Windows Client UPDATE--brought to you by the Windows & .NET Magazine Network
THIS ISSUE SPONSORED BY
Microsoft Mobility Tour
SPONSOR: NETSUPPORT MANAGER PC REMOTE CONTROL SOFTWARE
Perform remote support and management on multiple systems simultaneously over a LAN, WAN and the Internet with this powerful PC remote control software. NetSupport Manager provides speedy, secure remote PC access, dynamic inventory, automated scripting and scheduling, file transfer, remote deployment, system monitoring, help requests and much more. Use NetSupport Manager to manage help desk support, mobile computing, desktop management, software training and system automation. A great add-on for SMS. Recently named Editor's Choice by Network Computing Magazine. Installed in millions of desktops worldwide. Download a free, fully functional 30 day trial today.
January 16, 2003—In this issue:
- Yes, You Can Make Users Change Their Password
2. NEWS & VIEWS
- Lirva Worm Might Spoof Microsoft Security Bulletin
- Windows Scripting Solutions for the Systems Administrator
- Get "The Windows XP/2000 Answer Book"
- Back by Popular Demand--Don't Miss Our Security Road Show Event!
- Tip: Forcing an ACL to Accompany a File Across Shares in Win2K
- Featured Thread: Mirroring Hard Disks in NT
5. NEW AND IMPROVED
- Patch your Enterprise Automatically
- Copy Hard Disks over the Network or Locally
6. CONTACT US
- See this section for a list of ways to contact us.
(David Chernicoff, [email protected])
During my time in the trenches, when I was providing frontline IT support, one task I had to attend to almost every day was resetting user passwords. I can understand users having trouble remembering a password that they use only occasionally. However, the majority of the passwords I had to reset belonged to users who had ignored daily warnings from the OS that their password would expire in a certain number of days. In one environment, we forced password changes every 30 days; in this company, some users never deduced that their passwords changed regularly. For these users, when I changed their password, I always used the same word followed by a number, which was the only element of the password that changed. Even so, some users required IT to reset their password 15 times in 18 months because they couldn't remember the password.
My story brings me to one benefit of using Active Directory: AD lets you create groups and delegate simple tasks such as resetting passwords. To reduce the load on IT at one organization in which I worked, we used the Delegation of Control Wizard to grant the right to reset passwords to one manager in every group, so that someone was almost always available to reset a user's password without involving IT.
I have passed this tip along to many friends, colleagues, and readers over the past few years and recently received an email message about this practice. In the company that the message described, managers were complaining that some users were letting their manager take full responsibility for changing their passwords at the required intervals. These users ignored requests to reset their password until they couldn't log on; they then went to the manager to request a password reset. IT professionals are usually astonished by this behavior, and when I chat with average users, I'm always amazed by their "If my manager changes my password every month, that's OK with me" response.
The problem in this situation is that the Delegation of Control Wizard doesn't let you give the delegated authority group the ability to force users to change their password at the next logon. Obviously, doing so would solve the initial problem completely: Users can't access their computer until they change their password. You can give delegated users who have authority to reset passwords permission to force users to change their password at the next logon. After you make the following changes, delegated users will be able to select "Force user to change password" in the Change Password dialog box in User Manager. Take the following steps:
- Open Administrative Tools, Active Directory Users and Computers.
- Click View, Advanced Features.
- Right-click the container object that you want these changes to apply to and select Properties from the context menu.
- On the Security tab, click Advanced.
- On the Permissions tab, click Add.
- Select the group or individual user to which you want to delegate control and click OK.
- Select the Properties tab from the Permission Entry for Users dialog box.
- Click the "Apply onto" drop-down list.
- Select "User objects."
- For Write Account Restrictions, click Allow.
- Click OK through all the exit screens.
After you've made these changes, the managers or users to whom you've delegated the change password authority can force the users for which they're responsible to change their passwords when the users log on after a password reset.
SPONSOR: MICROSOFT MOBILITY TOUR
THE MICROSOFT MOBILITY TOUR IS COMING SOON TO A CITY NEAR YOU!
Brought to you by Windows & .NET Magazine, this outstanding seven-city event will help support your growing mobile workforce! Industry guru Paul Thurrott discusses the coolest mobility hardware solutions around, demonstrates how to increase the productivity of your "road warriors" with the unique features of Windows XP and Office XP, and much more. There is no charge for these live events, but space is limited so register today!
2. NEWS AND VIEWS
(contributed by Paul Thurrott, [email protected])
New variants of a worm, Lirva, are spreading around the Internet, infecting users of Microsoft Outlook. The worm is dangerous because it can shut down antivirus and firewall software and overwrite Microsoft Word, Excel, and PowerPoint files, leaving the file sizes at 0KB, which renders the files unrecoverable without a backup.
Lirva spreads through the KaZaA file-share network, through Internet Relay Chat (IRC) and ICQ, and through email. When spreading through email, Lirva sends a copy of itself to everyone listed in a user's address book by using its own built-in SMTP server, which helps the worm's activity go undetected. Lirva also collects address information from various other files on the user's system, such as .htm, .wab, and .dbx files.
Lirva also collects passwords from users' systems and emails them to an address presumed to be located in Russia. On the 7th, 11th, and 24th day of each month, Lirva automatically opens a Web browser on infected machines to the Web site of a pop singer, http://www.avril-lavigne.com.
The worm can arrive with various subjects, message body content, and file attachments, including one that spoofs a message from Network Associates regarding a security problem with Microsoft IIS. Users need to be aware that Microsoft never distributes its security patches through email to end users, and to my knowledge, Network Associates doesn't redistribute Microsoft patches either.
(brought to you by Windows & .NET Magazine and its partners)
You might not be a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions, the monthly print publication that helps you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. Try a sample issue today at
"The Windows XP/2000 Answer Book," by John Savill, answers more than 1000 FAQs about the latest and most powerful versions of Windows. You'll discover key information about installation, customization, Active Directory, Internet support, security, and much more. Amazon.com readers are giving it five stars, so get your copy today!
If you missed last year's popular security road show event, now's your chance to catch it again in Portland, Oregon, and Redmond. Learn from experts Mark Minasi and Paul Thurrott about how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Registration is free, so sign up now!
(contributed by David Chernicoff, [email protected])
When you drag files across shares on Windows 2000 servers, you need to check to make certain that each file's necessary permissions are set in the new location. By default, a file inherits the permissions of the folder you drag it to--it doesn't automatically retain the permissions it had in its previous location because the file's ACL doesn't accompany the file to its new location. However, with a simple registry edit, you can force Win2K to take a file's ACL along with the file from NTFS volume to NTFS volume. Take the following steps:
- Launch regedt32.
- Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
- Add a subkey of type REG_DWORD and name it ForceCopyAclwithFile.
- Set the data value to 1.
- Log off, then log back on to make the change take effect.
Forum member "mwhit" is running Windows NT and has two 10GB SCSI hard disks that use NT to mirror each other. He is replacing the 10GB disks one at a time with 34GB disks and wants to know whether he needs to format and partition the new disks similarly to the original disks. The original disks each have two partitions. He knows that the mirror will be only as large as the smaller disk. What he hopes to do is replace the first original disk and mirror it, then replace the second original disk and mirror it to the first replacement disk. If you can help, join the discussion at the following URL:
5. NEW AND IMPROVED
(contributed by Sue Cooper, [email protected])
Ecora Software announced Ecora Patch Manager, patch analysis and remediation software for most Microsoft enterprise products. The software automatically discovers and analyzes patch levels, then alerts and links administrators to necessary service packs, hotfixes, and relevant vendor resources. Automatic installation can be immediate or scheduled. Ecora Patch Manager's interface is an intuitive, tab-based view organized by host, application, or patch. Pricing starts at $500. Contact Ecora Software at 603-436-1616, 877-923-2672, or [email protected]
NovaStor released InstantRecovery 4.0 Professional Edition, hard drive and partition cloning, migration, and image-based disaster-recovery software. Version 4.0 lets you create and access hard disk images over the network or a Network Attached Storage (NAS) device. InstantRecovery lets you copy and recover the entire hard drive or individual partitions. The software supports all Intel-compatible OSs and most media types. Pricing is $99.95. Contact NovaStor at 805-579-6700 or through its Web site:
6. CONTACT US
Here's how to reach us with your comments and questions:
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR WINDOWS CLIENT UPDATE SUBSCRIPTION?
Customer Support — [email protected]
- WANT TO SPONSOR WINDOWS CLIENT UPDATE?
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.