Installing, Configuring, and Administering Microsoft Windows XP ...

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2005 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number 2004117425

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5 4

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to [email protected].

Microsoft, Active Desktop, Active Directory, ActiveX, Authenticode, IntelliMirror, MSDN, MS-DOS, MSN, NetMeeting, Outlook, PowerPoint, Visual Basic, Win32, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Acquisitions Editor: Lori Oviatt
Project Editor: Denise Bankaitis
Technical Editor: James Causey
Copy Editor: Ina Chang
Production: Elizabeth Hansford
Indexer: Julie Kawabata

SubAssy Part No. X11-03252
Body Part No. X11-03253

CONTENTS AT A GLANCE

CHAPTER 1: Introducing Windows XP Professional . . . 1
CHAPTER 2: Installing Windows XP Professional . . . 25
CHAPTER 3: Managing Disks and File Systems . . . 75
CHAPTER 4: Managing Devices and Peripherals . . . 119
CHAPTER 5: Configuring and Managing the User Experience . . . 147
CHAPTER 6: Configuring and Managing Printers and Fax Devices . . . 183
CHAPTER 7: Configuring and Managing NTFS Security . . . 219
CHAPTER 8: Configuring and Managing Shared Folder Security . . . 253
CHAPTER 9: Supporting Applications in Windows XP Professional . . . 295
CHAPTER 10: Connecting Windows XP Professional to a Network . . . 317
CHAPTER 11: Configuring TCP/IP Addressing and Security . . . 353
CHAPTER 12: Managing Internet Explorer Connections and Security . . . 381
CHAPTER 13: Managing Users and Groups . . . 419
CHAPTER 14: Configuring and Managing Computer Security . . . 461
CHAPTER 15: Backing Up and Restoring Systems and Data . . . 491
CHAPTER 16: Managing Performance . . . 521
Glossary . . . 551
Index . . . 565


CONTENTS

About This Book . . . xvi
Target Audience . . . xvii
Prerequisites . . . xvii
The Textbook . . . xviii
The Supplemental Course Materials CD-ROM . . . xix
Readiness Review Suite Setup Instructions . . . xix
eBook Setup Instructions . . . xx
The Lab Manual . . . xx
Notational Conventions . . . xxi
Keyboard Conventions . . . xxii
Coverage of Exam Objectives . . . xxii
The Microsoft Certified Professional Program . . . xxvii
Certifications . . . xxvii
MCP Requirements . . . xxviii
About the Authors . . . xxix
For Microsoft Official Academic Course Support . . . xxix
Evaluation Edition Software Support . . . xxx

CHAPTER 1: Introducing Windows XP Professional . . . 1

Overview of Windows XP Professional . . . 2
Windows XP Architecture . . . 2
Intelligent User Interface . . . 3
Hardware Support . . . 7
Comprehensive Help and Support Options . . . 8
Pick a Help Topic . . . 9
Ask for Assistance . . . 9
Pick a Task . . . 10
Searching and Printing Options . . . 13
Windows XP Security Technologies . . . 13
Windows Firewall . . . 13
Security Center . . . 14
Attachment Manager . . . 14
Encrypting File System . . . 15
Security Management Policies . . . 15
Windows XP Organizational Roles . . . 15
Workgroup Networks . . . 16
Domain Networks . . . 17
Logging On and Off Windows XP Professional . . . 19
Summary . . . 22
Review Questions . . . 22


Case Scenarios . . . 24
Scenario 1.1: Securing Data . . . 24
Scenario 1.2: Assisting Remote Users . . . 24

CHAPTER 2: Installing Windows XP Professional . . . 25

Preinstallation Tasks . . . 26
Verifying Hardware Compatibility . . . 26
Hardware Requirements . . . 26
Storage Requirements . . . 27
File Systems . . . 28
Domain or Workgroup Membership . . . 31
Performing an Attended Installation . . . 33
Windows XP Professional Setup Program . . . 33
Running the Setup Program . . . 33
Running the Setup Wizard . . . 34
Completing the Installation . . . 37
Installing over the Network . . . 38
Preparing for a Network Installation . . . 38
Modifying the Setup Process Using Winnt.exe . . . 41
Modifying the Setup Process Using Winnt32.exe . . . 42
Automating Installations Using Windows Setup Manager . . . 44
Installing Setup Manager . . . 45
Using Setup Manager . . . 46
Upgrading to Windows XP Professional . . . 47
Identifying Client Upgrade Paths . . . 48
Generating a Hardware Compatibility Report . . . 48
Upgrading Compatible Windows 98 Computers . . . 49
Upgrading a Windows 2000 Professional Computer . . . 50
Migrating User Settings . . . 51
Understanding Remote Installation . . . 53
Installing and Configuring RIS . . . 54
Client Requirements for Remote Installation . . . 55
Creating Boot Floppies . . . 56
Installing Windows XP Using RIS . . . 57
Using Disk Duplication to Deploy Windows XP Professional . . . 58
Using the System Preparation Tool to Prepare the Master Image . . . 58
Installing Windows XP Professional from a Master Disk Image . . . 60
Applying System Updates . . . 60
Windows Updates . . . 61
Service Packs . . . 63
Automatic Updates . . . 64
Slipstreaming Service Packs and Updates . . . 65
Slipstreaming Service Packs . . . 65
Slipstreaming Windows Updates . . . 66


Using Windows Product Activation . . . 66
How Windows Product Activation Works . . . 66
Activating Windows XP . . . 67
Automating Windows Product Activation . . . 67
Troubleshooting Windows XP Professional Setup . . . 68
Resolving Common Problems . . . 68
Setup Logs . . . 69
Summary . . . 71
Review Questions . . . 72
Case Scenarios . . . 74
Scenario 2-1: Dual-Booting . . . 74
Scenario 2-2: Automatic Updates . . . 74

CHAPTER 3: Managing Disks and File Systems . . . 75

Understanding Disk Management . . . 76
Understanding Basic Storage . . . 76
Understanding Dynamic Storage . . . 77
Working with Simple Volumes . . . 79
Working with Spanned Volumes . . . 79
Working with Striped Volumes . . . 80
Adding Disks . . . 80
Changing the Storage Type . . . 82
Using Refresh and Rescan Disks . . . 84
Managing Disks on a Remote Computer . . . 84
Managing Removable Storage . . . 85
Using the Removable Storage Manager . . . 85
Managing Compression . . . 88
Using Compressed Folders . . . 88
Using NTFS Compression . . . 89
Increasing Security with the EFS . . . 93
Understanding the EFS . . . 94
Using the Cipher Command . . . 96
Using a Recovery Agent . . . 97
Managing Recovery Agents . . . 98
Disabling the EFS . . . 101
EFS Best Practices . . . 101
Managing Disk Quotas . . . 102
Understanding Disk Quota Management . . . 102
Setting Disk Quotas . . . 103
Determining the Status of Disk Quotas . . . 105
Monitoring Disk Quotas . . . 105
Best Uses for Disk Quotas . . . 105


Using Disk Defragmenter, Chkdsk, and Disk Cleanup . . . 106
Defragmenting Disks . . . 106
Using Disk Defragmenter Effectively . . . 108
Using Chkdsk . . . 109
Using Disk Cleanup . . . 111
Summary . . . 114
Review Questions . . . 115
Case Scenarios . . . 116
Scenario 3-1: Storage Choices . . . 116
Scenario 3-2: Disk Quotas . . . 117

CHAPTER 4: Managing Devices and Peripherals . . . 119

Using Device Manager . . . 120
Configuring and Troubleshooting Devices . . . 120
Viewing Hidden and Phantom Devices . . . 122
Managing and Troubleshooting I/O Devices . . . 123
Scanners and Cameras . . . 123
Mouse Devices . . . 124
Modems . . . 125
Game Controllers . . . 126
IrDA and Wireless Devices . . . 127
Keyboards . . . 128
Understanding Automatic and Manual Hardware Installation . . . 128
Confirming Hardware Installation . . . 130
Troubleshooting Device Installation . . . 131
Installing Hardware Manually . . . 132
Viewing and Configuring Hardware Profiles . . . 134
Understanding Hardware Profiles . . . 135
Creating or Modifying a Hardware Profile . . . 135
Activating a Hardware Profile . . . 136
Viewing Hardware Profile Properties . . . 136
Driver Signing and File Signature Verification . . . 136
Configuring Driver Signing Requirements . . . 137
Checking System File Signatures . . . 138
Using the File Signature Verification Tool . . . 138
Configuring Computers with Multiple Processors . . . 139
Multiprocessor Scaling . . . 139
Managing ACPI Support . . . 140
Forcing Installation of a Specific HAL . . . 141
Troubleshooting ACPI . . . 142
Summary . . . 143
Review Questions . . . 143
Case Scenarios . . . 144
Scenario 4-1: Managing a Hardware Upgrade . . . 144
Scenario 4-2: Troubleshooting Problems with the HAL . . . 145


CHAPTER 5: Configuring and Managing the User Experience . . . 147

Configuring and Managing Desktop Components . . . 148
Configuring Display Settings . . . 148
Using Multiple Displays . . . 157
The Taskbar and Start Menu . . . 160
Configuring Power Options . . . 165
Selecting a Power Scheme . . . 165
Configuring Advanced Power Options . . . 166
Enabling Hibernate Mode . . . 167
Configuring Advanced Power Management . . . 168
Advanced Configuration and Power Interface (ACPI) . . . 168
Configuring an Uninterruptible Power Supply . . . 168
Configuring User Profiles . . . 170
Local and Roaming User Profiles . . . 170
User Profile Storage Locations . . . 171
Configuring Multiple Languages and Locations . . . 172
Configuring Accessibility Options . . . 174
Configuring Keyboard Options . . . 174
Configuring Sound Options . . . 176
Configuring Display Options . . . 177
Configuring Mouse Options . . . 177
Configuring General Tab Options . . . 178
Other Accessibility Tools . . . 178
The Magnifier . . . 179
The Narrator . . . 179
Summary . . . 180
Review Questions . . . 180
Case Scenarios . . . 182
Scenario 5-1: Time for Hibernation . . . 182
Scenario 5-2: Power Problems . . . 182

CHAPTER 6: Configuring and Managing Printers and Fax Devices . . . 183

Introduction to Windows XP Professional Printing . . . 184
Terminology . . . 184
Adding a Local Printer . . . 185
Adding a Printer Connected to a Print Server . . . 188
Types of Print Servers . . . 189
Connecting to a Printer on a Windows Print Server . . . 190
Using the Search Assistant to Find a Printer . . . 191
Adding a Network Interface Printer . . . 192
Standard TCP/IP Port . . . 192
LPR Port . . . 193
Connecting to an Internet Printer . . . 194
How Internet Printing Works . . . 195


Using Windows XP as a Print Server . . . 197
Requirements for Network Print Services . . . 198
Sharing Printers During Installation . . . 199
Sharing an Existing Printer . . . 200
Installing Additional Print Drivers . . . 201
Creating Printer Pools . . . 201
Managing Printer Permissions . . . 203
Managing Printer Priority . . . 205
Scheduling Printers . . . 206
Managing Printers . . . 207
Assigning Forms to Paper Trays . . . 207
Setting a Separator Page . . . 208
Administering Printers with a Web Browser . . . 209
Managing Documents . . . 210
Pausing, Restarting, and Canceling a Document . . . 210
Troubleshooting Common Printing Problems . . . 211
Examining the Problem . . . 211
Common Troubleshooting Scenarios . . . 212
Printing Troubleshooters . . . 213
Additional Troubleshooting Options . . . 214
Configuring and Managing Windows XP Fax Support . . . 214
The Fax Console . . . 215
Fax Printers . . . 215
Summary . . . 216
Review Questions . . . 217
Case Scenarios . . . 218
Scenario 6-1: Printing in a Small Office . . . 218
Scenario 6-2: Printer Wars . . . 218

CHAPTER 7: Configuring and Managing NTFS Security . . . 219

Understanding the NTFS File System . . . 220
Understanding NTFS Permissions . . . 222
Components of NTFS Permissions . . . 222
NTFS Permissions . . . 224
NTFS Permissions Inheritance . . . 228
Managing NTFS Permissions . . . 230
Best Practices for Assigning Permissions . . . 230
Setting NTFS Permissions . . . 231
Using Command-Line Tools to View and Modify Permissions . . . 236
Assigning Multiple NTFS Permissions . . . 239
Auditing NTFS Object Access . . . 241
Enabling Auditing . . . 242
Monitoring Security Event Logs . . . 244
Troubleshooting NTFS Permissions . . . 244
Problems with Effective Permissions . . . 244
Problems with Denied Permissions . . . 245
Problems with Permission Inheritance . . . 245


Summary . . . 247
Review Questions . . . 248
Case Scenarios . . . 250

CHAPTER 8: Configuring and Managing Shared Folder Security . . . 253

Understanding Shared Folders . . . 254
Shared Folder Permissions . . . 254
Guidelines for Shared Folder Permissions . . . 255
How Shared Folder Permissions Are Applied . . . 256
Planning Shared Folders . . . 257
Requirements for Sharing Folders . . . 257
Shared Application Folders . . . 258
Shared Data Folders . . . 259
Administrative Shared Folders . . . 260
Sharing a Folder . . . 261
Sharing Folders in Computer Management . . . 261
Sharing Folders in Windows Explorer . . . 264
Using the NET Command to Share Folders . . . 265
Sharing a Folder on a Remote Computer . . . 268
Managing Shared Folders . . . 268
Assigning Shared Folder Permissions . . . 268
Creating Multiple Share Names . . . 270
Modifying Shared Folders . . . 270
Connecting to Shared Folders . . . 271
Combining Shared Folder Permissions and NTFS Permissions . . . 273
Monitoring Access to Shared Folders . . . 275
Reasons for Monitoring Network Resources . . . 275
Requirements for Monitoring Network Resources . . . 275
Monitoring Shared Folders . . . 276
Using Offline Folders and Files . . . 278
Understanding Offline Files . . . 279
Configuring Your Computer to Use Offline Folders and Files . . . 280
Managing Internet Information Services . . . 283
Installing IIS . . . 284
Using IIS . . . 284
Sharing Web Folders . . . 285
NTFS Permissions and Web Folders . . . 287
Using Web Folders . . . 288
Summary . . . 289
Review Questions . . . 290
Case Scenarios . . . 292
Scenario 8-1: Shared Folder Tree . . . 292
Scenario 8-2: Command-Line Nirvana . . . 292


CONTENTS

CHAPTER 9: Supporting Applications in Windows XP Professional . . . 295

Understanding Windows Installer Technologies . . . 296
    Windows Installer . . . 296
    Windows Installer Packages . . . 296
Deploying Software Using Group Policy . . . 302
    Overview of Group Policy . . . 302
    Software Installation Policies . . . 302
    Removing Software Installation Policy . . . 304
Understanding Application Compatibility . . . 305
    Windows Logo Program . . . 305
    Causes of Application Incompatibility . . . 306
    Application Compatibility Tools . . . 307
    Advanced Compatibility Tools . . . 309
    Troubleshooting Application Compatibility Issues . . . 310
Summary . . . 312
Review Questions . . . 312
Case Scenarios . . . 314
    Scenario 9-1: Windows Installer . . . 314
    Scenario 9-2: Irreconcilable Differences? . . . 315

CHAPTER 10: Connecting Windows XP Professional to a Network . . . 317

Configuring TCP/IP . . . 318
    The OSI Reference Model . . . 318
    The DARPA Reference Model . . . 320
    The TCP/IP Protocol Suite . . . 323
    Understanding IP Addresses . . . 323
    Managing Network Bindings . . . 330
    Troubleshooting TCP/IP . . . 331
Connecting to a Wireless Ethernet Network . . . 335
    Understanding Wireless Specifications . . . 335
    Connecting Windows XP to a Wireless Network . . . 336
Configuring Other Network Connections . . . 337
    Client Service for NetWare . . . 338
    Installing the NWLink Protocol . . . 338
    Installing Third-Party Clients and Protocols . . . 339
Connecting to Computers Using Dial-Up Networking . . . 340
    Connecting to the Internet Using Dial-Up Networking . . . 340
    Connecting to a Network at Your Workplace . . . 341
Configuring and Troubleshooting Internet Connection Sharing (ICS) . . . 342
Using Remote Desktop and Remote Assistance . . . 344
    Remote Desktop . . . 344
    Remote Assistance . . . 346


Summary . . . 348
Review Questions . . . 348
Case Scenarios . . . 351
    Scenario 10-1: Small Office Networking . . . 351
    Scenario 10-2: Help! . . . 351

CHAPTER 11: Configuring TCP/IP Addressing and Security . . . 353

Understanding IP Addresses . . . 354
    Binary Numbers . . . 354
    Decoding IP Addresses . . . 359
    Local vs. Remote Systems . . . 360
Using Subnet Masks . . . 361
    Subnetting and Supernetting . . . 362
Securing IP Communications . . . 365
    Internet Threats . . . 365
    Protective Technologies . . . 366
    Monitoring Internet Communications Security . . . 375
Summary . . . 378
Review Questions . . . 378
Case Scenarios . . . 380
    Case Scenario 11-1: A Growing Enterprise . . . 380
    Case Scenario 11-2: Security on a Shoestring . . . 380

CHAPTER 12: Managing Internet Explorer Connections and Security . . . 381

Managing Internet Explorer Connections . . . 382
    Using the New Connection Wizard . . . 382
    Managing Connection Settings . . . 383
Connecting to Resources Using Internet Explorer . . . 387
    Uniform Resource Locators . . . 387
    Connecting to Web Site Resources . . . 389
    Accessing FTP Resources . . . 389
    Accessing Web Folders . . . 390
    Connecting to Web Server–Based Applications . . . 391
Managing Internet Explorer Security Settings . . . 391
    Overview of Internet Explorer Security Features . . . 391
    Managing URL Actions for Web Content Zones . . . 393
    Web Content Zones . . . 399
    Advanced Internet Security Options . . . 402
Managing Internet Explorer Privacy Settings . . . 404
    Cookies . . . 404
    Pop-Up Blocker . . . 407
    Managing Internet Cache and History Data . . . 408
    AutoComplete and Internet Explorer Password Caching . . . 411
Using Add-On Manager to Control Add-On Programs . . . 412
Summary . . . 414
Review Questions . . . 414


Case Scenarios . . . 416
    Scenario 12-1: Getting Online . . . 416
    Scenario 12-2: Managing Internet Explorer Security and Privacy . . . 417

CHAPTER 13: Managing Users and Groups . . . 419

Overview of User Accounts . . . 420
    Users and Groups . . . 420
    User and Group Account Permissions . . . 420
    User Rights . . . 421
    User Profiles . . . 421
    Built-In User Accounts and Groups . . . 421
    Implicit Groups . . . 422
    Service Accounts . . . 423
    Domain User Accounts and Groups . . . 424
    Tools for Managing Users and Groups . . . 425
Planning User Accounts and Groups . . . 429
    Mapping Out a User and Group Strategy . . . 429
    User Account Naming Conventions . . . 430
    Setting Requirements for Complex Passwords . . . 431
    Changing the Way Users Log On or Log Off . . . 432
Creating and Managing User Accounts with Local Users and Groups . . . 434
    Creating User Accounts . . . 434
    Managing User Account Properties . . . 434
    Managing User Permissions . . . 436
    Managing User Rights Assignment . . . 437
Creating and Managing Groups . . . 438
    Creating and Managing Groups Using Local Users and Groups . . . 438
    Managing Groups Using Command-Line Tools . . . 441
Creating and Managing User Accounts with the User Accounts Tool . . . 442
    User Account Types . . . 442
    Creating a New User Account . . . 443
    Changing an Account . . . 444
Best Practices for User Account Management . . . 446
Managing User Account–Related System Policies . . . 447
    Managing User Rights with Group Policy . . . 447
    Managing User Account Settings with Group Policy . . . 451
Using Cached Credentials in Windows XP . . . 454
    Understanding Cached Credentials . . . 454
    Managing Cached Credentials . . . 454
    Troubleshooting Cached Credentials . . . 455
Summary . . . 456
Review Questions . . . 456


Case Scenarios . . . 458
    Scenario 13-1: Designing Accounts for a Field Office . . . 458
    Scenario 13-2: Protecting Files on a Military System . . . 459

CHAPTER 14: Configuring and Managing Computer Security . . . 461

Understanding Security Policy . . . 462
    Local Security Policy . . . 462
    Domain Security Policy . . . 466
Managing Security Policy . . . 467
    Predefined Security Templates . . . 467
    Creating a Custom Security Policy Management Console . . . 468
    Viewing, Modifying, and Creating a Security Template . . . 470
    Analyzing and Configuring Security Settings . . . 472
    Exporting Security Templates . . . 474
    Managing Security Policy with Secedit.exe . . . 475
Managing Security Audit Policy . . . 476
    Actions That Can Be Audited . . . 476
    Planning an Audit Policy . . . 478
    Implementing and Managing an Audit Policy . . . 479
    Monitoring Audit Logs . . . 483
Summary . . . 486
Review Questions . . . 486
Case Scenarios . . . 487
    Scenario 14-1: Designing a Security Policy . . . 487
    Scenario 14-2: Security Auditing . . . 488

CHAPTER 15: Backing Up and Restoring Systems and Data . . . 491

Understanding the Windows Backup Utility . . . 492
    Features of the Backup Utility . . . 492
Planning a Backup and Recovery Strategy . . . 494
    Choosing a Backup Type . . . 494
    Determining What to Back Up . . . 496
    Selecting Backup Media . . . 496
    Choosing a Backup Schedule . . . 497
    Planning for Disaster Recovery . . . 498
Backing Up the System . . . 499
    Creating a New Backup Job . . . 499
    Modifying a Backup Job . . . 501
    Executing a Backup Job . . . 501
    Performing an ASR Backup . . . 501
Restoring a System . . . 504
    Determining Which Backups to Restore . . . 504
    Creating a Restore Job . . . 504
    Using ASR to Recover a System . . . 505


Using System Restore to Recover Data and Settings . . . 507
    Configuring System Restore . . . 508
    Creating a Restore Point Manually . . . 508
    Restoring Settings and Data from a Restore Point . . . 510
Using Startup and Recovery Tools to Recover a System . . . 511
    Using the Recovery Console . . . 511
    Using the Last Known Good Configuration . . . 513
    Starting a System in Safe Mode . . . 514
Summary . . . 516
Review Questions . . . 516
Case Scenarios . . . 518
    Scenario 15-1: Backup Planning . . . 518
    Scenario 15-2: Power Problems . . . 519

CHAPTER 16: Managing Performance . . . 521

Designing a System for Performance . . . 522
    Factors Leading to Poor Performance . . . 522
    Determining Resource Requirements . . . 523
Monitoring Performance . . . 523
    The Performance Console . . . 525
    Viewing Performance Charts with System Monitor . . . 526
    Using Histograms and Reports . . . 530
    Using Performance Logs to Spot Trends . . . 532
    Using Performance Alerts . . . 534
    Monitoring Performance with Task Manager . . . 536
Improving Performance . . . 539
    Memory Performance . . . 540
    Disk Performance . . . 540
    Adding CPUs . . . 545
    Mobile System Performance . . . 546
Summary . . . 547
Review Questions . . . 547
Case Scenarios . . . 548
    Scenario 16-1: A Slow Application . . . 548
    Scenario 16-2: Spotting the Cause of Performance Issues . . . 549

Glossary . . . 551

Index . . . 565

ABOUT THIS BOOK

Welcome to Installing, Configuring, and Administering Microsoft Windows XP Professional (70-270), Second Edition, a part of the Microsoft Official Academic Course (MOAC) series. Through lectures, discussions, demonstrations, textbook exercises, and classroom labs, this course teaches the skills and knowledge necessary to plan, install, configure, and support Windows XP in standalone, small network, and corporate network environments. In 16 chapters, students will learn how to install Windows XP Professional, connect to and share network resources, configure Internet services and applications, manage security settings and auditing, and evaluate system performance.

TARGET AUDIENCE

This textbook was developed for beginning information technology students who want to learn to configure and manage Windows XP in a variety of environments so that they can provide corporate support and implementation of Windows XP on a direct-hire or consulting basis. Students who continue to study Microsoft server operating systems can go on to earn the Microsoft Certified System Administrator (MCSA) or Microsoft Certified Systems Engineer (MCSE) credential.

PREREQUISITES

The prerequisites for taking this course are:

■ Familiarity with the use of Windows XP, including navigation and operation of major features.

■ A fundamental knowledge of computer hardware, network construction, and operating systems.

■ Prerequisite knowledge and course work as defined by the learning institution and the instructor. Completion of the Supporting Users and Troubleshooting Microsoft Windows XP (Microsoft Learning) course or equivalent experience is recommended.


INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

THE TEXTBOOK

The textbook content has been crafted to provide a meaningful learning experience to students in an academic classroom setting. Key features of the Microsoft Official Academic Course textbooks include the following:

■ Learning objectives for each chapter that prepare the student for the topic areas covered in that chapter.

■ Chapter introductions that explain why the information is important.

■ An inviting design with screen shots, diagrams, tables, bulleted lists, and other graphical formats that makes the book easy to comprehend and supports a number of different learning styles.

■ Clear explanations of concepts and principles, and frequent exposition of step-by-step procedures.

■ A variety of reader aids that highlight a wealth of additional information, including:

    ❑ Note—Real-world application tips and alternative procedures, and explanations of complex procedures and concepts

    ❑ Caution—Warnings about mistakes that can result in loss of data or that are difficult to resolve

    ❑ Important—Explanations of essential setup steps before a procedure and other instructions

    ❑ More Info—Cross-references and additional resources for students

■ End-of-chapter review questions that assess knowledge and can serve as homework, quizzes, and review activities before or after lectures. (Answers to the textbook questions are available from your instructor.)

■ Chapter summaries that distill the main ideas in a chapter and reinforce learning.

■ Case scenarios, approximately two per chapter, that provide students with an opportunity to evaluate, analyze, synthesize, and apply information learned during the chapter.

■ Comprehensive glossary that defines key terms introduced in the book.


THE SUPPLEMENTAL COURSE MATERIALS CD-ROM

This book comes with a Supplemental Course Materials CD-ROM, which contains a variety of informational aids to complement the book content:

■ An electronic version of this textbook (eBook). For information about using the eBook, see the section titled “eBook Setup Instructions” later in this introduction.

■ The Microsoft Learning Readiness Review Suite built by MeasureUp. This suite of practice tests and objective reviews contains questions of varying complexity and offers multiple testing modes. You can assess your understanding of the concepts presented in this book and use the results to develop a learning plan that meets your needs.

■ An eBook of the Microsoft Encyclopedia of Networking, Second Edition.

■ Microsoft PowerPoint slides based on textbook chapters, for notetaking.

■ Microsoft Word Viewer and Microsoft PowerPoint Viewer.

A second CD contains a 120-day evaluation edition of Windows XP Professional with Service Pack 2. The 120-day evaluation edition of Windows XP Professional provided with this book is not the full retail product; it is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support evaluation editions.


Readiness Review Suite Setup Instructions

The Readiness Review Suite includes a practice test of 300 sample exam questions and an objective review with an additional 125 questions. Use these tools to reinforce your learning and to identify areas in which you need to gain more experience before taking your final exam for the course, or the certification exam if you choose to do so.

Installing the Practice Test

1. Insert the Supplemental Course Materials CD into your CD-ROM drive. If AutoRun is disabled on your machine, refer to the Readme.txt file on the Supplemental Course Materials CD.

2. On the user interface menu, select Readiness Review Suite and follow the prompts.


eBook Setup Instructions

The eBook is in Portable Document Format (PDF) and must be viewed using Adobe Acrobat Reader.

Using the eBooks

1. Insert the Supplemental Course Materials CD into your CD-ROM drive. If AutoRun is disabled on your machine, refer to the Readme.txt file on the CD.

2. On the user interface menu, select Textbook eBook and follow the prompts. You also can review any of the other eBooks provided for your use. You must have the Supplemental Course Materials CD in your CD-ROM drive to run the eBook.

THE LAB MANUAL

The Lab Manual is designed for use in either a combined lecture and lab situation, or in a separate lecture and lab arrangement. The exercises in the Lab Manual correspond to textbook chapters and are for use in a classroom setting supervised by an instructor. The Lab Manual presents a rich, hands-on learning experience that encourages practical solutions and strengthens critical problem-solving skills:

■ Lab Exercises teach procedures by using a step-by-step format. Questions interspersed throughout Lab Exercises encourage reflection and critical thinking about the lab activity.

■ Lab Review Questions appear at the end of each lab and ask questions about the lab. They are designed to promote critical reflection.

■ Lab Challenges are review activities that either cover material in the text or ask students to perform a variation on a task they performed in the Lab Exercises, but without detailed instructions.

■ Troubleshooting Labs appear after a number of regular labs; they consist of medium-length review projects and are based on true-to-life scenarios. These labs challenge students to “think like an expert” to solve complex problems.

■ Labs are based on realistic business settings and include an opening scenario and a list of learning objectives.

Students who successfully complete the Lab Exercises, Lab Review Questions, Lab Challenges, and Troubleshooting Labs in the Lab Manual will have a richer learning experience and deeper understanding of the concepts and methods covered in the course. They will be better able to answer and understand the test bank questions, especially the knowledge application and knowledge synthesis questions. They will also be much better prepared to pass the associated certification exams if they choose to take them.

NOTATIONAL CONVENTIONS

The following conventions are used throughout this textbook and the Lab Manual:

■ Characters or commands that you type appear in bold type.

■ Terms that appear in the glossary also appear in bold type.

■ Italic in syntax statements indicates placeholders for variable information. Italic is also used for book titles and terms defined in the text.

■ Names of files and folders appear in Title caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a filename in a dialog box or at a command prompt.

■ Filename extensions appear in all lowercase.

■ Acronyms appear in all uppercase.

■ Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.

■ Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can type a filename with the command. Type only the information within the brackets, not the brackets themselves.

■ Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.


KEYBOARD CONVENTIONS

■ A plus sign (+) between two key names means that you must press those keys at the same time. For example, “Press Alt+Tab” means that you hold down Alt while you press Tab.

■ A comma (,) between two or more key names means that you must press the keys consecutively, not at the same time. For example, “Press Alt, F, X” means that you press and release each key in sequence. “Press Alt+W, L” means that you first press Alt and W at the same time, and then you release them and press L.

COVERAGE OF EXAM OBJECTIVES

This book is intended to support a course that is structured around concepts and practical knowledge fundamental to this topic area, as well as the tasks that are covered in the objectives for the MCSE 70-270 exam. The following table correlates the exam objectives with the textbook chapters and Lab Manual lab exercises. You might also find this table useful if you decide to take the certification exam.

NOTE The Microsoft Learning Web site describes the various MCP certification exams and their corresponding courses. It provides up-to-date certification information and explains the certification process and the course options. See http://www.microsoft.com/learning/ for up-to-date information about MCP exam credentials for other certification programs offered by Microsoft.

Textbook and Lab Manual Coverage of Exam Objectives for MCSE Exam 70-270 Objective Installing Windows XP Professional

Textbook Chapter

Lab Manual Content

Perform and troubleshoot an attended installation of Windows XP Professional. Perform and troubleshoot an unattended installation of Windows XP Professional. ■ Install Windows XP Professional by using Remote Installation Services (RIS).

Chapter 2

Labs 1 and 2

Chapter 2

Lab 2

Chapter 2

Not covered



Install Windows XP Professional by using the System Preparation Tool.

Chapter 2

Not Covered



Create unattended answer files by using Setup Manager to automate the installation of Windows XP Professional.

Chapter 2

Lab 2

ABOUT THIS BOOK

Installing Windows XP Professional (continued)
Upgrade from a previous version of Windows to Windows XP Professional. | Chapter 2 | Labs 1 and 2
    ■ Prepare a computer to meet upgrade requirements. | Chapter 2 | Labs 1 and 2
    ■ Migrate existing user environments to a new installation. | Chapter 2 | Not Covered
Perform post-installation updates and product activation. | Chapter 2 | Lab 2
Troubleshoot failed installations. | Chapter 2 | Lab 2

Implementing and Conducting Administration of Resources
Monitor, manage, and troubleshoot access to files and folders. | Chapter 7 | Lab 7
    ■ Configure, manage, and troubleshoot file compression. | Chapter 3 | Lab 7
    ■ Control access to files and folders by using permissions. | Chapter 7 | Lab 7
    ■ Optimize access to files and folders. | Chapter 7 | Lab 3
Manage and troubleshoot access to shared folders. | Chapter 8 | Lab 8
    ■ Create and remove shared folders. | Chapter 8 | Lab 8
    ■ Control access to shared folders by using permissions. | Chapter 8 | Lab 8
Manage and troubleshoot Web server resources. | Chapter 8 | Lab 8
Connect to local and network print devices. | Chapter 6 | Lab 6
    ■ Manage printers and print jobs. | Chapter 6 | Lab 6
    ■ Control access to printers by using permissions. | Chapter 6 | Lab 6
    ■ Connect to an Internet printer. | Chapter 6 | Lab 6
    ■ Connect to a local print device. | Chapter 6 | Lab 6
Configure and manage file systems. | Chapter 3 | Lab 3
    ■ Convert from one file system to another file system. | Chapter 3 | Lab 3
    ■ Configure NTFS, FAT32, or FAT file systems. | Chapter 3 | Lab 3
Manage and troubleshoot access to and synchronization of offline files. | Chapter 8 | Lab 8

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Implementing, Managing, Monitoring, and Troubleshooting Hardware Devices and Drivers
Implement, manage, and troubleshoot disk devices. | Chapter 3 | Lab 3
    ■ Install, configure, and manage DVD and CD-ROM devices. | Chapter 3 | Lab 4
    ■ Monitor and configure disks. | Chapter 3 | Lab 3
    ■ Monitor, configure, and troubleshoot volumes. | Chapter 3 | Lab 3
    ■ Monitor and configure removable media, such as tape devices. | Chapter 3 | Not Covered
Implement, manage, and troubleshoot display devices. | Chapter 5 | Lab 5
    ■ Configure multiple-display support. | Chapter 5 | Not Covered
    ■ Install, configure, and troubleshoot a video adapter. | Chapter 5 | Labs 4 and 5
Configure Advanced Configuration Power Interface (ACPI). | Chapter 4 | Not Covered
Implement, manage, and troubleshoot input and output (I/O) devices. | Chapter 4 | Lab 4
    ■ Monitor, configure, and troubleshoot I/O devices, such as printers, scanners, multimedia devices, mice, keyboards, and smart card readers. | Chapter 4 | Lab 4
    ■ Monitor, configure, and troubleshoot multimedia hardware, such as cameras. | Chapter 4 | Lab 4
    ■ Install, configure, and manage modems. | Chapter 4 | Lab 4
    ■ Install, configure, and manage Infrared Data Association (IrDA) devices. | Chapter 4 | Not Covered
    ■ Install, configure, and manage wireless devices. | Chapter 4 | Not Covered
    ■ Install, configure, and manage USB devices. | Chapter 4 | Lab 4
    ■ Install, configure, and manage handheld devices. | Chapter 4 | Not Covered
    ■ Install, configure, and manage network adapters. | Chapters 4, 10, and 11 | Labs 4, 10, and 11
Manage and troubleshoot drivers and driver signing. | Chapter 4 | Lab 4
Monitor and configure multiprocessor computers. | Chapter 4 | Not Covered

Monitoring and Optimizing System Performance and Reliability
Monitor, optimize, and troubleshoot performance of the Windows XP Professional desktop. | Chapter 16 | Lab 16
    ■ Optimize and troubleshoot memory performance. | Chapter 16 | Lab 16
    ■ Optimize and troubleshoot processor utilization. | Chapter 16 | Lab 16
    ■ Optimize and troubleshoot disk performance. | Chapter 16 | Lab 16
    ■ Optimize and troubleshoot application performance. | Chapter 16 | Lab 16
Configure, manage, and troubleshoot scheduled tasks. | Chapter 16 | Lab 15
Manage, monitor, and optimize system performance for mobile users. | Chapter 16 | Lab 16
Restore and back up the operating system, System State data, and user data. | Chapter 15 | Lab 15
    ■ Recover System State data and user data by using Windows Backup. | Chapter 15 | Lab 15
    ■ Troubleshoot system restoration by starting in Safe Mode. | Chapter 15 | Lab 15
    ■ Recover System State data and user data by using the Recovery Console. | Chapter 15 | Lab 15

Configuring and Troubleshooting the Desktop Environment
Configure and manage user profiles and desktop settings. | Chapters 5 and 13 | Labs 5 and 13
Configure support for multiple languages or multiple locations. | Chapter 5 | Lab 5
    ■ Enable multiple-language support. | Chapter 5 | Lab 5
    ■ Configure multiple-language support for users. | Chapter 5 | Lab 5
    ■ Configure local settings. | Chapter 5 | Lab 5
    ■ Configure Windows XP Professional for multiple locations. | Chapter 5 | Lab 5
Manage applications by using Windows Installer packages. | Chapter 9 | Lab 9

Implementing, Managing, and Troubleshooting Network Protocols and Services
Configure and troubleshoot the TCP/IP protocol. | Chapters 10 and 11 | Labs 10 and 11
Connect to computers by using dial-up networking. | Chapter 10 | Lab 10
    ■ Connect to computers by using a virtual private network (VPN) connection. | Chapter 10 | Lab 10
    ■ Create a dial-up connection to connect to a remote access server. | Chapter 10 | Lab 10
    ■ Connect to the Internet by using dial-up networking. | Chapter 10 | Lab 10
Configure and troubleshoot Internet Connection Sharing (ICS). | Chapter 10 | Lab 10
Connect to resources by using Internet Explorer. | Chapter 12 | Lab 12
Configure, manage, and implement Internet Information Services (IIS). | Chapter 12 | Labs 6, 8, and 12
Configure, manage, and troubleshoot Remote Desktop and Remote Assistance. | Chapter 10 | Lab 10
Configure, manage, and troubleshoot an Internet Connection Firewall (ICF). | Chapter 11 | Lab 11

Configuring, Managing, and Troubleshooting Security
Configure, manage, and troubleshoot the Encrypting File System (EFS). | Chapter 3 | Lab 3
Configure, manage, and troubleshoot a security configuration and local security policy. | Chapter 14 | Lab 14
Configure, manage, and troubleshoot local user and group accounts. | Chapter 13 | Lab 13
    ■ Configure, manage, and troubleshoot auditing. | Chapter 13 | Lab 13
    ■ Configure, manage, and troubleshoot account settings. | Chapter 13 | Lab 13
    ■ Configure, manage, and troubleshoot account policy. | Chapter 13 | Lab 13
    ■ Configure, manage, and troubleshoot user and group rights. | Chapter 13 | Lab 13
    ■ Troubleshoot cached credentials. | Chapter 13 | Not Covered
Configure, manage, and troubleshoot Internet Explorer security settings. | Chapter 12 | Lab 12

THE MICROSOFT CERTIFIED PROFESSIONAL PROGRAM

The MCP program is one way to prove your proficiency with current Microsoft products and technologies. These exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions using Microsoft products and technologies. Computer professionals who become Microsoft certified are recognized as experts and are sought after industry-wide. Certification brings a variety of benefits to the individual and to employers and organizations.

MORE INFO For a full list of MCP benefits, go to http://www.microsoft.com/learning/itpro/default.asp.

Certifications

The MCP program offers multiple certifications, based on specific areas of technical expertise:
■ Microsoft Certified Professional (MCP) In-depth knowledge of at least one Windows operating system or architecturally significant platform. An MCP is qualified to implement a Microsoft product or technology as part of a business solution for an organization.
■ Microsoft Certified Systems Engineer (MCSE) Qualified to effectively analyze the business requirements for business solutions and design and implement the infrastructure based on the Windows and Windows Server 2003 operating systems.
■ Microsoft Certified Systems Administrator (MCSA) Qualified to manage and troubleshoot existing network and system environments based on the Windows and Windows Server 2003 operating systems.
■ Microsoft Certified Database Administrator (MCDBA) Qualified to design, implement, and administer Microsoft SQL Server databases.
■ Microsoft Certified Desktop Support Technician (MCDST) Qualified to support end users and to troubleshoot desktop environments on the Microsoft Windows operating system.

MCP Requirements

Requirements differ for each certification and are specific to the products and job functions addressed by the certification. To become an MCP, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise. These exams are designed to test your expertise and ability to perform a role or task with a product, and they are developed with the input of industry professionals. Exam questions reflect how Microsoft products are used in actual organizations, giving them real-world relevance.
■ Microsoft Certified Professional (MCP) candidates are required to pass one current Microsoft certification exam. Candidates can pass additional Microsoft certification exams to validate their skills with other Microsoft products, development tools, or desktop applications.
■ Microsoft Certified Systems Engineer (MCSE) candidates are required to pass five core exams and two elective exams.
■ Microsoft Certified Systems Administrator (MCSA) candidates are required to pass three core exams and one elective exam.
■ Microsoft Certified Database Administrator (MCDBA) candidates are required to pass three core exams and one elective exam.
■ Microsoft Certified Desktop Support Technician (MCDST) candidates are required to pass two core exams.

ABOUT THE AUTHORS

The textbook, Lab Manual, pretest, testbank, and PowerPoint slides were developed exclusively for an instructor-led classroom environment by two authors, Dave Field and Owen Fowler.

Dave Field is an author, trainer, and presenter. An MCSE on Windows NT 4, Windows 2000, and Windows 2003, Dave is an expert on networking technologies and support desk topics. He has written consumer computer books such as How To Do Everything with Windows XP Home Networking (Osborne/McGraw-Hill) and has designed courses for Microsoft and Osborne/McGraw-Hill for the Microsoft MCSE, MCSA, and MCDST certifications. Dave is also the systems engineer at Camp Snoopy, a theme park in the Mall of America in Bloomington, Minnesota. In this role, he has directed the installation of entire network infrastructures using technologies such as Active Directory, Microsoft Exchange, and Microsoft SQL Server. He has been the principal architect of point-of-sale implementations, ERP rollouts, and e-commerce initiatives.

Owen Fowler has worked as a Tier II Support Agent for one of the largest electronic tax filing centers in the United States. He has also run his own computer consulting business, covering networking and operating system issues, in Colorado and Washington. In 2003, he assisted Verizon Wireless in consolidating its nationwide network into a single domain. Owen has been an author, technical editor, and development editor on many titles for Microsoft Learning.

FOR MICROSOFT OFFICIAL ACADEMIC COURSE SUPPORT

Every effort has been made to ensure the accuracy of the material in this book and the contents of the CD-ROM. Microsoft Learning provides corrections for books through the World Wide Web at the following address: http://www.microsoft.com/learning/support/

If you have comments, questions, or ideas regarding this book or the companion CD-ROM, please send them to Microsoft Learning using either of the following methods:

Postal Mail:
Microsoft Learning
Attn: Installing, Configuring, and Administering Microsoft Windows XP Professional (70-270), Second Edition, Editor
One Microsoft Way
Redmond, WA 98052-6399

E-mail: [email protected]

Please note that product support is not offered through the above addresses.

EVALUATION EDITION SOFTWARE SUPPORT

A 120-day software evaluation edition of Windows XP Professional with Service Pack 2 is provided with this textbook. This is not the full retail product and is provided only for training and evaluation purposes. Microsoft and Microsoft Technical Support do not support this evaluation edition. It differs from the retail version only in that Microsoft and Microsoft Technical Support do not support it, and it expires after 120 days. For information about issues relating to the use of evaluation editions, go to the Support section of the Microsoft Learning Web site (http://www.microsoft.com/learning/support/). For online support information relating to the full version of Windows XP Professional that might also apply to the evaluation edition, go to http://support.microsoft.com. For information about ordering the full version of any Microsoft software, call Microsoft Sales at (800) 426-9400 or visit http://www.microsoft.com.

CHAPTER 1
INTRODUCING WINDOWS XP PROFESSIONAL

Upon completion of this chapter, you will be able to:
■ Describe the support features of Windows XP Professional
■ Identify security technologies in Windows XP Professional
■ Identify the role of Windows XP Professional in the enterprise
■ Log on to a Windows XP Professional computer

In this course, we introduce you to the installation, configuration, and management of Windows XP Professional. Students in this course are expected to come from all backgrounds and have varying levels of experience with Windows XP Professional. That said, you will get the most from this course if you have a good understanding of the Windows graphical environment. Those who have completed “Supporting Users and Troubleshooting Microsoft Windows XP” (Microsoft Official Academic Curriculum Course 70-271) will have a firm basis for understanding this material. We have a lot of information to cover, but plenty of excellent resources are available to help you understand this technology. Many will be provided with this textbook, and many more are available from your instructor or at Microsoft’s Windows XP Web site at www.microsoft.com/windowsxp.


OVERVIEW OF WINDOWS XP PROFESSIONAL

Windows XP Professional is the Microsoft business-class desktop operating system. It is intended for those who require high performance, security, and reliable computer resources. It differs from the consumer-level Windows XP Home Edition in its support for enterprise computing architectures, multiple processors, advanced security, and manageability. It is found in business, desktop publishing, banking and finance, and manufacturing environments, as well as other areas that require reliable and secure computer performance. In this section, we will examine the features of Windows XP Professional and describe many of the elements of this operating system.

Windows XP Architecture

The Windows XP line of operating systems is based on the Windows NT kernel architecture. This architecture was designed to allow the central processes—those processes requiring the most privilege—to operate in a privileged environment, often referred to as the kernel (shown in Figure 1-1). This environment is insulated from direct manipulation by users or hardware resources. The kernel is also separated from the actual system hardware by the hardware abstraction layer (HAL). The HAL is a layer of code designed to interface the specific hardware with the more generic operating system. At one time, HALs existed for PowerPC and DEC Alpha processors, but today HALs mainly exist to support differing power management versions or multiple processors.

User-mode applications run with less privilege, protecting the kernel from instabilities caused by failing or faulty applications. This separation of the critical processes allows the operating system to continue operation even when applications or noncritical hardware devices fail. Critical devices—such as disk drives or motherboard components—can still bring a system down, but the system most likely will not fail (for example, if a USB peripheral device fails). In addition, each application can be run in a protected memory space. This prevents a failing application from affecting other applications and the operating system itself.

Figure 1-1 The Windows XP architecture

[Figure 1-1 is a layered diagram; only its labels survive extraction. User mode: 32-bit Application, 16-bit Application (inside NTVDM), Logon Process, Security Subsystem, Win32 Subsystem. Kernel mode: the Executive (I/O Manager, IPC Manager, Memory Manager, Process Manager, Plug and Play, File Systems, Security Reference Monitor, Windows Manager, Power Manager, Graphics Device Drivers, Object Manager), the Microkernel, Device Drivers, and the Hardware Abstraction Layer (HAL) above the Hardware.]

Intelligent User Interface

Windows XP represents Microsoft’s most advanced user interface. Building on the desktop metaphor of earlier Windows operating systems, Windows XP brings together the latest research in intuitive user interface design with new, attractive visual styles.

The Start menu

The Windows XP Start button (first seen in Windows 95) has been linked to an all-new Start menu that displays a great variety of options within a single space (as shown in Figure 1-2). Users can access frequently used applications, recent documents, favorite applications, system settings, help, and much more within the same menu.

Figure 1-2 Windows XP Professional Start menu

The left column in the figure is divided into the pinned items list above and the frequently used programs list below. Initially these lists have a few default programs listed, but as users work with the computer, the frequently used programs list begins to learn which programs are used most frequently and ranks them for quick access. Users also have the option of pinning any program or document to the pinned items list.

The right column of the Start menu contains a list of special purpose folders, the Help and Support area, and configuration tools. This list can be customized to hide or expose folders such as My Documents, My Music, and My Recent Documents. The system configuration items can also be customized to show or hide configuration tools, depending on the role of the user who is logged on to the system. Designated administrators can configure and lock down all Start menu settings by using the Group Policy management tools built into Windows XP and Windows Server products.

The taskbar

The Windows XP taskbar has the ability to group similar applications to reduce clutter. You can then manage these groups together to maximize, minimize, or even close all applications in the group at once. Figure 1-3 shows a user closing a group of Microsoft Office Word 2003 documents.

Figure 1-3 Closing a group of Microsoft Office Word 2003 documents

The taskbar can also hold toolbars such as Quick Launch or Media Player to provide quick access to these useful tools. You can copy icons to the Quick Launch bar so you can quickly launch applications or documents without having to open the Start menu. The Media Player toolbar activates a small Media Player control panel when Windows Media Player is minimized. Figure 1-4 shows the Quick Launch toolbar and the Media Player toolbar in use.

Figure 1-4 Quick Launch and Media Player toolbars (the figure labels the Quick Launch Toolbar and the Media Player Toolbar)

The right side of the taskbar is known as the notification area. This area—called the system tray in earlier versions of Windows—contains icons that represent operating system alerts, applications, or services that are running in the background on the system. Examples of these include an alert when operating system updates are available from Microsoft or an icon that represents a running antivirus application. Figure 1-5 shows the notification area with several icons displayed.

Figure 1-5 The notification area

The desktop

Many people who are familiar with the previous versions of Microsoft desktop operating systems have found the default Windows XP desktop (the area above the taskbar in Figure 1-6) surprisingly bare.

Figure 1-6 Windows XP “Bliss” desktop with a lone Recycle Bin icon

Desktops in previous versions of Windows featured icons for My Computer, My Network Places, Internet Explorer, and other applications. Each application that users installed also offered to add its own icons to the desktop. The result was a desktop with dozens of icons. Windows XP, by default, does not place any icon other than the Recycle Bin on the desktop. You can put your icons back on the desktop by customizing the desktop settings.

The Windows Classic desktop

When Windows XP was first released, many users were uncomfortable with the new desktop technology (code-named Luna). To accommodate these users, Microsoft created a desktop theme that mimics many of the features of the earlier Windows interfaces. In this way, those who can’t get a handle on the new interface can actually reinstate the entire Windows Classic theme. You get an interface similar to that of Windows 2000 Professional with all the colors and controls familiar to users of the older operating system (Figure 1-7).

NOTE We will discuss desktop themes and how to configure them in Chapter 5.

Figure 1-7 Selecting the Windows Classic theme

Hardware Support

Windows XP has better hardware installation and configuration support than previous Windows versions. Microsoft has combined the scalability, reliability, and performance of the corporate family of operating systems with the ease of configuration for many tasks of the consumer family of operating systems and formed a comprehensive driver model with the best traits of each.

Enhanced device driver support

Windows XP fully implements Microsoft’s Plug and Play technology to allow simple configuration of supported hardware devices.

Driver signing

Windows XP can be configured to require device drivers for new hardware to contain a digital signature from Microsoft’s Windows Hardware Quality Laboratory (WHQL). This ensures that devices and their drivers are tested and approved by an authoritative third party (in this case, Microsoft) before use.

Device driver rollback

If a driver is installed that causes a problem with the operating system or other hardware, it can be rolled back, effectively uninstalling it and returning the previous driver. This speeds recovery from incorrect driver installation.

CD and DVD recording

Windows XP natively supports reading and writing to CD-R and CD-RW media. Files and video can be written directly to these media without any third-party burning tools. For example, users can select a folder of images from a digital camera, drag it to the icon representing their CD-R drive, and then create a CD. They can also transfer more and larger files to a single CD instead of copying them to several smaller-capacity floppy disks.

This feature also provides options for original equipment manufacturers (OEMs) and independent software vendors (ISVs). OEMs can create branded applications that generate emergency boot CDs instead of emergency boot floppy disks and, by using function calls to the CD-ROM-burning features of the operating system, software vendors can offer a “burn to CD” option on their Windows applications. This can be a great feature, for example, in a graphics program that writes many large files to disk.

Auto-Configuration for Multiple Network Connectivity

The Auto-Configuration for Multiple Network Connectivity feature provides easy access to network devices and the Internet. It also allows a mobile computer user to seamlessly operate both office and home networks without manually reconfiguring Transmission Control Protocol/Internet Protocol (TCP/IP) settings. You can use this feature to specify an alternative configuration for TCP/IP if a Dynamic Host Configuration Protocol (DHCP) server is not found. The alternative configuration is useful when a computer is used on multiple networks, one of which does not have a DHCP server and does not use an automatic private Internet Protocol (IP) addressing configuration.

COMPREHENSIVE HELP AND SUPPORT OPTIONS

Windows XP has an extensive collection of user assistance features. Among these are a new Help and Support Center found on the Start menu, Remote Assistance, and support Troubleshooters. Figure 1-8 shows the user assistance items we will introduce next.

Figure 1-8 Help and Support Center

Microsoft also allows manufacturers of computer systems to create their own custom-branded versions of the Help and Support Center (Figure 1-9). This helps them to promote their brand identity while providing their customers with integrated support options.

Figure 1-9 Custom-branded Help and Support

Pick a Help Topic

This area of Help and Support contains topical advice on system usage, configuration, and troubleshooting issues. Users are directed to information on system features, instructions on setting up system components, and wizards to guide more advanced processes.

Ask for Assistance

The Ask for Assistance feature allows users to ask another user for help via the Remote Assistance feature or to communicate directly with Microsoft Product Support Services to resolve an issue.

Remote Assistance

The Remote Assistance feature allows a helper to remotely view and control a computer for any support task. It also enables chat and file transfers. If a user has a computer problem, another person can be invited to help over the Internet. The remote assistant can accept the invitation, chat with the user about the problem, and view the desktop. With permission, the remote assistant can also get full control of the computer to perform any complex steps needed to fix the problem. The remote assistant can also transfer any files required to fix the problem.

IMPORTANT Do not confuse Remote Assistance with Remote Desktop. Remote Desktop allows one to connect to, and control, a computer remotely. It does not allow the user at the computer being controlled to see what is happening on the screen. We will present more information on Remote Desktop in Chapter 10.

Microsoft Incident Submission and Management

The Microsoft Incident Submission and Management feature allows a user to submit electronic support incidents to Microsoft, collaborate with support engineers, and manage submitted incidents.

Pick a Task

This area of Help and Support contains links to Windows Updates, links for locating compatible hardware and recovering from system problems with System Restore, and a menu of system support tools.

Windows Update

Microsoft maintains a collection of patches and updates for each recent Windows operating system on the Windows Update Web site. This option connects the user to this site to scan for available updates.

Compatible Hardware and Software

The Compatible Hardware and Software feature provides up-to-date, comprehensive, user-friendly hardware and software compatibility information to aid users in upgrading equipment, making purchasing decisions, and troubleshooting problems. For example, if you purchase an application that requires a 3-D accelerator card, you might not know which cards are compatible with your computer. You can use Help and Support to run a comprehensive query and find compatible 3-D accelerator cards. You can run queries based on manufacturer, product type, software, or hardware. The Microsoft compatibility teams use data from user interactions, independent hardware vendors (IHVs), and ISVs to improve their products.

My Computer Information

My Computer Information provides an easily understood, highly accessible view of personalized software and hardware information about your computer or another computer for which you have administrative permissions. You can view information in five categories, as described in the following sections.

View General System Information About This Computer

The My Computer Information – General category allows you to view information about your computer such as the computer manufacturer, model, basic input/output system (BIOS) version, processor version and speed, operating system, amount of memory, and amount of available disk space.

View The Status Of My System Hardware And Software

The My Computer Information – Status category allows you to examine diagnostic information about your computer, including the following:
■ Obsolete applications and device drivers
■ System software
■ Hardware: video card, network card, sound card, and universal serial bus (USB) controller
■ Hard disks
■ Random access memory (RAM)

Find Information About The Hardware Installed On This Computer

The Computer Information – Hardware category allows you to examine descriptive information about your computer’s hardware, including the local disk, display, video card, modem, sound card, USB controller, network cards, CD-ROM drives, floppy drives, memory, and printers.

View A List Of Microsoft Software Installed On This Computer

The Software category allows you to view a list of Microsoft products that are installed and registered by product identification (PID) number on your computer, including products that run automatically from Startup. It also shows you the Windows Dr. Watson Crash Information about any software that crashed while running on your computer.

View Advanced System Information

Advanced System Information allows you to choose from the following options:
■ View Detailed System Information (MSINFO32.exe) This option allows you to view detailed information about hardware resources, components (multimedia, input, network, ports, and storage), software environment, and Internet settings, as shown in Figure 1-10.
■ View Running Services This option lets you view the system service processes running on your computer.
■ View Group Policy Settings Applied This option lets you view which settings on your computer are the result of Group Policy control.
■ View The Error Log View errors and messages from the operating system, its services, and installed applications.
■ View Information For Another Computer If you have administrative permissions on a remote computer, you can view My Computer Information on that remote computer. If you click View Computer Information For Another Computer, the Web Page dialog box appears, prompting you to enter the name of the remote computer you want to view. Enter the remote computer name, and then click Open to view the remote computer information.

Figure 1-10 The System Information window

CHAPTER 1:

INTRODUCING WINDOWS XP PROFESSIONAL

Searching and Printing Options

Help and Support also supports a full-text search function and gives users the ability to print applicable sections for offline reference.

Full-Text Search

The Windows Help system uses Hypertext Markup Language (HTML) to format and display information. If you have an Internet connection, you can search for every occurrence of a word or phrase across all Windows-compiled HTML Help files. Because the Windows Help System is also extensible, multiple search engines can plug into the Help and Support Center application using a set of standard interfaces. Users can search for content across multiple remote and online providers. For example, you can search for information resident on your computer or located remotely in the Microsoft Knowledge Base or in a participating OEM’s knowledge base.

NOTE The Microsoft Knowledge Base is a comprehensive database containing detailed articles with technical information about Microsoft products, fix lists, documentation errors, and answers to commonly asked technical support questions. To access the Knowledge Base directly, instead of using the Help And Support application, go to http://search.support.microsoft.com/kb/c.asp.

Printing

The Help and Support Center application allows you to print an entire chapter of Help content with one print command—that is, it can iteratively print all available topics in a specified node. If some topics are not available because of network connection problems, Windows XP Professional prints only the available content. After you have located the information you want to print, click Print.

WINDOWS XP SECURITY TECHNOLOGIES

Windows XP supports many technologies for securing communications and data. Among these are the Windows Firewall, Security Center, Attachment Manager, Encrypting File System, and policy-based security management.

Windows Firewall

Windows XP Service Pack 2 (SP2) provides an improved Internet firewall, known as the Windows Firewall; prior to SP2 it was called the Internet Connection Firewall. SP2 enables the Windows Firewall by default to protect Internet-connected computers from malicious access from the Internet. The Windows Firewall blocks nearly all incoming TCP/IP traffic by default. When a Windows application requests data from the Internet, the firewall automatically opens a port to allow return traffic only from the remote host that was contacted; when the connection is dropped, the port is closed again to outside traffic. Unless a user chooses to configure service definitions, the Windows Firewall does not respond to any outside connection attempt. This prevents any access from an outside system that is not specifically invited, thus thwarting attempts to hack the system from the Internet.
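The default-deny, connection-tracking behaviour described above, shown as an added example that is not code from the book or from Windows: a Python model of a host firewall state table. Outbound traffic creates a state entry, inbound traffic is allowed only when it matches an entry (or an administrator-defined service exception), and closing the connection removes the entry. The Packet type, the StatefulHostFirewall class, the service_exceptions parameter and the sample addresses are all constructed for this illustration.

```python
"""Model of the default-deny, stateful filtering described for Windows Firewall.

Added example, not code from the book or from Microsoft. Packet summaries,
addresses (RFC 5737 documentation ranges) and the state table are constructed
here for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: direction plus the 4-tuple of one flow."""
    direction: str      # "in" (arriving from the network) or "out" (sent by a local app)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulHostFirewall:
    """Default-deny inbound filter with a connection-state table.

    - Outbound packets are always allowed and record a state entry keyed by
      (local_ip, local_port, remote_ip, remote_port).
    - Inbound packets are allowed only if they match an existing entry, that is,
      only replies from the exact host and port that was contacted.
    - service_exceptions (the book's 'service definitions') lists local ports on
      which unsolicited inbound traffic is accepted; empty by default.
    """

    def __init__(self, local_ip: str, service_exceptions=()):
        self.local_ip = local_ip
        self.service_exceptions = set(service_exceptions)
        self.state = set()
        self.log = []  # (packet, verdict, reason) for inspection

    def _record(self, packet, verdict, reason):
        self.log.append((packet, verdict, reason))
        return verdict

    def filter(self, packet: Packet) -> bool:
        """Return True if the packet is allowed, False if it is dropped."""
        if packet.direction == "out":
            key = (packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port)
            self.state.add(key)
            return self._record(packet, True, "outbound: state entry created")
        # Inbound: the reply key mirrors the outbound tuple.
        key = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)
        if key in self.state:
            return self._record(packet, True, "inbound: matches open connection")
        if packet.dst_port in self.service_exceptions:
            return self._record(packet, True, "inbound: service exception")
        return self._record(packet, False, "inbound: unsolicited, dropped")

    def close(self, local_port: int, remote_ip: str, remote_port: int) -> None:
        """Connection ended: remove the entry so the port is closed to outside traffic again."""
        self.state.discard((self.local_ip, local_port, remote_ip, remote_port))


def demo() -> dict:
    """Walk through the scenarios the text describes and return each verdict."""
    fw = StatefulHostFirewall("192.0.2.10")
    results = {}
    # 1. Unsolicited inbound connection attempt to a local port: dropped.
    results["unsolicited"] = fw.filter(Packet("in", "198.51.100.7", 40000, "192.0.2.10", 445))
    # 2. A local application contacts a web server: allowed, state entry created.
    fw.filter(Packet("out", "192.0.2.10", 3001, "203.0.113.5", 80))
    # 3. Reply from that same server and port: allowed.
    results["reply"] = fw.filter(Packet("in", "203.0.113.5", 80, "192.0.2.10", 3001))
    # 4. A different host aiming at the same local port: dropped.
    results["spoof"] = fw.filter(Packet("in", "198.51.100.7", 80, "192.0.2.10", 3001))
    # 5. After the connection closes, even the original server is dropped.
    fw.close(3001, "203.0.113.5", 80)
    results["after_close"] = fw.filter(Packet("in", "203.0.113.5", 80, "192.0.2.10", 3001))
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} -> {'allowed' if allowed else 'dropped'}")
```

The model keys state on the full 4-tuple, which is why scenario 4 is dropped even though the local port is open: the return path is open to the contacted host only, exactly the property the text attributes to the firewall.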

Security Center

Released with SP2, the Security Center (Figure 1-11) is a centralized Internet security monitoring center. It has links to maintenance and configuration activities for Internet Firewall, Virus Protection, and Automatic Updates.

Figure 1-11 Windows XP Security Center

NOTE The Security Center will be discussed in more depth in Chapter 14.

Attachment Manager

The Attachment Manager, also released in SP2, provides security by controlling which e-mail attachments can be opened from within installed e-mail clients.


Encrypting File System

The Encrypting File System (EFS) stores folders and files in encrypted form, generating a separate file encryption key for each encrypted file stored on the system. Each file’s key is then encrypted with a key belonging to the file’s owner and with a key belonging to a designated recovery agent. Encryption prevents people from getting access to data in these files even if they somehow gain access to the system. Without the user’s key or the recovery agent’s key, the data is inaccessible to all other users.

NOTE We will discuss the EFS in more depth in Chapter 3 and Chapter 14.
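The key hierarchy just described (one random key per file, wrapped once for the owner and once for the recovery agent) is shown below as an added example that is not EFS code and not from the book. Real EFS wraps the file encryption key with the RSA public keys from the user's and the recovery agent's certificates and encrypts the data with a block cipher; this standard-library model substitutes an HMAC-SHA256 keystream with an integrity tag, and symmetric wrapping keys stand in for the two private keys. The function names, the holder labels and the sample data are constructed for this illustration.

```python
"""Envelope-encryption model of the EFS key hierarchy described in the text.

Added example, not EFS's own algorithms: a per-file key (FEK) protects the
data, and the FEK is wrapped once per key holder. Any one holder's key recovers
the FEK and therefore the data; a user without a wrapping key gets nothing,
even with the encrypted file in hand.
"""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream HMAC-SHA256(key, nonce || counter) XORed with data.
    Stand-in for the block cipher EFS really uses."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)


def encrypt_file(plaintext: bytes, wrapping_keys: dict) -> dict:
    """Encrypt one file: fresh random FEK, data sealed under the FEK, and the FEK
    wrapped once per holder. wrapping_keys maps a holder name (for example
    'owner', 'recovery_agent') to that holder's secret wrapping key (constructed)."""
    fek = os.urandom(32)
    return {
        "data": _seal(fek, plaintext),
        "wrapped_fek": {holder: _seal(key, fek) for holder, key in wrapping_keys.items()},
    }


def decrypt_file(record: dict, holder: str, wrapping_key: bytes) -> bytes:
    """Unwrap the FEK with one holder's key, then decrypt the data. Raises
    ValueError if there is no wrapped copy for the holder or the key is wrong."""
    if holder not in record["wrapped_fek"]:
        raise ValueError(f"no FEK copy for {holder}")
    fek = _open(wrapping_key, record["wrapped_fek"][holder])
    return _open(fek, record["data"])


def demo() -> tuple:
    """Owner and recovery agent both recover the data; another user cannot."""
    owner_key = os.urandom(32)      # stands in for the owner's private key
    recovery_key = os.urandom(32)   # stands in for the recovery agent's private key
    other_key = os.urandom(32)      # another user on the same computer
    secret = b"research notes: constructed sample data"
    rec = encrypt_file(secret, {"owner": owner_key, "recovery_agent": recovery_key})

    by_owner = decrypt_file(rec, "owner", owner_key) == secret
    by_agent = decrypt_file(rec, "recovery_agent", recovery_key) == secret
    try:
        decrypt_file(rec, "owner", other_key)   # has the file, lacks the key
        other_succeeded = True
    except ValueError:
        other_succeeded = False
    return by_owner, by_agent, other_succeeded


if __name__ == "__main__":
    print(demo())
```

Because the FEK is random per file, two encryptions of identical content produce different ciphertexts, and adding a recovery agent later means wrapping the FEK one more time rather than re-encrypting the data, which is why the recovery agent's key alone is enough to recover a file when the user's key is lost.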

Security Management Policies

Windows XP uses security management policies to define security settings on the local computer. These settings can be applied directly to the computer using the Local Security Policy console (as shown in Figure 1-12) or remotely using Group Policy management tools.

Figure 1-12 The Local Security Policy console

Using policies, you can devise a standard group of security settings and apply them to multiple computers at once, ensuring consistent security settings throughout the enterprise.

WINDOWS XP ORGANIZATIONAL ROLES

Windows XP Professional is at home both in small offices and in international enterprises. With its enormously flexible configuration options, Windows XP can be configured for standalone use, for sharing files with a small network workgroup, or for working in a large network in which files are accessed from servers in a far-off datacenter.


Workgroup Networks

A workgroup is a logical collection of computers that share resources with each other, as shown in Figure 1-13. These resources might be files, printers, or applications. A workgroup is also called a peer-to-peer network because all computers in the workgroup can share resources as equals (peers) without a dedicated server. Security in a workgroup is defined by a series of local security databases residing on each of the computers that are sharing resources.

Figure 1-13 A workgroup network (Windows Server 2003, Windows 2000 Server, and Windows XP Professional computers, each holding its own accounts database, sharing a printer)

NOTE Logical vs. Physical Network Structures A logical network structure such as a workgroup or a domain is basically a management tool used by administrators to classify, configure, and support the computers in that network. A physical network structure is the actual hardware design, including such items as routers, switches, cables, and connectors that make up the actual network.

Users of computers in workgroups are given access to resources on each computer by the person in charge of that computer. They have a username and a password for each computer on which they access resources. It is not uncommon for a user to have to keep track of several different usernames and passwords. A workgroup provides the following advantages:

■ It does not require inclusion of a domain controller in the configuration to hold centralized security information.

■ It is simple to design and implement. It does not require the extensive planning and administration that a domain requires.

■ It is a convenient networking environment for a limited number of computers in close proximity.

Some disadvantages of workgroups include:

■ A workgroup becomes impractical in environments with more than 10 computers because each computer has its own security authority and must maintain its own set of usernames and passwords. This greatly increases administrative overhead as the workgroup grows.

■ Workgroups do not provide for centralized management of systems or resources.

■ Workgroups require users to remember and use different usernames and passwords for each resource they need to access.

■ Workgroups usually struggle with computer name resolution across IP subnets and switched networks.

Domain Networks

A domain is a logical grouping of network computers that share a central directory database (as shown in Figure 1-14). A directory database contains user accounts and security information for the domain. This database is known as the directory and is a major portion of Active Directory, the Windows 2000 and Windows Server 2003 directory service. Active Directory can manage much more than just user security, however. It can publish shared data folders, printers, applications, and other resources for ease of location and configuration. Users can be consolidated into organizational units (OUs) based on their roles within the organization. Management responsibilities can be delegated to junior administrators without compromising the security of the entire directory.


Figure 1-14 A domain network (two Windows 2000 Server domain controllers replicating Active Directory, Windows XP Professional clients, and a Windows Server 2003 member server sharing a printer)

In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related aspects of user and domain interactions, centralizing security and administration.

NOTE You can designate only a computer running one of the Microsoft Windows Server products as a domain controller. If all computers on the network are running Windows XP Professional, the only type of network available is a workgroup.

Users of computers in domains are given access to resources on each computer by a central administration team. Each user has only one username and password to access resources throughout the domain. This method of control greatly simplifies management of user accounts. The benefits of a domain include the following:

■ Centralized administration, because all user information is stored centrally.

■ A single logon process for users to gain access to network resources (such as file, print, and application resources) for which they have permissions. In other words, you can log on to one computer and use resources on another computer in the network as long as you have appropriate permissions to access the resource.

■ Scalability, so that you can create very large networks.


A typical Windows domain includes the following types of computers:

■ Domain controllers running Windows 2000 Server or Windows Server 2003. Each domain controller stores and maintains a copy of the directory. In a domain, you create a user account once, which is recorded in the directory. When a user logs on to a computer in the domain, a domain controller authenticates the user by checking the directory for the username, password, and logon restrictions. When there are multiple domain controllers in a domain, they periodically replicate their directory information.

■ Member servers running Windows 2000 Server or Windows Server 2003. A member server is a server that is not configured as a domain controller. A member server does not store directory information and cannot authenticate users. Member servers provide shared resources such as shared folders or printers.

■ Client computers running Windows XP Professional, Windows 2000 Professional, or another Windows client operating system. Client computers run a user’s desktop environment and allow the user to gain access to resources in the domain.

Logging On and Off Windows XP Professional

The procedure used to log on to Windows XP differs depending on the operating system’s role in the network. Users in a workgroup environment might use the Welcome screen or the Log On To Windows dialog box. Domain users are restricted to the Log On To Windows dialog box.

The Welcome Screen

By default, Windows XP Professional uses the Welcome screen to allow users to log on locally (as shown in Figure 1-15). To log on, click the icon for the user account you want to use. If the account requires a password, you are prompted to enter it. If the account is not password protected, you are logged on to the computer. In addition to the Welcome screen, you can also use Fast User Switching (which is on by default). This feature allows you to quickly log another user on to the system while the originally logged on user is placed on standby status. The original user’s applications are kept running, and they return to the screen when you switch back to the original user.

Figure 1-15 Windows XP Welcome screen

NOTE If your computer is a member of a domain, the Welcome screen and Fast User Switching will not be available.

You can also use Ctrl+Alt+Delete at the Welcome screen to get the Log On To Windows dialog box. This enables you to log on to the Administrator account, which is not displayed on the Welcome screen when other user accounts have been created. To use Ctrl+Alt+Delete, you must enter the sequence twice to get the logon prompt. A user can log on locally to either of the following:

■ A computer that is a member of a workgroup

■ A computer that is a member of a domain but is not a domain controller

The User Accounts program in Control Panel includes a Change The Way Users Log On Or Off task, which allows you to configure Windows XP Professional to use the Log On To Windows dialog box instead of the Welcome screen.


The Log On To Windows Dialog Box

To use the Log On To Windows dialog box (shown in Figure 1-16) to log on locally to a computer running Windows XP Professional, you must supply a valid username; if the username is password protected, you must also supply the password. Windows XP Professional authenticates the user’s identity during the logon process. Only valid users can access resources and data on a computer or a network. Windows XP Professional authenticates users who log on locally to the computer at which they are seated, and one of the domain controllers in a Windows 2000 or Windows Server 2003 domain authenticates users who log on to a domain.

Figure 1-16 Windows XP Log On To Windows dialog box

When a user starts a computer running Windows XP Professional that is configured to use the Log On To Windows dialog box, an Options button also appears. This allows the user to expose or hide options such as logging on to a domain instead of the local system, or connecting to the network using dial-up networking.

NOTE If your computer is not part of a domain, you will not get the Log On To option.


SUMMARY

■ Windows XP includes the most advanced Microsoft user interface to date. It uses an intuitive user interface and high-resolution graphics to present users with an attractive and useful environment.

■ Windows XP has many hardware interface design features that make using peripheral devices easier; among these are driver signing and device driver rollback.

■ Help and Support is a comprehensive collection of support tools and technologies that make it easier to locate help and assistance.

■ Windows XP supports many security technologies to protect users and their data from malicious programs and hack attempts.

■ Windows XP supports a wide range of uses, including standalone, workgroup, and domain environments.

■ Windows XP provides logon security to ensure that access to the desktop is authenticated.

REVIEW QUESTIONS

1. Which feature of Windows XP Professional allows you to prevent people who gain access to a computer’s files from reading the contents of the files? (Choose all that apply.)
   a. Windows Firewall
   b. Encrypting File System (EFS)
   c. Group Policy
   d. Local Security Policy

2. Which feature of Windows XP Professional allows you to recover from installing the incorrect driver for a device? (Choose all that apply.)
   a. Driver Signing
   b. Driver Rollback
   c. Plug and Play
   d. Windows Hardware Quality Laboratory (WHQL)


3. Which feature in Help and Support allows a user to receive help from another user over a network connection? (Choose all that apply.)
   a. System Restore
   b. Microsoft Incident Submission
   c. Remote Assistance
   d. Remote Desktop

4. Which of the following statements best describes Windows Firewall? (Choose all that apply.)
   a. Windows Firewall prevents unauthorized users from accessing system files.
   b. Windows Firewall protects a computer from high temperatures by shutting it down when it gets too warm.
   c. Windows Firewall protects a computer from attacks by malicious users or programs on the Internet.
   d. Windows Firewall encrypts data files on a computer’s disk drives.

5. Which of the following scenarios depict a workgroup network? (Choose all that apply.)
   a. A small collection of computers that share files with each other. Each computer has a list of authorized users.
   b. A large corporate network with hundreds of computers and a central accounts database.
   c. One computer connected to the Internet via modem.
   d. A laptop on the hood of a car on a construction site.


CASE SCENARIOS

Scenario 1.1: Securing Data

You have been hired by a large pharmaceutical company to support its research department. Many of the users in the department use laptop computers and travel extensively. The company wants to prevent unauthorized access to the contents of the disk on each laptop and is concerned about what will happen to the company’s trade secrets if a laptop is stolen. What feature of Windows XP helps you address these two concerns?

1. Encrypting File System (EFS)
2. Remote Assistance
3. User accounts
4. Windows Firewall

Scenario 1.2: Assisting Remote Users Your boss is staying in a hotel while at a conference. He is logged on to your domain over an Internet connection and is having a problem with his e-mail configuration. You have tried to visualize the error message he is describing, but it would be much simpler to troubleshoot the problem if you could just see his screen. How can you get a view of his screen to help him troubleshoot his problem?

CHAPTER 2

INSTALLING WINDOWS XP PROFESSIONAL

Upon completion of this chapter, you will be able to:

■ Perform and troubleshoot an unattended installation of Windows XP Professional

■ Install Windows XP Professional by using Remote Installation Services (RIS)

■ Install Windows XP Professional by using the System Preparation tool

■ Create unattended answer files by using Setup Manager to automate the installation of Windows XP Professional

■ Upgrade from a previous version of Windows to Windows XP Professional

■ Prepare a computer to meet upgrade requirements

■ Migrate existing user environments to a new installation

■ Perform post-installation updates and product activation

■ Troubleshoot failed installations

In this chapter we will discuss the installation of Microsoft Windows XP Professional. We’ll present the hardware requirements for supporting Windows XP Professional, how to verify hardware compatibility, and how to test your hardware for compatibility before installation. You will learn how to perform attended and unattended installations. We will introduce advanced installation techniques such as Remote Installation Services (RIS) and the System Preparation tool (Sysprep). Finally, you’ll learn critical post-installation steps such as activation and applying operating system updates.


PREINSTALLATION TASKS

Before you install Windows XP Professional on a computer, you must perform several steps to ensure a successful installation. Among these are verifying that your hardware will be compatible with the operating system, determining how the system will be configured, and deciding which installation method to use.

Verifying Hardware Compatibility

Although the Windows XP Professional Setup Wizard checks your hardware and software for potential conflicts, before you install Windows XP Professional you should verify that your hardware is listed in the Windows Catalog. Microsoft provides tested drivers for the listed devices only. Using hardware not listed in the catalog can cause problems during and after installation. The most recent version of the Windows Catalog for released operating systems is on the Microsoft Web site at http://www.microsoft.com/windows/catalog. The Windows Catalog only includes hardware that has been tested and certified by the Windows Hardware Quality Laboratory (WHQL).

NOTE Your hardware might support Windows XP but not be WHQL certified. If this is the case, Windows XP will not include device drivers for your device, but drivers and support should be available directly from the manufacturer, usually on its Web site. This step might be necessary if you want to use the latest and greatest hardware, but using these drivers bypasses an important quality-control certification step and can introduce instability into your system.

Hardware Requirements

You must determine whether your hardware meets or exceeds the minimum requirements for installing and operating Windows XP Professional, as shown in Table 2-1.

Table 2-1 Windows XP Professional Hardware Requirements

Component                       Minimum Requirements
Central processing unit (CPU)   Pentium (or compatible) 233-megahertz (MHz) or higher; a Pentium II (or compatible) 300-MHz or higher processor is recommended
Memory                          64 megabytes (MB) minimum; 128 MB recommended; 4 gigabytes (GB) of random access memory (RAM) maximum
Hard disk space                 650 MB free space on a 2-GB hard disk; 2-GB free disk space is recommended
Networking                      Network adapter card and related cable
Display                         Video display adapter and monitor with Video Graphics Adapter (VGA) resolution or higher; Super VGA and a Plug and Play monitor are recommended
Other drives                    CD-ROM drive, 12X or faster recommended (not required for installing Windows XP Professional over a network), or DVD drive; a high-density 3.5-inch disk drive as drive A, unless the computer supports starting the Setup program from a CD-ROM or DVD drive
Accessories                     Keyboard and mouse or other pointing device

NOTE Older systems might require a BIOS update to support the sophisticated power management features of Windows XP. Check with the manufacturer of your system to see if an updated BIOS is available.

Storage Requirements

The Windows XP Professional Setup program examines the hard disk to determine its existing configuration. Setup then allows you to install Windows XP Professional on an existing partition or to create a new partition on which to install it.

New Partition or Existing Partition

Depending on the hard disk configuration, you might need to do one of the following during installation:

■ If the hard disk is new or has not previously stored data, you can create a new, appropriately sized partition for Windows XP Professional.

■ If the hard disk is already partitioned and contains enough unpartitioned disk space, you can use the unpartitioned space to create a Windows XP Professional partition.

■ If an existing partition is large enough, you can install Windows XP Professional on that partition. Installing on an existing partition might require you to reformat the partition to create sufficient clean space for the installation.




■ If an existing partition is not large enough, you can delete it to provide more unpartitioned disk space for the creation of the Windows XP Professional partition.

CAUTION Reformatting or deleting a disk partition destroys the data contained on the partition. Be sure you have backed up any data in the partition before performing either of these two actions.

Microsoft recommends installing Windows XP Professional on a 2-GB or larger partition. Although Windows XP Professional does not require that much disk space for installation, using a larger installation partition provides the flexibility to install Windows XP Professional updates, operating system tools, or other necessary files in the future.

Remaining Free Hard Disk Space

Although you can use Setup to create other partitions, you should create and size only the partition on which you will install Windows XP Professional. After you install Windows XP Professional, you can use more advanced tools such as the Disk Management administrative tool to partition any remaining space on the hard disk.

NOTE Managing disks and partitions is discussed in more detail in Chapter 3.

File Systems

After you create the installation partition, Setup prompts you to select the file system with which to format the partition. Like Microsoft Windows NT and Microsoft Windows 2000 Professional, Windows XP Professional supports both the NT file system (NTFS) and the file allocation table (FAT) file system. Both Windows 2000 Professional and Windows XP Professional also support FAT32. Figure 2-1 summarizes some of the features of these file systems.

NOTE We will examine the differences between NTFS and FAT file systems more closely in Chapter 3.

CHAPTER 2:

INSTALLING WINDOWS XP PROFESSIONAL

FAT
· DOS and Windows
· 2 or 4 GB max size (1)
· No file- or folder-level security

FAT32
· Windows 95 R2 and later
· 32 GB max size (2)
· No file- or folder-level security

NTFS
· Windows NT 4.0 and later (3)
· 16 EB max size
· File- and folder-level security
· Compression
· Encryption
· Disk quotas
· Mounted volumes

(1) Depending on OS version. (2) OS limit imposed by Microsoft. (3) Windows NT family operating systems.

Figure 2-1 A file system comparison

NTFS supports the following features:

■ File- and folder-level security NTFS allows you to control access to files and folders.

■ Disk compression NTFS compresses files to store more data on the partition.

■ Disk quotas NTFS allows you to control disk usage on a per-user basis.

■ Encryption NTFS allows you to encrypt file data on the physical hard disk, using the Microsoft Encrypting File System (EFS). See Chapter 14 for additional information about EFS.

NOTE There are many reasons to choose NTFS over FAT for Windows XP installations, but security is by far the most important. Chapter 7 is dedicated to understanding and managing NTFS security.

The version of NTFS (NTFS 5) in Windows XP Professional supports remote storage, dynamic volumes, and mounting volumes to folders. Windows Server 2003, Windows XP, and Windows 2000 are the only operating systems that can natively access data on a local hard disk formatted with NTFS 5.


FAT and FAT32

FAT and FAT32 file systems offer backward compatibility with older Windows operating systems. If you plan to dual boot between Windows XP Professional and another operating system that requires FAT or FAT32, you must format the system partition with FAT or FAT32.

NOTE The terms system partition and boot partition might appear to be switched at birth. After all, the computer boots from the system partition and loads the operating system from the boot partition. You can think of the terms in this way: When a system starts, it makes its operating system selection from configuration files in the system partition. As the chosen operating system loads (boots), it loads from the boot partition.

The FAT and FAT32 file systems do not offer many of the features (for example, file-level security, compression, and encryption) that NTFS supports. Therefore, in most situations, you should format the hard disk with NTFS. The only reason to use FAT or FAT32 is to support dual booting with another operating system that does not support NTFS. If you are setting up a computer for dual booting, you must format only the system partition as FAT or FAT32. For example, if drive C is the system partition, you can format it as FAT or FAT32 and format drive D as NTFS.

CAUTION Keep in mind that formatting a drive with NTFS makes the data it contains inaccessible to operating systems that are not NTFS compatible.

Converting a FAT or FAT32 Volume to NTFS

Windows XP Professional provides the Convert command for converting a partition to NTFS without reformatting the partition and losing all the information on it. The Convert command runs from the Windows XP command prompt and manages the file system conversion. The following example demonstrates the syntax for the Convert command:

Convert volume /FS:NTFS [/V] [/CvtArea:filename] [/Nosecurity] [/X]

IMPORTANT After a partition has been converted to NTFS, you cannot convert the partition back to a FAT partition without reformatting it (erasing all data from the partition). After reformatting with FAT, data must be restored from backup.

Table 2-2 describes the options available with the Convert command.

Table 2-2 Convert Command Options

Switch              Required   Function
volume              Yes        Specifies the drive letter (followed by a colon), volume mount point, or volume name that you want to convert
/FS:NTFS            Yes        Specifies converting the volume to NTFS
/V                  No         Runs the Convert command in verbose mode
/CvtArea:filename   No         Specifies a contiguous file in the root directory to be the placeholder for NTFS system files
/NoSecurity         No         Sets the security settings to make converted files and directories accessible to everyone
/X                  No         Forces the volume to dismount first if necessary; all open handles to the volume are thereby invalid

NOTE For help with any command-line program, at the command prompt type the command followed by /? and press ENTER. For example, to receive help on the Convert command, type Convert /? and press ENTER.

Domain or Workgroup Membership

During installation, you must choose whether the computer will join a domain or a workgroup. Figure 2-2 shows the requirements for joining a domain or a workgroup.

Domain (tailspintoys.com)
Joining a domain requires:
· A domain name
· A computer account
· An available domain controller and a DNS server

Workgroup
Joining a workgroup requires:
· A new or an existing workgroup name

Figure 2-2 Domain or workgroup membership requirements


Joining a Domain

When you install Windows XP Professional on a computer, you can add that computer to an existing domain. This process is referred to as joining a domain. A computer can join a domain during or after installation. Joining a domain during installation requires the following:

■ A domain name Ask the domain administrator for the Domain Name System (DNS) name for the domain that the computer will join. An example of a DNS-compatible domain name is microsoft.com, in which microsoft is the name of the organization’s DNS identity.

NOTE You can join a domain using the NetBIOS name of the domain if your network is still supporting NetBIOS name resolution. Examples of a NetBIOS name are “MICROSOFT” or “CONTOSO.” Ask your administrator to make sure.

■ A computer account Before a computer can join a domain, you must create a computer account in the domain. If you create the computer account during installation, Setup prompts you for the name and password of a user account with authority to add domain computer accounts. You can ask a domain administrator to create the computer account before installation or, if you have been given permission, you can create the computer account yourself during installation.

■ An available domain controller and a server running the DNS service (called the DNS server) At least one domain controller in the domain that you are joining and one Active Directory–compatible DNS server must be online when you install a computer in the domain.

Joining a Workgroup

When you install Windows XP Professional on a computer, you can add that computer to an existing workgroup or create a new workgroup. This process is referred to as joining a workgroup. If you are not using the default workgroup name WORKGROUP during installation, you must assign a workgroup name to the computer. The workgroup name you assign can be the name of an existing workgroup or the name of a new workgroup that you create during installation. The act of assigning a workgroup name that did not previously exist on the network is all that is required to create a new workgroup. The computer browser service that maintains lists of computers in My Network Places will group computers by their workgroup affiliations.


NOTE Being in a workgroup does not confer any security or administrative control on a computer that joins it. Workgroups are merely collections of computers. Chapter 1 discusses the difference between domains and workgroups in more detail.

PERFORMING AN ATTENDED INSTALLATION

In this section we will examine attended installations using the Windows XP Professional product CD-ROM and also installing from a network location. You will learn the steps in the installation process and ways to control the eventual configuration of the system.

Windows XP Professional Setup Program

The installation process for Windows XP Professional combines the Setup program with wizards and informational screens. Installing Windows XP Professional from a CD-ROM to a clean hard disk consists of four stages:

■ Running the Setup program Setup prepares the hard disk for the later installation stages and copies the files necessary to run the Setup Wizard.

■ Running the Setup Wizard The Setup Wizard requests setup information about the computer, such as names and passwords.

■ Installing Windows XP Professional networking components After gathering information about the computer, the Setup Wizard prompts you for networking information and then installs the networking components that allow the computer to communicate with other computers on the network.

■ Completing the installation Setup copies files to the hard disk and configures the computer. It also cleans up installation files not required to operate the computer. The system restarts after installation is complete.

The following sections cover the four stages in more detail.

Running the Setup Program

To start the Setup program, insert the Windows XP Professional installation CD-ROM in your CD-ROM drive and start your computer.

NOTE: If your system cannot boot from the CD-ROM, you can make setup boot disks. Microsoft Knowledge Base article 310994 describes how to download and use a program that creates these disks.


INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Figure 2-3 shows the six steps involved in running the Setup program.

Figure 2-3  Steps in running the Setup program (from Boot to the Setup Wizard): 1. Load Setup program into memory; 2. Start text-based Setup program; 3. Create the Windows XP Professional partition; 4. Format the Windows XP Professional partition; 5. Copy setup files to the hard disk; 6. Restart the computer.

After the computer starts, a minimal version of Windows XP Professional is copied into memory. This version of Windows XP Professional starts the text-mode portion of the setup process. You are then prompted by the Setup program to perform the following steps:

■ Read and accept a licensing agreement.

■ Select the partition on which to install Windows XP Professional. You can select an existing partition, delete an existing partition on the hard disk, or create a new partition by using unpartitioned space on the hard disk.

■ Select a file system for the new partition. The Setup program then formats the partition with the selected file system.

NOTE: Setup provides the option to perform a “quick” format of the partition. A quick format is essentially a standard format that does not scan the disk for bad sectors. If you are certain the disk is not damaged, you can speed your installation using this option. If the disk has never been formatted or if you want to be sure the scan for bad sectors is performed, use the standard NTFS format option.

Setup copies files to the hard disk and saves configuration information. After that, Setup restarts the computer. Following the restart, the Windows XP Professional Setup Wizard is launched and installation continues.

Running the Setup Wizard

The GUI-based Windows XP Professional Setup Wizard leads you through the next stage of the installation process. It gathers data about you, your organization, and your computer, including the following information:


■ Regional settings: Customize language, locale, and keyboard settings. You can configure Windows XP Professional to use multiple languages and regional settings.

MORE INFO: You can add another language or change the locale and keyboard settings after installation is complete. See Chapter 5 for more information.

■ Name and organization: Enter the name of the person and the organization to which this copy of Windows XP Professional is licensed.

■ Computer name: Enter a computer name of up to 15 characters. The computer name must be different from all other computer, workgroup, or domain names on the network. The Setup Wizard displays a default name (a hash of the organization name you entered earlier in the process). To change the computer name after installation is complete, right-click My Computer and select Properties. In the System Properties dialog box, select the Computer Name tab, and then click Change.

NOTE: Take care when changing a computer name. Changing the name creates a new computer account in the domain with that name, possibly requiring an administrator to manage permissions that were previously given to the original computer name.

■ Product key: You will be prompted to enter the product key from the Windows XP packaging.

■ Password for Administrator account: Specify a password for the Administrator user account, which the Setup Wizard creates during installation. The Administrator account provides the administrative privileges required to manage the computer.

IMPORTANT: Be sure to choose a complex password for the Administrator account. Using combinations of letters, numbers, and special symbols and making the password long can defeat attempts to guess the password.

■ Time and date: Select the time zone, adjust the date and time settings if necessary, and determine whether you want Windows XP Professional to automatically adjust for daylight saving time.


Installing Windows XP Professional Networking Components

After gathering information about your computer, the Setup Wizard guides you through installing the Windows XP Professional networking components (Figure 2-4).

Figure 2-4  Installing Windows networking components (Networking, followed by Complete setup): 1. Detect network adapter cards; 2. Select networking components; 3. Join a workgroup or domain; 4. Install components.



■ Detect network adapter cards: The Windows XP Professional Setup Wizard detects and configures any network adapter cards installed on the computer.

■ Select networking components: The Setup Wizard prompts you to choose typical or customized settings for the networking components it installs. Custom allows you to specify any settings and optional clients or protocols you desire. You can install other clients, services, and network protocols at this time, or you can wait until after the installation has completed. The typical installation includes the following options:

   ❑ Client For Microsoft Networks: Allows your computer to access network resources such as shared folders and printers on a Microsoft Windows network.

   ❑ File And Printer Sharing For Microsoft Networks: Allows other computers to access file and print resources on your computer.

   ❑ QoS Packet Scheduler: QoS Packet Scheduler manages bandwidth usage on the network, giving priority to traffic requiring constant bandwidth.

   ❑ Internet Protocol (TCP/IP): Allows your computer to communicate over local area networks (LANs) and wide area networks (WANs). Transmission Control Protocol/Internet Protocol (TCP/IP) is the default networking protocol used in Windows networking.

■ Join a workgroup or domain: If you choose to join a domain for which you have administrative privileges, you can create the computer account during installation. The Setup Wizard prompts you for the name and password of a user account with authority to add domain computer accounts.


■ Install components: The Setup Wizard installs and configures the Windows networking components you selected.

Completing the Installation

After installing the networking components, the Setup Wizard starts the final step in the installation process (Figure 2-5).

Figure 2-5  The final steps to complete the installation (Complete setup, ending in Setup complete): 1. Copy files; 2. Configure the computer; 3. Save the configuration; 4. Remove temporary files; 5. Restart the computer.

To complete the installation, the Setup Wizard performs the following tasks:

■ Installs Start Menu items: The Setup Wizard sets up shortcuts that will appear on the Start Menu.

■ Registers components: The Setup Wizard applies the configuration settings that you specified earlier.

■ Saves configuration settings: The Setup Wizard saves your configuration settings to the local hard disk. The next time you start Windows XP Professional, the computer uses this configuration automatically.

■ Removes temporary files: To save hard disk space, the Setup Wizard deletes any files used for installation only.

■ Restarts the computer: The Setup Wizard restarts the computer. This finishes the installation.

IMPORTANT: After the installation has completed, be sure to apply any system updates currently available. This is critical for system security because unpatched systems contain known security vulnerabilities and can be exploited by hackers. Unpatched systems should not be connected to any public networks until they have been patched. See the section titled “Applying System Updates” later in this chapter.


INSTALLING OVER THE NETWORK

In this section, you will learn how to install Windows XP Professional across a network connection. This process is similar to the CD-ROM installation, except that the installation media is located on a networked computer and must be accessed over the network. This means you must have some level of connectivity between the computer installing Windows XP and the server hosting the installation files.

Preparing for a Network Installation

In a network installation, the Windows XP Professional installation files are found in a shared location on a network file server called a distribution server. From the computer on which you want to install Windows XP Professional (the target computer), connect to the distribution server and then run the Setup program. Figure 2-6 shows the requirements for a network installation.

Figure 2-6  Requirements for a network installation (installation files on the distribution server, accessed by the target computer): a distribution server, a FAT partition on the target computer, and a network client.

Performing a Windows XP Professional network installation requires you to do the following:

■ Locate a distribution server. The distribution server contains the installation files from the i386 folder on the Windows XP Professional CD-ROM. These files reside in a common network location in a shared folder that allows computers on the network to access the installation files. Contact a network administrator to obtain the path to the installation files on the distribution server.

NOTE: After you have created or located a distribution server, you can use the over-the-network method to concurrently install Windows XP Professional on multiple computers.




■ Create a FAT partition on the target computer. The target computer requires a formatted partition to which to copy the installation files. Create a partition containing at least 1.5 GB of disk space, and format it with the FAT file system.

■ Install a network client. A network client is software that allows the target computer to connect to the distribution server. On a computer without an operating system, you must boot from a client disk that includes a network client that enables the target computer to connect to the distribution server.

Installing Windows XP Professional over the network differs from a CD-ROM installation in that the Setup program copies the installation files to the target computer and begins to run the installation. From this point, you install Windows XP Professional as you would from a CD-ROM. The process for installing Windows XP Professional over the network (shown in Figure 2-7) is as follows:

Figure 2-7  Installing Windows XP Professional over the network (Boot, then Setup): 1. Boot the network client; 2. Connect to the distribution server; 3. Run Winnt.exe or Winnt32.exe; 4. Install Windows XP Professional.

1. Boot the network client. On the target computer, boot from a floppy disk that includes a network client or start another operating system that can be used to connect to the distribution server.

NOTE: Network boot disks are complex to create and require the use of real-mode network card drivers. Windows NT 4 includes a utility for creating client boot disks, but no utility currently exists for this purpose in Windows XP Professional. Other third-party utilities exist for boot disk creation, but they are not supported by Microsoft for creating network installation boot disks. Microsoft Enterprise customers can make use of the Windows Preinstallation Environment (WinPE) to manage network installations, but WinPE is available only to subscribers of the Select or OEM licensing programs. Many organizations, preferring to use network installation points for upgrades, use Windows Server Remote Installation Services (RIS), other deployment tools such as Altiris’s Deployment Solution, or disk imaging tools such as Ghost or DriveImage to perform installations.


2. Connect to the distribution server. After you start the network client on the target computer, connect to the shared folder on the distribution server that contains the Windows XP Professional installation files.

3. Run Winnt.exe or Winnt32.exe to start Setup. Winnt.exe and Winnt32.exe reside in the shared folder on the distribution server.

   ❑ Use Winnt.exe for an installation using MS-DOS or Windows 3 or later versions on the source system.

   ❑ Use Winnt32.exe when upgrading from Windows 95, Windows 98, Windows Me, Windows NT 4, or Windows 2000 Professional.

NOTE: Winnt32.exe is a 32-bit Windows application. As such, it makes full use of 32-bit multithreading and multitasking, which allows it to copy files and execute setup tasks simultaneously. The end result is a quicker installation than can be achieved using Winnt.exe.

   Running Winnt.exe or Winnt32.exe from the shared folder does the following:

   ❑ Creates the $Win_nt$.~ls temporary folder on the target computer

   ❑ Copies the Windows XP Professional installation files from the shared folder on the distribution server to the $Win_nt$.~ls folder on the target computer

4. Install Windows XP Professional. Setup restarts the local computer and begins the actual process of installing Windows XP Professional. The rest of the installation progresses in the same way as the attended installation discussed earlier.

IMPORTANT: After the installation is complete, be sure to apply any available system updates. See the section titled “Applying System Updates” later in this chapter.


Modifying the Setup Process Using Winnt.exe

You can modify an over-the-network installation by changing how Winnt.exe runs Setup. Table 2-3 describes the switches you can use with Winnt.exe.

Table 2-3  Winnt.exe Switches

/a
    Causes Winnt.exe to install accessibility options.

/r[:folder]
    Specifies an optional folder to be copied and saved. The folder remains after Setup finishes.

/rx[:folder]
    Specifies an optional folder to be copied. This folder can be used to deliver other applications or data to the system for use during the installation. The folder is deleted after Setup finishes.

/s[:sourcepath]
    Specifies the source location of Windows XP Professional files. This must be a full path in the form x:\[path] or \\server\share\[path]. The default is the current folder location.

/t[:tempdrive]
    Specifies a drive to contain temporary setup files and directs Setup to install Windows XP Professional on that drive. If you do not specify a drive, Setup attempts to locate the drive with the most available space.

/u[:script_file]
    Performs an unattended installation by using an optional script file. Unattended installations also require using the /s switch. The answer file provides answers to some or all of the prompts that the end user normally responds to during Setup.

/udf:id[,UDF_file]
    Indicates an identifier (id) that Setup uses to specify how a Uniqueness Database File (UDF) modifies an answer file. The /udf parameter overrides values in the answer file, and the identifier determines which values in the UDF are used. If you do not specify a UDF_file, Setup prompts you to insert a disk that contains the $UNIQUE$.UDB file. UDFs are used only during an unattended installation.


Modifying the Setup Process Using Winnt32.exe

You can modify an over-the-network installation by changing how Winnt32.exe runs Setup. Table 2-4 describes the switches you can use with Winnt32.exe.

Table 2-4  Winnt32.exe Switches

/checkupgradeonly
    Checks your computer for upgrade compatibility with Windows XP Professional. If you use this option with the /unattend option, no user input is required. Otherwise, the results are displayed on the screen and you can save them under the file name you specify.

    ■ For Windows 98 or Windows Me upgrades, the default report file name is Upgrade.txt in the %systemroot% folder (the folder that contains the Windows XP Professional system files).

    ■ For Windows NT 4 or Windows 2000 upgrades, the default report file name is Ntcompat.txt in the %systemroot% folder.

    For more information about generating a compatibility report, see “Upgrading to Windows XP Professional” later in this chapter.

/cmd:command_line
    Specifies a specific command that Setup is to run. This command is run after the computer restarts and after Setup collects the necessary configuration information. This option is useful for running a configuration script or other command as part of the installation.

/cmdcons
    Copies to the hard disk the additional files necessary to load a command-line interface, the Recovery console, which is used for repair and recovery. The Recovery console is installed as a Startup option. You can use the Recovery console to stop and start services and to access the local drive, including drives formatted with NTFS. You can use this option only after you install Windows XP Professional.

/copydir:foldername
    Creates an additional folder within the %systemroot% folder, which contains the Windows XP Professional system files. For example, if your source folder contains a folder called My_drivers, type /copydir:My_drivers to copy the My_drivers folder to your system folder. You can use the /copydir switch to create as many additional folders as you want.

/copysource:foldername
    Creates an additional folder within the %systemroot% folder. Setup deletes folders created with /copysource after installation is complete.


/debug[level][:file_name]
    Creates a debug log at the specified level. The log includes the following levels: 4 (detailed information for debugging), 3 (information), 2 (warnings), 1 (errors), 0 (severe errors only). Each level includes the level below it. By default, the debug log file is C:\Winnt32.log and the default level is 2.

/dudisable
    Prevents Dynamic Update from running. Without Dynamic Update, Setup runs only with the original Setup files. This option disables Dynamic Update even if you use an answer file and specify Dynamic Update options in that file.

/dushare:pathname
    Specifies a share on which you previously downloaded Dynamic Update files (updated files for use with Setup) from the Windows Update Web site. When run from your installation share and used with /duprepare, it prepares the updated files for use in network-based client installations. When used without /duprepare and run on a client, it specifies that the client installation will use the updated files on the share specified in pathname.

/duprepare:pathname
    Prepares an installation share for use with Dynamic Update files that you downloaded from the Windows Update Web site. You can use this share for installing Windows XP Professional for multiple clients (used only with /dushare).

/m:foldername
    Instructs Setup to copy replacement files from an alternative location. Directs Setup to look in the alternative location first and, if files are present, to use them instead of the files from the default location.

/makelocalsource
    Instructs Setup to copy all installation source files to the local hard disk. Use this switch when installing from a CD-ROM to provide installation files when the CD-ROM is not available later in the installation.

/noreboot
    Prevents Setup from restarting the computer after completing the file-copy phase. This allows you to execute another command.


/s:sourcepath
    Specifies the source location of Windows XP Professional installation files. To simultaneously copy files from multiple paths, use a separate /s switch for each source path. If you type multiple /s switches, the first location specified must be available or the installation will fail. You can use a maximum of eight /s switches.

/syspart:[drive_letter]
    Copies Setup startup files to a hard disk and marks the drive as active. You can then install the drive in another computer. When you start that computer, Setup starts at the next phase. Using /syspart requires the /tempdrive switch. You can use /syspart on computers running Windows NT 4, Windows 2000, Windows XP Professional, or Windows 2000 Server. You cannot use it on computers running Windows 95, Windows 98, or Windows Me.

/tempdrive:drive_letter
    Places temporary files on the specified drive and installs Windows XP Professional on that drive.

/unattend[number]:[answer_file]
    Performs an unattended installation. The answer file provides your custom specifications to Setup. If you don’t specify an answer file, all user settings are taken from the previous installation if you are performing a reinstallation. You can specify the number of seconds between the time that Setup finishes copying the files and when it restarts with number. You can specify the number of seconds only on computers running Windows 98, Windows Me, Windows NT 4, or Windows 2000 that are upgrading to a newer version of Windows XP Professional.

/udf:id[,udb_file]
    Indicates an identifier (id) that Setup uses to specify how a UDF modifies an answer file. The UDF overrides values in the answer file, and the identifier determines which values in the UDF are used. For example, /udf:RAS_user,OUR_COMPANY.UDF overrides settings that are specified for the RAS_user identifier in the OUR_COMPANY.UDF file. If you do not specify a UDF, Setup prompts you to insert a disk that contains the $UNIQUE$.UDF file.

AUTOMATING INSTALLATIONS USING WINDOWS SETUP MANAGER

Businesses and other organizations that maintain dozens, hundreds, or even thousands of computers need a way to automate the Windows XP installation process to save time and expense. One way to do this is by creating an answer file to provide the answers to the installation dialog boxes. The setup process is run, specifying the answer file, and the installation process continues unattended by reading the answers from the file. Using answer files also allows the organization to send installations out to remote offices to be installed by less experienced personnel, eliminating travel expenses and giving senior IT staff time for other projects. Windows Setup Manager allows you to quickly create a script for a customized installation of Windows XP Professional without concern for cryptic text file syntax. Windows Setup Manager enables you to create scripts to perform customized installations on workstations and servers that meet the specific hardware and network requirements of your organization.

MORE INFO: Answer files and UDFs use a special syntax to direct the unattended installation process. Examples of this are displayed in the slides accompanying this chapter, and an example Unattend.txt file can be found in the i386 folder on the Windows XP CD-ROM. A more complete reference to the Unattend.txt syntax is available in the Windows XP preinstallation reference (ref.chm) located in the Windows XP deployment tools package (described in the next section).

Installing Setup Manager

Windows Setup Manager is part of the deployment tools package that ships with Windows XP. This toolkit assists with corporate deployment issues such as large-scale deployment and mass configuration. You use it as follows:

1. Start Windows Explorer, and create the folder C:\Deploy.

NOTE: The C:\Deploy folder is used to contain the files extracted from DEPLOY.CAB on the Windows XP Professional CD-ROM.

2. Navigate to the Support\Tools\Deploy folder on the Windows XP CD-ROM. Windows XP Professional displays the contents of DEPLOY.CAB.

3. Select all of the files listed in DEPLOY.CAB by selecting any file in the window and pressing CTRL+A.

4. Choose Extract from the shortcut menu. The Select A Destination dialog box appears.

5. Go to My Computer, select Local Disk (C:), select Deploy, and then click the Extract button.

6. Select C:\Deploy to view its contents. The files in C:\Deploy should include the following:




   ❑ Deploy.chm: Compiled Hypertext Markup Language (HTML) help file containing the Microsoft Windows Corporate Deployment Tools User’s Guide.

   ❑ Readme.txt: Text document containing late-breaking information about the deployment tools.

   ❑ Ref.chm: Compiled HTML help file containing the Windows XP preinstallation reference. This is an excellent resource for understanding unattended installations.

   ❑ Setupmgr.exe: Microsoft Setup Manager Wizard.

   ❑ Sysprep.exe: The Sysprep tool (discussed later in this chapter).

7. Double-click Readme. Take a moment to view the topics covered in the Readme.txt file, and then close Notepad.

Using Setup Manager

You can create or modify an answer file, typically named Unattend.txt, by using Windows Setup Manager. You could create Unattend.txt files with a simple text editor such as Notepad, but using Setup Manager reduces errors in syntax. Setup Manager does the following:

■ Provides a wizard with an easy-to-use graphical interface with which you can create and modify answer files (Unattend.txt).

■ Makes it easy to create UDFs (Unattend.udb). A UDF contains the configuration settings that make each computer installation unique. The UDF modifies a standard answer file by overriding values in the answer file.

NOTE: When you run Setup with Winnt.exe or Winnt32.exe, you use the /udf:id[,UDB_file] switch. Entries in the UDF override values in the answer file, and the identifier (id) determines which values in the UDF are used.

■ Makes it easy to specify computer-specific or user-specific information.

■ Simplifies the inclusion of application setup scripts in the answer file.

■ Creates the distribution folder that you use for the installation files.

NOTE: If you are upgrading systems to Windows XP Professional, you can add any application upgrades or update packs to the distribution folder and enter the appropriate commands in the Additional Commands page of the Windows Setup Manager Wizard. These upgrades or update packs are then applied to the application as part of the upgrade.
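To make the override behaviour concrete, here is an added example (not code from the book, from Setup Manager, or from Microsoft) in Python that merges a constructed Unattend.txt with a constructed UDF for each identifier, the way /udf:id[,UDF_file] selects and applies overrides, and then lints each result before the files go onto a distribution share. It assumes the UDF layout that Ref.chm documents: a [UniqueIds] section listing, for each identifier, the answer-file sections it overrides, and override sections named [id:Section]. AdminPassword and EncryptedAdminPassword in [GuiUnattended] are standard answer-file keys; the identifiers ws01 to ws04, every sample value, and the password complexity rule (at least eight characters drawn from three character classes) are the example's own assumptions.

```python
"""Merge a Windows XP Unattend.txt answer file with a Uniqueness Database File
(UDF) per identifier and lint the result before deployment.

Added example, not from the book.  Assumed UDF layout (per Ref.chm): a
[UniqueIds] section maps each id to the sections it overrides, and the
overrides live in sections named [id:Section].  Both files are constructed."""
import configparser
import re

ANSWER_FILE = r"""
[Unattended]
UnattendMode=FullUnattended
TargetPath=\WINDOWS

[GuiUnattended]
AdminPassword=password
EncryptedAdminPassword=No
TimeZone=004

[UserData]
FullName=Deployment Team
OrgName=Example Org (constructed)
ComputerName=GENERIC-PC
"""

UDF_FILE = r"""
[UniqueIds]
ws01=UserData
ws02=UserData
ws03=GuiUnattended
ws04=GuiUnattended

[ws01:UserData]
ComputerName=WS01-ENGINEERING-FLOOR2

[ws02:UserData]
ComputerName=WS02

[ws03:GuiUnattended]
TimeZone=110

[ws04:GuiUnattended]
TimeZone=110
"""


def parse_ini(text):
    """Parse the INI-style syntax shared by Unattend.txt and UDF files."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case as written (Setup itself is case-insensitive)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def merge_udf(answer, udf, uid):
    """Apply the UDF overrides for one identifier: the id selects the sections,
    and each key in [id:Section] replaces the answer file's value.  Keys the
    UDF does not mention keep the answer file's value."""
    ids = udf.get("UniqueIds", {})
    if uid not in ids:
        raise KeyError(f"identifier {uid!r} is not listed in [UniqueIds]")
    merged = {section: dict(values) for section, values in answer.items()}
    for section in (s.strip() for s in ids[uid].split(",") if s.strip()):
        merged.setdefault(section, {}).update(udf.get(f"{uid}:{section}", {}))
    return merged


def is_complex(password, min_len=8):
    """Complexity rule used by the lint (an assumption of this example, not a
    Setup rule): at least min_len characters and three of four classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= min_len and hits >= 3


def lint_answers(merged):
    """Return problems Setup would reject or that weaken the resulting build."""
    problems = []
    name = merged.get("UserData", {}).get("ComputerName", "")
    if not name:
        problems.append("ComputerName is missing")
    elif len(name) > 15:  # the Setup Wizard limit quoted in the chapter
        problems.append(f"ComputerName {name!r} is longer than 15 characters")
    gui = merged.get("GuiUnattended", {})
    if gui.get("EncryptedAdminPassword", "No").lower() != "yes":
        problems.append("AdminPassword is stored in cleartext; anyone who can read "
                        "the distribution share can read it")
        if not is_complex(gui.get("AdminPassword", "")):
            problems.append("AdminPassword is not complex (too short or too few classes)")
    return problems


def lint_fleet(answer_text, udf_text):
    """Lint every identifier in the UDF and flag computer names that collide,
    since each name must be unique on the network."""
    answer, udf = parse_ini(answer_text), parse_ini(udf_text)
    report, seen = {}, {}
    for uid in udf.get("UniqueIds", {}):
        merged = merge_udf(answer, udf, uid)
        report[uid] = lint_answers(merged)
        name = merged.get("UserData", {}).get("ComputerName", "").upper()
        if name in seen:
            report[uid].append(f"ComputerName {name!r} duplicates identifier {seen[name]!r}")
        else:
            seen[name] = uid
    return report


if __name__ == "__main__":
    for uid, problems in lint_fleet(ANSWER_FILE, UDF_FILE).items():
        print(uid, "OK" if not problems else "")
        for problem in problems:
            print("   -", problem)
```

Run as a script, the lint reports the over-long name for ws01, the cleartext and weak Administrator password for every identifier, and the collision between ws03 and ws04, which both inherit GENERIC-PC because their UDF entries override only [GuiUnattended]. The cleartext check is the one to take seriously: an answer file on a distribution share is readable by every computer that installs from it.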


When you start Setup Manager, it displays the Welcome To The Windows Setup Manager Wizard page. When you click Next, you are presented with two options:

■ Create A New Answer File: Build a new unattended installation answer file based on settings you provide. This creates a new Unattend.txt file.

■ Modify An Existing Answer File: Edit the contents of an existing answer file.

If you select Create A New Answer File, you then must choose the type of answer file you want to create. Setup Manager can create the following types of answer files:

■ Windows Unattended Installation: Builds an unattended installation package consisting of an Unattend.txt file and possibly a UDF.

■ Sysprep Install: Builds a file that controls the mini-installation that follows the installation of Windows XP Professional from a Sysprep disk image.

■ Remote Installation Services (RIS): Provides a way to automate the answer file for completing an installation using Remote Installation Services (RIS) with Windows 2000 Server or Windows Server 2003 to install Windows XP Professional.

NOTE: Sysprep is discussed in more detail in the section titled “Using Disk Duplication to Deploy Windows XP Professional” later in this chapter. RIS is discussed later in this chapter in the section titled “Understanding Remote Installation.”

The remaining steps of the Windows Setup Manager Wizard allow you to specify the level of user interaction with the Setup program and to enter all the information required to complete the setup.

UPGRADING TO WINDOWS XP PROFESSIONAL

You can upgrade many earlier versions of Windows operating systems directly to Windows XP Professional. Before upgrading, however, you must ensure that the computer hardware meets the minimum Windows XP Professional hardware requirements. Check the Windows Catalog or test the computer for hardware compatibility using the Windows XP Professional Compatibility tool. Using compatible hardware prevents problems with driver incompatibility and results in a more stable system.


NOTE: Older systems might require a BIOS update to support the sophisticated power management features of Windows XP. Check with the manufacturer of your system to see if an updated BIOS is available for your system.

Identifying Client Upgrade Paths

You can upgrade most client computers running earlier versions of Windows directly to Windows XP Professional. However, computers running some earlier versions of Windows (including Windows 95, Microsoft Windows NT 3.1, and Microsoft Windows NT 3.5) require an additional step. Table 2-5 lists the Windows XP Professional upgrade paths for various client operating systems.

Table 2-5  Upgrade Paths for Client Operating Systems

Upgrade from                     Upgrade to
Windows 98                       Windows XP Professional
Windows Me                       Windows XP Professional
Windows NT Workstation 4         Windows XP Professional
Windows 2000 Professional        Windows XP Professional
Windows 95                       Windows 98 and then Windows XP Professional
Windows NT 3.1, 3.5, or 3.51     Windows NT 4 Workstation and then Windows XP Professional

Generating a Hardware Compatibility Report

Before you upgrade a client computer to Windows XP Professional, make sure that it meets the minimum hardware requirements by using the Windows XP Compatibility tool to generate a hardware and software compatibility report. This tool runs automatically during system upgrades, but running it before beginning the upgrade should identify any hardware and software problems and allow you to fix compatibility problems ahead of time. To run the Windows XP Compatibility tool and generate a compatibility report, perform the following steps:

1. Insert the Windows XP Professional CD-ROM into the CD-ROM drive.

2. At the command prompt, type d:\i386\winnt32 /checkupgradeonly.

NOTE: d:\ represents the drive letter of the CD-ROM drive. If your drive letter differs, use that letter instead.


3. Press ENTER. Generating the upgrade report can take several minutes.

NOTE: The tool checks only for compatible hardware and software and generates a report that you can analyze to determine the system components that are compatible with Windows XP Professional.

Reviewing the Report

Winnt32 /checkupgradeonly generates a report that appears as a text document, which you can view in the tool or save as a text file. The report documents the system hardware and software that are incompatible with Windows XP Professional. It also specifies whether you need to obtain an upgrade pack for software installed on the system and recommends additional system changes or modifications to maintain functionality in Windows XP Professional.

Upgrading Compatible Windows 98 Computers

For client systems that test as compatible with Windows XP Professional, run Winnt32.exe to complete the upgrade. To upgrade a Windows 98 computer, complete the following procedure:

1. Insert the Windows XP Professional CD-ROM in the CD-ROM drive.

2. The Autorun program on the Windows XP Professional CD-ROM displays the Welcome To Microsoft Windows XP screen.

NOTE To customize how the installation runs, exit the Welcome screen and run the Winnt32.exe Setup program (discussed earlier) with any appropriate switches.

3. Click Install Windows XP.

4. Accept the license agreement.

5. Enter your 25-character product key, which is located on the back of the Windows XP Professional CD-ROM case.

6. If the computer is to be a member of a domain, create a computer account in that domain.

7. Provide upgrade packs for applications that need them. (Upgrade packs update the software to work with Windows XP Professional; they are available from the software vendor and are identified by the compatibility check.)


INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

8. Upgrade to NTFS when prompted. Select the upgrade if you do not plan to set up the client computer to dual boot: Windows 98 cannot read an NTFS volume, so a dual-boot system must keep the partition as FAT32, while a single-boot system gains file and folder permissions by converting to NTFS.

9. Continue with the upgrade if the Windows XP Professional Compatibility tool generates a report showing that the computer is compatible with Windows XP Professional. The upgrade finishes without further intervention and adds your computer to a domain or workgroup.

IMPORTANT After the installation, be sure to apply any currently available system updates. See the section titled “Applying System Updates” later in this chapter.

Upgrading a Windows 2000 Professional Computer

The upgrade process for computers running Windows 2000 Professional is similar to the upgrade process for computers running Windows 98, except that the computers should already be members of a domain. Before you perform the upgrade, use the Windows XP Professional Compatibility tool to verify that the system is compatible with Windows XP Professional and to identify any potential problems. Windows 2000 Professional computers that meet the hardware compatibility requirements can upgrade directly to Windows XP Professional. To start the upgrade process, complete the following procedure.

1. Insert the Windows XP Professional CD-ROM in the CD-ROM drive. The Autorun program on the Windows XP Professional CD-ROM displays the Welcome To Microsoft Windows XP screen.

NOTE If you do not want to use any switches with Winnt32.exe, click Install Windows XP and follow the prompts on your screen. These steps are the same as for Windows 98, skipping the computer account creation.

2. Click Exit to close the Welcome To Microsoft Windows XP screen.

3. Click Start, and then click Run.

4. Type d:\i386\winnt32 /switch (where d is the drive letter for your CD-ROM and /switch represents one or more switches that you want to use with the Winnt32 command), and then press ENTER. The Welcome To Windows page appears.

5. In the Installation Type drop-down list, select Upgrade, and then click Next. The License Agreement page is displayed.


6. Read the license agreement, click I Accept This Agreement, and then click Next. Setup displays the Product Key page.

7. Enter your 25-character product key, which is located on the back of the Windows XP Professional CD-ROM case.

8. After copying installation files, Setup displays the Restarting The Computer page and the computer restarts. The upgrade finishes without further intervention.

IMPORTANT After the installation, be sure to apply any currently available system updates. See the section titled “Applying System Updates” later in this chapter.

Migrating User Settings

Windows XP Professional provides the Files And Settings Transfer Wizard to simplify the task of moving data files and personal settings from your old computer to your new one. You don’t have to configure all of your personal settings on your new computer because you can move your old settings—including display settings, Microsoft Internet Explorer and Microsoft Outlook Express options, dialup connections, and your folder and taskbar options—to your new computer. The wizard also helps you move specific files and folders to your new computer. The Files And Settings Transfer Wizard has three options for transferring files and/or settings. They are listed in Table 2-6.

Table 2-6 Files And Settings Transfer Wizard Options

Option                      Files and settings that will be transferred
Settings Only               Settings: Accessibility; Command Prompt Settings; Display Properties; Internet Explorer Settings; Microsoft Messenger; Microsoft NetMeeting; Mouse And Keyboard; MSN Explorer; Network Printer And Drives; Outlook Express; Regional Settings; Sounds And Multimedia; Taskbar Options; Windows Media Player; Windows Movie Maker
Files Only                  Folders: Desktop; Fonts; My Documents; My Pictures; Shared Desktop; Shared Documents
                            Files: media and document files with the following extensions are migrated:
                              .asf (Windows Media Audio/Video file)
                              .asx (Windows Media Audio/Video shortcut)
                              .au (AU format sound)
                              .avi (video clip)
                              .cov (fax cover page file)
                              .cpe (fax cover page file)
                              .doc (WordPad document)
                              .eml (Internet e-mail message)
                              .m3u (M3U file)
                              .mid (MIDI sequence)
                              .midi (MIDI sequence)
                              .mp2 (Movie File MPEG)
                              .mp3 (MP3 Format Sound)
                              .mpa (Movie File MPEG)
                              .mpeg (Movie File MPEG)
                              .mswmm (Windows Movie Maker Project)
                              .nws (Internet News Message)
                              .rtf (Rich Text Format)
                              .snd (AU Sound Format)
                              .wav (Wave Sound)
                              .wm (Windows Media Audio/Video file)
                              .wma (Windows Media Audio file)
                              .wri (Write document)
Both Files And Settings     Everything listed under Settings Only and Files Only

You can select the Let Me Select A Custom List Of Files And Settings When I Click Next check box if you don’t want all the default folders, file types, and settings to be transferred.


UNDERSTANDING REMOTE INSTALLATION

Remote installation is the process of connecting to a server running Remote Installation Services (RIS), called the RIS server, and starting an automated installation of Windows XP Professional on a local computer. Remote installation enables administrators to install Windows XP Professional on client computers throughout a network from a central location. This reduces the time spent by administrators visiting all the computers in a network, thereby reducing the cost of deploying Windows XP Professional. RIS provides several benefits:

■ It enables remote installation of Windows XP Professional. An installation image is placed on the RIS server and is provided to clients that connect to the server using the Preboot Execution Environment (PXE) boot process supported by certain network adapters. The server recognizes clients by their globally unique identifier (GUID), which is unique to each computer; computer accounts can be prestaged by GUID in Active Directory so that the server supplies additional configuration information (such as the computer name) to the client during the installation process. Clients that are not PXE-compatible can be started with boot disks that include the necessary programs and settings to locate the server and begin the installation.

■ It simplifies system image management. This is accomplished by eliminating hardware-specific images and by detecting Plug and Play hardware during setup. During installation, the client performs a full Plug and Play analysis of its hardware and installs the appropriate drivers.

■ It supports recovery of the operating system and computer in the event of computer failure. A failed client can boot from the RIS server again and restore the exact installation image it received the first time.

■ It reduces total cost of ownership (TCO). It accomplishes this by allowing either users or technical staff to install the operating system on individual computers. The PXE boot process and subsequent installation of Windows XP Professional is scripted and requires no direct intervention.


Installing and Configuring RIS

Before beginning a rollout of Windows XP Professional using RIS, you should become familiar with the prerequisites for the service and you must install the service using the Remote Installation Services Setup Wizard.

Examining the Prerequisites

The ability to act as a RIS server is available only on computers running Windows 2000 Server or Windows Server 2003. The RIS server can be a domain controller or a member server. Table 2-7 lists the network services required for RIS and their RIS function. These network services do not have to be installed on the same computer as RIS, but they must be available somewhere on the network.

Table 2-7 Network Services Requirements for RIS

Network Service      RIS Function
DNS service          RIS relies on the DNS server for locating the directory service (for the purpose of looking up client computer accounts).
DHCP service         Client computers that perform a network boot receive an IP address from the DHCP server.
Active Directory     RIS relies on the Active Directory service (hosted on Windows 2000 Server or Windows Server 2003 domain controllers) for locating existing client computers as well as existing RIS servers.

Remote installation requires that RIS (included on the Windows 2000 Server or Windows Server 2003 CD-ROM) be installed on a volume that is shared over the network. This shared volume must meet the following criteria:

■ It cannot be on the same drive that is running Windows Server (the system partition). RIS stores its installation images in a Single Instance Store (SIS) on an NTFS partition; plan to dedicate the volume to RIS rather than sharing it with other data.

■ It must be large enough to hold the RIS software and the various Windows XP Professional images. The space required by several different installation images can be considerable. Some care must be taken to ensure sufficient disk space for all the images that are planned for deployment.

■ It must be formatted with the Windows NTFS file system version 5 or later. Only NTFS version 5 or later supports SIS data structures.


Using the Remote Installation Services Setup Wizard

When your network meets the prerequisites for RIS, you can run the Remote Installation Services Setup Wizard, which does the following:

■ Installs the RIS software

■ Creates the remote installation folder and copies the Windows XP Professional installation files to the server

■ Adds .sif files, which are a variation of an Unattend.txt file

■ Configures the Client Installation Wizard screens that appear during a remote installation

■ Updates the registry

■ Creates the SIS volume

■ Starts the required RIS services

MORE INFO Managing RIS on a server is beyond the scope of this course. More information on installing and managing RIS is available in the Microsoft Windows Server 2003 Resource Kit (ISBN 0-7356-1471-7) from Microsoft Learning.

Client Requirements for Remote Installation

Client computers that support remote installation must have one of the following configurations:

■ A configuration meeting the Net PC or PC98 specification  These configurations are specified by Intel and Microsoft for their “Wired for Management” initiative and are designed to simplify the installation and management of business desktop computers.

■ A network adapter card with a PXE boot ROM  This is the configuration that allows the computer to start without an operating system by retrieving a basic operating system from the RIS server. The computer’s motherboard and BIOS must also support starting from the PXE boot ROM.

■ A supported network adapter card and a remote installation boot disk  As a last resort, you can create a boot disk for certain supported network adapters that will locate the RIS server and begin the installation. These disks are created by the Remote Boot Disk Generator (covered later in this chapter).


Net PCs

The Net PC is a highly manageable platform with the ability to perform a network boot, manage upgrades, and prevent users from changing the hardware or operating system configuration. Additional requirements for the Net PC are as follows:

■ The network adapter must be set as the primary boot device within the system BIOS.

■ The user account that will be used to perform the installation must be assigned the user right Log On As A Batch Job. See Chapter 13 for more information on assigning user rights.

■ Users must be assigned permission to create computer accounts in the domain they are joining.

NOTE Even the Administrators group does not have the Log On As A Batch Job right by default; it must be assigned this right before attempting a remote installation. Best practices for security dictate that you set up a dedicated installation user account to manage installations. This prevents the need to give regular user accounts privileges that they do not require for daily use. These user account requirements apply to any RIS installation, including those using the non–Net PC and boot disk installation methods detailed in the next section.

Computers That Do Not Meet the Net PC Specification

Computers that do not directly meet the Net PC specification can still interact with the RIS server. To enable remote installation on a computer that does not meet the Net PC specification, perform the following steps:

1. Install a network adapter card with a PXE boot ROM.

2. Set the motherboard’s BIOS to start from the PXE boot ROM.
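The account requirements above are easy to get wrong in the permissive direction: an administrator grants Log On As A Batch Job to a broad group such as Users so that RIS "just works". The following PowerShell script is an added example and is not part of the book or of RIS. It exports the local user-rights policy of a server with secedit (a documented switch of that tool), parses the SeBatchLogonRight line, resolves the SIDs to account names, and reports whether the dedicated installation account holds the right and whether any broad group does. The sample export, the CONTOSO domain, and the risinstall account are constructed for the example.

```powershell
# Added example, not from the book: audit who holds the "Log on as a batch job"
# user right (SeBatchLogonRight) that RIS requires for the installation account.
# Export-LocalUserRights runs secedit on the local server; Get-PrivilegeHolders
# parses the exported INF text, so it is also exercised here on a constructed
# sample. Domain, host and account names in the sample are made up.

function Export-LocalUserRights {
    # Exports only the [Privilege Rights] area of the local security policy.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content -Path $inf
}

function Get-PrivilegeHolders {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,   # lines of a secedit /export file
        [Parameter(Mandatory)] [string]   $Privilege   # e.g. SeBatchLogonRight
    )
    $holders = @()
    foreach ($line in $InfLines) {
        if ($line -match ('^\s*' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$')) {
            foreach ($entry in ($Matches[1] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*S-1-')) {
                    # secedit writes SIDs with a leading asterisk; resolve them to names where possible
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                    try   { $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $holders += $sid.Value }   # unresolvable, e.g. a SID from an unreachable domain
                } else {
                    $holders += $entry                  # already a DOMAIN\name string
                }
            }
        }
    }
    return $holders
}

function Test-BatchLogonAssignment {
    param([string[]] $InfLines, [string] $InstallAccount)
    $holders = Get-PrivilegeHolders -InfLines $InfLines -Privilege 'SeBatchLogonRight'
    [pscustomobject]@{
        Holders             = $holders
        InstallAccountHasIt = ($holders -contains $InstallAccount)
        # Broad groups holding the right give every user batch logon on the RIS server.
        OverlyBroad         = @($holders | Where-Object { $_ -match '\\(Users|Everyone|Authenticated Users|Domain Users)$' })
    }
}

# Constructed sample of a secedit export (not captured from a real server).
$sampleInf = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-545,CONTOSO\risinstall',
    'SeInteractiveLogonRight = *S-1-5-32-544',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1'
)
Test-BatchLogonAssignment -InfLines $sampleInf -InstallAccount 'CONTOSO\risinstall' | Format-List

# On the RIS server itself:
# Test-BatchLogonAssignment -InfLines (Export-LocalUserRights) -InstallAccount 'CONTOSO\risinstall'
```

In the sample, BUILTIN\Users (S-1-5-32-545) holds the right, so OverlyBroad is non-empty; the fix is to remove that group and leave only the installation account (and whatever the server's own services need), which is exactly the least-privilege arrangement the note above recommends.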

Creating Boot Floppies

If the network adapter card in a client is not equipped with a PXE boot ROM or the BIOS does not allow starting from the network adapter card, create a remote installation boot disk. The boot disk simulates the PXE boot process. Windows 2000 and Windows Server 2003 ship with the Remote Boot Disk Generator (Figure 2-8), which allows you to create a boot disk easily.


Figure 2-8 Windows Server Remote Boot Disk Generator

Run Rbfg.exe to start the Windows 2000 Remote Boot Disk Generator. The Rbfg.exe file is located in the \RemoteInstall\Admin\i386 folder on the RIS server. These boot floppies support only the Peripheral Component Interconnect (PCI)-based network adapters listed in the Adapter List. To see the list of the supported network adapters, select Adapter List, as shown earlier in Figure 2-8.

Installing Windows XP Using RIS

RIS pre-setup is accomplished in advance by a network administrator and might include a standard operating system (OS) image or a specific system image created using the Riprep.exe utility included with RIS to copy the configuration of a fully customized system. The steps at the client level include:

■ PXE boot  The target system is booted using the PXE boot features of the system BIOS or by using the remote boot disks generated with Rbfg.exe.

■ System installation  RIS automatically installs the operating system according to the setup requirements stored on the RIS server for the client system. Two options are available:

  ❑ Risetup  Installs the client as an unattended installation using an answer file created using Setup Manager.

  ❑ Riprep  Installs a system image created using the Riprep.exe utility.


USING DISK DUPLICATION TO DEPLOY WINDOWS XP PROFESSIONAL

When you install Windows XP Professional on several computers with identical hardware configurations, the most efficient installation method to use is disk duplication. By creating a disk image of a Windows XP Professional installation and copying that image onto multiple destination computers, you save time in the rollout of Windows XP Professional. This method also creates a convenient baseline that you can easily recopy onto a computer that is experiencing significant problems. One tool you will use for disk duplication is the System Preparation tool (Sysprep.exe). This utility is part of the deployment tools that ship with Windows XP Professional. Knowing how to use the System Preparation tool can help you prepare master disk images for efficient mass installations. A number of third-party disk-imaging tools are available for copying the image to other computers. In this section, you will learn how to use the System Preparation tool to prepare the master image. To install Windows XP Professional using disk duplication, you first need to install and configure Windows XP Professional on a test computer. You must then install and configure any applications and application update packs on the test computer. Finally, you use the System Preparation tool to prepare the master image for copying.

Using the System Preparation Tool to Prepare the Master Image

The System Preparation tool (Sysprep) was developed to eliminate problems encountered in disk copying. Every Windows computer generates a security identifier (SID) during setup that identifies the computer and its local accounts, and both local security and Active Directory expect each computer to be uniquely identified. If you were to copy an existing disk image to other computers, all of those computers would have the same SID. To prevent this problem, Sysprep adds a setup component (Setupcl.exe) to the master image that generates a new, unique local computer SID the first time the computer to which the master image is copied is started. Sysprep also allows you to add a Mini-Setup Wizard to the master copy. This wizard runs the first time the computer to which the master image is copied is started. The wizard guides the user through entering user-specific information such as the following:

■ End-user license agreement

■ Product ID

■ Regional settings

■ User name

■ Company name

■ Network configuration

■ Whether the computer is joining a workgroup or domain

■ Time zone selection

NOTE The Mini-Setup Wizard can be scripted using Windows Setup Manager (discussed earlier) so this user-specific information can be entered automatically.

NOTE The hard drive controller device driver and the hardware abstraction layer (HAL) on the computer on which the disk image was generated and on the computer to which the disk image is copied must be identical. The other peripherals, such as the network adapter, the video adapter, and sound cards, need not be identical on the two computers. Any other variations between systems, beyond which disk controller driver and HAL to use, are discovered and configured during the Plug and Play phase of the installation.

Sysprep can also be customized. Table 2-8 describes some of the switches you can use to customize Sysprep.exe.

Table 2-8 Switches for Sysprep.exe

Switch            Description
/quiet            Runs with no user interaction; the confirmation dialog boxes are not shown.
/nosidgen         Does not regenerate the SID on reboot. Use this when you want to run Sysprep without removing the original SID (useful when packaging a system with a Mini-Setup to allow customization by an end user while retaining the existing SID for security settings already in place). Do not use it on an image that will be copied to more than one computer, because every copy would then share one SID.
/pnp              Forces Setup to detect Plug and Play devices on the destination computers on the next reboot.
/reboot           Restarts the source computer after Sysprep.exe has completed.
/noreboot         Exits after modifying the system without shutting down or restarting, so that you can make further changes before capturing the image.
/forceshutdown    Forces a shutdown instead of powering off (for computers whose ACPI BIOS does not power off correctly).

NOTE For a complete list of the switches for Sysprep.exe, start a command prompt, change to the Deploy folder or the folder where you installed Sysprep.exe, type sysprep.exe /?, and press ENTER.

Installing Windows XP Professional from a Master Disk Image

After running Sysprep on your test computer, you are ready to run a third-party disk image copying tool to create a master disk image. Save the new disk image on a shared folder or CD-ROM, and then copy this image to the multiple destination computers. End users can then start the destination computers. The Mini-Setup Wizard prompts the user for computer-specific variables, such as the administrator password for the computer and the computer name. If a Sysprep.inf file that answers every question was provided, the Mini-Setup Wizard runs without prompting and the system loads Windows XP Professional without user intervention. Any administrator password placed in Sysprep.inf is readable by anyone who can read the image, so have Setup Manager store it encrypted (EncryptedAdminPassword = Yes) and change it after deployment.
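The reason Sysprep exists is the duplicate-SID problem described above, and images cloned without it (or with /nosidgen) are a common finding in deployed fleets. The following PowerShell script is an added example, not code from the book or from the Sysprep tool. It derives a computer's machine SID from the built-in Administrator account (RID 500), whose SID is the machine SID with that last component appended, and groups an inventory of machine SIDs to find hosts that share one. The inventory, host names and SID values below are constructed for the example.

```powershell
# Added example, not from the book: detect computers that were imaged without
# Sysprep (or with /nosidgen) by comparing machine SIDs. The machine SID is the
# SID of the built-in Administrator account (RID 500) with that final RID
# removed; Get-MachineSid reads it through WMI. Find-DuplicateMachineSids is a
# pure function, demonstrated here on a constructed inventory whose host names
# and SIDs are made up.

function Get-MachineSid {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # Filter on LocalAccount so a domain account with RID 500 is not picked up.
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                 -Filter "LocalAccount = TRUE" |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
             Select-Object -First 1
    if (-not $admin) { throw "Built-in Administrator account not found on $ComputerName" }
    $sid = $admin.SID
    return $sid.Substring(0, $sid.LastIndexOf('-'))      # strip the -500 RID
}

function Find-DuplicateMachineSids {
    param([Parameter(Mandatory)] [hashtable] $SidByHost)   # host name -> machine SID
    $SidByHost.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Hosts      = @($_.Group | ForEach-Object { $_.Key } | Sort-Object)
            }
        }
}

# Constructed inventory (not collected from real machines): WS01 and WS02 were
# cloned from one master image without running Sysprep, so they share a SID.
$inventory = @{
    'WS01' = 'S-1-5-21-1004336348-1177238915-682003330'
    'WS02' = 'S-1-5-21-1004336348-1177238915-682003330'
    'WS03' = 'S-1-5-21-2127521184-1604012920-1887927527'
}
Find-DuplicateMachineSids -SidByHost $inventory | Format-Table -AutoSize

# Building a real inventory from a host list (requires WMI access to each host):
# $live = @{}
# foreach ($h in Get-Content .\hosts.txt) { $live[$h] = Get-MachineSid -ComputerName $h }
# Find-DuplicateMachineSids -SidByHost $live
```

Reading the SID from the RID-500 account rather than from a named account matters because the built-in Administrator is often renamed; filtering on LocalAccount keeps a domain-joined machine's domain Administrator out of the result.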

APPLYING SYSTEM UPDATES

The first step to be accomplished after initial installation of Windows XP is the application of system updates and patches. The vast majority of these updates and patches relate to security vulnerabilities discovered in the system or its associated applications. Systems connected to the Internet without first being patched can be penetrated and infected or controlled by malicious users and applications within minutes. Make sure these updates are applied before you connect the system to any public network. System updates are supplied in two ways: updates and service packs.


Windows Updates

Updates to the operating system and its associated applications are made available to Microsoft customers for free via the Windows Update service. This is a browser-based scanning and delivery system designed to scan a system for uninstalled updates and make them available for download. Figure 2-9 shows the Windows Update Welcome screen.

Figure 2-9 Windows Update Web site

Users can connect to Windows Update in one of three ways:

■ From the Start menu, choose All Programs, and then click Windows Update near the top of the list of available applications.

■ In Internet Explorer, choose Windows Update from the Tools menu.

■ Navigate to www.windowsupdate.com or windowsupdate.microsoft.com.

NOTE Windows Update undergoes continuous improvements and might appear different from the screens depicted in this book. The basic design and functionality remain unchanged.

Using Windows Update

When you connect to Windows Update, an ActiveX control is loaded by Internet Explorer. This control scans the system and reports on the available patches. Users can then choose which patches to install. Figure 2-10 shows an Optional Software Update selected for installation.

Figure 2-10 Windows Update with an Optional Software Update selected for installation

Patches come in three types:

■ High Priority Updates  Security updates and patches for critical system components

■ Optional Software Updates  Recommended updates for Windows and associated applications

■ Optional Hardware Updates  Updated drivers for hardware detected by the system

IMPORTANT Installing updates from Windows Update requires the user to have permission to install software on the local machine: the user must be logged on as a member of the local Administrators group (Power Users membership is not sufficient).

After scanning the computer, Windows Update displays the available updates. Critical fixes are preselected for installation and should be installed first. The Windows Update application manages the download and application of the fixes and might ask to restart the computer when the application is complete. Figure 2-11 shows a download in progress.


Figure 2-11 Windows Update download in progress

Following any restart, you can return to the Windows Update site and scan for Windows XP or Driver Updates. These are not as critical and can be installed at your leisure. They usually offer enhanced functionality or stability.

Service Packs

Service packs are available from Windows Update or on CD-ROM from Microsoft’s Web site. Installing a service pack is akin to installing a cumulative collection of all updates and patches released for the operating system to date. Service packs should be installed at your earliest convenience. Their effect on your systems and applications should be tested on a representative computer and, when found to be safe, rolled out to the rest of your computers.

NOTE Subscribers to Microsoft’s TechNet CD-ROM or DVD-ROM subscription service receive these disks as part of their subscription.

Applying a Service Pack from Download or CD-ROM

Applying a service pack takes some time. Plan for at least an hour. If you are downloading it, you have an express installation option, which downloads only the parts needed to update your system.

1. After identifying an available service pack, either download it or obtain the CD-ROM.


2. Execute the downloaded service pack file to run the extraction and installation program.

NOTE CD-ROM versions have an Autorun program that guides you through the service pack installation.

3. Choose whether to create an uninstallation folder. If you have a concern about the stability of the service pack, you can choose to retain the ability to uninstall it.

4. The service pack installs and restarts the computer.

Installing a Service Pack from Windows Update

Downloading a service pack from Windows Update works in much the same way as installing a Windows Update patch. Much of the procedure is automated, as with Windows fixes. The downloaded file launches the Service Pack Installation Wizard, which queries the system. It then downloads the files required to update the system.

NOTE Microsoft made a change to service pack distribution with Windows XP Service Pack 2, allowing the entire service pack to be downloaded via Automatic Updates and applied after the download is complete.

Automatic Updates

Automatic Updates is configured in the System Properties dialog box. From the Start menu, right-click My Computer and select Properties. Select the Automatic Updates tab to display the configuration dialog box (Figure 2-12).

Figure 2-12 Configuring automatic updates in Windows XP


NOTE If your Automatic Updates settings appear different, you most likely do not have Windows XP Service Pack 2 (SP2) installed. This update includes several improvements to Automatic Updates and other security-related technologies. Installing SP2 at your earliest opportunity will help protect your computer and make this material more understandable.

1. After locating System Properties, select the Automatic Updates tab. Note that Automatic Updates should already be activated. (This is new with SP2.)

2. Select from the options described in Table 2-9.

Table 2-9 Automatic Update Options

Option                                                              Setting
Automatic (recommended)                                             Uses the Background Intelligent Transfer Service (BITS) to download the updates using your unused Internet bandwidth. You are notified when they are available. If you choose not to install them at that time, they are applied at the day and time you specify in the dialog box.
Download updates for me, but let me choose when to install them     Downloads the updates using BITS. When they are downloaded, you receive a notification bubble telling you they are ready. You can install, defer, or reject them at that time.
Notify me but don’t automatically download or install them          Notifies you only of the existence of updates. When you choose to install them, they are downloaded and installed in the foreground.
Turn off Automatic Updates                                          Disables Automatic Updates.
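The four options in Table 2-9 are stored in the registry as the AUOptions value (1 = off, 2 = notify only, 3 = download and notify, 4 = automatic with a schedule), and a Group Policy setting under the Policies key overrides whatever the System Properties tab shows. The following PowerShell script is an added example, not code from the book or from Windows; it reads the effective setting, maps it back to the Table 2-9 wording, flags the "Turn off" state, and shows how the recommended setting would be enforced through the local policy key. The two Resolve-AuOption calls at the end run on constructed values; the registry paths and value names are the documented Automatic Updates ones, and the enforcement function is an assumption about how you would choose to apply the setting.

```powershell
# Added example, not from the book: read the effective Automatic Updates
# configuration from the registry and map it to the Table 2-9 options. A Group
# Policy setting (the Policies key) overrides the System Properties tab (the
# Auto Update key); AUOptions 1 or NoAutoUpdate = 1 is the "Turn off" state a
# practitioner should flag. Resolve-AuOption is pure and is also shown on
# constructed values. Set-AutomaticUpdatesRecommended writes the local policy
# values; run it only where local policy, not a domain GPO, is the intended control.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Resolve-AuOption {
    param([int] $Option, [string] $Source, $Day, $Hour)
    $setting = switch ($Option) {
        1 { 'Turn off Automatic Updates' }
        2 { "Notify me but don't automatically download or install them" }
        3 { 'Download updates for me, but let me choose when to install them' }
        4 { 'Automatic (recommended)' }
        5 { 'Allow local administrator to choose setting (policy only)' }
        default { 'Not configured' }
    }
    $schedule = $null
    if ($Option -eq 4) {
        $dayName = if (-not $Day -or $Day -eq 0) { 'Every day' }
                   else { [System.DayOfWeek]($Day - 1) }          # 1 = Sunday ... 7 = Saturday
        $schedule = '{0} at {1:00}:00' -f $dayName, [int]$Hour
    }
    [pscustomobject]@{
        Source    = $Source
        AUOptions = $Option
        Setting   = $setting
        Schedule  = $schedule
        Weak      = ($Option -eq 1)     # updates switched off entirely
    }
}

function Get-AutomaticUpdatesConfig {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($p) {
        if ($p.PSObject.Properties['NoAutoUpdate'] -and $p.NoAutoUpdate -eq 1) {
            return Resolve-AuOption -Option 1 -Source 'Group Policy'
        }
        if ($p.PSObject.Properties['AUOptions']) {
            return Resolve-AuOption -Option $p.AUOptions -Source 'Group Policy' `
                       -Day $p.ScheduledInstallDay -Hour $p.ScheduledInstallTime
        }
    }
    $l = Get-ItemProperty -Path $LocalKey -ErrorAction SilentlyContinue
    if ($l -and $l.PSObject.Properties['AUOptions']) {
        return Resolve-AuOption -Option $l.AUOptions -Source 'System Properties' `
                   -Day $l.ScheduledInstallDay -Hour $l.ScheduledInstallTime
    }
    Resolve-AuOption -Option 0 -Source 'Not configured'
}

function Set-AutomaticUpdatesRecommended {
    # Enforce "Automatic", every day at 03:00, through local policy, then make the
    # Automatic Updates client re-read its settings and check for updates now.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name AUOptions            -Value 4 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ScheduledInstallDay  -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ScheduledInstallTime -Value 3 -Type DWord
    wuauclt.exe /resetauthorization /detectnow
}

# Constructed values, not read from a real machine:
Resolve-AuOption -Option 4 -Source 'Sample' -Day 0 -Hour 3 | Format-List   # Schedule "Every day at 03:00"
Resolve-AuOption -Option 1 -Source 'Sample'                | Format-List   # Weak = True

# On the machine being audited:
# Get-AutomaticUpdatesConfig
```

Checking the Policies key first reproduces what the user sees on the tab: when a policy is present the tab is greyed out, so a report that only read the Auto Update key could show "Automatic" on a machine where a policy has turned updates off.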

SLIPSTREAMING SERVICE PACKS AND UPDATES

Organizations that use a network installation process for Windows XP can apply updates and service packs to their network installation point to reduce the amount of time it takes to update clients after they are installed. This is accomplished through a process called slipstreaming.

Slipstreaming Service Packs

Service packs can be slipstreamed into an installation point in two steps. First the service pack is extracted to a temporary folder, and then the Update.exe program within the extracted folder is run to update the installation point. After downloading the service pack, execute it with the /x command-line switch, giving the folder to extract into:

C:\> WindowsXP-KB835935-SP2-ENU.exe /x:C:\SP2

After the files are extracted, run update.exe with the /s switch, passing the folder that contains the i386 folder of the installation point (here C:\XPSource, which holds C:\XPSource\i386). This updates the installation files in place:

C:\> C:\SP2\i386\update\update.exe /s:C:\XPSource

The Service Pack 2 package also accepts the /integrate switch described next, which performs both steps in one command.

Slipstreaming Windows Updates

Many Windows updates can be slipstreamed into an installation point using a command-line switch. The /integrate switch causes the update to integrate with the installation point; as with /s, the path is the folder that contains the i386 folder, not the i386 folder itself:

C:\> KB123456.exe /integrate:C:\XPSource

MORE INFO For more information on slipstreaming updates, see Microsoft Knowledge Base article 828930, “How to Integrate Software Updates into Your Windows Installation Source Files.”
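The two commands above are the whole procedure, but an installation point is a supply-chain asset: every client built from it inherits whatever was integrated, so the packages should be checked before they are integrated and the result should be verified afterwards. The following PowerShell script is an added example and is not part of the book or of Microsoft's tooling. It verifies each package's Authenticode signature, runs the /x and /s steps for the service pack and the /integrate step for each hotfix, and parses i386\svcpack.inf (which /integrate updates) to list what ended up in the source. The folder and package paths are placeholders, and the svcpack.inf fragment at the end is constructed.

```powershell
# Added example, not from the book: slipstream a service pack and a folder of
# hotfix packages into an installation point, verifying each package's
# Authenticode signature first. Assumptions: $Source is the folder that
# contains the i386 folder (C:\XPSource, with C:\XPSource\i386), packages are
# the WindowsXP-KB*-ENU.exe downloads, and the package paths below are
# placeholders. Get-IntegratedHotfixes parses i386\svcpack.inf, which the
# /integrate switch updates; it is demonstrated here on constructed lines.

function Assert-MicrosoftSigned {
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to slipstream $Path : signature status $($sig.Status)"
    }
}

function Invoke-Package {
    param([string] $Path, [string] $Arguments)
    Assert-MicrosoftSigned -Path $Path
    $p = Start-Process -FilePath $Path -ArgumentList $Arguments -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "$Path $Arguments failed with exit code $($p.ExitCode)" }
}

function Invoke-Slipstream {
    param(
        [Parameter(Mandatory)] [string] $Source,         # e.g. C:\XPSource (contains i386)
        [string] $ServicePack,                            # e.g. C:\Downloads\WindowsXP-KB835935-SP2-ENU.exe
        [string] $HotfixFolder,                           # e.g. C:\Downloads\Hotfixes
        [string] $Extract = (Join-Path $env:TEMP 'sp_extract')
    )
    if (-not (Test-Path (Join-Path $Source 'i386'))) { throw "$Source does not contain an i386 folder" }

    if ($ServicePack) {
        # Step 1: extract the service pack; Step 2: run its Update.exe against the source.
        Invoke-Package -Path $ServicePack -Arguments "/x:$Extract"
        Invoke-Package -Path (Join-Path $Extract 'i386\update\update.exe') -Arguments "/s:$Source"
    }
    if ($HotfixFolder) {
        # Integrate hotfixes after the service pack, in KB-number order.
        Get-ChildItem -Path $HotfixFolder -Filter 'WindowsXP-KB*.exe' | Sort-Object Name | ForEach-Object {
            Invoke-Package -Path $_.FullName -Arguments "/integrate:$Source"
        }
    }
}

function Get-IntegratedHotfixes {
    # Returns the KB numbers listed in the [SetupHotfixesToRun] section of svcpack.inf.
    param([Parameter(Mandatory)] [string[]] $SvcpackLines)
    $inSection = $false
    foreach ($line in $SvcpackLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'SetupHotfixesToRun'); continue }
        if ($inSection -and $line -match '^\s*(KB\d+)') { $Matches[1] }
    }
}

# Constructed svcpack.inf fragment (not copied from a real installation point):
$sampleSvcpack = @(
    '[Version]', 'Signature="$Windows NT$"', 'MajorVersion=5', 'MinorVersion=1', 'BuildNumber=2600',
    '[SetupData]', 'CatalogSubDir="\i386\svcpack"',
    '[ProductCatalogsToInstall]', 'KB873333.cat', 'KB885835.cat',
    '[SetupHotfixesToRun]', 'KB873333.exe /q /n /z', 'KB885835.exe /q /n /z'
)
Get-IntegratedHotfixes -SvcpackLines $sampleSvcpack      # KB873333, KB885835

# Usage (paths are placeholders):
# Invoke-Slipstream -Source 'C:\XPSource' -ServicePack 'C:\Downloads\WindowsXP-KB835935-SP2-ENU.exe' -HotfixFolder 'C:\Downloads\Hotfixes'
# Get-IntegratedHotfixes -SvcpackLines (Get-Content 'C:\XPSource\i386\svcpack.inf')
```

Run the service pack before the hotfixes, as the script does: a hotfix integrated first would be replaced by the service pack's older copies of the same files.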

USING WINDOWS PRODUCT ACTIVATION Microsoft Windows Product Activation is an anti-piracy technology designed to prevent copying and hard-disk loading of Windows XP. It applies to all retail versions of Windows XP. OEM and volume-licensed versions of Windows XP are either preactivated (OEM) or do not require activation (volume).

How Windows Product Activation Works Users must activate Windows XP with their unique product keys within the defined grace period. For the retail version, this is 30 days from the time the system is installed. After expiration, Windows does not allow interactive logons until the system is activated. The activation program, however, still functions so that the activation can be performed. After activation, the system is returned to interactive status. During activation, Windows XP scans the systems hardware and uses the results of the scan to create a hash value. This scan is repeated during each system startup

CHAPTER 2:

INSTALLING WINDOWS XP PROFESSIONAL

after activation. Each hardware component that is replaced changes the hash, some (motherboards, for example) more than others (mice). If excessive changes are made to the hardware configuration of the computer, the hash value falls outside the allowable limits and Windows Product Activation requires you to reactivate your system. This prevents people from making copies of a Windows XP installation and giving or selling them to others for use with different system hardware.

Activating Windows XP Windows XP can be activated in two ways. It can be activated online over the Internet, and it can be activated via telephone. Both methods use the same application. Telephone activation is provided as a fallback for online activation or when the user prefers for privacy reasons to conduct the activation offline. The Windows Product Activation Wizard launches when you click on the activation reminder balloon that pops up every few days or when you click Activate Windows at the top of All Programs on the Start menu. Online Activation Within 30 days of installation, you can activate Windows XP using the Internet. Windows XP combines your product key with an arithmetic hash created from the results of a hardware scan to create an Installation ID. This is sent to Microsoft, and Windows XP is activated. Telephone Activation If you cannot access the Internet or do not wish to transmit the product information over the Internet, you can use telephone activation. Windows XP provides you with a telephone number to dial and shows the Installation ID on the screen. After providing the Installation ID to the Microsoft activation line, you receive a confirmation ID. Key this into the Activation dialog box, and click Next. Windows XP is activated.

Automating Windows Product Activation

Most mass installations of Windows XP use volume or OEM licensing and do not require activation. For retail versions, however, activation can be automated as a step in the unattended installation answer file: the answer file can instruct Setup to launch the Activation Wizard and perform an online activation, and Internet proxy settings for the wizard can be configured in the same file.
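As an added illustration (not from the book), the following answer-file fragment shows the activation step described above. AutoActivate and ActivateProxy are the [Unattended] keys Setup reads for this; the section name ActivationProxy is arbitrary (it is whatever ActivateProxy names) and its keys follow the Internet Explorer proxy-settings format. The product key, names and proxy host are placeholders.

```ini
; Added illustrative unattend.txt fragment (not from the book).
; Placeholders: the product key, the names in [UserData] and the proxy host.
[Unattended]
UnattendMode=FullUnattended
AutoActivate=Yes
ActivateProxy=ActivationProxy

[UserData]
FullName="Desktop Deployment"
OrgName="Contoso"
ComputerName=*
ProductKey=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

; Section named by ActivateProxy; same key format as the IE [Proxy] settings.
[ActivationProxy]
Proxy_Enable=1
Use_Same_Proxy=1
HTTP_Proxy_Server=proxy.contoso.com:8080
Proxy_Override=<local>
```

The answer file carries the product key in clear text, so restrict read access to the distribution share that holds it. Setup also saves a copy of the answer file on the installed system as %windir%\system32\$winnt$.inf; review that copy after installation.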


INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

TROUBLESHOOTING WINDOWS XP PROFESSIONAL SETUP

Your installation of Windows XP Professional should complete without any problems. However, this section covers some common issues you might encounter during installation.

Resolving Common Problems

Table 2-10 lists some common installation problems and offers solutions.

Table 2-10 Troubleshooting Tips

Problem: CD-ROM drive is not supported
Solution: Replace the CD-ROM drive with a supported drive. If replacement is impossible, try another installation method, such as installing over the network. After you complete the installation, add the adapter card driver for the CD-ROM drive, if it is available.

Problem: Insufficient disk space
Solution: Do one of the following:
■ Use the Setup program to create a partition by using existing free space on the hard disk.
■ Delete and create partitions as needed to create a partition that is large enough for installation.
■ Reformat an existing partition to create more space, or install a larger hard drive.

Problem: Dependency service fails to start
Solution: In the Windows XP Professional Setup Wizard, return to the Network Settings dialog box and verify that you installed the correct protocol and network adapter. Verify that the network adapter has the proper configuration settings, such as transceiver type, and that the local computer name is unique on the network.

Problem: Setup cannot connect to the domain controller
Solution: Do the following:
■ Verify that the domain name is correct.
■ Verify that the server running the DNS service and the domain controller are both running and online. If you cannot locate a domain controller, install Windows XP Professional into a workgroup and then join the domain after installation.
■ Verify that the network adapter card and protocol settings are set correctly.
■ Verify that there is a computer account on the domain.
■ If you are reinstalling Windows XP Professional and are using the same computer name, delete the computer account and re-create it.
■ Make sure you are using an account with rights to add computer accounts to the domain.

Problem: Windows XP Professional fails to install or start
Solution: Verify the following:
■ Windows XP Professional is detecting all of the hardware.
■ All of the hardware is in the Windows Catalog. If upgrading, try running Winnt32 /checkupgradeonly to verify that the hardware is compatible with Windows XP Professional.

Problem: Computer is unable to copy files from the CD-ROM (media errors occur)
Solution: Test the CD-ROM on another computer. If you can copy the files using a different CD-ROM drive on a different computer, use that drive to copy the files to a network share or to the hard drive of the computer on which you want to install Windows XP Professional.

Setup Logs

During Setup, Windows XP Professional generates a number of log files containing installation information that can help you resolve any problems that occur after setup is completed. The action log and the error log are especially useful for troubleshooting.


Action Log The action log records in chronological order the actions that the Setup program performs. It includes actions such as copying files and creating registry entries. It also contains the entries that are written to the Setup error log. The action log is stored in Setupact.log, in the %Windir% folder (usually C:\Windows).

Error Log The error log describes errors that occur during setup and their severity. If errors occur, the log viewer displays the error log at the end of setup. The error log is stored in Setuperr.log, in the %Windir% folder (usually C:\Windows).

Additional Logs Setup creates a number of additional logs, including the following:
■ %windir%\comsetup.log Outlines installation for Optional Component Manager and COM+ components.
■ %windir%\setupapi.log Receives an entry each time a line from an .inf file is implemented. If an error occurs, this log describes the failure.
■ %windir%\debug\NetSetup.log Logs activity when computers join domains or workgroups.
■ %windir%\repair\setup.log Provides information that is used by the Recovery Console. (In Windows NT 4, this file is used by the Emergency Repair Process.) For more information about the Recovery Console, see Chapter 15.
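As an added example (not from the book), here is a Python parser for two of the logs above. Setupapi.log is organized in bracketed section headers followed by entries whose leading code says what they are (#E error, #W warning, #I informational, #- general, #T trace); Setuperr.log is free text that is empty after a clean setup. The sample log text is constructed for this example: the prefix codes follow what Windows XP writes, but the three-digit numbers, device IDs and timestamps are made up.

```python
"""Pull the entries worth reading first out of Windows XP Setup logs.

Added example, not part of the book. setupapi.log groups work into sections
headed by a bracketed "[date time pid.tid description]" line; each entry
starts with '#' and a code letter: E error, W warning, I informational,
- general, T trace. The sample log text below is constructed.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(
    r"^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<pidtid>[\d.]+) (?P<what>.*)\]$"
)
ENTRY_RE = re.compile(r"^#(?P<kind>[-EWIT])(?P<code>\d{3}) (?P<text>.*)$")
SEVERITY = {"E": "error", "W": "warning", "I": "info", "-": "info", "T": "trace"}


@dataclass
class Finding:
    section: str
    when: str
    severity: str
    code: str
    text: str


@dataclass
class Report:
    sections: int = 0
    findings: list = field(default_factory=list)

    def errors(self) -> list:
        return [f for f in self.findings if f.severity == "error"]

    def warnings(self) -> list:
        return [f for f in self.findings if f.severity == "warning"]


def parse_setupapi(text: str) -> Report:
    """Collect #E and #W entries, each tagged with the section it occurred in."""
    report = Report()
    section, when = "(none)", ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            report.sections += 1
            section, when = m["what"], m["when"]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # continuation or unknown line: skip
        severity = SEVERITY[m["kind"]]
        if severity in ("error", "warning"):
            report.findings.append(Finding(section, when, severity, m["code"], m["text"]))
    return report


def setup_errors(text: str) -> list:
    """Setuperr.log is free text; every non-blank line is worth reading."""
    return [line for line in text.splitlines() if line.strip()]


# Constructed sample logs (codes, device IDs and timestamps are illustrative).
SAMPLE_SETUPAPI = """\
[2005/01/10 09:12:31 1044.12 Driver Install]
#-019 Searching for hardware ID(s): pci\\ven_8086&dev_24cb&subsys_00000000&rev_01
#I022 Found "PCI\\VEN_8086&DEV_24CB" in C:\\WINDOWS\\inf\\mshdc.inf; Device: "Intel(R) 82801DB Ultra ATA Storage Controller"
#I023 Actual install section: [PCI_IDE_Install.NT]. Rank: 0x00000000.
[2005/01/10 09:12:40 1044.12 Driver Install]
#-019 Searching for hardware ID(s): pci\\ven_10de&dev_0171&subsys_00000000&rev_a3
#W100 Query-removal during install of "PCI\\VEN_10DE&DEV_0171" was vetoed by "ROOT\\LEGACY_VGASAVE\\0000" (veto type 5: PNP_VetoOutstandingOpen).
#E154 Class installer failed. Error 2: The system cannot find the file specified.
#T200 Install Device: Begin.
"""
SAMPLE_SETUPERR = "Error:\nSetup failed to install the product catalogs. This is a fatal error.\n"

if __name__ == "__main__":
    rep = parse_setupapi(SAMPLE_SETUPAPI)
    for f in rep.errors() + rep.warnings():
        print(f"{f.when} {f.severity:7} #{f.code} [{f.section}] {f.text}")
    print(len(setup_errors(SAMPLE_SETUPERR)), "line(s) in Setuperr.log")
```

Point the two parsers at %windir%\setupapi.log and %windir%\setuperr.log on the failed system (or at copies taken with the Recovery Console). Reading the section header above an #E line tells you which device or .inf the class installer was working on when it failed, which is usually the question.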


SUMMARY

■ Preinstallation tasks include verifying hardware requirements and compatibility, determining file system type and partition size, and choosing domain or workgroup membership. The Windows Catalog lists all systems and hardware that have been certified to be compatible with Windows XP.
■ Methods to set up Windows XP include CD-ROM, network-based, Remote Installation Services (RIS), and installation from disk images. Disk image installations are accomplished with the help of the Sysprep utility, which prepares a system for imaging. Installation via CD-ROM and RIS can be automated to reduce administration costs. This automation is accomplished through the use of answer files and Uniqueness Database Files (UDFs) that control the installation process.
■ Most configuration settings can be reconfigured after setup is completed.
■ Several switches for Winnt.exe and Winnt32.exe allow you to modify the installation process. Some of these control unattended setup or the inclusion of additional folders to be copied to the system during the installation.
■ Before you upgrade a client computer to Windows XP Professional, you should ensure that it meets the minimum hardware requirements.
■ User settings and files can be migrated to a new system by using the Files And Settings Transfer Wizard. This tool copies files and settings into a file for transport to a new system.
■ Updates to Windows XP can be installed manually via Windows Update, slipstreamed into a network installation point, or installed by Automatic Updates.
■ Use setup logs to determine the cause of installation failures.


REVIEW QUESTIONS

1. List the client requirements for using Remote Installation Services (RIS), and explain why they are important.

2. Which of the following statements about file systems are correct? (Choose all that apply.)
   a. File- and folder-level security are available only with NTFS.
   b. Disk compression is available with FAT, FAT32, and NTFS.
   c. Dual-booting between Windows 98 and Windows XP Professional is available only with NTFS.
   d. Encryption is available only with NTFS.

3. Which of the following statements about joining a workgroup or a domain are correct? (Choose all that apply.)
   a. You can add your computer to a workgroup or a domain only during installation.
   b. If you add your computer to a workgroup during installation, you can join the computer to a domain later.
   c. If you add your computer to a domain during installation, you can join the computer to a workgroup later.
   d. You cannot add your computer to a workgroup or a domain during installation.

4. Which of the following configurations can you change after installing Windows XP Professional? (Choose all that apply.)
   a. Language
   b. Locale
   c. Keyboard settings
   d. All of the above


5. Describe how the /unattend and /UDF command-line switches for Winnt32.exe work together to automate an installation.

6. Which of the following operating systems can be upgraded directly to Windows XP Professional? (Choose all that apply.)
   a. Windows NT Workstation 4
   b. Windows NT 3.51
   c. Windows 2000 Professional
   d. Windows NT Server 4

7. Automatic Updates are used to apply which of the following types of updates?
   a. Optional Hardware Updates
   b. Optional Software Updates
   c. High Priority Updates
   d. Application Updates

8. If you encounter an error during setup, which of the following log files should you check, and why? (Choose all that apply.)
   a. Setuperr.log
   b. W3svc.log
   c. Setup.log
   d. Setupact.log


CASE SCENARIOS

Scenario 2-1: Dual-Booting

You are planning to dual-boot a computer with Windows 2000 Professional and Windows XP Professional. You have determined that there is plenty of disk space for a partition for each operating system. You are running the setup program and deciding which file system to use to format the partitions. Answer the following questions regarding this dual-boot setup:

1. Which of the following file systems can you use for the system partition of this computer?
   a. CDFS
   b. NTFS
   c. FAT32
   d. UFS

2. Which file system is the best choice for a secure installation?
   a. CDFS
   b. NTFS
   c. FAT32
   d. UFS

Scenario 2-2: Automatic Updates

You are setting up Automatic Updates for a computer that will run unattended for long periods of time. You are concerned that no users will be around to manually install updates. Which of the available options for applying automatic updates is the best choice for this scenario, and how can you manage the application of service packs to this system?

CHAPTER 3

MANAGING DISKS AND FILE SYSTEMS

Upon completion of this chapter, you will be able to:
■ Monitor and configure disks
■ Monitor, configure, and troubleshoot volumes
■ Monitor and configure removable media such as tape devices
■ Install, configure, and manage DVD and CD-ROM devices
■ Configure NTFS, FAT, and FAT32 file systems
■ Convert from one file system to another
■ Use disk optimization utilities: Disk Defragmenter, Chkdsk, and Disk Cleanup

This chapter deals with management and operation of storage technologies in Microsoft Windows XP. You will learn about installation and management of disks and removable media devices such as CD-ROMs, DVD-ROMs, and tape drives. We will explore management of basic and dynamic disks, volume management, and configuration and management of file systems. You will also use Disk Management to manage partitions and volumes on hard disks, mount volumes to NTFS folders, and manage remote systems. This chapter also shows you other disk management tools such as Disk Defragmenter and Chkdsk. You will learn how to use Disk Cleanup to reclaim disk space and learn best practices for disk management and optimization of storage.


UNDERSTANDING DISK MANAGEMENT

Whether you are setting up unused free space on a hard disk on which you installed Windows XP Professional or configuring a new hard disk, you must perform certain tasks. Before you can store data on a new hard disk, you must prepare it as follows:
■ Initialize the disk with a storage type. Initialization defines the fundamental structure of a hard disk. Windows XP Professional supports basic storage and dynamic storage. A physical disk can be either basic or dynamic; you can't use both storage types on one disk.
■ Divide the disk into partitions or volumes. Basic disks are divided into partitions, or discrete storage sections. Similar divisions of dynamic disks are called volumes.
■ Format the disk. After you create a partition or volume, you must format it with a file system: file allocation table (FAT), FAT32, or NTFS.

Understanding Basic Storage

The traditional industry standard is basic storage. All versions of MS-DOS, Windows, Windows NT, Windows 2000, and Windows XP support basic storage. For Windows XP Professional, basic storage is the default storage type. Basic storage dictates the division of a hard disk into partitions. A partition is a portion of the disk that functions as a physically separate unit of storage. Windows XP Professional recognizes primary and extended partitions. A disk that is initialized for basic storage is called a basic disk. A basic disk can contain primary partitions, extended partitions, and logical drives (as shown in Figure 3-1).

Figure 3-1 Basic and dynamic storage types (a basic disk with primary partitions C:, D:, E:, and F:, and a basic disk with primary partitions C:, D:, and E: plus an extended partition divided into the logical drives F:, G:, and H:)


Table 3-1 compares some of the characteristics of primary partitions and extended partitions.

Table 3-1 Primary and Extended Partitions

Primary Partitions
■ A basic disk can contain a maximum of four primary partitions, or up to three primary partitions if there is also an extended partition.
■ Can be marked as the active partition. The system BIOS looks to the active partition for the boot files to start the operating system (only one active partition per hard disk).
■ Each primary partition can be formatted and assigned a drive letter.

Extended Partitions
■ A basic disk can contain only one extended partition.
■ An extended partition can't be marked as the active partition.
■ Divided into logical drives, each of which can be formatted and assigned a drive letter.

NOTE The Windows XP Professional system partition is the active partition that contains the hardware-specific files required to load the operating system (Ntldr, Ntdetect.com, and Boot.ini). The Windows XP Professional boot partition is the primary partition or logical drive where the operating system files are installed. The boot partition and the system partition can be the same partition. However, the system partition must be on the active partition, typically drive C, whereas the boot partition can be on another primary partition or on a logical drive in an extended partition.
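As an added example (not from the book), the following Python code walks the partition table of a basic disk as Table 3-1 describes it: four 16-byte entries at offset 446 of the master boot record, a status byte of 0x80 marking the single active partition, at most one extended-type entry, and the logical drives found by following the chain of extended boot records inside it. The disk image is constructed in memory as a dictionary of sector number to 512 bytes; its layout mirrors Figure 3-1's second disk, three primary partitions plus an extended partition holding two logical drives.

```python
"""Walk the partition table of a basic (MBR) disk: primary partitions, the
active flag, and the logical drives chained inside the extended partition.

Added example, not part of the book. The 'disk' is a constructed dict mapping
sector number (LBA) to 512 bytes; only the sectors the walk needs exist.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446                  # four 16-byte entries, then 0x55AA at 510
ENTRY_FMT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F, 0x85}


def build_entry(active: bool, ptype: int, start_lba: int, sectors: int) -> bytes:
    """One partition table entry; CHS fields are filled with 0xFF (LBA is authoritative)."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", start_lba, sectors)


def build_sector(entries: list) -> bytes:
    """A boot sector with the given entries, unused slots zeroed, 0x55AA signature."""
    table = b"".join(entries) + bytes(16) * (4 - len(entries))
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


def parse_table(sector: bytes) -> list:
    """Return the non-empty entries of a boot sector's partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid boot sector: bad length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                                    # empty slot
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "start": start, "sectors": count})
    return entries


def walk_disk(disk: dict) -> dict:
    """Primaries, the extended container, and the logical drives chained inside it."""
    primaries, extended, logical = [], None, []
    for e in parse_table(disk[0]):
        if e["type"] in EXTENDED_TYPES:
            if extended is not None:
                raise ValueError("more than one extended partition")
            extended = e
        else:
            primaries.append(e)
    if sum(1 for p in primaries if p["active"]) > 1:
        raise ValueError("more than one active partition")
    if extended:
        ebr_lba, seen = extended["start"], set()
        while ebr_lba and ebr_lba not in seen:          # 'seen' guards against a looping chain
            seen.add(ebr_lba)
            if ebr_lba not in disk:
                raise ValueError(f"EBR chain points outside the image at LBA {ebr_lba}")
            entries = parse_table(disk[ebr_lba])
            data = next((e for e in entries if e["type"] not in EXTENDED_TYPES), None)
            if data:                                    # entry 0 is relative to this EBR
                logical.append({"type": data["type"], "start": ebr_lba + data["start"],
                                "sectors": data["sectors"]})
            link = next((e for e in entries if e["type"] in EXTENDED_TYPES), None)
            # the link entry is relative to the start of the extended partition
            ebr_lba = extended["start"] + link["start"] if link else 0
    return {"primaries": primaries, "extended": extended, "logical": logical}


def constructed_disk() -> dict:
    """C: (active, NTFS), D:, E: as primaries; extended partition with F: and G:."""
    ext_start = 6_000_000
    mbr = build_sector([
        build_entry(True, 0x07, 63, 2_000_000),             # C:
        build_entry(False, 0x07, 2_000_063, 2_000_000),     # D:
        build_entry(False, 0x0B, 4_000_063, 1_999_937),     # E: (FAT32)
        build_entry(False, 0x0F, ext_start, 4_000_000),     # extended container
    ])
    ebr1 = build_sector([
        build_entry(False, 0x07, 63, 1_999_937),            # F:, relative to this EBR
        build_entry(False, 0x05, 2_000_000, 2_000_000),     # next EBR, relative to ext_start
    ])
    ebr2 = build_sector([build_entry(False, 0x0B, 63, 1_999_937)])   # G:, end of chain
    return {0: mbr, ext_start: ebr1, ext_start + 2_000_000: ebr2}


if __name__ == "__main__":
    layout = walk_disk(constructed_disk())
    for p in layout["primaries"]:
        print("primary", hex(p["type"]), "active" if p["active"] else "      ", p["start"], p["sectors"])
    for l in layout["logical"]:
        print("logical", hex(l["type"]), "      ", l["start"], l["sectors"])
```

The three rejections in walk_disk and parse_table (missing signature, two active partitions, a looping or dangling EBR chain) are the checks to keep when the sector comes from a damaged disk or an image you did not create: the four-entry limit and the single active flag in Table 3-1 are conventions the firmware relies on, not guarantees the bytes will honor.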

Understanding Dynamic Storage

Windows 2000 and Windows XP Professional support dynamic storage, which is a standard that creates a single partition encompassing the entire disk. A disk that you initialize for dynamic storage is a dynamic disk. You divide dynamic disks into volumes, which can consist of a portion, or portions, of one or more physical disks. When you have converted a basic disk to dynamic storage, you can create Windows XP Professional volumes. Consider which of the following volume types (Figure 3-2) best suit your needs for efficient use of disk space and performance.
■ Simple volume Contains disk space from a single disk and is not fault tolerant.
■ Spanned volume Includes disk space from multiple disks (up to 32). Windows XP Professional writes data to a spanned volume on the first disk, completely filling the space, and continues in this manner through each disk that you include in the spanned volume. These volumes are not fault tolerant. If any disk in a spanned volume fails, the data in the entire volume is lost.
■ Striped volume Combines areas of free space from multiple hard disks (up to 32) into one logical volume. In a striped volume, Windows XP Professional optimizes performance by adding data to all disks at the same rate. If a disk in a striped volume fails, the data in the entire volume is lost.

Figure 3-2 Dynamic disks in Windows XP (multiple volumes C:, D:, and E: on a single hard disk; a spanned volume C: across 2–32 hard disks or portions of disks; a striped volume C: across 2–32 disks or portions of disks)

NOTE Windows 2000 Server and Windows Server 2003 provide fault tolerance on dynamic disks. Fault tolerance is the ability of a computer or an operating system to respond to some catastrophic events without loss of data. The server products provide mirrored volumes and RAID-5 volumes that are fault tolerant. Windows XP Professional does not provide fault tolerance.

NOTE Creating multiple volumes on a single hard disk allows you to efficiently organize data for such tasks as backing up data. For example, you can create a volume for the operating system, one for applications, and one for data. When you back up your data, you can back up the entire data volume on a daily basis and back up the application and operating system volumes on only a monthly or quarterly basis.


Working with Simple Volumes

A simple volume contains disk space from a single disk. You can extend a simple volume to include unallocated space on the same disk. You can create a simple volume and format it with NTFS, FAT, or FAT32, but you can extend a simple volume only if it is formatted with NTFS. A simple volume can be assigned a drive letter, left without a drive letter, or mounted as a folder on an existing NTFS volume. Mounting makes the volume's space available as part of the normal file system. You can disconnect the mounted volume at any time and reconnect it elsewhere, all without losing the data on the mounted volume.

NOTE The folder that serves as the mount point must be an empty folder on an NTFS volume. The mounted volume itself can be formatted with NTFS, FAT, or FAT32; the NTFS requirement applies to the host volume, not to the volume being mounted.

Working with Spanned Volumes

A spanned volume consists of disk space from multiple dynamic disks. Spanned volumes enable you to combine the available free space on these disks. They can't be part of a striped volume and are not fault tolerant. Only NTFS spanned volumes can be extended, and deleting any part of a spanned volume deletes the entire volume. You can combine various-sized areas of free space from 2 to 32 dynamic disks into one large logical volume. Windows XP Professional organizes spanned volumes so that data is stored in the space on one disk until it is full, and then, starting at the beginning of the next disk, data is stored in the space on the second disk, and so forth. You can extend existing spanned volumes formatted with NTFS by adding free space. Disk Management formats the new area without affecting any existing files on the original volume. You can't extend volumes formatted with FAT or FAT32, and you can't extend the system volume or a boot volume. Windows NT and Windows 2000 support a technology similar to XP spanned volumes called volume sets. You cannot import volume sets into Windows XP without first upgrading the basic disks to dynamic disks. You must do this before upgrading the operating system to Windows XP.

NOTE Windows NT systems do not support dynamic disks, so they must be upgraded first to Windows 2000 Professional and then to Windows XP. Alternatively, you can back up the disks and then restore them after the upgrade.


Working with Striped Volumes

Striped volumes offer the best performance of all the Windows XP Professional disk management strategies. In a striped volume, data is written evenly across all physical disks in 64-KB units. Because every disk in the striped volume holds a share of each large file, Windows XP can issue I/O commands to all the disks concurrently, which is how striped volumes increase system I/O throughput. You create striped volumes by combining areas of free space from multiple disks (from 2 to 32) into one logical volume. With a striped volume, Windows writes data to multiple disks, as with spanned volumes. However, on a striped volume, Windows XP writes files across all disks so that data is added to all disks at the same rate. Like spanned volumes, striped volumes don't provide fault tolerance. If a disk in a striped volume fails, the data in the entire volume is lost. You cannot extend striped volumes. Windows NT and Windows 2000 support an equivalent technology on basic disks called stripe sets. You cannot import stripe sets into Windows XP without first upgrading the basic disks to dynamic disks. You must do this before upgrading the operating system to Windows XP.

NOTE Windows NT systems do not support dynamic disks, so they must be upgraded first to Windows 2000 Professional and then to Windows XP. Alternatively, you can back up the disks and then restore them after the upgrade.
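The spanned and striped layouts described in the "Understanding Dynamic Storage" list and in the two sections above differ in where a given byte lands and in what one failed member takes with it. As an added example (not from the book), the following Python code maps a logical offset to a disk and physical offset for both layouts, using the 64-KB stripe unit the text gives, and computes which logical ranges a single disk failure removes. The extent sizes are constructed.

```python
"""Where a byte lands on a spanned vs. a striped volume, and what one failed
member disk takes with it.

Added example, not part of the book. Extent sizes are constructed; the
64 KB stripe unit is the one the text gives for Windows XP striped volumes.
"""
STRIPE = 64 * 1024
MIB = 1024 * 1024


def locate_spanned(offset: int, extents: list) -> tuple:
    """Spanned: extent 0 is filled completely, then extent 1, and so on."""
    for disk, size in enumerate(extents):
        if offset < size:
            return disk, offset
        offset -= size
    raise ValueError("offset beyond volume end")


def locate_striped(offset: int, ndisks: int, extent: int, stripe: int = STRIPE) -> tuple:
    """Striped: consecutive stripe units rotate round-robin across the disks."""
    if offset >= ndisks * extent:
        raise ValueError("offset beyond volume end")
    unit, within = divmod(offset, stripe)      # which stripe unit, and where inside it
    row, disk = divmod(unit, ndisks)           # unit n sits on disk n % ndisks, in row n // ndisks
    return disk, row * stripe + within


def lost_ranges(failed: int, layout: str, extents: list, stripe: int = STRIPE) -> list:
    """Logical byte ranges [start, end) that disappear when disk `failed` dies."""
    if layout == "spanned":
        start = sum(extents[:failed])
        return [(start, start + extents[failed])]           # one contiguous hole
    if layout == "striped":
        ndisks, extent = len(extents), min(extents)         # striped extents are equal-sized
        return [((row * ndisks + failed) * stripe, (row * ndisks + failed + 1) * stripe)
                for row in range(extent // stripe)]         # a hole every ndisks units
    raise ValueError(f"unknown layout {layout!r}")


def readable_fraction(failed: int, layout: str, extents: list) -> float:
    """Share of the volume's bytes still physically present after one disk fails."""
    total = sum(extents) if layout == "spanned" else len(extents) * min(extents)
    lost = sum(end - start for start, end in lost_ranges(failed, layout, extents))
    return 1 - lost / total


def file_pieces(offset: int, length: int, layout: str, extents: list) -> set:
    """Disks that hold some part of a file stored at [offset, offset + length)."""
    disks = set()
    # Sample one position per stripe unit plus the file's last byte; with extents
    # of at least one stripe unit this visits every disk the file touches.
    positions = list(range(offset, offset + length, STRIPE)) + [offset + length - 1]
    for pos in positions:
        if layout == "spanned":
            disk, _ = locate_spanned(pos, extents)
        else:
            disk, _ = locate_striped(pos, len(extents), min(extents))
        disks.add(disk)
    return disks


if __name__ == "__main__":
    spanned = [MIB, 2 * MIB, MIB]          # constructed: three extents of unequal size
    striped = [MIB, MIB, MIB]              # constructed: three equal extents
    print("byte 3 MiB on spanned ->", locate_spanned(3 * MIB, spanned))
    print("byte 3 units + 10 on striped ->", locate_striped(3 * STRIPE + 10, 3, MIB))
    print("disk 1 fails, spanned: readable", readable_fraction(1, "spanned", spanned))
    print("disk 0 fails, striped: readable", round(readable_fraction(0, "striped", striped), 3))
    print("200 KB file at 0 touches disks", file_pieces(0, 200 * 1024, "striped", striped))
```

"The data in the entire volume is lost" is true of the volume as a file system: NTFS cannot mount it with a member missing. The bytes on the surviving members are still physically present, and on a spanned volume a file that lived wholly on a surviving disk is intact and can be carved out of that disk. That matters in the other direction too: when you retire one member of a spanned volume, wipe it, because losing the rest of the set does not make its contents unreadable.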

Adding Disks

When you install new disks in a computer running Windows XP Professional, they are added as basic storage. To add a new disk, install or attach the new physical disk (or disks), and then choose Rescan Disks from the Action menu of the Disk Management snap-in in Computer Management (Figure 3-3). You must use Rescan Disks every time you remove or add a disk to a computer. You shouldn't need to restart the computer when you add a new disk. However, you might need to restart the computer if Disk Management doesn't detect the new disk after you run Rescan Disks.

Viewing Disk Properties

By right-clicking the physical disk in the lower pane of Disk Management and selecting Properties, you can view and configure properties and settings for the physical disk.

Figure 3-3 The Disk Management snap-in in Computer Management

These are the tabs of the disk Properties dialog box:
■ General Lists the device type, manufacturer, and physical location of the device, including the bus number or the Small Computer System Interface (SCSI) identifier. Lists the device status and provides access to the troubleshooter for the device.
■ Policies Allows you to set the following options for write caching and safe removal:
  ❑ Optimize For Quick Removal Disables write caching on the disk and in Windows
  ❑ Optimize For Performance Enables write caching in Windows to improve disk performance
  ❑ Enable Write Caching On This Disk Enables write caching to improve disk performance, but a power outage or equipment failure might result in data loss or corruption
■ Volumes Lists the volumes contained on this disk.
■ Driver Allows you to get detailed information about the driver, update the driver, roll back the driver, and uninstall the driver.

Disks are separated into partitions (basic disks) or volumes (dynamic disks). You can view or configure properties for a volume or partition by right-clicking the volume or partition in Disk Management and selecting Properties.


Viewing Volume or Partition Properties

By right-clicking the partition or volume (sometimes called the logical disk) in the upper pane of Disk Management and selecting Properties, you can view and configure properties and settings for the volume or partition. The tabs of the volume Properties dialog box are:
■ General Lists the volume label, type, file system, used space, free space, and total disk capacity. It also allows you to run Disk Cleanup, and on NTFS volumes it allows you to compress the drive and choose to have the Indexing Service index the disk for fast file searching.
■ Tools Allows you to check the partition or volume for errors, defragment it, and back it up.
■ Hardware Shows you all drives on the computer and allows you to view the properties of each device, including the manufacturer, location, and status of the device. It also allows you to access the troubleshooter for the device.
■ Sharing Allows you to share the drive, set permissions on the share, and determine the type of caching for the share.
■ Security Allows you to set the NTFS permissions. This tab is available only if the partition or volume is formatted with the NTFS file system and, on a computer that is not joined to a domain, only if Simple File Sharing is turned off in Folder Options.
■ Quota Allows you to enable and configure quota management. This tab is available only if the partition or volume is formatted with the NTFS file system.

NOTE Dynamic disks store information about their configuration in a small space at the end of the disk. As a result, you can take a disk that might be part of a spanned volume and import it into another system. Disk Management on the new system will recognize the imported disk as part of a spanned volume and ask for the rest of the disks. Users can thus move storage from one system to another without losing their data.

Changing the Storage Type

You can upgrade a disk from basic storage to dynamic storage at any time without loss of data. However, any disk to be upgraded must contain at least 1 MB of unallocated space for the upgrade to succeed. Before you upgrade disks, close any programs that are running on those disks.

IMPORTANT Always back up the data on a disk before converting the storage type.


Table 3-2 shows the results of converting a disk from basic storage to dynamic storage. Partitions and volumes are converted to their equivalent under the dynamic storage architecture.

Table 3-2 Basic Disk and Dynamic Disk Organization

Basic Disk Organization      Dynamic Disk Organization
System partition             Simple volume
Boot partition               Simple volume
Primary partition            Simple volume
Extended partition           Simple volume for each logical drive and an additional simple volume for remaining unallocated space
Logical drive                Simple volume
Volume set                   Spanned volume
Stripe set                   Striped volume

To upgrade a basic disk to a dynamic disk, in the Disk Management snap-in, right-click the basic disk that you want to upgrade, and then choose Upgrade To Dynamic Disk (Figure 3-4). The system will verify your intentions and begin the upgrade. If the disk contains the system partition, the boot partition, or any partition that is currently in use, you must restart the computer to complete the upgrade.

Figure 3-4 Initiating an upgrade from basic to dynamic disk

If you find it necessary to convert a dynamic disk to a basic disk, you must remove all volumes from the dynamic disk before you can change it to a basic disk. To convert a dynamic disk to a basic disk, right-click the dynamic disk, and then choose Revert To Basic Disk.

CAUTION All data on a dynamic disk will be lost when you revert it to a basic disk.


Using Refresh and Rescan Disks

If you need to update the information displayed in Disk Management, you can use the Refresh and Rescan commands. The Refresh command updates the drive letter, file system, volume, and removable media information, and it determines whether unreadable volumes are now readable. It does not scan for new disk hardware. To refresh disk information, choose Refresh from the Action menu. Rescan Disks updates hardware information. When Disk Management rescans disks, it scans all attached disks for disk configuration changes. It then performs the Refresh command. Rescanning disks can take several minutes, depending on the number of hardware devices installed. To rescan disks, choose Rescan Disks from the Action menu.

Managing Disks on a Remote Computer

In a domain environment, users whose accounts hold local administrator rights on the remote computer, such as members of the Domain Admins group (which is placed in each member computer's local Administrators group by default) or of the Server Operators group on a domain controller, can manage disks on remote computers. In a workgroup environment, you can manage disks on a remote computer running Windows XP Professional if an account with the same user name and password exists on both the local and the remote computer (as shown in Figure 3-5). Two Windows XP defaults get in the way here: an account with a blank password is limited to console logon and cannot be used over the network, and while Simple File Sharing is enabled, incoming network connections are authenticated as Guest, so the matching account's administrator rights are not available remotely.

Figure 3-5 The Computer Management console connecting to a remote computer

To manage disks on a remote computer, take the following steps:
1. Open Computer Management and focus it on the remote computer by right-clicking Computer Management (Local) and selecting Connect To Another Computer.
2. Type the name of the other computer, and click OK. If you have permissions to manage the remote system, you can use Computer Management to manage it. If you do not, you can view only limited information.
3. Locate Disk Management under the Storage section.

MANAGING REMOVABLE STORAGE

Removable Storage is a simple way to manage and access all removable storage media on a system. It is a set of device and media management application programming interfaces (APIs) that together form a structure for managing media allocation, tracking, and utilization. Some functions that are supported by Removable Storage are:
■ Injecting and ejecting media
■ Maintaining media pools and media libraries to consolidate media tracking
■ Brokering application access to media
■ Providing a storage management interface for administrators

Using the Removable Storage Manager

The Removable Storage Manager (RSM) interface is located inside the Computer Management console. In this application, an administrator or operator can view media pools, media allocation, and work queues. Figure 3-6 shows a CD-ROM and a smart media card mounted in the RSM.

Figure 3-6 The RSM showing a CD-ROM and a smart media card


Managing Media Pools

A media pool manages a collection of media. The media in the pool must be of the same type and configuration. An example of a media pool is a collection of tapes used for a backup rotation, which are assigned on successive days to back up system files. By organizing them into pools, you can protect them from use by other applications. This protects their data from accidental deletion. Media pools can be created and managed in the RSM. A media pool serves as a container for the media allocated to a specific application. It is not available for another application until it is released to the Free media pool or moved to the media pool belonging to the other application. There are four default media pool types:
■ Free Contains all media that have been detected by the system but not allocated to any application.
■ Import Contains media that are recognized but known to contain data from another application. They are placed here for protection until they can be placed in an appropriate media pool.
■ Unrecognized Contains media that the system does not recognize. Typically these are media of a type not known to the system, but they can also be corrupted media of a known type.
■ Application-Specific Applications such as Backup create media pools to manage their own media.

NOTE If you open the RSM and do not see your media pools, select Removable Storage and, from the View menu, select Full. This provides the full view of all removable storage resources.

Managing the Work Queue

During a backup it might be necessary to insert additional media or respond to media errors to allow the backup to be completed. When this happens, you may receive a message to check the RSM console. Figure 3-7 shows Removable Storage displaying work queues. If you select Work Queue in the RSM, you will see a list of completed, active, and pending requests. If you are having problems with media allocation or are troubleshooting a failure of your CD-ROM to eject, check here to see if there is an active request on your media.

Working with Mounted Media

When you are using the RSM, you can find your mounted media by clicking the library that contains the media or by selecting the media folder. Once your media is selected, if it supports Eject commands you can eject it right from the RSM. This comes in handy when you must eject media on a remote system.

Figure 3-7 Removable Storage Manager displaying work queues

Working with Media on a Remote Computer To work with media on a remote computer, right-click the root folder in Computer Management and choose to connect to a remote computer. Working with Libraries All media devices are classified as libraries in the RSM. This allows all applications on the system that communicate with the removable storage APIs to access data on any media that is visible to Removable Storage. The APIs built into Removable Storage make device differences transparent to the applications. All the application has to know is how to work with Removable Storage. Removable Storage then manages the device and media, providing data storage to the application (as shown in Figure 3-8).

Figure 3-8 Removable Storage service providing access to data on various media types (diagram: Backup, Windows Explorer, Media Player, and a photo editing application reach Tape, USB, DVD, and Diskette media through the Removable Storage service)


INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

MANAGING COMPRESSION

Windows XP Professional supports two types of compression: NTFS compression and compressed folders. NTFS compression enables you to compress files, folders, or an entire drive. NTFS compressed files and folders occupy less space on an NTFS-formatted volume, which enables you to store more data. Each file and folder on an NTFS volume has a compression state, which is either compressed or uncompressed. The Compressed Folders feature allows you to create a compressed folder so that all files you store in that folder are automatically compressed.

Using Compressed Folders

The Compressed Folders feature, which is new in Windows XP Professional, allows you to create compressed folders and view their contents. It also allows you to compress large files so that you can store more files on a floppy disk or a hard drive. The compressed “folders” are in reality Zip-compatible archives and can be read by any operating system or application that can read .zip files. To create a compressed folder, start Windows Explorer and then choose File | New | Compressed Folder. This creates a compressed folder in the current folder. You can drag and drop files into the compressed folder, and the files will be compressed automatically. If you copy a file from the compressed folder to another folder that is not compressed, that file will no longer be compressed. A zipper icon denotes a compressed folder (as shown in Figure 3-9), and these folders are labeled Compressed Folder.

Figure 3-9 A compressed folder showing the zipper icon


Benefits of using compressed folders generated with the Compressed Folders feature include the following:

■ You can create and use compressed files and folders on both FAT and NTFS volumes.

■ You can open files directly from the compressed folders, and you can run some programs directly from compressed folders.

■ You can move these compressed files and folders to any drive or folder on your computer, the Internet, or your network, and they will be compatible with any program that can read Zip archives.

■ You can encrypt compressed folders that you created using this feature.

NOTE You can compress individual files only by storing them in a compressed folder. If you move or extract the files into an uncompressed folder, they will be uncompressed.

Using NTFS Compression

NTFS compressed files can be read and written to by any application. When an application (such as Microsoft Word or Excel) or an operating system command (such as Copy) requests access to a compressed file, NTFS uncompresses the file before making it available. When you close or explicitly save a file, NTFS compresses it again. Some benefits of NTFS compression include:

■ You can open files and run applications directly from the compressed folders.

■ NTFS compression is integrated directly with NTFS and can be applied by modifying the compression attribute on files and folders.

■ NTFS handles all compression and decompression “on the fly.”

■ NTFS compressed files can be made to appear in an alternative text color to indicate their compressed status.

NTFS allocates disk space based on uncompressed file size. If you copy a compressed file to an NTFS volume with enough space for the compressed file but not enough space for the uncompressed file, you might get an error message stating that there is not enough disk space for the file, and the file will not be copied to the volume.

Compressing Files and Folders Using NTFS Compression

You can set the compression state of folders and files, and you can change the color that is used to display compressed files and folders in Windows Explorer.


If you want to set the compression state of a folder or file, right-click the folder or file in Windows Explorer, choose Properties, and then click Advanced. In the Advanced Attributes dialog box, shown in Figure 3-10, select the Compress Contents To Save Disk Space check box. Click OK, and then, in the Properties dialog box, click Apply.

NOTE NTFS encryption and compression are mutually exclusive. For that reason, if you select the Encrypt Contents To Secure Data check box, you cannot compress the folder or file.

Figure 3-10 The Advanced Attributes dialog box

IMPORTANT To change the compression state for a file or a folder, you must have Write permission for that file or folder.

The compression state for a folder does not reflect the compression state of the files and subfolders in that folder. A folder can be compressed while all of the files in that folder are uncompressed. Alternatively, an uncompressed folder can contain compressed files. When you compress a folder that contains one or more files, folders, or both, Windows XP Professional displays the Confirm Attribute Changes dialog box, shown in Figure 3-11.

Figure 3-11 The Confirm Attribute Changes dialog box


The Confirm Attribute Changes dialog box has two additional options:

■ Apply Changes To This Folder Only Compresses only the folder that you have selected

■ Apply Changes To This Folder, Subfolders, And Files Compresses the folder and all subfolders and files that are contained within it and are subsequently added to it

Compressing a Drive or Volume Using NTFS Compression

You can set the compression state of an entire NTFS drive or volume. To do so, in Windows Explorer, right-click the drive or volume, and then choose Properties. In the Properties dialog box, select the Compress Drive To Save Disk Space check box, as shown in Figure 3-12, and then click OK.

Figure 3-12 The Local Disk (C:) Properties dialog box

Displaying NTFS compressed files and folders in a different color

Windows Explorer makes it easy for you to quickly determine whether a file or folder is compressed. By default, it displays the names of compressed files and folders in a different color to distinguish them from those that are uncompressed. To display compressed files and folders in a different color:

1. In Windows Explorer, choose Tools | Folder Options.

2. On the View tab, clear the Show Encrypted Or Compressed Files In Color check box to turn off displaying the names of compressed files and folders in a different color, or select it to display the names in a different color.

Copying and Moving NTFS Compressed Files and Folders

There are rules that determine whether the compression state of files and folders is retained when you copy or move them within and between NTFS and FAT volumes. The following list describes how Windows XP Professional treats the compression state of a file or folder when you copy or move a compressed file or folder within or between NTFS volumes or between NTFS and FAT volumes.

■ Copying a file within an NTFS volume When you copy a file within an NTFS volume (shown as A in Figure 3-13), the file inherits the compression state of the target folder. For example, if you copy a compressed file to an uncompressed folder, the file is uncompressed.

■ Moving a file or folder within an NTFS volume When you move a file or folder within an NTFS volume (shown as B in Figure 3-13), the file or folder retains its original compression state. For example, if you move a compressed file to an uncompressed folder, the file remains compressed.

■ Copying a file or folder between NTFS volumes When you copy a file or folder between NTFS volumes (shown as C in Figure 3-13), the file or folder inherits the compression state of the target folder.

■ Moving a file or folder between NTFS volumes When you move a file or folder between NTFS volumes (shown as C in Figure 3-13), the file or folder inherits the compression state of the target folder. Because Windows XP Professional treats a move as a copy and a delete, the files inherit the compression state of the target folder.

■ Moving or copying a file or folder to a FAT volume Windows XP Professional supports compression only for NTFS files. When you move or copy a compressed NTFS file or folder to a FAT volume, Windows XP Professional uncompresses the file or folder.

■ Moving or copying a compressed file or folder to a floppy disk When you move or copy a compressed NTFS file or folder to a floppy disk, Windows XP Professional uncompresses the file or folder.

Figure 3-13 The effects of copying and moving compressed folders and files (diagram: A, copy within an NTFS volume, inherits; B, move within an NTFS volume, retains; C, move or copy between NTFS volumes, inherits)


NOTE When you copy a compressed NTFS file, Windows XP Professional uncompresses the file, copies the file, and then compresses the file again as a new file. This might cause performance degradation when many large files are copied at once.

NTFS Compression Guidelines

The following list provides best practices for using compression on NTFS volumes:

■ Because some file types compress more than others, select file types to compress based on the anticipated resulting file size. For example, because Windows bitmap files contain more redundant data than application executable files, this file type compresses to a smaller size. Bitmaps often compress to less than 50 percent of the original file size, whereas application files rarely compress to less than 75 percent of the original size.

■ Do not store compressed files, such as PKZip files, in a compressed folder. Windows XP Professional will attempt to compress the file, wasting system time and yielding no additional disk space.

■ Compress static data rather than data that changes frequently. Compressing and uncompressing files incurs some system overhead. By choosing to compress files that are infrequently accessed, you minimize the amount of system time dedicated to compression and uncompression activities.

■ NTFS compression can cause performance degradation when you copy and move files. When a compressed file is copied, it is uncompressed, copied, and then compressed again as a new file. You should compress data that is not copied or moved frequently.

INCREASING SECURITY WITH THE EFS

Encryption is the process of making information indecipherable to protect it from unauthorized viewing or use. The Encrypting File System (EFS) provides encryption for data in NTFS files stored on disk. This encryption is public key–based and runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the file owner. If a user who attempts to access an encrypted NTFS file has the private key to that file, the file can be decrypted so that the user can open the file and work with it transparently as a normal document. A user without the private key is denied access. Windows XP Professional also includes the Cipher command, which provides the ability to encrypt and decrypt files and folders from a command prompt. Windows XP Professional also lets you specify a recovery agent. If the owner loses the private key, the person designated as the recovery agent can still recover the encrypted file.

Understanding the EFS

The EFS allows users to encrypt NTFS files by using a strong public key–based cryptographic scheme that encrypts all files in a folder. Users with roaming profiles can use the same key with trusted remote systems. No administrative effort is needed to begin, and most operations are transparent. Backups and copies of encrypted files are also encrypted if they are in NTFS volumes. Files remain encrypted if you move or rename them, and temporary files created during editing and left unencrypted in the paging file or in a temporary file do not defeat encryption. You can set policies to recover EFS-encrypted data when necessary. The recovery policy is integrated with overall Windows XP Professional security policy. Control of this policy can be delegated to individuals with recovery authority, and you can configure different recovery policies for different parts of the enterprise. Data recovery discloses only the recovered data, not the key that was used to encrypt the file. Several protections ensure that data recovery is possible and that no data is lost in the case of total system failure. The EFS is implemented from Windows Explorer or from the command line. You can enable or disable it for a computer, domain, or organizational unit (OU) by setting recovery policy in the Group Policy console in the Microsoft Management Console (MMC).

NOTE To be subject to Group Policy for the domain or for an OU, your computer must be part of an Active Directory domain.

You can use EFS to encrypt and decrypt files on remote file servers but not to encrypt data that is transferred over the network. Windows XP Professional supports secure network protocols, such as Internet Protocol Security (IPSec), to encrypt data over the network. Here are the key features provided by the EFS:

■ Transparent encryption In the EFS, file encryption does not require the file owner to decrypt and re-encrypt the file on each use. Decryption and encryption happen transparently on file reads and writes to disk.

■ Strong protection of encryption keys Public key encryption resists all but the most sophisticated methods of attack. Therefore, in the EFS, the file encryption keys are encrypted using a public key from the user’s certificate (X.509 v3 certificates in the case of Windows XP Professional and Windows 2000). The list of encrypted file encryption keys is stored with the encrypted file and is unique to it. To decrypt the file encryption keys, the file owner supplies a private key, which only he or she has.

■ Integral data-recovery system If the owner’s private key is unavailable, the recovery agent can open the file using the agent’s private key. You can have more than one recovery agent, each with a different public key, but at least one public recovery key must be present on the system to encrypt a file.

■ Secure temporary and paging files Many applications create temporary files while you edit a document, and these temporary files can be left unencrypted on the disk. On computers running Windows XP Professional, the EFS can be implemented at the folder level, so any temporary copies of an encrypted file are also encrypted, provided that all files are on NTFS volumes. The EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption keys, ensuring that they are never copied to the paging file.

Encrypting

The recommended method for encrypting files is to create an NTFS folder and then encrypt the folder. To encrypt a folder, in the Properties dialog box for the folder, click the General tab. On the General tab, click Advanced, and then select the Encrypt Contents To Secure Data check box (Figure 3-14). All files placed in the folder are encrypted, and the folder is marked for encryption. Folders that are marked for encryption are not actually encrypted; only the files within the folder are encrypted.

NOTE Compressed files cannot be encrypted, and encrypted files cannot be compressed with NTFS compression.

Figure 3-14 Encrypting files


After you encrypt the folder, when you save a file in that folder, the file is encrypted using file encryption keys, which are fast symmetric keys designed for bulk encryption. The file is encrypted in blocks, with a different file encryption key for each block. All of the file encryption keys are stored and encrypted in the Data Decryption Field (DDF) and the Data Recovery Field (DRF) in the file header.

CAUTION If an administrator removes the password on a user account, the user account loses all EFS-encrypted files, personal certificates, and stored passwords for Web sites or network resources. Each user should make a password reset disk to avoid this situation. To create a password reset disk on a floppy disk, open User Accounts and, under Related Tasks, click Prevent A Forgotten Password. The Forgotten Password Wizard steps you through creating the password reset disk. Store the password reset disk in a secure location to prevent fraudulent use.

Decrypting

To decrypt a folder or file, you clear the Encrypt Contents To Secure Data check box in a folder or file’s Advanced Attributes dialog box, which you access from that folder or file’s Properties dialog box. Once decrypted, the file remains unencrypted until you select the Encrypt Contents To Secure Data check box (Figure 3-15).

Figure 3-15 Decrypting files

Using the Cipher Command

The Cipher command lets you encrypt and decrypt files and folders from a command prompt. The following example shows the available switches for the Cipher command, described in Table 3-3:

cipher [/e | /d] [/s:folder_name] [/a] [/i] [/f] [/q] [/h] [/k] [file_name [...]]

Table 3-3 Cipher Command Options

Switch     Description
/e         Encrypts the specified folders. Folders are marked so any files that are added later are encrypted.
/d         Decrypts the specified folders. Folders are marked so any files that are added later are not encrypted.
/s         Performs the specified operation on files in the given folder and all subfolders.
/a         Performs the specified operation on files as well as folders. Encrypted files can be decrypted when modified, if the parent folder is not encrypted. To avoid this, encrypt the file and the parent folder.
/i         Continues performing the specified operation even after errors have occurred. By default, Cipher stops when an error is encountered.
/f         Forces the encryption operation on all specified files, even those that are already encrypted. Files that are already encrypted are skipped by default.
/q         Reports only the most essential information.
/h         Displays files with the hidden or system attributes, which are not shown by default.
/k         Creates a new file encryption key for the user running the Cipher command. Using this option causes the Cipher command to ignore all other options.
file_name  Specifies a pattern, file, or folder.

If you run the Cipher command without parameters, it displays the encryption state of the current folder and any files that it contains. You can specify multiple file names and use wildcards. You must put spaces between multiple parameters.

Using a Recovery Agent

If you lose your file encryption certificate and associated private key through disk failure or any other reason, a person designated as the recovery agent can open the file using her own certificate and associated private key. If the recovery agent is on another computer in the network, send the file to her for recovery on her system. She can bring her private key to the owner’s computer, but it is not good security practice to copy a private key onto another computer.


NOTE The default recovery agent is the administrator of the local computer, unless the computer is part of a domain. In a domain, the domain administrator is the default recovery agent. You can designate alternative EFS recovery accounts for computers grouped by OUs. Before you can designate accounts to other recovery agents in a Windows 2000 or Windows Server 2003 domain, you must deploy Certificate Services to issue recovery agent certificates. For more information about Certificate Services, see Chapter 16 in the Microsoft Windows 2000 Server Resource Kit Distributed System Guide.

It is good security practice to rotate recovery agents. However, if the agent designation changes and the original agent’s recovery keys are deleted without files having been decrypted and then re-encrypted with the new keys, access to the files is denied to all users. For this reason, you should keep the recovery agent’s certificates and private keys until all files that are encrypted with them have been decrypted and re-encrypted with the new recovery agent’s keys. 
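The key handling the book describes above (one symmetric file encryption key per file, wrapped in the DDF for the owner and in the DRF for each recovery agent) and the rotation caveat in the preceding paragraph, worked through in Go as an added example that is not part of this book or of the Windows EFS implementation. It is a simplified model: RSA-OAEP and AES-GCM are assumed stand-ins for the certificate-based key wrapping and the bulk cipher the book does not name, and every function name is invented for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedFile models an EFS-protected file: data under a random FEK, plus the DDF and DRF holding that FEK.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	DDF        [][]byte // FEK wrapped under the owner's public key
	DRF        [][]byte // FEK wrapped under each recovery agent's public key
}

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapAll wraps the FEK under each public key (RSA-OAEP stands in for certificate-based wrapping).
func wrapAll(keys []*rsa.PublicKey, fek []byte) ([][]byte, error) {
	var out [][]byte
	for _, k := range keys {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, k, fek, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, w)
	}
	return out, nil
}

// Encrypt generates a fresh FEK, encrypts the data with it, and stores the FEK in the DDF
// (owner) and the DRF (one entry per agent). At least one recovery agent key must be present.
func Encrypt(plaintext []byte, owner *rsa.PublicKey, agents []*rsa.PublicKey) (*EncryptedFile, error) {
	if len(agents) == 0 {
		return nil, errors.New("no recovery agent key present; refusing to encrypt")
	}
	buf := make([]byte, 32+12) // AES-256 FEK followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapAll(append([]*rsa.PublicKey{owner}, agents...), fek)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), DDF: wrapped[:1], DRF: wrapped[1:]}, nil
}

// recoverFEK tries the holder's private key against every DDF and DRF entry.
func recoverFEK(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, entry := range append(append([][]byte{}, ef.DDF...), ef.DRF...) {
		if fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, entry, nil); err == nil {
			return fek, nil
		}
	}
	return nil, errors.New("no DDF or DRF entry matches this private key")
}

// Decrypt succeeds for the owner or any listed recovery agent and for nobody else.
func Decrypt(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := recoverFEK(ef, priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RotateRecoveryAgents replaces the DRF with entries for the new (non-empty) agent list. The caller
// must still hold a key that unwraps the FEK (owner or an old agent), which is why old recovery keys
// are kept until every file has been re-encrypted with the new ones.
func RotateRecoveryAgents(ef *EncryptedFile, holder *rsa.PrivateKey, agents []*rsa.PublicKey) error {
	fek, err := recoverFEK(ef, holder)
	if err != nil {
		return err
	}
	drf, err := wrapAll(agents, fek)
	if err != nil {
		return err
	}
	ef.DRF = drf
	return nil
}
```

After rotation the old agent's key no longer opens the file while the owner's still does, so deleting the old agent's key before every file has been re-keyed this way leaves those files recoverable by nobody but the owner.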

To recover an encrypted file:

1. If the file was lost due to disk failure, use Backup or another backup tool to restore a backup version of the encrypted file or folder to the computer where the recovery agent’s file recovery certificate is located. If the user key was lost due to the user clearing his password but the file is otherwise intact, proceed to step 2.

2. The recovery agent should log on to the system and locate the restored file.

3. In Windows Explorer, the recovery agent should open the Properties dialog box for the file or folder. On the General tab, click Advanced.

4. Clear the Encrypt Contents To Secure Data check box.

5. Return the decrypted file or folder to the user.

Managing Recovery Agents

To ensure that an agent is available to decrypt files when the user’s key is lost, you must designate a recovery agent before using EFS. This involves generating the recovery agent’s key and importing it into her certificate store. After designating a recovery agent, you have other management tasks to perform. This section lists a series of procedures you can use to manage recovery agents and recovery keys.

To generate a recovery agent certificate:

1. Log on as an administrator.

2. At a command prompt, type cipher /r:filename. This creates a recovery agent certificate and decryption key.


To designate a recovery agent:

1. Log on as the person who will be the recovery agent.

2. Open an empty Microsoft Management Console (MMC) session by typing mmc at a command prompt.

3. On the File menu, choose Add/Remove Snap-in to open the Add/Remove Snap-in dialog box (Figure 3-16).

Figure 3-16 Adding a snap-in to an empty MMC session.

4. Click Add to open the Add Standalone Snap-in dialog box.

5. Select the Certificates snap-in, and click Add.

6. When you are asked to specify which account this snap-in will manage, select My User Account.

7. Close the Add Standalone Snap-in dialog box, and click OK to close the Add/Remove Snap-in dialog box.

8. Right-click the Personal folder in the Certificates snap-in, and choose Import from the All Tasks menu. This starts the Certificate Import Wizard. (You can also start the Certificate Import Wizard by double-clicking a certificate file.) Enter the name of your certificate file (generated earlier with Cipher), and complete the wizard to import the .cer file containing the recovery agent certificate.

1. Log on as a local administrator, and launch the Group Policy console by typing gpedit.msc at a command prompt.

2. Expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.


3. Right-click Encrypting File System, select Add Data Recovery Agent (Figure 3-17), and complete the Add Data Recovery Agent Wizard, selecting the new recovery agent.




Figure 3-17 Adding a data recovery agent

To remove a recovery agent:

1. In the Group Policy console, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and Encrypting File System.

2. Select the recovery agent to remove and delete the certificate.

Managing Recovery Keys

You can use the Certificate Export Wizard to export the recovery agent’s certificate and recovery key to a disk.

To export a certificate:

1. Open the Certificates snap-in, and then expand the Personal folder.

2. Double-click Certificates, and then right-click the recovery agent’s certificate.

3. Select All Tasks, and then select Export.

4. Select Yes, Export The Private Key. You have the option of exporting and then deleting the recovery key; if you delete it, you will be required to import it to decrypt any files that require the recovery agent’s services.


5. Select an option, and then click Next.

6. Enter a strong password to protect your exported key.

7. Click Next, and enter a file name for the exported certificate and private key.

8. Click Next, review the final information, and then click Finish. The exported key will have a .pfx extension.

To import recovery certificates and keys:

1. Start the Certificate Import Wizard by double-clicking a certificate file.

2. Enter the password that protects the private key.

3. Designate a location for the certificate. The default location is the personal certificate store.

Disabling the EFS

You can disable EFS for a domain, OU, or computer by applying an empty Encrypted Data Recovery Agent policy setting. Until Encrypted Data Recovery Agent settings are configured and applied through Group Policy, there is no policy, so the EFS uses the default recovery agents. Once the settings have been configured and applied, the EFS must use the recovery agents listed in the Encrypted Data Recovery Agents Group Policy setting. If the policy that is applied is empty, the EFS does not operate.

EFS Best Practices

■ Teach users to export their certificates and private keys to removable media and store the media securely when it is not in use. This protects against attackers who physically obtain the computer and try to access the private key.

■ Teach users to encrypt folders rather than files. Encrypting files at the folder level helps ensure that files are not unexpectedly decrypted.

■ The private keys that are associated with recovery certificates are extremely sensitive. These keys must be exported and stored in a secure location when they are not in use.

■ Do not destroy recovery keys when recovery agents are changed. Keep them until all files that might have been encrypted with them have been encrypted with new keys.

■ Designate two or more recovery agents. This provides redundancy for file recovery.


MANAGING DISK QUOTAS

You use disk quotas to manage storage growth in distributed environments. Disk quotas allow you to allocate disk space to users based on the files and folders they own. You can set disk quotas, quota thresholds, and quota limits for all users and for individual users. You can also monitor the amount of hard disk space that users have used and the amount that they have left against their quota.

Understanding Disk Quota Management

Windows XP Professional disk quotas track and control disk usage on a per-user, per-volume basis. Windows XP Professional tracks disk quotas for each volume, even if the volumes are on the same hard disk. Because quotas are tracked on a per-user basis, every user’s disk space is tracked regardless of the folder in which he stores files. Some characteristics of disk quotas:

■ Disk usage is based on file and folder ownership. Windows XP Professional calculates disk space usage for users based on the files and folders they own. When a user copies or saves a new file to an NTFS volume or takes ownership of a file on an NTFS volume, Windows XP Professional charges the disk space for the file against the user’s quota limit.

■ Disk quotas do not use compression. Windows XP Professional ignores compression when it calculates hard disk space usage. Users are charged for each uncompressed byte, regardless of how much hard disk space is actually used. This is done partially because file compression produces different degrees of compression for different types of files. Different uncompressed file types that are the same size might end up being very different sizes when they are compressed.

■ Free space for applications is based on a quota limit. When you enable disk quotas, the free space that Windows XP Professional reports to applications for the volume is the amount of space remaining within the user’s disk quota limit.

NOTE Disk quotas can be applied only to NTFS 5 volumes (Windows 2000, Windows XP, and Windows Server 2003).

You use disk quotas to monitor and control hard disk space usage. System administrators can do the following:

■ Set a disk quota limit to specify the amount of disk space for each user.

■ Set a disk quota warning to specify when Windows XP Professional should log an event, indicating that the user is nearing his limit.

■ Enforce disk quota limits and deny users access if they exceed their limit, or allow them continued access.

■ Log an event when a user exceeds a specified disk space threshold. The threshold can be when the user exceeds his quota limit or when he exceeds his warning level.

After you enable disk quotas for a volume, Windows XP Professional collects disk usage data for all users who own files and folders on the volume. This allows you to monitor volume usage on a per-user basis. By default, only members of the Administrators group can view and change quota settings. However, you can allow users to view quota settings.

Setting Disk Quotas

You can enable disk quotas and enforce disk quota warnings and limits for all users or for individual users. To enable disk quotas, in Disk Management open the Properties dialog box for a partition or volume, click the Quota tab, and configure the options that are described in the following list and displayed in Figure 3-18:

■ Enable Quota Management Select this check box to enable disk quota management.

■ Deny Disk Space To Users Exceeding Quota Limit Select this check box so that when users exceed their hard disk space allocation, they receive an “out of disk space” message and cannot write to the volume.

■ Do Not Limit Disk Usage Select this option when you do not want to limit the amount of hard disk space for users.

■ Limit Disk Space To Configures the amount of disk space that users can use.

■ Set Warning Level To Configures the amount of disk space that users can fill before Windows XP Professional logs an event, indicating that a user is nearing his limit.

■ Log Event When A User Exceeds Their Quota Limit Select this option if you want Windows XP Professional to log an event in the Security log every time a user exceeds his quota limit.

■ Log Event When A User Exceeds Their Warning Level Select this option if you want Windows XP Professional to log an event in the Security log every time a user exceeds the warning level.

■ Quota Entries Click this button to open the Quota Entries For dialog box, where you can add a new entry, delete an entry, and view the per-user quota information.

Figure 3-18 The Quota tab of the Properties dialog box for a disk



To enforce identical quota limits for all users:

1. In the Limit Disk Space To text box and the Set Warning Level To text box, enter the values for the limit and warning levels, respectively, that you want to set.

2. Select the Deny Disk Space To Users Exceeding Quota Limit check box. Windows XP Professional will monitor usage and will not allow users to create files or folders on the volume when they exceed the limit.

To enforce different quota limits for one or more specific users:

1. In Computer Management, open the Properties dialog box for a volume or partition, click the Quota tab, and then click Quota Entries.

2. In the Quota Entries dialog box, shown in Figure 3-19, double-click the user account for which you want to set a disk quota limit or create an entry by choosing New Quota Entry from the Quota menu.

FT03HT19.BMP

Figure 3-19 The Quota Entries dialog box

3. Configure the disk space limit and the warning level for each individual user.

CHAPTER 3:

MANAGING DISKS AND FILE SYSTEMS

Determining the Status of Disk Quotas

You can determine the status of disk quotas in the Quota Entries dialog box for a disk by checking the traffic-light icon and reading the status message to its right (Figure 3-19). The color of the traffic-light icon indicates the status of disk quotas:

■ A red traffic light indicates that disk quotas are disabled.

■ A yellow traffic light indicates that Windows XP Professional is rebuilding disk quota information.

■ A green traffic light indicates that the disk quota system is active.

Monitoring Disk Quotas

You use the Quota Entries dialog box (shown earlier in Figure 3-19) to monitor usage for all users who have copied, saved, or taken ownership of files and folders on the volume. Windows XP Professional scans the volume and charges each file to its owner, so a user's usage figure includes files she owns in shared folders, not only the files in her own folders. You can use the Quota Entries dialog box to view the following:

■ The amount of hard disk space that each user uses

■ Users who are over their quota warning threshold, signified by a yellow triangle

■ Users who are over their quota limit, signified by a red circle

■ The warning threshold and the disk quota limit for each user

Best Uses for Disk Quotas

Use the following guidelines for using disk quotas:

■ If you enable disk quota settings on the volume where Windows XP Professional is installed and your user account has a disk quota limit, log on as Administrator to install additional Windows XP Professional components and applications. In this way, Windows XP Professional will not charge the disk space that you use to install applications against the disk quota allowance for your user account.

■ You can monitor hard disk usage and generate hard disk usage information without preventing users from saving data. To do so, clear the Deny Disk Space To Users Exceeding Quota Limit check box when you enable disk quotas.

■ Set more restrictive default limits for all user accounts, and then modify the limits to allow more disk space to users who work with large files.

■ If multiple users share computers running Windows XP Professional, set disk quota limits on computer volumes so that disk space is shared by all users who share the computer.

■ Generally, you should set disk quotas on shared volumes to limit storage for users. Set disk quotas on public folders and network servers to ensure that users share hard disk space appropriately. When storage resources are scarce, you might want to set disk quotas on all shared hard disk space.

■ Delete disk quota entries for users who no longer store files on a volume. You can delete quota entries for a user account only after all files that the user owns have been removed from the volume or another user has taken ownership of the files.
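The accounting rules above (usage charged to each file's owner on one volume, a warning level, a hard limit, the Deny check box that turns the limit from a logged event into a refused write, per-user Quota Entries that override the volume default, and an entry that can be deleted only once the user owns nothing) can be checked against a small simulation. The following Python model is an added example, not code from the book or from Windows; the user names, paths, and sizes are constructed sample data, and logging a warning or limit event only when usage first crosses the threshold is a simplification of the real behavior.

```python
"""Simulation of the per-user, per-volume quota rules described on the Quota tab.

Added example, not code from the book or from Windows. User names, paths and
sizes are constructed sample data; the model logs a warning or limit event only
when usage first crosses the threshold, which is a simplification.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MB = 1024 * 1024


@dataclass
class QuotaPolicy:
    limit: Optional[int]        # bytes; None models "Do Not Limit Disk Usage"
    warning: Optional[int]      # bytes; "Set Warning Level To"
    deny_over_limit: bool       # "Deny Disk Space To Users Exceeding Quota Limit"
    log_limit: bool = True      # "Log Event When A User Exceeds Their Quota Limit"
    log_warning: bool = True    # "Log Event When A User Exceeds Their Warning Level"


@dataclass
class QuotaVolume:
    default: QuotaPolicy
    entries: Dict[str, QuotaPolicy] = field(default_factory=dict)     # per-user Quota Entries
    files: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # path -> (owner, size)
    events: List[Tuple[str, str, int]] = field(default_factory=list)  # (kind, user, bytes)

    def policy(self, user: str) -> QuotaPolicy:
        """A Quota Entry for the user overrides the volume default."""
        return self.entries.get(user, self.default)

    def usage(self, user: str) -> int:
        """Usage is charged to the owner of each file, wherever on the volume it lives."""
        return sum(size for owner, size in self.files.values() if owner == user)

    def write(self, path: str, owner: str, size: int) -> bool:
        """Try to create `path` owned by `owner`; False models the out-of-disk-space error."""
        pol = self.policy(owner)
        before = self.usage(owner)
        after = before + size
        if pol.limit is not None and after > pol.limit:
            if pol.log_limit and before <= pol.limit:
                self.events.append(("limit", owner, after))
            if pol.deny_over_limit:
                return False            # enforced: the write is refused
            # Deny cleared: the write goes through and only the event remains
        elif pol.warning is not None and after > pol.warning:
            if pol.log_warning and before <= pol.warning:
                self.events.append(("warning", owner, after))
        self.files[path] = (owner, size)
        return True

    def take_ownership(self, path: str, new_owner: str) -> None:
        """Taking ownership moves the charge for the file to the new owner."""
        _, size = self.files[path]
        self.files[path] = (new_owner, size)

    def delete_entry(self, user: str) -> bool:
        """An entry can be removed only once the user owns no files on the volume."""
        if self.usage(user) > 0:
            return False
        self.entries.pop(user, None)
        return True


def demo() -> dict:
    """Walk through the cases a help-desk 'out of disk space' report usually turns out to be."""
    vol = QuotaVolume(QuotaPolicy(limit=500 * MB, warning=400 * MB, deny_over_limit=True))
    vol.write(r"\Users\bob\thesis.doc", "bob", 300 * MB)
    vol.write(r"\Shared\archive.zip", "bob", 150 * MB)           # shared folder, still bob's charge
    denied = vol.write(r"\Users\bob\draft.doc", "bob", 100 * MB)  # 550 MB would exceed 500 MB
    vol.entries["bob"] = QuotaPolicy(limit=1000 * MB, warning=800 * MB, deny_over_limit=True)
    allowed = vol.write(r"\Users\bob\draft.doc", "bob", 100 * MB)  # per-user entry now applies
    audit = QuotaVolume(QuotaPolicy(limit=500 * MB, warning=400 * MB, deny_over_limit=False))
    audit.write(r"\Users\carol\image.iso", "carol", 600 * MB)   # logged, not refused
    return {
        "denied": denied,
        "allowed": allowed,
        "bob_usage_mb": vol.usage("bob") // MB,
        "events": vol.events,
        "audit_events": audit.events,
        "audit_files": len(audit.files),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the two behaviors worth remembering when you investigate such a report: a file the user owns in a shared folder counts against her quota exactly like a file in her own folder, and clearing Deny turns the same limit into an audit-only record in the event log rather than a refused write.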

USING DISK DEFRAGMENTER, CHKDSK, AND DISK CLEANUP

Windows XP Professional saves files and folders in the first available space on a hard disk, not necessarily in a contiguous area. The parts of a file or folder are therefore scattered over the hard disk rather than stored together. This scattering of files and folders across a hard disk is known as fragmentation. When your hard disk contains numerous fragmented files and folders, your computer takes longer to access them because it requires several additional reads to collect the various pieces. Creating new files and folders also takes longer because the available free space on the hard disk is scattered, so your computer must save a new file or folder in various locations on the hard disk. Temporary files, Internet cache files, and unnecessary programs also take up space on your computer's hard drive. Sometimes file system errors occur, and sometimes sectors on your hard disk go bad; these events can cause you to lose data stored on your hard disk. This section introduces three Windows XP Professional tools, Disk Defragmenter, Chkdsk, and Disk Cleanup, that help you organize your hard disks, recover readable information from damaged areas on your hard disk, mark bad sectors to prevent future data loss, and clean up temporary files and unnecessary programs that are taking up space on your hard drive.
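As an added illustration, not code from the book or from Windows, of the first-available-space behavior just described: the following Python toy models a volume as a row of clusters. A new file takes the first free clusters it finds, so after a deletion the next write lands in two separate runs, and a consolidation pass of the kind Disk Defragmenter performs lays each file out contiguously again. The cluster count, file names, and sizes are constructed.

```python
"""Toy model of first-available-space allocation and a defragmenter's consolidation pass.

Added example, not code from the book or from Windows. The volume is a list of
cluster owners; the cluster count, file names and sizes are constructed.
"""
from typing import List, Optional

FREE: Optional[str] = None


class ToyVolume:
    def __init__(self, clusters: int) -> None:
        self.map: List[Optional[str]] = [FREE] * clusters

    def free(self) -> int:
        return self.map.count(FREE)

    def write(self, name: str, clusters: int) -> bool:
        """Take the first free clusters in order, splitting across gaps as needed.
        This is the behaviour the text describes; it never searches for a
        contiguous run first."""
        if clusters > self.free():
            return False
        placed = 0
        for i, owner in enumerate(self.map):
            if owner is FREE:
                self.map[i] = name
                placed += 1
                if placed == clusters:
                    break
        return True

    def delete(self, name: str) -> None:
        """Freed clusters stay where they were, leaving a gap for the next write."""
        self.map = [FREE if owner == name else owner for owner in self.map]

    def extents(self, name: str) -> int:
        """Number of contiguous runs the file occupies; 1 means not fragmented."""
        runs, inside = 0, False
        for owner in self.map:
            now = owner == name
            if now and not inside:
                runs += 1
            inside = now
        return runs

    def fragmented_files(self) -> List[str]:
        names = sorted({owner for owner in self.map if owner is not FREE})
        return [n for n in names if self.extents(n) > 1]

    def defragment(self) -> None:
        """Consolidation pass: lay every file out contiguously, in the order the
        files first appear, and pool the free space at the end."""
        order: List[str] = []
        for owner in self.map:
            if owner is not FREE and owner not in order:
                order.append(owner)
        sizes = {n: self.map.count(n) for n in order}
        self.map = [FREE] * len(self.map)
        pos = 0
        for n in order:
            self.map[pos:pos + sizes[n]] = [n] * sizes[n]
            pos += sizes[n]

    def render(self) -> str:
        """One character per cluster, like the Defragmenter's display band."""
        return "".join("." if owner is FREE else owner[0] for owner in self.map)


def demo() -> dict:
    vol = ToyVolume(16)
    vol.write("A", 4)
    vol.write("B", 4)
    vol.write("C", 4)                 # AAAABBBBCCCC....
    vol.delete("B")                   # AAAA....CCCC....  a gap opens in the middle
    vol.write("D", 6)                 # AAAADDDDCCCCDD..  D is written in two pieces
    before = (vol.render(), vol.extents("D"), vol.fragmented_files())
    vol.defragment()                  # AAAADDDDDDCCCC..  D is whole, free space pooled
    after = (vol.render(), vol.extents("D"), vol.fragmented_files())
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, state in demo().items():
        print(label, *state)
```

One point the toy does not show but a responder should keep in mind: on a real disk, delete only marks clusters free, it does not erase their contents, and a defragmentation pass rewrites free space. Do not defragment a volume you may still need to image for forensic examination, because doing so destroys whatever remained in unallocated space.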

Defragmenting Disks

The process of finding and consolidating fragmented files and folders is called defragmenting. Disk Defragmenter locates fragmented files and folders and defragments them by moving the pieces of each file or folder to one location so they occupy a single, contiguous space on the hard disk. Your system can thus access and save files and folders more efficiently. By consolidating files and folders, Disk Defragmenter also consolidates free space, making it less likely that new files will be fragmented. Disk Defragmenter can defragment FAT, FAT32, and NTFS volumes. You access Disk Defragmenter by choosing Start | All Programs | Accessories | System Tools | Disk Defragmenter. The Disk Defragmenter window has three areas, as shown in Figure 3-20.

Figure 3-20 The Disk Defragmenter window

The upper pane of the window lists the volumes that you can analyze and defragment. The middle pane provides a graphic representation of how fragmented the selected volume is. The lower pane provides a dynamic representation of the volume that continuously updates during defragmentation. The display colors indicate the condition of the volume:

■ Red indicates fragmented files.

■ Blue indicates contiguous (nonfragmented) files.

■ Green indicates system files, which Disk Defragmenter cannot move.

■ White indicates free space on the volume.

By comparing the Analysis Display band to the Defragmentation Display band during and after defragmentation, you can easily see the improvement in the volume. You can also open Disk Defragmenter by selecting the drive you want to defragment in Windows Explorer or My Computer. Choose File | Properties, click the Tools tab, and click Defragment Now. Then select one of these options:

■ Analyze Analyzes the disk for fragmentation. After the analysis, the Analysis Display band provides a graphic representation of how fragmented the volume is.

■ Defragment Defragments the disk. After defragmentation, the Defragmentation Display band provides a graphic representation of the defragmented volume.

Figure 3-21 shows the Disk Defragmenter window after you have analyzed drive C. Windows XP Professional displays a message dialog box indicating that you need to defragment the volume. You can view a report showing more details about the fragmentation on your volume, close the dialog box and run the defragmenter at a later time, or defragment the volume right then.

Figure 3-21 The Disk Defragmenter window showing a completed analysis

If there is not enough fragmentation to require you to defragment the volume, Windows XP Professional displays a Disk Defragmenter dialog box indicating that there is currently no need to defragment the volume.

Using Disk Defragmenter Effectively

The following list provides some guidelines for using Disk Defragmenter:

■ Run Disk Defragmenter when the computer will receive the least usage. During defragmentation, data is moved around on the hard disk, and that process is disk intensive. The defragmentation process adversely affects access time to other disk-based resources.

■ Educate users to defragment their local hard disks at least once a month to prevent accumulation of fragmented files. Third-party disk defragmenter tools allow remote management and scheduling to ensure that monthly defragmentation takes place. Windows XP Professional also includes a command-line version, Defrag.exe, which can be run from Scheduled Tasks.

■ Analyze the target volume before you install large applications, and defragment the volume if necessary. Installations complete more quickly when the target volume has adequate contiguous free space. Also, accessing the application after installation is faster.

■ When you delete a large number of files or folders, your hard disk might become excessively fragmented; be sure to analyze it afterward.

Using Chkdsk

Chkdsk attempts to repair file system errors, locate bad sectors, recover readable information from those bad sectors, and mark them to prevent their future use. All files on the volume or partition must be closed for this program to run. To access Chkdsk, select the drive you want to check in Windows Explorer or My Computer. Choose File | Properties, click the Tools tab, and click Check Now. Select one of the options in the Chkdsk dialog box (shown in Figure 3-22).

Figure 3-22 The Chkdsk dialog box

Here are the execution options for Chkdsk:

■ Automatically Fix File System Errors Select this check box to have Windows XP Professional attempt to repair file system errors found during disk checking. All files must be closed for this program to run. If the drive is currently in use, a message asks whether you would like to reschedule the disk check for the next time you restart your computer. The drive is not available to other tasks while it is being checked.

■ Scan For And Attempt Recovery Of Bad Sectors Select this check box to have Windows XP Professional locate bad sectors and recover any readable information from them, in addition to repairing file system errors. The same restrictions apply: all files must be closed, a drive that is in use can only be checked at the next restart, and the drive is unavailable while the check runs. If you select this check box, you do not need to select Automatically Fix File System Errors, because Windows XP Professional then attempts to fix any errors on the disk. Because every sector on the volume is read, this option takes considerably longer than a file system check alone.


Chkdsk runs in up to five phases: file verification, index verification, security descriptor verification, file data verification, and free space verification. The first three run on every check; the last two, which read every sector, run only when you select Scan For And Attempt Recovery Of Bad Sectors or use the /r switch.

NOTE

You can also use the command-line version of Chkdsk. The command-line syntax for Chkdsk is as follows:

chkdsk [volume[[path]filename]] [/f] [/v] [/r] [/x] [/i] [/c] [/l[:size]]

The switches used by Chkdsk are described in Table 3-4.

Table 3-4 Chkdsk Options

Switch      Description

volume      Specifies the drive letter (followed by a colon), mount point, or volume name.

path        Specifies the location of a file or set of files within the folder structure of the volume. Valid only on volumes formatted with FAT12, FAT16, or FAT32.

filename    Specifies the file or set of files to check for fragmentation. You can use the wildcards * and ?. Valid only on volumes formatted with FAT12, FAT16, or FAT32.

/f          Fixes errors on the volume. If Chkdsk cannot lock the volume, you are prompted to have Chkdsk check it the next time the computer starts.

/v          On volumes formatted with FAT12, FAT16, or FAT32, displays the full path and name of every file on the volume. On volumes formatted with NTFS, displays any cleanup messages.

/r          Locates bad sectors and recovers readable information; implies /f. If Chkdsk cannot lock the volume, you are prompted to have Chkdsk check it the next time the computer starts.

/x          Forces the volume to dismount first, if necessary; implies /f. Dismounting invalidates all open handles to the volume.

/i          Performs a less vigorous check of index entries. Valid only on volumes formatted with NTFS.

/c          Skips the checking of cycles within the folder structure. Valid only on volumes formatted with NTFS.

/l[:size]   Displays the current size of the log file; with :size, changes the log file size to the specified number of kilobytes. Valid only on volumes formatted with NTFS.

/?          Displays this list of switches.


Used without parameters, Chkdsk reports the status of the current volume without changing anything; repairs are made only when you specify /f or /r.

Using Disk Cleanup

You can use Disk Cleanup to free up disk space by deleting temporary files and uninstalling programs. Disk Cleanup lists the temporary files, Internet cache files, and unnecessary programs that you can safely delete. To access Disk Cleanup, select the drive you want to check in Windows Explorer or My Computer. Choose File | Properties, click the General tab, and click Disk Cleanup. The Disk Cleanup dialog box (shown in Figure 3-23) has the following options.

Figure 3-23 The Disk Cleanup dialog box



■ Downloaded Program Files Select this check box to delete the ActiveX controls and Java applets that were downloaded automatically from the Internet when users viewed certain pages. These files are temporarily stored in the Downloaded Program Files folder on the computer's hard disk.

■ Temporary Internet Files Select this check box to delete the files in the Temporary Internet Files folder on the computer's hard drive. These files are Web pages stored on the hard disk for quick viewing. Users' personalized settings for Web pages are not deleted.

■ Recycle Bin Select this check box to delete the files in the Recycle Bin. When you delete a file from your computer, it is not permanently removed until the Recycle Bin is emptied.

■ Temporary Files Select this check box to delete any temporary files on this volume. Programs sometimes store temporary information in a Temp folder. Before a program closes, it usually deletes this information. You can safely delete temporary files that have not been modified in more than a week.

■ WebClient/Publisher Temporary Files Select this check box to delete any temporary WebClient/Publisher files. The WebClient/Publisher service maintains a cache of accessed files on this disk. These files are kept locally for performance reasons only and can be safely deleted.

■ Compress Old Files Select this check box to compress files that have not been accessed in a while. No files are deleted, and all files are still accessible. Because files compress at different rates, the value displayed for the amount of space you will recover is an approximation.

■ Catalog Files For The Content Indexer Select this check box to delete any old catalog files left over from previous indexing operations. The Indexing Service speeds up and enriches file searches by maintaining an index of the files on this disk.

For additional ways to free up space on your hard disk using Disk Cleanup, click the More Options tab in the Disk Cleanup dialog box (shown in Figure 3-24).

Figure 3-24 The More Options tab of the Disk Cleanup dialog box


The other options for Disk Cleanup are:

■ Windows Components Click Clean Up under Windows Components to launch the Windows Components Wizard, which allows you to add and remove Windows components from your installation. These components include Accessories and Utilities, Fax Services, Indexing Services, Microsoft Internet Explorer, Internet Information Services (IIS), Management and Monitoring Tools, Message Queuing, MSN Explorer, Networking Services, Other Network File and Print Services, and Update Root Certificates.

■ Installed Programs Click Clean Up under Installed Programs to launch Add Or Remove Programs, which allows you to install programs and to uninstall programs that are no longer in use. The list of programs available to be uninstalled depends on what programs are installed on your computer.

■ System Restore Click Clean Up under System Restore to delete all but the most recent restore points. For more information about restore points and System Restore, see Chapter 15.


SUMMARY

■ The Disk Management snap-in provides a central location for disk information and management tasks, such as creating and deleting partitions and volumes; formatting them with the FAT, FAT32, or NTFS file systems; and assigning them drive letters.

■ The Disk Management snap-in provides a way to manage disks locally and on remote computers.

■ A disk that is initialized for basic storage is called a basic disk; it can contain primary partitions, extended partitions, and logical drives.

■ A disk that is initialized for dynamic storage is called a dynamic disk; dynamic storage allows for greater flexibility with regard to configuration. It can be divided into volumes, which can consist of a portion, or portions, of one or more physical disks.

■ In Windows XP Professional, NTFS compression allows you to compress files, folders, or an entire volume.

■ NTFS encryption and compression are mutually exclusive.

■ To create a compressed folder using the Compressed Folders feature, start Windows Explorer, choose File | New, and then click Compressed Folder.

■ Use Windows XP Professional disk quotas to allocate disk space usage to users.

■ You can set disk quotas, quota thresholds, and quota limits for all users and for individual users.

■ You can apply disk quotas only to NTFS 5 volumes.

■ The Encrypting File System (EFS) allows users to encrypt NTFS files. Each file is encrypted with its own symmetric file encryption key, and that key is protected with the user's public key; marking a folder as encrypted causes every file created in it to be encrypted.

■ Disk Defragmenter, a Windows XP Professional system tool, locates fragmented files and folders and defragments them, enabling your system to access and save files and folders more efficiently.

■ Chkdsk attempts to repair file system errors, locate bad sectors, and recover readable information from those bad sectors.

■ Disk Cleanup frees up disk space by locating temporary files, Internet cache files, and unnecessary programs that you can safely delete, and it also deletes temporary files and uninstalls programs.


REVIEW QUESTIONS

1. Which of the following statements are true for a disk that uses dynamic storage? (Choose all correct answers.)
a. The system partition for Windows NT is never on a dynamic disk.
b. A dynamic disk can be partitioned into four primary partitions or three primary partitions and one extended partition.
c. The Convert command allows you to convert a basic disk into a dynamic disk.
d. A dynamic disk has a single partition that includes the entire disk.

2. Which of the following does Windows XP Professional allow you to compress using NTFS compression? (Choose all correct answers.)
a. A FAT volume
b. An NTFS volume
c. A bitmap stored on a floppy disk
d. A folder on an NTFS volume

3. Which of the following types of files or data are good candidates for NTFS compression? (Choose all correct answers.)
a. Encrypted data
b. Frequently updated data
c. Bitmaps
d. Static data

4. Which of the following statements about disk quotas in Windows XP Professional is correct?
a. Disk quotas track and control disk usage on a per-user, per-disk basis.
b. Disk quotas track and control disk usage on a per-group, per-volume basis.
c. Disk quotas track and control disk usage on a per-user, per-volume basis.
d. Disk quotas track and control disk usage on a per-group, per-disk basis.


5. Which of the following files and folders does Windows XP Professional allow you to encrypt? (Choose all correct answers.)
a. A file on an NTFS volume
b. A folder on a FAT volume
c. A file stored on a floppy disk
d. A folder on an NTFS volume

6. Which of the following functions does Chkdsk perform? (Choose all correct answers.)
a. Locate fragmented files and folders and arrange them contiguously.
b. Locate and attempt to repair file system errors.
c. Locate bad sectors and recover readable information from those bad sectors.
d. Delete temporary files and offline files.

CASE SCENARIOS

Scenario 3-1: Storage Choices

You are configuring a computer that will be used as a graphics workstation. You have specified the fastest processor available, 4 GB of RAM, a top-of-the-line graphics processor, and a very fast network adapter. You are deciding what disk configuration to specify for data storage. Of the following available configurations, which offers the fastest read/write performance with this computer?
a. Four disks using dynamic storage, configured as a spanned volume
b. Four disks using basic storage, configured as separate volumes
c. Four disks using dynamic storage, configured as a striped volume
d. Four disks using dynamic storage, configured as separate volumes


Scenario 3-2: Disk Quotas

You have configured a computer for your accounting department with the following settings:

■ Two NTFS volumes (one system, one data).

■ Disk quotas on the data volume permit 1 GB per user.

■ Users each have a personal folder for their own files, and all users share a folder for community projects.

A user reports that she cannot save a file to her disk and that she received an insufficient disk space error. She is puzzled by this because she has only 457 MB used in her My Documents folder. After investigating, you learn that she is also responsible for maintaining the community files and that several are owned by her user account. The total size of the files under her ownership, according to the Quota Entries dialog box, is 998.57 MB. What is the best way to allow her to continue saving files on this system?
a. Tell her to delete some files to make more space available.
b. Increase the disk quota available to her account.
c. Take ownership of some files yourself to give her more free quota space.
d. Increase the disk quota available to all users of this computer.


CHAPTER 4

MANAGING DEVICES AND PERIPHERALS

Upon completion of this chapter, you will be able to:

■ Implement, manage, and troubleshoot input and output (I/O) devices

■ Manage and troubleshoot drivers and driver signing

■ Configure and monitor multiprocessor computers

■ Configure Advanced Configuration and Power Interface (ACPI) settings and support

In this chapter, we begin to work with system hardware and how to install, configure, and troubleshoot it. We will discuss many types of I/O devices, configure settings for driver signing, and cover multiprocessor and ACPI configuration. To get the most from this chapter, you should be familiar enough with PC hardware to be able to identify different types of hardware and perform basic installation of I/O cards and peripherals.


USING DEVICE MANAGER

Device Manager provides you with a graphical view of the hardware installed on your computer and helps you manage and troubleshoot it. You can use Device Manager to disable, uninstall, and update device drivers. Device Manager also helps you determine whether the hardware on your computer is working properly. It lists devices with problems, and each device that is flagged is displayed with the corresponding status information.

NOTE

Windows XP Professional also provides the Hardware Troubleshooter to troubleshoot hardware problems. To access the Hardware Troubleshooter, choose Start | Help And Support. In the Help and Support Center, under Pick A Help Topic, click Hardware. In the Hardware list, click Fixing A Hardware Problem. Under Fixing A Hardware Problem, click Hardware Troubleshooter.

Configuring and Troubleshooting Devices

When you change device configurations manually, Device Manager can help you avoid problems by allowing you to identify free resources and assign a device to that resource, disable devices to free resources, and reallocate resources used by devices to free a required resource. You must be logged on as a member of the Administrators group to change resource settings. Even if you are logged on as Administrator, if your computer is connected to a network, policy settings on the network might prevent you from changing resources.

CAUTION

Improperly changing resource settings on devices can disable your hardware and cause your computer to stop working.

The Plug and Play (PnP) basic input/output system (BIOS) automatically identifies PnP devices and arbitrates their resource requests. However, the resource allocation among PnP devices is not permanent. If another PnP device requests a resource that has already been allocated, the BIOS again arbitrates the requests to satisfy all of them. After startup, Windows XP takes over management of devices and might again change one or more assignments to suit its own requirements. You should not manually change resource settings for a PnP device because Windows XP Professional will then be unable to arbitrate the assigned resources if they are requested by another PnP device. In Device Manager, PnP devices have a Resources tab in their Properties dialog box. To free the resource settings you manually assigned and allow Windows XP Professional to again arbitrate the resources, select the Use Automatic Settings check box on the Resources tab.

NOTE

Devices supported by Windows NT 4 have fixed resource settings. These are usually defined during an upgrade from Windows NT 4 to Windows XP Professional, but you can also define them by using the Add New Hardware Wizard in Control Panel.



To configure or troubleshoot a device using Device Manager:

1. Click Start, right-click My Computer, and then click Manage. The Computer Management console opens (Figure 4-1).

Figure 4-1 The Computer Management console

2. Under System Tools, click Device Manager.

3. In the Details pane, double-click the device type, and then double-click the device you want to configure. A Properties dialog box for the device appears (Figure 4-2).

Figure 4-2 A Properties dialog box for the Netelligent 10/100TX PCI UTP Controller

4. To configure a device, click the appropriate tab. To troubleshoot, on the General tab, click the Troubleshoot button.


The tabs in the Properties dialog box vary depending on the device selected, but they should include some of the following:

■ Advanced or Advanced Properties The properties listed vary depending on the device selected.

■ General Displays the device type, manufacturer, and location. It also displays the device status and provides a troubleshooter to help you troubleshoot any problems you are having with the device. The troubleshooter steps you through a series of questions to determine the problem and provide a solution.

■ Device Properties The properties listed vary depending on the device selected.

■ Driver Displays the driver provider, driver date, driver version, and digital signer. This tab also provides the Driver Details, Uninstall, and Update Driver buttons, which allow you to get additional information on the driver, uninstall the driver, or update the driver with a newer version, respectively.

■ Port Settings Available in a communications port (COM1) Properties dialog box, this tab allows you to configure settings for bits per second, data bits, parity, stop bits, and flow control.

■ Properties Determines how Windows uses the device. For example, for a CD-ROM, these settings determine how Windows uses the CD-ROM for playing CD music (for example, volume and enabling digital CD playback instead of analog playback).

■ Resources Displays the resource type and setting, whether there are any resource conflicts, and whether you can change the resource settings.

Viewing Hidden and Phantom Devices

By default, Device Manager does not display all devices. The devices that are not displayed include hidden (non-PnP) devices and phantom (disconnected) devices. Non-PnP devices are fixed system devices that have drivers installed; they typically are not managed because they are permanently installed as part of the system's hardware.

To display hidden devices:

1. In Device Manager, choose View | Show Hidden Devices.

Phantom devices are devices that have been installed but are not currently connected. Examples of phantom devices are disconnected USB keychain drives, PC Card devices, and Bluetooth peripherals. When these devices are disconnected, they usually disappear from Device Manager.


To display phantom devices:

1. Click Start | Run. In the Open text box, type cmd, and click OK.

2. At the command prompt, type set DEVMGR_SHOW_NONPRESENT_DEVICES=1 and press ENTER.

3. From the same command prompt, type devmgmt.msc and press ENTER. Device Manager must be started from this prompt so that it inherits the variable; a copy started from the Start menu or Computer Management will not see it.

4. In Device Manager, choose View | Show Hidden Devices. Phantom devices now appear alongside the hidden devices, and you can uninstall any that are no longer needed.

NOTE

The command set DEVMGR_SHOW_NONPRESENT_DEVICES=1 sets an environment variable. You can set an environment variable for the active session by using this command, or you can set it globally by using the Environment Variables dialog box (accessed via the Advanced tab of the System Properties dialog box). We will expand on the discussion of environment variables in Chapter 13.

MANAGING AND TROUBLESHOOTING I/O DEVICES The list of devices that can be installed is too long to include here. This section describes some of the most common devices and how they are installed, configured, and managed.

Scanners and Cameras Most digital cameras, scanners, and other imaging devices are PnP devices that Windows XP Professional installs automatically when you connect them to your computer. If your imaging device is not installed automatically when you connect it, or if it does not support PnP, use the Scanner and Camera Installation Wizard to install it. 

To manually install a scanner or camera or other imaging device:

1. In Control Panel, click Printers And Other Hardware, and then click Scanners And Cameras.

2. In the Scanners And Cameras window, double-click Add An Imaging Device to start the Scanner and Camera Installation Wizard.

3. Click Next, and follow the on-screen instructions to install your imaging device.

4. In Device Manager, select the appropriate device, and then click Properties. The standard color profile for Image Color Management (ICM 2.0) is sRGB, but you can add, remove, or select a different color profile for a device. To change the color profile, click the Color Management tab of the device's Properties dialog box.

NOTE

Image Color Management (ICM) is a framework that allows scanners, cameras, printers, and monitors to share data about color values. This ensures that the colors scanned by the scanner are reliably displayed on the monitor and properly depicted when printed. ICM uses color space profiles to control its color management functions. Examples of color space profiles are sRGB (standard Red, Green, Blue) and CMYK (Cyan, Magenta, Yellow, and Black). The profile you choose depends on the type of devices you are using and the type of output you are generating. More information on color space profiles is available from the International Color Consortium at http://www.color.org.

5. If you have any problems with your scanner or camera, click Troubleshoot in the Scanners And Cameras Properties dialog box.

Mouse Devices

Click the Mouse icon in the Printers And Other Hardware window of Control Panel to configure and troubleshoot your mouse. The following list describes the options available:

■ Buttons Allows you to configure your mouse for a left-handed or right-handed user. It also allows you to set a single mouse click to select or open, and it allows you to control the double-click speed. (See Figure 4-3.)

Figure 4-3 The Buttons tab of the Mouse Properties dialog box

■ Pointers Allows you to select or create a custom scheme for your pointer. You can adjust the speed and acceleration of your pointer and set the Snap To Default option, which moves the pointer to the default button in dialog boxes.

■ Hardware Allows you to access the Troubleshooter if you are having problems with your mouse. This tab also has a Properties button that allows you to perform advanced configuration of your mouse. This includes uninstalling or updating your mouse driver, viewing or changing the resources allocated to your mouse, and increasing or decreasing the sensitivity of your mouse by varying the sample rate, which defines how often Windows XP Professional determines the position of your mouse.

Modems
Click Phone And Modem Options in the Printers And Other Hardware window of Control Panel to install, configure, or troubleshoot your modem.

To install a new modem:

1. Click Add on the Modems tab. The Add Hardware Wizard steps you through the installation process.
2. To configure an installed modem, click the Modems tab, select the modem from the list of installed modems, and click Properties.
3. Click the appropriate tab for the configuration changes you want to make. For example:
   a. Click the Modem tab (Figure 4-4) to set the maximum port speed and whether to wait for a dial tone before dialing.
   b. The Diagnostics tab allows you to query the modem and to view the modem log.
   c. If you need additional help in troubleshooting the modem, you can use the General tab to access the Troubleshooter.

Figure 4-4 Configuring modem settings

The Phone and Modem Options dialog box has two other tabs:

■ Dialing Rules tab Lists all the locations you have configured on the computer. Click Add on this tab to add a new location, or click Edit to edit an existing location.

■ Advanced tab Shows the telephony providers installed on this computer (Figure 4-5). It also allows you to add or remove telephony providers and to configure those already installed.

Figure 4-5 Configuring modem settings

MORE INFO
We will cover modem configuration as it pertains to dialing and communications in Chapter 10.

Game Controllers
Click Game Controllers in the Printers And Other Hardware window of Control Panel to install, configure, or troubleshoot your game controller.

To install a game controller:

1. Attach the game controller to the computer (for example, if it is a universal serial bus [USB] game controller, attach it to a USB port).
2. If the game controller does not install properly, in Device Manager, look under Human Interface Devices. If you do not see an icon for your game controller, check to make sure your system has detected its USB controllers and root hubs (Figure 4-6).
3. Missing USB controllers may be an indication that your USB ports are not activated in the BIOS. If the USB host controller is not listed, check to make sure USB is enabled in the BIOS. When prompted during system startup, enter BIOS setup and enable USB.
4. If USB is enabled in the BIOS, contact the manufacturer or vendor for your computer and obtain the current version of the BIOS.

Figure 4-6 Viewing installed USB controllers and root hubs

IrDA and Wireless Devices
Most internal Infrared Data Association (IrDA) devices should be installed during Windows XP Professional setup or when you start Windows XP Professional after adding one of these devices. If you attach an IrDA transceiver to a serial port, you must install it using the Add Hardware Wizard.

To configure an IrDA device:

1. In Control Panel, click Wireless Link.
2. On the Hardware tab, click the device you want to configure, and then click Properties. The Properties dialog box (Figure 4-7) shows the status of the device, driver files, and any power management settings.

Figure 4-7 Configuring IrDA device settings

NOTE
The Wireless Link icon appears in Control Panel only if you have already installed an infrared device on your computer.

Keyboards
Click Keyboard in the Printers And Other Hardware window of Control Panel to configure or troubleshoot a keyboard.

■ On the Speed tab (Figure 4-8), you can configure the character repeat delay and the character repeat rate. You can also control the cursor blink rate.

■ The Hardware tab shows you the device properties for the installed keyboard and allows you to access the Troubleshooter if you are having problems with your keyboard. You can also install a device driver, roll back to a previous device driver, or uninstall a device driver.

Figure 4-8 Configuring keyboard speed settings

UNDERSTANDING AUTOMATIC AND MANUAL HARDWARE INSTALLATION
Windows XP Professional supports PnP devices. For most devices that are PnP-compliant, if the appropriate driver is available and the BIOS on the computer is a PnP BIOS or an ACPI BIOS, Windows XP Professional automatically detects, installs, and configures the device. When Windows XP Professional detects a new piece of hardware that cannot be installed automatically, it displays the Found New Hardware Wizard (Figure 4-9). When a hardware device is not detected, you must initiate installation manually. You can also use the Add Hardware Wizard to do this.

Figure 4-9 The Found New Hardware Wizard

To install hardware using the Add Hardware Wizard:

1. Click Start | Control Panel | Printers And Other Hardware.
2. Click Add Hardware to start the Add Hardware Wizard.
3. On the Welcome To The Add Hardware Wizard page, click Next. Windows XP Professional searches for new devices and does one of the following:
   ❑ If it detects any new PnP hardware, it installs the new hardware.
   ❑ If it detects new hardware but cannot locate the correct drivers, it starts the Found New Hardware Wizard (Figure 4-9).
   ❑ If it cannot find a new device, you’ll see the wizard’s Is The Hardware Connected? page. If you have already connected the new device, click Yes, I Have Already Connected The Hardware, and then click Next. The wizard displays the The Following Hardware Is Already Installed On Your Computer page (Figure 4-10). To add hardware that is not in the list, click Add A New Hardware Device.

NOTE
To use the Add Hardware Wizard to troubleshoot a hardware device, click the device in the list of installed hardware devices, and then click Next. The Completing The Add Hardware Wizard page appears. Click Finish to launch a troubleshooter to help solve any problems you might be having with that hardware device. For more on troubleshooting devices, see the “Troubleshooting Device Installation” section later in this chapter.

Figure 4-10 Adding hardware or troubleshooting with the Add Hardware Wizard

Confirming Hardware Installation
After installing hardware, you should confirm the installation using Device Manager. To start Device Manager, do the following:

1. Right-click My Computer, and select Properties.
2. Click the Hardware tab, and then click Device Manager, where you can view the installed hardware (Figure 4-11).

NOTE
You can also launch Device Manager from the Computer Management console. It is a snap-in located under System Tools.

Figure 4-11 Device Manager, showing devices listed by type

Windows XP Professional uses icons in the Device Manager window to identify each installed hardware device. If Windows XP Professional does not have an icon for the device type or cannot identify a device, it displays a question mark. Expand the device tree to locate the newly installed hardware device. The device icon indicates whether the hardware device is operating properly. Three icons display the hardware status:

■ Normal Hardware is operating properly.

■ Stop sign Windows XP Professional disabled the hardware device because of hardware conflicts. To correct this, right-click the device icon and then choose Properties. Research the actual settings configured on the device and set the hardware resources in the system manually to match the actual device settings.

NOTE
To get the actual device settings, you might need to physically view the device and look at its settings, or review its configuration in your system BIOS. This may involve examining switches or jumpers (groups of pins that can be electrically connected to alter hardware configuration).

■ Exclamation point The hardware device is configured incorrectly or its drivers are missing.

Troubleshooting Device Installation
Plenty of things can go wrong when you install a hardware device. Be sure to carefully follow the manufacturer’s instructions to ensure a trouble-free installation. If you do see any of the icons that indicate an abnormally functioning hardware device, try the following:

■ Open the Properties dialog box for the device. The General tab lists the status of the device and lets you launch a device troubleshooter.

■ Consult the manufacturer’s instructions to verify that you have performed all necessary steps to configure the device.

■ Right-click the device and select Uninstall. Restart Windows, and allow it to detect the device again.

■ Double-check the device’s resource settings (if non-PnP) and ensure that they match those configured on the Resources tab.

Installing Hardware Manually
To manually install hardware, first determine which hardware resource is required by the hardware device. Next you must determine the available hardware resources. In some cases, you will have to modify hardware resource settings on other devices to free up an I/O port or interrupt request (IRQ). Finally, you might have to troubleshoot any problems you encounter.

NOTE
Windows XP installed on an ACPI system with the ACPI hardware abstraction layer (HAL) will not allow you to change resource settings. It might appear to accept your changes, but it will revert to its prior settings, even if you attempt to change the settings using the system BIOS configuration tools. To permit manual configuration of device resource settings, you must have installed a Standard PC HAL during installation. For more information, see the section titled “Managing ACPI Support” later in this chapter.

Determining which hardware resources are required
When installing new hardware, you need to know what resources the hardware can use. You can check the product documentation to determine the resources that a hardware device requires. Here are the resources that hardware devices use to communicate with an operating system:

■ Interrupts Hardware devices must get the processor’s attention to send messages. This signal is known as an interrupt request (IRQ). The microprocessor uses this information to determine which device needs its attention and the type of attention that it needs. Modern computers have a minimum of 15 IRQs, numbered 0 to 15, that are assigned to devices. For example, most computers assign IRQ 1 to the keyboard. Computers with Advanced Programmable Interrupt Controllers (APICs) can have up to 24 IRQs, which can be controlled by Windows XP.

NOTE
The computer’s BIOS manages IRQ assignment on the Peripheral Component Interconnect (PCI) bus during the boot process. During startup, Windows XP takes over management of IRQs. Older bus designs such as the 16-bit Industry Standard Architecture (ISA) bus require users to manually set I/O cards to nonconflicting IRQs.

■ Input/output (I/O) ports I/O ports are a section of memory that a hardware device uses to communicate with the operating system. When a microprocessor receives an interrupt request via an IRQ, the operating system checks the I/O port address to retrieve additional information about what the hardware device wants it to do. An I/O port is represented as a hexadecimal number. Windows XP device drivers use I/O port settings to locate and access hardware resources.

NOTE
Do not confuse I/O ports with communication ports such as COM ports or USB ports. The latter are physical ports that accept data from peripheral devices but are not directly addressed by the CPU.

■ Direct memory access (DMA) channels DMA channels allow a hardware device, such as a floppy disk drive, to access memory directly, without interrupting the microprocessor. DMA channels speed up access to memory. Modern computers have eight DMA channels, numbered 0 through 7. DMA channels are managed by the motherboard’s chipset or by devices that have their own DMA controller.

Determining available hardware resources
After you determine which resources a hardware device requires, you can look for an available resource. Device Manager provides a list of all hardware resources and their availability (Figure 4-12).

Figure 4-12 Device Manager showing resources listed by connection

To view the hardware resource lists, do the following:

1. In the System Properties dialog box, click the Hardware tab, and then click Device Manager.
2. On the View menu, choose Resources By Connection. Device Manager displays the resources that are currently in use (for example, IRQs).
3. To view a list of resources for another type of hardware resource, click the type of hardware resource you want to see on the View menu.

When you know which hardware resources are available, you can install the hardware manually by using the Add Hardware Wizard.

NOTE
If you select a hardware resource during manual installation, you might need to configure the hardware device so that it can use the resource. For example, for a network adapter to use IRQ 5, you might have to set a jumper, change a firmware setting on the adapter, or change a setting in the system BIOS and configure Windows XP Professional so that it recognizes that the adapter now uses IRQ 5.

Changing hardware resource assignments
You might need to change hardware resource assignments. For example, a hardware device might require a specific resource presently in use by another device. You might also encounter two hardware devices requesting the same hardware resource, resulting in a conflict. To change a resource setting:

1. On the Hardware tab of the System Properties dialog box, click Device Manager.
2. Expand the device list, right-click the specific device, and then choose Properties.
3. In the Properties dialog box for the device, click the Resources tab.

NOTE
When you change a hardware resource, you can print the content of Device Manager. This provides you with a record of the hardware configuration. If you encounter problems, you can use the printout to verify the hardware resource assignments.

From this point, follow the same procedures that you used to choose a hardware resource during a manual installation.

NOTE
Changing the resource assignments for non-PnP devices in Device Manager does not change the resources used by that device. You use Device Manager only to instruct the operating system on device configuration. To change the resources used by a non-PnP device, consult the device documentation to see how to configure the device.
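The checks behind the two procedures above (finding a free resource, then confirming that a changed assignment does not collide with another device), as an added PowerShell example that is not part of the book. The device table is constructed sample data; beyond what the text states, the code assumes that two PCI devices may share an IRQ while ISA devices may not, and that I/O port ranges and DMA channels are never shared. The table deliberately contains two PCI devices sharing IRQ 11 (allowed) and an ISA sound card on IRQ 5 that a new ISA adapter requesting IRQ 5 would collide with.

```powershell
# Added example, not the book's code: the resource checks an administrator makes
# by eye in Device Manager's Resources By Connection view, run over a
# constructed device table. Assumptions beyond the text: two PCI devices may
# share an IRQ, ISA devices may not; I/O ranges and DMA channels are never shared.

$Devices = @(
    @{ Name = 'System timer';           Bus = 'ISA'; IRQ = 0;  IO = @(0x40, 0x43);     DMA = $null }
    @{ Name = 'Standard 101 keyboard';  Bus = 'ISA'; IRQ = 1;  IO = @(0x60, 0x60);     DMA = $null }
    @{ Name = 'COM1';                   Bus = 'ISA'; IRQ = 4;  IO = @(0x3F8, 0x3FF);   DMA = $null }
    @{ Name = 'Sound card (ISA)';       Bus = 'ISA'; IRQ = 5;  IO = @(0x220, 0x22F);   DMA = 1 }
    @{ Name = 'Floppy disk controller'; Bus = 'ISA'; IRQ = 6;  IO = @(0x3F0, 0x3F5);   DMA = 2 }
    @{ Name = 'Network adapter (PCI)';  Bus = 'PCI'; IRQ = 11; IO = @(0xD000, 0xD0FF); DMA = $null }
    @{ Name = 'SCSI controller (PCI)';  Bus = 'PCI'; IRQ = 11; IO = @(0xD400, 0xD4FF); DMA = $null }
)

function Find-ResourceConflict {
    param([array]$Table)
    $conflicts = @()
    for ($i = 0; $i -lt $Table.Count; $i++) {
        for ($j = $i + 1; $j -lt $Table.Count; $j++) {
            $a = $Table[$i]
            $b = $Table[$j]
            # An IRQ line is shareable only when both devices sit on the PCI bus.
            if ($a.IRQ -eq $b.IRQ -and ($a.Bus -ne 'PCI' -or $b.Bus -ne 'PCI')) {
                $conflicts += "IRQ $($a.IRQ): $($a.Name) <-> $($b.Name)"
            }
            # I/O ports: any overlap of the two address ranges is a conflict.
            if ($a.IO[0] -le $b.IO[1] -and $b.IO[0] -le $a.IO[1]) {
                $conflicts += ('I/O 0x{0:X}-0x{1:X}: {2} <-> {3}' -f $a.IO[0], $a.IO[1], $a.Name, $b.Name)
            }
            # DMA: a channel belongs to exactly one device.
            if ($null -ne $a.DMA -and $a.DMA -eq $b.DMA) {
                $conflicts += "DMA $($a.DMA): $($a.Name) <-> $($b.Name)"
            }
        }
    }
    return $conflicts
}

function Get-FreeResource {
    param([array]$Table)
    $usedIrq = @($Table | ForEach-Object { $_.IRQ })
    $usedDma = @($Table | Where-Object { $null -ne $_.DMA } | ForEach-Object { $_.DMA })
    # Free IRQ lines 0-15 and DMA channels 0-7, the ranges the text describes.
    $free = @{}
    $free.IRQ = @(0..15 | Where-Object { $usedIrq -notcontains $_ })
    $free.DMA = @(0..7  | Where-Object { $usedDma -notcontains $_ })
    return $free
}

function Test-ResourceRequest {
    param([array]$Table, [hashtable]$Request)
    # Add the requested device to the table and report only the conflicts it introduces.
    $before = @(Find-ResourceConflict $Table)
    $after  = @(Find-ResourceConflict (@($Table) + @($Request)))
    $new    = @($after | Where-Object { $before -notcontains $_ })
    if ($new.Count -eq 0) {
        return ('OK: {0} can use IRQ {1}, I/O 0x{2:X}-0x{3:X}' -f $Request.Name, $Request.IRQ, $Request.IO[0], $Request.IO[1])
    }
    return ($new | ForEach-Object { "CONFLICT: $_" })
}

# Usage with the constructed table
Find-ResourceConflict $Devices
'Free IRQs: ' + ((Get-FreeResource $Devices).IRQ -join ', ')
'Free DMA channels: ' + ((Get-FreeResource $Devices).DMA -join ', ')
Test-ResourceRequest $Devices @{ Name = 'ISA network adapter'; Bus = 'ISA'; IRQ = 5;  IO = @(0x300, 0x31F); DMA = $null }
Test-ResourceRequest $Devices @{ Name = 'ISA network adapter'; Bus = 'ISA'; IRQ = 10; IO = @(0x300, 0x31F); DMA = $null }
```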

VIEWING AND CONFIGURING HARDWARE PROFILES
Control Panel contains applications that you can use to customize selected aspects of the hardware and software configuration for a computer. You can configure hardware settings by creating and configuring hardware profiles. Windows XP Professional uses these hardware profiles to determine which drivers to load when system hardware changes.

Understanding Hardware Profiles
A hardware profile stores configuration settings for a set of devices and services. Windows XP Professional can store different hardware profiles to meet a user’s various needs. Hardware profiles are used primarily for portable computers. For example, a portable computer can use different hardware configurations depending on whether it is docked or undocked. The user can create a hardware profile for each state (docked and undocked) and choose the appropriate profile when starting Windows XP Professional.

Creating or Modifying a Hardware Profile
To create or modify a hardware profile, in Control Panel, click Performance And Maintenance. In the Performance And Maintenance window, click System, and in the System Properties dialog box, click the Hardware tab. Click Hardware Profiles to view the Available Hardware Profiles list (Figure 4-13).

Figure 4-13 Available Hardware Profiles list in the Hardware Profiles dialog box

Windows XP Professional creates an initial profile during installation, listed as Profile 1 (Current). You can create a new profile with the same configuration as another profile. To create a new profile, in the Available Hardware Profiles list, select the profile that you want to copy, and then click Copy. The order of the profiles in the Available Hardware Profiles list determines the default order at startup. The first profile in the list becomes the default profile. To change the order of the profiles, use the Up and Down arrow buttons.

Activating a Hardware Profile
If the Available Hardware Profiles list contains two or more profiles, Windows XP Professional prompts the user to make a selection during startup. You can configure how long the computer waits before starting the default configuration. Some items to consider as you configure these settings:

■ To adjust this time delay, click the Select The First Profile Listed If I Don’t Select A Profile In option and then specify the number of seconds in the Seconds text box in the Hardware Profiles Selection group.

■ To configure Windows XP Professional to automatically choose the default profile without prompting the user, you set the number of seconds to 0.

NOTE
To override the default during startup, press SPACEBAR during the operating system selection prompt (on multiboot systems) or just after the BIOS screens disappear and before you see the Windows XP logo screen.

■ You can also select the Wait Until I Select A Hardware Profile option to have Windows XP Professional wait for you to select a profile.

When you use hardware profiles, be careful not to disable one of the boot devices using the Devices program in Control Panel. If you disable a required boot device, Windows XP Professional might not start. It is a good idea to make a copy of the default profile and then make changes to the new profile. Then you can use the default profile again if a problem occurs.

Viewing Hardware Profile Properties
To view the properties for a hardware profile, in the Available Hardware Profiles list, select a profile, and then click Properties. This displays the Properties dialog box for the profile. If Windows XP Professional identifies your computer as a portable unit, the This Is A Portable Computer check box is selected. If Windows XP Professional determines that your portable computer is docked, it selects that option. You cannot change this docked option setting after Windows XP Professional selects it.

DRIVER SIGNING AND FILE SIGNATURE VERIFICATION
Windows XP Professional drivers and operating system files have been digitally signed by Microsoft to ensure their quality. In Device Manager, you can look on the Driver tab of a device’s Properties dialog box to verify that the digital signer of the installed driver is correct.

Some applications overwrite existing operating system files as part of their installation process, which can cause system errors that are difficult to troubleshoot. Microsoft has greatly simplified the tracking and troubleshooting of altered files by signing the original operating system files and allowing you to easily verify these signatures.

Configuring Driver Signing Requirements
The Microsoft Windows Hardware Quality Laboratory (WHQL) tests and certifies devices and drivers for compatibility with Windows XP. The approved drivers are signed with a digital certificate.

CAUTION
Drivers provided by third-party developers might not have passed this process. Handle unsigned drivers at your own risk. They have not passed Microsoft quality testing.

To configure how the system responds to unsigned files, in Control Panel click System in the Performance And Maintenance section, and then click the Hardware tab. On the Hardware tab, in the Device Manager box, click Driver Signing (Figure 4-14).

Figure 4-14 Configuring driver signing in the Driver Signing Options dialog box

The following three settings are available to configure driver signing:

■ Ignore Allows any files to be installed regardless of their digital signature or lack thereof. Users are not alerted to the existence of an unsigned driver, and the driver is installed without delay.

CAUTION
Setting Ignore causes Windows XP to silently accept third-party drivers. Do not use this setting lightly. It poses a risk that a user can accept an unsuitable driver. It is almost always better to be alerted to the fact that a driver has not passed certification testing so you can make an informed decision about the driver’s suitability before proceeding with the installation.

■ Warn This option, the default, displays a warning message before allowing the installation of an unsigned file. The user has the option to continue installing the driver or to cancel the installation.

■ Block Prevents the installation of unsigned files. Organizations for which system reliability must be assured will want to set this option to prevent installation of any driver that has not been fully tested.

If you are logged on as Administrator or as a member of the Administrators group, you can select the Make This Action The System Default check box to apply the driver signing configuration to all users who log on to the computer.

Checking System File Signatures
Windows XP Professional also provides System File Checker (SFC), a command-line tool that you can use to check the digital signature of files. The syntax of the SFC tool is as follows:

Sfc [/scannow] [/scanonce] [/scanboot] [/revert] [/purgecache] [/cachesize=x]

Table 4-1 explains the SFC optional parameters.

Table 4-1 System File Checker Optional Parameters

Parameter      Description
/scannow       Causes the SFC tool to scan all protected system files immediately
/scanonce      Causes the SFC tool to scan all protected system files once at the next system restart
/scanboot      Causes the SFC tool to scan all protected system files every time the system restarts
/revert        Causes the SFC settings to be returned to the default settings
/purgecache    Purges the file cache
/cachesize=x   Sets the file cache size

Using the File Signature Verification Tool
The File Signature Verification tool (Figure 4-15) allows you to view the file’s name, location, modification date, file type, and version number. To use it, click Start, click Run, type sigverif, and then press ENTER. Once the File Signature Verification tool begins, you can click Advanced to configure it (Figure 4-16).

Figure 4-15 File signature verification

Figure 4-16 Configuring advanced file signature verification settings
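An added PowerShell example, not from the book, that turns the Block setting and the sigverif check described above into an audit you can run: it lists every PnP driver Windows regards as unsigned, summarizes who signed the rest, and checks the embedded Authenticode signature of named files. It assumes Windows PowerShell is installed; Win32_PnPSignedDriver and Get-AuthenticodeSignature are standard Windows components, and the file paths in the usage lines are only examples.

```powershell
# Added example, not the book's code: an inventory of what the Driver Signing
# "Block" setting would have refused, plus an embedded-signature check on
# individual files. Assumes Windows PowerShell is installed; Win32_PnPSignedDriver
# and Get-AuthenticodeSignature are standard Windows components.

function Get-DriverSigningReport {
    # Win32_PnPSignedDriver records, per device, whether Windows found a valid
    # signature for the driver (embedded or via a catalog file) and which
    # publisher signed it.
    $drivers  = @(Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName })        # skip entries with no device name
    $unsigned = @($drivers | Where-Object { -not $_.IsSigned })
    $signers  = @($drivers | Where-Object { $_.IsSigned } |
        Group-Object -Property Signer | Sort-Object -Property Count -Descending)
    New-Object PSObject -Property @{
        Total    = $drivers.Count
        Unsigned = $unsigned | Select-Object DeviceName, DriverProviderName, DriverVersion, InfName
        Signers  = $signers  | Select-Object Count, Name
    }
}

function Test-FileSignature {
    param([string[]]$Path)
    # Get-AuthenticodeSignature checks a signature embedded in the file itself.
    # Most Windows XP system files are signed through catalog files instead, so
    # they report NotSigned here even though sigverif and SFC accept them; the
    # check is meaningful for files that carry their own signature.
    foreach ($file in $Path) {
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = '(none)'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{ File = $file; Status = $sig.Status; Signer = $signer }
    }
}

# Usage (example paths; adjust to the files you want to inspect)
$report = Get-DriverSigningReport
'{0} PnP drivers, {1} unsigned' -f $report.Total, @($report.Unsigned).Count
$report.Unsigned | Format-Table -AutoSize
$report.Signers  | Format-Table -AutoSize
Test-FileSignature (Join-Path $env:SystemRoot 'system32\drivers\tcpip.sys'), (Join-Path $env:SystemRoot 'system32\kernel32.dll') |
    Format-Table File, Status, Signer -AutoSize
```

The Unsigned list is the set of drivers the Block setting would have stopped at installation time, so reviewing it on a machine that ran under Warn or Ignore shows which driver decisions a user made on their own.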

CONFIGURING COMPUTERS WITH MULTIPLE PROCESSORS
This section explains how to configure a system with multiple processors. It covers scaling and upgrading your computer from a single processor to a multiprocessor system. During installation, Windows XP detects the type and number of processors on the system board and installs the appropriate HAL to support the system’s processor(s). In addition, each processor has a device driver just like any other hardware device on the system. This allows the replacement of processors with models that have different speeds and capabilities.

Multiprocessor Scaling
Adding processors to your system is one way to improve performance. This is more of an issue for Windows Server products than it is for Windows XP Professional because multiprocessor configurations are typically used for processor-intensive applications, such as those found on database servers or Web servers. However, any application that performs heavy computation and is designed for multiple processors, such as certain scientific or financial applications or applications that do complex graphic rendering (like computer-aided design programs), will benefit from multiprocessor systems (although most applications will get a boost).

NOTE
Upgrading to multiple processors can increase the load on other system resources. You might need to increase other resources such as disks, memory, and network components to get the maximum benefit from adding a second CPU. In addition, to make full use of multiple processors, applications must be designed to support multi-threaded operation. Most 32-bit applications use multiple threads to some extent but have not been optimized for multiple CPUs.

To add a second processor:

1. Shut down the system.
2. Install the second CPU according to the CPU manufacturer’s instructions.
3. Start the system. Windows XP detects the second CPU and forces a Found New Hardware installation routine. The HAL is changed to support multiple processors.

MANAGING ACPI SUPPORT
Advanced Configuration and Power Interface (ACPI) is a computer industry specification that defines how motherboards, operating systems, and programs interface with power components and peripheral devices. It consolidates features of PnP with features of Advanced Power Management (APM) to allow the operating system to control system power, processor performance states, and power to peripheral devices.

NOTE
ACPI supersedes PnP and APM and is designed to control devices that are built to those standards as well as newer devices that support ACPI.

When Windows XP is installed on a computer, it checks the version of the system BIOS against a list of known good ACPI BIOS releases. If it finds the BIOS in the list, it installs an ACPI HAL. If the BIOS cannot be verified to be a known good version, Windows XP installs a non-ACPI HAL to enable basic power management and PnP operation.

In future versions of ACPI, the system hardware will be able to negotiate ACPI settings with the operating system during installation to provide the most comprehensive feature set possible under the circumstances.

CAUTION
Microsoft does not support changing from an ACPI HAL to a non-ACPI HAL, or vice versa, because of the great differences in how each specification detects and installs devices. Changing the HAL will likely cause system instability and failure to start, requiring a reinstallation of Windows XP to restore proper operation.

To see which HAL is loaded on your system:

1. Open the System Properties dialog box.
2. Click the Hardware tab.
3. Click Device Manager to launch the Device Manager console.
4. Expand the Computer object. The HAL installed on your system will be displayed as shown in Figure 4-17.

Figure 4-17 Device Manager displaying the HAL version

Forcing Installation of a Specific HAL
You can force Windows XP to install a specific HAL during operating system installation. You should do this only under the advice of a representative of the hardware manufacturer or Microsoft Product Support Services (PSS).

To force Windows XP to install a specific HAL:

1. Just after booting from the Windows CD-ROM or soon after starting the Windows XP setup program, you are presented with the option to press F6 if you need to install a SCSI or RAID controller (Figure 4-18). Press F5 instead.

Figure 4-18 Press F5 here to install an alternative HAL.

2. On the screen that appears, shown in Figure 4-19, select the appropriate hardware abstraction layer.

Figure 4-19 Selecting a HAL

NOTE
You can skip HAL selection and force use of a non-ACPI HAL by pressing F7 in step 1 above instead of F5.

TROUBLESHOOTING ACPI
Most ACPI problems stem from not having the correct HAL for the system experiencing trouble. Using an ACPI HAL with a non-ACPI compliant system can result in resource arbitration issues. This can manifest itself as problems with shutting down properly, I/O errors during operation, and problems with hibernation or standby operation. To use a different HAL, you must reinstall Windows XP, forcing the installation of the correct HAL if necessary. You should do this only under the advice of a representative of the hardware manufacturer or Microsoft PSS.

SUMMARY

■ Windows XP can install and manage hardware devices automatically using the PnP and ACPI specifications.

■ Manually configuring a device prevents Windows XP from managing its settings and hinders automatic resource arbitration.

■ Hardware profiles allow Windows XP to maintain more than one configuration to support systems that experience repetitive hardware changes such as docking and undocking a notebook computer.

■ The Microsoft Windows Hardware Quality Laboratory (WHQL) tests and certifies devices and drivers for compatibility with Windows XP. The approved drivers are signed with a digital certificate.

■ Windows XP can prohibit installation of unsigned device drivers.

■ Windows XP is provided with digitally signed system files and can verify and restore these files if they are overwritten by applications.

■ Adding a second CPU in Windows XP causes Windows XP to install a multiprocessor HAL to enable multiprocessor support.

■ Advanced Configuration and Power Interface (ACPI) controls device and power management in Windows XP.

■ Changing between ACPI and non-ACPI hardware abstraction layers (HALs) will cause system instability and can result in failure to start.

■ You can select a version of the HAL during system installation and reinstallation.

REVIEW QUESTIONS

1. Which of the following settings does Windows XP configure on Plug and Play peripheral devices? (Choose all correct answers.)
   a. IRQ
   b. I/O address
   c. voltage
   d. performance level

2. Which of the following settings does Windows XP configure on ACPI peripheral devices? (Choose all correct answers.) (knowledge application)
   a. IRQ
   b. I/O address
   c. bus type
   d. bandwidth

3. To make full use of a second CPU, an application must support __________ operation. (knowledge demonstration)

4. Device drivers that are tested and accepted by the Microsoft Hardware Quality Laboratory (WHQL) are digitally __________. (knowledge demonstration)
   a. approved
   b. accepted
   c. signed
   d. encrypted

5. Which of the following technologies do you use to block the installation of unsigned device drivers? (knowledge application)
   a. File Signature Verification
   b. Driver signing
   c. System File Checker
   d. Sigverif

CASE SCENARIOS Scenario 4-1: Managing a Hardware Upgrade You are upgrading a graphics workstation to improve performance. You are adding a second CPU and additional memory. Which of the following choices provides for correct installation of both new components? a. Install a multiprocessor HAL for the processor, and take no action for the memory. b. Take no action for the processor or for the memory.

CHAPTER 4:

MANAGING DEVICES AND PERIPHERALS

c. Reinstall Windows XP to support the processor, and take no action for the memory.
d. Take no action for the processor, and run the Add New Hardware Wizard for the memory.

Scenario 4-2: Troubleshooting Problems with the HAL

You are troubleshooting a system that will not boot. The user of the system says that he replaced the ACPI HAL with a non-ACPI HAL. How do you solve this problem?
a. Run System Restore to replace the original HAL.
b. Change the HAL back to the original.
c. Reinstall Windows XP.
d. Restore the original HAL from a backup.


CHAPTER 5

CONFIGURING AND MANAGING THE USER EXPERIENCE Upon completion of this chapter, you will be able to: ■ Configure and manage desktop components ■ Configure display options ■ Configure multiple displays ■ Configure power management options ■ Manage users’ profiles and data ■ Configure regional and language settings ■ Manage accessibility settings

In this chapter, you will learn how to manage the Microsoft Windows XP user experience. We will explore desktop components and their settings; configure power management options; manage user profiles, user profile folders, and data folders; and configure accessibility options. We will also discuss regional settings and language options, and how to configure and manage multiple displays in Windows XP.


CONFIGURING AND MANAGING DESKTOP COMPONENTS The desktop environment is the workspace of the Windows XP user. It offers a metaphor for organization that allows users to personalize their work area to suit their requirements and offers a space to store documents, frequently used program shortcuts, and links to Web sites. You can even embed Web site views directly into the background wallpaper. In this section, we will explore desktop configuration, including the configuration of components such as the taskbar, the Start menu, and the notification area. We will explore display settings such as wallpaper selection, screen savers, screen resolution, and color settings. We will conclude by discussing multiple monitor support and troubleshooting.

Configuring Display Settings Windows XP supports a wide range of display options and an amazing array of hardware and configurations. To view or modify the display, open Control Panel, click Appearance And Themes, and then click Display to open the Display Properties dialog box. Alternatively, you can access the dialog box by right-clicking the desktop and selecting Properties.

NOTE The Windows XP Control Panel supports two modes of operation: Category view (the default) and Classic view. In Classic view, the Display icon is in plain view. We present the Category view navigation path here because it is the default experience for most users.

The Display Properties dialog box has five tabs: Themes, Desktop, Screen Saver, Appearance, and Settings. We will examine them in turn.

IMPORTANT You can enable Group Policy settings that restrict access to display options. For example, you can remove the Appearance tab or the Settings tab from the Display Properties dialog box. For more information about Group Policy, see Chapter 13 and Chapter 14.

Themes tab On the Themes tab (Figure 5-1), you can select a complete set of configuration settings to set a theme for colors, wallpapers, sounds, icons, and other elements. You can choose from included themes such as Windows Classic or Windows XP, or you can choose themes published online or as part of Microsoft Plus! For Windows XP.

CHAPTER 5:

CONFIGURING AND MANAGING THE USER EXPERIENCE

Figure 5-1 The Themes tab of the Display Properties dialog box

Desktop tab The Desktop tab is where you select desktop wallpaper and background colors (Figure 5-2). You can select one of the available wallpaper options or a solid background color, or you can browse for a graphic image in a folder on your hard drive.

Figure 5-2 The Desktop tab of the Display Properties dialog box

You can also use this tab to access settings that control which default icons are displayed on the desktop and their appearance. Click Customize Desktop to open the Desktop Items dialog box (Figure 5-3). You can choose to include or exclude an icon for My Documents, My Computer, My Network Places, and Microsoft Internet Explorer on your desktop, as well as customize the icons used to represent these items. You can also configure the frequency with which the Desktop Cleanup Wizard (Figure 5-4) is run. The default setting for running the wizard is every 60 days. Click Clean Desktop Now to run the Desktop Cleanup Wizard immediately.


Figure 5-3 Managing desktop icons in the Desktop Items dialog box

Figure 5-4 Removing unused icons with the Desktop Cleanup Wizard

The wizard removes icons from the desktop that have not been used in the last 60 days and places them in the Unused Desktop Shortcuts folder on the user’s desktop; it does not remove any programs from your computer.

You can also embed Web site content in your desktop. To include Web content on your desktop, in the Desktop Items dialog box, click the Web tab (Figure 5-5). You are presented with a list of Web pages. You can add any Web page to your desktop by selecting the check box next to it or by clicking New and entering the URL. You can also click Delete to remove a Web page from the list. Click Properties to view the Properties dialog box for the embedded Web page. This dialog box (Figure 5-6) allows you to make the Web page available offline, to synchronize immediately or schedule the synchronization of this offline Web page with the content on the Internet, and to specify whether you want Microsoft Internet Explorer to download more than just the top-level page of this Web site.

Figure 5-5 Managing desktop Web content

Figure 5-6 Viewing settings for an embedded Web page

NOTE If you want Internet Explorer to download more than just the top-level page, you can configure the Web component to include all of the content linked up to three levels deep when synchronizing the page.

IMPORTANT Embedded Web content is rendered by the Internet Explorer engine and is refreshed from the network on the schedule you set, so it is governed by the same Internet Explorer security zone settings as a browser window. In managed environments, administrators commonly restrict or disable desktop Web items through Group Policy (User Configuration, Administrative Templates, Desktop, Active Desktop).

Screen Saver tab The Screen Saver tab (Figure 5-7) allows you to choose a screen saver. Screen savers prevent damage to monitors by preventing an image from being burned into the screen. Newer monitors are less likely to burn in than early monitors, but long-term display of fixed objects can still cause some damage. You can select the time the system will remain idle before the screen saver appears; the default is 15 minutes. You can even use a picture of your own as a screen saver by uploading it from a digital camera or scanner, copying it from the Internet, or copying it from an e-mail attachment.

Figure 5-7 Configuring screen saver settings
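The idle timeout on this tab and its password-on-resume setting (discussed next) are what turn the screen saver into a workstation lock, and an administrator usually wants to verify and enforce both without visiting every desktop. The following Windows PowerShell script is an added example, not code from the book or from Microsoft. It assumes Windows PowerShell 2.0; that the tab writes the REG_SZ values ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut (in seconds) and SCRNSAVE.EXE under HKCU\Control Panel\Desktop; and that the same value names under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop are the Group Policy equivalents, which take precedence and grey out the controls on the tab. The 10-minute limit and the use of the built-in blank screen saver (scrnsave.scr) are choices made for the example.

```powershell
# Added example (not from the book): audit and enforce the screen-saver lock
# for the current user. Assumes Windows PowerShell 2.0 and the registry
# locations named in the lead-in.

$userKey        = 'HKCU:\Control Panel\Desktop'
$policyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$maxIdleSeconds = 600   # threshold chosen for this audit: 10 minutes

function Get-ScreenSaverState {
    # Reads the four values from one key; returns $null if the key is absent.
    param([string]$Key)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    New-Object PSObject -Property @{
        Active  = ($p.ScreenSaveActive -eq '1')
        Secure  = ($p.ScreenSaverIsSecure -eq '1')
        Timeout = [int]($p.ScreenSaveTimeOut)   # 0 when the value is missing
        Program = $p.'SCRNSAVE.EXE'
    }
}

function Test-ScreenSaverLock {
    # The lock is effective only if all hold: a screen saver is selected, it is
    # active, it starts within the idle limit, and resuming asks for the password.
    param($State, [int]$MaxIdle)
    if ($State -eq $null) { return $false }
    return ($State.Active -and $State.Secure -and
            $State.Timeout -gt 0 -and $State.Timeout -le $MaxIdle -and
            -not [string]::IsNullOrEmpty($State.Program))
}

# Policy values, when present, are what the user actually gets.
$effective = Get-ScreenSaverState $policyKey
if ($effective -eq $null) { $effective = Get-ScreenSaverState $userKey; $source = 'user setting' }
else                      { $source = 'Group Policy' }

$compliant = Test-ScreenSaverLock $effective $maxIdleSeconds
"Screen saver lock ($source): " + $(if ($compliant) { 'compliant' } else { 'NOT compliant' })
$effective | Format-List

# Enforce by writing the policy values, which the user cannot change from the tab.
if (-not $compliant) {
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name ScreenSaveActive    -Value '1'               -Type String
    Set-ItemProperty -Path $policyKey -Name ScreenSaverIsSecure -Value '1'               -Type String
    Set-ItemProperty -Path $policyKey -Name ScreenSaveTimeOut   -Value "$maxIdleSeconds" -Type String
    Set-ItemProperty -Path $policyKey -Name 'SCRNSAVE.EXE' `
        -Value (Join-Path $env:SystemRoot 'system32\scrnsave.scr') -Type String
    'Policy values written; they take effect at the next logon or policy refresh.'
}
```

Writing the policy values locally reproduces what a domain Group Policy Object would do; on a domain member the GPO’s own values replace them at the next refresh, so the durable fix is the Group Policy setting itself (User Configuration, Administrative Templates, Control Panel, Display).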

The Screen Saver tab also lets you require a password before the screen saver clears: select On Resume, Password Protect (on computers that use the Welcome screen, the option reads On Resume, Display Welcome Screen). With this option, the screen saver effectively locks the workstation if you are called away and cannot return in a timely manner; dismissing the screen saver presents the same prompt as when you lock the computer yourself. Note the gap: the computer stays unlocked until the idle timeout expires, so when you leave the computer deliberately, lock it immediately (press the Windows logo key+L) rather than wait for the screen saver. On a domain-joined computer, an administrator can make the screen saver, its timeout, and the password prompt mandatory through Group Policy so that users cannot turn them off. Finally, on this tab you can adjust system power profiles and settings to help save energy. We will discuss power management in more detail later in this chapter.

Appearance tab The Appearance tab (Figure 5-8) allows you to configure the style of windows and buttons, the color scheme, and font size.

Figure 5-8 The Appearance tab of the Display Properties dialog box


Click Effects to configure the following options (Figure 5-9):
■ Use The Following Transition Effect For Menus And Tooltips
■ Use The Following Method To Smooth Edges For Screen Fonts
■ Use Large Icons
■ Show Shadows Under Menus
■ Show Windows Contents While Dragging
■ Hide Underlined Letters For Keyboard Navigation Until I Press The Alt Key

Figure 5-9 Configuring menu and text effects

Settings tab The Settings tab allows you to configure display options, including the number of colors, video resolution, font size, and refresh frequency (Figure 5-10).

Figure 5-10 Settings tab of the Display Properties dialog box


Let’s explore the options on the Settings tab for configuring display settings:
■ Color Quality Displays the current color settings for the monitor attached to the display adapter listed under Display. This option allows you to change the color quality for the display adapter.
■ Screen Resolution Displays the current screen resolution settings for the monitor attached to the display adapter listed under Display. This option allows you to set the resolution for the display adapter. As you increase the number of pixels, you display more information on the screen, but you decrease the size of the information.
■ Troubleshoot Opens the Video Display Troubleshooter to help you diagnose display problems.
■ Advanced Opens the Properties dialog box for the display adapter, as described in Table 5-1.

Table 5-1 Display Adapter Advanced Options

General tab
■ Display (DPI Setting) Provides Normal, Large, or Other display font options. Use the Other option to choose a custom font size.
■ Compatibility Determines the action that Windows should take when you make changes to display settings. After you change the color settings, you must choose one of the following options:
❑ Restart The Computer Before Applying The New Display Settings
❑ Apply The New Display Settings Without Restarting
❑ Ask Me Before Applying The New Display Settings

NOTE Some display adapter drivers install their own custom tabs for this dialog box. If you see additional manufacturer-specific tabs, check your manufacturer’s documentation for details on configuring options in those tabs.

Adapter tab
■ Adapter Type Provides the manufacturer and model number of the installed adapter. Clicking Properties displays the Properties dialog box for your adapter (Figure 5-11):
❑ The General tab of the Properties dialog box provides additional information, including device status, resource settings, and any conflicting devices.
❑ The Driver tab of the Properties dialog box provides details about the display adapter’s device driver and allows you to update the driver, roll back to the previously installed driver, or uninstall the driver.
❑ The Resources tab of the Properties dialog box displays the hardware resources (such as IRQs or device I/O ports) being used by the adapter.
■ Adapter Information Provides additional information about the display adapter, such as video chip type, digital-to-analog converter (DAC) type, memory size, and BIOS version.
■ List All Modes Displays all compatible modes for your display adapter and lets you select resolution, color depth, and refresh frequency in one step.

Figure 5-11 The Properties dialog box for a display adapter

Monitor tab
■ Monitor Type Provides the manufacturer and model number of the currently installed monitor. The Properties button opens the hardware Properties dialog box for your monitor, which lists device and driver information and allows you to manage the device drivers for your monitor. It also gives access to the Video Display Troubleshooter to help resolve problems with this device.
■ Monitor Settings Configures the refresh rate frequency. This option applies only to high-resolution drivers. Do not select a refresh rate and screen resolution combination that is unsupported by the monitor. If you are unsure, refer to your monitor documentation or select the lowest refresh rate option. When you use a Plug and Play display, unsupported settings are unavailable; you would have to clear the Hide Modes This Monitor Cannot Display check box to see them. If you select an unsupported refresh rate, your monitor will most likely go blank for 15 seconds while Windows displays a confirmation dialog box. By waiting for the dialog box to expire, you decline to apply the settings permanently, and the prior settings are restored.

Troubleshoot tab
■ Hardware Acceleration Lets you progressively decrease your display hardware’s acceleration features to help you isolate and eliminate display problems.
■ Enable Write Combining Lets you select whether to use write combining, which improves video performance by collecting video display writes in the CPU and then bursting them to the video display memory in large blocks. Write combining on unsupported hardware can lead to screen corruption, however. If you experience trouble with your display, try clearing the Enable Write Combining check box.

Color Management tab
■ Specifies the color profile for your monitor.


Using Multiple Displays Windows XP Professional supports multiple display configurations. Multiple displays allow you to extend your desktop across more than one monitor (Figure 5-12). Windows XP Professional supports the extension of your display across a maximum of 10 monitors.

Figure 5-12 A document viewed on multiple displays

IMPORTANT You must use Peripheral Component Interconnect (PCI) or Accelerated Graphics Port (AGP) display adapters when configuring multiple displays.

If one of the display adapters is built into the motherboard, note these additional considerations:
■ The motherboard adapter always becomes the secondary adapter. It must be multiple-display compatible.
■ You must set up Windows XP Professional before installing another display adapter. Windows XP Professional Setup disables the motherboard adapter if it detects another display adapter. In some systems, the BIOS completely disables the on-board adapter on detecting an add-in adapter. If you are unable to override this detection in the BIOS, you cannot use the motherboard adapter with multiple displays.
■ Typically, the system BIOS selects the primary display based on PCI slot order. However, on some computers, the BIOS allows the user to select the primary display device.
■ You cannot disable the primary display. This is an important consideration for laptop computers with docking stations. For example, some docking stations contain a display adapter; these often disable, or turn off, a laptop’s built-in display. Multiple-display support does not function in these configurations unless you attach multiple adapters to the docking station.

Configuring Multiple Displays Before you can configure multiple displays, you must install additional display adapters in your PC. Then you must enable each one for operation in a multiple-display environment. To install multiple monitors, complete the following steps:
1. Turn off your computer, and insert one or more additional PCI or AGP display adapters into available slots on your computer. Follow the instructions provided by the adapter manufacturer(s).
2. Plug an additional monitor into each PCI or AGP display adapter that you installed.
3. Turn on your computer and allow Windows XP Professional to detect the new adapters and install the appropriate device drivers. You might be required to insert driver disks and configure additional settings as specified in the manufacturer’s installation instructions.

To configure your display in a multiple-display environment, complete the following steps:
1. In Control Panel, click Appearance And Themes, and then click Display.
2. In the Display Properties dialog box, click the Settings tab (Figure 5-13).

Figure 5-13 Configuring multiple-display support


3. Click the monitor icon for the primary display device.
4. Select the display adapter for the primary display, and then select the color depth and resolution.
5. Click the monitor icon for the secondary display device.
6. Select the display adapter for the secondary display, and then select the Extend My Windows Desktop Onto This Monitor check box.
7. Select the color depth and resolution for the secondary display.
8. Repeat steps 5 through 7 for each additional display.

Windows XP Professional uses the virtual desktop concept to determine the relationship of each display. The virtual desktop uses coordinates to track the position of each individual display desktop. The coordinates of the top-left corner of the primary display always remain 0, 0. Windows XP Professional sets secondary display coordinates so that all the displays adjoin each other on the virtual desktop. This allows the system to maintain the illusion of a single, large desktop where users can cross from one monitor to another without losing track of the mouse. To change the display positions on the virtual desktop, select the Settings tab, click Identify, and drag the display representations to the desired position. The positions of the icons dictate the coordinates and the relative positions of the displays.

Troubleshooting Multiple Displays If you encounter problems with multiple displays, follow the troubleshooting guidelines in Table 5-2.

Table 5-2 Troubleshooting Tips for Multiple Displays

Problem: You cannot see any output on the secondary displays.
Possible solutions:
■ Activate the device in the Display Properties dialog box. Confirm that you chose the correct video driver.
■ Restart the computer to confirm that the secondary display initialized. If it didn’t, check the status of the display adapter in Device Manager.
■ Check that both display adapters are compatible with multiple-monitor support. If the primary adapter is not compatible, multiple-display support will not be activated.

Problem: The Extend My Windows Desktop Onto This Monitor check box is unavailable.
Possible solutions:
■ In the Display Properties dialog box, select the display onto which you want to extend your desktop.
■ Confirm that the secondary display adapter is supported.
■ Confirm that Windows XP Professional can detect the secondary display.

Problem: An application fails to display on the secondary display.
Possible solutions:
■ Run the application on the primary display.
■ Run the application in full-screen mode (MS-DOS) or maximized (Windows).
■ Disable the secondary display to determine whether the problem is specific to multiple-display support.

The Taskbar and Start Menu In addition to modifying your display settings, you can customize the behavior of the taskbar and the Start menu. In this section, we will explore the settings for these two desktop components. Configuring the taskbar The taskbar allows you to tell at a glance which applications are loaded and access these applications even if another application has the focus on the desktop or is maximized. When the taskbar icons start to get too crowded, they can group themselves into stacks based on the type of application. You can control this behavior (and other settings) in the Taskbar And Start Menu Properties dialog box (Figure 5-14), which you open by right-clicking on the taskbar or the Start menu and then selecting Properties.

Figure 5-14 The Taskbar And Start Menu Properties dialog box


NOTE The Taskbar And Start Menu Properties dialog box previews the appearance of changes you specify. If you want to see what some of these settings look like, just watch the picture of the taskbar in the dialog box as you choose them. You will see how the taskbar would look with these settings applied.

Let’s explore the settings in this dialog box:
■ Lock The Taskbar This setting locks the position and size of the taskbar, preventing you from inadvertently moving it to another edge of the screen or resizing docked toolbars (such as Quick Launch or Media Player) or the taskbar itself.
■ Auto-Hide The Taskbar This setting causes the taskbar to retreat to the edge of the screen whenever it is not the focus of an operation. This gives an additional portion of screen space to other applications.
■ Keep The Taskbar On Top Of Other Windows This setting prevents other application windows from covering the taskbar. (Covering the taskbar prevents the user from accessing other applications by clicking their taskbar icons.)
■ Group Similar Taskbar Icons This option causes the icons for similar applications to stack themselves into groups when the taskbar starts to get too cluttered. Disabling this option causes the icons to get smaller and smaller as more are added, until they can no longer be read.
■ Show Quick Launch This option displays the Quick Launch toolbar on the taskbar. This toolbar allows you to add icons to quickly launch applications without searching for them on the Start menu.

NOTE If you are running many different types of applications at once, it is still possible to overcrowd the taskbar even with grouping enabled.

Configuring the notification area The notification area (formerly known as the system tray in earlier versions of Windows) includes the system clock display and notification icons for any background applications running on your system. The notification area has two options:
■ Show The Clock Enables or disables the clock display.
■ Hide Inactive Icons Allows you to hide notification icons that are not currently active. You can also designate certain icons that will always show by using the Customize button (Figure 5-15).


Figure 5-15 Customizing the notification area

Configuring the Start menu The Start menu is the most-used menu in Windows XP. It contains program shortcuts, configuration settings, recently used document lists, frequently used programs, and pinned programs, which are programs that are fixed to the Start menu for rapid access. You can customize the Start menu through the Taskbar And Start Menu Properties dialog box (Figure 5-16).

Figure 5-16 Customizing the Start menu

You can click the Customize button to open the Customize Start Menu dialog box (Figure 5-17), where you can customize several features of the Start menu. The dialog box has two tabs: General and Advanced.


Figure 5-17 Customizing the Windows XP Start menu

Options on the General tab of the Customize Start Menu dialog box are as follows:
■ Select An Icon Size For Programs Specifies large or small icons on the Start menu. You can use this option to prevent the Start menu from getting too large when there are too many icons.
■ Programs Controls the number of recent programs that are displayed. You can also clear the list here.
■ Show On Start Menu Specifies which programs to display on the Start menu as the default tools for accessing the Internet via the World Wide Web and communicating via e-mail. You can also disable the display of applications for these categories by clearing the check box next to each program.

The following options are available on the Advanced tab of the Customize Start Menu dialog box (Figure 5-18):
■ Start Menu Settings This portion of the dialog box controls the behavior of two aspects of Start menu operation:
❑ Open Submenus When I Pause On Them With My Mouse Controls navigation of the Start menu. If you disable this setting, you must click each submenu to expand it.
❑ Highlight Newly Installed Programs Causes the Start menu to draw attention to new applications by highlighting their submenus and shortcuts.
■ Start Menu Items Controls which submenus are displayed on the Start menu and their appearance. This selection includes options to display Control Panel, the My Documents folder, and My Computer.
■ Recent Documents Activates the display of the My Recent Documents list. Clicking the Clear List button clears the contents of this list.

Figure 5-18 Configuring Start menu advanced items

Restoring the Classic Start menu You can choose the Classic Start Menu option in the Taskbar And Start Menu Properties dialog box to configure Windows XP with the appearance of Windows 2000 Professional. Clicking Customize opens the Customize Classic Start Menu dialog box (Figure 5-19), where you can add or remove items from the Classic Start menu and enable or disable optional submenus.

Figure 5-19 Customizing the Classic Start menu


CONFIGURING POWER OPTIONS You can configure Windows XP Professional to turn off the power to your monitor and your hard disk or put the computer in hibernate mode. In Control Panel, click Performance And Maintenance, and then click Power Options. Alternatively, you can use the Screen Saver tab of the Display Properties dialog box.

Selecting a Power Scheme Power schemes allow you to configure the conservation settings for your system. In the Power Options Properties dialog box (Figure 5-20), click the Power Schemes tab.

Figure 5-20 The Power Schemes tab of the Power Options Properties dialog box for a notebook computer

Windows XP Professional provides the following six built-in power schemes:
■ Home/Office Desk Designed for a desktop computer. After 20 minutes of inactivity, the monitor is turned off, but the hard disks are never turned off.
■ Portable/Laptop Optimized for portable computers that run on batteries. After 15 minutes of inactivity, the monitor is turned off; after 30 minutes of inactivity, the hard disks are turned off. The system will go on standby (low power) after 20 minutes and hibernate (if enabled) after 1 hour.
■ Presentation Designed for use with presentations for which the computer display must always remain on. The monitor and the hard disks are never turned off.
■ Always On Designed for use with personal servers. After 20 minutes of inactivity, the monitor is turned off, but the hard disks are never turned off.
■ Minimal Power Management Disables some power management features, such as timed hibernation. After 15 minutes of inactivity, the monitor is turned off, but the hard disks are never turned off.
■ Max Battery Designed to conserve as much battery power as possible. After 1 minute of inactivity, the monitor is turned off; the hard disks are turned off after 3 minutes. The system goes on standby after 2 minutes and hibernates after 5 minutes.

NOTE When notebook computers are running on batteries, the settings for power schemes change. The Portable/Laptop figures above are the AC-power values; on battery, the time drops to 5 minutes for monitor, hard disk, and system standby, with hibernation in 10 minutes. The Max Battery figures are the on-battery values. The remaining schemes are for a desktop computer or a laptop on AC power.

Configuring Advanced Power Options To configure your computer to use advanced power options, you use the Advanced tab of the Power Options Properties dialog box (Figure 5-21).

Figure 5-21 Advanced power options on a notebook computer

This tab offers the following options:
■ Select the Always Show Icon On The Taskbar check box to add an icon to the taskbar for quick access to Power Management.
■ Select the second check box, Prompt For Password When Computer Resumes From Standby, to be prompted for your Windows password when your computer comes out of standby mode. (On older systems, this check box might not appear unless the system is set to hibernate.) Without this option, anyone who opens the lid or presses a key on a suspended computer gets the previous user’s session with no logon.


The lower half of this tab configures actions the system will take if the power button is pressed, or (for laptops only) when the lid is closed or the sleep button is pressed. Options for these settings include: Shut Down, Stand By, Hibernate, Do Nothing, and Ask Me What To Do.

Enabling Hibernate Mode When your computer hibernates, it saves the current system state to your hard disk, and then your computer shuts down. When you start the computer after it has been hibernating, it returns to its previous state, which includes any programs that were running when it went into hibernate mode, and even any local network connections that were active at the time.

NOTE Dial-up and VPN connections are not preserved during a hibernate action.

To configure your computer to use Hibernate mode:

1. Select the Hibernate tab in the Power Options Properties dialog box (Figure 5-22).
2. Select the Enable Hibernation check box.

Figure 5-22 Enabling hibernation on a Windows XP system

IMPORTANT You must have free disk space equivalent to the amount of RAM on your system to allow the system’s state to be written to disk during hibernation; the state is stored in the file hiberfil.sys in the root of the system drive. If the Hibernate tab is unavailable, your computer does not support this mode.

CAUTION The hibernation file is an image of physical memory. Whatever was in RAM when the computer hibernated (open documents, cached credentials, keys held by running programs) stays on disk until the file is overwritten, so a portable computer that hibernates rather than shutting down exposes that data to anyone who obtains the disk.
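The Power Schemes, Advanced, and Hibernate tabs described above have a command-line counterpart, powercfg.exe, which is what you would use to apply the same settings to many computers from a logon script. The following Windows PowerShell script is an added example, not code from the book or from Microsoft. It assumes the Windows XP form of the powercfg switches (/list, /create, /change with /monitor-timeout-ac and the similar timeout switches, /setactive, /hibernate, and /globalpowerflag with /option:resumepassword), which differs from later Windows versions; the scheme name Corporate Laptop and the timeout values are chosen for the example. Run it as a member of the Administrators group and compare the final powercfg /query output with the dialog box.

```powershell
# Added example (not from the book): create and activate a locked-down power
# scheme with powercfg.exe, enable hibernation, and require the Windows
# password on resume. Assumes Windows XP powercfg syntax; confirm with
# `powercfg /?` on the target before deploying.

$scheme = 'Corporate Laptop'   # name chosen for this example

function Invoke-PowerCfg {
    # Runs powercfg.exe with the given arguments and throws on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & powercfg.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "powercfg $($Arguments -join ' ') failed: $output" }
    return $output
}

# 1. Hibernation must be on before hibernate timeouts can be set
#    (equivalent to the Enable Hibernation check box).
Invoke-PowerCfg @('/hibernate', 'on') | Out-Null

# 2. Create the scheme if it does not exist yet; /list prints one line per scheme.
$existing = Invoke-PowerCfg @('/list')
if (-not ($existing | Select-String -Pattern $scheme -SimpleMatch)) {
    Invoke-PowerCfg @('/create', $scheme) | Out-Null
}

# 3. Timeouts in minutes; -ac applies on AC power, -dc on battery, mirroring
#    the two columns of the Power Schemes tab.
Invoke-PowerCfg @('/change', $scheme,
    '/monitor-timeout-ac',   '10', '/monitor-timeout-dc',   '5',
    '/disk-timeout-ac',      '20', '/disk-timeout-dc',      '10',
    '/standby-timeout-ac',   '15', '/standby-timeout-dc',   '10',
    '/hibernate-timeout-ac', '60', '/hibernate-timeout-dc', '30') | Out-Null

# 4. Make it the active scheme (the same as selecting it and clicking Apply).
Invoke-PowerCfg @('/setactive', $scheme) | Out-Null

# 5. Require the password on resume (the Prompt For Password When Computer
#    Resumes From Standby check box on the Advanced tab). This is a global
#    flag, not part of the scheme.
Invoke-PowerCfg @('/globalpowerflag', 'on', '/option:resumepassword') | Out-Null

# 6. Print the resulting scheme so it can be checked against the dialog box.
Invoke-PowerCfg @('/query', $scheme)
```

Because the resume password is a global flag rather than a scheme setting, step 5 stays in force when a user later switches schemes from the Power Schemes tab; the scheme itself, however, can be changed by any user unless Group Policy restricts access to Power Options.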


Configuring Advanced Power Management Windows XP Professional supports Advanced Power Management (APM), which helps reduce the power consumption of your system. To configure your computer to use APM, you use the APM tab of the Power Options Properties dialog box. The APM tab does not appear on computers that are compliant with Advanced Configuration and Power Interface (ACPI), a specification that supersedes APM, or on computers whose BIOS does not support APM. To enable APM, select the Enable Advanced Power Management Support check box on the APM tab.

NOTE You must be logged on as a member of the Administrators group to configure APM.

Advanced Configuration and Power Interface (ACPI) If your laptop has an ACPI-based BIOS, you can insert and remove PC cards on the fly, and Windows XP Professional will detect and configure them without requiring you to restart your machine. This is known as dynamic configuration of PC cards. There are two other important features for mobile computers:
■ Hot and warm docking/undocking Hot and warm docking/undocking means you can dock and undock from the Windows XP Professional Start menu without turning off your computer. Windows XP Professional automatically creates two hardware profiles for laptop computers: one for the docked state and one for the undocked state. (For more information about hardware profiles, see Chapter 4.)
■ Hot swapping of Integrated Device Electronics (IDE) and floppy devices Hot swapping of IDE and floppy devices means you can remove and swap devices such as floppy drives, DVD/CD drives, and hard drives without shutting down or restarting your system; Windows XP Professional automatically detects and configures these devices.

Configuring an Uninterruptible Power Supply An uninterruptible power supply (UPS) is a device connected between a computer or another piece of electronic equipment and a power source, such as an electrical outlet. The UPS ensures that the electrical flow to the computer is not interrupted because of a blackout and, in most cases, it protects the computer from potentially damaging events such as power surges and brownouts. Different UPS models offer different levels of protection.


To configure your UPS, click the UPS tab of the Power Options Properties dialog box, which shows the current power source, the estimated UPS run time, the estimated UPS capacity, and the UPS battery condition. Click Details to display the UPS Selection dialog box, which lists manufacturers so you can select the manufacturer of your UPS. Unlike desktop systems, notebook computers do not enable the UPS tab in the Power Options Properties dialog box (because they don’t need it).

NOTE Check the Windows Catalog to make sure the UPS you are considering is compatible with Windows XP Professional before you purchase it.

If you want to configure a UPS not listed by manufacturer and model:

1. In the Select Manufacturer list box, select Generic.
2. In the Select Model list box, select Generic, and then click Next.

You can configure the conditions that trigger the UPS device to send a signal in the UPS Interface Configuration dialog box (Figure 5-23). These conditions include power failures, a low battery, and the UPS shutting down. You should select Positive if your UPS sends a signal with positive polarity when the power fails and the UPS is running on battery. Select Negative if your UPS sends a signal with negative polarity.

CAUTION Be sure to check your UPS documentation before you configure signal polarity.


Figure 5-23 The UPS Interface Configuration dialog box

After you have configured the UPS service for your computer, you should test the configuration to ensure that your computer is protected from power failures. Disconnect the main power supply to simulate a power failure. During your test, the computer and the devices connected to the computer should remain operational. You should let the test run long enough for the UPS battery to reach a low level so that you can verify that an orderly shutdown occurs.

CAUTION Do not test your UPS on a production computer. You could lose valuable data. Use a spare computer for the test.

CONFIGURING USER PROFILES

Typically, the use of user profiles is considered part of user account management and does not extend beyond defining the user’s profile folder. We will cover user account management in Chapter 13, but here we will discuss how user profiles configure the user experience, including how roaming user profiles enable IntelliMirror technologies. IntelliMirror is a set of technologies that, taken together, provide a framework for managing the user experience. IntelliMirror technologies provide three main functions:

■ User data management A user profile contains files and folders that are stored locally on a computer (local user profiles) or remotely on the network (roaming user profiles). These files include the user’s Start menu, My Documents folder, desktop, and any registry settings that are specific to the user. Other folders and files might also be part of a user’s profile, as required by applications managed for the user.

■ User settings management Also stored in the user’s profile is a set of registry entries that configure user-specific settings for the user’s applications and system configuration preferences.

■ Software installation and maintenance Software installation and settings are managed by policies such as Active Directory Group Policy Objects or local computer policies that define which applications are installed for the user and the configuration settings those applications will have.

User profiles in IntelliMirror are specific to the user.

Local and Roaming User Profiles

There are two types of user profiles:

■ Local profile Windows XP Professional creates a local user profile the first time a user logs on to a computer and stores the profile on that computer.

■ Roaming profile If the domain administrator designates a user profile folder for a user, that user’s local profile is copied to the specified folder, making it available wherever she logs on. A roaming user profile is especially helpful because it follows the user around, setting up the same desktop environment no matter which computer the user logs on to in the domain.

The portability of the roaming user profile is the basis for the IntelliMirror experience.

NOTE A read-only roaming user profile is called a mandatory user profile. When the user logs off, Windows XP Professional does not save any changes made to the desktop environment during the session, so the next time the user logs on, the profile is exactly the same as the last time she logged on.

User Profile Storage Locations

On the local computer, user profiles are stored in the Documents And Settings folder tree on the boot partition (usually drive C). If you browse this folder hierarchy, you will see a folder for each user that contains such subfolders as Desktop, Start Menu, Favorites, and My Documents. If you save a file to one of these folders, it should show up on the appropriate menu or desktop for the user whose profile you are working with (Figure 5-24).

Figure 5-24 User profile folders

In addition to the user-specific folders, there is a folder for All Users. Placing a program shortcut in All Users\Desktop makes it available to all users of the computer you are working with. Similarly, an icon in All Users\Start Menu makes it available to each user on her Start menu.


CONFIGURING MULTIPLE LANGUAGES AND LOCATIONS

Windows XP can support many different language styles and regional options for currency, time, and even punctuation. To access regional options and language settings, in Control Panel click the Date, Time, Language, And Regional Options icon (Figure 5-25).

Figure 5-25 The Date, Time, Language, And Regional Options icon in Control Panel

You can manage date and time settings and number and date formats or add other languages. Choosing any option to format date and time or manage regional or language options launches the Regional And Language Options dialog box (Figure 5-26).

Figure 5-26 Configuring regional and language options

The Regional Options tab allows you to configure standards and formats for each language. For example, you can configure the format for displaying numbers, currency, time, and dates. If you have configured multiple locations, you can also choose your preferred location. Windows XP Professional has support for many locales including Galician, Gujarati, Kannada, Kyrgyz, Mongolian (Cyrillic), Punjabi, Divehi, Arabic (Syrian), and Telugu.

NOTE If some of the languages mentioned here do not appear on your system, you might need to add support for that type of language. Two check boxes are available in the Text Services And Input Languages dialog box. The first is Install Files For Complex Script And Right-To-Left Languages. These files are required for Arabic, Armenian, Georgian, Hebrew, Indic, Thai, and Vietnamese. The second is Install Files For East Asian Languages. These files are required for Chinese, Japanese, and Korean.

To configure multiple languages:

1. On the Languages tab of the Regional And Languages Options dialog box, click Details. The Text Services And Input Languages dialog box appears.
2. Click Add to open the Add Input Language dialog box (Figure 5-27).

Figure 5-27 The Text Services And Input Languages dialog box and the Add Input Language dialog box

3. To configure additional languages, scroll through the list of languages and select the one you want to add.

If you added at least one language to the one already installed on your computer, your computer now supports multiple languages. If you experience any problems with the way multiple languages or locales are working, double-check your settings. You can also try uninstalling the multiple-language support or multiple-locale support. Make sure everything is working correctly with only one language or locale, and then reconfigure and reinstall the multiple-language or multiple-locale support.


CONFIGURING ACCESSIBILITY OPTIONS

Windows XP Professional lets you configure accessibility options through the Accessibility Options icon in Control Panel.

Configuring Keyboard Options

To configure keyboard options, in Control Panel, click Accessibility Options. In the Accessibility Options window, click Accessibility Options to display the Accessibility Options dialog box. The Keyboard tab of the dialog box, shown in Figure 5-28, allows you to configure the keyboard options StickyKeys, FilterKeys, and ToggleKeys.

Figure 5-28 The Keyboard tab of the Accessibility Options dialog box

StickyKeys

Turning on StickyKeys allows you to press a multiple-key combination, such as CTRL+ALT+DELETE, one key at a time. This option is useful for people who have difficulty pushing more than one key at a time. This is a check box selection, so it is either on or off. You can configure StickyKeys by clicking Settings to open the Settings For StickyKeys dialog box (Figure 5-29). You can configure a shortcut key for StickyKeys. The default shortcut for turning on StickyKeys is pressing SHIFT five times. Two other options can also be configured for StickyKeys: Press Modifier Key Twice To Lock and Turn StickyKeys Off If Two Keys Are Pressed At Once. The modifier keys are CTRL, ALT, SHIFT, and the Windows logo key. If you select the modifier key option, pressing one of the modifier keys twice will cause that key to remain active until you press it again. If you choose to use the second option, StickyKeys is disabled if two keys are pressed simultaneously.

Figure 5-29 The Settings For StickyKeys dialog box

You can configure two notification settings for StickyKeys: Make Sounds When Modifier Key Is Pressed and Show StickyKeys Status On Screen. The first setting causes a sound to be made when any of the modifier keys—CTRL, ALT, SHIFT, or the Windows logo key—is pressed. The second notification setting causes a StickyKeys icon to be displayed in the taskbar when StickyKeys is turned on.

FilterKeys

The Keyboard tab also allows you to configure FilterKeys. Turning on FilterKeys causes the keyboard to ignore brief or repeated keystrokes. This option also allows you to configure the keyboard repeat rate, which is the rate at which a key continuously held down repeats the keystroke. This is a check box selection, so it is either on or off. You can configure FilterKeys by clicking Settings to open the Settings For FilterKeys dialog box (Figure 5-30). You can configure a shortcut key for FilterKeys. The default shortcut for turning on FilterKeys is holding down the RIGHT SHIFT key for eight seconds. Two other Filter options can also be configured for FilterKeys: Ignore Repeated Keystrokes and Ignore Quick Keystrokes And Slow Down The Repeat Rate. Ignore Repeated Keystrokes is inactive by default, and Ignore Quick Keystrokes And Slow Down The Repeat Rate is active by default. Only one of these two filter options can be active at a time. You configure them by clicking Settings.


Figure 5-30 The Settings For FilterKeys dialog box

Two Notification settings can be configured for FilterKeys: Beep When Keys Pressed Or Accepted and Show FilterKey Status On Screen. The first setting causes a beep when you press a key and another beep when the keystroke is accepted. The second option causes a FilterKeys icon to be displayed on the taskbar when FilterKeys is turned on. These settings are check boxes, so one of the settings, both of the settings (the default), or neither of the settings can be selected.

ToggleKeys

You can also configure ToggleKeys on the Keyboard tab. Turning on ToggleKeys causes the computer to make a high-pitched sound each time the CAPS LOCK, NUM LOCK, or SCROLL LOCK options are activated (with the appropriate key). Enabling ToggleKeys also causes the computer to make a low-pitched sound each time any of these options is deactivated. You can configure a shortcut key for ToggleKeys by clicking Settings. The default shortcut for turning on ToggleKeys is to hold down NUM LOCK for five seconds.

NOTE There is one more check box on the Keyboard tab: Show Extra Keyboard Help In Programs. When selected, it causes other Windows-based programs to display additional keyboard help if it is available.

Configuring Sound Options

The Sound tab of the Accessibility Options dialog box provides the Use Sound Sentry check box, which allows you to generate visual warnings when your computer makes a sound. The Sound tab also provides the Use ShowSounds check box, which allows you to configure Windows XP Professional programs to display captions for the speech and sounds they produce.

Configuring Display Options

The Display tab of the Accessibility Options dialog box provides a High Contrast check box, which allows you to use color and fonts designed for easy reading. You can click Settings to specify whether to use a shortcut, LEFT ALT+LEFT SHIFT+PRINT SCREEN, which is enabled by default. Clicking Settings also allows you to select a high-contrast appearance scheme. The Display tab also provides cursor options that allow you to set the blink rate and the width of the cursor.

Configuring Mouse Options

The Mouse tab of the Accessibility Options dialog box provides the Use MouseKeys check box, which allows you to control the pointer with the numeric keypad on your keyboard. You can click Settings to configure MouseKeys in the Settings For MouseKeys dialog box (Figure 5-31).

Figure 5-31 The Settings For MouseKeys dialog box

MouseKeys uses a shortcut, LEFT ALT+LEFT SHIFT+NUM LOCK, which is enabled by default. You can also configure the pointer speed and acceleration speed. There is even a check box, Hold Down Ctrl To Speed Up And Shift To Slow Down, that allows you to temporarily increase or decrease the mouse pointer speed when you are using MouseKeys. To speed up the mouse pointer movement, hold down CTRL while you press the numeric keypad directional keys. To slow down the mouse pointer movement, hold down SHIFT while you press the numeric keypad directional keys.


Configuring General Tab Options

The General tab of the Accessibility Options dialog box (Figure 5-32) allows you to configure Automatic Reset. This feature turns off all the accessibility features except the SerialKey devices after the computer has been idle for a specified amount of time.

Figure 5-32 The General tab of the Accessibility Options dialog box

The General tab includes the Notification feature, which allows you to produce a warning message when a feature is activated and to make a sound when turning a feature on or off. The General tab also allows you to activate the SerialKey Devices feature, which configures Windows XP Professional to support an alternative input device (also called an augmentative communication device) to your computer’s serial port. The Administrative Options feature provides two check boxes, Apply All Settings To Logon Desktop and Apply All Settings To Defaults For New Users, that allow you to apply all configured accessibility options to this user at logon and to apply all configured accessibility options to all new users.

OTHER ACCESSIBILITY TOOLS

In addition to display and sound options, two utilities are available that assist users who have visual impairments: the Magnifier and the Narrator.

The Magnifier

The Magnifier magnifies a portion of the screen to make it easier to read. It follows the mouse pointer and allows the user to control which text is magnified. Settings control the level of magnification.

The Narrator

The Narrator feature reads aloud system menus and dialog boxes. It can be used to help with system dialog box navigation and control.

NOTE Many of these accessibility options are limited in functionality but give you an idea of what is possible. More sophisticated tools exist, and you can get more information about them at the Microsoft Accessibility Web site at www.microsoft.com/enable.


SUMMARY

■ Windows XP supports a vast array of display technologies.

■ The Windows XP user experience can be tailored to support the preferences and needs of most users. Key to this is the ability to configure desktop preferences, the taskbar and Start menu, roaming user profiles, and accessibility options.

■ Windows XP includes sophisticated power management capabilities, including the ability to adapt power management preferences from a dedicated desktop PC to a low-power notebook computer. It includes support for low-power standby and hibernation and also includes the ability to communicate with uninterruptible power supplies for power-loss notification.

■ Windows XP supports roaming user profiles as part of its support for Microsoft’s IntelliMirror technologies. This support allows administrators to provide a consistent user experience on all configured desktops in an enterprise.

■ Windows XP includes accessibility settings to assist physically challenged users with system and application operation. Capabilities include keystroke assistance with StickyKeys, FilterKeys, and MouseKeys, text-to-speech functions such as the Narrator, and visual aids such as high-contrast colors and the Magnifier.

REVIEW QUESTIONS

1. A user is familiar with the layout of the Windows 2000 Start menu. How can you configure Windows XP to enable this user to be more at home in Windows XP? (Choose two answers.)
   a. Enable Windows 95 application compatibility mode
   b. Enable the Windows Classic desktop theme
   c. Enable the Windows Classic Start menu setting
   d. Enable the legacy menu setting in Windows Explorer

2. You are configuring multiple-monitor support on a laptop computer with a docking station. The computer has an internal AGP display adapter and a PCI display adapter in the docking station. When you dock the computer, it does not enable multiple-monitor support. How do you enable multiple monitors for this computer?
   a. Configure the laptop’s BIOS to enable the on-board display.
   b. Click Extend The Desktop Onto This Display on the Settings tab of the Display Properties dialog box.
   c. Add an additional display adapter to the docking station.
   d. Switch the laptop to its outboard display port.

3. You are attempting to add an icon to the desktop for all users of a computer. How do you do this?
   a. Add the icon to C:\Documents and Settings\All Users\Start Menu.
   b. Add the icon to C:\Documents and Settings\\Start Menu for each user.
   c. Add the icon to C:\Documents and Settings\All Users\Desktop.
   d. Add the icon to C:\Documents and Settings\\Desktop for each user.

4. You have sustained an injury to your right arm, which will be in a sling for a time. How can you perform keystroke combinations such as CTRL+ALT+DEL without the use of your right hand?
   a. Enable FilterKeys
   b. Enable MouseKeys
   c. Enable OptionKeys
   d. Enable StickyKeys

5. You are attempting to configure Advanced Power Management settings on your computer, but you cannot locate the Configuration tab. What is the problem?
   a. You must log on as Administrator.
   b. APM is not enabled. On the View tab of the Folder Options dialog box (available from the Tools menu in Windows Explorer), select the checkbox next to Enable APM Configuration Settings.
   c. You are looking in the wrong place. Locate the Advanced Power Management icon in Control Panel.
   d. Your system may support Advanced Configuration and Power Interface (ACPI). Check to see whether your system supports ACPI.


6. You are configuring a system for a bilingual text newsletter, which is published in English and Punjabi (an Indic language). How do you enable these two languages to be used? (Choose all correct answers.)
   a. In the Text Services And Input Languages dialog box, add Punjabi.
   b. In the Regional And Language Options dialog box, select English.
   c. On the Languages tab of the Regional And Language Options dialog box, select the Install Files For Complex Script And Right-To-Left Languages (Including Thai) check box.
   d. On the Languages tab of the Regional And Language Options dialog box, select the Install Files For East Asian Languages check box.

CASE SCENARIOS

Scenario 5-1: Time for Hibernation

You are configuring a computer to hibernate when it has been idle for an extended period of time. The computer has the following features and statistics:

■ Supports Advanced Configuration and Power Interface (ACPI)
■ 768 MB of free disk space
■ Windows XP Professional with Service Pack 2
■ Uninterruptible power supply with capacity to operate computer for 25 minutes
■ 1 GB of physical RAM

Can this computer be configured to hibernate? If not, how can you enable it to hibernate?

Scenario 5-2: Power Problems

A user is attempting to connect the signal cable from a new uninterruptible power supply to a computer that was previously connected to a UPS. He reports that the computer immediately initiates a shutdown whenever the cable is connected. What is most likely causing this behavior? How can you configure Windows XP to eliminate this problem?

CHAPTER 6

CONFIGURING AND MANAGING PRINTERS AND FAX DEVICES

Upon completion of this chapter, you will be able to:
■ Connect to local and network print devices
■ Manage printers and fax devices
■ Manage print jobs
■ Control access to printers
■ Connect to an Internet printer

In Chapter 4, you learned how to install and manage hardware devices. In this chapter, we will focus on two specific types of devices: printers and fax devices. Desktop publishing has long been a principal use of personal computers. Programs such as Aldus (now Adobe) PageMaker and Quark XPress set type for newspapers and magazines, books, and newsletters. The PostScript printing language allowed these programs to produce output similar, if not identical, in quality to standard typography. As adoption of personal computers increased, businesses began to use them to produce daily reports and colorful charts. Laser and inkjet printers, rather than expensive typesetting equipment, now produce the vast majority of today’s printed material. In this chapter, you will learn how to connect, configure, and manage printers and fax devices. You’ll learn how to manage print jobs and control access to printers using permissions. Finally, we’ll discuss connecting to remote printers using the Internet.


INTRODUCTION TO WINDOWS XP PROFESSIONAL PRINTING

With Microsoft Windows XP Professional, you can share printing resources across an entire network and administer printing from a central location. You can easily set up printing on client computers running Windows XP, Windows 2000 Professional, Windows NT 4, Windows Me, Windows 98, and Windows 95.

Terminology

Before you set up printing, you should be familiar with Windows XP Professional printing terminology to understand how the different components fit together (Figure 6-1).

Figure 6-1 Printing terminology (diagram labels: printer driver, local print device, network interface print device, print server)





■ Print Device A hardware device that puts text or images on paper or on other print media. Windows XP Professional supports the following print devices:
   ❑ Local print devices, which are connected to a physical port on the local computer.
   ❑ Network interface print devices, which are connected to a print server through the network instead of a physical port. Network interface print devices require their own network interface cards and have their own network address, or else they are attached to an external network adapter.

■ Printer The software interface through which a computer communicates with a print device. Windows XP Professional supports the following interfaces: line printer (LPT), COM, universal serial bus (USB), IEEE 1394 (FireWire), Infrared Data Access (IrDA), Bluetooth, and network-attached devices such as the HP JetDirect and Intel NetPort or network printing services such as LPR, standard TCP ports, and Internet Printing Protocol (IPP).

NOTE Windows XP Professional treats a FireWire card as a network connectivity device as well as a peripheral connectivity device. FireWire is used to connect digital camcorders, scanners, and other high-bandwidth devices to computers.

■ Print server The computer that manages one or more printers on a network. The print server receives and processes documents from client computers, and prints them on locally attached or network print devices.

■ Printer driver One file or a set of files containing information that Windows XP Professional requires to convert print commands into a specific printer language, such as Adobe PostScript. This conversion makes it possible for a print device to print a document. A printer driver is specific to each print device model and can support printing to that print device over a wide variety of port types.

ADDING A LOCAL PRINTER

Many Windows XP systems use print devices connected directly to the system. These print devices use a variety of interfaces: parallel ports, USB ports, FireWire ports, and most recently Bluetooth. The Add Printer Wizard progresses through the following steps to help you add a printer:

NOTE You must be a member of the local Administrators or Power Users security group to install and manage printers.

■ Local or Network Printer Specify whether the printer you are installing is locally attached to a hardware port on your system or attached to a point on the network. Locally attached printers can also be detected through Plug and Play (PnP). Your system scans its ports for a print device and helps automate device driver selection (Figure 6-2).

Figure 6-2 Local or Network printer page of the Add Printer Wizard


NOTE If you have a PnP-compatible print device that connects through a USB port, an IEEE 1394 interface, or any other port (such as IrDA or Bluetooth) that supports automatic detection of devices, you do not need to use the Add Printer Wizard. Simply plug the printer cable into your computer and bring the device within range, or point the printer toward your computer’s infrared port and turn on the print device. Windows then installs the printer for you.

■ Select a Printer Port If you do not choose to use PnP, the Select A Printer Port page is presented (Figure 6-3). Choose the port to which you have connected your print device.

Figure 6-3 The Select A Printer Port page

■ Install Printer Software Select the printer driver software (Figure 6-4). If the driver for your print device is not listed, you can provide a manufacturer’s driver by selecting Have Disk.

Figure 6-4 Install Printer Software page


NOTE If you use PnP to detect your print device, the wizard will usually skip the Select A Printer Port page and Install Printer Software page. The exception to this is when PnP fails to detect the device or cannot find the driver software.

■ Name Your Printer Enter a descriptive name for your printer (Figure 6-5). You can also specify whether the printer is to be the default printer for applications on your system.

Figure 6-5 The Name Your Printer page

■ Printer Sharing Specify whether to share this printer with other systems on the network (Figure 6-6). Doing so makes your system a print server. If you choose to share the printer, you can enter information about the printer in the Location And Comment page.

Figure 6-6 The Printer Sharing page configured to share a printer




■ Print Test Page Specify whether to print a Windows test page from your newly installed print device to verify that the printer is properly configured (Figure 6-7).

Figure 6-7 The Print Test Page page

■ Completing The Add Printer Wizard This page (Figure 6-8) details all the configuration settings you have chosen for this printer. If everything is correct, you can click Finish and the printer will be installed. Windows will copy the chosen printer driver to your system, share the printer (if directed), and print the test page (if selected).

Figure 6-8 Completing The Add Printer Wizard page

ADDING A PRINTER CONNECTED TO A PRINT SERVER

Most organizations use print servers to manage printing. Print servers allow you to control who prints to which device and manage documents sent to the server. Documents can be spooled to a print queue, which allows management of printing priority, queuing of large documents on the server instead of the client to improve performance, and reprinting of failed documents. We will discuss using Windows XP as a print server later in this chapter; for now, we will concentrate on configuring Windows XP as a client.

Types of Print Servers

In addition to Windows Server operating systems, an organization can use Novell NetWare or UNIX/Linux to manage printing or use a dedicated print serving device to manage print spools. We will discuss these in turn, beginning with Windows servers.

Windows Server Operating Systems

The most widely used print servers today are based on Windows Server operating systems. Windows 2000 Server and Windows Server 2003 can manage many print devices simultaneously and manage hundreds of print jobs on different printers attached to these devices.

IMPORTANT Pay close attention to the terminology in use here. A printer is actually a print queue attached to a print device. With Windows Server, you can create multiple printers that use the same device. Thus administrators can control access to the device by specifying groups of users, giving different groups different priority, and even allowing access at different times of day.

Windows 2000 Server and Windows Server 2003 can also advertise their printers in Active Directory. Users can then browse or search for a device that can print their particular job. They can search by location, speed, resolution, type of paper, duplexing or stapling capability, or even whether the device can print color output. They can simply connect to the desired printer, and it becomes available for their use (assuming, of course, that they have permission to use it!).

NetWare Print Servers

Novell NetWare can also provide print server functionality. This network operating system can manage print devices in queues and can provide access to Windows XP systems either as an LPD server or through the use of Client Services for NetWare (an optional Windows XP networking client). Novell also provides its own Windows XP client, but its setup and configuration are beyond the scope of this course.

MORE INFO To learn more about installing and using Client Services for NetWare, see the Windows XP Professional Resource Kit, Second Edition (ISBN 0-7356-1974-3) from Microsoft Learning.


UNIX/Linux Print Servers

Printers that are on print servers running on UNIX or Linux and running the Samba server service can be advertised in Active Directory. Samba allows these servers to function as member servers in the Active Directory domain. Clients can browse and connect to these printers as if the printers were on Windows servers.

Connecting to a Printer on a Windows Print Server

There are many ways to connect to a printer on a Windows Server:

■ Add Printer Wizard  You can use this wizard to connect to a network printer on a Windows Server. On the Select A Printer Port page, select A Network Printer, Or A Printer Attached To Another Computer to get to the Specify A Printer page (Figure 6-9).

Figure 6-9 The Specify A Printer page of the Add Printer Wizard

This page allows you to enter the printer address, if you know it, or browse for it in Active Directory (as shown later in Figure 6-10). By selecting criteria for your search, you can find printers that have the features you require for your job.

NOTE  If you are using a computer that is not a member of an Active Directory domain, the Specify A Printer page will show Browse For A Printer instead of Find A Printer In The Directory.

■ Connect option  In My Network Places, you can locate a printer, right-click its icon, and select Connect. If you have permission to use the printer, it will be installed on your system.

CHAPTER 6: CONFIGURING AND MANAGING PRINTERS AND FAX DEVICES

■ NET USE command  Windows computers can use the following command to connect to a network printer, where x is the number of the printer port you want to designate for this printer, server_name is the name of the print server hosting the printer, and printer_name is the name of the printer you want to use:

net use lptx: \\server_name\printer_name

Using the Search Assistant to Find a Printer

You can search for printers in Active Directory when you are logged on to an Active Directory domain by using the Search Assistant. On the Start menu, click Search. In the Search Assistant, click Printers, Computers, Or People and then choose Find Printers to open the Find Printers dialog box. The dialog box has three tabs to help you locate a printer (Figure 6-10).

Figure 6-10 Finding a printer in Active Directory



■ Printers tab  Allows you to search for specific information, such as the name, location, and model of the printer.

■ Features tab  Allows you to select from a prepared list of additional search options, such as whether the printer can print double-sided copies or print at a specific resolution.

■ Advanced tab  Allows you to use custom fields and Boolean operators to define complex searches, such as searches on printers that support collation and a specific printer language (such as PostScript).

If you want to search for all available printers, you can leave all search criteria blank and click Find Now. All of the printers in the domain are listed. You can then connect to the printer of your choice. Locate a printer and make a connection to it by double-clicking it or by right-clicking it and then selecting Connect.


NOTE  The Find Printers feature is not available in the Search Assistant unless you are logged on to an Active Directory domain. If you are using a standalone computer that is in a workgroup, the Find Printers feature is not available.

ADDING A NETWORK INTERFACE PRINTER

Connecting to and installing a network interface printer is similar to installing a local printer. The principal difference is in the selection of the port. A network interface printer uses a network interface device to provide connectivity and is accessed as if it were locally attached.

Standard TCP/IP Port

You can access a network interface printer as a local port by selecting Standard TCP/IP Port or (if Print Services for UNIX is installed) LPR Port. Selecting Standard TCP/IP Port launches the Standard TCP/IP Printer Port Wizard, which guides you through the steps necessary to connect to a TCP/IP print server. You enter the name or IP address of the print device (Figure 6-11). The wizard scans the address and attempts to determine what type of device it is communicating with. If it cannot determine the device type or the device is not responding, the wizard presents the Additional Port Information Required page (Figure 6-12), where you can manually select the device type from a drop-down list. In addition, you can configure a custom device if you know its settings.

Figure 6-11 Selecting a standard TCP/IP port

If the device has more than one available port, the wizard prompts you to select the correct port on the device.


Figure 6-12 The Additional Port Information Required page

The wizard completes and exits. If the port was installed as part of the Add Printer Wizard, you are presented with the Install Printer Software window and installation proceeds as for a local printer.

LPR Port

If Print Services for UNIX is installed on your system (discussed in more detail later), you can connect to UNIX LPD servers as a client, using the LPR port. UNIX and Linux systems traditionally use the Line Printer Daemon (LPD) service to share printers with other UNIX/Linux systems. This service opens a port to the network and listens for print commands. The Line Printer Remote (LPR) service is the client portion of the LPD/LPR service pair. It connects to the LPD service over the network and sends the print commands to the print device attached to the LPD system.

NOTE  Microsoft’s Print Services for UNIX allows you to make your computer an LPD server and also an LPR client.

To connect to an LPR port:

1. On the Select A Printer Port page of the Add Printer Wizard (Figure 6-13), select the LPR port. This opens a dialog box that asks for the name or address of the LPD server and the name of the printer queue on the remote system (Figure 6-14).



Figure 6-13 Selecting an LPR port


Figure 6-14 Configuring an LPR port

NOTE  If the LPR Port selection is not available, you must install Print Services for UNIX. This is an additional network service available in Add/Remove Programs under Windows Components.

2. Enter the address and queue name, and click OK. The dialog box is closed, and installation of the printer continues as a local printer with the Install Printer Software page.

NOTE  It is technically possible to use the Standard TCP/IP Printer Port Wizard to configure an LPR port, but it is recommended that you use Print Services for UNIX and its LPR port option when connecting to an actual LPD server.

CONNECTING TO AN INTERNET PRINTER

Windows XP can also connect to printers using Internet Printing Protocol (IPP). This protocol transmits print commands to IPP-enabled Web servers by encapsulating them within Hypertext Transfer Protocol (HTTP). All that is required to print in this manner is the Uniform Resource Locator (URL) of the Internet print server and permission to print there. For an example of an Internet printer URL, see Figure 6-15.

How Internet Printing Works

Windows Internet printing relies on the services of a Microsoft Internet Information Services (IIS) server. This server can authenticate clients, accept print jobs from them, and print the jobs locally using one of its connected print devices. When IIS is installed on a Windows XP Web server, it creates the /printers virtual folder to manage the IPP feature. You can manage this folder like any other in IIS; the site administrator can also require authentication before allowing access to it.

NOTE  Microsoft’s IIS Lockdown tool for securing Web servers disables Internet printing by default. If you intend to use Internet printing, you must configure IIS Lockdown to override this disabling action. For more information, see Microsoft Knowledge Base article 325864, “How to Install and Use the IIS Lockdown Tool.”

To add an Internet printer using the Add Printer Wizard:

1. Enter the URL for the server in the Add Printer Wizard (Figure 6-15). The server authenticates the client in accordance with the authentication type defined for the /printers folder. This can be anonymous access, Integrated Windows authentication, or Basic (clear text) authentication.


Figure 6-15 Entering the URL for Internet printing


2. If you have permission to print, the server packages a driver into a cabinet (.cab) file and sends it to you. Windows automatically installs the driver as it completes the Add Printers Wizard. You can now print to the Internet printing server.

Windows computers that have Internet printing enabled provide access to the printers via a Web page on the server. You can access this page by entering http:// /printers in your Web browser address bar. On this page, you can browse printers, view their properties, select a printer that supports the type of print job you want to send, and manage print jobs.

To connect to a printer using the /printers Web page:

1. Connect to the /printers site (Figure 6-16) and select a printer.


Figure 6-16 Connecting to /printers

2. Click Connect to install the printer. Windows verifies that you intend to install this printer (Figure 6-17).


Figure 6-17 Confirming installation of an Internet printer

3. The server packages a driver and sends it to the client (Figure 6-18).


Figure 6-18 Installing an Internet printer

4. After installation, the printer appears in Printers and Faxes as an Internet printer. Note the address in Figure 6-19.


Figure 6-19 An installed Internet printer

USING WINDOWS XP AS A PRINT SERVER

Windows XP can operate as a print server by simply sharing printers with network users. Using the full power of the print-sharing features, however, requires careful planning and implementation. In this section, we will discuss planning and configuring print serving, including managing permissions, schedules, and printer priorities. You will learn how to manage print jobs and troubleshoot printing problems.


Requirements for Network Print Services

Careful planning is required before you share printers on the network. The requirements for setting up print serving on a network include:

■ At least one computer to operate as the print server  If the print server will manage many heavily used printers, Microsoft recommends a dedicated print server. The computer can run either of the following:

  ❑ Windows 2000 Server or Windows Server 2003; these operating systems can handle a large number of connections and support Apple Macintosh, UNIX/Linux, and Novell NetWare clients.

  ❑ Windows XP Professional, which is limited to 10 concurrent connections from other computers for file and print services. It does not support Macintosh computers or NetWare clients but does support UNIX computers.

■ Sufficient random access memory (RAM)  If a print server will manage a large number of printers or many large documents, the server might require additional RAM beyond what Windows XP Professional or Windows Server 2003 requires for other tasks. If a print server does not have sufficient RAM for its workload, printing performance will deteriorate.

■ Sufficient disk space on the print server  Enough disk space on the print server is required to ensure that the print server can store documents sent to it until it sends the documents to the print device. This is critical when documents are large or likely to accumulate. For example, if 10 users send large documents to print at the same time, the print server must have enough disk space to hold all of the documents until it can send them to the print device. If there is not enough space to hold all of the documents, users will get error messages and will be unable to print until the printing load subsides.

Planning for Print Serving

Before you set up network printing, develop a network-wide printing strategy to meet users’ printing needs without unnecessary duplication of resources or delays in printing. Some items to consider while planning a print server installation include:

■ Determine users’ printing requirements  Determine the number of users who will print, the printer features they will need, and the printing workload. For example, people in a billing department who continually print invoices and envelopes will have a larger printing workload and might require more printers with more paper options and more print servers than software developers who do all their work on the Internet and rarely print.

■ Determine the company’s printing requirements  The printing needs of your company will include the number and types of printers required. Consider the type of output that each printer will handle. What print speed or special features will be required to support all your users? Also consider the reliability of the printer you are considering. Can it handle the workload? Don’t use a personal printer for network printing.

■ Determine the number of print servers required  This will be the number of print servers needed to handle the number and types of printers that your network will employ. Print servers can spool a certain number of documents before performance degrades. You might have to consider the size and quantity of documents your users produce. Will one server be up to the task, or do you need additional servers?

■ Determine where to locate printers  Printers should be in a location where users can easily pick up their printed documents.

Sharing Printers During Installation

You can share printers during installation by choosing the appropriate configuration setting in the Add Printers Wizard:

1. On the Printer Sharing page of the Add Printer Wizard, enter a Share Name and click Next. You can assign a shared printer name even though you already supplied a printer name. The shared printer name identifies a printer on the network and must conform to a naming convention. This name can differ from the printer name that you entered previously.

2. The wizard displays the Location And Comment page. Enter descriptive information about the printer and its location. This information provides a more detailed description of the printer.

NOTE  If the computer running Windows XP Professional is part of a domain, Windows displays the values that you enter on the Location And Comment page when a user searches Active Directory for a printer. Entering this information is optional, but it can help users locate the printer more easily.


3. The rest of the installation proceeds normally. When you complete the wizard, the printer is installed and shared.

IMPORTANT  Sharing printers using the Add Printers Wizard makes them available to all network users. To manage permissions on the printer, you must use the printer’s Properties dialog box. (Right-click the printer in the Printers folder, and select Properties.)

Sharing an Existing Printer

If the printing demands on your network increase and your system has an existing, nonshared printer, you can share that printer so users can use it. When you share a printer, you assign the printer a share name, which appears in My Network Places. Use an intuitive name to help users when they browse for a printer. You can also add printer drivers for other versions of Windows XP, Windows 2000, Windows NT, Windows 98, and Windows 95. To share an existing printer, take the following steps:

1. In Printers and Faxes, right-click the icon for the printer you want to share, and then choose Sharing.

2. On the Sharing tab of the printer’s Properties dialog box (Figure 6-20), click Share This Printer.


Figure 6-20 Sharing an existing printer

3. In the Share Name text box, type a share name and then click OK. Windows XP Professional puts an open hand under the printer icon, indicating that the printer is shared.


Installing Additional Print Drivers

After you share a printer, you can install additional print drivers to allow users of other operating systems to access and print to the print device. You do this by using the Additional Drivers dialog box, which is accessed via the Sharing tab of the printer’s Properties dialog box (Figure 6-21).

Figure 6-21 Installing additional drivers

When you specify additional drivers, Windows XP asks for a disk containing the drivers. These drivers must be native Windows drivers. They do not have to be the ones packaged with Windows (although that helps), but they should conform to the Windows driver model. These drivers will include an .inf file that contains specific information about the driver. Third-party drivers that install from executable programs will not be recognized or installed. After installation, the new drivers are stored on the print server computer and, when a client specified under Alternate Drivers connects to the server, the driver is automatically provided to the client instead of the Windows XP driver.

NOTE  Windows 95, Windows 98, and Windows Me systems do not automatically download drivers. When a user connects to a printer with one of these systems, the client operating system launches its Add Printers Wizard to manage the installation of drivers.

Creating Printer Pools

A printer pool consists of two or more printers that are connected to one print server and act as a single printer. The printers can be local or network interface printers. Although the printers should be identical, you can use printers that are not identical but use the same printer driver. In this scenario, you can only support print features that are supported by the common print driver. After you install a printer, you can create a printer pool using the Ports tab of the Properties dialog box for that printer. Select the Enable Printer Pooling check box, and select additional ports on the printer server (Figure 6-22).

Figure 6-22 Enabling printer pooling

When you create a printer pool, users can print documents without checking which printer is available. The document prints to the first available printer in the printing pool. A printing pool offers the following advantages:

■ In a network with a high volume of printing, it decreases the time that documents wait on the print server.

■ It simplifies administration because you can administer multiple printers simultaneously.

Before you create a printer pool, be sure to connect the printers to the print server. Then take the following steps:

1. On the Ports tab of the printer’s Properties dialog box, select the Enable Printer Pooling check box. This enables pooling of the printers and allows you to select multiple printer ports.

2. Select the check box for each port to which a printer that you want to add to the pool is connected.

IMPORTANT  When you set up a printer pool, place the printers in the same physical area so users can easily retrieve their documents.


Managing Printer Permissions

Windows XP Professional allows you to control printer usage and administration by assigning permissions. With printer permissions, you can control who can use a printer. You can also assign printer permissions to control who can administer a printer and the level of administration, which can include managing printers and managing documents. For security reasons, you might need to limit user access to certain printers. You can also use printer permissions to delegate responsibility for specific printers to users who are not administrators. Windows XP Professional provides three levels of printer permissions: Print, Manage Documents, and Manage Printers. Table 6-1 lists the capabilities of each level of permission.

Table 6-1  Printing Capabilities of Windows XP Professional Printer Permissions

Capabilities                                                   Print   Manage Documents   Manage Printers
Print documents                                                  ✓            ✓                  ✓
Pause, resume, restart, and cancel the user’s own document       ✓            ✓                  ✓
Connect to a printer                                             ✓            ✓                  ✓
Control job settings for all documents                                        ✓                  ✓
Pause, resume, restart, and cancel all other users’ documents                 ✓                  ✓
Cancel all documents                                                                             ✓
Share a printer                                                                                  ✓
Change printer properties                                                                        ✓
Delete a printer                                                                                 ✓
Change printer permissions                                                                       ✓

You can allow or deny these levels of printer permissions. Denied permissions always override allowed permissions. For example, if you select the Deny check box next to Manage Documents for the Everyone group, no one can manage documents, even if you grant this permission to another user account or group. This is because all user accounts (including Administrators) are members of the Everyone group.
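The permission rules above (three levels, evaluation against every principal an account belongs to, Deny overriding Allow) as a small model you can run. This is an added example, not code from the book; the accounts, groups and access control lists are constructed, and the way a Deny is modelled is an assumption stated in the comments.

```python
"""Model of the Windows XP Professional printer permission rules: the three
permission levels of Table 6-1, access checks against every principal an
account belongs to (Everyone included), and Deny overriding Allow.

Added example, not code from the book. Accounts, groups and ACLs below are
constructed sample data."""
from dataclasses import dataclass

# Capabilities from Table 6-1, grouped by the level that first grants them.
PRINT_CAPS = {
    "print documents",
    "pause, resume, restart, and cancel own document",
    "connect to a printer",
}
DOCUMENT_CAPS = {
    "control job settings for all documents",
    "pause, resume, restart, and cancel other users' documents",
}
PRINTER_CAPS = {
    "cancel all documents",
    "share a printer",
    "change printer properties",
    "delete a printer",
    "change printer permissions",
}

# What an Allow entry grants: the columns of Table 6-1.
ALLOWS = {
    "Print": PRINT_CAPS,
    "Manage Documents": PRINT_CAPS | DOCUMENT_CAPS,
    "Manage Printers": PRINT_CAPS | DOCUMENT_CAPS | PRINTER_CAPS,
}
# What a Deny entry withholds. Assumption of this model: a Deny removes the
# capability group its level introduces (a simplification of the spooler's
# underlying access-right bits).
DENIES = {
    "Print": PRINT_CAPS,
    "Manage Documents": DOCUMENT_CAPS,
    "Manage Printers": PRINTER_CAPS,
}


@dataclass(frozen=True)
class Ace:
    """One entry on the Security tab: principal, permission level, Allow/Deny."""
    principal: str
    level: str
    allow: bool


def principals_for(user, groups):
    """Principals an access check considers: the account, its groups, and
    Everyone, which every account (Administrators included) belongs to."""
    return {user, "Everyone"} | set(groups.get(user, ()))


def effective_capabilities(user, acl, groups):
    """Allowed capabilities minus denied ones; one matching Deny entry beats
    any number of Allow entries."""
    mine = principals_for(user, groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal not in mine:
            continue
        if ace.allow:
            allowed |= ALLOWS[ace.level]
        else:
            denied |= DENIES[ace.level]
    return allowed - denied


def can(user, capability, acl, groups):
    return capability in effective_capabilities(user, acl, groups)


def who_can(capability, acl, groups):
    """Audit helper: which known accounts end up with a capability."""
    return sorted(u for u in groups if can(u, capability, acl, groups))


# Constructed sample accounts (hypothetical names) and group memberships.
GROUPS = {
    "alice": ("Administrators",),
    "bob": ("HelpDesk",),
    "carol": (),
}

# Constructed ACL modelled on the defaults: Everyone may print,
# Administrators manage the printer.
DEFAULT_ACL = (
    Ace("Everyone", "Print", allow=True),
    Ace("Administrators", "Manage Printers", allow=True),
)
# Delegating document management to a non-administrator group...
DELEGATED_ACL = DEFAULT_ACL + (Ace("HelpDesk", "Manage Documents", allow=True),)
# ...and the Deny from the text, which reaches Administrators too via Everyone.
DENY_ACL = DELEGATED_ACL + (Ace("Everyone", "Manage Documents", allow=False),)

OTHERS = "pause, resume, restart, and cancel other users' documents"

if __name__ == "__main__":
    print("delegated:", who_can(OTHERS, DELEGATED_ACL, GROUPS))  # ['alice', 'bob']
    print("with deny:", who_can(OTHERS, DENY_ACL, GROUPS))       # []
    print("still print:", who_can("print documents", DENY_ACL, GROUPS))
```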


Assigning Printer Permissions

By default, Windows XP Professional assigns Print permission for each printer to the built-in Everyone group, allowing all users to send documents to the printer. You can also assign printer permissions to users or groups. (See Figure 6-23.)

Figure 6-23 Assigning printer permissions

To assign printer permissions, take the following steps:

1. In the Printers and Faxes window, right-click the appropriate printer icon, and then choose Properties to open the printer’s Properties dialog box.

2. Click the Security tab, and then click Add.

NOTE  If the computer running Windows XP Professional is in a workgroup environment and you do not have a Security tab in your printer’s Properties dialog box, close the Properties dialog box. In Explorer, on the Tools menu, click Folder Options and click the View tab. Clear the Use Simple File Sharing (Recommended) check box, and then display your printer’s Properties dialog box.

3. In the Select Users, Groups, Or Computers dialog box, enter the appropriate user account or group, and then click Add. Repeat this step for all users or groups you want to add. Click OK. If you do not remember the exact user or group name, you can use the Advanced button to launch an advanced version of the Select Users, Groups, Or Computers dialog box. This dialog box allows you to search Active Directory for users and groups that meet certain criteria.

4. Select the new user account or group. In the bottom part of the dialog box, click the permissions you want to assign.


NOTE  It might occasionally be necessary to assign advanced permissions to a user. To do this, click Advanced and assign additional printer permissions that do not fit into the predefined permissions on the Security tab. This is not normally required and is done only for very specific purposes by an experienced administrator.

5. Click OK to close the Properties dialog box.

Modifying Printer Permissions

You can change the default printer permissions in Windows XP Professional or the printer permissions that you previously assigned for any user or group. To do this, simply make the appropriate changes on the Security tab in the printer’s Properties dialog box.

Managing Printer Priority

Let’s say you are in an organization where some users (such as executives or members of a high-priority support team) need to have their documents print before those of other users. Whatever the reason, you need to find a way to ensure that their documents move to the head of the line. By assigning priorities to printers, you can ensure that some users’ documents print before those of users with lower priority. To make this work, you need to add two or more printers for each print device. Each printer receives a priority relative to the others, with users requiring the higher priority using the high-priority printer. Printer priorities range from 1 (the lowest) to 99 (the highest). Users’ ability to print to the high-priority printer is controlled through the use of permissions.

To set priorities among printers:

1. Add a printer and share it.

2. Add a second printer and point it to the same print device or port. The port can be a physical port on the print server or a port that points to a network interface print device.

3. Set a different priority for each printer pointing to the print device. Have different groups of users print to different printers, or have users send different types of documents to each printer. For example, User1 sends documents to a printer with the lowest priority, 1, and User2 sends documents to a printer with the highest priority, 99. In this example, User2’s documents always print before User1’s.

Printer priority is managed on the Advanced tab of the printer’s Properties dialog box (Figure 6-24).


Figure 6-24 Managing printer priority

Scheduling Printers

Suppose you have a user who prints many large documents that require other users to wait for extended periods for their own documents to print. If there is no urgency for these documents to be printed during business hours, you can create a printer that directs documents to the same print device but restricts the times the device is available to the printer. The user can send large documents to the printer all day long, but they will begin to print only after business hours.

To create a scheduled printer:

1. Create a second printer connected to the same print device.

2. On the Advanced tab of the printer’s Properties dialog box, configure a schedule for when the printer will be available (Figure 6-25).


Figure 6-25 Creating a printer schedule
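How the priority and schedule settings of the two preceding sections combine when several printers point at one print device, as an added simulation that is not code from the book. The printer names, priorities, availability window and queued jobs are constructed sample data; the assumed tie-break between equal priorities is submission order.

```python
"""Spooler model for one print device with several printers (queues) pointing
at it, each with a priority (1 = lowest, 99 = highest) and an optional
availability window from the Advanced tab.

Added example, not code from the book; printers, jobs and clock times are
constructed sample data."""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass
class Printer:
    name: str
    priority: int = 1                        # Advanced tab: 1..99
    available_from: Optional[time] = None    # None: always available
    available_until: Optional[time] = None

    def __post_init__(self):
        if not 1 <= self.priority <= 99:
            raise ValueError(f"priority {self.priority} outside 1..99")
        if (self.available_from is None) != (self.available_until is None):
            raise ValueError("a schedule needs both a start and an end time")

    def is_available(self, now: time) -> bool:
        """True if this printer may send jobs to the device at `now`."""
        if self.available_from is None:
            return True
        start, end = self.available_from, self.available_until
        if start <= end:
            return start <= now < end
        # Window that crosses midnight, e.g. 18:00 until 06:00.
        return now >= start or now < end


@dataclass(frozen=True)
class Job:
    seq: int        # submission order on the print server
    owner: str
    printer: str    # the printer (queue) the user printed to


def next_job(printers, jobs, now):
    """The job the device takes next: highest printer priority among printers
    available at `now`; equal priorities fall back to submission order
    (assumed tie-break)."""
    ready = [j for j in jobs if printers[j.printer].is_available(now)]
    if not ready:
        return None
    return min(ready, key=lambda j: (-printers[j.printer].priority, j.seq))


def drain(printers, jobs, now):
    """Order (by seq) in which queued jobs would print if the clock stayed at
    `now`; jobs whose printer is outside its window are left waiting."""
    pending = list(jobs)
    order = []
    while (job := next_job(printers, pending, now)) is not None:
        pending.remove(job)
        order.append(job.seq)
    return order


# Constructed sample: three printers on the same port, plus queued jobs.
PRINTERS = {p.name: p for p in (
    Printer("Staff", priority=1),
    Printer("Executives", priority=99),
    Printer("Overnight", priority=1,
            available_from=time(18, 0), available_until=time(6, 0)),
)}
JOBS = (
    Job(1, "User1", "Staff"),
    Job(2, "User3", "Overnight"),
    Job(3, "User2", "Executives"),
    Job(4, "User1", "Staff"),
)


def order_at(hour, minute=0):
    """Print order of the sample jobs at a given clock time."""
    return drain(PRINTERS, JOBS, time(hour, minute))


if __name__ == "__main__":
    print("10:00 ->", order_at(10))   # [3, 1, 4]: Overnight job waits
    print("22:00 ->", order_at(22))   # [3, 1, 2, 4]
```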


MANAGING PRINTERS

In addition to adding and removing printers and print devices for your systems, managing printers also involves assigning forms to paper trays and setting separator pages. Also, you can pause, resume, and cancel a document if a problem occurs on a printer. If a print device is faulty or you add printers to your network, you might need to redirect documents to a different printer. You might also need to change which users have administrative responsibility for printers, which involves changing ownership.

Assigning Forms to Paper Trays

If a printer has multiple trays that regularly hold different paper sizes, you can assign a form to a specific tray. A form defines a paper size. Users can then select the paper size from within their application. When the user prints, Windows XP Professional routes the print job to the tray that holds the correct form. Examples of forms include Legal, A4, Envelopes #10, and Letter Small. You make paper tray assignments by selecting the appropriate form for each paper tray on the Device Settings tab of the printer’s Properties dialog box (Figure 6-26).

Figure 6-26 Assigning forms to paper trays

After you set up a paper tray, users specify the paper size from within their Windows-based applications. Windows XP Professional then uses the paper tray configurations to determine which paper tray holds the form.


Setting a Separator Page

A separator page is a file that contains print device commands. Separator pages have two functions:

■ To identify and separate printed documents  Users might be better able to identify their own documents if they are separated from others by a distinguishable page.

■ To switch print devices between print modes  Some print devices can switch between print modes that take advantage of different device features. You can use separator pages to specify the correct page description language. For example, you can specify PostScript or Printer Control Language (PCL) for a print device that can switch between different print modes but cannot automatically detect which language a print job uses.

Windows XP Professional includes four separator page files, which are located in the %systemroot%\System32 folder.

■ Sysprint.sep  Prints a page before each document; compatible with PostScript print devices

■ Pcl.sep  Switches the print mode to PCL for HP-series print devices and prints a page before each document

■ Pscript.sep  Switches the print mode to PostScript for HP-series print devices but does not print a page before each document

■ Sysprtj.sep  A version of Sysprint.sep that uses Japanese characters

If you want to use a separator page, choose one and then use the Separator Page dialog box (Figure 6-27), which is accessible from the Advanced tab of the printer’s Properties dialog box, to specify that the separator page should be printed at the beginning of each print job.

Figure 6-27 Configuring a separator page


Administering Printers with a Web Browser

Windows XP Professional enables you to manage printers from any computer running a Web browser, regardless of whether the computer is running Windows XP Professional or has the correct printer driver installed. All management tasks that you perform with Windows XP Professional management tools are the same when you use a Web browser. The difference is the interface, which is a Web-based interface. To access a printer using a Web browser, a print server running Windows 2000 Server, Windows Server 2003, or Windows XP Professional must have Microsoft Internet Information Services (IIS) installed. The following are the advantages of using a Web browser, such as Microsoft Internet Explorer, to manage printers:

■ It allows you to administer printers from any computer running any Web browser, regardless of whether the computer is running Windows XP Professional or has the correct printer driver installed. This allows administration using HTTP, which can pass most firewalls.

■ It allows you to customize the interface. For example, you can create your own Web page containing a floor plan with the locations of the printers and the links to the printers.

■ It provides a summary page listing the status of all printers on a print server.

■ It can report real-time print device data, such as whether the print device is in power-saving mode, if the printer driver makes such information available. This information is not available in the Printers and Faxes window.

CAUTION  As with any other administrative tool, security considerations should govern how you use this tool. Do not make this tool available to users you do not trust, and control access to this tool from the Internet.

Accessing Printers Using a Web Browser

You can access all printers on a print server by using a Web browser (Figure 6-28). In the Address text box, type http://print_server_name/printers. This command displays a page listing all the printers on the print server. Click the name of the printer you want to manage. If you know the share name of the printer, you can enter it directly in the browser. Type http://server_name/printer_share_name in the Address box. From the printer’s URL page, you can view information about the printer, such as its model, its location, and the number of documents waiting to print. You can manage any document you have sent to the printer, and if you have Manage Printers permission for the printer, you can also pause or resume operation of the printer.

Figure 6-28 Using Internet Explorer to access all printers on a print server FT06HT28.BMP

MANAGING DOCUMENTS

In addition to managing printers, Windows XP Professional allows you to manage documents. Managing documents includes pausing, resuming, restarting, and canceling documents. In addition, you can set a specific document to notify the user when it has finished printing, adjust document priority to allow a critical document to print before other documents, or specify a specific time for a document to print.

Pausing, Restarting, and Canceling a Document

If there is a printing problem with a specific document, you can pause and resume printing of that document. You can also restart or cancel a document. You must have Manage Documents permission for the appropriate printer to perform these actions. Because the creator of a document has the default permissions to manage that document, users can perform any of these actions on their own documents. To manage a document, right-click the icon representing the printer for the document in the Printers and Faxes window, and then click Open. Select the appropriate documents, click the Document menu, and then click the appropriate command (Figure 6-29).

CHAPTER 6: CONFIGURING AND MANAGING PRINTERS AND FAX DEVICES

Figure 6-29 Managing documents

Here are some of the document management tasks and how to perform them:

■ Pause printing of a document Select the documents for which you want to pause printing, and then click Pause. (The status changes to Paused.)

■ Resume printing a document Select the documents you want to resume printing, and then click Resume. (The status changes to Printing.)

■ Restart printing of a document Select the documents for which you want to restart printing, and then click Restart. Restart causes printing to start from the beginning of the document.

■ Cancel printing of a document Select the documents for which you want to cancel printing, and then click Cancel. You can also cancel printing of a document by pressing the DELETE key.

TROUBLESHOOTING COMMON PRINTING PROBLEMS

During setup and configuration of a printer, problems can occur. This section introduces a few common problems that you might encounter and suggests some solutions. You will also learn about the built-in Printer Troubleshooter and some of the other troubleshooting features included in Windows XP Professional.

Examining the Problem

When you detect a printing problem, always verify that the printer is plugged in, turned on, and connected to the print server. For a network interface printer, verify that there is a network connection between the printer and the print server. To determine the cause of a problem, first try printing from a different program to verify that the problem is with the printer and not with the program. If the problem is with the printer, ask the following questions:

■ Can other users print normally? If so, the problem is most likely caused by insufficient permissions, no network connection, or client computer problems.

■ Does the print server use the correct printer driver for the printer?

■ Is the print server operational and is there enough disk space for spooling?

■ Does the client computer have the correct printer driver?

Common Troubleshooting Scenarios

Table 6-2 lists some of the common setup and configuration problems that you might encounter. It also gives probable causes of the problems and possible solutions.

Table 6-2 Common Printer Problems and Possible Solutions

Problem: Test page does not print. You have confirmed that the printer is connected and turned on.
Probable cause: The selected port is not correct.
Possible solution: Configure the printer for the correct port. For a printer that uses a network interface printer, make sure that the network address is correct.

Problem: Test page or documents print incorrectly as garbled text.
Probable cause: The installed printer driver is not correct.
Possible solution: Reinstall the printer with the correct printer driver.

Problem: Pages are only partially printing.
Probable cause: There is not enough memory to print the document. The printer does not have enough toner.
Possible solution: Add memory to the print server. Replace the printer’s toner cartridge.

Problem: Users report an error message that asks them to install a printer driver when they print to a print server running Windows XP Professional.
Probable cause: Printer drivers for the client computers are not installed on the print server.
Possible solution: On the print server, add the appropriate printer drivers for the client computers. Use the client computer operating system CD-ROM or a printer driver from the vendor.

Problem: Documents from one client computer do not print, but documents from other client computers do.
Probable cause: The client computer is connected to the wrong printer.
Possible solution: On the client computer, remove the printer, and then add the correct printer.

Problem: Documents print correctly on some printers in a printer pool, but not all of them.
Probable cause: The printers in the printer pool are not identical.
Possible solution: Verify that all printers in the printer pool are identical or that they use the same printer driver. Remove inappropriate devices.

Problem: Printing is slow because the print server is taking a long time to render the job.
Probable cause: The print server’s disk needs defragmenting or is getting close to capacity.
Possible solution: Defragment the print server’s disk and check whether there is adequate space for temporary files on the hard disk.

Problem: Printing is slow, and print jobs are taking a long time to reach the top of the queue.
Probable cause: If you are using a printing pool, you might not have enough printers in the pool.
Possible solution: Add printers to the printing pool.

Problem: Documents do not print in the right priority.
Probable cause: The printing priorities among printers are set incorrectly.
Possible solution: Adjust the printing priorities for the printer device associated with the printers.

Printing Troubleshooters

Windows XP Professional helps you interactively troubleshoot problems you encounter. To troubleshoot problems with a printer, choose Start | Control Panel | Printers And Other Hardware. In the Printers And Other Hardware window, under Troubleshooters, click Printing. The Help and Support Center window appears, with the Printing Troubleshooter displayed (Figure 6-30).

Figure 6-30 Printing Troubleshooter

Notice the series of questions on the page. As you respond to these questions, the troubleshooter asks additional questions and makes suggestions to resolve your problem based on the answers you provide.

Additional Troubleshooting Options

Check Event Viewer for system or application events related to a document’s failure to print. You can look up these events in the Microsoft Knowledge Base to get more information on the potential cause. Windows XP Professional provides a number of ways to help you resolve problems with your computer. On the Start menu, click Help And Support. If your problem is a printing problem, click Printing And Faxing to enter the help section on Printing and Faxing (Figure 6-31).

Figure 6-31 The Printers and Faxing area in the Help and Support Center

The Help and Support Center also allows you to use Remote Assistance to invite another person to help you over the Internet. The expert can accept this invitation, chat with you, and view your desktop. She can also transfer any files required to fix the issue or perform any complex procedures that need to be performed. You can also visit the Windows XP newsgroups or try Microsoft Online Assisted Support, which is accessible from the Help and Support Center.

CONFIGURING AND MANAGING WINDOWS XP FAX SUPPORT

Windows XP Professional can provide complete fax services from your computer. You can send and receive faxes using a locally attached fax device or using a remote fax device connected to your network. You can track and monitor fax activity as well. However, the fax component of Windows XP Professional is not installed by default. You install it by installing Fax Services in the Windows Components section of Add/Remove Programs (Figure 6-32).

Figure 6-32 Installing Fax Services

If you have a fax device (such as a fax modem) installed when you install the Fax Service, a Fax icon is added to Control Panel. You use the Fax icon to add, monitor, and troubleshoot fax devices, including fax modems and fax printers.

The Fax Console

Installing Windows XP’s fax support installs the Fax console as well. The Fax console manages the sending and receiving of faxes. The console has tools for designing cover pages and for viewing or printing received faxes. To access this utility, choose Start | All Programs | Accessories. Select Fax Console to launch the Fax console.

Fax Printers

Windows XP fax support installs the fax device to operate as a printer. This enables you to print to the fax device and send the results as a fax. Once printing is complete, the Fax service asks for addressing information to direct the fax to its destination. You are also prompted to select a cover page, and you can edit information on the cover page before sending the fax. The fax can be sent immediately or scheduled for a later time.

SUMMARY

■ Local printers are connected to a physical port on the print server, and network interface printers are connected to a printer through the network.

■ Network interface printers require their own network interface cards and have their own network address, or else they are attached to an external network adapter.

■ Windows XP Professional supports the following printer ports (software interfaces): LPT, COM, USB, and network-attached devices such as the HP JetDirect and Intel NetPort.

■ Sharing a local printer makes it possible for multiple users on the network to use it.

■ To set up and share a printer for a local print device or for a network interface print device, use the Add Printer Wizard.

■ To share an existing printer, use the Sharing tab of the Properties dialog box for the printer and select Share This Printer.

■ Windows XP Professional allows you to control printer use and administration by assigning permissions.

■ On client computers running Windows XP Professional, Windows 2000, or Windows Server 2003 that are members of an Active Directory domain, you can find a printer using Active Directory search capabilities.

■ On client computers running Windows NT 4, Windows 95, or Windows 98, the Add Printer Wizard allows you only to enter a UNC name or to browse Network Neighborhood to locate the printer.

■ A printer pool consists of two or more identical printers that are connected to one print server and act as a single printer.

■ You can set priorities on virtual printers so users can send critical documents to a high-priority printer and noncritical documents to a lower-priority printer, even when there is only one physical printer.

■ Setting a specific time for a document to print allows large documents to print only during off hours, such as late at night.

■ Windows XP Professional enables you to manage printers from any computer running a Web browser, regardless of whether the computer is running Windows XP Professional or has the correct printer driver installed.

■ Windows XP Professional helps you interactively troubleshoot problems you encounter. To troubleshoot printing problems, use the Printing Troubleshooter.

REVIEW QUESTIONS

1. To have a print server on your network, do you have to have a computer running one of the Windows Server products? Why?

2. Windows XP Professional printing supports which of the following types of computers? (Choose all correct answers.)
   a. Macintosh computers
   b. UNIX computers
   c. NetWare clients
   d. Windows 98 computers

3. Which of the following operating systems running on a client computer allow you to connect to a network printer by using Active Directory search capabilities? (Choose all correct answers.)
   a. Windows Server 2003
   b. Windows Me
   c. Windows NT 4
   d. Windows XP Professional

4. Which of the following tabs do you use to assign printer permissions to users and groups?
   a. Security tab of the Properties dialog box for the printer
   b. Security tab of the Properties dialog box for the user or group
   c. Permissions tab of the Properties dialog box for the printer
   d. Permissions tab of the Properties dialog box for the user or group

5. If a printer has multiple trays that regularly hold different paper sizes, how do you assign a form to a paper tray?

6. Briefly describe how to enable Internet printing on a print server.

CASE SCENARIOS

Scenario 6-1: Printing in a Small Office

You are the system administrator in a small architectural drafting office that uses four UNIX and six Windows XP Professional workstations. You are asked to establish printing to two wide-format plotters from all systems. The plotters do not have any network connectivity, but you have print drivers for both Windows XP and UNIX. What is the best way to establish printing in this scenario?

Scenario 6-2: Printer Wars

You are the network analyst for a trading office. The office has only one printer. Users are complaining to you about printing conflicts. The traders need their print jobs printed immediately, but these jobs often wait behind large reports being printed by the accountants. The office staff and accountants also need to print e-mails and spreadsheets, but these are not urgent jobs. Using a combination of printing schedules, printer priorities, and permissions, how can you make everyone happy?

CHAPTER 7

CONFIGURING AND MANAGING NTFS SECURITY

Upon completion of this chapter, you will be able to:

■ Understand the structure of NTFS security

■ Control access to files and folders by using permissions

■ Optimize access to files and folders by using NTFS best practices

■ Audit NTFS security

■ Troubleshoot access to files and folders

In this chapter, we’ll explore the configuration and management of security in the NTFS file system. You will learn how NTFS manages users’ access to resources and how to analyze and configure access control lists (ACLs). You’ll see how user group membership controls access to resources and how individual permissions are grouped into standard permissions. Finally, we will discuss how you can combine security groups and permissions to control access.

UNDERSTANDING THE NTFS FILE SYSTEM

To understand how the NTFS file system controls access to files, folders, and other objects, you need to understand the basic workings of the NTFS file system. In this course, you have already learned how the hard disk is divided into volumes or partitions. The file system’s job is to provide some structure to the volume or partition to allow it to store, track, and secure data that is stored on it. The NTFS file system can be described as a collection of files. The files are classified into two types, normal files (data files) and metadata files (files that contain data that describes data). The Master File Table (MFT), itself a metadata file, points to each of the other files, both normal and metadata, while including pointers to the appropriate entry in the $Secure file to control who has access to the files. Let’s look more closely at the metadata files:

■ Master File Table (MFT) A metadata repository containing pointers to the actual storage sites of data on the physical disk. The MFT (Figure 7-1) also contains directory indexes and stores attributes of files and folders in MFT records. The MFT can expand as more data is stored, allowing for the storage of vast amounts of data. In addition, a mirror copy of a portion of the MFT is maintained on each NTFS volume to ensure recoverability of the file system if the main MFT is damaged.

Figure 7-1 MFT structure (each MFT record on the NTFS-formatted disk carries an MFT record header, the file name attribute, standard attributes including timestamps, the location information on disk (LCN), and a security index reference ($SII))

NOTE The MFT is placed in an area on disk called the MFT zone, which is an area of disk set aside for expansion of the MFT. As the disk fills, this zone is reduced in size as required. If the zone gets small enough that the MFT no longer fits, the MFT can become fragmented because it has to be recorded in other areas of the disk. MFT fragmentation severely reduces file system performance and is one of the deleterious effects of filling up an NTFS volume.

■ Consolidated security NTFS maintains another metadata repository for tracking security information. Replacing the individual security descriptors (lists of users and groups with access to the file or folder stored separately for each file or folder) of earlier versions of NTFS, the $Secure metadata file (Figure 7-2) contains a set of common security descriptors that can be referenced over and over again by a single index attribute stored in the MFT for a file or folder. As each file or folder is assigned security settings, these settings are compared against settings assigned to other files and folders. If they match, both resources are assigned the same security entry in the $Secure metadata file. This reduces the amount of resources devoted to maintaining what could be thousands of separate security descriptor attributes on files and folders. Instead, a fairly small number (by comparison) of unique security descriptors are stored in the $Secure metadata file with index pointers to these entries stored in the file or folder’s MFT record.

Figure 7-2 Security organization in NTFS (the NTFS security ID index ($SII) attribute in each MFT record points to an entry in $Secure that holds the user or group security IDs (SIDs) and the permissions for that file)
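To make the consolidation scheme above concrete, here is an added example that models it; it is not code from the book and not NTFS’s own implementation. Each MFT record holds only a security ID, $Secure keeps one entry per distinct descriptor, and changing one file’s permissions reuses or allocates an entry rather than editing the shared one. The file names, the FINANCE SID and the starting security ID are constructed.

```python
"""Model of how NTFS consolidates security descriptors in the $Secure file.

Added example; not code from the book and not NTFS's own code. The MFT
record stores only a security index ($SII) reference, while $Secure keeps
one entry per distinct security descriptor shared by every file or folder
with identical settings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    kind: str        # "Allow" or "Deny"
    sid: str         # user or group security ID
    permission: str  # standard permission name


def canonical(descriptor):
    """Order-independent key for a security descriptor given as ACEs."""
    return frozenset(descriptor)


class SecureFile:
    """Stand-in for the $Secure metadata file: unique descriptors by index."""

    def __init__(self):
        self._index_of = {}   # canonical descriptor -> security id
        self.entries = {}     # security id -> canonical descriptor
        self._next_id = 256   # starting value chosen for illustration only

    def intern(self, descriptor):
        """Return the security id for a descriptor, adding it if it is new."""
        key = canonical(descriptor)
        security_id = self._index_of.get(key)
        if security_id is None:
            security_id = self._next_id
            self._next_id += 1
            self._index_of[key] = security_id
            self.entries[security_id] = key
        return security_id


class Volume:
    """MFT records hold a security id ($SII reference), never the ACL itself."""

    def __init__(self):
        self.secure = SecureFile()
        self.mft = {}   # file name -> security id

    def set_permissions(self, name, descriptor):
        self.mft[name] = self.secure.intern(descriptor)

    def permissions(self, name):
        return self.secure.entries[self.mft[name]]

    def security_id(self, name):
        return self.mft[name]

    def unique_descriptors(self):
        return len(self.secure.entries)


# Constructed sample: two files get the same ACEs in a different order,
# a third gets a different ACL, then one of the first two is restricted.
USERS = "S-1-5-32-545"            # well-known Users group SID
ADMINS = "S-1-5-32-544"           # well-known Administrators group SID
FINANCE = "S-1-5-21-0-0-0-1107"   # constructed domain group SID


def build_sample_volume():
    vol = Volume()
    vol.set_permissions("Abc.doc", [ACE("Allow", ADMINS, "Full Control"),
                                    ACE("Allow", USERS, "Read")])
    vol.set_permissions("123.doc", [ACE("Allow", USERS, "Read"),
                                    ACE("Allow", ADMINS, "Full Control")])
    vol.set_permissions("Xyz.xls", [ACE("Allow", ADMINS, "Full Control"),
                                    ACE("Allow", FINANCE, "Modify")])
    return vol


def restrict_file(vol, name, sid):
    """Add a Deny Full Control ACE for sid to one file. Files that shared the
    old $Secure entry keep it, because the entry is reused, never edited."""
    new_descriptor = set(vol.permissions(name)) | {ACE("Deny", sid, "Full Control")}
    vol.set_permissions(name, new_descriptor)
    return vol.security_id(name)


if __name__ == "__main__":
    vol = build_sample_volume()
    print(vol.security_id("Abc.doc") == vol.security_id("123.doc"))  # shared entry
    print(vol.unique_descriptors())
    restrict_file(vol, "Abc.doc", FINANCE)
    print(vol.unique_descriptors(), sorted(a.sid for a in vol.permissions("123.doc")))
```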

■ Transaction logging By logging changes to files, NTFS ensures data consistency by reversing unfinished transactions when recovering from a crash.

■ Quota tracking NTFS has the ability, through quota tracking, to keep track of the amount of data each user has stored on a volume and to limit further disk writes to prevent exceeding the limit.

NOTE Quota management is covered in Chapter 3.

UNDERSTANDING NTFS PERMISSIONS The NTFS security descriptors described above contain access control lists (ACLs) which are, in essence, a list of user or group security IDs (SIDs) matched up with permission settings for each SID. These individual entries are called access control entries (ACEs).

Components of NTFS Permissions

NTFS permission assignment involves three components: ACLs, ACEs, and users or groups.

Access control lists (ACLs) The ACL is the fundamental construct of security in the Microsoft Windows NT family of operating systems. Objects from files and folders all the way up to group policy objects in Active Directory are secured by using ACLs. ACLs come in two types:

■ System access control lists (SACLs) SACLs are defined by the operating system and are controlled administratively, either by policies or by system administrators. They control auditing of access to objects.

■ Discretionary access control lists (DACLs) DACLs are commonly referred to simply as ACLs. These are the lists of users or groups that have been granted access to an object. Because access is granted at the discretion of the object’s owner, this type of ACL is classified as discretionary.

Each object’s security descriptor contains a DACL that defines the users and groups that have access permissions to the object. NTFS stores this DACL in the $Secure metadata file and records the descriptor’s index attribute in the object’s standard information attributes in the MFT.


Access control entries (ACEs) ACLs consist of one or more access control entries (ACEs). These entries consist of a user or group security identifier (SID) paired with permissions assigned to this SID. ACEs can be one of three types:

■ Allow ACE An ACE that allows access to the listed SID for the listed operations (Read, Write, Modify, etc.).

■ Deny ACE An ACE designed to deny the specified operation to the listed SID.

■ System Audit ACE A component of a SACL, a System Audit ACE lists the operations to be audited for an object.

When more than one ACE exists on an ACL, the cumulative effects of all the ACEs are taken into account to determine what operations are permitted for a specific user. The rule governing this can be stated in the following way: Permission assigned to a user who has more than one ACE for an object is the most lenient of the accumulated permissions, unless one of the permissions is Deny, which overrides all other permissions for the specified operation. An example of this rule is the case where a user might be a member of more than one security group with access to a file. If one group has Allow Read permission and the other has Allow Modify, the user has permission to modify the file. If the permissions are Allow Modify and Deny Read, the user cannot open the file, thereby negating the Modify permission.

NOTE We will discuss permissions in more detail in the upcoming section titled “NTFS Permissions.”

Users and groups Users and groups, which are identified by the SID in the ACE, are the final part of the NTFS permissions scheme. By placing users into security groups and assigning the groups access to NTFS objects, you can easily control object access. Simply by placing a user into a security group, you confer all permissions granted to the group. This chapter discusses both built-in security groups and administratively created security groups, which differ in a few important ways:

■ Built-in security groups Groups that are included with the operating system by default. Examples of these groups are the Users group, Power Users group, and Administrators group. By default, Administrators have Full Control access to NTFS folders and files so they can administer permissions.

■ Assigned security groups Groups created by administrators to make it easier to manage access to resources. An example of an assigned group is an Applications group that you might create to manage access to executable applications.

■ Special groups Also referred to as implicit groups, these are groups whose membership changes based on the circumstances of a user’s access to a file. Examples of special groups are:

❑ CREATOR OWNER group A group made up of the creator or owner(s) of a resource.

NOTE We will pay special attention to the CREATOR OWNER group in this chapter. As you will see, you can use this group to manage access to public data.

❑ INTERACTIVE group A group of users who access an object while logged on to a system’s console.

❑ NETWORK group A group of users who access a resource over a network connection.

❑ Everyone group Any user identifiable by username who attempts to access resources on a system. This group includes users who have not authenticated themselves to any authority recognized by the system.

❑ Authenticated Users group Users who have been authenticated by an authority recognized and trusted by the system. This is an important consideration for security because members of the Authenticated Users group are more trusted than users belonging only to the Everyone group.

NTFS Permissions

You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes. They are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security applies whether a user accesses the file or folder at the local computer or over the network. The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.

NTFS folder permissions You assign folder permissions to control the access that users have to folders and to the files and subfolders within the folders. Folder permissions differ from file permissions in that some folder-level operations, such as listing folder contents, do not apply directly to files. The standard folder permissions are:

■ Read See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-Only, Hidden, Archive, and System)

■ Write Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

■ List Folder Contents See the names of files and subfolders in the folder

■ Read & Execute Move through folders to reach other files and folders, even if you don’t have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission

■ Modify Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission

■ Full Control Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions

You can deny any individual permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.

CAUTION Take care when denying permissions. This action, if not properly documented, can cause hard-to-trace permission issues when users are members of more than one group or change group membership later on.

NTFS file permissions You assign file permissions to control the access that users have to files. The standard file permissions are:

■ Read Read the file and view file attributes, ownership, and permissions

■ Write Overwrite the file, change file attributes, and view file ownership and permissions

■ Read & Execute Run applications, plus perform the actions permitted by the Read permission

■ Modify Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission

■ Full Control Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

Special permissions The previous section mentioned standard permissions. NTFS actually has 14 discrete permissions that apply to folders and 13 that apply to files. These permissions are grouped together into standard permissions for convenience, but you can assign them separately to provide very granular control of access permission for objects stored in the file system. These discrete permissions are called NTFS special permissions. The NTFS special permissions are as follows:

■ Full Control Applies all permissions to the user or group.

■ Traverse Folder/Execute File Traverse Folder applies only to folders. It allows or denies moving through folders to access other files or folders, even when the user has no permissions for the traversed folder (the folder that the user is moving through). Traverse Folder is not applied if the user or group has the Bypass Traverse Checking user right granted in Group Policy (discussed in Chapter 13). By default, the Everyone group has Bypass Traverse Checking granted, so you must modify the Group Policy if you want to use the Traverse Folder permission. Execute File applies only to files. It allows or denies running executable files (application files).

■ List Folder/Read Data List Folder applies only to folders. It allows or denies viewing file names and subfolder names within the folder. Read Data applies only to files. It allows or denies viewing the contents of a file.

■ Read Attributes Allows or denies the viewing of the attributes of a file or folder. These attributes are defined by NTFS. Attributes are items such as time stamps, compression, or encryption.

■ Read Extended Attributes Allows or denies the viewing of extended attributes of a file or a folder. These attributes are defined by programs. These can be items such as Author, Subject, and Source.

■ Create Files/Write Data Create Files applies only to folders. It allows or denies the creation of files within a folder. Write Data applies only to files. It allows or denies the making of changes to a file and the overwriting of existing content.

■ Create Folders/Append Data Create Folders applies only to folders. It allows or denies the creation of folders within the folder. Append Data applies only to files. It allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data.

■ Write Attributes Allows or denies the changing of the NTFS attributes (such as time stamps and compression attributes) of a file or folder.

■ Write Extended Attributes Allows or denies the changing of the extended attributes (such as Author, Subject, and Source) of a file or a folder.

■ Delete Subfolders and Files Allows or denies the deletion of subfolders or files within a folder, even if the Delete permission has not been granted on the particular subfolder or file.

■ Delete Allows or denies the deletion of a file or folder. A user can delete a file or folder even without having the Delete permission granted on that file or folder if the Delete Subfolders and Files permission has been granted to the user on the parent folder.

■ Read Permissions Allows or denies the reading of the permissions assigned to the file or folder.

■ Change Permissions Allows or denies the changing of the permissions assigned to the file or folder. You can give other administrators and users the ability to change permissions for a file or folder without giving them Full Control permission over the file or folder. In this way, the administrator or user can’t delete or write to the file or folder but can assign permissions to the file or folder.

■ Take Ownership Allows or denies taking ownership of the file or folder. The owner of a file can always change permissions on a file or folder, regardless of the permissions set to protect the file or folder.

NOTE There is one other special permission that you will not see very often: Synchronize. Synchronize allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that might signal it. This permission applies only to multithreaded, multiprocess programs.

Mapping NTFS special permissions to standard permissions Figure 7-3 shows how the NTFS special permissions combine to make up the NTFS standard permissions.

Read: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions

Write: Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes

List Folder Contents: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions

Read & Execute: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions

Modify: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete

Full Control: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Change Permissions, Take Ownership

Figure 7-3 Mapping NTFS special permissions to NTFS standard permissions

NTFS Permissions Inheritance

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder, and by any new files and subfolders that are created in the folder. However, you can prevent permissions inheritance: you can stop permissions assigned to a parent folder from being inherited by the subfolders and files that are contained within it. You might want to do this if a certain subfolder needs permissions that differ from the rest of the subfolders—for instance, if you have a parent folder called Data but want the Engineering Data subfolder to have slightly different permissions.

To block permissions inheritance:

1. In the Advanced Security Settings dialog box, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box.

2. Windows XP prompts you to copy existing permissions, remove all permissions and start with an empty ACL, or cancel.

CHAPTER 7:

CONFIGURING AND MANAGING NTFS SECURITY

The folder for which you prevent permissions inheritance becomes the new parent folder. The subfolders and files contained within this new parent folder inherit the permissions assigned to it.

Copying or moving NTFS objects

When you copy or move an object on an NTFS volume or between NTFS volumes (Figure 7-4), it might inherit permissions from its new parent folder, depending on the type of operation performed.

[Figure 7-4 diagram: Folder A and Folder B on one NTFS volume, Folder C on a second NTFS volume, and Folder D on a FAT volume, with MOVE, COPY, and XCOPY.EXE arrows between them. Callouts: an object moved within an NTFS volume retains its permissions; all other operations, move or copy, inherit permissions from the destination folder; XCOPY.EXE with the /O or /X option copies permissions to the new location.]

Figure 7-4 Copying and moving NTFS objects



■ Moving NTFS objects within an NTFS volume The only situation in which permissions are retained (ACLs copied with objects) is when an object such as a file or folder is moved within an NTFS partition.

■ Moving NTFS objects between NTFS volumes When objects are moved between volumes, they inherit the permissions of whichever target folder they are placed in on the target volume.

■ Moving NTFS objects to a non-NTFS volume Moving an object to a volume that does not support NTFS permissions removes all permissions from the object.

■ Copying NTFS objects within an NTFS volume When you copy an object within an NTFS volume, it inherits the permissions of the target folder.

■ Copying NTFS objects to another NTFS volume When you copy an object to another NTFS volume, it inherits the permissions of the target folder.

■ Copying NTFS objects to a non-NTFS volume Copying an object to a volume without NTFS security removes all permissions from the object.

There are two ways to cause Windows XP to retain permissions even when an object is copied or moved to another NTFS volume:

■ Using Xcopy.exe with the /O or the /X command-line switch copies permissions to the new destination.

■ Modifying the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer registry key. Adding the DWORD value ForceCopyAclwithFile with a value of 1 causes Windows XP to always copy the ACL with the object.

MORE INFO For more on these methods of copying permissions, see Microsoft Knowledge Base article 310316.

MANAGING NTFS PERMISSIONS

To assign NTFS permissions, you must fully understand the use and consequences of each permission. It is also important to understand how permissions from multiple group memberships work together to create effective permissions. In this section, you will learn how to plan for NTFS permission assignment and how to assign permissions. We will also explore how to determine effective permissions and how the system uses this determination to grant or deny access to objects.

Best Practices for Assigning Permissions

The following are best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems.

■ Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks. Observe the principle of least privilege.

■ Assign all permissions at the folder level, not at the file level. Group files for which you want to restrict user access in a separate folder, and then assign restricted access to that folder.

■ Assign permissions to groups whenever possible, not to individual users. You can manage permissions for a group once, and then make users members of that group to give them access to the files or folders.

■ Avoid changing the default permissions on system files and folders. This can cause unexpected and difficult-to-diagnose problems.

■ Do not deny access to the Everyone group. Administrators are members of Everyone as well, and they would also be restricted. Instead, remove the Everyone group from the ACL and replace it with appropriate groups requiring access. If all users require access, use the Authenticated Users group.

■ For all application executable files, assign Read & Execute and Change Permissions to the Administrators group and assign Read & Execute to the Users group. Damage to application files usually results from accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions.

■ For public folders, assign Full Control to CREATOR OWNER and Read and Write to the Authenticated Users group. This gives users full access to the files that they create, but members of the Authenticated Users group can only read files in the folder and add files to the folder.

■ If you don’t want a user or group to access a particular folder or file, don’t assign permissions. If you do not grant permission, the user will not have access to the object. You should deny permissions only in the following special cases (which should be very well documented):

❑ To exclude a person (or persons) who belongs to a group with Allowed permissions. For example, in a department where users have full control over files, you can deny permission to modify data to new employees who are in a probationary period.

❑ To exclude one special permission from a standard permission group. For example, you can deny the Delete special permission to users who have the Modify standard permission.

Setting NTFS Permissions

Administrators, users with the Full Control permission, and the owners of files and folders can assign permissions to user accounts and groups.


To assign or modify NTFS permissions for a file or folder, on the Security tab of the Properties dialog box for the file or folder, configure the options shown in Figure 7-5.

Figure 7-5 Assigning NTFS permissions

Here are the options on the Security tab:

■ Group Or User Names Allows you to select the user account or group for which you want to change permissions or that you want to remove from the list.

■ Permissions For Administrators Allows or denies permissions. Select the Allow check box to allow a permission. Select the Deny check box to deny a permission. This selection creates an Allow or Deny ACE in the ACL for the object.

■ Add Opens the Select Users Or Groups dialog box, which you use to select user accounts and groups to add to the Group Or User Names list (shown in Figure 7-6).

■ Remove Removes the selected user account or group and the associated permissions for the file or folder. This removes the ACE for this user or group from the associated ACL for the object.

■ Advanced Opens the Advanced Security Settings dialog box for the selected folder so that you can grant or deny special permissions (shown in Figure 7-7).

Adding users or groups

Click Add to display the Select Users Or Groups dialog box (Figure 7-6), where you can add users or groups so that you can assign them permissions for accessing a folder or file.


Figure 7-6 The Select Users Or Groups dialog box for a folder

The options in the Select Users Or Groups dialog box are:

■ Select This Object Type Allows you to select the types of objects you want to look for, such as built-in security principals (users, groups, and computer accounts), user accounts, or groups.

■ From This Location Indicates where you are currently looking—for example, in the domain or on the local computer.

■ Locations Allows you to select where you want to look—for example, in the domain or on the local computer.

■ Enter The Object Names To Select Allows you to type in a list of built-in security principals, users, or groups to be added.

■ Check Names Verifies the selected list of built-in security principals, users, or groups to be added against the location selected in the From This Location field.

■ Advanced Allows you access to advanced search features, including the ability to search for deleted accounts, accounts with passwords that do not expire, and accounts that have not logged on for a certain number of days.

Granting or denying special permissions

On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box (Figure 7-7), which lists the users and groups and the permissions they have on this object. The Permission Entries box also shows where the permissions were inherited from and where they are applied. You can use the Advanced Security Settings dialog box to change the special permissions set for a user or group. To change the permissions set for a user or group, select a user and click Edit to display the Permission Entry For dialog box (Figure 7-8). You can then select or clear the specific permissions that you want to change.


Figure 7-7 The Permissions tab of the Advanced Security Settings dialog box for a folder

Figure 7-8 The Permission Entry dialog box for a folder

NOTE For more information on each of the NTFS special permissions, see the “NTFS Permissions” section earlier in the chapter.

Taking ownership of files and folders

You can transfer ownership of files and folders from one user account or group to another. You can give someone the ability to take ownership and, as an administrator, you can take ownership of a file or folder (Figure 7-9). The following rules apply for taking ownership of a file or folder:

■ The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or any member of the group to take ownership.

■ An administrator can take ownership of a folder or file, regardless of assigned permissions. If an administrator takes ownership, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

Figure 7-9 Taking ownership of a folder

For example, if an employee leaves the company, an administrator can take ownership of the employee’s files and assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee’s files.

NOTE You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing them to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder.



To take ownership of a file or folder:

1. On the Security tab of the Properties dialog box for the file or folder, click Advanced.

2. In the Advanced Security Settings dialog box, on the Owner tab, select your name in the Change Owner To list.

3. Select the Replace Owner On Subcontainers And Objects check box to take ownership of all subfolders and files that are contained within the folder, and then click OK.


Preventing permissions inheritance

As we discussed earlier, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the Advanced Security Settings dialog box (shown earlier in Figure 7-7) when the Inherit From Parent The Permission Entries That Apply To Child Objects check box is selected. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the check box. You are then prompted to select one of the following options:

■ Copy Copy the permission entries that were previously applied from the parent to the child, and then deny subsequent permissions inheritance from the parent folder.

■ Remove Remove the permission entries that were previously applied from the parent to the child, and retain only the permissions that you explicitly assign here.

■ Cancel Cancel the dialog box.

Using Command-Line Tools to View and Modify Permissions

Microsoft offers two command-line tools for viewing and setting NTFS permissions in Windows XP: CACLS.exe (for “Change ACLs”) and XCACLS.exe (for “Extended CACLs”). CACLS is included in Windows XP, and XCACLS is available for download from Microsoft. The principal difference is that CACLS can set only standard NTFS permissions—Read, Write, Change (Modify), and Full Control—while XCACLS offers more (but not full) control over special permissions such as Delete, Change Permissions, and Take Ownership. In this section, we will discuss viewing and setting permissions with CACLS.

MORE INFO For more information on using XCACLS, see Microsoft Knowledge Base article 318754.

Understanding CACLS

CACLS has the following command-line switches:

■ /T Changes the ACLs of specified files in the current directory and all subdirectories.

■ /E Edits existing ACLs instead of replacing them.

■ /C Causes CACLS to continue on access denied errors. The default behavior is to stop when the first error is encountered.

■ /G user:perm Grants permissions to the specified user. The permissions you grant can be one of the following: Read, Write, Change (the same as Modify), or Full Control.

■ /R user Removes the ACE for the specified user. If this is the only ACE that matches the user’s access token, the user no longer has access. If the user belongs to a group with access, the user continues to have access based on the group’s permissions. This switch can be used only in conjunction with the /E switch.



■ /P user:perm Replaces the specified user’s access permissions with the new permissions given. This has the same effect as revoking the user’s permissions and granting new permissions. The permissions you grant can be one of the following: None (the same as Deny Full Control), Read, Write, Change (the same as Modify), or Full Control.

■ /D user The same as setting Deny Full Control for the specified user. This switch has the same effect as /P used with the N permission.

Using CACLS to view and change permissions

CACLS used without any switches displays permissions assigned to the specified resource (Figure 7-10).

Figure 7-10 CACLS showing permissions for a folder

NOTE In Figure 7-10, the CACLS display shows Special Access permissions FILE_APPEND_DATA and FILE_WRITE_DATA. Even though CACLS cannot modify these permissions, it reports on their use.

To change permissions, you must first decide whether you are changing permissions for one user, a group, or all users at once. The /E switch allows you to manipulate existing ACEs, add new ones, and remove individual ACEs. If you do not specify the /E switch, all ACEs are removed and replaced by the new ACE you have defined with CACLS.


CAUTION Failure to use the /E switch with CACLS results in the removal of all previously existing ACEs.

If you want to add permission for a user or group, you can do so by simply using the /G switch. The following command grants Jack the Full Control permission to the Syllabi folder:

CACLS.EXE Syllabi /E /G Jack:F

To revoke the ACE for Jack, issue the CACLS command with the /R switch:

CACLS.EXE Syllabi /E /R Jack

NOTE In the Revoke ACE scenario above, the user will still have any access granted by group memberships.

To deny access to Jack, in spite of any other permissions he might have:

CACLS.EXE Syllabi /E /D Jack

Finally, to grant the built-in Users group permission to modify files in the folder:

CACLS.EXE Syllabi /E /G Users:C

CACLS power play

The true power of a tool such as CACLS is the ability to use it in batch files to change permissions for many users or folders at once. By issuing a series of CACLS commands in a batch file, you can automate changes to lock users out of data folders during backup operations and let them back in afterward. You can also use CACLS to dump permission listings into a file by using the > command-line redirect:

CACLS.EXE Syllabi > permissions.txt

Doing this daily allows you to analyze changes being made to permissions over a long period of time. You can use a program such as Windiff.exe to spot changed lines in the files. It might therefore be possible to spot nefarious activity by other administrators or users of the system.

NOTE Windiff.exe is one of more than 100 support tools included with Windows XP. You can install them by running the Setup program in the \Support\Tools folder on the Windows XP Professional CD-ROM. For more information on installing support tools, see Microsoft Knowledge Base article 306794 at http://support.microsoft.com.
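The daily dump-and-compare routine described above, as an added Python example that is not part of the book. Rather than diffing the text files line by line, it parses each CACLS dump into a set of access control entries, so that a reordered line is not reported as a change and only entries that appeared or disappeared are listed. The two dumps are constructed, not captured, and follow the layout CACLS prints (the path on the first line, one principal:(flags)permission entry per line, and "(special access:)" entries followed by the individual right names, as in the Figure 7-10 note); the folder path C:\Syllabi and the account EXAMPLE\Jack are assumptions.

```python
"""Parse and compare two CACLS.EXE permission dumps of the same folder.

Added example (not code from the book). The dump format assumed here is the
layout CACLS prints: the path on the first line followed by the first ACE,
one ACE per line as principal:(flags)permission, and "(special access:)"
entries whose right names appear on the following line(s).
"""
import re
from typing import NamedTuple


class AceRecord(NamedTuple):
    principal: str
    flags: str       # inheritance flags as printed by CACLS, e.g. (OI)(CI)
    rights: str      # F, C, R, W, N, or a special right name such as FILE_WRITE_DATA


# principal : zero or more (flag) groups : optional upper-case rights letter(s)
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))*)(?P<rights>[A-Z]*)\s*$")


def parse_cacls(dump, path):
    """Return the set of AceRecord entries contained in one CACLS dump for `path`."""
    records = set()
    pending = None          # special-access ACE waiting for its right name line(s)
    first = True
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if first:
            # The first line starts with the folder path, then the first ACE.
            first = False
            if not raw.startswith(path + " "):
                raise ValueError("dump does not start with the expected path")
            line = raw[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if m is None:
            # Lines without a principal are right names of the pending special entry.
            if pending is None:
                raise ValueError(f"unexpected line in CACLS output: {raw!r}")
            records.add(AceRecord(pending.principal, pending.flags, line))
            continue
        principal, flags, rights = m.group("principal", "flags", "rights")
        if "(special access:)" in flags:
            pending = AceRecord(principal, flags.replace("(special access:)", ""), "")
            continue
        pending = None
        records.add(AceRecord(principal, flags, rights))
    return records


def diff_snapshots(old, new, path):
    """Return (added, removed) ACE sets between two dumps of the same path."""
    before, after = parse_cacls(old, path), parse_cacls(new, path)
    return after - before, before - after


def report(old, new, path):
    """Human-readable change lines, '+' for new entries and '-' for removed ones."""
    added, removed = diff_snapshots(old, new, path)
    lines = [f"+ {a.principal}:{a.flags}{a.rights}" for a in sorted(added)]
    lines += [f"- {r.principal}:{r.flags}{r.rights}" for r in sorted(removed)]
    return lines or ["no ACE changes"]


# Constructed sample: yesterday's dump of the Syllabi folder used in the chapter.
YESTERDAY = """C:\\Syllabi BUILTIN\\Administrators:(OI)(CI)F
           NT AUTHORITY\\SYSTEM:(OI)(CI)F
           BUILTIN\\Users:(OI)(CI)R
           BUILTIN\\Users:(CI)(special access:)
                          FILE_APPEND_DATA

           BUILTIN\\Users:(CI)(special access:)
                          FILE_WRITE_DATA

           CREATOR OWNER:(OI)(CI)(IO)F
"""

# Constructed sample: today's dump, after someone ran CACLS.EXE Syllabi /E /G Jack:F
# and removed the Users Read entry.
TODAY = """C:\\Syllabi BUILTIN\\Administrators:(OI)(CI)F
           NT AUTHORITY\\SYSTEM:(OI)(CI)F
           BUILTIN\\Users:(CI)(special access:)
                          FILE_APPEND_DATA

           BUILTIN\\Users:(CI)(special access:)
                          FILE_WRITE_DATA

           CREATOR OWNER:(OI)(CI)(IO)F
           EXAMPLE\\Jack:(OI)(CI)F
"""

if __name__ == "__main__":
    for change in report(YESTERDAY, TODAY, "C:\\Syllabi"):
        print(change)
```

Running the script prints the newly granted Full Control entry for EXAMPLE\Jack and the removed Read entry for BUILTIN\Users; an unexpected "+" line for an account that should not have access is the kind of change the chapter suggests watching for.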


Assigning Multiple NTFS Permissions

You can assign multiple permissions to a user account and to each group the user belongs to. To assign permissions, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and assigns NTFS permissions inheritance. When a user attempts to access an object, the user’s application initiates an access request and attaches the user’s access token, which is generated when the user logs on. The access token contains the user’s SID and the SIDs of any security groups the user belongs to. It is compared with ACEs on the object’s DACL. If a SID in the access token matches the SID listed in an ACE, the permissions in the ACE are evaluated to see if access can be granted. If all the ACEs are evaluated and at least one grants access (and none are found that explicitly deny access), the object is opened. If no ACEs are found referencing any of the user’s SIDs or one is found that denies the operation, access is denied.

Example A

User A wants to access a folder to read a file (Figure 7-11). The user’s SID and the SIDs for the groups the user is a member of are part of the access token that is created when the user logs on. Each SID is evaluated to see if it matches an ACE on the DACL for the object. User A is a member of Groups A, B, and D. The user’s SID does not match any ACE on the DACL. Group B and Group D each match an ACE on the folder’s DACL. Membership in Group B grants the user Modify access to the folder. Membership in Group D grants the user Full Control access to the folder. The user’s effective access level is Full Control. The Read operation requested by the user succeeds.

[Figure 7-11 diagram: User A requests access to read a file. SIDs in the access token: User A, Group A, Group B, Group D. Folder DACL entries: User B (Allow Read), Group A (Allow Modify), Group C (Deny Read), Group D (Allow Full Control). SIDs with no matching entry are marked "No ACE". Effective permission is Full Control.]

Figure 7-11 User A opens a file to read.


Example B

User B wants to access the same folder to read a file (Figure 7-12). The user’s SID and the SIDs for the groups the user is a member of are part of the access token that is created when the user logs on. Each SID is evaluated to see if it matches an ACE on the DACL for the object. User B is a member of Groups A, C, and D. The user’s SID matches a Read ACE on the DACL. Groups B, C and D also match an ACE on the folder’s DACL. Membership in Group B grants the user Modify access to the folder. Membership in Group D grants the user Full Control access to the folder. Membership in Group C denies the user Read access to the folder. The user’s effective access level is Deny Read. The Read operation requested by the user fails.

[Figure 7-12 diagram: User B requests access to read a file. SIDs in the access token: User B, Group A, Group C, Group D. Folder DACL entries: User B (Allow Read), Group A (Allow Modify), Group C (Deny Read), Group D (Allow Full Control). Effective permission is Deny Read.]

Figure 7-12 User B fails to open a file to read.
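The access check that Examples A and B walk through, combined with the special-permission makeup of each standard permission from Figure 7-3, as an added Python example that is not code from the book. The folder DACL, group names and token contents are constructed from the two diagrams (Group A carries Allow Modify, Group C carries Deny Read, Group D carries Allow Full Control); the SIDs are plain labels rather than real security identifiers, and the real Windows access check compares access-mask bits rather than permission names, so this is a model of the rule the chapter states, not of the kernel routine.

```python
"""Model of the NTFS access check described in "Assigning Multiple NTFS Permissions".

Added example (not code from the book). SIDs are constructed string labels.
Standard permissions expand to the special permissions listed in Figure 7-3;
Allow ACEs that match a SID in the token accumulate rights, and a matching
Deny ACE for any requested right overrides every Allow.
"""
from dataclasses import dataclass

# Special permissions that make up each standard permission (Figure 7-3).
READ_SPECIAL = {"List Folder/Read Data", "Read Attributes",
                "Read Extended Attributes", "Read Permissions"}
WRITE_SPECIAL = {"Create Files/Write Data", "Create Folders/Append Data",
                 "Write Attributes", "Write Extended Attributes"}
READ_EXECUTE_SPECIAL = READ_SPECIAL | {"Traverse Folder/Execute File"}
MODIFY_SPECIAL = READ_EXECUTE_SPECIAL | WRITE_SPECIAL | {"Delete"}
FULL_CONTROL_SPECIAL = MODIFY_SPECIAL | {"Change Permissions", "Take Ownership"}

STANDARD = {
    "Read": READ_SPECIAL,
    "Write": WRITE_SPECIAL,
    "List Folder Contents": READ_EXECUTE_SPECIAL,
    "Read & Execute": READ_EXECUTE_SPECIAL,
    "Modify": MODIFY_SPECIAL,
    "Full Control": FULL_CONTROL_SPECIAL,
}


@dataclass(frozen=True)
class Ace:
    sid: str          # principal the entry applies to (constructed label, not a real SID)
    allow: bool       # True for an Allow ACE, False for a Deny ACE
    permission: str   # a standard permission name from STANDARD


def expand(permission):
    """Special permissions granted or denied by one standard permission."""
    return set(STANDARD[permission])


def effective_rights(token_sids, dacl):
    """Return (allowed, denied) special-permission sets for this access token.

    Only ACEs whose SID appears in the token count; an ACE that matches no SID
    in the token is skipped, like the entries marked "No ACE" in Figure 7-11.
    """
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        (allowed if ace.allow else denied).update(expand(ace.permission))
    return allowed, denied


def check_access(token_sids, dacl, requested):
    """True if every requested special right is allowed and none of them is denied."""
    allowed, denied = effective_rights(token_sids, dacl)
    wanted = expand(requested)
    if wanted & denied:        # an explicit Deny wins over any Allow
        return False
    return wanted <= allowed   # no matching Allow at all also means access denied


def effective_standard(token_sids, dacl):
    """Widest standard permission fully covered once denied rights are removed."""
    allowed, denied = effective_rights(token_sids, dacl)
    remaining = allowed - denied
    for name in ("Full Control", "Modify", "Read & Execute", "Write", "Read"):
        if STANDARD[name] <= remaining:
            return name
    return None


# Folder DACL shared by both examples (constructed from Figures 7-11 and 7-12).
FOLDER_DACL = [
    Ace("User B", True, "Read"),
    Ace("Group A", True, "Modify"),
    Ace("Group C", False, "Read"),
    Ace("Group D", True, "Full Control"),
]

# Example A: User A belongs to Groups A, B and D; no Deny ACE matches the token.
TOKEN_A = {"User A", "Group A", "Group B", "Group D"}
# Example B: User B belongs to Groups A, C and D; Group C carries Deny Read.
TOKEN_B = {"User B", "Group A", "Group C", "Group D"}

if __name__ == "__main__":
    print("User A read:", check_access(TOKEN_A, FOLDER_DACL, "Read"))       # True
    print("User A effective:", effective_standard(TOKEN_A, FOLDER_DACL))     # Full Control
    print("User B read:", check_access(TOKEN_B, FOLDER_DACL, "Read"))       # False
    print("User B effective:", effective_standard(TOKEN_B, FOLDER_DACL))     # Write
```

The effective_standard result for User B illustrates a point the text makes only implicitly: denying Read does not strip the rest of Full Control, so User B can still write to the folder while being unable to read it, which is exactly the kind of surprising state that the troubleshooting section later attributes to Deny entries.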

Effective permissions

A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and that you assign to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder. If the application a user is using wants to open a file to modify it, it requests Append Data access to the object. If any ACEs match the user’s access token, they are examined to see if the required permission is allowed. If it is not explicitly allowed, access is denied. If no ACEs match the user’s access token, access is denied.

To view effective permissions for an object:

1. In the object’s Properties dialog box, on the Security tab, click Advanced to access the Advanced Security Settings dialog box.

2. Click the Effective Permissions tab, and use the Select button to browse for and select a user or group.

3. View the effective permissions on the object for the selected user or group (Figure 7-13).

Figure 7-13 Effective permissions for a user or group

Overriding folder permissions with file permissions

NTFS file permissions take priority over NTFS folder permissions. If you have access to a file, you can access the file if you have the Bypass Traverse Checking user right (granted by an administrator via Group Policy) even if you don’t have access to the folder containing the file. You can access the files for which you have permissions by using the full Universal Naming Convention (UNC) path or local path to open the file from its respective application.

Using “Deny Access” to Override Permissions

You can deny permission to a user account or group for a specific file, although this is not the recommended method of controlling access to resources. Denying permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have.

AUDITING NTFS OBJECT ACCESS

Auditing allows you to track user activities on a computer. You can specify that Windows XP Professional write a record of an event to the security log, which maintains a record of valid and invalid logon attempts and events related to creating, opening, or deleting files or other objects. An audit entry in the security log contains the following information:

■ The action that was performed

■ The user who performed the action

■ The success or failure of the event and when the event occurred

Enabling Auditing

To track the activities of individuals responsible for security breaches, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set your audit policy to audit object access, which includes files and folders. We will discuss this in more detail in Chapter 13. When you set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access to audit and by which users or groups. NTFS object access auditing is configured on the Auditing tab of the Advanced Security Settings dialog box (Figure 7-14), where you can add, remove, or change audit events.

Figure 7-14 Audit Settings tab of the Advanced Security Settings dialog box

Events can be described for both success and failure of the audited action. If you choose to add or edit an audited event, the Auditing Entry dialog box opens (Figure 7-15).

Figure 7-15 Auditing Entry dialog box

These are the actions you can audit for success and failure:

■ Traverse Folder/Execute File Running a program or gaining access to a folder to change directories

■ List Folder/Read Data Displaying the contents of a file or folder

■ Read Attributes Reading the attributes of a file or folder

■ Read Extended Attributes Reading the extended attributes of a file or folder

■ Create Files/Write Data Changing the contents of a file or creating new files in a folder

■ Create Folders/Append Data Creating folders in a folder

■ Write Attributes Changing attributes of a file or folder

■ Write Extended Attributes Changing extended attributes of a file or folder

■ Delete Subfolders And Files Deleting a file or subfolder in a folder (applies to folders only)

■ Delete Deleting a file or folder

■ Read Permissions Viewing permissions for the file owner for a file or folder

■ Change Permissions Changing permissions for a file or folder

■ Take Ownership Taking ownership of a file or folder


NOTE Enabling auditing of a folder or file creates an SACL in the object’s security descriptor. This SACL is used by the system when the object is accessed to determine which operations are audited and whether the operations should be recorded for success or failure.

Monitoring Security Event Logs

Once auditing is enabled for NTFS objects, the results of the auditing can be monitored in the security event log for the system being audited. This log is visible in the Event Viewer console either in Computer Management or by executing eventvwr.msc from the command line. We will cover the use and administration of auditing in more detail in Chapter 13.

TROUBLESHOOTING NTFS PERMISSIONS

Occasionally you will have a user who cannot access files that should be allowed, or who is found to have access that he shouldn’t have. These problems can almost always be traced to improper effective permissions, either from membership in an incorrect security group or from incorrectly assigned permissions to one or more groups of which the user is a member.

Problems with Effective Permissions

To locate improper effective permissions, you can use the Effective Permissions tab of the Advanced Security Settings dialog box (Figure 7-16) for the resource in question. Select the user to list the permissions calculated from the user’s own permissions and those of any groups the user belongs to. If you find a discrepancy, select each of the user’s groups in turn to locate the one that is contributing the discrepancy to the effective permissions.

Figure 7-16 Displaying effective permissions for a user


Problems with Denied Permissions

When you use the Deny permission ACEs, it is easy to lose track of them. Their use is more the exception than the rule, so administrators will rarely suspect a denied permission at first. You can analyze effective permissions to see whether a checkmark is missing from one or more special permissions that should be checked. Locate the Deny access ACE and remove it to restore access to the affected user(s).

Problems with Permissions Inheritance

Blocking permissions inheritance can cause unintended consequences for effective permissions. Suppose a user is a member of a group with access to a folder through inheritance from a parent folder. If an administrator removes inheritance without copying the permissions from the parent and sets new permissions that do not give the original user access, the user will be denied access. You can analyze effective permissions to see whether you need to add the appropriate security group(s) with the appropriate permissions.
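A model of the Copy / Remove choice described under "Preventing permissions inheritance" earlier in the chapter and of the inheritance problem described in this section, as an added Python example that is not code from the book. The Data and Engineering Data folders and the group names are constructed; effective_acl applies the inheritance rule the chapter states (a child receives its parent's entries until inheritance is blocked) and does not model inheritance flags such as apply-to-subfolders-only. dropped_principals is the check an administrator would make before and after clearing the check box: which groups no longer appear in the child's effective ACL.

```python
"""Copy versus Remove when blocking NTFS permissions inheritance.

Added example (not code from the book). Folders, groups and permissions are
constructed for the illustration; inheritance is modelled as "a child lists
its parent's entries until the Inherit From Parent check box is cleared".
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    principal: str        # user or group the entry applies to (constructed names)
    permission: str       # standard permission name such as "Modify"
    inherited: bool = False


@dataclass
class Folder:
    name: str
    explicit: list = field(default_factory=list)   # entries set directly on this folder
    inherits: bool = True                           # the Inherit From Parent check box
    parent: "Folder | None" = None


def effective_acl(folder):
    """Explicit entries plus, while inheritance is on, everything the parent passes down."""
    acl = [Entry(e.principal, e.permission, False) for e in folder.explicit]
    if folder.inherits and folder.parent is not None:
        acl += [Entry(e.principal, e.permission, True)
                for e in effective_acl(folder.parent)]
    return acl


def block_inheritance(folder, choice):
    """Clear the check box on `folder`; `choice` is "copy" or "remove", as in the prompt."""
    if choice == "copy":
        # Copy: the inherited entries become explicit entries on this folder, so
        # everyone who had access keeps it; only later parent changes stop flowing down.
        folder.explicit += [Entry(e.principal, e.permission, False)
                            for e in effective_acl(folder) if e.inherited]
    elif choice != "remove":
        raise ValueError("choice must be 'copy' or 'remove'")
    # Remove: nothing is carried over; only entries assigned here afterwards apply.
    folder.inherits = False


def has_access(folder, groups, permission):
    """True if the user's own name or any group in `groups` holds `permission` here."""
    return any(e.principal in groups and e.permission == permission
               for e in effective_acl(folder))


def dropped_principals(before, after):
    """Principals present in an effective ACL before a change but missing afterwards."""
    return {e.principal for e in before} - {e.principal for e in after}


def scenario(choice):
    """Build the Engineering Data subfolder under Data, block inheritance, add one entry.

    Returns the child's effective ACL before the change and the child folder after it.
    """
    data = Folder("Data", explicit=[Entry("Authenticated Users", "Read"),
                                    Entry("Engineering", "Modify")])
    eng = Folder("Engineering Data", parent=data)
    before = effective_acl(eng)
    block_inheritance(eng, choice)
    # The administrator then sets the new permissions they actually intended.
    eng.explicit.append(Entry("Engineering Leads", "Full Control"))
    return before, eng


if __name__ == "__main__":
    for choice in ("copy", "remove"):
        before, eng = scenario(choice)
        print(f"{choice}: Engineering still has Modify ->",
              has_access(eng, {"Engineering"}, "Modify"),
              "| groups dropped from the ACL:",
              dropped_principals(before, effective_acl(eng)) or "none")
```

With "remove", both Authenticated Users and Engineering vanish from the subfolder's effective ACL, which is the situation the text describes; with "copy", the same entries survive as explicit entries and the only behavioural change is that future edits to the Data folder no longer propagate.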


SUMMARY

■ NTFS permissions are available only on NTFS volumes and are used to specify which users and groups can access files and folders and what these users can do with the contents of those files or folders.

■ NTFS folder permissions are Read, Write, List Folder Contents, Read & Execute, Modify, and Full Control.

■ The NTFS file permissions are Read, Write, Read & Execute, Modify, and Full Control.

■ Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.

■ The command-line tools CACLS.exe and XCACLS.exe can be used to automate permission changes.

■ NTFS stores security descriptors (which include ACLs) for all files in a central metadata file. An index attribute is stored in the file’s MFT record to identify the security descriptor. Multiple files can designate the same security descriptor, optimizing use of space.

■ A user attempting to gain access to a resource must have permission for that type of access. This access type is requested by the user’s application and compared with ACEs in the object’s ACL. If the requested access is not allowed, access to the file or folder is denied.

■ You can assign multiple permissions to a user account by assigning permissions to her individual user account and to each group she belongs to.

■ A user’s effective permissions for a resource are based on the NTFS permissions that you assign to the individual user account and to all of the groups the user belongs to.

■ NTFS file permissions take priority over NTFS folder permissions.

■ By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group.

■ To assign or modify NTFS permissions for a file or a folder, you use the Security tab of the Properties dialog box for the file or folder.

■ By default, subfolders and files inherit permissions that you assign to their parent folder.

■ To stop subfolders and files from inheriting permissions that you assign to their parent folder, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box in the Advanced Security Settings dialog box.

■ The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or a member of the group to take ownership.

■ You cannot assign (give) anyone ownership of a file or folder.

■ When you move a file or folder within a single NTFS volume, the file or folder retains its original permissions.

■ When you move a file or folder between NTFS volumes, the file or folder inherits the permissions of the destination folder.

■ When you copy files or folders from one folder to another or from one volume to another, Windows XP Professional treats the copied file or folder as a new file or folder. It therefore takes on the permissions of the destination folder.

■ You should assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.

■ You should assign permissions at the folder level, not the file level.

■ You should assign Full Control to CREATOR OWNER for public folders and Read and Write to the Authenticated Users group.

Allow permissions wherever possible rather than deny permissions. The only exceptions should be to except users who belong to an assigned group, or to except permissions from a standard permission group.

REVIEW QUESTIONS

1. Which of the following statements correctly describe NTFS file and folder permissions? (Choose all correct answers.)
   a. NTFS security is effective only when a user gains access to the file or folder over the network.
   b. NTFS security is effective when a user gains access to the file or folder on the local computer.
   c. NTFS permissions specify which users and groups can gain access to files and folders and what they can do with the contents of the file or folder.
   d. NTFS permissions can be used on all file systems available with Windows XP Professional.

2. Which of the following NTFS folder permissions allows you to delete the folder?
   a. Read
   b. Read & Execute
   c. Modify
   d. Change

3. Which of the following users can assign permissions to user accounts and groups? (Choose all correct answers.)
   a. Administrators
   b. Power Users
   c. Users with the Full Control permission
   d. Owners of files and folders

4. What is an access control list (ACL) and what is the difference between an ACL and an access control entry (ACE)?

5. What are a user’s effective permissions for a resource?

6. By default, what inherits the permissions that you assign to the parent folder?

7. Which of the following tabs of the Properties dialog box for the file or folder do you use to assign or modify NTFS permissions for a file or a folder?
   a. Advanced
   b. Permissions
   c. Security
   d. General

8. Which of the following statements about copying a file or folder are correct? (Choose all correct answers.)
   a. When you copy a file from one folder to another folder on the same volume, the permissions on the file do not change.
   b. When you copy a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions on the file do not change.
   c. When you copy a file from a folder on an NTFS volume to a folder on another NTFS volume, the permissions on the file match those of the destination folder.
   d. When you copy a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions are lost.

9. Which of the following statements about moving a file or folder are correct? (Choose all correct answers.)
   a. When you move a file from one folder to another folder on the same volume, the permissions on the file do not change.
   b. When you move a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions on the file do not change.
   c. When you move a file from a folder on an NTFS volume to a folder on another NTFS volume, the permissions on the file match those of the destination folder.
   d. When you move a file from a folder on an NTFS volume to a folder on the same volume, the permissions on the file match those of the destination folder.

10. You are attempting to copy a large number of files from one NTFS volume to another and want to avoid having to re-create all the original permissions once the copy operation is completed. How can you accomplish this with minimal effort?

CASE SCENARIOS

Scenario 7-1: Permission Soup

You are designing NTFS security for a system that will store public data and applications for users to share. Users will access all files locally from the system you are configuring. You have been presented with the following requirements:

■ Create a place for all users to place public files. They should be able to add files and maintain their own files, but they should not be able to do more than read any other user’s files.

■ Set up a place for users from the HR department to place personnel policies. Only HR personnel should be able to modify these files, but all users should be able to read them.

■ Provide a place for executable application files for users from the Accounting department. Only users from Accounting should be able to see these files.

■ Create a folder for personnel reviews. Only managers should be able to access this folder, and each manager should be able to create and modify her own files only. Besides the manager who creates each file, only HR personnel should be able to read these files, and administrators should not have access to any of these files. In addition, provide a way for managers to know if an administrator has accessed any file in this folder.

Answer the following questions about this scenario:

1. What user groups should be defined to support this scenario?

2. What folders should you create to support this scenario?

3. Which NTFS standard permissions should you give to the Users group for the Public folder? How can you ensure that the creators of files can modify and delete them?

4. What permissions should the HR users have for the personnel policy files? Where should this permission be assigned?

5. How do you ensure that only Accounting has permission to access the accounting applications?

6. Detail the steps to take to secure the personnel review folders. How will you report on access to any of these files by administrators?

Scenario 7-2: Effective Permissions

You are newly employed by a small distillery. One of your first tasks is to straighten out permission issues that have left some users unable to access files containing mash recipes. The previous administrator attempted to restrict some users from accessing these recipes but ended up locking out the blending crew (group name Blenders). Answer the following questions about this scenario:

1. How can you determine what the blending crew’s effective permissions are?
   a. Use the Effective Permissions tab of the Sharing Permissions dialog box for the Mash Recipes folder. Display effective permissions for the Blenders group.
   b. Use the Effective Permissions tab of the Advanced Security Settings dialog box for the Mash Recipes folder. Display effective permissions for the Blenders group.
   c. Use the CACLS command-line program with the /E:Blenders switch to display permissions for the Mash Recipes folder.
   d. Use the CACLS command-line program without any switches to view all permissions for the folder. Determine the Blender group’s permissions by combining the permissions for all groups they belong to.

2. Which of the following CACLS command lines can you use to grant the Blenders group access to read these files?
   a. CACLS "Mash Recipes" /G Blenders:R
   b. CACLS "Mash Recipes" /E /G Blenders:R
   c. CACLS "Mash Recipes" /D Blenders
   d. CACLS "Mash Recipes" /R Blenders

CHAPTER 8

CONFIGURING AND MANAGING SHARED FOLDER SECURITY

Upon completion of this chapter, you will be able to:

■ Create and remove shared folders
■ Control access to shared folders by using permissions
■ Analyze and troubleshoot combined share and NTFS permissions
■ Manage and troubleshoot offline files
■ Manage and troubleshoot Web server resources

In Chapter 7, you learned about NTFS permissions. NTFS permissions are more than sufficient to protect files and folders stored on a system. There are times, however, when it is necessary to deploy a system that will support users across a network. To enable us to use files over a network connection, we must share the folders that contain them. The process of sharing folders makes them available to networked client systems. In this chapter, you will learn how to share folders. You will explore share permissions and how they interact with NTFS permissions. We will discuss the setup and management of offline files. Finally, we will discuss Web sharing and how it differs in its application from standard shares.


UNDERSTANDING SHARED FOLDERS

You use shared folders to provide network users with access to file resources. When a folder is shared, users can connect to the folder over the network and access the files it contains. However, to access the files, users must have permissions to access the shared folders (Figure 8-1).

Figure 8-1 Accessing folders locally and remotely. User A accesses the Data folder locally on the server computer (access is controlled by NTFS permissions); User B accesses the same folder over the network connection from a client computer (access is controlled by share and NTFS permissions).

Shared Folder Permissions

A shared folder can contain application data, user documents, and even software. To control how users gain access to a shared folder, you assign shared folder permissions. Each type of data requires different shared folder permissions. The following list explains what each of the shared folder permissions allows a user to do:

■ Read  Display folder names, file names, file data, and attributes; run program files; and change folders within the shared folder.

■ Change  Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files; also allows the user to perform actions permitted by the Read permission.

■ Full Control  Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

As with NTFS permissions, you can allow or deny shared folder permissions. Generally, it is best to allow permissions and to assign permissions to a group rather than to individual users. Deny permissions only when it is necessary to override permissions that are otherwise applied—for example, when it is necessary to deny permission to a specific user who belongs to a group to which you have given the permission. If you deny a shared folder permission to a user, the user won’t have that permission when accessing the folder across the network. For example, to deny all access to a shared folder, deny the Full Control permission.

NOTE  A user with no share permissions assigned, either as an individual or as a member of a security group, will not have access to the shared folder.

The following are characteristics of shared folder permissions:

■ Shared folder permissions apply to folders, not individual files. Because you can apply shared folder permissions only to the entire shared folder and not to individual files or subfolders in the shared folder, they provide less detailed security than NTFS permissions.

■ Shared folder permissions don’t restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.

■ Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions aren’t available on FAT volumes.

■ The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.

NOTE  The Everyone: Read permission allows all users accessing a system to read documents in a folder. This includes those who have not been specifically authenticated as a user on the system. You should always remove this permission from shares and use Authenticated Users instead (or even more specific user groups). We will discuss the reasons for this in more detail in Chapter 13.

Guidelines for Shared Folder Permissions

The following list provides some general guidelines for managing your shared folders and assigning shared folder permissions:

■ Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.

■ Assign permissions to groups instead of user accounts to simplify access administration.

■ Assign to a resource the most restrictive permissions that still allow users to perform required tasks. For example, if users only need to read information in a folder and they will never delete or create files, assign the Read permission.

■ Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store those folders within the same folder. Then share this folder instead of providing each individual application folder with its own share.

■ Use intuitive share names so users can easily recognize and locate resources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use. Microsoft operating systems prior to Windows 2000 might shorten the shared folder name to 12 or fewer characters.

■ Do not deny access to the Everyone group. Instead, completely remove the Everyone group from the permissions. Denying access to Everyone denies access even to administrators.

How Shared Folder Permissions Are Applied

Applying shared folder permissions to user accounts and groups affects access to a shared folder over the network. Denied permissions take precedence over allowed permissions. The following list describes the effects of applying permissions:

■ Multiple permissions  A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder and that user is a member of a group to which you assigned a different permission, the user’s effective permissions are a combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user’s effective permission is Change (which includes Read).

■ Deny permissions  Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won’t have that permission, even if you allow the permission for a group the user belongs to.

■ NTFS permissions  Shared folder permissions are sufficient to gain access across the network to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of that folder’s contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access. A user’s effective permission for a shared folder on an NTFS volume is the more restrictive of the shared and NTFS permissions.

■ Moving, renaming, copying, or deleting a shared folder  When you copy a shared folder, the original folder is still shared but the copy is not. When you rename or move a shared folder, it is no longer shared. When a folder is deleted, the folder share is deleted as well.
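The rules in the list above (accumulated group permissions, Deny over Allow, share permissions applying only over the network, and network access to NTFS being the more restrictive of the two results) can be checked in code. The following Python model is an added example, not part of the textbook; the share, user and group names (Recipes, Blenders, Staff, contractor) are constructed, and the action sets behind each standard permission simplify the real access mask.

```python
"""Model of how Windows XP combines share and NTFS permissions.

Added example, not from the textbook. It encodes the rules stated in this
chapter: permissions from the user account and every group accumulate,
Deny entries override Allow entries, share permissions apply only over the
network, and network access to an NTFS volume is the more restrictive of
the share result and the NTFS result. The action sets behind each standard
permission are a simplification of the real access mask, and the share,
user and group names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "execute", "write", "delete", "change_permissions", "take_ownership")
ALL: FrozenSet[str] = frozenset(
    {READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# Share permissions (Read, Change, Full Control) as sets of basic actions.
SHARE_RIGHTS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}

# NTFS standard permissions as sets of basic actions.
NTFS_RIGHTS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({READ}),
    "List Folder Contents": frozenset({READ, EXECUTE}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Write": frozenset({WRITE}),
    "Modify": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a user or group, a permission, Allow/Deny."""
    principal: str
    permission: str
    allow: bool = True


def effective_rights(principals: Set[str], acl: List[Ace],
                     table: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Union the Allow entries that match the user or any of the groups,
    then remove every action denied to any of them (Deny takes precedence)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(table[ace.permission])
    return frozenset(allowed - denied)


def effective_access(user: str, groups: Set[str], share_acl: List[Ace],
                     ntfs_acl: Optional[List[Ace]],
                     over_network: bool) -> FrozenSet[str]:
    """Actions `user` can perform on the shared folder.

    ntfs_acl=None models a FAT volume, which has no NTFS permissions.
    Local access is governed by NTFS permissions alone; network access to
    an NTFS volume gets the intersection of the share and NTFS results.
    """
    principals = {user, *groups}
    ntfs = ALL if ntfs_acl is None else effective_rights(principals, ntfs_acl, NTFS_RIGHTS)
    if not over_network:
        return ntfs
    share = effective_rights(principals, share_acl, SHARE_RIGHTS)
    return share & ntfs


def describe(rights: FrozenSet[str]) -> str:
    """Name the share-style level that a set of actions amounts to."""
    if ALL <= rights:
        return "Full Control"
    if {READ, WRITE, DELETE} <= rights:
        return "Change"
    if READ in rights:
        return "Read"
    return "No Access"


# Constructed sample: a 'Recipes' share on an NTFS volume.
RECIPES_SHARE = [
    Ace("Blenders", "Change"),
    Ace("Staff", "Read"),
    Ace("contractor", "Full Control", allow=False),   # Deny removes all share access
]
RECIPES_NTFS = [
    Ace("Staff", "Read & Execute"),
    Ace("Blenders", "Modify"),
    Ace("Administrators", "Full Control"),
]

if __name__ == "__main__":
    cases = [("bob", {"Blenders", "Staff"}), ("alice", {"Staff"}),
             ("contractor", {"Blenders", "Staff"}), ("admin", {"Administrators"})]
    for user, groups in cases:
        local = describe(effective_access(user, groups, RECIPES_SHARE, RECIPES_NTFS, False))
        remote = describe(effective_access(user, groups, RECIPES_SHARE, RECIPES_NTFS, True))
        print(f"{user:<11} local={local:<13} network={remote}")
```

Note that the admin account, which has Full Control through NTFS but no share entry at all, gets no access over the network, and the contractor's share Deny has no effect when the folder is opened locally.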

PLANNING SHARED FOLDERS

When you plan shared folders, you can reduce administrative overhead and ease user access by putting resources into folders according to common access requirements. Determine which resources you want shared, organize resources according to function and use, and decide how you will administer the resources. Shared folders can contain applications and data. By consolidating data and applications into shared folders according to function, you gain the following benefits:

■ Ease of use  By centralizing files in just a few shared folders, you make them easier for users to find.

■ Simpler configuration  When files are consolidated into common folders, it is easier to apply permissions.

■ Centralized administration  If data folders are centralized, you can back them up more easily and you can upgrade application software more easily.

Requirements for Sharing Folders

In Windows XP Professional, members of the built-in Administrators and Power Users groups can share folders. By default, in a Windows Server domain, members of the Domain Admins and Server Operators groups can share folders on any machine in the domain.

NOTE  If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.


Shared Application Folders

Shared application folders are used for applications that are installed on a network server and that can be used from client computers. The main advantage of sharing applications is that you don’t need to install and maintain most components of the applications on each computer. Although program files for applications can be stored on a server, configuration information for most network applications is often stored on each client computer. The exact way in which you share application folders will vary depending on the application and your particular network environment and company organization. When you share application folders, consider the following points:

■ Create one shared folder for applications, and organize all of your applications under this folder. This designates one location for installing and upgrading software.

■ Assign the Administrators group Full Control permission for the applications folder so members of this group can manage the application software and control user permissions.

■ Assign Change permission to groups that are responsible for upgrading and troubleshooting applications.

NOTE  If you are in an environment where viruses are a possibility, you might want to assign administrators and others who maintain the applications the Read permission. This will prevent a virus from attacking your application files. Permission can be raised temporarily during maintenance (usually by taking ownership) and lowered again afterward. For more information on taking ownership of files, see Chapter 7.

■ Remove any permissions for the Everyone group, and assign Read permission to the Users group.

■ Create a separate shared folder outside your application folder hierarchy for any application for which you need to assign different permissions. Then assign the appropriate permissions to that folder.

NOTE  If you support an application that must write to a data file on the application share, it might be necessary to grant Change permission to allow this operation to take place. If this is the case, consider separating this application from those that will operate effectively with the Read permission.


Shared Data Folders

Users on a network use data folders to exchange public and working data. Working data folders are used by members of a team who need access to shared files. Public data folders are used by larger groups of users who all need access to common data.

NOTE  Create and share common data folders on a separate volume from the operating system and applications. Data files should be backed up frequently, and keeping data folders on a separate volume makes this convenient. With this system administration scheme, if the operating system requires reinstallation, the volume containing the data folder remains intact.

Public data  When you share a common public data folder, do the following:

■ Use centralized data folders so data can be backed up easily.

■ Assign Change permission to the Users group for the common data folder (Figure 8-2). This provides users with a central, publicly accessible location for storing data files that they want to share with other users. Users can access the folder and can read, create, or change files in it.

Figure 8-2 Public data and working data shared folders. Public data: the Public folder is shared with Users: C (Change). Working data: the Data folder is shared with Administrators: FC (Full Control), and its Accountants subfolder is shared with Accountants: FC. Back up centralized data folders consistently; share lower-level folders.

Working data  When you share a working data folder, do the following:

■ Assign Full Control permission to the Administrators group for a central data folder so administrators can perform maintenance.

■ Share lower-level data folders below the central folder by assigning Change permission to the appropriate groups when you need to restrict access to those folders.

Figure 8-2 above shows an example of these practices. To protect data in the Accountants folder, which is a subfolder of the Data folder, share the Accountants folder and assign the Change permission to the Accountants group so that only members of that group can access the Accountants folder.

CAUTION  Users accessing the folder tree via the upper-level shared folder receive different permissions to the lower-level shared folder because they access it through the upper-level share point. In the example above, administrators have Full Control access to the Accountants folder because they access it through the Data share point. Keep this in mind whenever you need to restrict access to a lower-level folder. It might be necessary to separate the folders into two different trees.

Administrative Shared Folders

Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from users who view shared resources in My Network Places. The root of each lettered volume, the system root folder, the connection point for interprocess communication (IPC), and the location of the printer drivers are hidden shared folders that you can directly access across the network (if you have sufficient permission). The following list describes the purpose of the administrative shared folders that Windows XP Professional provides automatically:

■ C$, D$, E$, etc.  The root of each volume on a hard disk is automatically shared, and the share name is the drive letter with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows XP Professional assigns Full Control permission for this share to the Administrators group. Access to other file system objects through this share depends on the NTFS permissions assigned on those objects.

NOTE  Removable media are not automatically given an administrative share. To share the contents of a CD-ROM drive, you must create a manual share.

■ Admin$  The system root folder, which is C:\Windows by default, is shared as Admin$. Administrators can access this shared folder to administer Windows XP Professional without knowing which folder on the hard disk Windows XP Professional is installed in. Only members of the Administrators group have access to this share. Windows XP Professional assigns Full Control permission for this share to the Administrators group.

■ IPC$  This hidden share is used to manage connections for IPC, which lets processes running on two different systems create communication channels with each other to pass data and control messages.

■ Print$  When you install the first shared printer, the %systemroot%\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators and Power Users groups have Full Control permission for this share. The Everyone group has Read permission for this share.

NOTE  Hidden shared folders aren’t limited to those that the system creates automatically. You can share additional folders and add a dollar sign to the end of the share name. Only users who know the folder name and have the proper permissions can access it.

SHARING A FOLDER

When you share a folder, you can give it a share name, provide comments to describe the folder and its content, control the number of users who have access to the folder, assign permissions, and share the same folder multiple times. There are three ways to share folders in Windows XP: the Computer Management console, Windows Explorer, and the NET SHARE command.

IMPORTANT  If you have enabled Windows Firewall on your system, the act of sharing a folder opens the Windows network basic input/output system (NetBIOS) file-sharing ports on your machine to the local network. If you are using an Internet connection, this might expose your system to potential Internet attacks. Be sure that you are protected by an additional layer such as a firewall or router between your local network and the Internet before you share folders.

Sharing Folders in Computer Management

You can work with shared folders using the Shared Folders console in Computer Management or by adding the Shared Folders snap-in to a blank Microsoft Management Console session. Either method allows the creation, management, and removal of shared folders. We will discuss management in a later section; this section discusses the creation of a shared folder.




To share a folder in Computer Management:

1. Log on with a user account that is a member of a group that can share folders.

2. Open the Computer Management console by right-clicking My Computer and selecting Manage.

3. Locate the Shared Folders item in the Computer Management console (Figure 8-3). Expand it by clicking the small plus sign next to it.

Figure 8-3 Computer Management administering shared folders

4. View any existing shares (by clicking the Shares item) to ensure that the share you are creating is unique.

5. Begin the process of adding a new share by right-clicking the Shares item and selecting New File Share.

6. Complete the first page of the Create Shared Folder Wizard by selecting a folder to share and providing a share name and description (Figure 8-4).

Figure 8-4 The Shared Folder Wizard configuring a shared folder

7. Complete the Create Shared Folder Wizard by assigning permissions to the new share and clicking Finish (Figure 8-5).

Figure 8-5 Setting permissions in the Shared Folder Wizard

8. You will be presented with a success dialog box (Figure 8-6). If you do not want to share any more folders, click No to close it.

Figure 8-6 Completing the Shared Folder Wizard

NOTE  The same method of creating a shared folder also applies if you are using a Shared Folder snap-in you have added to a blank Microsoft Management Console (MMC) session. We will discuss customizing the MMC with snap-ins in Chapter 9.

To stop sharing a folder in Computer Management:

1. Right-click the folder, and select Stop Sharing (Figure 8-7).

Figure 8-7 Removing a shared folder

2. Confirm the selection. The folder will no longer be shared.


CAUTION  Be sure no users have files open on the shared folder before you remove it. Stopping a share with open files might lead to data corruption. See “Disconnecting users from open files” later in this chapter for more information.

Sharing Folders in Windows Explorer Using Windows Explorer is perhaps the simplest way to share folders. Sharing is managed in the Properties dialog box for the folder, right alongside the Security settings for NTFS. 

To share a folder in Windows Explorer:

1. Log on with a user account that is a member of a group that is able to share folders.

2. Right-click the folder that you want to share, and then choose Sharing And Security to open the folder’s Properties dialog box.

3. On the Sharing tab, click Share This Folder and configure the options shown in Figure 8-8. These are the options:

Figure 8-8 The Sharing tab of a folder’s Properties dialog box

   ❑ Share Name  The name that users from remote locations use to connect to the shared folder. You must enter a share name. By default, this is the same name as the folder. You can type a different name up to 80 characters long.

   NOTE  Be sure to use share names that all client operating systems can read. Microsoft operating systems prior to Windows 2000 might shorten the shared folder name to 12 or fewer characters.

   ❑ Comment  An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify the contents of the shared folder.

   ❑ User Limit  The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows XP Professional supports up to 10 connections.

   ❑ Permissions  The shared folder permissions that apply only when the folder is accessed over the network. On an NTFS volume, these permissions interact with the NTFS permissions for the data being accessed to determine the final level of access. By default, the Everyone group is assigned Read permission for all new shared folders.

   NOTE  For security purposes, it is best to remove the Everyone group and replace it with the Users group or Authenticated Users group.

   ❑ Caching  The settings to configure offline access to this shared folder. See “Using Offline Folders and Files” later in this chapter for more information.

To stop sharing a folder in Windows Explorer:

1. On the Sharing tab of the folder’s Properties dialog box (Figure 8-9), select the Do Not Share This Folder option.

2. Click Apply.

Figure 8-9 Stopping the sharing of a folder in Windows Explorer

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Using the NET Command to Share Folders

In addition to the graphical methods of sharing folders, you can share folders from the command line by using the NET command. This method is useful if you need to create or remove many shared folders at once or you need to script the creation of shares into a batch file to automate system installation and configuration tasks. When used without options, NET SHARE lists information about all resources being shared on the computer. The syntax of the NET command allows you to perform the shared folder management tasks you would perform with either the Computer Management console or Windows Explorer, with one exception: the Windows XP version of NET SHARE has no switch for setting share permissions, so a share created from the command line receives the default permissions (Everyone: Read) until you change them with one of the graphical tools. The syntax for NET SHARE includes the NET SHARE command pair followed by options from the following list. (Note the three syntax forms used to create a share, change a share, and delete a share.)

To create a shared folder:

NET SHARE sharename=drive:path [/USERS:number | /UNLIMITED] [/REMARK:"text"] [/CACHE:Manual | Documents | Programs | None]

To change a shared folder:

NET SHARE sharename [/USERS:number | /UNLIMITED] [/REMARK:"text"] [/CACHE:Manual | Documents | Programs | None]

To remove a shared folder or printer:

NET SHARE {sharename | devicename | drive:path} /DELETE

CHAPTER 8: CONFIGURING AND MANAGING SHARED FOLDER SECURITY

Here are the switches for the NET SHARE command:

■ sharename The network name of the shared resource. You can also type NET SHARE with a share name to display information about only that share.

■ drive:path Specifies the absolute path of the directory to be shared. An example is C:\Deploy.

■ /USERS:number Sets the maximum number of users who can simultaneously access the shared resource. On Windows XP Professional, the effective limit never exceeds 10 users because of the connection restrictions on Microsoft client operating systems.

■ /UNLIMITED Specifies that an unlimited number of users can simultaneously access the shared resource. On Windows XP Professional this still means 10 users, for the same reason.

■ /REMARK:"text" Adds a descriptive comment about the resource. Enclose the text in quotation marks.

■ devicename Specifies the device that is being shared (usually a printer port).

■ /DELETE Stops sharing the resource.

■ /CACHE Controls how caching for offline files is managed for this folder. The following options are available for this argument:

❑ /CACHE:Manual Enables manual client caching of programs and documents from this share.

❑ /CACHE:Documents Enables automatic caching of documents from this share.

❑ /CACHE:Programs Enables automatic caching of documents and programs from this share.

❑ /CACHE:None Disables caching from this share.

NOTE The /CACHE settings refer to offline files and folders. We will discuss these settings in more detail in the “Using Offline Folders and Files” section later in this chapter.



To share a folder using the NET SHARE command:

1. Log on with a user account that is a member of a group that can share folders (on Windows XP Professional, Administrators or Power Users).
2. Open a command prompt session by clicking Start | Run, typing cmd.exe in the Run dialog box, and clicking OK (Figure 8-10). The Windows XP command-line console opens (Figure 8-11).

Figure 8-10 Opening the command-prompt session

3. Execute the NET.EXE command with the SHARE argument (Figure 8-11). To share the C:\Deploy folder with default settings:

NET SHARE Deploy=C:\Deploy

Figure 8-11 Sharing a folder at the command line


To stop sharing a folder using the NET command:

Issue the NET SHARE command with the /DELETE switch: NET SHARE Deploy /DELETE
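The batch-file scenario described above, worked through as an added example (this script is not part of the book). It wraps NET SHARE in Windows PowerShell (a separate download on Windows XP) so that a list of shares can be created and removed in one pass, with the checks the bare command does not make: the folder must exist, the name must not already be shared, and a /USERS value above 10 is flagged because Windows XP Professional never allows more. The share names, paths and remarks are invented for the example. Note that nothing here sets share permissions, because the XP version of NET SHARE cannot; every new share starts with the default permissions until you change them in Computer Management or Windows Explorer.

```powershell
# Added example (not from the book): create and remove a batch of shared folders
# with NET SHARE from Windows PowerShell. Run as a member of Administrators or
# Power Users. The share list is constructed for illustration; the names, paths
# and remarks are assumptions.
$shares = @(
    @{ Name = 'Deploy';  Path = 'C:\Deploy';  Users = 10; Cache = 'None';   Remark = 'Deployment images' },
    @{ Name = 'Reports'; Path = 'C:\Reports'; Users = 5;  Cache = 'Manual'; Remark = 'Monthly reports' }
)

function Get-Share([string]$Name) {
    # Win32_Share lists every share on the computer, including the hidden
    # administrative shares (C$, ADMIN$, IPC$), so a name clash is caught here.
    Get-WmiObject -Class Win32_Share -Filter "Name='$Name'"
}

function New-NetShare([hashtable]$Share) {
    if (-not (Test-Path -LiteralPath $Share.Path -PathType Container)) {
        Write-Warning "$($Share.Name): folder $($Share.Path) does not exist; skipping"
        return $false
    }
    if (Get-Share $Share.Name) {
        Write-Warning "$($Share.Name): share name already in use; skipping"
        return $false
    }
    if ($Share.Users -gt 10) {
        # Windows XP Professional caps every share at 10 concurrent connections.
        Write-Warning "$($Share.Name): /USERS:$($Share.Users) exceeds the XP limit of 10"
    }
    # NET SHARE on Windows XP has no switch for share permissions, so the new
    # share gets the default (Everyone: Read) until you change it in Computer
    # Management or Windows Explorer. The whole command line is handed to cmd.exe
    # so that the quoted /REMARK text reaches NET.EXE intact.
    $cmd = 'net share {0}={1} /USERS:{2} /CACHE:{3} /REMARK:"{4}"' -f `
        $Share.Name, $Share.Path, $Share.Users, $Share.Cache, $Share.Remark
    cmd.exe /c $cmd | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Remove-NetShare([string]$Name) {
    if (-not (Get-Share $Name)) { return $false }
    cmd.exe /c "net share $Name /DELETE" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Create every share in the list, then show what the server actually exposes
# (Type 0 = disk share; the administrative shares have the high bit set).
foreach ($s in $shares) {
    if (New-NetShare $s) { Write-Host "Shared $($s.Name) -> $($s.Path)" }
}
Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } |
    Format-Table Name, Path, Description, MaximumAllowed, AllowMaximum -AutoSize

# Tear-down for the same list:
# foreach ($s in $shares) { Remove-NetShare $s.Name | Out-Null }
```

The Win32_Share query at the end is the same data the Shares folder of the Shared Folders snap-in displays, which makes it a convenient way to confirm from a script that the shares you created are the only ones present.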

Sharing a Folder on a Remote Computer

You can direct Computer Management to configure a remote computer by right-clicking Computer Management (Local) and selecting Connect To Another Computer (Figure 8-12). Once connected, you can configure shared folders on the remote computer as if the computer were local.

Figure 8-12 Connecting to a remote computer

NOTE To manage shared folders on a remote system, you must have an account with rights to manage shares on that system, that is, an account that is a member of the remote computer’s Administrators or Power Users group.

MANAGING SHARED FOLDERS

Although you can also create shared folders with the Computer Management console and the NET SHARE command, we will concentrate for the rest of this chapter on configuring shared folders in Windows Explorer. (Share permissions, in particular, can be set only with the graphical tools; the Windows XP version of NET SHARE creates shares with the default permissions and offers no switch for changing them.) The tasks you might carry out when managing shared folders include assigning folder permissions, creating additional, differently named, shares on the same folder, and changing the name of the shared folder.

Assigning Shared Folder Permissions

When you assign the permissions for a shared folder, make sure you have considered the permissions required for each group of users. If you have not already done so, read the “Planning Shared Folders” section earlier in this chapter.

To assign shared folder permissions in Windows Explorer:

1. On the Sharing tab of the Properties dialog box for the shared folder, click Permissions.
2. In the Permissions dialog box, ensure that the Everyone group is selected and then click Remove. This clears the permissions that apply to all users to make way for more specific permissions.
3. In the Permissions dialog box, click Add.
4. In the Select Users Or Groups dialog box (Figure 8-13), browse for or type the name of the users or groups to which you want to assign permissions.

NOTE If you want to enter more than one user account or group at a time, separate the names with a semicolon. If you want to ensure that the names are correct, click Check Names.

Figure 8-13 The Select Users Or Groups dialog box

5. Click OK.
6. In the Permissions dialog box for the shared folder, click the user account or group and then, under Permissions, select the Allow check box or the Deny check box as needed for the user account or group (Figure 8-14).
7. Click Apply or OK to complete the permissions assignment.

IMPORTANT Be sure to remove the default Everyone entry. Share permissions accumulate across all the groups a user belongs to, so an Everyone entry grants its access to every user in addition to whatever you assign more specifically. The one exception is a Deny entry, which always takes precedence over any Allow.


Figure 8-14 Assigning permissions to users

Creating Multiple Share Names

You might want to give different groups of users different share permissions, or different connection limits, on the same folder. You can create multiple share names for the same folder and assign each a different set of permissions. To share a folder with multiple share names, click New Share on the Sharing tab of the folder’s Properties dialog box. In the New Share dialog box (Figure 8-15) you can assign a new share name, limit the number of connections to the share, and click Permissions to set the permissions for that share name.

Figure 8-15 The New Share dialog box

Modifying Shared Folders To change the name of a shared folder, you must stop sharing it and then share it again with the original permissions. Before you do this, be sure to document the permissions.

CAUTION If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do Not Share This Folder and a user has a connection to the shared folder, Windows XP Professional displays a dialog box notifying you of that fact. You should notify users and ask them to close any open files. You can then use Shared Folders in Computer Management to verify that the files have been closed before you proceed. For more on monitoring shared folders, see the section titled “Monitoring Access to Shared Folders” later in this chapter.

CONNECTING TO SHARED FOLDERS

Once you have configured your shared folders, you can configure client computers to connect to them. You can access a shared folder from a client computer by using My Network Places, mapping a drive in My Computer, typing a path in the Run dialog box, or mapping a drive with the NET USE command. Browsing My Network Places might be a simple way of locating files, but it takes time. If you map a drive letter to a folder, it cuts the time it takes to access files in the future. To map a drive, you must know the Universal Naming Convention (UNC) path to the folder. This is an address formatted as \\Server\share. An example using the folder from previous demonstrations would be \\BEHEMOTH\Deploy (where BEHEMOTH is the server’s name).

To connect to a shared folder using My Network Places:

1. Open Windows Explorer by choosing Start | All Programs | Accessories | Windows Explorer.
2. Find My Network Places in the tree view on the left side of the screen.
3. Expand My Network Places, and browse for the computer that is sharing folders on your network. If you are on a large network, you might have to expand Entire Network and browse for the appropriate workgroup or domain.
4. When you locate the share to which you want to connect, expand it by clicking its plus sign. You can navigate the share and its files to select the resources you want to use (Figure 8-16).

Figure 8-16 Navigating My Network Places


To map a drive using My Computer:

1. Click Start | My Computer.
2. On the Tools menu, choose Map Network Drive. Windows XP Professional displays the Map Network Drive dialog box (Figure 8-17), which allows you to assign a drive letter to the connection. By default, the drive letter displayed is Z or the last letter of the alphabet that is currently unassigned.

Figure 8-17 The Map Network Drive dialog box

3. In the Folder text box, type \\server\sharename or click Browse to browse for a share. By default, Reconnect At Logon is selected.
4. Clear the Reconnect At Logon check box unless you want Windows XP Professional to create a connection to this share each time you log on to your computer.

NOTE If you are connecting to a folder to which your logged-on user does not have the appropriate permission, you can choose the Connect Using A Different User Name option to select another username and password to use for the connection.

5. Click Finish to establish the connection. The newly mapped drive opens in a new My Computer window.

NOTE You will find Map Network Drive in other places as well. It is available as a right-click menu option in My Computer on the Start menu and Windows Explorer, and you can find it by right-clicking My Network Places.


To map a drive using the NET USE command:

1. Open a command prompt session by clicking Start | Run, entering cmd.exe in the Run dialog box, and clicking OK. The Windows XP command-line console opens (Figure 8-18).

Figure 8-18 Mapping a drive with Net Use

2. Execute the NET.EXE command with the USE argument. To map a drive to the \\BEHEMOTH\Deploy folder:

NET USE Y: \\BEHEMOTH\deploy



To connect to a shared folder using the Run dialog box:

1. Click Start | Run, and then type \\computer_name in the Open text box. Windows XP Professional displays shared folders for the computer.
2. Double-click the shared folder to which you want to connect.

NOTE You can also type the full UNC path to the folder you want to use.

COMBINING SHARED FOLDER PERMISSIONS AND NTFS PERMISSIONS

You share folders to provide network users with access to resources. If you are using a FAT volume, which has no security of its own, the shared folder permissions are the only mechanism available to provide security for the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in each shared folder. When you combine shared folder permissions and NTFS permissions, the more restrictive of the two is always the effective permission. (Each side is first worked out on its own: Allow entries for all of the groups a user belongs to accumulate, and any Deny entry overrides an Allow.) One strategy for providing access to resources on an NTFS volume is to share folders by giving the Authenticated Users group Full Control and then controlling access by assigning NTFS permissions.


NOTE Always avoid sharing a folder to the Everyone group. Authenticated Users is an acceptable alternative and ensures that users are known and authenticated.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network, whereas shared folder permissions apply only over the network. When you use shared folder permissions on an NTFS volume, the following rules apply:

■ You can apply NTFS permissions to files and subfolders in the shared folder. You can even apply different NTFS permissions to each file and each subfolder in a shared folder.

■ In addition to shared folder permissions, users must have NTFS permissions to the files and subfolders in shared folders to access those files and subfolders. This is in contrast to FAT volumes, in which permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.

■ When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In Figure 8-19, the Users group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for FileA. Because the effective combined permission is the more restrictive of the two, the Users group’s effective permission for FileA is the more restrictive Read permission. The effective permission for FileB is Full Control because both the shared folder permission and the NTFS permission allow this level of access.

Figure 8-19 Combining shared folder permissions and NTFS permissions (NTFS volume: the Public folder is shared with the Users group assigned Full Control; File A carries the NTFS Read permission and File B the NTFS Full Control permission for Users; apply NTFS permissions to files and subfolders; the most restrictive permission is the effective permission)
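The combination rule of Figure 8-19, worked through as an added example (this code is not part of the book). It models a share ACL and an NTFS ACL as lists of Allow and Deny entries, resolves each one cumulatively across the user’s group memberships, and then intersects the two results, which is exactly how the “more restrictive permission wins” rule comes about. The users, groups and ACLs are constructed for the example; the permission levels are a simplified model (real NTFS permissions are finer-grained), and the example goes beyond the figure by also showing what a Deny entry and a leftover Everyone: Read share entry do.

```powershell
# Added example (not from the book): compute the access a user actually gets to
# a file through a share by combining share permissions with NTFS permissions.
# Each permission level is expanded to a set of rights so that intersection and
# Deny entries can be applied exactly. Users, groups and ACLs below are
# constructed for illustration and are not read from a real system.

# Rights granted by each permission level (simplified; real NTFS permissions
# are finer-grained than this).
$RightsByLevel = @{
    'Read'         = @('Read')
    'Change'       = @('Read', 'Write', 'Delete')
    'Modify'       = @('Read', 'Write', 'Delete')
    'Full Control' = @('Read', 'Write', 'Delete', 'ChangePermissions')
}

# Group memberships (constructed). Every account is in Everyone; accounts that
# log on with a password are also in Authenticated Users.
$Members = @{
    'alice' = @('Everyone', 'Authenticated Users', 'Users')
    'bob'   = @('Everyone', 'Authenticated Users', 'Users', 'Contractors')
    'guest' = @('Everyone')
}

function New-Ace([string]$Trustee, [string]$Level, [string]$Type = 'Allow') {
    New-Object PSObject -Property @{ Trustee = $Trustee; Level = $Level; Type = $Type }
}

# Resolve one ACL (share or NTFS) for a user: Allow entries accumulate across
# the user's own account and every group it belongs to; a Deny entry removes
# the rights it names no matter which entry granted them.
function Resolve-Acl([object[]]$Acl, [string]$User) {
    $principals = @($User) + @($Members[$User])
    $allow = @(); $deny = @()
    foreach ($ace in $Acl) {
        if ($principals -notcontains $ace.Trustee) { continue }
        if ($ace.Type -eq 'Deny') { $deny += $RightsByLevel[$ace.Level] }
        else                      { $allow += $RightsByLevel[$ace.Level] }
    }
    return @($allow | Where-Object { $deny -notcontains $_ } | Sort-Object -Unique)
}

# Over the network the effective rights are the intersection of the two
# results; a local logon is governed by the NTFS ACL alone.
function Get-EffectiveAccess([object[]]$ShareAcl, [object[]]$NtfsAcl, [string]$User) {
    $share = Resolve-Acl $ShareAcl $User
    $ntfs  = Resolve-Acl $NtfsAcl  $User
    return @($ntfs | Where-Object { $share -contains $_ })
}

# The Public share from Figure 8-19 (Users: Full Control), with the default
# Everyone: Read entry left in place to show what it does and does not add.
$PublicShare = @((New-Ace 'Users' 'Full Control'), (New-Ace 'Everyone' 'Read'))
$FileA = @((New-Ace 'Users' 'Read'))
$FileB = @((New-Ace 'Users' 'Full Control'), (New-Ace 'Contractors' 'Modify' 'Deny'))

foreach ($u in 'alice', 'bob', 'guest') {
    $a = (Get-EffectiveAccess $PublicShare $FileA $u) -join ','
    $b = (Get-EffectiveAccess $PublicShare $FileB $u) -join ','
    "{0,-6} FileA: {1,-8} FileB: {2}" -f $u, $a, $b
}
```

Running it shows alice with Read on File A and every right on File B, exactly as the figure says; bob, who is also a Contractor, keeps only ChangePermissions on File B because the Deny Modify entry strips Read, Write and Delete even though the share grants him Full Control; and guest, who reaches the share through the Everyone: Read entry, gets nothing at all because no NTFS entry names a group he belongs to. The last case is why the book’s advice to rely on NTFS permissions holds even when a share is accidentally left open.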


MONITORING ACCESS TO SHARED FOLDERS

The Computer Management console in Windows XP Professional includes the Shared Folders snap-in, which allows you to easily monitor access to network resources and send administrative messages to users. You monitor access to shared folders to determine how many users currently have a connection to each folder. You can also monitor open files to determine which users are accessing the files, and you can disconnect users from one open file or from all open files.

Reasons for Monitoring Network Resources

It is important to understand why you should monitor the network resources in your computer environment. Some of the reasons it is important to assess and manage network resources include:

■ Maintenance You should determine which users are currently using a resource so you can notify them before making the resource temporarily or permanently unavailable.

■ Security You should monitor user access to resources that are confidential or need to be secure to verify that only authorized users are accessing them.

■ Planning You should determine which resources are being used and how much they are being used so you can plan for future system growth.

When you use the Shared Folders snap-in in the Computer Management console, you can monitor the resources on the local computer or on a remote computer.

Requirements for Monitoring Network Resources

Not all users can monitor access to network resources. The following list describes the group membership requirements for monitoring access to network resources using the Shared Folders snap-in:

■ By default, in a Windows Server domain, the Domain Admins group can manage shared folders on any computer in the domain, and the Server Operators group (which exists only on domain controllers) can manage shared folders on the domain controllers. The Power Users group is a local group that can share only folders residing on the standalone server or on the computer running Windows XP Professional on which the group exists.

■ In a Windows workgroup, the Administrators and Power Users groups can share folders on the Windows Server standalone server or the computer running Windows XP Professional on which the group exists.


Monitoring Shared Folders

You use the Shares folder in the Shared Folders snap-in to view a list of all shared folders on the computer and to determine how many users have a connection to each folder. In Figure 8-20, the Shares folder has been selected in the Computer Management console tree, and all the shared folders on that computer are shown in the details pane.

Figure 8-20 Shares folder of the Shared Folders snap-in

The following list explains the information provided in the details pane shown in Figure 8-20.

■ Shared Folder The shared folders on the computer. This is the name that was given to the folder when it was shared.

■ Shared Path The path to the shared folder.

■ Type The type of network connection: Windows, Novell NetWare, or Apple Macintosh.

NOTE Windows XP Professional does not include the server components for NetWare or Macintosh clients (File and Print Services for NetWare and Services for Macintosh), so the Type field always shows Windows for the local system; any client that speaks the Windows file-sharing protocol, whatever its operating system, appears as Windows. If you were viewing a Windows Server 2003 system remotely with Computer Management, you might see the other types if the appropriate service to support them has been installed.

■ # Client Connections The number of clients who have made a remote connection to the shared folder.

■ Comment Descriptive text about the folder. This comment was provided when the folder was shared.


NOTE Windows XP Professional does not update the list of shared folders, open files, and user sessions automatically. To update these lists, on the Action menu, click Refresh.

Determining how many users can access a shared folder concurrently

You can use the Shared Folders snap-in to determine the maximum number of users who are permitted to access a folder. In the Shared Folders details pane, click the shared folder for which you want to determine the maximum number of concurrent users. On the Action menu, click Properties. In the Properties dialog box for the shared folder, the General tab shows the user limit. In Windows XP Professional, the maximum is 10, but you can set this to a lower value. You can also use the Shared Folders snap-in to determine if the maximum number of users permitted to access a folder has been reached.

NOTE Connection limits might be one reason a user can’t connect to a share. To check this, determine the number of connections to the share and the maximum connections allowed. If the maximum number of connections has already been made, the user cannot connect to the shared resource.
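The connection-limit check described above, scripted as an added example (this code is not part of the book). It reads the same data the Shares folder of the Shared Folders snap-in displays, but from Windows PowerShell (a separate download on Windows XP) through WMI: Win32_Share carries each share’s user limit, and Win32_ServerConnection has one row per client connection to a share. The function works against the local computer or, given a computer name, a remote one, with the same account requirements as the snap-in. Treating “Maximum Allowed” as 10 is the example’s own assumption, taken from the Windows XP Professional limit stated above; on a server the true value would be higher.

```powershell
# Added example (not from the book): report the connections on every shared
# folder against its user limit, locally or on a remote computer, from the same
# WMI classes that back the Shared Folders snap-in. Requires an account that
# can manage shares on the target computer.
function Get-ShareUsage([string]$ComputerName = '.') {
    # Type 0 = disk share; the administrative shares (C$, ADMIN$, IPC$) have
    # the high bit set and are left out of the report.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        Where-Object { $_.Type -eq 0 }
    # One Win32_ServerConnection instance per client connection to a share.
    $conns = Get-WmiObject -Class Win32_ServerConnection -ComputerName $ComputerName

    foreach ($s in $shares) {
        $mine = @($conns | Where-Object { $_.ShareName -eq $s.Name })
        # AllowMaximum is the "Maximum Allowed" setting of the dialog box, which on
        # Windows XP Professional still means 10 (assumption of this example).
        $limit = if ($s.AllowMaximum) { 10 } else { [int]$s.MaximumAllowed }
        New-Object PSObject -Property @{
            Share       = $s.Name
            Path        = $s.Path
            Limit       = $limit
            Connections = $mine.Count
            AtLimit     = ($mine.Count -ge $limit)
            Clients     = ($mine | ForEach-Object { "$($_.UserName)@$($_.ComputerName)" }) -join ' '
        }
    }
}

# Local report; pass a computer name to inspect a remote system instead.
Get-ShareUsage | Format-Table Share, Connections, Limit, AtLimit, Clients -AutoSize

# Shares that have reached their limit: the likely answer when "a user can't connect".
Get-ShareUsage | Where-Object { $_.AtLimit }
```

Like the snap-in, this is a snapshot: run it again to refresh. The Clients column names the user and computer behind each connection, which is the information you need before closing a file or stopping a share, as the CAUTION earlier in the chapter advises.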

Monitoring open files

Use the Open Files folder in the Shared Folders snap-in to view a list of open files that are located in shared folders and the users who have a current connection to each file (Figure 8-21). You can use this information when you need to contact users to notify them that you are shutting down the system. You can also determine which users have a current connection and should be contacted when another user is trying to access a file that is in use.

Figure 8-21 Open Files folder of the Shared Folders snap-in


The following list describes the information available in the Open Files folder:

■ Open File The names of the open files on the computer.

■ Accessed By The username of the user who has the file open.

■ Type The operating system running on the computer where the user is logged on.

■ # Locks The number of locks on the file. Programs can request that the operating system lock a file to gain exclusive access and prevent other programs from making changes to the file.

■ Open Mode The type of access that the user’s application requested when it opened the file, such as Read or Write.

Disconnecting users from open files

You can disconnect users from one open file or from all open files. You might want to do this, for example, when you make changes to the NTFS file system permissions for a file that is currently opened by a user. The new permissions will not affect the user until she closes and then attempts to reopen the file. You can force these changes to take place immediately by doing one of the following:

■ Disconnect all users from all open files In the Shared Folders snap-in console tree, click Open Files. On the Action menu, click Disconnect All Open Files.

■ Disconnect all users from one open file In the Shared Folders snap-in console tree, click Open Files. In the details pane, select the open file. On the Action menu, click Close Open File.

CAUTION Disconnecting users from open files can result in data loss. It is always safer to notify the user to save and close the file normally rather than disconnecting the user.

USING OFFLINE FOLDERS AND FILES

When the network is unavailable or when you are on the road and your laptop is undocked, offline folders and files allow you to continue working on files that are stored on shared folders on the network. These network files are cached on your local disk so they are available even if the network is not. When the network becomes available or when you dock your laptop, your connection to the network is reestablished and the cached files and folders on your local disk are synchronized with those stored on the network.


Understanding Offline Files

To make shared folders available offline, copies of the files are stored in a reserved portion of disk space on your computer called a cache. Because the cache is on your hard disk, the computer can access it regardless of whether it is connected to the network. By default, the cache size is set to 10 percent of the available disk space. You can change the size of the cache on the Offline Files tab of the Folder Options dialog box. You can also see how much space the cache is using by opening the Offline Files folder and choosing Properties from the File menu. When you share a folder, you can allow others to make the shared folder available offline by clicking Caching in the folder’s Properties dialog box. In the Caching Settings dialog box (Figure 8-22), use the Allow Caching Of Files In This Shared Folder check box to turn caching on or off.

Figure 8-22 The Caching Settings dialog box

The Caching Settings dialog box contains three caching options:

■ Manual Caching Of Documents Users must manually specify all files they want available when working offline. This option, the default, is recommended for a shared network folder containing files that are to be accessed and modified by several people. To ensure proper file sharing, the network version of the file is always opened.

■ Automatic Caching Of Documents This option makes every file that a user opens from your shared folder available to that person offline. Files that aren’t opened are not available offline. Each time a file is opened, the older copy of the file is deleted. To ensure proper file sharing, the network version of the file is always opened.

■ Automatic Caching Of Programs And Documents This option provides offline access to shared folders containing files that are read, referenced, or run but that will not be changed in the process. This setting reduces network traffic because offline files are opened directly without accessing the network versions in any way, and generally they start and run faster than the network versions. This option is recommended for folders containing read-only data or applications that are run from the network.

Configuring Your Computer to Use Offline Folders and Files

Before you can use offline folders and files, you must enable offline file support on your system:

1. In My Computer, choose Folder Options from the Tools menu.
2. On the Offline Files tab of the Folder Options dialog box, select the Enable Offline Files check box and the Synchronize All Offline Files Before Logging Off check box (Figure 8-23).

Figure 8-23 The Offline Files tab of the Folder Options dialog box

IMPORTANT Offline files are disabled if you have Fast User Switching enabled on your system. You must use the User Accounts tool to disable Fast User Switching before you can enable offline files.

On the Offline Files tab, you can also click Delete Files to delete the locally cached copy of a network file. Click View Files to view the files stored in the Offline Files folder; these are the locally cached files that you have stored on your system. Click Advanced to configure how your computer responds when a network connection is lost. For example, when a network connection is lost, you can configure your computer to notify you and allow you to begin working offline.


Synchronizing files

File synchronization is straightforward if the copy of the file on the network does not change while you are editing a cached version of the file. Your edits are simply incorporated into the copy on the network. However, another user might edit the network version of the file while you are working offline. If both your cached offline copy of the file and the network copy of the file are edited, you must decide what to do. You have a choice of retaining your edited version and not updating the network copy with your edits, of overwriting your cached version with the version on the network, or of keeping a copy of both versions of the file. In the last case, you must rename your version of the file, and both copies will exist on your hard disk and on the network.

Configuring the Synchronization Manager

To configure the Synchronization Manager, in Windows Explorer choose Tools | Synchronize. Notice that you can manually synchronize your offline files with those on the network by clicking Synchronize. You can also configure the Synchronization Manager by clicking Setup. In configuring the Synchronization Manager, you have three sets of options. The first set of options is on the Logon/Logoff tab (Figure 8-24). You can configure synchronization to occur when you log on, when you log off, or both. You can also specify that you want to be prompted before synchronization occurs. You can specify the items to be synchronized at logon or logoff, or both, and you can specify the network connection.

Figure 8-24 The Logon/Logoff tab of the Synchronization Settings dialog box


The second set of options in configuring the Synchronization Manager is on the On Idle tab (Figure 8-25). These are similar to the options on the Logon/Logoff tab.

Figure 8-25 Configuring the settings on the On Idle tab in Synchronization Manager

The following items are configurable on the On Idle tab:

■ When I Am Using This Network Connection Allows you to specify the network connection and which items to synchronize

■ Synchronize The Following Checked Items Allows you to specify which items to synchronize

■ Synchronize The Selected Items While My Computer Is Idle Allows you to turn synchronization on or off during idle time

Click Advanced on the On Idle tab (Figure 8-26) to configure the following options:

■ Automatically Synchronize The Specified Items After My Computer Has Been Idle For X Minutes

■ While My Computer Remains Idle, Repeat Synchronization Every X Minutes

■ Prevent Synchronization When My Computer Is Running On Battery Power

Figure 8-26 Configuring advanced On Idle settings

The third set of options for scheduling synchronization is on the Scheduled tab (Figure 8-27), where you can add, edit, and remove scheduled synchronization tasks.

Figure 8-27 The Scheduled tab in Synchronization Manager

MANAGING INTERNET INFORMATION SERVICES

Windows XP includes Internet Information Services (IIS) to enable users to create Web servers for personal or small business intranet use. Enabling and using IIS to share files is slightly different than standard file sharing. File sharing allows clients to connect to and use files by using tools such as Windows Explorer and My Computer; IIS serves files to clients using Web browsers such as Microsoft Internet Explorer and Mozilla. IIS also includes a feature called Web Distributed Authoring and Versioning (WebDAV), which you might also see referred to as Web folders. Most Web serving of document files is read-only via HTML-based Web pages, but you can share Microsoft Office documents via IIS as well. In this section, we will discuss the installation and configuration of IIS for document serving.

Installing IIS

IIS is installed as a Windows component in Add/Remove Programs in Control Panel:

1. Click Start | Control Panel.
2. Click Add/Remove Programs to launch the Add/Remove Programs application.
3. Click Add/Remove Windows Components to launch the Windows Components Wizard.
4. Select Internet Information Services (IIS), and click the Details button.
5. Optional components of the IIS installation are displayed. Choose the default options, and clear any component you do not need (see the note that follows).
6. Complete the rest of the Windows Components Wizard to complete the installation of IIS.

IMPORTANT IIS is designed for Internet communications. Be aware that installing it on your system increases the system’s attack surface, the portion of the system exposed to Internet probes and attacks. Make sure you have enabled the protections of Windows Firewall and Automatic Updates before activating IIS. We will discuss Internet security topics in more depth in Chapter 11.

NOTE Also be careful not to install unnecessary services. IIS includes many components, such as FTP services and Internet e-mail (SMTP) services. To minimize your attack surface, do not install any of these services unless they are absolutely necessary.

Using IIS

After installing IIS, you can manage it via the IIS console (Figure 8-28). This console presents the major administrative functions in a single interface for ease of administration.

Figure 8-28 The IIS console

You can start the IIS console in the following ways:

■ Open IIS from Administrative Tools in Control Panel.

■ Type IIS.msc at a command prompt.

■ Select the Internet Information Services item in Computer Management.

You can use the IIS console to add virtual folders to the Web server, restart the IIS server services, manage Web server security settings, and manage server certificates for Secure Sockets Layer (SSL).

MORE INFO Extensive security and configuration of IIS is beyond the scope of this course, but you can find additional resources at the Microsoft Internet Information Services Web site at www.microsoft.com/iis. The IIS Web site is targeted toward IIS 6, but it contains many useful resources for the administration of IIS 5.1 (the version included with Windows XP).

Sharing Web Folders

You can make your documents available to Web browsers by configuring Web folders. When you view the Properties dialog box for a folder after IIS is installed, you will note the addition of a Web Sharing tab (Figure 8-29). If you select the Share This Folder option, you will see the Edit Alias dialog box (Figure 8-30). Use this dialog box to choose the permissions this folder will have for Web users.

Figure 8-29 The Web Sharing tab of a folder’s Properties dialog box

Figure 8-30 The Edit Alias dialog box

Access permissions

By configuring access permissions, you can enable users to read, write, and edit scripts contained in the published folder. The available options are:

■ Read Allows users to read documents in the folder.

■ Write Allows users to post and modify documents in the folder.

■ Script Source Access Allows users to access the source code of scripts in this folder. If Write is enabled, this setting also allows users to modify and upload scripts.

■ Directory Browsing Allows users to view the contents of the folder. When this option is disabled, the user must know the exact names of files to request them. This is fine for serving Web pages because the links to the files are embedded in the pages themselves. But when you serve documents, you might want to enable this option to let users browse available files.

CHAPTER 8:

CONFIGURING AND MANAGING SHARED FOLDER SECURITY

Application permissions Application permissions control the access that remote browsers have to execute code and scripts on the local system. These permissions are not required for simple document sharing, but they come into play when you are serving Active Server Pages (ASP) or other server-side scripts.
■ None Allows the browser to access only static files such as Web pages.
■ Scripts Allows only the execution of scripts, such as Active Server Pages (ASP).
■ Execute (Includes Scripts) All file types can be accessed or executed.

IMPORTANT When you enable Write permission on a Web Folder, you receive a warning about enabling Write with either Script or Execute permission enabled. Doing so can open your server to the upload and execution of malicious code. If you are document sharing over the Internet, be sure to allow only the None application permission on Web folders.

After configuring options in the Edit Alias dialog box, click Accept to enable Web sharing for the folder. Users can locate the folder at http://servername/foldername with their Web browsers. You can also construct a default Web page for your server to link to the Web folders you have published.

IMPORTANT As with all Internet-facing features, it is wise to be proactive about any patches and protections related to Web folders. Ensure that Windows Firewall is enabled and that Automatic Updates are properly configured so the latest patches will be downloaded and deployed as soon as they are available.

NTFS Permissions and Web Folders
You can also use NTFS permissions to control access to Web folders. You can set the permissions as you would normally, and then enable Windows authentication in the Internet Manager console.

To enable Windows authentication:

1. Right-click the default Web site in Internet Manager, and select Properties.
2. On the Directory Security tab of the Properties dialog box for the default Web site, click the Edit button under Anonymous Access And Authentication Control.
3. In the Authentication Methods dialog box (Figure 8-31), choose the appropriate options. Choosing integrated Windows authentication allows NTFS permissions to be used. Choosing basic authentication does as well, but basic authentication poses some security risks (discussed below). If you choose to disable anonymous access, unauthorized users cannot connect to the folder.

Figure 8-31 Setting directory security in Internet Manager

NOTE This dialog box includes options to enable basic authentication (to support non-Microsoft browsers), but passwords are sent as clear text and might compromise security by revealing the users’ passwords.
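The access, application and authentication settings described above can be reviewed from the command line instead of by opening each folder’s Properties dialog box. The following PowerShell script is an added example, not code from the book or from Microsoft: it walks the virtual directories that Web Sharing creates under the Default Web Site through the IIS ADSI provider and reports the combinations the chapter warns about, namely Write together with Scripts or Execute, Write together with Script Source Access, anonymous write access, and basic authentication on a folder that does not require SSL. It assumes IIS 5.1 with its ADSI provider installed on the local machine, PowerShell 2.0, and an administrative prompt; the property names it reads (AccessWrite, AccessScript, AccessExecute, AccessSource, EnableDirBrowsing, AuthBasic, AuthAnonymous, AccessSSL, Path) are the IIS metabase names behind the Edit Alias and Authentication Methods dialog boxes.

```powershell
# Added example (not from the book): audit Web-shared folders on the
# Default Web Site (metabase path W3SVC/1/Root) for risky settings.
# Assumes IIS 5.1 and its ADSI provider are installed locally.

function Get-WebFolderRisk {
    param([string]$SitePath = "IIS://localhost/W3SVC/1/Root")

    $root = [ADSI]$SitePath
    foreach ($vdir in $root.Children) {
        # Web Sharing aliases are IIsWebVirtualDir objects; skip plain directories.
        if ($vdir.SchemaClassName -ne "IIsWebVirtualDir") { continue }

        # Metabase flags behind the Edit Alias and Directory Security dialogs.
        # The ADSI provider returns inherited values, so a site-wide setting
        # shows up here even if the folder itself never overrode it.
        $p = $vdir.Properties
        $write   = [bool]$p["AccessWrite"].Value
        $script  = [bool]$p["AccessScript"].Value
        $execute = [bool]$p["AccessExecute"].Value
        $source  = [bool]$p["AccessSource"].Value
        $browse  = [bool]$p["EnableDirBrowsing"].Value
        $basic   = [bool]$p["AuthBasic"].Value
        $anon    = [bool]$p["AuthAnonymous"].Value
        $ssl     = [bool]$p["AccessSSL"].Value

        $findings = @()
        if ($write -and ($script -or $execute)) {
            $findings += "Write combined with Scripts/Execute: uploaded content could run on the server"
        }
        if ($write -and $source) {
            $findings += "Write combined with Script Source Access: script source can be modified"
        }
        if ($anon -and $write) {
            $findings += "Anonymous users can write to this folder"
        }
        if ($basic -and -not $ssl) {
            $findings += "Basic authentication without SSL: passwords cross the network in clear text"
        }
        if ($browse) {
            $findings += "Directory browsing is enabled (expected for document sharing; otherwise review)"
        }

        New-Object PSObject -Property @{
            Alias    = $vdir.Name
            Path     = $p["Path"].Value
            Findings = $findings
        }
    }
}

# Print only the aliases that have at least one finding.
Get-WebFolderRisk | Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Alias, Path, Findings
```

A folder published for document sharing over the Internet should come back with no findings other than, possibly, directory browsing; anything else in the list corresponds to a setting the Edit Alias or Authentication Methods dialog box lets you switch off.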

Using Web Folders
Users can navigate to a Web folder using their Web browser with the URL http://servername/foldername. This allows read-only access to the documents in the folder. Users can also, with Internet Explorer 5 or later, connect to the folder as a Web folder. They can then use the documents in the folder as if they were opening them in Windows Explorer. They can drag and drop additional files into the folder, delete files (given the appropriate permissions in NTFS, of course), and save documents using Office applications.

MORE INFO Other browsers are available for WebDAV folders. You can obtain additional information about WebDAV support at www.webdav.org/projects.

To open a Web folder:

1. On the File menu in Internet Explorer, click Open.
2. Enter the URL of the Web Folder, and select the Open As Web Folder option. Internet Explorer opens the folder with a My Computer–like interface.

SUMMARY
■ You can make a folder and its contents available to other users over the network by sharing the folder.
■ Using shared folder permissions is the only way to secure file resources on FAT volumes.
■ Shared folder permissions apply to folders, not individual files.
■ To access a shared folder, users must connect to it and have the appropriate permissions. Shared folder permissions restrict access to users who connect to the folder over the network, not to users who gain access to the folder at the computer where the folder is stored.
■ The three shared folder permissions are Read, Change, and Full Control.
■ The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.
■ Best practices for security include removing the Everyone group from Shared Folders and using another group, such as Users or Authenticated Users, instead to prevent unauthorized access to files and folders.
■ Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from users who browse the computer.
■ In Windows XP Professional, members of the built-in Administrators and Power Users groups can share folders.
■ You can access a shared folder on another computer by using My Computer, My Network Places, the Run command, or the NET USE command.
■ On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders.
■ When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.
■ Use the Shared Folders snap-in to monitor access to network resources on local or remote computers.
■ Offline files are network files that are cached on your local disk so they are available even if the network is not.
■ Before you can use offline files, you must choose Folder Options from the Tools menu of My Computer or Windows Explorer to configure your computer to use offline files.
■ You must use the User Accounts tool to disable Fast User Switching before you can enable offline files.
■ You use Synchronization Manager to configure synchronization of the offline files you are using and the copies on the server.
■ You can use Synchronization Manager to configure synchronization to occur when you log on, when you log off, or both, and you can specify that you want to be asked before synchronization occurs.
■ Web folders offer a way to enable Internet file sharing via WebDAV.

REVIEW QUESTIONS

1. If you are using NTFS permissions to specify which users and groups can access files and folders and what these permissions allow users to do with the contents of the file or folder, why would you need to share a folder or use shared folder permissions?
2. Which of the following are valid shared folder permissions? (Choose all correct answers.)
   a. Read
   b. Write
   c. Modify
   d. Full Control
3. _______________ (Denied/Allowed) permissions take precedence over ____________ (denied/allowed) permissions on a shared folder.
4. When you copy a shared folder, the original folder is _______________ (no longer shared/still shared) and the copy is ____________________ (not shared/shared).
5. When you move a shared folder, the folder is _____________________ (no longer shared/still shared).
6. When you rename a shared folder, the folder is ___________________ (no longer shared/still shared).
7. The system root folder, which is C:\Windows by default, is shared as ____________.

8. To assign permissions to user accounts and groups for a shared folder, which of the following tabs do you use?
   a. The Permissions tab of the Properties dialog box for the shared folder
   b. The Sharing tab of the Properties dialog box for the shared folder
   c. The General tab of the Properties dialog box for the shared folder
   d. The Security tab of the Properties dialog box for the shared folder
9. By default, how much of the available disk space is allocated for the cache for making shared folders available offline?
   a. 20 percent
   b. 15 percent
   c. 10 percent
   d. 5 percent
10. Which of the following statements about combining shared folder permissions and NTFS permissions are true? (Choose all correct answers.)
   a. You can use shared folder permissions on all shared folders.
   b. The Change shared folder permission is more restrictive than the Read NTFS permission.
   c. You can use NTFS permissions on all shared folders.
   d. The Read NTFS permission is more restrictive than the Change shared folder permission.
11. Which of the following statements about shared folder permissions and NTFS permissions are true? (Choose all correct answers.)
   a. NTFS permissions apply only when the resource is accessed over the network.
   b. NTFS permissions apply whether the resource is accessed locally or over the network.
   c. Shared folder permissions apply only when the resource is accessed over the network.
   d. Shared folder permissions apply whether the resource is accessed locally or over the network.

12. How do you determine which users have a connection to open files on a computer and which files they have a connection to?
13. How can you disconnect a specific user from a file?
14. Which of the following statements are true about Web folders? (Choose all correct answers.)
   a. Web folders are designed to allow Internet file sharing.
   b. Web folders work with all browsers.
   c. Web folders use the FTP protocol to transfer files.
   d. Web folders use WebDAV to transfer files.

CASE SCENARIOS

Scenario 8-1: Shared Folder Tree
You are designing security for a small office workgroup network. You have decided to create a tree for data folders for all the departments in the office. The departments (and the folders you will create) are: Accounting, Operations, Manufacturing, and Facilities. Answer the following questions about the configuration of these folders:

1. To allow each department to have access only to its own folder but to promote ease of administration for you, how should you arrange these folders?
2. The operations department wants to allow all others to read their files but not modify them. How can you assign permissions to the Accounting folder to enable this?
3. If you have Full Control permission to the folder containing all the department folders, what is your permission to the Accounting folder?

Scenario 8-2: Command-Line Nirvana
You are the administrator of a large network in a law office. Your office has just joined with a larger law group, and you need to set up access to allow attorneys from the other group to access your firm’s files. Your boss doesn’t want to give them full access to all files just yet and has asked you to give them only the ability to read files for now. You are creating a group of folders for users, and you want to automate folder creation by using the NET SHARE command. Answer the following questions about this scenario:

1. You are sharing the Pending Briefs folder, which is located at D:\PendingBriefs. What NET SHARE command should you use?
   a. NET SHARE Briefs=D:\Data\PendingBriefs /REMARK: “Pending Briefs”
   b. NET SHARE Briefs /DELETE
   c. NET SHARE D:\Data\PendingBriefs=Briefs /REMARK: “Pending Briefs”
   d. NET SHARE Briefs=\\Server\PendingBriefs /REMARK: “Pending Briefs”
2. After you share the Pending Briefs folder, what is the permission for attorneys from the larger office?
3. After some time, your boss decides that the other attorneys can be trusted and should have greater access to the files in the Pending Briefs folder. He wants them to be able to modify documents there but not delete them. How can you implement this?

CHAPTER 9

SUPPORTING APPLICATIONS IN WINDOWS XP PROFESSIONAL

Upon completion of this chapter, you will be able to:
■ Manage applications using Windows Installer packages
■ Manage distribution of applications using Group Policy
■ Verify application compatibility
■ Manage application compatibility settings
■ Troubleshoot application compatibility

Microsoft Windows XP supports a wide array of software, ranging from legacy 16-bit MS-DOS and Windows-based applications to modern 32-bit and 64-bit applications. In this chapter, you will learn how to install, manage, and configure applications in Windows XP. We will explore application installation using Windows Installer technologies, managing application installation using Group Policy, and application compatibility, including Windows Logo compatibility and application compatibility features included with Windows XP Professional.


UNDERSTANDING WINDOWS INSTALLER TECHNOLOGIES
Organizations that operate large numbers of desktop computers need ways to manage installed software effectively. They are also concerned with security. In the past, these two concerns conflicted when it came to automating software installation. Software was distributed on CD-ROM, shared in a network installation folder, or pushed with logon scripts. In all these instances, the software was installed with default settings in the environment of the user who was currently logged on to the system. This caused problems for organizations that restricted users’ security permissions. If these organizations restricted a user, the user would not have the required permissions to execute the setup routines. If they relaxed security enough to allow the user to run the installers, the user would have more permissions than the administrators wanted them to have. They needed a solution to accommodate restricted user security while allowing for automated installation of software.

Windows Installer
The Windows Installer was created as a solution to the installation issues facing enterprise customers. It runs as a system service (at elevated privileges) and receives instructions from an installation executable controlled from the user environment. This executable—Msiexec.exe—is called by the user or by automated installation settings placed into group policy objects (GPOs) stored in Active Directory. It manages the installation of an application and also allows for sophisticated management capabilities by applying any customizations and updates required at installation time or afterward. It can even allow installations to be scripted to completely automate custom configurations and settings according to the organization’s requirements.

Windows Installer Packages
Windows Installer executes installation instructions placed into Windows Installer packages. These packages contain all the components and configuration information required to completely install the packaged application. They can be distributed by the software manufacturer or created as a customized installation of a specific application by an administrator.

Components of Windows Installer packages Windows Installer packages consist of a central installation package with associated transform files that can modify the installation. In addition, patch files are used to install updates to the Installer packages. The main components of the Windows Installer packages are:
■ Windows Installer Packages (.msi) Windows Installer packages contain the entire application being installed, sometimes packaged into a single .msi file, which is a database of application objects along with installation settings. Large applications might be stored in a folder, with the installation being directed by a smaller .msi file stored in the folder with it.
■ Transform (.mst) Transforms contain custom installation parameters and settings. When specified along with the Windows Installer package, the transform modifies the installation according to the settings contained within. These settings override any similar settings contained in the original package.
■ Patch (.msp) Patch packages are used to install application updates or patches. These files are designed to apply fixes to Windows Installer packages by modifying settings and cabinet files contained in the original package.

Using Msiexec to execute Windows Installer packages
The Msiexec.exe application is associated with the .msi file extension in Windows XP system settings. When an .msi file is executed, the Msiexec.exe application, in concert with the Windows Installer, reads the .msi file and performs the package installation. If an .mst file is specified, it is also processed to include the appropriate customizations in the installation. Msiexec.exe can also be called directly to perform an installation action. Here is an example of syntax for the Msiexec.exe application:

msiexec /I c:\sample\package.msi TRANSFORMS=transform.mst

In this example, we are installing the “package” application, with custom settings specified by the Transform.mst file (Msiexec takes the transform as the TRANSFORMS property rather than as a bare argument). A complete list of command-line options appears in Table 9-1.
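In an unattended deployment you normally combine several of the options from Table 9-1 on one command line: /i (or /f for a repair), /qn so that no dialog box can block the installation, /L*v so that a log records what happened, and the transform passed as the TRANSFORMS property. The PowerShell functions below are an added example, not code from the book or from Microsoft; they assume PowerShell 2.0 on Windows XP SP1 or later (for Start-Process) and use placeholder package, transform, log and product-code values. The exit codes they interpret are Windows Installer’s standard return values, which are not listed in the chapter.

```powershell
# Added example (not from the book): unattended install and repair with
# msiexec, with a verbose log and exit-code handling.
# All paths and the product code are placeholders.

function Resolve-MsiExitCode {
    param([int]$Code)
    # Standard Windows Installer return codes (not from the book).
    switch ($Code) {
        0    { "Success" }
        1641 { "Success; the installer has initiated a restart" }
        3010 { "Success; a restart is required to complete the installation" }
        1603 { "Fatal error during installation; see the log file" }
        1619 { "The package could not be opened (wrong path or damaged .msi)" }
        1638 { "Another version of this product is already installed" }
        default { "msiexec returned $Code; see the log file" }
    }
}

function Install-MsiPackage {
    param(
        [Parameter(Mandatory=$true)][string]$Package,      # path to the .msi
        [string]$Transform,                                # optional .mst
        [string]$LogFile = (Join-Path $env:TEMP "install.log")
    )
    # /i installs the package; /qn is the 'q' option with level 'n' (no UI);
    # /L*v logs everything except the extra-debugging 'x' flag.
    $msiArgs = @("/i", "`"$Package`"", "/qn", "/L*v", "`"$LogFile`"")
    if ($Transform) {
        # Transforms are applied through the TRANSFORMS property.
        $msiArgs += "TRANSFORMS=`"$Transform`""
    }
    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    Resolve-MsiExitCode $proc.ExitCode
}

function Repair-MsiPackage {
    param([Parameter(Mandatory=$true)][string]$ProductCode)
    # /f with the default 'omus' argument list (Table 9-1): reinstall missing
    # or older files, rewrite user- and machine-specific registry entries and
    # recreate shortcuts. This is the self-healing repair done by hand.
    $proc = Start-Process -FilePath "msiexec.exe" `
        -ArgumentList @("/fomus", $ProductCode, "/qn") -Wait -PassThru
    Resolve-MsiExitCode $proc.ExitCode
}

# Usage with placeholder values:
# Install-MsiPackage -Package "C:\sample\package.msi" -Transform "C:\sample\transform.mst"
# Repair-MsiPackage -ProductCode "{00000000-0000-0000-0000-000000000000}"
```

Because /qn hides every dialog box, the log file written by /L*v is the only record of why an unattended installation failed, which is why the install function always names one. Msiexec must run with administrative rights for a per-machine installation; the Windows Installer service itself does the privileged work, as the chapter describes.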

Table 9-1 Msiexec.exe Command-Line Options

Option  Parameters  Description

/I  Package|ProductCode
    Installs or configures a product.

/f  [p|o|e|d|c|a|u|m|s|v] Package|ProductCode
    Repairs a product using the original source files. The default argument list for this option is ‘omus.’ The options are:
    ■ p Reinstalls only if the file is missing.
    ■ o Reinstalls if the file is missing or an older version is installed.
    ■ e Reinstalls if the file is missing or an identical or older version is installed.
    ■ d Reinstalls if the file is missing or a different version is installed.
    ■ c Reinstalls if the file is missing or the stored checksum does not match the calculated value.
    ■ a Forces all files to be reinstalled.
    ■ u Rewrites all required user-specific registry entries.
    ■ m Rewrites all required computer-specific registry entries.
    ■ s Overwrites all existing shortcuts.
    ■ v Runs from the source and recaches the local package.

/a  Package
    Installs a product on the network. This option is used to create administrative installation points for installation from shared folders on the network.

/x  Package|ProductCode
    Uninstalls a product.

/j  [u|m]Package
    [u|m]Package /t Transform List
    [u|m]Package /g LanguageID
    Advertises a product.
    ■ u Advertises to the current user.
    ■ m Advertises to all users of machine.
    ■ g Language identifier.
    ■ t Applies transform to advertised package.

/L  [i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] Logfile
    Writes logging information into a logfile at the specified path. Flags indicate which information to log. If no flags are specified, the default is ‘iwearmo.’
    ■ i Status messages.
    ■ w Nonfatal warnings.
    ■ e All error messages.
    ■ a Startup of actions.
    ■ r Action-specific records.
    ■ u User requests.
    ■ c Initial UI parameters.
    ■ m Out-of-memory or fatal exit information.
    ■ o Out-of-disk-space messages.
    ■ p Terminal properties.
    ■ v Verbose output.
    ■ x Extra debugging information. Only available on Windows Server 2003.
    ■ + Append to existing file.
    ■ ! Flush each line to the log.
    ■ * Wildcard. Log all information except for the v and x options. To include the v and x options, specify ‘/l*vx’.

/m  filename
    Generates an SMS status .mif file. Must be used with the install (-i), remove (-x), administrative installation (-a), or reinstall (-f) option. Ismif32.dll is installed as part of SMS and must be on the path. The fields of the status .mif file are filled with the following information:
    ■ Manufacturer: Author
    ■ Product: Revision number
    ■ Version: Subject
    ■ Locale: Template
    ■ Serial Number: Not set
    ■ Installation: Set by Ismif32.dll to “DateTime”
    ■ InstallStatus: “Success” or “Failed”
    ■ Description: Lists error messages in the following order:
      1. Any error messages generated by installer.
      2. Resource error message from Msi.dll if installation could not commence or user exited.
      3. Any system error message.
      4. A formatted message: “Installer error %i,” where %i is error returned from Msi.dll.

/p  PatchPackage[;patchPackage2 . . .]
    Applies a patch.

/q  n|b|r|f
    Sets user interface level.
    ■ q No UI.
    ■ qn No UI.
    ■ qb Basic UI. Use ‘qb!’ to hide the Cancel button.
    ■ qr Reduced UI with no modal dialog box displayed at the end of the installation.
    ■ qf Full UI and any authored FatalError, UserExit, or Exit modal dialog boxes at the end.
    ■ qn+ No UI except for a modal dialog box displayed at the end.
    ■ qb+ Basic UI with a modal dialog box displayed at the end. The modal dialog box is not displayed if the user cancels the installation. Use qb+! or qb!+ to hide the Cancel button.
    ■ qb- Basic UI with no modal dialog boxes. Note that /qb+- is not a supported UI level. Use qb-! or qb!- to hide the Cancel button.
    Note that the ! option is available with Windows Installer 2 and works only with basic UI. It is not valid with full UI.

/? or /h
    Displays syntax help and copyright information for Windows Installer.

/y  Module
    Calls the system function DllRegisterServer(…) to self-register modules passed in on the command line. Specify the full path to the DLL. For example, for My_file.dll in the current folder, you can use: msiexec /y .\MY_FILE.DLL
    This option is used only for registry information that cannot be added using the registry tables of the .msi file, and for modules capable of self-registration.

/z  module
    Calls the system function DllUnRegisterServer(…) to unregister modules passed in on the command line. Specify the full path to the DLL. For example, for My_file.dll in the current folder, you can use: msiexec /z .\MY_FILE.DLL
    This option is used only for registry information that cannot be removed using the registry tables of the .msi file and for modules capable of unregistering themselves.

/c
    Advertises a new instance of the product. Must be used in conjunction with /t. Available starting with the Windows Installer version that ships with Windows Server 2003 and Windows XP SP1.

/n  ProductCode
    Specifies a particular instance of the product. This option can be used to identify an instance of an application installed using multiple instance support. Available starting with the Windows Installer version shipped with Windows Server 2003 and Windows XP SP1.

NOTE Msiexec options are not case sensitive. In the preceding table, /I and /L are capitalized for clarity.

Advantages of Windows Installer packages Software packaged using the Windows Installer technologies is tailor-made for automated installation. You can advertise (or publish) it for installation using the Msiexec.exe command-line command, and you can install it or publish it using Group Policy in Active Directory. You get amazing control and management abilities, essentially for free, just by taking advantage of these features.

NOTE We will discuss publishing applications later in this chapter.

Another advantage of the Windows Installer technologies is the prospect of self-healing applications. Simply reinstalling from Add/Remove Programs or executing the appropriate Msiexec.exe command causes the application to examine all its files against the original installation source, replacing or repairing any missing or corrupt files. Applications such as Microsoft Office can even launch this process from within the application to provide automatic self-repair.

DEPLOYING SOFTWARE USING GROUP POLICY
We’ve alluded to group policy objects (GPOs) several times in this chapter. Group Policy is one component of Microsoft’s Intellimirror technologies, and it is used to manage system and application configuration and software installation. We will now examine the role of Group Policy in application management and support.

Overview of Group Policy
Group Policy allows you to manage configuration of computers and user settings in an Active Directory environment. Using Group Policy, you can control settings for software configuration, manage registry settings, configure security, install software updates, manage user profiles, and carry out many other tasks. Group Policy settings are stored in group policy objects that are attached to Active Directory domains, sites, or organizational units (OUs). GPOs can store settings for users and/or computers, allowing administrators to configure many settings at once.

MORE INFO There is obviously much more to Group Policy and Active Directory that falls beyond the scope of this course. For more information on Active Directory and Group Policy, see Microsoft Official Academic Course 70-294: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Software Installation Policies
Software installation policies are one facet of GPOs. They allow administrators to specify .msi packages that are to be advertised or installed on systems. These applications can be installed for specific users in the domain or for individual computers themselves. We will examine the two methods of making software available with GPOs: publishing and assigning (Figure 9-1).

Figure 9-1 Managing software installation policy (diagram: a software installation policy is either Published, installed on demand*, or Assigned, installed on first use* or on next restart; *or first use of associated document)

Publishing software Publishing software is like advertising the availability of an application. The application appears in the Add/Remove Programs area as available for installation; you can also install it on demand the first time a user executes an associated application extension. Because published applications require action from a user to be installed, they can be made available only to users (rather than being assigned to computers).

Assigning software Software can be assigned to the user or directly to the computer. If an application is assigned to the user, an icon for the application appears on the desktop or on the Start menu, and the application is installed the first time the icon is activated or the first time an associated file is opened. Software assigned to the computer (Figure 9-2) installs on the system before the next user logon. It is thus ready when any user of the system needs it. If user-specific options need to be installed, as specified by the .msi file, they are quickly installed the first time the user runs the application.

Figure 9-2 Software assigned to a computer

Upgrading or patching software with Group Policy In addition to directing installation of software, you can configure GPOs to install application updates. You can configure these updates to upgrade the existing application or even replace it (Figure 9-3).

Figure 9-3 Installing an application upgrade with Group Policy

Removing Software Installation Policy
When a software installation policy for an application no longer applies to the computer or user, you can manage the application in either of two ways (Figure 9-2):
■ Uninstall the application when it falls out of the scope of management This removes the application if the computer or user to which it is attached leaves the domain or OU the GPO is assigned to. It also removes the application if the GPO or its software installation policy is deleted. This option is an excellent way to ensure that software licensed by your company is uninstalled if a PC is ever lost or stolen. If a user removes the computer from the company domain, the software is uninstalled.
■ Leave the application in place when it falls out of the scope of management The software remains in place if the user or computer falls out of management, either through changing domains or OUs or the policy being deleted.

NOTE You explicitly select the Uninstall When It Falls Out Of The Scope Of Management option when you configure a software installation policy. Leaving the application in place is the result of not explicitly selecting that option.

UNDERSTANDING APPLICATION COMPATIBILITY
Windows XP brought together the stability of the Windows NT family of operating systems and the hardware compatibility of the Windows 9x family of operating systems. The Windows XP designers were faced with hard choices. Users and corporations needed the security and reliability features of the Windows NT operating systems but wanted to be able to use all the legacy applications they had acquired over the years. Some of these applications were incompatible with the strict requirements of the Windows NT line. Microsoft therefore designed application compatibility technologies into Windows XP. Users can customize settings to emulate the environments that legacy systems require to operate effectively. In this section, we will explore these application compatibility technologies and how to configure them.

Windows Logo Program
Before we discuss application incompatibility, let’s take a look at application compatibility. Microsoft operates the Windows Logo Program Qualification Service (Winqual) to test and certify products for compliance with Windows operating systems. Software manufacturers submit their products to the Winqual service for testing and obtain logo certification for their products, entitling them to submit their products to the Windows Catalog and use one of the Windows logos in their advertising and on product packaging. The Windows Logo Program specifies three levels of application compatibility:
■ Compatible with Windows XP This level indicates that the application will perform its primary function without crashing your system.
■ Designed for Windows XP Applications with this logo will not interfere with other applications in use on your system, will install and uninstall properly, and will not overwrite files that are needed by the operating system. These applications will support Fast User Switching and will not require a reboot unnecessarily. Designed for Windows XP applications are eligible for inclusion in the Windows Catalog (http://www.microsoft.com/windows/catalog). Users can browse listings of compatible applications in the Windows Catalog (Figure 9-4) and be confident that those applications have been certified for Windows compatibility.
■ Optimized for Windows XP These applications meet the Designed for Windows XP logo requirements as well as take advantage of advanced Windows XP technologies for gaming, multimedia, or accessibility. They might also be certified for compatibility with future Windows versions. They might even integrate the new Windows XP visual styles or enable the ability to traverse network address translation (NAT) firewalls in their Internet communications.

Figure 9-4 The Windows Catalog displaying Designed for Windows applications

Causes of Application Incompatibility Legacy applications might be incompatible with Windows XP for a number of reasons, including the following:

■ Changes in data formats The legacy application might fail to run if the updated data access technologies in Windows XP do not support the access methods used by the application. An example is changes in Microsoft Data Access Components (MDAC) that require programs written against older MDAC versions to be updated to remain compatible.

■ Different user profile formats and locations Windows XP places all user profiles in the Documents and Settings folder on the system volume. If the application was specifically programmed to store user data in the C:\WINNT\Profiles or C:\Windows\Profiles folder (the locations in Windows NT and Windows 9x, respectively), it might fail to store data files or application settings properly.

NOTE Systems upgraded from Windows NT Workstation or Windows 9x continue to use the former user profile folder locations.

■ Windows reports an unexpected version number Some applications designed for Windows 95 or Windows 98 check the operating system version at startup and refuse to run on any other version. Even when there is no functional reason they cannot run, they simply stop when they see a version number they were not written to expect.

■ Application cannot operate with a large amount of resources The application might not know how to handle more than 2 GB of free disk space or a large amount of RAM, typically because it stores the value in a signed 32-bit integer, which overflows at 2 GB and reads as a negative number. The application then assumes that resources are insufficient for proper operation and presents an error and/or shuts down.

■ Application uses direct hardware access methods For stability reasons, operating systems in the Windows NT family do not allow user-mode applications to access hardware resources directly; applications must access hardware through a device driver. This causes incompatibility with applications designed for Windows 9x that might have accessed hardware directly, for example an application that manipulates system memory directly.

Application Compatibility Tools The developers of Windows XP recognized the challenges presented by legacy software and designed several application compatibility technologies into Windows XP. During Windows XP Setup, existing applications are compared against a list of known incompatible applications stored in the Migdb.inf file (when upgrading from Windows 9x) or the Ntcompat.inf file (when upgrading from Windows NT or Windows 2000). These files allow Setup to warn users about incompatibilities during setup, long before the incompatible application would be used.

Compatibility fixes Some incompatible applications can be supported if you modify how Windows XP responds to the application or if you create an emulated environment that the application will find suitable. You do this by using “shim” technology to insert code between the application and the operating system so that the application believes it is running in its preferred environment. These compatibility fixes are stored in the application compatibility system databases sysmain.sdb and apphelp.sdb, which live in the AppPatch folder of the Windows system folder (usually C:\Windows\AppPatch). Because a shim database can redirect the API calls of any executable it matches, treat custom databases (.sdb files registered with Sdbinst.exe) as code: only administrators should be able to install them, and the set of installed custom databases belongs in your system baseline so that an unexpected one stands out.


Compatibility modes Applications written for older operating systems often took advantage of specific (and sometimes undocumented) features. If these features are no longer available in Windows XP (for security or stability reasons), those applications will normally not run in Windows XP. However, by mimicking the older operating system, Windows XP can still execute the application. Windows XP accomplishes this by using compatibility modes, which are collections of compatibility fixes that, taken together, mimic the earlier operating system. There are three kinds of application compatibility modes:

■ End-user modes These are the compatibility modes included with Windows XP and displayed when a user browses the Compatibility tab of an application’s Properties dialog box (Figure 9-5). They apply a collection of compatibility fixes designed to mimic the earlier operating system. Application compatibility modes are available to mimic Windows 95, Windows 98, Windows Me, Windows NT 4, and Windows 2000. In addition, users can choose to revert display settings to VGA resolution (256-color, 640×480) and to disable visual themes and advanced device input.

Figure 9-5 Setting the compatibility mode for an application

■ System modes These modes are accessible to system administrators and include, in addition to the end-user modes, fixes that enable users with limited accounts to operate applications and fixes that support the user profile changes in Windows XP. These modes are configured with the Compatibility Administrator tool (discussed later).

■ Custom modes Customized modes, consisting of fixes designed for a specific application, can be created and applied with the Compatibility Administrator tool.

You select end-user compatibility modes on the Compatibility tab of the Properties dialog box for an application executable (Figure 9-5).

Program Compatibility Wizard The Program Compatibility Wizard (Figure 9-6) is designed to allow end users to manage their own application compatibility settings. The wizard walks you through setting compatibility modes or display settings and allows you to test compatibility. You launch the wizard from Help and Support Center by searching on “application compatibility.”

Figure 9-6 Managing application compatibility with the Program Compatibility Wizard

Advanced Compatibility Tools System administrators can use two additional tools to manage compatibility fixes for applications: the Compatibility Analyzer and the Compatibility Administrator. They can scan for known application compatibility issues with installed software, apply specific fixes to an application, and evaluate the results. You can obtain them by downloading the Application Compatibility Toolkit from the MSDN Web site at http://msdn.microsoft.com/compatibility.

Compatibility Analyzer The Compatibility Analyzer tool (Figure 9-7) scans the computer for applications and reports their compatibility status. It can also maintain a database of installed software from data collected on computers around the enterprise, allowing administrators to assess application compatibility issues on all their systems from a central location.

Figure 9-7 The Compatibility Analyzer tool

Compatibility Administrator The Compatibility Administrator tool (Figure 9-8) lets you customize fixes for a specific application. Of the hundreds of available fixes, you might apply one or more to an incompatible application and test the results. If the program is made compatible, you can store the compatibility settings in a database and apply them to other systems in the organization.

Figure 9-8 The Compatibility Administrator tool

Troubleshooting Application Compatibility Issues When you’re faced with an incompatible application, you should eliminate any potential installation mistakes before you call the software vendor. If reinstalling the application according to the manufacturer’s instructions does not solve the problem, consider the following steps:

■ Check the vendor’s Web site for application updates After your company acquired the application, the vendor might have solved the compatibility issues and made an updated version available for download. Some software manufacturers also make their updates available through the Windows Update Web site (http://windowsupdate.microsoft.com).

■ Install the application using an administrator-level account Some applications cannot store required files or make the necessary registry modifications when they are installed by a limited user account. Reinstalling the application as an administrator might solve the problem. If the application then also needs administrator rights merely to run, prefer the limited-account compatibility fixes in the system modes described earlier, or targeted permission changes on the application’s own data folder, over making the user an administrator.

■ Make sure no other users are logged on to the system If Fast User Switching is enabled, other users might be logged on to the computer. This might interfere with the installation or operation of a program that was not designed to operate in this environment.

■ Analyze the program with the Program Compatibility Wizard The wizard can apply compatibility modes to the program and test the results. This might enable a legacy program to operate.

■ Manage the program with the Compatibility Administrator tool This tool can apply individual or multiple compatibility fixes and evaluate the results.

SUMMARY

■ Windows Installer runs as a system service (at elevated privileges) and receives instructions from Msiexec.exe. It manages the installation of an application and allows for sophisticated software installation management. It can completely automate custom configurations and settings according to the organization’s requirements. Because the service installs with system privileges, a package is effectively code that runs with full rights on the computer, so control which packages are accepted and who can place them on the distribution point.

■ Windows Installer packages consist of a central installation package (.msi) with associated transform files (.mst) that might modify the installation.

■ The Msiexec.exe application is associated with the .msi file extension. In concert with the Windows Installer service, it reads the .msi file and any .mst transforms and performs the package installation.

■ Group Policy allows you to manage the configuration of computers and user settings in an Active Directory environment.

■ Software installation policies allow administrators to specify .msi packages that are to be advertised or installed on systems. These applications can be installed for specific users or for the computer itself.

■ Microsoft operates the Windows Logo Program Qualification Service (Winqual) to test and certify products for compliance with Windows operating systems.

■ Legacy applications might have used features of older operating systems that are not available in Windows XP. By mimicking the older operating system, Windows XP can still execute the application. You accomplish this by defining compatibility modes.

■ The Program Compatibility Wizard helps users set compatibility modes or display settings and allows them to test compatibility.

■ The Compatibility Analyzer tool scans for applications and reports their compatibility status to an administrator.

■ The Compatibility Administrator tool allows you to customize fixes for a specific application and package those fixes for distribution to multiple Windows XP systems.

REVIEW QUESTIONS

1. You are installing an application that should be available to specific users wherever they use a computer. The application should be installed when they execute it for the first time or open an associated file. You are planning to implement a software installation policy, and you have placed the users into an organizational unit. What method of software policy implementation should you use to ensure that only the users in this OU receive the application?
a. Assign the software to the users in the OU
b. Publish the software to the users in the OU
c. Assign the software to the computers in the OU
d. Publish the software to the computers in the OU

2. You are distributing an application to all computers in your organization. You want to install it with different settings for one department in your home office. How can you configure software installation Group Policy settings to accomplish this?
a. Create an OU for users requiring the special settings. Create a transform for the special settings. Assign the Windows Installer package to the users in the domain. Assign the package, along with the transform for the special settings, to users in the special settings OU.
b. Create an OU for users requiring the special settings. Create two Windows Installer packages to support the different settings. Assign the default package to the domain users, and assign the other to the users in the special settings OU.
c. Create an OU for users requiring the special settings. Assign the application’s Windows Installer package to the computers in the domain. Create a transform for the special settings, and assign it to the users in the special settings OU.
d. Create a transform for the special settings. Assign the Windows Installer package to the computers in the domain. Instruct the users who require special settings in how to reinstall the application with the special settings transform.

3. Which of the following Msiexec.exe commands would uninstall the program.msi package?
a. msiexec /r program.msi
b. msiexec /x program.msi
c. msiexec /i program.msi
d. msiexec /f program.msi

4. You are purchasing a new accounting application for your small business. You want to make sure the application is compatible with Windows XP. Which of the following compatibility logos would you look for?
a. Designed for Windows 98
b. Designed for Windows XP
c. Compatible with Windows XP
d. Designed for Windows Server 2003

5. You are configuring a legacy business application to run on Windows XP. It presents several errors on startup, and you have tried several compatibility modes in your attempt to find a solution. Windows 95 mode works best but still has a few issues. The manufacturer has gone out of business, and you cannot find any other information about compatibility upgrades. Which of the following tools might help you?
a. Compatibility Analyzer
b. Program Compatibility Wizard
c. Compatibility Administrator
d. Msiexec.exe

CASE SCENARIOS

Scenario 9-1: Windows Installer You are planning the implementation of a complex business application to systems in a mid-size company. The application supports Windows Installer technology and is packaged into a single .msi file. All users of the application will use the application’s default settings, but some will make use of features that other users will not need. The business owner has asked you to install the application so that users have only the features of the application they require. The users have been grouped into three groups based on the functionality they require: Finance, Sales, and Production. You know you can perform a custom installation from CD-ROM, but you want to automate the installations in the interest of time and consistency. You discover a list of available installer transforms for different configurations. You select three that seem like a good fit for users in the organization: Accounting.mst, Salesforce.mst, and Manufacturing.mst. Answer the following questions about this scenario:

1. If the users are maintained in an Active Directory domain environment, how do you automate the installation of the application to the three groups of users?

2. If Active Directory isn’t available, how do you automate this installation?

3. Which of the following Msiexec command lines installs the application for the Finance group?
a. msiexec /i Application.msi TRANSFORMS=Finance.mst
b. msiexec /a Application.msi TRANSFORMS=Accounting.mst
c. msiexec /x Application.msi
d. msiexec /i Application.msi TRANSFORMS=Accounting.mst

Scenario 9-2: Irreconcilable Differences? You have been contracted by a small company to see if there is any way to make their legacy business applications work with Windows XP. They have three applications in particular that are causing trouble. After some research, you discover the following:

■ Application A has the Designed for Windows 98 logo and runs on Windows XP. Errors occur when you attempt to access data files, however. The manufacturer no longer produces or supports the application.

■ Application B was written by a former employee with whom the business has lost contact. When the application is executed, it returns the error “This application requires Windows 95.” It then terminates.

■ Application C does not run at all. The manufacturer is still in business and has a version compatible with Windows XP. When one user attempted to install it, the installation program returned the error “Unable to write to program folder.”

Answer the following questions about this scenario:

1. Which of the following actions will most likely help Application A operate effectively?
a. Operate the application in Windows 98–compatibility mode
b. Run the application as an administrator
c. Remove and reinstall the application
d. Change the permissions on the application data files

2. What is most likely the cause of Application B’s error? How can you configure Application B to operate?

3. What is the most likely cause of Application C’s failure during installation? How can you install this application?

CHAPTER 10

CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK

Upon completion of this chapter, you will be able to:
■ Configure and troubleshoot the TCP/IP protocol
■ Connect to a wireless network
■ Connect to the Internet using dial-up networking
■ Connect to a virtual private network (VPN)
■ Configure and troubleshoot Internet Connection Sharing (ICS)
■ Configure and manage Remote Desktop and Remote Assistance

We have so far concentrated on installing and supporting Microsoft Windows XP and its applications. In the next few chapters we will explore networks and connecting Windows XP to them. In this chapter, we will discuss making the basic network connections. You will learn about the properties of the TCP/IP protocol. You’ll explore dial-up networking and use it to connect to networks. You will also learn how to connect your Windows XP system to the Internet and how to share that connection with other systems on your network. Finally, we will configure and use Remote Desktop and Remote Assistance to enable remote control.

CONFIGURING TCP/IP A protocol is a set of rules and conventions for sending information over a network. Windows XP Professional relies on the Transmission Control Protocol/Internet Protocol (TCP/IP) for logon, file and print services, replication of information between domain controllers, and other common functions. This section presents the skills and knowledge necessary to install, configure, and troubleshoot TCP/IP. It also discusses the process for configuring network bindings, which are links that enable communication among network protocols and services.

The OSI Reference Model Most discussions of network architecture begin with an overview of the Open Systems Interconnection (OSI) model for networking (Figure 10-1). This reference model for designing networks was proposed in 1979 by the American National Standards Institute (ANSI) to the subcommittee on Open Systems Interconnection of the International Organization for Standardization (ISO). It was published in 1984 as a standard for designing open network applications.

Figure 10-1 The OSI and DARPA reference models

OSI Reference Model                   DARPA Model
Application, Presentation, Session    Application
Transport                             Transport
Network                               Internet
Data Link, Physical                   Network

The seven layers designate discrete steps in a network communication, beginning at the Application layer and progressing until the data is placed on the physical network medium. Each layer adds its own information for use by its counterpart in the destination stack. Data received at the next system passes up through the protocol stack to the application at the top. Each layer in the upward progression reads its information from the stack and passes the encapsulated data up to the next layer. When the application layer receives the data, it recognizes it and processes it. This process repeats for each communication over the network.

Applications designed strictly around the seven-layer model were found to be ungainly and difficult to configure, and the protocol suites in everyday use, TCP/IP (which predates the OSI standard) and IPX/SPX, do not map neatly onto it. The model nevertheless remains the common vocabulary for describing where a protocol or device does its work. The seven layers of the OSI model are:

■ Application (layer 7) Applications themselves are placed in this layer. The application is responsible for communicating with the user. An example of an application at this layer is a Web browser.

■ Presentation (layer 6) Converts the information entered by the user into something meaningful to the application. This layer is also responsible for making different data formats or character sets compatible, such as an ASCII-to-EBCDIC translator. Other tasks performed in this layer include certain types of compression and encryption.

■ Session (layer 5) Provides a session or channel for communication between two computers or users. A Session layer protocol is responsible for establishing and breaking down communication sessions. An example of this is a streaming video session.

■ Transport (layer 4) Aids the Session layer in preparing data for transmission. This layer is responsible for breaking up the data into manageable units. It is also responsible for sequencing packets and ensuring that lost packets are retransmitted so no data is lost during the communication sequence.

NOTE There has always been some overlap between the Session and Transport layers, which is one reason why applications that follow the OSI model strictly can be ungainly. Protocols such as Transmission Control Protocol (TCP) take on connection establishment as well as transport, which is why TCP is often described as operating in both layers.

■ Network (layer 3) Routes the information within individual networks and across networks. It maintains a routing table of possible destinations and directs packets to the desired destination.

■ Data Link (layer 2) Connects the Network layer to the physical media. This layer consists of device drivers and low-level protocols (such as Ethernet and Token Ring) for communication with network adapters. It begins the process of converting the data packets into frames made up of binary signals (1s and 0s). The Data Link layer exists partially in the device drivers and partially in the network adapter firmware.

NOTE Frame formation encapsulates data in a structure that provides the correct signals for communication on the wire. Frames begin with a preamble, a unique sequence of bits that indicates the start of the frame, and end with a cyclic redundancy check (CRC) or checksum. In between are the addressing information and the data. Other systems on the wire can examine Ethernet frames to determine whether those frames are intended for them. The CRC lets the receiver detect frames corrupted in transit, but it is not a security control: anyone who can place a frame on the wire can compute a valid CRC for it. Frames received by the final destination system are unpacked and sent up the protocol stack.

■ Physical (layer 1) This layer consists of the network hardware and the physical network medium. It transmits the electrical or optical signal from one system to the next.

NOTE As you study networking, you will see references to layer 3 switches or layer 2 devices. This is industry terminology for devices that have capabilities on the named layer. A layer 3 switch, for example, can perform some of the functions of a router (a layer 3 device).
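To make the frame structure described in the note above concrete, here is an added example (not code from the book) that builds an Ethernet II frame, appends the CRC-32 frame check sequence (FCS), and parses it back with the two checks a receiver performs: is the frame intact, and is it addressed to me (unicast to my MAC, broadcast, or a group address)? The MAC addresses and payload are constructed for illustration. The preamble is omitted because the adapter hardware generates and strips it before a driver ever sees the frame.

```python
"""Build and parse a minimal Ethernet II frame with its CRC-32 FCS.
Added example, not from the book; addresses and payload are constructed."""
import struct
import zlib

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500   # Ethernet minimum frame size and MTU


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fcs(data: bytes) -> bytes:
    # The Ethernet FCS is the IEEE CRC-32, transmitted least-significant byte first.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Destination MAC, source MAC, EtherType, payload (padded to 46), FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds Ethernet MTU")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    header = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype)
    return header + payload + fcs(header + payload)


def parse_frame(frame: bytes, my_mac: str) -> dict:
    """Verify the FCS and decide whether this station should process the frame."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame")
    body, received_fcs = frame[:-4], frame[-4:]
    if received_fcs != fcs(body):
        raise ValueError("FCS mismatch: frame corrupted on the wire")
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    # Accept frames sent to our own address, to the broadcast address, or to a
    # group address (least-significant bit of the first octet set).
    for_me = dst == mac_to_bytes(my_mac) or dst == BROADCAST or (dst[0] & 1) == 1
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "ethertype": ethertype, "payload": body[14:], "for_me": for_me}


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, b"hello")
    print(parse_frame(frame, "00:11:22:33:44:55"))
```

Note that `for_me` is a filter applied by the receiving station, not an access control: a network adapter in promiscuous mode passes every frame up regardless, which is exactly how a packet sniffer on a shared segment reads traffic addressed to other hosts.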

The DARPA Reference Model Around the same time that the OSI model was being conceived, the U.S. Department of Defense (DoD), in cooperation with a consortium of universities, was creating its own model for communication (see Figure 10-1, shown earlier). This model, called the DARPA (Defense Advanced Research Projects Agency) model or the DoD model, is simpler and more applicable to the protocols in use today. Both models are excellent tools for understanding networking, and we will refer to them as we discuss the topics in this chapter.

NOTE The OSI and DARPA models are shown side by side in Figure 10-1 to give an approximate comparison of which layers in one correspond to layers in the other. When you refer to these models, try to keep this relationship in mind so it will be less confusing when you hear someone speak of layer 3 devices, for example. When we refer to numbered layers, we are referring to the OSI model (layer 3 being the Network layer). Understanding the relationship between the models tells you which TCP/IP function is happening at the corresponding DARPA layer (the Internet layer, in this case), and therefore that a layer 3 switch can actually perform routing functions.

The layers of the DARPA model are simpler than those of the OSI model, and Internet protocols and applications map more directly onto them (Figure 10-2).

Figure 10-2 The DARPA reference model compared with the TCP/IP protocol suite

DARPA layer     TCP/IP protocols
Application     Telnet, FTP, SNMP, DNS
Transport       TCP, UDP
Internet        IP, ARP, ICMP, IGMP
Network         Ethernet, Token Ring, Frame Relay

The layers of the DARPA model are:

■ Application layer Designates communication processes that are typically internalized by the actual applications end users use to do their work. It receives user input and processes it for transmission through the Transport layer. Examples of applications at this layer include Telnet, FTP, and DNS. Applications that use Winsock or NetBIOS access this layer.

■ Transport layer Determines the transport method, usually at the urging of the application. This layer uses TCP or User Datagram Protocol (UDP) as the situation warrants. Protocols in this layer provide ports, or connecting points, for multiple applications at once. When a client application connects to a port, a socket is formed consisting of the IP address and port. Systems can maintain many socket connections at once. The Transport layer protocols are:

❑ TCP Provides connection-oriented, reliable communication for applications that typically transfer large amounts of data at once or require an acknowledgment for data received. Because TCP is connection oriented, a connection must be established before hosts can exchange data. TCP provides reliable communication by assigning a sequence number to each segment of data that is transmitted so the receiving host can send an acknowledgment (ACK) to verify that the data was received. If an ACK is not received, the data is retransmitted. TCP guarantees the delivery of packets, ensures proper sequencing of the data, and provides a checksum that validates both the segment header and its data against accidental corruption.

❑ UDP Provides connectionless communication but does not guarantee the delivery or the correct sequence of packets. Applications that use UDP typically transfer small amounts of data at once. Reliable delivery is the responsibility of the application.
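The TCP and UDP descriptions above are easier to reason about when you can watch the mechanisms operate, so here is an added simulation (not code from the book) of sequence numbers, cumulative acknowledgments, retransmission and a header-plus-data checksum running over a channel that drops chosen segments, with a UDP-style sender for contrast. The channel, its drop pattern and the sample text are constructed inputs; CRC-32 stands in for TCP’s real 16-bit ones’-complement checksum, and the go-back-N style sender is a deliberate simplification of real TCP.

```python
"""Simulation of TCP reliability (sequence numbers, ACKs, retransmission,
checksum) versus UDP fire-and-forget delivery over a lossy channel.
Added example, not from the book; channel and data are constructed."""
from dataclasses import dataclass
import zlib


@dataclass(frozen=True)
class Segment:
    seq: int         # stream offset of the first data byte (TCP sequence number)
    data: bytes
    checksum: int    # covers seq and data, so a corrupted header is caught too

    @staticmethod
    def make(seq: int, data: bytes) -> "Segment":
        return Segment(seq, data, zlib.crc32(seq.to_bytes(4, "big") + data))

    def intact(self) -> bool:
        return self.checksum == zlib.crc32(self.seq.to_bytes(4, "big") + self.data)


class LossyChannel:
    """Drops the segment with sequence number `seq` on transmission attempt
    number `attempt` for each (attempt, seq) pair in `drops`; passes the rest."""

    def __init__(self, drops):
        self.drops = set(drops)
        self.attempt = 0

    def transmit(self, segments):
        self.attempt += 1
        return [s for s in segments if (self.attempt, s.seq) not in self.drops]


class Receiver:
    """Buffers out-of-order data, discards corrupt segments, and answers with a
    cumulative ACK: the offset of the next byte it still needs."""

    def __init__(self):
        self.buffer = {}      # seq -> data
        self.next_seq = 0

    def accept(self, segments) -> int:
        for s in segments:
            if s.intact():                  # corrupt segments are dropped silently;
                self.buffer[s.seq] = s.data # the sender's retransmission covers them
        while self.next_seq in self.buffer:
            self.next_seq += len(self.buffer[self.next_seq])
        return self.next_seq

    def stream(self) -> bytes:
        """In-order data delivered to the application so far."""
        return b"".join(self.buffer[k] for k in sorted(self.buffer) if k < self.next_seq)


def tcp_send(data: bytes, mss: int, channel: LossyChannel, receiver: Receiver,
             max_attempts: int = 8):
    """Go-back-N style sender: everything at or beyond the cumulative ACK is
    (re)sent until the ACK covers the whole stream.
    Returns (delivered, total_segments_sent)."""
    segments = [Segment.make(i, data[i:i + mss]) for i in range(0, len(data), mss)]
    acked, sent = 0, 0
    for _ in range(max_attempts):
        outstanding = [s for s in segments if s.seq >= acked]
        sent += len(outstanding)
        acked = receiver.accept(channel.transmit(outstanding))
        if acked >= len(data):
            return True, sent
    return False, sent


def udp_send(data: bytes, size: int, channel: LossyChannel):
    """Connectionless contrast: each datagram goes out once; whatever the channel
    drops is gone unless the application itself notices and resends.
    Returns the stream offsets that arrived intact."""
    datagrams = [Segment.make(i, data[i:i + size]) for i in range(0, len(data), size)]
    return [d.seq for d in channel.transmit(datagrams) if d.intact()]


if __name__ == "__main__":
    text = b"The quick brown fox jumps over the lazy dog"
    rx = Receiver()
    print(tcp_send(text, 10, LossyChannel({(1, 10), (2, 20)}), rx), rx.stream())
    print(udp_send(text, 10, LossyChannel({(1, 10)})))
```

Two things worth noticing: the checksum protects against accidental corruption only, since any host that can write to the path can recompute it, and the sequence numbers provide ordering, not authentication. A host that can observe or guess them can inject data into the stream, which is why TCP’s reliability must not be mistaken for integrity or origin protection.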

■ Internet layer The layer responsible for addressing and routing. The four Internet layer protocols are:

❑ IP IP is primarily responsible for addressing and routing packets between hosts. It provides connectionless packet delivery for all other protocols in the suite. It does not guarantee packet arrival or correct packet sequence, and it does not try to recover from errors such as lost, out-of-sequence, duplicated, or delayed packets. Packet acknowledgment and the recovery of lost packets are the responsibility of a higher-layer protocol, such as TCP.

❑ ARP Maps an IP address to the media access control (MAC) address of the network device at the destination system. IP address resolution is required when IP packets are sent on shared-access networking technology, such as Ethernet. The sending host broadcasts an Address Resolution Protocol (ARP) request containing the IP address of the destination system, and the system that owns the IP address replies with its physical address. Nothing in the exchange proves that the replying system really owns the address; hosts simply trust the answer, so ARP replies are untrusted input on any network where you do not control every host.

❑ ICMP Provides special communication between hosts, allowing them to share status and error information. Higher-level protocols use this information to recover from transmission problems, and network administrators use it to detect network trouble. The Ping tool uses ICMP packets to determine whether a particular IP device on a network is functional. One instance in which ICMP provides special communication between hosts occurs when IP is unable to deliver a packet to the destination host: ICMP sends a Destination Unreachable message to the source host.

❑ IGMP Informs neighboring multicast routers of the host group memberships present on a particular network. An IP multicast group is a set of hosts that listen for IP traffic destined for a specific IP multicast address. Multicast networking allows a host to direct information to a multicast address that is shared by multiple computers. By joining a multicast group, a computer essentially “signs up” for traffic sent to that address. A typical use of multicast networking is streaming broadcasts of live audio or video.

■ Network layer The layer at the base of the model. It puts data on the wire and pulls data off the wire. This layer comprises the device drivers and physical devices used for data transmission. Examples are Ethernet network adapters and their associated drivers, along with the physical cabling used to transmit Ethernet data frames.
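The ARP exchange described in the Internet layer list above, as an added example that is not part of the book: it encodes and decodes the 28-byte ARP packet that rides inside an Ethernet frame, then runs a small resolver on two hosts to show the request, the reply, the cache update, and why a forged reply is accepted just as readily as a genuine one. The MAC and IP addresses come from the documentation ranges, and the `Host` class (including its `accept_unsolicited` switch) is a constructed illustration of a resolver, not a description of the Windows XP stack.

```python
"""ARP over Ethernet (RFC 826): packet encode/decode plus a toy resolver cache
that exposes ARP's trust model. Added example, not from the book; addresses
and host behaviour are constructed for illustration."""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_FMT = "!HHBBH6s4s6s4s"         # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op,
                       mac(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(packet: bytes) -> dict:
    if len(packet) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, packet[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class Host:
    """A station with an ARP cache. accept_unsolicited=True mirrors the naive
    behaviour of caching any reply addressed to us; False caches only answers
    to questions we actually asked (a constructed hardening, not XP's behaviour)."""

    def __init__(self, my_mac: str, my_ip: str, accept_unsolicited: bool = True):
        self.mac, self.ip = my_mac, my_ip
        self.cache = {}        # ip -> mac
        self.pending = set()   # ips we have asked about and not yet resolved
        self.accept_unsolicited = accept_unsolicited

    def request(self, ip: str) -> bytes:
        """'Who has ip? Tell me.' Sent as an Ethernet broadcast; target MAC is zeros."""
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)

    def receive(self, packet: bytes):
        """Process one ARP packet; returns a reply to put on the wire, or None."""
        a = parse_arp(packet)
        if a["op"] == ARP_REQUEST and a["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, a["sender_mac"], a["sender_ip"])
        if a["op"] == ARP_REPLY and a["target_mac"] == self.mac:
            # Nothing in the packet proves the sender owns sender_ip; the cache
            # trusts it. Limiting updates to outstanding requests narrows the
            # window for a forged reply but cannot close it.
            if self.accept_unsolicited or a["sender_ip"] in self.pending:
                self.cache[a["sender_ip"]] = a["sender_mac"]
                self.pending.discard(a["sender_ip"])
        return None


if __name__ == "__main__":
    alice = Host("00:00:5e:00:53:01", "192.0.2.10")
    bob = Host("00:00:5e:00:53:02", "192.0.2.20")
    alice.receive(bob.receive(alice.request("192.0.2.20")))
    print(alice.cache)
```

The last branch of `receive` is the whole security story of ARP: the cache is updated from unauthenticated data, so a host that answers faster, or answers without being asked, can redirect another station’s traffic to itself. Static ARP entries for critical gateways and switch features that police ARP traffic are the usual mitigations on networks you operate.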

The TCP/IP Protocol Suite TCP/IP is an industry-standard suite of protocols that enables enterprise networking and connectivity on Windows XP Professional–based computers. Using TCP/IP with Windows XP Professional offers the following advantages:

■ A routable networking protocol supported by most operating systems Most large networks rely on TCP/IP to be the glue that holds disparate systems together, and its nearly universal acceptance makes it the lingua franca of network programming.

■ A technology for connecting dissimilar systems You can use many standard connectivity tools to access and transfer data across dissimilar systems. Windows XP Professional includes several of these standard tools, such as FTP, Telnet, and Microsoft Internet Explorer. You can connect with Internet Explorer to a UNIX or Linux system that is serving Web pages and never know a thing about the underlying operating system. The user experience is separated from the inner workings of the underlying operating system because the network protocols are compatible. Keep in mind that FTP and Telnet send credentials and data in cleartext; use them only on networks you trust or where no encrypted alternative is available.

■ A robust, scalable, cross-platform client/server framework TCP/IP supports the Microsoft Windows Sockets (Winsock) interface, which is ideal for developing client/server applications for Windows-based systems. It also eases the porting of TCP/IP sockets-based applications and the development of tools that work with sockets applications on other platforms.

■ A method of gaining access to Internet resources The TCP/IP suite of protocols provides a set of standards for how computers communicate and how networks are interconnected. They form the backbone for Internet addressing and routing of data from one network to another.

Understanding IP Addresses Each IP address consists of a network ID and a host ID. The network ID, also known as the network address, identifies the systems that are located on the same physical network. All computers in the same physical network must have the same network ID, and the network ID must be unique to the internetwork. The host ID, also known as the host address, identifies each TCP/IP host within a network. IP addresses are logical 32-bit numbers that are broken down into four 8-bit fields known as octets. Microsoft TCP/IP supports class A, B, and C addresses for hosts. The class of an address defines which bits are used for the network ID and which bits are used for the host ID. Classful addressing uses these classes to determine whether a host is on a local or remote IP network based on the network portion of its address. Table 10-1 summarizes class A, B, and C IP addresses. Figure 10-3 graphically represents the network and host ID portions of the different classes.

Table 10-1 TCP/IP Address Classes

Class   Description
A       Addresses in which the first binary digit of the first octet is 0. This results in network IDs from 1.0.0.0 to 126.0.0.0 and allows for 126 networks and 16,777,214 hosts per network. The class A address 127.x.y.z is reserved for loopback testing and interprocess communication on the local computer. For class A addresses, the network ID is always the first octet in the address and the host ID is the last three octets.
B       Addresses in which the first two binary digits of the first octet are 10. This results in network IDs from 128.0.0.0 to 191.255.0.0 and allows for 16,384 networks and 65,534 hosts per network. For class B addresses, the network ID is always the first two octets in the address and the host ID is the last two octets.
C       Addresses in which the first three binary digits of the first octet are 110. This results in network IDs from 192.0.0.0 to 223.255.255.0 and allows for 2,097,152 networks and 254 hosts per network. For class C addresses, the network ID is always the first three octets in the address and the host ID is the last octet.

Addresses whose first octet is 224 through 239 (leading bits 1110) are class D multicast group addresses, used with IGMP as described earlier, and 240 through 255 are class E, reserved; neither class is assigned to individual hosts.

Figure 10-3 Network and host IDs of classful IP addresses (examples: class A 12.123.123.123 with network ID 12; class B 134.123.123.123 with network ID 134.123; class C 213.123.123.123 with network ID 213.123.123; the remaining octets are the host ID)

CHAPTER 10: CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK

NOTE Classful IP addressing is wasteful of IP addresses and is less widely used than classless interdomain routing (CIDR) addressing (covered in Chapter 11). CIDR lets the boundary between the network ID and the host ID fall at any bit position, expressed as a prefix length (for example, /26), rather than only on the octet boundaries that the classes fix, so address blocks can be sized to match the number of hosts that actually need them.
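The class rules in Table 10-1 can be checked mechanically. The following Python is an added example, not code from the book: it derives the class from the leading bits of the first octet, splits an address into the network and host octets the way the table describes, and recomputes the network and host counts in the table from the bit layout. All addresses passed to it are illustrative.

```python
"""Classful IPv4 address decoding (added example; not code from the book).

Derives the class from the leading bits of the first octet, splits the
address into network and host octets as Table 10-1 describes, and
recomputes the network and host counts in that table from the bit layout.
"""
import ipaddress

# class -> (leading-bit pattern, number of leading bits, network prefix length)
CLASS_RULES = {
    "A": (0b0,    1, 8),
    "B": (0b10,   2, 16),
    "C": (0b110,  3, 24),
    "D": (0b1110, 4, None),   # multicast: no network/host split
    "E": (0b1111, 4, None),   # reserved
}


def address_class(ip):
    """Return the class letter implied by the first octet's leading bits."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    for cls, (pattern, nbits, _prefix) in CLASS_RULES.items():
        if first_octet >> (8 - nbits) == pattern:
            return cls
    raise ValueError(ip)  # unreachable: the five patterns cover all 256 values


def networks_in_class(cls):
    """Network IDs available: 2^(prefix - leading bits); class A also loses 0 and 127."""
    _pattern, nbits, prefix = CLASS_RULES[cls]
    count = 1 << (prefix - nbits)
    return count - 2 if cls == "A" else count


def hosts_per_network(cls):
    """Usable host IDs: every host-bit pattern except all-zeros and all-ones."""
    prefix = CLASS_RULES[cls][2]
    return (1 << (32 - prefix)) - 2


def split_classful(ip):
    """Split ip into the network and host octets that its class dictates."""
    cls = address_class(ip)
    prefix = CLASS_RULES[cls][2]
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    if prefix is None:
        return {"class": cls, "network_id": None, "host_id": None,
                "mask": None, "note": "multicast or reserved; no network/host split"}
    n = prefix // 8            # classful boundaries always fall on an octet
    note = ""
    if octets[0] == "127":
        note = "loopback; 127.x.y.z is reserved, not a usable network ID"
    elif octets[0] == "0":
        note = "network 0 is reserved"
    return {
        "class": cls,
        "network_id": ".".join(octets[:n]),
        "host_id": ".".join(octets[n:]),
        "mask": str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask),
        "note": note,
    }


if __name__ == "__main__":
    for sample in ("12.123.123.123", "134.123.123.123", "213.123.123.123",
                   "127.0.0.1", "224.0.0.1"):
        print(sample, split_classful(sample))
    for cls in "ABC":
        print(f"class {cls}: {networks_in_class(cls):,} networks, "
              f"{hosts_per_network(cls):,} hosts per network")
```

Running the block reproduces the three counts in Table 10-1 (126, 16,384 and 2,097,152 networks; 16,777,214, 65,534 and 254 hosts) from nothing but the bit positions, which is a quick way to confirm that the table's figures follow from its bit rules.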

Using a static IP address

By default, Windows client computers obtain TCP/IP configuration information automatically from the DHCP Service, which is a service configured to automatically hand out IP addresses to client systems. However, even in a DHCP-enabled environment, you should assign a static IP address to selected network computers. For example, the computer running the DHCP Service cannot be a DHCP client, so it must have a static IP address. If the DHCP Service is not available or is not used in your organization, you can also configure TCP/IP to use a static IP address. For each network adapter card that uses TCP/IP in a computer, you can configure an IP address, subnet mask, and default gateway, as shown in Figure 10-4.

Figure 10-4 Configuring a static TCP/IP address

The following list describes the options used in configuring a static TCP/IP address:

■ IP address A logical 32-bit address that identifies a TCP/IP host. Each network adapter card in a computer running TCP/IP requires a unique IP address, such as 192.168.0.108. Each address has two parts: a network ID, which identifies all hosts on the same physical network, and a host ID, which identifies a host on the network. In this example (with a subnet mask of 255.255.255.0), the network ID is 192.168.0 and the host ID is 108.

■ Subnet mask Subnets divide a large network into multiple physical networks connected with routers. A subnet mask blocks out part of the IP address so TCP/IP can distinguish the network ID from the host ID. When TCP/IP hosts try to communicate, the subnet mask determines whether the destination host is on a local network or a remote network. To communicate directly on a local network, computers must share the same network ID as defined by the subnet mask.

■ Default gateway The intermediate device (usually a router) on a local network that holds routes to other networks in the enterprise or Internet. To communicate with a host on another network, you configure an IP address for the default gateway. TCP/IP sends packets for remote networks to the default gateway (if no other route is configured), which then forwards the packets to the destination system, either directly, if it is connected to the remote network, or through other gateways until the packet reaches a gateway connected to the destination network.
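To see how the subnet mask drives the local-or-remote decision just described, here is an added Python example (not code from the book). Given a host's address, mask and default gateway, next_hop reports whether a destination is delivered directly or handed to the gateway, and compare_masks judges the same destination under the classful default mask and under an explicit mask, which is where the two addressing schemes part ways. The addresses (172.16.1.5 and so on) are made up for the illustration.

```python
"""Local-or-remote decision driven by the subnet mask (added example; not from the book).

next_hop applies the rule described above: if the destination shares the
local network ID under the configured mask it is delivered directly,
otherwise it goes to the default gateway. compare_masks judges the same
destination under the classful default mask and under an explicit mask.
All addresses used here are made up.
"""
import ipaddress


def classful_mask(ip):
    """Default mask implied by the address class (first-octet ranges of Table 10-1)."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip}: class D/E addresses have no default mask")


def next_hop(local_ip, mask, default_gateway, destination):
    """Return ("direct", dst), ("gateway", gw) or ("unreachable", None)."""
    iface = ipaddress.IPv4Interface(f"{local_ip}/{mask}")
    dst = ipaddress.IPv4Address(destination)
    if dst in iface.network:             # same network ID under this mask
        return ("direct", str(dst))
    if not default_gateway:              # no gateway configured (e.g. an APIPA host)
        return ("unreachable", None)
    gw = ipaddress.IPv4Address(default_gateway)
    if gw not in iface.network:
        # A gateway the host cannot reach directly is a misconfiguration.
        raise ValueError(f"default gateway {gw} is not on local subnet {iface.network}")
    return ("gateway", str(gw))


def compare_masks(local_ip, configured_mask, default_gateway, destination):
    """Route decision under the classful default mask versus the configured mask."""
    return {
        "classful": next_hop(local_ip, classful_mask(local_ip), default_gateway, destination)[0],
        "configured": next_hop(local_ip, configured_mask, default_gateway, destination)[0],
    }


if __name__ == "__main__":
    print(next_hop("192.168.0.108", "255.255.255.0", "192.168.0.1", "192.168.0.20"))
    print(next_hop("192.168.0.108", "255.255.255.0", "192.168.0.1", "10.0.0.5"))
    # A class B address subnetted to /24: classful rules would call 172.16.2.9
    # local and ARP for it; the configured mask correctly sends it to the router.
    print(compare_masks("172.16.1.5", "255.255.255.0", "172.16.1.1", "172.16.2.9"))
```

The last call is the practical point: a class B address carved into /24 subnets behaves differently from what the class alone implies, so a wrong mask produces hosts that ARP for neighbours that are actually behind a router and never reach them.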



To configure TCP/IP to use a static IP address:

1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network Connections, double-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), verify that the check box to its left is selected, and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box (Figure 10-4), on the General tab, click Use The Following IP Address, type the TCP/IP configuration parameters, and then click OK.
5. Enter any assigned DNS server addresses, and click OK to close the Local Area Connection Properties dialog box. Close the Network Connections window.

CAUTION IP communication can fail if duplicate IP addresses exist on a network. Therefore, you should always check with the network administrator to obtain a valid static IP address.

Obtaining an IP address automatically

If a server running the DHCP Service is available on the network, it can automatically assign TCP/IP configuration information to the DHCP client, as shown in Figure 10-5. You can then configure client computers and DHCP-compatible network devices to obtain TCP/IP configuration information automatically from the DHCP Service. This can simplify administration and ensure correct configuration information.

NOTE Windows XP Professional does not include the DHCP Service. Only the Windows Server products provide the DHCP Service.


Figure 10-5 A server running the DHCP Service assigning TCP/IP addresses (1: the DHCP client sends a request; 2: the DHCP server returns an IP address)

You can use the DHCP Service to provide clients with TCP/IP configuration information automatically. However, you must configure a computer as a DHCP client before it can interact with the DHCP Service. 

To configure a DHCP client:

1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network Connections, double-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), verify that the check box to its left is selected, and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box (Figure 10-6), on the General tab, click Obtain An IP Address Automatically. Click OK.
5. Click OK to close the Local Area Connection Properties dialog box, and then close the Network Connections window.

Figure 10-6 Configuring Windows XP to obtain an IP address automatically


Using Automatic Private IP Addressing (APIPA)

The Windows XP Professional implementation of TCP/IP supports automatic assignment of IP addresses for simple LAN-based network configurations. This addressing mechanism is an extension of dynamic IP address assignment for LAN adapters, enabling configuration of IP addresses without using static IP address assignment or installing the DHCP Service. APIPA is enabled by default in Windows XP Professional so home users and small business users can create a functioning, single-subnet, TCP/IP-based network without having to configure the TCP/IP protocol manually or set up a DHCP server. APIPA can assign a TCP/IP address to DHCP clients automatically. However, it does not generate all the information that typically is provided by DHCP, such as the address of a default gateway. Consequently, computers enabled with APIPA can communicate only with computers on the same subnet that also have addresses of the form 169.254.x.y.

NOTE APIPA address assignment carries with it certain disadvantages. While it allows local communication, it does not specify a default gateway and is not routable on the Internet. Systems configured by APIPA in the absence of a DHCP server cannot communicate with properly configured systems on the same physical network, because those systems are on a different IP subnet, until they regain a DHCP-assigned address.

APIPA at startup

The process for the APIPA feature (Figure 10-7) is as follows:

1. Windows XP Professional TCP/IP attempts to find a DHCP server on the attached network to obtain a dynamically assigned IP address.
2. In the absence of a DHCP server during startup (for example, if the server is down for maintenance or repairs, or if one does not exist), the client cannot obtain an IP address.
3. APIPA generates an IP address in the form 169.254.x.y, where the client chooses x.y itself, and a subnet mask of 255.255.0.0.

Figure 10-7 APIPA (1: the DHCP client sends a request; 2: no DHCP server answers; 3: the client assigns its own IP address)


NOTE The Internet Assigned Numbers Authority (IANA) has reserved the link-local range 169.254.0.0 through 169.254.255.255, which routers do not forward, for APIPA. As a result, APIPA provides an address that is guaranteed not to conflict with routable addresses.

After the computer generates the address, it broadcasts an ARP request for this address to see if any other system is already using it; it assigns the address to itself if no other computer responds. The computer continues to use this address until it detects and receives configuration information from a DHCP server. It looks for a DHCP server every 5 minutes until one comes back online, at which time it obtains a valid DHCP-assigned address.

APIPA with a previous address

If the computer is a DHCP client that has previously obtained a lease from a DHCP server and the lease has not expired at boot time, the sequence of events is slightly different. The client tries to renew its lease with the DHCP server. If the client cannot locate a DHCP server during the renewal attempt, it attempts to ping the default gateway listed in the lease. If pinging the default gateway succeeds, the DHCP client assumes that it is still on the same network where it obtained its current lease, so it continues to use the lease. By default, the client attempts to renew its lease when 50 percent of its assigned lease time has expired. If pinging the default gateway fails, the client assumes that it has been moved to a network that has no DHCP services currently available and it autoconfigures itself as previously described. Once autoconfigured, it continues to try to locate a DHCP server every 5 minutes.

NOTE Windows 98, Windows Me, Windows 2000, Windows Server 2003, and Windows XP Home Edition also support APIPA.
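The start-up sequence above, including the lease-renewal variant, can be written down as a decision procedure. The Python below is an added example, not code from the book. It simulates the three things Windows would learn from the network as plain function arguments so that it runs offline: dhcp_offer stands in for a DHCP server's reply, gateway_answers for the ping of the gateway recorded in an old lease, and in_use for hosts that would answer the ARP probe for a candidate 169.254.x.y address. The 169.254.1.0 to 169.254.254.255 selection range is the link-local range with the first and last /24 excluded, as RFC 3927 specifies; all other values are constructed.

```python
"""APIPA start-up decision (added example; not code from the book).

Network actions are simulated as arguments: dhcp_offer stands in for a DHCP
server's reply, gateway_answers for the ping of the gateway recorded in an
old lease, and in_use for hosts that would answer the ARP probe for a
candidate 169.254.x.y address. All values are constructed.
"""
import ipaddress
import random

APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")
APIPA_MASK = "255.255.0.0"
DHCP_RETRY_SECONDS = 300      # an autoconfigured XP client looks for DHCP every 5 minutes


def is_apipa(ip):
    """True when ip lies in the link-local range APIPA draws from."""
    return ipaddress.IPv4Address(ip) in APIPA_NET


def choose_autoconfig_address(in_use, seed=None, max_tries=10):
    """Pick 169.254.x.y with x in 1..254 (first and last /24 excluded, as
    RFC 3927 specifies) and keep the first candidate nobody claims in ARP."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        candidate = f"169.254.{rng.randint(1, 254)}.{rng.randint(0, 255)}"
        if candidate not in in_use:          # no reply to the ARP probe: take it
            return candidate
    raise RuntimeError("no free link-local address found")


def startup_address(dhcp_offer=None, lease=None, gateway_answers=False,
                    in_use=frozenset(), seed=None):
    """Return (source, ip, mask, gateway, seconds_until_next_dhcp_attempt)."""
    if dhcp_offer:                                   # step 1: a DHCP server answered
        ip, mask, gateway = dhcp_offer
        return ("dhcp", ip, mask, gateway, None)
    if lease and not lease["expired"] and gateway_answers:
        # No DHCP server, but the old gateway pings: assume the same network and
        # keep the lease; the normal renewal timers still apply.
        return ("lease", lease["ip"], lease["mask"], lease["gateway"], None)
    # Step 3: autoconfigure. No gateway is set, so only the local subnet is reachable.
    ip = choose_autoconfig_address(in_use, seed)
    return ("apipa", ip, APIPA_MASK, None, DHCP_RETRY_SECONDS)


if __name__ == "__main__":
    old_lease = {"ip": "192.168.0.108", "mask": "255.255.255.0",
                 "gateway": "192.168.0.1", "expired": False}
    print(startup_address(dhcp_offer=("192.168.0.108", "255.255.255.0", "192.168.0.1")))
    print(startup_address(lease=old_lease, gateway_answers=True))          # keep the lease
    print(startup_address(lease=old_lease, gateway_answers=False, seed=7))  # fall back to APIPA
```

Note what the gateway ping buys: a laptop that boots on its home network with an unexpired office lease keeps the office address only if something at the leased gateway address answers, which is exactly the check that stops a stale lease from being reused on a foreign subnet.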

Disabling APIPA By default, APIPA is enabled. However, you can disable it by specifying an alternative configuration to use if a DHCP server cannot be located (Figure 10-8), as discussed in the next section.

Figure 10-8 Specifying an alternative TCP/IP configuration


Specifying an alternative configuration for TCP/IP

Auto-Configuration for Multiple Networks Connectivity provides easy access to network devices and the Internet. You configure it by specifying an alternative configuration for TCP/IP to use if a DHCP server is not found. The alternative configuration is useful if a computer is used on multiple networks, one of which does not have a DHCP server and does not use an APIPA configuration. It also allows a mobile computer user to operate on both office and home networks without manually reconfiguring TCP/IP settings. Because the alternative configuration is applied on any network where no DHCP server answers, the static address, gateway, and DNS servers you enter will also come into effect when the computer is attached to an unfamiliar network, so keep that in mind when you choose them.

To configure Auto-Configuration for Multiple Network Connectivity:

1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network Connections, double-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, choose the Alternate Configuration tab.
5. Specify the alternative TCP/IP configuration (Figure 10-8).

Managing Network Bindings

Binding is the process of linking network components on different levels to enable communication between those components. A network component can be bound to one or more network components above or below it. The services that each component provides can be shared by all other components that are bound to it. For example, in Figure 10-9, TCP/IP is bound to both File and Printer Sharing for Microsoft Networks and to the Client for Microsoft Networks. Note also that in Figure 10-9, NWLink is not bound to the Microsoft Networking components. It is installed in this scenario to support Client Service for NetWare and is not required to communicate with the Microsoft network. If you experience delays when you access network resources, check the binding order and unbind unused protocols; removing protocols and services that a network does not need also reduces the attack surface exposed on that adapter. Binding order controls the order in which protocols are used when you support multiple protocols or clients. If a particular network supports TCP/IP only and NWLink is bound first to the network client, it will attempt to locate a server first using NWLink. Only if that fails will it attempt to locate a server using TCP/IP.


Figure 10-9 Managing network bindings



To configure network bindings:

1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network Connections.
3. In the Network Connections window, on the Advanced menu, click Advanced Settings.
4. In the Advanced Settings dialog box, under Client for Microsoft Networks, do one of the following:
   ❑ To bind the protocol to the selected adapter, select the check box to the left of the adapter.
   ❑ To unbind the protocol from the selected adapter, clear the check box to the left of the adapter.

CAUTION Only an experienced network administrator familiar with the requirements of the network software should attempt to change binding settings.

Troubleshooting TCP/IP

Microsoft provides several tools for troubleshooting TCP/IP connectivity. These commonly used tools, which are executed from a command line, offer insight into the nature of the failure. The following list describes their use:

■ Ping Ping is an ICMP testing tool that transmits ICMP Echo Request packets to a destination computer and waits for Echo Reply packets. If the remote system replies, the connection is verified. Some systems and firewalls are configured not to reply to ICMP packets for security reasons, so a failed ping does not by itself prove that a host is down, and Ping's value as a troubleshooting tool is becoming somewhat limited.

■ ARP Displays the ARP resolution cache table, which shows the IP-to-MAC address mappings of systems on the local network that have communicated with your system. This is useful when you troubleshoot connectivity or investigate security incidents in progress: one MAC address mapped to several IP addresses, or an unexpected change in the entry for the default gateway, can indicate ARP spoofing on the segment.

NOTE Addresses in the ARP cache are maintained for 2 minutes unless they are used a second time. If used a second time, they are retained for 10 minutes after the final use of the address.

■ Ipconfig Displays the current TCP/IP configuration. Ipconfig can also release and renew a DHCP-assigned address (ipconfig /release and ipconfig /renew) and register your system with Dynamic DNS (DDNS) servers (ipconfig /registerdns).

■ Nbtstat Displays statistics and connections for the NetBIOS-over-TCP/IP protocol. It is useful when you troubleshoot file and print connectivity issues.

■ Netstat Displays current TCP/IP sessions and gives statistics about each connection. It is useful for connectivity testing and security investigations, for example to list the ports that are listening and the remote addresses connected to them.

■ Route Displays or modifies the local routing table.

■ Hostname Returns the local computer's host name.

■ Tracert Checks the route to a remote system by issuing ICMP Echo Requests with increasing time-to-live (TTL) values. The router that holds a packet when its TTL expires drops it and returns an ICMP Time Exceeded notification to the client. In this way, the client can trace the route to a destination system across the Internet.

■ Pathping Similar to Tracert, except Pathping issues multiple ICMP Echo Requests to each hop and records the resulting packet loss. This tool is helpful when you investigate sporadic connectivity problems.

NOTE Each of these tools has a help option that you can use to display syntax and usage information. To display this help, type the name of the tool followed by /? at a command line (for example, ipconfig /?).

Testing a TCP/IP configuration After configuring TCP/IP and restarting the computer, you should use the Ipconfig and Ping command-prompt tools to test the configuration and connections to other TCP/IP hosts and networks. Such testing helps ensure that TCP/IP is functioning properly.


Using Ipconfig You use the Ipconfig tool to verify the TCP/IP configuration parameters on a host. It helps you determine whether the configuration is initialized or if a duplicate IP address exists. Use the Ipconfig tool with the /all switch (Figure 10-10) to verify configuration information.

Figure 10-10 Output of the Ipconfig command

NOTE Type ipconfig /all | more to prevent the Ipconfig output from scrolling off the screen; to scroll down and view additional output, press SPACEBAR.

The Ipconfig /all output tells you one of the following:

■ If a configuration has been initialized, the Ipconfig tool displays the IP address and subnet mask, and, if assigned, the default gateway.

■ If a duplicate IP address exists, the Ipconfig tool indicates that the IP address is configured; however, the subnet mask is 0.0.0.0.

■ If the computer is unable to obtain an IP address from a server running the DHCP Service on the network, the Ipconfig tool displays the IP address provided by APIPA (169.254.x.y).
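The three outcomes above can be recognised automatically from the text of ipconfig /all, which is convenient when you collect output from many machines during an incident. The following Python is an added example, not code from the book. SAMPLE is constructed output laid out like Windows XP's ipconfig /all (the field labels follow XP's format; the adapter names, MAC and IP values are made up), and diagnose classifies each adapter as initialized, duplicate (subnet mask 0.0.0.0), APIPA, or not initialized.

```python
"""Classify adapters from ipconfig /all text (added example; not code from the book).

SAMPLE is constructed output laid out like Windows XP's ipconfig /all; the
adapter names, MAC and IP values are made up. diagnose() applies the rules
described above: initialized, duplicate address (mask 0.0.0.0), or APIPA
fallback (169.254.x.y).
"""
import ipaddress
import re

APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")

SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-ws01
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Gigabit Adapter
        Physical Address. . . . . . . . . : 00-0C-29-3A-1B-2C
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.108
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            192.168.0.2

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.12.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Lab Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.1.5
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . : 10.1.1.1
"""

ADAPTER_RE = re.compile(r"^(?:\w+ adapter )?(.+):\s*$")   # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s?(.*)$")          # "  Key . . . : value"


def parse_ipconfig(text):
    """Return {adapter name: {field: value}}; the global header section is skipped."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: adapter header or title
            m = ADAPTER_RE.match(line)
            current = m.group(1) if m else None
            if current:
                adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            adapters[current][last_key] = m.group(2).strip()
        elif last_key:                            # continuation line (second DNS server)
            adapters[current][last_key] += " " + line.strip()
    return adapters


def diagnose(text):
    """Classify each adapter's state according to the ipconfig /all rules above."""
    report = {}
    for name, f in parse_ipconfig(text).items():
        ip = f.get("IP Address") or f.get("Autoconfiguration IP Address") or ""
        mask, gateway = f.get("Subnet Mask", ""), f.get("Default Gateway", "")
        if not ip:
            state, detail = "not initialized", "no IP address on the adapter"
        elif mask == "0.0.0.0":
            state, detail = "duplicate", "another host uses this address; mask shown as 0.0.0.0"
        elif ipaddress.IPv4Address(ip) in APIPA_NET:
            state, detail = "apipa", "no DHCP server answered; link-local only, no gateway"
        elif not gateway:
            state, detail = "initialized", "no default gateway; remote networks unreachable"
        else:
            state, detail = "initialized", "OK"
        report[name] = {"state": state, "ip": ip, "mask": mask, "gateway": gateway, "detail": detail}
    return report


if __name__ == "__main__":
    for name, r in diagnose(SAMPLE).items():
        print(f"{name}: {r['state']} ({r['ip'] or '-'}/{r['mask'] or '-'}) - {r['detail']}")
```

To run it against a real machine, redirect ipconfig /all to a file and pass the file's contents to diagnose instead of SAMPLE; the parser keeps the field names exactly as ipconfig prints them, so anything else in the output (lease times, WINS servers) is available from parse_ipconfig as well.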

Using Ping

After you have verified the TCP/IP configuration, use the Ping tool to determine whether a particular TCP/IP host is available and functional. To test connectivity, use the Ping tool with the following syntax:

ping 127.0.0.1

By default, a successful Ping command prints a header line followed by four reply lines:

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time