Archive for January, 2009

Change those unchangeable defaults

You can change the default open and save location for all of the Office 2007 programs except Publisher.  How lame is that???  Or can you?

It turns out that Publisher, for some unknown reason, looks at the following registry key value: HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal to figure out where to open and save from.  So if you change this value to where you really want your default to be, then Publisher (and any other program that looks at the same key) will magically use that as the default path.

Ah, and here is another one just like that.  MS Paint looks at: HKEY_USERS\username\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures to figure out where it opens.  Change that value and voilà!  Default changed.  You can use either a UNC path or a mapped drive.

The big warning is that any other programs that use these keys will get their defaults changed as well, but then again, if you want your default changed for these programs, you probably want it changed for any others as well.  The other big warning is that these values will be ignored if you have folder redirection enabled for My Documents, either at the user level or via GPO.

ds



Enterprise PKI without enterprise edition of 2003 server.

My, my, aren’t we getting advanced???  You have decided to implement an enterprise-wide Public Key Infrastructure to start securing your network.  Despite what you read from Microsoft (and all of the articles blindly based on Microsoft blather), you do not need Server 2003 Enterprise edition to get this to work at the machine level.  Only if you want to do it at the user level do you need the Enterprise edition.  So, how do you go about setting it up?

If your network is comprised of only one domain, it’s pretty simple.  Just install certificate services on a server in your primary LAN, selecting the enterprise root CA role.  You can install certificate services on any other servers that you need to, selecting the subordinate enterprise CA role and pointing them at the first server you set up.  Typically you would install a subordinate CA on LANs that are at remote locations to help reduce WAN traffic and enhance reliability if a WAN link goes down.

Things get a little more involved when your network is comprised of a root domain and one or more trusted child domains.  Basically, you start out the same - installing the Enterprise Root CA in the root domain and installing a subordinate enterprise CA in each child domain, BUT there are a couple of little tidbits you need to do to make it work.

First, you need to log on to the server in the child domain as the administrator of the root domain (otherwise known as the enterprise administrator), otherwise you won’t have the option to install the cert services as a subordinate enterprise CA.

Second, even though it does not indicate you need to, reboot the server right away, otherwise all sorts of weird messages pop up in your event logs and the CA doesn’t issue certs.

Third, you will find that the CA still isn’t issuing certs but there are no error messages anywhere!!!  (another WTF - MS is good at making you ask that, aren’t they?)  The problem is that the computers in the child domains are not allowed to request certs from the enterprise CA by default.  To fix that, go to the root domain server, open up AD Sites and Services, in the menu go to View then check Show Services Node, then expand the Services node and go to Public Key Services, then Certificate Templates.  The template you are looking for is called Machine (even though the certificate you issued is called Computer - it’s actually the same one).  Right click, Properties, Security, add the Domain Computers group from each of the child domains and change their permission from Read to Enroll.

Oh, and fourth - sometimes the cert service doesn’t start up right on server start.  You can probably fiddle with dependencies, but a simple stop/start of the service after the server is done rebooting works too.
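Since the missing Enroll permission in step three fails silently, it helps to read the template's ACL directly. The following PowerShell is an added example, not part of the original post: it lists every principal allowed to enroll for the Machine template and flags child domains whose Domain Computers group is missing. The names in `$ChildDomains` are constructed placeholders, and the GUID is the schema's Certificate-Enrollment (Enroll) control access right.

```powershell
# Added example: audit who may enroll for the "Machine" certificate template.
# Run on a domain-joined host as a user who can read the Configuration partition.

# Placeholder NetBIOS names of the child domains (constructed, replace with yours).
$ChildDomains = @('CHILD1', 'CHILD2')

# Control access right "Certificate-Enrollment" (shown as Enroll in the GUI).
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Certificate templates live in the forest-wide Configuration naming context,
# the same place the Services node in AD Sites and Services exposes.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]("LDAP://CN=Machine,CN=Certificate Templates," +
                   "CN=Public Key Services,CN=Services,$configNC")

# Read the explicit and inherited ACEs, with SIDs resolved to DOMAIN\name.
$rules = $template.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$enrollers = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    # An empty ObjectType means "all extended rights", which includes Enroll
    # (this also covers Full Control entries).
    ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

'Principals that can enroll for the Machine template:'
$enrollers | ForEach-Object { "  $_" }

# Flag child domains whose computers cannot request a certificate.
foreach ($domain in $ChildDomains) {
    $group = "$domain\Domain Computers"
    if ($enrollers -contains $group) {
        "OK       $group can enroll"
    } else {
        "MISSING  $group has no Enroll right on the Machine template"
    }
}
```

The same listing doubles as a review of the template: any principal in the output that you did not expect to see can obtain a machine certificate from your CA.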

So what good is a computer (machine) certificate, you ask?  One hint - 802.11x and IPsec.  Well, actually that’s two hints, and definitely a topic for another post.

ds



