Re: Multiple Questions

From: Adrian Marsh (hidden_at_somewhere.com)
Date: 07/24/04 

Date: Sat, 24 Jul 2004 15:49:33 +0100
Paul,

Many thanks for taking the time to answer. I appreciate it was a long read, but I was on a flow....  I've given some more details below in Red.

ptwilliams wrote: 
I've answered in-line...

"Adrian Marsh" <hidden@somewhere.com> wrote in message
news:u9m3nQYcEHA.644@tk2msftngp13.phx.gbl...
Hi,

Sorry for the cross-post, but I've a bunch of questions covering a range
of topics. I've posted some of these independantly to seperate groups in
the past, but haven't had answers to some (and I didn't understand the
others...)  Hope you can help...

Setup:  test network at present, Currently 1 W2K AS DC/DNS/DHCP.  W2K
Pro/XP only clients.  Real network will be only 1/2 user ids spread over
about 50-60 clients, one domain.

1) Script Replication -  Do the W2K Login scripts in Group Policies get
automatically synced across DCs ?  I know NT4 didn't.

Yes, if they're in the SYSVOL they'll get replicated.
Ta.
2) Admin of local Clients - I've a Domain "Lab", under that I've the
standard Container for Builtin, and a labadmin user defined. Then theres
a test OU, with its own test\testlaptop1,2,3 computers and test\testuser
user.

I want the testuser user to be local Administrator of the testlaptops
themselves, but not of the Domain or test OU itself. If I make
test\testuser part of the Lab\Builtin\Administrator group then won't
they be "admins" of the whole Domain?? How can I do what I want here ?
I think the answer is something to do with Restricted groups, but
haven't quite got the concept..

You are correct: adding to the (domain) local administrators group is giving
them administrative rights across all DCs.  What you'll need to do is
configure the restricted groups part of a GPO.  Adding users into the
Administrators via this will add them to the local administrators group on
all domain members.
Could you give a summary on the Restrited usage?  Do I add the user to the Lab\Builtin\Administrator group, and then put the Administrator group in the restictions or something?  Wouldn't that then affect ALL Admin users in that OU?? Rather than just the testuser id.

3) Login scripts -  I've a bunch of various apps I need installed on
each testlaptop, everything from Office 2k to mcafee to DrTcpIp. I've
written some .bat login scripts that will do the job of installing,
logging and uninstalling/running the setup.exe, etc. But I'm wondering
if its worth my while trying to put these into .zap scripts. I don't
have any 95/98/NT4 clients, 2000 and XP only.  Opinions??
BTW: When do .msi/.zap installations run - at login only ??

If the apps are already .msi files deploy them via GPO.  .zap is another
good way of doing this.  When you deploy apps using GPOs you have a few
options: publish to a user, assign to a user and assign to a computer.

Publishing to a user means that a user goes into add/ remove and the add
programs part and any published apps will show up in here.  The user
selectes the app he/ she wants and it gets installed using a set of elevated
credentials

Assigning to a user will install the app upon logon.  Note.  If the user
logs onto multiple computers the app will be installed on each computer.

Assigning to a computer will deploy when gpo is applied before the winlogon
screen.
Using "assign to computer ", what happens if there are prompts in the setup - "Press Ok to continue.. "etc?

And for Assign to user, does that mean that - for example - Office 2K would get installed twice if two users login to the same PC ??
 

4) Start vs CMD - My initial script will be "hidden" so that I can
guarantee the sub-scripts run.   My Logon scripts execute Start "with
params" to install the above apps, actually running another .bat script
first. This leaves the CMD window open at a prompt (because Start calls
CMD with a /K option). If I put an "exit" at the end of the Start'ed
.bat script then the window closes in error (I hear a beep when Login
finishes). I want my master login script to kick off "about to
install..." messages windows before kicking off the actual setup.exe
runs- whats the best method?  I can live with the beeps, but I must be
missing something...

Yes, there's a way of hiding the windows, but I don't know it...somebody
else will have to answer that ;-)
Ta anyway.
5) Protected Windows - When the above .bat scripts are running, I see
that they can actually be "closed" by the user, prior to completion. Any
way of disabling the "close window" buttons during Logon ?

See above answer.


6) Disable local PC logins - I'd like to disable the ability to login
locally on a client PC, except with a Domain ID, but I think that'l
conflict with 2) above where users have admin rights. Once a PCs added
to the domain I'd like to remove the "testlaptopX" from the drop down
Domain selection list at the login prompt.  If I can't do that, then I
need a way of automatically removing all logins except the Administrator
login, and then a way of changing the Administrator login password.

If you want to stop users logging on using local accounts either disable or
delete the local accounts.

I don't think you can remove anything from that drop-down list.  The best
thing is to uncheck the options button so that the users cannot see that by
default.
Ok - do you know any tools/commands for removing accounts from scripts or remotely??

7) Midnight scripts - Most of the PCs in the domain will remain logged
on. I'd like to have each PC run a script at midnight to check for
updated s/w installs. I've experimented with Scheduled tasks, but hit
authentication issues. Can AD help with this??

I don't understand what you mean here.  Can you elaborate please?  What kind
of s/w installs, and what kind of authentication issues?
Ok - some more detail -  If I install apps via logon scripts, and the user never logs off, then that PC may not get the patches I need to install. So I thought the best way around that was to have the PC run a standard "re-fresh"ing script each day. Then I can put into that script any updates.

When I tried to do this, I tried to put the Scheduled Task in via "reg" update commands within the Login scripts. But in 2000/XP you have to also specify a user/password in the Scheduled Task. And thats where I hit a problem as I couldn't enter the user/password as part of the script.  Is there an AD way of doing this??
8) Auto lock - Whats the GPO for having the PC auto-lock after xx
minutes?? - buggered if I can find it.

It's the screen saver time out and password protect screen saver options:

\User Configuration\ Administrative Templates\ Control Panel\ Display\
Password protect the screen saver
\User Configuration\ Administrative Templates\ Control Panel\ Display\
Screen Saver timeout
Ta.
9) Timezone - I've got the SNTP working, and I've put a net time /domain
/set /y command in the login scripts, but I can't figure out how to
force the clients to use a specific timezone - any advice ??

There's no need to do that in the logon scripts.  Windows Time (w32time.exe)
automatically keeps your time synchronised.  Only configure the forest root
domain PDCe to synchronise time with another source.

Timezone's are regional options.  Either configure upon building the PC, or
have a look through the GPO.
Any idea where? I've looked but can't find it.
10) SUS Reboots - I've got SUS services and Autoinstall running. I can't
have the PCs auto-reboot straight after install, only when users aren't
doing critical work, so it'll pop-up with the "should reboot to
continue..." message at present.  Is there any way of seeing which PCs
have been rebooted after install?? Or forcing a reboot if, say, that PC
hasn't been rebooted within 7 days after install.  I'll be logging
within the Login scripts so I could tell manually which PCs have been
rebooted, but is there a way of automating it?

Here's a good place to have a look: www.susserver.com


11) SUS Reboots 2 - Within SUS, does the white-paper says the above
no-reboot settings apply when a user is logged in. Does that mean that
when a PC is left at the login screen that it will auto-reboot anyway??

No, I believe if you set it to not reboot it doesn't - period.


12) Finally - I'm trying to figure out which is the best starting point
for Microsoft training courses.  I'm reading books, online, etc on AD,
DNS and DHCP, but when i try to see what course/certificate to try and
start with I get lost...  MVP vs MSFT... and can anyone recommend a good
company for this in the UK?

An MVP isn't a certification as such.  You cannot sit an exam and get it.
MS simply awards you one for being a real expert and helping people in these
newsgroups and public forums, etc.

Microsoft certifications are MCP, MCSA and MCSE for administrators (there's
also DBS and Developer ones).  If you are planning on becoming an MCSA/E
then you will need to buy the books, read the books, work in an environment
that uses this technology, setup labs, and work very hard.  Choose what you
want and then have a look at www.microsoft.com/learning for more info.

I'm currently heading towards both my MCSA and MCSE in Win2000.  I then plan
to upgrade this to 2003.  Some of my collegues who are NT4 MCSEs are simply
going for the 2003 certs as we've got a lot of work coming up with 2003...

As for courses, there are loads.  I would use www.google.co.uk to try and
pin down what you want.  Prices are usually fixed at a certain price and
then go up and up.  You can barter these prices ;-)


Ok, thats all I can think of.  Come on you MVPs and MSFTs... see if you
can meet the challenge...

Ta v. much.
Adrian

Maybe next time, you could try and post several different questions, eh??
;-)

I hope I've helped in some way, as that took ages to work through!!!
Your a star!