Security
How can I enable users to set the Administrator password during a Remote Installation Services installation?
When you use the Microsoft Remote Installation Services (RIS),
by default the Administrator password is set to null (blank)
during the installation. You can, however, let the user set
a password during the final GUI portion of installation. Perform
the following steps:
- On the RIS server, open the .sif file of the installation
you want to modify. By default, this file is in the
RemoteInstall\Setup\[language]\Images\[folder name]\I386\Templates
folder with a name of Ristndrd.sif.
- Go to the [GuiUnattended] section of the .sif file, and
find the following line:
    AdminPassword = *
- Change this line to read as follows:
    AdminPassword = ""
- Save the change.
During installation, the system will prompt the user to type
an Administrator password. You should test this change to
ensure that it works correctly.
As a side note, instead of "" you could type a password (e.g.,
AdminPassword = "fred"), which sets the Administrator password
to the password you specify and doesn't prompt the user. However,
this password travels as clear text, so I don't recommend
this approach.
The Windows 2000 Resource Kit describes another option (although
not well!). You can use a Custom Installation Wizard (CIW)
and let the user type in a password. However, this approach
is quite complex.
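An added example (not part of the original FAQ): a Python audit that classifies the AdminPassword line of each RIS .sif template as blank, prompt or clear-text password, so templates that leave the account blank or embed a password can be found before deployment. The sample templates and function names are constructed for illustration.

```python
import configparser

# Constructed sample templates (not real RIS images), one per setting described above.
SAMPLES = {
    "default.sif": '[GuiUnattended]\nOemSkipWelcome = 1\nAdminPassword = *\n',
    "prompt.sif": '[guiunattended]\nAdminPassword = ""\nTimeZone = %TIMEZONE%\n',
    "fixed.sif": '[GuiUnattended]\n; set by helpdesk\nAdminPassword = "fred"\n',
    "other.sif": '[Unattended]\nOemPreinstall = no\n',
}

def classify_admin_password(sif_text):
    """Return 'blank', 'prompt', 'cleartext' or 'missing' for one .sif template."""
    # RawConfigParser: no %VAR% interpolation; ';' comment lines are skipped.
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.read_string(sif_text)
    for section in parser.sections():
        if section.lower() != "guiunattended":
            continue
        value = (parser.get(section, "adminpassword", fallback=None) or "").strip()
        if value == "*":
            return "blank"        # Administrator password left null
        if value == '""':
            return "prompt"       # user types a password during GUI setup
        if value:
            return "cleartext"    # literal password stored in the template
    return "missing"

def audit(templates):
    """Map template name -> finding, only for templates that need attention."""
    risky = {"blank": "Administrator password will be blank",
             "cleartext": "password stored and sent as clear text"}
    findings = {}
    for name, text in templates.items():
        state = classify_admin_password(text)
        if state in risky:
            findings[name] = risky[state]   # never echo the password itself
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLES).items():
        print(f"{name}: {finding}")
```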
How can I prevent users from changing their passwords except when Windows 2000 prompts them to?
You can configure your domain via a group policy so that
users can change their passwords only when the system prompts
them:
- Start the Microsoft Management Console (MMC) Active
Directory Users and Computers snap-in (Start, Programs,
Administrative Tools, Active Directory Users and Computers).
- Right-click the container (site/domain or organizational
unit—OU) you want to enforce the policy on, and select
Properties.
- Select the Group Policy tab.
- Select the policy and click Edit.
- Expand User Configuration, Administrative Templates,
System, Logon/Logoff.
- Double-click Disable Change Password, and on the Policy
tab, select Enabled.
- Click Apply, then OK.
- Close all dialog boxes.
- Refresh the policy with the following command:
C:\> secedit /refreshpolicy user_policy
You can also configure this feature on a per-user basis.
Perform the following steps:
- Start regedit.exe.
- Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.
- If the System key exists, select it. Otherwise create
it (Edit, New, Key, System).
- Under System, create a new value of type DWORD (Edit,
New, DWORD value).
- Type a name of DisableChangePassword, and press Enter.
- Double-click the new value, and set it to 1. Click OK.
- Close regedit.
You don't need to log off; the change takes effect immediately.
How can I stop a Windows 2000 upgrade overwriting special security settings?
When an NT installation is upgraded to Windows 2000, the security
defined in one of the following templates is applied:
- dwup.inf for Windows 2000 Professional upgrades
- dsup.inf for Windows 2000 Server upgrades
To stop these files overwriting your custom security settings,
you need to edit them, which means you need the files in a
central or local writable form for the upgrade:
1. Copy the appropriate template file (Dwup.inf for Professional
   or Dsup.inf for Server) from your Windows 2000 distribution
   share into the %WinDir%\Security\Templates folder on your
   local computer. It may be in unexpanded form in the I386
   folder, so you may need to expand it:
       D:\I386>expand dwup.in_ dwup.inf
       Microsoft (R) File Expansion Utility Version 5.00.2134.1
       Copyright (C) Microsoft Corp 1990-1999. All rights reserved.
       Expanding dwup.in_ to dwup.inf.
       dwup.in_: 17285 bytes expanded to 252850 bytes, 1362% increase.
       D:\I386>copy dwup.inf %windir%\security\templates
       1 file(s) copied.
2. Start Microsoft Management Console (Start - Run - MMC).
3. From the Console menu select Add/Remove Snap-in, click
   Add, click Security Templates, click Add, click Close,
   and then click OK.
4. Expand the Security Templates root, then the templates
   folder. You will see your copied template, e.g. dwup.inf.
5. Click the security area that you want to modify (Registry
   or File System).
6. In the result pane, a list of all of the registry keys
   or file system objects configured by the default upgrade
   template is displayed. Determine whether or not the object
   you want the upgrade to ignore is explicitly configured
   by the template, and then use one of the following:
   If the object you want the upgrade to ignore is not explicitly
   configured by the upgrade template, you must add it using
   the following steps:
      1. Right-click Registry or File System, and then click
         Add Key or Add File.
      2. Browse the dialog box to select the key or file system
         object you want to protect (for example, Machine\Software\DelOld).
         If the key, folder, or file does not exist on your computer,
         you can type the path to the object in the available box.
      3. Click OK to start the Access Control List (ACL) editor.
      4. Click OK again to accept the default security provided
         by the ACL editor.
      5. Click Do not allow permissions on this key\file to
         be replaced.
      6. Click OK to add the object to the template, and then
         go to step 7.
   If the object you want the upgrade to ignore is already
   explicitly configured in the upgrade template, modify
   it using the following steps:
      1. In the result pane, double-click the object you want
         to protect.
      2. Click Do not allow permissions on this key\file to
         be replaced, click OK, and then go to step 7.
7. In the result pane, the object you want the upgrade
   to ignore should now be listed with the Ignore property
   listed under both the permission and audit columns. Right-click
   the name of the template, and then click Save.
8. Copy the modified template back to the distribution
   share. If you had to expand the file, recompress it
   before copying it back to the distribution share:
       F:\WINNT\security\templates>compress dwup.inf dwup.in_
       Microsoft (R) File Compression Utility Version 5.00.2134.1
       Copyright (C) Microsoft Corp. 1990-1999. All rights reserved.
       Compressing dwup.inf to dwup.in_.
       dwup.inf: 251177 bytes compressed to 46002 bytes, 82% savings.
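An added example (not from the original FAQ or from Microsoft): a Python check to run on the edited template before recompressing it, confirming that each object you want the upgrade to leave alone is marked Ignore. It assumes the template stores objects in [Registry Keys] and [File Security] as "path",mode,"SDDL" lines with mode 1 meaning Ignore; the sample template, its placeholder SDDL strings and the function names are constructed.

```python
import csv

# Constructed excerpt in the assumed template layout; SDDL values are placeholders.
SAMPLE_TEMPLATE = r'''
[Unicode]
Unicode=yes
[Registry Keys]
"MACHINE\Software\DelOld",1,"D:AR"
"MACHINE\Software\Classes",2,"D:AR"
[File Security]
"%SystemDrive%\Apps",0,"D:AR"
'''

SECTIONS = ("registry keys", "file security")
IGNORE = 1  # assumed mode for "Do not allow permissions on this key\file to be replaced"

# Constructed list of objects the upgrade must not touch.
WANTED = [("Registry Keys", r"Machine\Software\DelOld"),
          ("Registry Keys", r"MACHINE\Software\Classes"),
          ("File Security", r"%SystemDrive%\Apps"),
          ("File Security", r"C:\Missing")]

def object_modes(template_text):
    """Return {(section, path_lowercased): mode} for every configured object."""
    modes, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section in SECTIONS:
            fields = next(csv.reader([line]))   # handles quoted paths with commas
            if len(fields) >= 2 and fields[1].strip().isdigit():
                modes[(section, fields[0].strip().lower())] = int(fields[1])
    return modes

def not_ignored(template_text, wanted):
    """List wanted (section, path) objects that are absent or not set to Ignore."""
    modes = object_modes(template_text)
    return [(s, p) for s, p in wanted
            if modes.get((s.lower(), p.lower())) != IGNORE]

if __name__ == "__main__":
    for section, path in not_ignored(SAMPLE_TEMPLATE, WANTED):
        print(f"NOT PROTECTED: [{section}] {path}")
```

If the template on disk is saved as Unicode, read it with `encoding="utf-16"` before passing the text to `not_ignored`.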