Blog of the Bao-‘dad’ Tree

Reaching out   –   Giving back   –   Looking inward   –   Paying forward 

Windows 2000: How to restrict internet access to certain users using Group Policy

In Active Directory on your domain server, create a new Organizational Unit (OU) called 'Restricted Users' or something like that.

Now right-click on your new OU, and select 'Properties.'  Click on the 'Group Policy' tab.  Create a new group policy called "No Internet" or something.

Edit the settings for this policy (make sure they meet or exceed the security level of the other existing group policies in your domain).

Under 'User Configuration' > 'Internet Explorer Maintenance' > 'Connection', set the Proxy Settings to some non-existent IP address and port.

Now you can move certain users over to the new restricted OU by right-clicking on the user and choosing 'Move...'  Any user belonging to this OU will have these proxy settings loaded by default when they log in and will not be able to use standard Windows methods to connect to the internet (IE, Outlook Express, etc.).

Of course, there are workarounds for this.  It's not hack-proof, but it may be better than nothing in your organization.  The policy only changes the Internet Explorer proxy settings, so it only stops programs that use those settings.  For instance, if the workstation that the restricted user logs on to has Firefox or some other browser/email client installed, they will be able to access the internet.  So you must also restrict those users from being able to install software and/or run existing non-Microsoft internal applications.


Changing/wiring a plug

I've had to look this up enough times that I thought I'd blog about it so it'll be easy for me to find next time I need to look it up.

When wiring a standard electrical plug–

  • The white wire goes on the silver terminal, which in turn goes to the wider of the two prongs on a polarized plug.  The white wire is the neutral wire.
  • The black (hot) wire goes to the brass colored terminal, which goes to the narrower of the two prongs.

Source: http://www.ehow.com/how_117563_fix-electrical-plug.html


Saving Win2K disk image using Partimage and CIFS

At work I've got this computer set up with Windows 2000 and Office XP just like I like it.  Now I want to "image" the hard drive so that later on if anything happens I can just restore the image to this computer (with all the drivers and updates and everything) and it will be just like it is now.

I've done this before.  I use a great free Linux program called Partimage.  This can be found in the Knoppix distro, but recently I've been using System Rescue CD.  I shut down the computer and booted from System Rescue CD ver. 1.1.4 using the "dodhcp" option so it would connect to my network.

Then, to make the disk image smaller, I wanted to delete the Windows paging file (pagefile.sys) before I made the image.  To do this, I first needed to mount my Windows partition.  From System Rescue CD Linux command prompt, I typed:

mount -t ntfs-3g /dev/sda1 /mnt/windows

then just   cd /mnt/windows   and    rm pagefile.sys

Next, I had to mount a shared folder from my Windows 2000 domain to save the disk image to.  Usually, I have been doing this using smbfs, but when I did this the other day, the new Linux kernel told me smbfs is deprecated and to use cifs now instead.  Here's how I used to do it with smbfs:

mount -t smbfs -o lfs,username=administrator //machinename/sharename /mnt/smb

but this time I did it with cifs:

mount -t cifs -o username=administrator //machinename/sharename /mnt/smb

When I ran Partimage, I kept getting this error "Cannot create temp file" "no space left on device" from Partimage.  I couldn't believe that I had run out of space at first.  So I went back and tried to unmount the cifs share, but I got an "Unable to umount, device is busy" error.  I tried googling around for a solution, and finally found this page.  I needed to do a "lazy" unmount:

umount -l /mnt/smb   (I'm very thankful for this tip!)

After further research, I found that the device I was trying to save the image to actually _was_ full, and after deleting some files, partimage worked just fine.  What's more, cifs is significantly faster than smbfs!
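
An added example, not part of the original post: a pre-flight check for the two failures described above, a target that is full (or not actually mounted) and a share that refuses to unmount. The paths follow the post; the function names are made up for this example, and it assumes mount points without spaces in their names.

```shell
#!/bin/sh
# Pre-flight checks before saving a Partimage image to a mounted share.
# Function names are hypothetical; /mnt/windows and /mnt/smb follow the post.

# Fields are counted from the end of the df line so a share name containing
# spaces does not shift them (assumes the mount point itself has no spaces).
used_kb() { df -Pk "$1" | awk 'NR == 2 { print $(NF - 3) }'; }
free_kb() { df -Pk "$1" | awk 'NR == 2 { print $(NF - 2) }'; }

# True only if directory $1 is itself where a filesystem is mounted.
is_mount_point() {
    [ "$(df -P "$1" | awk 'NR == 2 { print $NF }')" = "$1" ]
}

# True if the filesystem holding $1 has at least $2 KB free.
has_room() { [ "$(free_kb "$1")" -ge "$2" ]; }

# List the processes that keep a mount busy (fuser is from psmisc); closing
# them, or cd-ing out of the share, lets a normal umount succeed.
who_holds() { fuser -vm "$1"; }

# preflight SRC DST: returns 0 if DST can take an image of SRC,
# 1 if DST is too full, 2 if DST is not a mounted filesystem.
preflight() {
    src=$1
    dst=$2
    if ! is_mount_point "$dst"; then
        echo "$dst is not a mount point; the image would land on the live system's own filesystem" >&2
        return 2
    fi
    # Partimage copies only used blocks, so used space bounds the image size.
    need=$(used_kb "$src")
    if ! has_room "$dst" "$need"; then
        echo "$dst has $(free_kb "$dst") KB free, image needs up to $need KB" >&2
        return 1
    fi
    echo "ok: $(free_kb "$dst") KB free on $dst, up to $need KB needed"
}

# Run as: sh preflight.sh /mnt/windows /mnt/smb
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

If umount still reports the share as busy, `who_holds /mnt/smb` shows which processes (often a shell whose current directory is inside the share) are holding it.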


Windows 2000 reporting incorrect drive capacity

At work I restored a disk image I had saved from a previous Windows 2000 install onto a Dell Optiplex GX260.  Except I saved the image from a 20GB drive, and restored it onto a 40GB drive.  (Disk images saved and restored using Partimage.)  After I restored the image, Windows showed the C: drive as having a capacity of 20GB, but I knew it was more than that.  Here's what I tried:

  1. Ran chkdsk C: /f  which needs to be done after a restart.  No change.
  2. Updated the BIOS, and checked the drive capacity there.  It reported the drive capacity correctly.  No joy.
  3. Opened a recovery console using the Windows 2000 install CD and ran fixmbr.  But even when the drive capacity was correct in the MBR, still Windows reported it as only a 20GB drive...
  4. Ran GParted off System Rescue CD 1.1.4.  The partition showed as the correct size there.  However, I noticed GParted had a "Check and repair" option, which I ran on the primary partition.  This finally did the trick!


Pain

I believe that pain forces people into one of two attitudes:

It can humble us and enlarge our compassion for others, whose pain we had not previously comprehended.

Or it can lead to bitterness, self-pity, envy, and the seeking for company in misery.

Christ is the example of the first.  Lucifer is the example of the second.

See Alma 62:41.


Enable File & Folder Properties 'Security' Tab in Windows XP Home

Update: This trick enables the display of pro security options in XP Home, but I'm not sure the permissions are actually valid...

If Microsoft ever found out about this, I'm sure they would "have a cow," as we used to say. Here is a simple patch (brilliant, really) that is small, harmless, and reversible, and that immediately and effectively enables the 'Security' tab in Windows XP Home to make it like XP Pro.

http://www.rt-sw.de/en/freeware/freeware.html

Scroll to the bottom and download "Security for files and folders."


Windows 2000 Server Display Problems

When I uninstalled PCanywhere from our Windows 2000 Server (Dell Poweredge 2600 Tower) at work, my display adapter stopped working (i.e. I could only display in 16 colors and at limited resolution).

My first attempt at troubleshooting was to buy a PCI video card and install it, but that still didn't work. Whether it was the onboard video, or the new video card, it kept giving me "Code 31" errors when I clicked the device properties in the device manager.

I kept hunting around on the web, and this is what finally led me to a solution:

http://support.microsoft.com/kb/270008

Even though this link is about CD-ROM devices, the problem was the same for me and my display adapter trouble. In the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}] there was an entry called "UpperFilters" that was set to "aw_host." It turns out this was left over from PCanywhere (found that out by Googling "aw_host.") I deleted that registry entry, and now my video works again! (high color, higher resolution display settings work now.)

I haven't tried the regular on-board video, but it probably still works too.
