OMG, M$ does something right

[altivo]

Converting those Dell GX280 machines over for new staff users here. As I mentioned before, two of the three got restored to the original Windows XP that came with them, then patched up to current SP2 levels. Both the destined users were on older P3 machines with Windows 98SE. I was not looking forward to trying to gather up their files and bookmarks and such to transfer them to the new machine.

Ta-da! Files and Settings Transfer Wizard. A thing from Microsoft and it actually worked. I don't believe it. Sucked both of their settings and many files right over the network from their old machines to the new. The only major thing it missed was Thunderbird e-mail folders, but fortunately neither of them is big on saving old e-mail and I may not have to frog around with that.

On the other hand, a Microsoft irritation. Security levels for XP machines that are members of a domain are a pain in the you know what. The domain appears to override the user's local security on their own machine, so severely that one application was unable to print and required registry tweaking to make it work. Grrr. This is probably a legacy of the tech consultants and I'm going to have to dig into those Win2K servers to find out why it is set this way. Ugh. (We had no staff using XP until now, so only public machines were affected by whatever they did.)

Oh, and VMWare is slick, once you get it installed. I now have Win98 running in a box under my Slackware 10 at home. Both machines are pretty much oblivious to each other. And unlike wine, the applications don't know they aren't on a real Windows box. I hope I can do the same at work with XP under Slackware.

Comments

[corelog.livejournal.com]

That's odd. We never had the domain security override the local security settings on our domain at HSBC. Maybe it's a setting on the domain controller.

[altivo.livejournal.com]

I'm sure it is at the domain controller. Probably something about defaults for new or "untrusted" machines or something. Ugh. Now I'm going to have to go study yet another ghastly Microsoft thing.

[niko-winterset.livejournal.com]

*headtilts* Perhaps add their username to the Domain and grant them admin or elevated security permissions on the Domain and not on the local machine? Our users never had security settings on their local machines, all permissions were granted from the server.

Have you checked your security settings on the printers?

[altivo.livejournal.com]

It's not the printer itself that's an issue. User can print a test page or a plain document. But the printer is actually used for pin-feed labels, so the application has to set parameters like form length and such. While she was running Win98, there was no issue. The printer isn't even on a server queue, it's a JetDirect and she writes to it using a TCP/IP port. But the domain is apparently insisting that the PowerUser doesn't have enough clout to set print parameters. It's dumb.

I'd rather set all security locally anyway. Domain is meaningless for us in our setting, with only a handful of machines. Probably I should have left the XP machines as workgroup rather than joining them to the domain, but I didn't realize it had been meddled with to this extent.

[niko-winterset.livejournal.com]

Just take them off the domain then and set them back to workgroup.

But anyway, with only a little info and not sitting there with you it would be hard to diagnose exactly what is going on or how to solve it.

[altivo.livejournal.com]

Policy files, I think. I've been referring to "security" but that's not exactly correct. I've used policies before with NT and Win98, but they appear to be much more sophisticated now.

[niko-winterset.livejournal.com]

Not ringing a bell. Names may have changed with the switch to 2000 or XP. Still I would check your security setting on the printers, could be that your users only have limited permissons to them and can only print, not configure variables from their workstations. Do your users have admin rights on their pc's?

Sent you the pics as well. Look for an email from nikolai_winterset.

[altivo.livejournal.com]

Got your e-mail, thanks. Yes, the users are set as administrator on their own local machines, yet they don't get the privileges. For instance, they are not allowed to install software, or create new printer ports. This surprised me at first, but it appears that since they are not domain administrators, they are being forbidden. Probably you're right, I should just cut them loose from the domain. All they really need is file sharing and printing.

[niko-winterset.livejournal.com]

Welcome. Pretty pony isn't he. :)

Makes sense now. The are not part of the Admin group on the Domain so therefor they do not have admin rights to network resources.

Two choices, take them off the domain or add them to a domain group with admin rights. I would choose the second as it will take less time, bit that would also give them admin rights to the server as well perhaps. Not always a good choice.

I will have my hooves on my 2000 Server Training material in a few days when I return home. It might be a good resource for you if you are interested. There is a section that deals with security and permissions.

[altivo.livejournal.com]

Well yes, except that installing application software on your own PC (e.g., Photoshop or Winzip) is really not affecting network resources, yet they are being barred from doing that. The application that couldn't print labels turned out to be unable to even write a scratch file into its own local directory, but if administrator runs it, then it performs flawlessly, so privilege really is what's at issue.

This is some really weird shit. I'm sure the tech consultants who used to control our network did it to achieve some other purpose entirely. I'm going to have to find what they did and undo it. No, I don't want to give end users administrative power on the servers themselves. Not that I think any of my users would be malicious, but they definitely could mess something up unintentionally. Our administrator password is not a secret anyway. But at least they have to deliberately log in as administrator to mess with that stuff, and none of them would do that I'm sure.

LMA (the consultants) were using Windows policies and domain security to keep the public from messing with configurations and settings on machines that ran Windows XP. I think those same policies are being applied by default to regular staff users when they are logged into the domain as opposed to just sharing directories and print queues.

[niko-winterset.livejournal.com]

Start, Control Panel, User Accounts

Look for a listing of usernames for that machine. Should be a list of 'domain name'\'username' and beside that it will show the permissions, i.e. Admnistrator or not. At least that is how it was on our machines at work

[duskwuff.livejournal.com]

VMWare is indeed neat. VMWare Server doubly so - did you know that they used to charge well over $2,000 for that product, as "VMWare GSX"?

[altivo.livejournal.com]

I didn't know it was that high, no. I was impressed that it installed itself successfully on Slackware (unsupported Linux distribution) even though it had to recompile a couple of modules in order to do so. Some excellent script writing in the install there.

The VMWare Workstation license is only $189, and I would be willing to pay them that to keep this capability if they cancel the beta licensing for the Server product and it quits working. I see that after I supplied the license key they gave me it appears to have a 3 month expiration.

[duskwuff.livejournal.com]

VMWare is moving more and more toward the idea of free (as in beer) software with non-free support. Workstation is the only major product that there isn't a good free version of yet - Player is almost there, but I don't know as it has some of the features. Server is more or less fully functional, though - there isn't a lot it doesn't do, and it has some nifty features that Workstation doesn't (connecting to a VM remotely, for example).

I think the three-month expiration is mostly just a way to keep people up to date on newer versions, incidentally. It's definitely not the way that I'd like them to handle that, but oh well.

[duskwuff.livejournal.com]

Incidentally, there's exactly one thing that VMWare doesn't support that I sort of wish it did: graphics acceleration. Not an issue if all you're doing is browser cross-testing, but eventually it's going to be more or less required to run a current version of Windows decently (as well as Linux, once xgl gets popular).

[altivo.livejournal.com]

Well, I think they can do that if/when they choose to. If they create a fullscreen viewport as a virtual screen, much the way Xwindows lets you flip between virtual desktops, then they can let the hardware acceleration operate on it. Right now that's pretty much irrelevant for what I do, or probably for most business type applications, but of course gamers and graphic artists are going to want it eventually.

[calydor.livejournal.com]

Not entirely true. The problem is that a graphics accelerator needs full access to the graphics card, and they only work with their proprietary drivers (which, incidentally, get updated about every other week). Since VMWare is just running on top of Linux, allowing full control of the graphics card becomes troublesome. The best bet in getting this working would be a make-believe driver, but since they update constantly - and let's face it, reverse engineering is never 100% right - that would be downright messy.

[altivo.livejournal.com]

A pseudo driver is indeed one answer. And reverse engineering can eventually get things 100% right. Many of the drivers in Linux have proven that.

I was looking at the difference between the way XP performs under VMware and the way Win98 does just last night. They've almost got it working for XP, but oddly, not with Win98. It's largely a matter of translation, or of passing control with a hook for getting it back when necessary.

[altivo.livejournal.com]

Player can't create a virtual machine. Since they can't distribute a pre-built virtual machine with Windows in it the way they can many flavors of Linux, you need a version of VMware that can create the empty virtual machine and then run the Windows installation inside it. Server (and Workstation, I imagine) can do that.

I have a legit license for XP on the machine I'll be using at work, I just prefer not to install XP as the primary OS. This will let me install Linux and then install XP as a guest OS. Perfect, since I anticipate needing that XP for precisely one application but it's one I can't manage without.

[goldenstallion.livejournal.com]

Dear Rider. Now why is it, lately, I feel this important need to cushion you and hold you under wings that always offer this good and very honest friendship in spite you are turning into a GEEK!

Sorry, just grinning but my wings are yours.

Imperator

[altivo.livejournal.com]

No, they are your wings. The reason I love to touch them and hide under them is just that, because they are attached to you. :)

[kamodragon.livejournal.com]

I have NO idea what all this stuff is about, but I am glad somone does...

[altivo.livejournal.com]

Just local area networks and Microsloth's normally uncooperative software.