hence it's impossible to remove the restriction on Registry Editor usage by using Registry Editor itself. However, it's possible to use various workarounds to directly edit the registry to remove the policy that blocks Registry Editor usage.

Registry editing has been disabled by your administrator

Enable Registry Editor using Local Group Policy Editor

Users of Windows XP Professional, Windows Vista Ultimate, Windows Server 2003 or 2008, which include the Local Group Policy Editor, who have access to an administrative user account can change the registry editor options in the Local Group Policy Editor.

  1. Click on Start -> Run (or Start Search in Windows Vista).
  2. Enter GPEdit.msc and then press Enter.
  3. Navigate to the following location:

    User Configuration -> Administrative Templates -> System

  4. In the Settings pane, locate the Prevent access to registry editing tools option, and then double-click on it to open the settings dialog.
  5. Select Disabled or Not Configured.
  6. Click on OK button.
  7. Try to run RegEdit.exe, and if required (still blocking yet), restart the computer.

VBS Script to Enable or Disable Registry Editor

Doug Knox has created a .vbs VB script that is able to toggle between enabling and disabling the Registry Editor. Right click to download and save regtools.vbs into a folder. Then double click on the VBS file to run it.

The regtools.vbs VB script file will check for the appropriate value related to disabling/enabling of Registry Editor. If the registry key is not found, the key will be created to disable Registry Editor. If the value is found, it will be toggled to its opposite state and you will be informed that you need to log off and log back on or restart your computer. All changes by the script are made in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

UnHookExec.inf by Symantec to Reset Registry Values to Default Settings

In many cases, Registry Editor is disabled by a virus, worm or Trojan, which attempts to stop the user from fixing its changes to the registry, which normally affect one or more of the shell\open\command keys. For example, if the exefile\shell\open\command key is changed, the virus, worm or Trojan threat will run each time that the system runs any .exe file. As such, Symantec created an .inf script tool to reset these registry values to their default settings.

WARNING: UnHookExec.inf will reset registry keys and values related to the BAT, COM, EXE, PIF, REG and SCR extensions, besides re-enabling the Registry Editor. Hence, users who just want to re-enable the Registry Editor have to manually modify the .inf file to remove the unnecessary commands.

Download the file UnHookExec.inf and save it to your Windows desktop.

Right-click the UnHookExec.inf file and click Install. Action will be taken immediately. No display, notice or dialog boxes will appear before or after running. Try to run RegEdit.exe again, and restart the PC if it's still blocked.


Install RDP Client via GPO

How can I install the Remote Desktop Connection 5.2 client by use of GPO (Group Policy Objects)?

RDP (Remote Desktop Protocol) client is the client-side component of the Terminal Server connection. In order to allow a client to connect to a TS, the client needs to install the RDP client on their machine.

The RDP client can be installed by use of one of 3 methods:

  • Local manual installation

  • Login script initiated script

  • Group Policy initiated installation

In this article we will focus on the 3rd option. Naturally, the steps described here will also work for any other software installation, as long as it is packaged as an .MSI file.

System requirements

In order to install (anything) via GPO you will need the following:

  • Active Directory in place (Windows 2000/2003 AD)

  • Client machines that are part of the domain

  • Client machines running W2K and beyond.

  • Proper administrative rights

Note: In case you cannot install the RDP client on the computer you're working at (in situations where you don't have the necessary rights for example) you can still connect to the TS by using the Remote Desktop Web Connection component. Read Download Remote Desktop Web Connection for Windows Server 2003 and Install Remote Desktop Web Connection on Windows Server 2003 for more info.

Obtaining the RDP client installation file

One of the best TS clients is the Microsoft RDP client (others exist, but we won't discuss them here). The RDP client was first introduced in Windows XP (version 5.1), and was later upgraded (version 5.2 in SP2 and Windows Server 2003). Last year RDP client was upgraded to the latest version -

(Note the new Security tab and the version number)

You can get the new RDP version from any Windows Server 2003 SP1 installation - look for it in the %systemroot%\system32\clients\tsclient folder.

If you don't have a Windows Server 2003 computer accessible, you can also download the file from Microsoft's site (Download RDP 5.2 (Old Version)), but after downloading it you will need to extract its content.

Extract the msrdpcli.msi file from the archive

As said above, after obtaining the file called msrdpcli.exe from Microsoft's website you will now need to extract the files from it. In order to do so you should install some 3rd-party extracting tool such as WinZip or WinRAR.

Lamer note: You do NOT need to perform the following action if the file you've obtained is already named msrdpcli.msi.

Navigate to the folder where you've placed the msrdpcli.exe file, and right-click it:

Choose either the WinZip or the WinRAR context menu and select the command that'll extract the files from the archive.

You will find a few files that were extracted from the archive. We do not need them for this guide, however you do need to copy the one file called msrdpcli.msi. The file's size and attributes may vary as there are at least 3 versions of the RDP client. The latest version that can be freely downloaded from Microsoft's site is v5.2.3790.0. This version's size is 922kb.

In case you've copied the msrdpcli.msi file directly from the %systemroot%\system32\clients\tsclient folder on a Post SP1 Windows Server 2003 computer, the file's version will be v5.2.3790.1830 and its size will be 959kb. This is currently the latest version available, and it can also be obtained from the Download RDP 5.2 page.

Whatever version you're using, just copy it. We will need it in a second.

Creating the installation point

You will need to create a network share and place the msrdpcli.msi file in it. You could do so on one of your servers (you could use one of your Domain Controllers, depending on the number of clients on your network).

Let's assume you're using one server called zeus and that the network share you'll create will be located on that server. Let's assume that server is also a Domain Controller.

  1. Open Windows Explorer, navigate to one of your partitions, create a folder (I'll call it RDP Client, just for the purpose of this article).
  2. Right-click that folder and choose Sharing and Security.
  3. Give the share a name. It's best to use a short name of less than 8 characters, but you can use any name you want. You can also add a $ sign after the name in order to hide the share from curious eyes (note that this however won't protect the share's content, it will only hide it from unknowing users). I've named the share RDP_Client$.
  4. Grant the Everyone group Read access for the share. On Windows Server 2003 this is the default. You do not need more than that in order for the users to be able to install the software.
  5. Click OK all the way out.
  6. Check to see if the share is accessible from the network by typing \\servername\sharename (in our case - \\zeus\RDP_Client$). If the share opens in a new window, we're set.
  7. Needless to say, you need to paste the msrdpcli.msi file in that share, duh...

Note that in some cases, with a large network containing many users, one installation point won't be enough. You will then need to use some load balancing method such as DFS (Distributed File System) and replicas of the content inside, but that's for a different article.
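Since the $ suffix only hides the share and clients install whatever file sits in it, it is worth confirming that nobody outside the administrators can replace the package. The following is an added example, not part of the original article: a read-only PowerShell audit of the installation point. zeus, RDP_Client$ and msrdpcli.msi are the article's names; the function name, the list of "broad" principals and the availability of Get-SmbShareAccess (Windows Server 2012 or later) are assumptions.

```powershell
# Added example (not from the article): read-only audit of the installation point.
# zeus, RDP_Client$ and msrdpcli.msi are the article's names; the "broad principal"
# list is an assumption to adapt. Get-SmbShareAccess needs Windows Server 2012+.
function Test-InstallPoint {
    param(
        [string]$Server  = 'zeus',
        [string]$Share   = 'RDP_Client$',
        [string]$Package = 'msrdpcli.msi'
    )
    $root = "\\$Server\$Share"
    $msi  = Join-Path $root $Package

    # NTFS rights that would let a principal replace or tamper with the package.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x50000000   # GENERIC_WRITE | GENERIC_ALL, seen in some inherited ACEs
    # Everyone, Authenticated Users, BUILTIN\Users, Domain Users, Domain Computers
    $broad = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-51[35])$'

    $ntfs = foreach ($target in $root, $msi) {
        $rules = (Get-Acl -LiteralPath $target).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -match $broad -and
                ([int]$ace.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Path = $target; Sid = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }

    # Share-level ACL: the article grants Everyone Read; list anything beyond that.
    $shareAces = Get-SmbShareAccess -Name $Share -CimSession $Server |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' }

    $sig = Get-AuthenticodeSignature -LiteralPath $msi
    [pscustomobject]@{
        Package         = $msi
        Sha256          = (Get-FileHash -LiteralPath $msi -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        WritableByBroad = @($ntfs)
        ShareBeyondRead = @($shareAces)
    }
}

Test-InstallPoint | Format-List
```

An empty WritableByBroad list and only administrative entries in ShareBeyondRead match the article's setup; keep the SHA-256 so a later change to the package can be noticed.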

Choosing computer account or user account-based installation

The next decision you need to make is whether to install the software on the computers based on the computer's account location, or based upon the user's account location. For example, if in your AD infrastructure you have an OU called Workstations OU, an OU called Sales OU and a third one called IT OU:

Let's say you decided to configure the software to be installed for all the users in the Sales OU. Then the GPO will need to be linked to the Sales OU, and the software will need to be configured on the User Configuration part of that GPO:

You will now link this GPO to the Sales OU (or to the IT OU, or to both, depending on your choice). If you choose this option, the software can be installed in one of two methods:

  • Published - Which means that it won't be actually installed, the user will need to manually install it from the Add/Remove Programs applet in the Control Panel.
  • Assigned - Which means the software will "seem" to be installed, it will show in the Programs folder on the Start menu, but it won't actually do anything. The first time a user clicks the shortcut, it will automatically be installed.

However, if you choose to install the software for all the computers in the company, and these computers have their computer accounts in the Workstations OU, then you will need to configure the software installation on the Computer Configuration part of that GPO:

As a "bonus" of this option you will also get the added value of installing the software as a mandatory installation to the computer, and it will be installed during the computer's booting, right before the CTRL-ALT-DEL screen appears. That means that software installed to the Computer Configuration part of the GPO can only be Assigned, and not Published, as with the User Configuration option. However, unlike the Assigned option in the User Configuration, the software will fully install itself and not "wait" for the first use of it by the user.

You will then have to link this GPO to the Workstations OU.

Creating or editing the Group Policy Object (GPO)

You will now need to decide what scope your GPO will cover. For example, will you need to install the software for ALL your users/computers, or just for some of them, according to some internal company logic? Based upon your design you will need to either edit an existing GPO, or create and edit a new one. This GPO will need to be linked to the right OU, or to the entire domain or site, depending on your design. I will not go into this area in this article, perhaps in a future one.

Let's say you need to create a new GPO and want to link the new GPO to the Sales OU:

  1. Open Group Policy Management Console (GPMC). You don't have GPMC yet? Bad boy! Read Download GPMC for more info.
  2. Expand the domain tree, right-click Group Policy Objects, and choose New.
  3. Enter a descriptive name for the new GPO, press OK.
  4. Right-click the new GPO and select Edit.
  5. In the new GPO editor window select either the Computer Configuration part of the GPO or the User Configuration part of the GPO, depending on the choice you made in the previous step. Expand it, go to Software Settings > Software Installation. Right-click Software Installation and choose New > Package. (I chose the User Configuration option.)
  6. In the Open window, make sure you manually type in the full network path (UNC path) to the installation point (to remind you, in our case it's \\zeus\RDP_Client$). Do NOT make the mistake of browsing to the local location of the file, you MUST provide the network path to the share. This is where the msrdpcli.msi file is supposed to be waiting for you. Click to select the file, then click Open.
  7. In the Deploy Software window click on the right choice based on the decision you made in the previous step. I chose Assigned.
  8. The new installation package will appear in the right pane.

That's it, you're done.

Now, in order for the new installation to work, you'll need to wait for AD replication to finish (depending on the size of your AD infrastructure, this can take anywhere from a few seconds to a day or two, but assuming you're using 2 or 3 DCs, this'll take a minute or less).

Next, ask your user(s) to reboot their computer. In some cases a refresh of the GPO (gpupdate /force) and/or a logoff will be enough, but we need to make sure.

Ask the user to look for a window saying "Software installation" right before the CTRL-ALT-DEL window appears (in case of a Computer-based installation), or right after it (in case of a User-based installation). Ask them to look for the program in the Start menu.

If something doesn't work right, you can begin to troubleshoot by looking at replication issues, permissions, GPO inheritance and filtering, and at event ids. But that's for a different article.


Group Policy Settings of Windows Server

Group Policies are a powerful tool for a Windows system administrator as they allow the administrator to manage computer and user accounts. It basically can be used to allow or disallow certain features and options of the operating system. Group Policies are usually used in corporate environments but also in organizations, schools and even in some homes.

Enter gpedit.msc into a run box or the start menu search form to start the Group Policy Editor. This will open up the Local Computer Policy view, which is separated into computer configuration and user configuration. It would take a long time to browse through all the menus and submenus offered in the editor.

That's why Microsoft has created an Excel spreadsheet that can be used as a reference for the Group Policy Settings in Windows and Windows Server which makes it a lot easier to locate the settings of interest.

Overview
Using column filters, you can filter the information in these spreadsheets by operating system, component, or computer or user configuration. You can also search for information by using text or keywords.

These spreadsheets include the following categories of security policy settings: Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy), Local Policies (Audit Policy, User Rights Assignment, and Security Options), Event Log, Restricted Groups, System Services, Registry, and File System policy settings. These spreadsheets do not include security settings that exist outside of the Security Settings extension (scecli.dll), such as Wireless Network extension, Public Key Policies, or Software Restriction Policies.

* Group Policy Settings Reference for Windows Server 2008 R2 and Windows 7: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (.admx/.adml) delivered with Windows Server 2008 R2 and Windows 7. The policy settings included in this spreadsheet cover Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista with SP1, Windows Server 2003 with SP2 and earlier service packs, Windows XP Professional with SP2 and earlier service packs, and Windows 2000 with SP4 and earlier service packs.
* Group Policy Settings Reference for Windows Server 2008 and Windows Vista Service Pack 1: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (.admx/.adml) delivered with Windows Server 2008 and Windows Vista with Service Pack 1 (SP1). The policy settings included in this spreadsheet cover Windows Server 2008, Windows Vista with SP1, Windows Server 2003, Windows XP Professional with SP2 or earlier service packs, and Windows 2000 with SP4 or earlier service packs.
* Group Policy Settings Reference for Windows Vista: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (.admx/.adml) delivered with Windows Vista with no service packs installed. The policy settings included in this spreadsheet cover Windows Vista, Microsoft Windows Server 2003, Windows XP Professional with SP2 or earlier service packs, and Windows 2000 with SP4 or earlier service packs.
* Group Policy Settings Reference for Windows Server 2003 Service Pack 2: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template (.adm) files and Security Settings that shipped with Windows Server 2003 with SP2. The policy settings included in this spreadsheet cover Microsoft Windows Server 2003 with SP2 or earlier service packs, Windows XP Professional with SP3 or earlier service packs, and Microsoft Windows 2000 with SP4 or earlier service packs.

This spreadsheet includes separate worksheets for each of the .adm files and the security policy settings that shipped in Windows XP SP3, a consolidated worksheet for easy searching, and an Update History worksheet that lists policy settings that have been added since the Windows Server 2003 operating systems were released.

The spreadsheet can be downloaded directly from the Microsoft website.
