
Blog


    4/25/2006

    New stuff from Microsoft...

    Well, it's been forever since I blogged. Millions of readers must be disappointed. It's been beautiful weather here the last few days; the rains have stopped, the sun is out. Oh, and I built a step.

    A couple of Microsoft things that might interest you:

    The Beta 2 version of Internet Explorer 7 has been posted: http://www.microsoft.com/windows/ie/default.mspx. Feel free to check it out.

    And, some of my work is going public. One of the teams I work with, System Integrity, has started a BitLocker team blog. You can read our insights at: http://blogs.technet.com/bitlocker.

    12/22/2005

    Are you brave enough to be a beta tester?

    One of the cool things about my job is that every once in a while I get to give something away. I've recently got word that I can nominate a small number of people into the Windows Vista Beta program. (Perhaps you've heard of Vista? It's kind of the all-encompassing 800-pound gorilla at work right now.) You may also know that Vista is a closed beta at this stage (although it will open up in the future, I'm sure).
     

     

    But there's an unusual catch... the testing program is looking for novice or home users. So if you're an ITPro, hang in there, but this offer's not for you. The program includes full support from our PSS group. Now, I don't know exactly how many people can get in, and I don't know how quickly the program will fill up.

    You also should realize that Vista is going to require a fairly modern computer, and, like all pre-release or beta software, this will occasionally misbehave and could potentially even corrupt data. So, although we are looking for novice users, if you get easily frustrated or flustered by software, you might want to pass. On the other hand, Vista is really cool.

    This is a friends-and-family program, so my nominations would go first (obviously) to my friends and family (who I figure are about the only ones who read my blog). Drop me a note by email if you're interested.

    (This blog posting is provided as is, and conveys no rights. No one's acceptance is guaranteed, and the offer can be closed at any time.)

     
    12/15/2005

    Got a gigabyte or more of memory? Get this fix.

    For a long time, when asked for an example of bad error messages, I've quoted "Insufficient System Resources Exist to Complete the API". -- Which resources? How many do you need? I have flippin' gigabytes of memory and oodles of disk space... what's the problem? Oh, and by the way, which API? 
     
    Now, my loyal reader, you either know *exactly* what I am talking about, or you have never heard of it. The first group has a laptop or tablet with a large amount of memory and tries to hibernate... often unsuccessfully. I'm pleased to be able to tell you that the problem is fixed!  
     
    Microsoft has released a supported hotfix and a KB article, which you can find here: http://support.microsoft.com/?kbid=909095
     
    I was fortunate enough to be in the pre-release test group for the fix, and I have not had a failed hibernation since installing the hotfix. It seems very stable, and I recommend it.

    10/13/2005

    How to boot from a USB memory stick

    We've been having a lot of discussion at work lately about how to boot our laptops when we don't want to boot into Windows. You see, most modern portables (especially tablets) don't have floppy drives -- and why would they? Talk about a technology whose time has gone!  (My Toshiba M4 doesn't have legacy COM ports, either).
      
    You can purchase an external USB floppy drive, plug it in, and boot from it. But that's awfully inconvenient. It would be a purchase never used but once a year. So, why not boot from a USB memory stick (sometimes called a "pen drive" or "USB key")? I have one that will let me boot any computer into Windows 98 DOS mode, Windows from any partition on the hard disk, the Windows XP recovery console, or the "Ultimate Boot CD for Windows".
      
    Setting up some of those options is complicated, and if there's enough interest, I'll write them up too. But the basic "boot like a floppy" is pretty simple. Here's what you need:
      
    1. Determine that your computer can boot from a USB device. 
       
      The smarter computers allow you to set the BIOS to look for a USB device first, then check the other options. My Dell Desktop does this. My Toshiba M4 does this and also allows you to use the cursor keys to select the boot device at each startup. My HP TC1100 tablet is not a “smarter computer” and it does not allow you to select to boot from the USB unless the USB is present. (Which means you have to change the order in the BIOS every time you boot with the USB, if it’s been booted without the USB in between.) Check your manual or explore your BIOS.
       
      USB floppy drives are usually seen differently than USB “sticks” and USB external hard drives. USB memory sticks (aka “pen drives”) usually present to the system as a Hard Drive, so use hard drive tools to deal with them. (CDs use a different file system, so when we want to create a “bootable cd image on a pen drive” it’s not as easy as you’d think.)
       
    2. See if you can already boot from your pen drive. Some pen drives may come with this functionality; none of mine did. So we need to totally wipe the MBR and format the USB disk to be bootable.
       
    3.  The easiest way* I’ve found to do that is with the HP USB Disk Storage Format Utility (aka “DriveKey”). Works fine on the non-HP pen drives I’ve tried it with, but I can’t speak to your licensing arrangement if you don’t have any “HP hardware” (I figure the HP TC1100 was expensive enough that running the software on it meets that requirement.)
      • Download softpaq sp27213.exe from http://h18007.www1.hp.com/support/files/compaqbusinesspcs/us/download/20306.html
         
      •  The utility will expect you to provide a location of DOS bootable files. Where to find those in these days of Vista and floppy-less laptops? They are actually packaged in the executable from HP, but the option to use them is grayed out. (Maybe they aren’t grayed out if some HP magic is present, but I always install from clean images, so who knows.) Perhaps you can extract those files and then point the DriveKey utility to them, but you can use any valid bootable DOS set (so if you want DOS 6.22 or DOS 3.1, go wild).

    You should now be able to boot from a USB device into a DOS session. That may be all you need – for example to run Ghost or something. Use the pen drive as a giant floppy.
     
    Leave a comment and let me know if this worked for you -- if it helped you or not.
     
    *You don’t have to use this utility. After extensive searching, I have determined that everyone who does this uses this utility. You can instead use any number of complicated, arcane, or out of date tools, or use Microsoft’s own DiskProbe to edit the sectors manually. If you have access to Windows Embedded, the bootprep tool would do nicely.
     
    9/21/2005

    Shared Computer Toolkit Releases

    Microsoft Shared Computer Toolkit for Windows XP
     
    As you may recall, I spent a lot of time working with non-profits, schools, really small businesses and such. When I saw a beta of the Shared Computer Toolkit a few months ago, I was quite excited. This toolkit allows you to secure the kind of computers found in a lot of those environments -- and gives a more consistent user experience while removing headaches from administrators. It's also a useful way to configure a computer for high-risk internet use (where you want to protect your workstation from spyware, viruses and other nasties), because you can discard any changes (almost like VPC without the "V").
     
     
    9/1/2005

    Why MSN is *not* my default home page

    Does anyone else find it annoying that the default home page for Windows XP (www.msn.com) steals the input from the active control and sticks it in that annoying search box?
     
    I often open a new instance of IE to go to a specific site. I launch IE from the desktop or quick launch bar, and then start typing my desired URL in the address bar. At the same time, the MSN page is loading. Once MSN is rendered, it has some script somewhere that steals focus and puts the cursor in the MSN search input box.
     
    The result is that my URL doesn't get typed in the address box, and even what makes it into the search box is incomplete, and therefore useless.
     
    Stealing focus should be totally forbidden, IMO.
     
    This behavior is annoying enough to guarantee that MSN isn't my home page. It's one of the first defaults I change.

    5/2/2005

    ABE in Windows Server 2003

    In a meeting last week, I was asked what I thought was an "exciting" improvement in Windows Server 2003 Service Pack 1 (WS2003 SP1). I responded that I really liked Access Based Enumeration, and when asked, elaborated that it reduced confusion and support calls from my clients, because non-technical managers no longer asked why staff had access to things that they shouldn't.

    In reality, these staff never had permissions to the wrong resources, but the folders would show up unless they were split off into separate shares, the maintaining of which was a lot of extra overhead.

    Of course, nothing is free anymore. It does take a resource hit to enable ABE, so in some environments (especially large ones), that may be an unacceptable consequence. In my opinion, users in most small and medium businesses will not notice the effect.

    You can download the overview document in Word from http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx, and since April 8, you can also download both a GUI and a command-line tool to manage it, from http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en.

    4/18/2005

    How to add printers for all users of a machine

    I just saw a question in a private forum from someone who wants to add a printer for all users of a computer, based on the OU structure that contains the computer account. The commands he was trying to use worked when run as a logged-on user, but not when put in a startup script. Here's how we do it:

    We create a start-up script and assign it in a GPO linked to the OU that contains the computers we want to affect.

    Then, to add a new printer, we include this command:

    rundll32.exe printui.dll,PrintUIEntry /ga /n\\PrintServerName\FrontDeskHP

    Where PrintServerName is the name of the server sharing the printer, and in this case, FrontDeskHP is the name of the printer share. You can use FQDNs or NetBIOS names, as long as the computer running the script can resolve them. If you have removed Authenticated Users from the permissions for the shared printer, you may have to grant permissions for the computer account. (Remember the security context in which startup scripts run.)

    Deleting an obsoleted printer is also pretty easy:

    rundll32.exe printui.dll,PrintUIEntry /gd /n\\PrintServer\StaffRmHP

    However, this will result in a pop-up error on the computer if the printer doesn't exist (that is, every time except the first that this script runs). To avoid this, we actually ADD the obsoleted printer, then delete it again, like this:

    rundll32.exe printui.dll,PrintUIEntry /ga /n\\PrintServer\304CW
    rundll32.exe printui.dll,PrintUIEntry /gd /n\\PrintServer\304CW

    Although it shouldn't really be necessary (famous last words!), we want to make sure that the OS sees all of the changes before the user opens Printers and Faxes or prints from an application, so at the end of the script, we bounce the spooler service (the client workstation's spooler, not the server's!).

    start /wait sc stop spooler
    start /wait sc start spooler

    Printers added this way appear for all users. No errors or problems if you try to add them twice, no need to deal with the oddities of the WScript.Network object.

    That's all there is to it. Clean and simple. We've done it this way for nearly two years now, and it's working great. You can make it more advanced by having one script (instead of one per OU) and having the script use logic to determine which printers to connect.

    (Our servers are Windows Server 2003, our client workstations are all Windows XP SP2, not tested on anything before Windows XP).

    If you need to add printer drivers first, or configure ports, or other less common steps, then there are additional suggestions in these Microsoft KB articles: http://support.microsoft.com/default.aspx?scid=kb;en-us;189105 and http://support.microsoft.com/default.aspx?scid=kb;EN-US;q314486 

    Leave a comment if it works (or doesn't) for you.
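
The single-script variant suggested above, as an added example that is not part of the original post: a PowerShell machine startup script that picks printers from the OU in the computer's distinguished name. It assumes PowerShell is available on the client (it was not part of the Windows XP SP2 setup described here); the OU names and the lookup table are hypothetical, and the printer paths are the sample names used in the post.

```powershell
# Added example: machine startup script. It runs as Local System, so it reaches
# the print server as the computer account. OU names below are constructed.

# Hypothetical map of OU components to per-machine printer connections.
$PrintersByOu = @{
    'OU=FrontDesk' = @('\\PrintServerName\FrontDeskHP')
    'OU=StaffRoom' = @('\\PrintServer\StaffRmHP')
}
# Connections to retire on every computer that runs this script.
$Obsolete = @('\\PrintServer\304CW')

function Get-ComputerDn {
    # ADSystemInfo exposes the DN of the local computer account; from
    # PowerShell its properties have to be read through InvokeMember.
    $info = New-Object -ComObject ADSystemInfo
    $info.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $info, $null)
}

function Select-Printers {
    param([string]$ComputerDn, [hashtable]$Map)
    # Compare whole DN components so 'OU=Staff' never matches 'OU=StaffRoom'.
    $parts = $ComputerDn -split '(?<!\\),'
    foreach ($ou in $Map.Keys) {
        if ($parts -contains $ou) { $Map[$ou] }
    }
}

function Invoke-PrintUi {
    param([string]$Action, [string]$Unc)
    # Accept only \\server\share (no spaces) so a bad table entry cannot
    # smuggle extra arguments onto the rundll32 command line.
    if ($Unc -notmatch '^\\\\[\w.-]+\\[\w$.-]+$') {
        Write-Warning "Skipping malformed printer path: $Unc"
        return
    }
    # Full path to rundll32 so the script does not depend on the search path.
    Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
        -ArgumentList "printui.dll,PrintUIEntry $Action /n$Unc" -Wait
}

$dn = Get-ComputerDn
foreach ($p in Select-Printers -ComputerDn $dn -Map $PrintersByOu) {
    Invoke-PrintUi -Action '/ga' -Unc $p
}
foreach ($p in $Obsolete) {
    # Same add-then-delete sequence as in the post, so /gd never runs
    # against a connection that does not exist.
    Invoke-PrintUi -Action '/ga' -Unc $p
    Invoke-PrintUi -Action '/gd' -Unc $p
}
# Bounce the local spooler so the changes are visible before anyone logs on.
Restart-Service -Name Spooler -Force
```

Because the script runs in the machine's security context, the lookup table should live in the script itself or in a location only administrators can write to.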

    4/11/2005

    Spam discussed in Scientific American

    This article was recently published by Scientific American, and discusses some of the challenges and successes of anti-spam approaches. Read it first, then see where the authors work.
     
    4/10/2005

    Media Center: Self-Cleaning oven edition.

    I have a Windows XP Media Center Edition PC, which I just love. It was built as an OEM, using a Shuttle PC because they are much quieter (although not silent).

    So, when I came back from my last trip, my wife told me that it wouldn’t turn on. Turns out that the BIOS was confused, and it was simply waiting for the “F1 to continue”, (DOS screens don’t appear properly on our ancient TV). Got that straightened out and found this annoying problem… during playback of recorded files, the audio was broken up and choppy. Didn’t affect DVDs or VOB files. Didn’t affect live TV. Just playback of recorded dvr-ms files.

    I even went so far as to copy a dvr-ms file off to another computer, and verified that the files were encoded (recorded) properly. So, what sort of odd codec or audio driver or DirectX or MPEG-2 issue could I be having? I helped my hair recede. I rolled back with system restore. I removed drivers. I reinstalled drivers. I Windows-Updated and Auto-Updated. I undid updates. Nothing.

    So, finally, what’s left – reinstall the OS. A pain, no doubt, but it would be the fastest way to get my DVR back. Before reinstalling, I copy all of our stored video (like our camcorder footage) to one of the servers. This takes 5 hours. I don’t have time to start the reinstall before this weekend’s snowmobile trip, so I figure I’ll get to it next week.

    I get home from the trip (more on that later), and there is nothing on TV here on Sunday night. In desperation, I figure I’ll consider watching something recorded and put up with the jumpy audio. Well, lo and behold: it works fine. The same files that were crappy last week are perfect now.

    So, I go on one trip, and it stops working. I go on another and it fixes itself. I’ve decided to be happy it's fixed, not bewildered about why.

    4/4/2005

    Tablet PC News

    I own a Tablet PC. I have the HP (aka Compaq) TC1100. Although I was hesitant about buying it, I love it. I don't actually use the pen-and-ink feature a lot, but I do love the form factor, the fact that I can take the keyboard off (great for reading documents on the plane), and that I can impress all of my friends. :)

    Recently, the 1,000,000th tablet PC shipped. Tablet PCs aren't always regarded as a big success story (although I see more and more of them), but getting a million people to buy anything is still a pretty big deal.

    There's a new freebie for all of us Tablet PC users: the Tablet PC Experience Pack at http://www.microsoft.com/windowsxp/downloads/tabletpc/experiencepack/default.mspx. Some of the items in the experience pack used to be Power Toys (or were based on them), and some of them, you certainly won't use every day; but well worth the time to download.

    4/2/2005

    A "Gotcha" with Exchange Server 2003 and SCW

    One of the most promising features in Windows Server 2003 Service Pack 1 is the Security Configuration Wizard (SCW), which can help you automatically lock down servers depending on the roles they play in your network.

    One of the roles that SCW knows about is Exchange Server 2003. Unless, of course, you would (gasp!) install Exchange to the non-default path. While this is not a very complicated thing to fix, and it's documented well in KB article 896742, it seems to me that this kind of defeats the purpose of having an automated tool. The KB states "The Windows Server 2003 SP1 Security Configuration Wizard assumes that you installed Exchange 2003 by using the default installation path. The wizard does not automatically detect the paths of service .exe files."

    Disk provisioning is one of the most important things a designer does when setting up an Exchange environment: for performance, for adequate storage, for recoverability. As a result, almost all the Exchange implementations that I know about make sure to specify exactly what paths are used during the Exchange install. Seems to me that to depend on a default (hard-coded?) path to use the SCW is somewhat sub-optimal.

    So, for a lot of people, the first thing SCW will do is break Exchange in their organization. If this has happened to you, the fixes are in the KB and fairly simple.

    3/31/2005

    Windows Server 2003 - SP1 Now Available

    For the one person who gets their news here first... :)

    Windows Server 2003 Service Pack 1 is now available at http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en. (Or http://tinyurl.com/7xtlu) This SP brings a lot of the advantages found in XP SP2 to the server platform.

    While I often go ahead and apply updates to workstations without a whole lot of testing, it's a bit different with a production server. I would suggest you apply the Service Pack in a test lab or at least a Virtual PC (VPC) or Virtual Server (VS) environment, and thoroughly read the release notes.

    Cheers!

    3/21/2005

    Windows XP SP2 -- Soon "unblocked"

    If you configured your networks to block the automatic download of Windows XP SP2 from Windows Update, your time to prepare is almost up. Microsoft has been sending emails this weekend reminding people that April 12 is the magic date when WU/AU will no longer block the automatic distribution of SP2.

    Personally, I deployed SP2 as soon as I could, but I liked to have control over the bandwidth and timing, rather than just have it happen during the regular automatic updates cycle.

    You can read about the SP2 blocking at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx

    2/24/2005

    Outlook Oddity

    Ever been stumped by what really seems like a simple helpdesk call?

    Solved an issue for a client yesterday; an issue that had us pulling our hair out to discover what was happening. On one particular workstation, people claimed that e-mail was taking "days" to get delivered. In one example, a message sent by someone on their last work shift on February 10 wasn’t delivered until after they came to work again on February 18.

    The workstation is shared among several workers in a 24x7 facility. Since Outlook 2003 runs in cached mode, the first thought was that Outlook had been set to work offline, but no, that wasn't it. We checked all of the settings, making sure Outlook was set to deliver immediately while online. Of course, when a technician or I was standing over the computer (or connected by Remote Assistance) everything worked flawlessly.

    Then one of the managers mentioned that it seemed to be messages with attachments that were most often delayed. Finally after hours of troubleshooting to nowhere, one of the managers and I went over to walk through all of the steps while logged on as an ordinary worker.

    Turns out that the problem needed to be solved by a change in procedure, not a change in technology. The staff would prepare a report from a template in Word, and then send it using Word's Send > As Attachment command. Trouble was, they were consistently doing this after they had already shut down Outlook (often the reports were finalized right at the end of their shift). Word would obediently place the item in the user's Outbox, but only in Outlook's local cache (the .ost file), where it would sit until the next time the user started Outlook – potentially hours or days later.

    Once we found the real issue, we considered resetting all the profiles to use online mode only, but decided against it for three reasons:

    • Having to touch dozens of existing profiles
    • More complexity in explaining to entry-level users; and,
    • The loss of Junk E-mail processing in Outlook.

    Simple fix: leave Outlook running when sending reports from Word.

    2/2/2005

    Exchange IMF Update

    Many of you have heard me speak about Spam. If you are a pure Microsoft Exchange shop you probably rely heavily on the SmartScreen technology in the Exchange Intelligent Message Filter -- and you've probably also noticed a recent increase in Spam. An update to IMF was just released, so you would want to apply that to all of your Exchange servers that receive incoming SMTP mail. (Oh, and make sure you've turned on tarpitting and inbound recipient directory filtering while you're there.)

    The update is here.

    1/31/2005

    Force UG Cache Update

    Question from the WS2003 Customer on-site in Sacramento last week: "Can you force the Universal Groups to be updated if you are using Universal Group Caching on your DCs?" Well, I didn't think so, but I have since learned otherwise. Thanks to David Elfassy, who shows how easy scripting can be.

    David's script is here.