Sometimes you need to lock down the browser so that a user can only access a single site. This can be achieved by the use of a single group policy setting.
User Configuration \ Administrative Templates \ Windows components \ Internet Explorer
Set Enforce Full Screen Mode to Enabled. This will force the desktop version of Internet Explorer to have no menus, toolbars, status bar or even the address bar, and no address bar means no way to get to a new site. This has been possible since IE7, but with the addition of the new modern browser in Windows 8, users always had the other option, accessed by clicking on the IE shortcut on the Start menu.
But Microsoft did think of that, so there are 2 more group policy settings at:
User Configuration \ Administrative Templates \ Windows components \ Internet Explorer \ Internet Settings
First one: Open Internet Explorer tiles on the desktop should be enabled to force the use of the desktop version, which you can then control.
Second one: Set how links are opened in Internet Explorer can be enabled and set to Always in Internet Explorer on the desktop.
As all of these settings are User Configuration, they can also be set using Multiple Local Group Policy, so that you can set them for any non-Administrators on the device, making this an option for kiosks or other single-task systems.
Rambling of an 40 year old IT Architect
This will be my musing from my life, work and a pursuit of happiness.
Thursday, 8 January 2015
Saturday, 29 June 2013
TechEd Europe 2013
The last week has been spent in Madrid at the annual Microsoft TechEd conference. This was my first time at the European version of the event, having previously attended the North American version 3 times in the past, so I thought it might be interesting to compare the events.
I first attended TechEd in 2008 in Orlando, followed the year later in Los Angeles; these were both paid for by my employer. I returned last year to Orlando but had to pay for my own flights, hotel and food. This year was the same setup, as it worked out significantly cheaper to go to Madrid than New Orleans.
Venue
Overall the venue in Madrid felt significantly larger than the convention centres in the USA, but the in-use space was smaller, such as where we had the keynote, the breakout sessions and especially the tech expo. The conference venue in Madrid was also much more isolated from the city and hotels compared to the US, but thinking about other cities I think this is just a USA thing to have them more centrally located.
I had taken a hotel nearby in the suburb of Barajas so was only a 20 min journey via the metro, but most other attendees I talked to seemed to be 40+ minutes away, and as everyone seemed to arrive and leave at the same times the metro trains heading into Madrid were very crowded.
Keynote
The main feeling of the event is one of after the Lord Mayor's Show, with almost nothing that could be announced as these had been made at the US event 2 weeks before, and even some details of Windows 8.1 had to be delayed till a second keynote in order to happen after the keynote at //Build that had been scheduled to clash with this event.
The first keynote started with the same US-centric video from New Orleans but without the Aston Martin actually being there in Madrid. This also gave the impression that bar the "announcements" of the R2 bits being available for download all the rest was a direct replay of the US keynote. The R2 bits did also hammer the WiFi network for the rest of the day, making access even more strained for the first day, but this did seem to get better during the week.
Sessions and crowds
The breakout sessions seemed like a good mix of the US and European content and most sessions I attended were the same level of crowds as a similar session in the USA, with only the Mark Russinovich sessions on malware hunting and Case of the unexplained becoming absolute sell-outs (I managed to attend the first but baulked at having to wait in the room for the whole break to also do the second). But overall the crowds were slightly smaller than in the US. But this is only really noticeable by the size of the keynote location and the meal hall.
Parties and people
For me this is one of the biggest differences, as I did keep meeting people that I have met at other UK based events, whereas in the 3 trips to the USA I had never had those interactions, the closest being last year, when I was able to use the alumni lounge and in it they had a TV showing the Euro championship, which had a regular group of European visitors (and one South African).
The main attendee party was listed as country drinks, which took over a group of restaurants in the south west of the city (a good distance from the convention centre) and divided up these venues by country, but everyone was able to wander between these. The differences between the 5 venues I popped into were minimal, which was a slight shame that the major countries could not showcase their own culture more, rather than them all being Spanish tapas and drinks and just the voices in each venue being different. But this was still more entertaining than the beach party in the conference centre in LA, but not close to the hiring of a theme park that happened on both the Orlando trips.
My other main party of the week was the Krewe meet and greet, held on the Thursday night, again with some good and bad points. It was in an official hotel but one that was a long way from any public transport, which probably led to it being less attended than the number of people signed up. Those that did seemed more welcoming and less insular than the American version, helped by the music being in the background so that we could talk to each other, especially with most attendees not having English as a first language. It would be better at the start of the week, possibly the Monday night if we are going to continue with a Tuesday start, but overall I hope that this can go from strength to strength to rival the US version in future years.
Tech
One of my personal differences between this and previous trips was the technology I took; this was the first trip I can remember where I have not taken a laptop. I had just my phone (Sony Xperia Z) and a Nexus 7 tablet. This worked well, with the roaming charges being significantly lower than on a US trip, and the WiFi was good enough in all the session rooms to be able to take notes using OneNote and have these sync back to the cloud. And I am writing this on the flight home, but I will need to edit on a PC when I get home.
We did have a similar Surface deal to the US attendees, apart from them being shipped rather than collected in the hall, but this also seemed to smooth out the orders so the queue never got very long and both devices are now waiting for me when I land.
Conclusion
Overall I think I will be targeting the European version in the future, probably with the exception of when the North American event is in Orlando or somewhere else I really want to visit but still has cheap hotels, to overcome the more expensive flights.
Saturday, 8 December 2012
Windows Domain Refresh Issue
So this weekend I was starting the refresh of my home setup, removing all the Windows 2008 servers and replacing them with Windows 2012 servers. The first old domain controller went fine, but the 2008 R2 DC would not run DCPromo correctly to demote the server out of the domain.
All the FSMO roles had been moved to the replacement servers, but on running dcpromo I got the message "Directory Service is missing mandatory configuration information...unable to determine ownership of floating single-master operation roles"
This directed me to http://support.microsoft.com/kb/949257 which did not seem to be a solution, but did fix the solution. This does seem to show a potential issue with Active Directory: the Infrastructure master FSMO role is stored in both the domain configuration and the DNS zones. As such it is probably worth checking any forest/domain where the original domain controller has been removed to confirm if the DNS zones have also been updated.
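A read-only way to run the check suggested above, as an added example that is not part of the original post: it reads the fSMORoleOwner attribute on the Infrastructure object in the domain and in the DomainDnsZones and ForestDnsZones partitions and flags any owner that is not a live domain controller. It assumes the ActiveDirectory PowerShell module is available; the function name Get-OwnerStatus is hypothetical.

```powershell
# Added example: read-only check, needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-OwnerStatus {
    # Classify an fSMORoleOwner value against the NTDS Settings DNs of live DCs.
    param(
        [string]$Owner,
        [string[]]$LiveNtdsDns
    )
    if ([string]::IsNullOrEmpty($Owner)) { return 'Missing' }
    # A removed DC leaves a deleted-object DN containing "0ADEL:<guid>".
    if ($Owner -match '0ADEL:')          { return 'DeletedOwner' }
    if ($LiveNtdsDns -contains $Owner)   { return 'OK' }
    return 'UnknownOwner'
}

$forest = Get-ADForest
$domain = Get-ADDomain
$rootDN = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

# NTDS Settings DNs for every domain controller in the forest.
$liveNtds = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        ForEach-Object { $_.NTDSSettingsObjectDN }
}

# The domain partition and both DNS application partitions
# each hold their own Infrastructure object.
$targets = @(
    "CN=Infrastructure,$($domain.DistinguishedName)",
    "CN=Infrastructure,DC=DomainDnsZones,$($domain.DistinguishedName)",
    "CN=Infrastructure,DC=ForestDnsZones,$rootDN"
)

$report = foreach ($dn in $targets) {
    try {
        $obj    = Get-ADObject -Identity $dn -Properties fSMORoleOwner -ErrorAction Stop
        $owner  = [string]$obj.fSMORoleOwner
        $status = Get-OwnerStatus -Owner $owner -LiveNtdsDns $liveNtds
    } catch {
        # Partition not present or not reachable from this DC.
        $owner  = ''
        $status = "QueryFailed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Object = $dn; Owner = $owner; Status = $status }
}

$report | Format-List
```

Any row whose Status is not OK names a partition where the recorded owner should be reviewed before running dcpromo or adprep.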
Wednesday, 7 November 2012
Windows Active Directory Version Upgrades
This week I am on a Windows 2012 course to update my technical certification, and a question was asked by one of the other attendees: could he update his Active Directory, currently running on a pair of Windows 2000 and 2003 servers, to two new ones both running Windows 2012, and what was the easiest way to get from A to B? All we could find on-line was that the ADPrep tool would only run on a 64Bit Windows 2008 Server.
This needed a definitive answer so here it is.
I started with a Windows 2000 SP4 Active Directory Single Domain Forest. Running in Native Mode.
The Windows 2003 AdPrep was run against the Forest and Domain with no comments. From there a Windows 2003 SP2 Domain controller was added with no issues. I made both these servers Global Catalogs. On the Windows 2000 server (as it held all the FSMO roles) the Windows 2008 R2 AdPrep ran for Forest and Domain preparation with no complaints (just making sure that all the Windows 2000 servers were running SP4) and again a new DC was added this time a 64Bit Windows 2008 R2 server.
So, still in Windows 2000 Forest and Domain Functional Level, it is possible to host Windows 2000 SP4, Windows 2003 SP2 and Windows 2008 R2 (and I assume R1) Domain Controllers with no problems.
The next stage was to do the AD preparation for Windows 2012, this stated that it needed a minimum of only Windows 2003 servers in the domain, so all the FSMO roles were moved to the other domain controllers and the Windows 2000 was demoted. The ADPrep ran successfully at this point for both Forest and Domain preparation.
On trying to promote the Windows 2012 server to become a Domain Controller, it announced that the Forest Functional level needed to be raised to Windows 2003. Doing this also raised the Domain functional level to 2003, but then the Windows 2012 Server could be made a Domain Controller.
Wednesday, 28 September 2011
System Centre Configuration Manager - Discovery
Now that SCCM 2012 is installed, need to configure it to work with the network to discover the clients and networks so that it can start to be useful. So first port of call is the new Discovery Methods section.
First one that I notice is Active Directory Forest Discovery.
This was run and after checking the status messages
It then appeared in the Active Directory Forest section of the Hierarchy.
The older AD Security Group, System, System Group, & User Discovery methods were configured for the Proof of Concept domain, and within a couple of minutes there was plenty of information in the Asset lists.
Finally a Boundary Group was created from the IP and Site Boundaries discovered from the AD Forest discovery to scope the SCCM server.
As this is a test lab, initially only client push for new agents will be used.
So first was to install the agent on the site server.
Tuesday, 27 September 2011
System Centre Configuration Manager
As this blog really does not have a purpose bar somewhere to hold ramblings, I thought I would do a quick series on SCCM 2012 and Windows 8, as these will start to appear in Windows based networks over the next couple of years and it really becomes my holding place for my own experiences with these technologies.
Rather strapped for modern hardware and not wanting to virtualise the SCCM product, I was able to get a HP DL360 G5 as a test server (8Gb Ram, couple of processors and a reasonable set of disks - configured as a System drive (C) 136Gb, and Data Drive (D) 410Gb). Windows 2008 R2 was installed, network configured (4 NICs teamed to a single virtual NIC with static IP). The WDS and WSUS roles were installed (along with required features) but NOT configured and the .Net 3.5.1 feature was also installed.
SCCM 2012 Beta 2 was downloaded, and I was informed that .Net 4.0 was also required so this was downloaded from Microsoft along with the latest security updates, then SCCM was attempted to be installed again.
As this was a test system, I went with a Primary Site Install, but did not click the Typical check box as I have always been advised against this on previous versions of SMS/SCCM. At the download screen I originally went with a path that had a space, but replacing that with a hyphen allowed me to progress to seeing the extra updates be downloaded.
I then got to the first gotcha: you must have SQL Server already installed. So installation cancelled and SQL install started. SQL must be 2008 SP1 with CU10 (it does not support 2008 SP2 or R2). SQL 2008 Installation does not appear to work in remote desktop mode, so a switch to the KVM switch and another attempt.
The following SQL 2008 features were installed.
- Database Engine Services
- SQL Server Replication
- Reporting Services
- Client Tools Connectivity
- Management Tools - Basic
- Management Tools - Complete
The AD had already been extended for SCCM schema extensions, as SCCM2007 had previously been installed.
Then create and install the required certificates on the CA as per the guidance on TechNet, but that then hit a problem as the CA was running Windows 2003 but the client was 2008, so the web enrollment would not work and I had to use certreq commands instead. NOTE that at this point you need to be logged into the SCCM server with a domain account to ensure that you can access an AD CA.
On trying to enable HTTPS access via the IIS console, this was not installed so the following role features were added to the IIS role.
- Common HTTP Features
  - Directory Browsing
  - HTTP Errors
  - HTTP Redirection
- Health and Diagnostics
  - HTTP Logging
  - Logging Tools
  - Request Monitor
  - Tracing
- Performance
  - Static Content Compression
- Management Tools
  - IIS Management Console
  - IIS 6 Management Compatibility
    - IIS 6 Metabase Compatibility
    - IIS 6 WMI Compatibility
And then it stopped again; it moved its own self-signed certificate in and stopped the SQL server, so this new certificate was fixed as per the blog above and SQL started and the SCCM started to move on.
And then you wait. A good while later I have a working admin console. Next I will start to look at the guided test cases and especially the Operating System deployments.
Monday, 6 June 2011
Beware of colleagues bearing gifts
Sometimes an Architect has to get out of their lofty white towers and get their hands dirty with some real work, and that has been my lot over the last few weeks.
A colleague being helpful and resourceful managed to obtain a couple of SAN switches and some disk storage that we could use in the test lab, but by the time I got involved, couldn't remember anything about where they were from or what any of the passwords were.
So time to investigate. The switches were labelled with HP StorageWorks SAN Switch 2/16V, which in reality are just rebadged Brocade 3850. So after a couple of attempts at finding a reset button (no such luck) I connected to the serial port and pulled the power to force a reboot. On booting you are given an option to boot into a PROM state where I found that the recovery password had not been set (they had now) and a few Linux type commands:

printenv
This produced the PROM environment settings, confirming the memory OS loader location.

boot MEM()0xF00000 -s
Manually starting the OS from the memory location shown before.

mount -o remount,rw,noatime /
mount /dev/hda2 /mnt
/sbin/passwddefault
This reset all the built in accounts to their factory defaults.

reboot -f
Rebooted the switch, then we were able to get into the Fabric OS using the default root account and password (fibranne - if you have the same switches as me or google is your friend).

So finally we have 2 working switches, albeit with old versions of the Firmware, so more hands on work for me as we go through the upgrade processes. Hope the lab is worth it when it is done.