NT Security
Security is an important topic for systems administrators, and the number of quality security applications is steadily increasing. But before you invest in expensive security tools, you need to take full advantage of the security configurations on your Windows NT servers and workstations. In my past 2 years of experience with NT implementations, I've discovered that many companies make considerable investments in security tools and utilities but leave their NT security configurations open to users who can easily abuse the system. Security administrators and managers must ensure that their NT systems' base settings provide hardened security before they commit financial resources to additional tools. Then, administrators can use security tools and utilities to enhance, configure, and confirm the status of their NT implementations.
—John Walker
jw@ads-derby.u-net.com
Logon Problem
Users in my company recently reported trouble logging on. One user had experienced several failed logon attempts to her Windows NT 4.0 Service Pack 3 (SP3) machine. Other users were unable to load their profiles and had to use the default system profile.
The application event log showed the well-known event ID 1000 (userenv error). The system event log recorded an event ID 12288 from the SAM, saying the SAM was unable to write changes to its database.
I ensured that enough disk space existed and that the Registry and pagefile maximum sizes were adequate, but the SP3 user still couldn't log on. I consulted the Microsoft article "Restoring a User Profile On a Windows NT Workstation or Server" (http://support.microsoft.com/support/kb/articles/q171/7/69.asp). According to the article, overwritten SAM and security information causes the problem. I removed the user's machine and added it to the domain again. The user was finally able to log on to her machine.
—Matthew Larlick
mlarlick@hillier.com
Use KiXtart to Write Logon Scripts
As a Windows NT consultant, I often must write logon scripts. The best tool I've found for writing these scripts is the Microsoft Windows NT Server 4.0 Resource Kit's kix32.exe tool (KiXtart). This tool isn't well known, and few articles about it exist. Perl is a more powerful tool than KiXtart, but most network administrators don't have experience programming or writing scripts. KiXtart is easy to use and powerful enough for most scripts.
I'm working on a migration project in which I'm regularly decommissioning servers and migrating users. I've found that using KiXtart to centralize and implement changes to the user environment is simple. Listing 2 shows a script that I've used to remove drives D to Z. Listing 3 shows a script that removes access to a drive and paths. Listing 4 shows a script that removes access to a drive and paths but changes the drive mapping based on the condition of the old mapping. Listing 5 shows a script that assigns drive mapping and printers by department. Finally, Listing 6, page 44, shows a script that changes the default printer location. I've used these scripts on NT 4.0 and NT 3.51. To use the scripts in your environment, you must replace the server names (i.e., FSxx).
—Robert Hartley
robert.hartley@outpost-it.com
Use KiXtart to Display a Logon Server
In Letters to the Editor: "Pick Users' Domain Controller" (July 1999), Jim McAllister told a reader that he could edit the Registry (directly or with poledit.exe) to display a user's logon server. In my position as a consultant, I'm using the Microsoft Windows NT Server 4.0 Resource Kit's KiXtart tool to display logon servers.
KiXtart can display a host of information, which the tool stores in variables. To display a logon server, I used the script in Listing 7, page 44.
You can also use KiXtart for other tasks. For example, the tool lets you load-balance the use of software on the network, which is handy in remote locations. To read about all the utility's variations, see the kix32.doc file in the resource kit's \kix32 folder.
—Frank Hooglander
frank.hooglander@philips.com
Fault Tolerance on Compaq Servers
If you have a Compaq server and want to use Windows NT's Disk Administrator for fault tolerance rather than spend money on a RAID array controller, you need to be aware that Compaq puts the setup software on servers' hard disks. Having the setup software on the hard disk doesn't cause a problem if you have a RAID controller for mirroring. But in a typical installation, in which NT places the system partition on the boot drive and then establishes mirroring, you can't mirror the Compaq setup partition because NT doesn't recognize it. In addition, if the boot drive fails, you can't simply swap it with the other hard disk or use a boot disk because the second hard disk doesn't contain the setup information and the server doesn't recognize the hardware. To fix this problem, install the system partition on both hard disks before you install the OS. In the event of a failed boot drive, you can swap the good hard disk to get your system running again.
—Bruce Brannan
brannab@wgtsd.com
Register
