I want to thank Rhonda Layfield for her article, “Using WDS with Windows Server 2008” (December 2008, InstantDoc ID 100439). I was indeed able to set up a Windows Deployment Services (WDS) server in about an hour—actually, just over an hour (but I was using a Windows Server 2003 box). I never really considered using WDS during our Windows Vista migration. I actually used most of the base components—ImageX and WinPE for capturing and applying images—but without the benefit of a WDS server. I thought WDS would essentially be Remote Installation Services (RIS) 2.0, and I was never happy with RIS 1, so I approached WDS with some trepidation. Now that I’m using it, I've found that it’s a great product at the right price. Not only have I moved our Vista images to it, I've also started using it for the Windows XP images we have left over. It’s a snap to use, and there’s no RISprep or OSChooser to get in the way.
Thanks Mike! WDS is one of the new deployment tools I'm most excited about. If you like WDS, you really need to learn about WDSUtil, a command-line utility that lets you tweak WDS in ways that aren't available to the GUI.
Darren Mar-Elia’s article, “Securing Windows Desktops Using Group Policy” (November 2008, InstantDoc ID 100264), touches on Software Restriction Policies (SRPs). I was hoping you could confirm one thing for me: SRPs only restrict application use; they can't elevate rights. Correct? In other words, if a user doesn't have local administrative rights, you can't use an SRP to configure certain applications to run as an administrator?
—Richard Van Alstine
You're correct with respect to SRP’s limitations. They can't elevate a process. A feature in Vista's SRP implementation—called Basic User—actually removes administrative tokens from an otherwise elevated process, but not the other way around.
After reading Darren Mar-Elia’s November article, I have a question. If I use the System Services policy to change the service account password, will it update both the user account password (Active Directory—AD—or SAM database) and the service account password (Service Control Manager—SCM)? Can you clarify?
The System Services policy doesn't update service account information. For that functionality, you'd have to use Group Policy Preferences' Services feature, which can do both of the things you've identified.
What Would Microsoft Support Do?
I'm really enjoying Michael Morales’s “What Would Microsoft Do?” column, particularly the December installment, “Simplify Process Troubleshooting with DebugDiag” (InstantDoc ID 100577). As a freelance Windows administrator, I've been working with Microsoft products for 10 years. Occasionally, I run into a problem that ends with an Internet search telling me to debug something—and then I'm lost. I've tried looking into the debugging tools, but most of them seem incredibly difficult to use, or they give results that tell me absolutely nothing. So, I end up looking for other solutions. Next time I run into a problem that requires debugging something, I'll grab one of your articles and try it the Microsoft way! Keep up the good work.
I read Michael Otey’s “Virtualization Rematch” (December 2008, InstantDoc ID 100573), and I have a question. In a few months, I'll be implementing Hyper-V and Essential Business Server (EBS) 2008 on four servers running Windows Server 2008 64-Bit Edition. I'm currently researching HP ProLiant Servers that are compatible with Server 2008 or Hyper-V or both. You mention using a ProLiant ML370 G4 to test the retail version of Hyper-V and the 64-bit Server 2008 Enterprise Edition. I was wondering if that information is correct. In my research, I found that—in general—only the G5 series is capable because of its support for Intel-VT, its No Execute feature, and its BIOS support for virtualization. The Windows Server Catalog doesn't list the G4 as capable of running Hyper-V. Am I missing something?
Yes, I used the rack-mounted HP ML370 G4, and it does support virtualization. However, if you're planning on running Hyper-V, you're correct to pay attention to the server's ability to support either the Intel-VT or AMD-V CPU virtualization feature set. Many servers today use the required x64 architecture but don't support hardware-assisted virtualization. The hardware vendors are aware of each system's ability to support virtualization, and you should be certain to verify this before you purchase your next server platform.
On the November issue's Ctrl+Alt+Del page, we incorrectly attributed a tech quote to Anonymous. It was actually Robert Wilensy who wrote, "For years there has been a theory that millions of monkeys typing at random on millions of typewriters would reproduce the entire works of Shakespeare. The Internet has proven this theory to be untrue." Thanks to Dimitrios Kalemis for the correction!
Letters - 01 Feb 2009