Disabled Win2k Account Can Access Network Resources
A user logged on to a Windows 2000 account interactively can continue to access network services (e.g., remote file shares) even after you disable the user's account. You might expect to see such behavior when the Enforce Logon Restrictions setting is disabled; however, this behavior might also occur when the setting is enabled. An account can remain active when you disable it and don't delete the user’s active network connection, when a user has a cached Kerberos service ticket that permits access, and when a user has a Ticket Granting Ticket (TGT). In the Kerberos cases, service and TGT tickets have a default expiration time of 10 hours. I assume this problem also exists in Win2K Service Pack 1 (SP1) because Microsoft posted this notice on December 22; see Microsoft Support Online article Q274064 for details.
Win2K SP1 Installs IE 5.0 and Outlook Express
Some of you might like the fact that Win2K SP1 upgrades Internet Explorer (IE) to IE 5.01 SP1 and Outlook Express to version 5.5, whether you want or need the extra components. Those of you who don't appreciate the upgrades are out of luck—there’s no way to disable either option. And to make matters worse, you can’t use the Control Panel Add/Remove Programs applet to restore the previous version of IE or Outlook Express after you complete the SP1 installation. Microsoft article Q273940 documents this issue.
Win2K SP1 Changes DDNS Name Registration Behavior
Win2K SP1 changes the way that Netlogon performs dynamic DNS (DDNS) name registrations. When you disable DDNS registration by clearing the "Register this connection's addresses in DNS" option under Advanced TCP/IP Settings or setting the TCP/IP parameters value entry DisableDynamicUpdate to 0x1 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key, the Netlogon service doesn't register either A or PTR records, but it does register SRV records.
When you update a Win2K system to SP1, the SP1 version of Netlogon doesn’t register A, PTR, or SRV records. Microsoft article Q280439 explains how Win2K sets DisableDynamicUpdates to 1, but you can always set it manually or with a script. You can force a Win2K SP1 system to register SRV records the same way the pre-SP1 version does by setting the Netlogon value entry DnsUpdateOnAllAdapters to 0x1. You can find this entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key.
Disabling NetBIOS On Win2k Dial-Up Connections
If you don’t want your Win2K dial-up connections to send NetBIOS traffic, you must disable NetBIOS by unbinding File and Printer Sharing for Microsoft Networks on the dial-up adapter. To display the bindings, open Network and Dial-up Connections, click Advanced, and click Advanced Settings. Locate the dial-up adapter among the adapters that appear at the top of the window, highlight it, and clear the File and Print Sharing checkbox at the bottom of the screen. Microsoft article Q282519 documents this configuration option.
Virtual Disk Drives in Win2K SP1
Have you disabled or removed the diskette drive on a Win2K SP1 system? If so, you might have noticed that Win2K’s Plug and Play (PnP) component insists on reinstalling the diskette controller and assigning the phantom drive an IRQ of 6. According to Microsoft article Q275180
The Win2K TelnetClients Group
Microsoft article Q250908 presents a simple procedure you can follow to restrict Telnet access to specific individuals: Create a new local group with the name TelnetClients and add the users that you want to grant Telnet access. The article explains that with a TelnetClients group in place, only general users who are members of the group have Telnet access to the computer. However, accounts with Administrator rights always have access to Telnet, regardless of whether they are members of the TelnetClients group.
Adaptec CD-ROM Software Win2K Blue Screen
On a Win2K system, when you run Adaptec Easy CD Creator version 3.5b or earlier or Adaptec Direct CD version 3.0 or earlier, the CD-ROM software might not start and might hang the system. If the system hangs, you’ll see one of three stop codes. And, after you clear the blue screen, you might not be able to boot the computer in Safe mode. Microsoft article Q237468 describes three ways to disable the offending Adaptec CD drivers:
- Disable the CD-ROM-specific drivers CDR4VSD, CDRPWD, and CDUDF. To locate these drivers, start Device manager, expand hidden devices, and select non-PnP devices.
- Disable all three CD-ROM drivers in the registry (if you can boot in Safe mode). Each driver has its own key in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry path. To disable a driver, change the value of the Start entry to 4.
- Boot from setup disks and use the Recovery Console to delete the offending drivers.
See the Microsoft article for detailed instructions for each method. Good luck!
