Windows Client UPDATE—brought to you by the Windows & .NET Magazine Network
http://www.winnetmag.net


THIS ISSUE SPONSORED BY

Windows Scripting Solutions
http://www.winscriptingsolutions.com


SPONSOR: WINDOWS SCRIPTING SOLUTIONS

WINDOWS SCRIPTING SOLUTIONS FOR THE SYSTEMS ADMINISTRATOR
So, you're not a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions online, the Web site that can help you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. While you're there, check out this article http://www.winscriptingsolutions.com/articles/index.cfm?articleid=20376 on WMI scripting for beginners!
http://www.winscriptingsolutions.com


August 15, 2002—In this issue:

1. COMMENTARY

  • Delegating Administrative Authority Within AD

2. ANNOUNCEMENT

  • Real-World Tips and Solutions Here for You

3. RESOURCES

  • Tip: Disabling the Dynamic Disk Option
  • Featured Thread: Locking Down Desktop Icons

4. NEW AND IMPROVED

  • Store Your Informational Tidbits Without Clutter
  • Add, Delete, and Rearrange Pages Within a PDF File

5. CONTACT US

  • See this section for a list of ways to contact us.

1. COMMENTARY
(David Chernicoff, News Editor, david@winnetmag.com)

  • DELEGATING ADMINISTRATIVE AUTHORITY WITHIN AD

    Last week, I had lunch with four network administrators from small local companies. One subject that came up was applications that require users to have administrative access to run. Almost all the administrators had encountered this situation.

    When I asked how they handled it, they replied that they just gave the users who needed to run the application Domain Administrator rights or, if the application runs locally, Local Administrator rights. When I asked them why they didn't use the more granular rights controls that Windows 2000 provides, they gave me blank stares. None of the four administrators were aware that you can assign more granular rights within Active Directory (AD) than you can within the OS.

    Similar to the way in which users can have specific domain or AD-wide rights if they're in the Backup Operators group, users on a Win2K network can have a fixed set of rights that let them perform certain tasks in a specific part of the network. Those rights don't carry over to other parts of the network. Small-network administrators rarely need to delegate administrative authority in this granular manner, but I was sure that most small-network administrators would at least be aware of this ability. Apparently, I was wrong—or it was simply a strategy that these administrators had never considered. When pressed, they all admitted to having user accounts in the Backup Operators group and hence were aware that different enterprisewide rights assignments are available to user accounts.

    Delegating granular authoritative control is simple. Just load the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and right-click the organizational unit (OU) or domain in which you need to provide the administrative authority. In the context menu, click the Delegate Control option to launch the Delegate Control Wizard. The wizard walks you through the process of delegating administrative control to a specific user or group of users. If you have an otherwise unrelated group of users to which you want to grant the same administrative authority, it makes sense to create a group for these users before you run the wizard. After you create this group, you can add or remove users from this administrative role simply by changing the users' group membership. If the task you want to delegate isn't in the list of preconfigured administrative tasks, you can create a custom task by clicking "Create a custom task to delegate" and defining the custom task that you want to create. At the end, the wizard summarizes what you've selected and lets you click Finish to create the delegated task or Back to edit the delegation you've created.

    If the authority you need to delegate isn't at the OU or domain level but is instead related to a container object (e.g., site, subnet, service), you can use the MMC Active Directory Sites and Services snap-in's Delegate Control option. After you load this snap-in, right-click the target container object in the display and click the Delegate Control option in the context menu.
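
    One way to review what has been delegated on an OU after running the wizard, as an added example that is not part of the newsletter. It assumes the ActiveDirectory PowerShell module is installed; the OU name and the helper function names are constructed for illustration.

```powershell
# Added example, not from the newsletter. Requires the ActiveDirectory module (RSAT);
# OU=Sales,DC=example,DC=com is a constructed placeholder.
Import-Module ActiveDirectory

# A few well-known schema and extended-right GUIDs so the report is readable.
$KnownGuid = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
}
function Resolve-Guid([guid]$Id) {
    $key = $Id.ToString()
    if ($KnownGuid.ContainsKey($key)) { $KnownGuid[$key] } else { $key }
}

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Explicit (non-inherited) entries are the ones set directly on this OU.
    $acl.Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference -notmatch '^(NT AUTHORITY|BUILTIN)\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                AppliesTo = Resolve-Guid $_.InheritedObjectType
                Object    = Resolve-Guid $_.ObjectType
                # Full control or the ability to rewrite the ACL is not "granular".
                Broad     = [bool]("$($_.ActiveDirectoryRights)" -match 'GenericAll|WriteDacl|WriteOwner')
            }
        }
}

Get-OuDelegation 'OU=Sales,DC=example,DC=com' |
    Sort-Object Broad -Descending |
    Format-Table -AutoSize
```

    Entries flagged Broad are worth revisiting, because they give the trustee far more than a single delegated task.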

    Delegating authority through AD is one of the most compelling reasons to implement an AD structure, even if you aren't running a huge enterprise. The ability to give nonadministrators access to rights that they need in specific situations can simplify the job of any network administrator.

2. ANNOUNCEMENT
(brought to you by Windows & .NET Magazine and its partners)

  • REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU

    Register online for Windows & .NET Magazine LIVE! before this conference sells out. Network with the finest gathering of Windows gurus on the planet. This conference is chock-full of "been there, done that" knowledge from people who use Microsoft products in the real world. Register now and you'll receive FREE access to sessions of concurrently run XML Web Services Connections.
    http://www.winnetmagLIVE.com

3. RESOURCES

  • TIP: DISABLING THE DYNAMIC DISK OPTION

    (contributed by David Chernicoff, david@winnetmag.com)

    While shooting the breeze over pizza with a member of my company's sales team, he asked me what a dynamic disk was. Knowing his penchant for playing around with his notebook's OS and requiring the help of the IT desk to fix what he breaks, I replied warily, "Why do you want to know?"

    He mentioned that he had been playing with the Microsoft Management Console (MMC) Computer Management console and noticed that he had the option to upgrade his basic disks to dynamic disks. Hearing that he found this option was a bit of a shock to me because dynamic disks aren't supported on notebooks. I checked his notebook, and sure enough, the option was present. So, I called my IT guy and had him check the reserve notebooks for the sales team members. He discovered that these notebooks also had the option enabled.

    I wanted to turn off the option to prevent an inquisitive user from getting into trouble. After a little research, I discovered that you can disable this option in three steps:

    1. Launch regedt32.
    2. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmload registry subkey, double-click the Start entry and enter 0x4 in the "Value data" field.
    3. Restart the machine.

    If you're checking the registry of a remote computer, check the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\CurrentDockInfo\DockingState entry. If the value is set to 0x1, the Dynamic Disk option isn't present.
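
    The same check and change as a script, as an added example that is not part of the newsletter. It reads the two registry values named above and sets Start to 0x4 only when asked; the computer names and function names are constructed, and the remote check assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example, not from the newsletter. NOTEBOOK-01/02 are constructed names;
# remote use assumes PowerShell remoting (WinRM) is enabled on the targets.
$ReadState = {
    $svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\dmload'
    $dock = 'HKLM:\SYSTEM\CurrentControlSet\Control\IDConfigDB\CurrentDockInfo'
    # Missing keys or values come back as $null instead of raising an error.
    $start = (Get-ItemProperty $svc  -Name Start        -ErrorAction SilentlyContinue).Start
    $state = (Get-ItemProperty $dock -Name DockingState -ErrorAction SilentlyContinue).DockingState
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        DmloadStart  = $start
        Disabled     = ($start -eq 4)      # 0x4 = service disabled (step 2 of the tip)
        DockingState = $state
    }
}

function Get-DynamicDiskOption {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) { & $ReadState }
            else {
                Invoke-Command -ComputerName $name -ScriptBlock $ReadState -ErrorAction Stop |
                    Select-Object Computer, DmloadStart, Disabled, DockingState
            }
        } catch {
            Write-Warning "$name not checked: $($_.Exception.Message)"
        }
    }
}

function Disable-DynamicDiskOption {
    # Local change only; run elevated. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\dmload'
    $now = & $ReadState
    if ($null -eq $now.DmloadStart) { Write-Warning "No Start value under $svc."; return }
    if ($now.Disabled) { return $now }     # already 0x4; nothing to do
    if ($PSCmdlet.ShouldProcess($svc, "Set Start $($now.DmloadStart) -> 4")) {
        Set-ItemProperty -Path $svc -Name Start -Value 4 -Type DWord
        Write-Warning "Start was $($now.DmloadStart); restart to apply (step 3)."
    }
    & $ReadState
}

Get-DynamicDiskOption -ComputerName $env:COMPUTERNAME, 'NOTEBOOK-01', 'NOTEBOOK-02'
Disable-DynamicDiskOption -WhatIf          # preview; remove -WhatIf to apply
```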

  • FEATURED THREAD: LOCKING DOWN DESKTOP ICONS

    Do you know how to prohibit changes to desktop icons in a terminal services session? If so, this forum participant needs your help. Go to http://www.winnetmag.com/forums/messageview.cfm?catid=45&threadid=42984

4. NEW AND IMPROVED
(contributed by Judy Drennen, products@winnetmag.com)

  • STORE YOUR INFORMATIONAL TIDBITS WITHOUT CLUTTER

    Forty Software announced Note Wonder 1.50, a program that offers the note-taking capabilities of a personal information manager (PIM) but is as easy to use as Notepad. Note Wonder gives you a place to store and retrieve information that you don't want to lose but never know where to keep. In addition, you can set reminder alarms, categorize notes into folders, email and print notes, and create and use templates. The program runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $29.77 for unlimited notes. Contact Forty Software at 877-386-8833 or mklein@forty.com.
    http://www.forty.com

  • ADD, DELETE, AND REARRANGE PAGES WITHIN A PDF FILE

    BroadGun Software released a new version of pdfMachine, software that lets you create a PDF file, then add, delete, and rearrange pages within that file. Developed as a Windows print driver, pdfMachine provides an interface that lets you produce PDF files from any Windows application. The new version makes emailing PDF files easy because it integrates with Messaging API (MAPI)-compliant email programs, such as Microsoft Outlook and Outlook Express. You can even encrypt your PDF files for security. The software costs $49 per user and runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. Contact BroadGun at jenny@broadgun.com or go to the Web site.
    http://www.broadgun.com/pdfmachine

5. CONTACT US
Here's how to reach us with your comments and questions:

    • ABOUT THE COMMENTARY — david@winnetmag.com
    • ABOUT THE NEWSLETTER IN GENERAL — mlibbey@winnetmag.com

    (please mention the newsletter name in the subject line)

    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR WINDOWS CLIENT UPDATE SUBSCRIPTION?
      Customer Support — windowsclientupdate@winnetmag.com
    • WANT TO SPONSOR WINDOWS CLIENT UPDATE?
      emedia_opps@winnetmag.com

    This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
    http://www.winnetmag.com/sub.cfm?code=wswi201x1z

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Thank you for reading Windows Client UPDATE