Microsoft Tips

RESTRICT ACCESS TO THE COMMAND CONSOLE
In most cases, you probably don't mind if users open or use a command console to perform tasks. If you're trying to restrict the actions that users can perform on a Windows 2000 workstation, however, a command console (Cmd.exe) can offer a way around other restrictions. For example, you might remove My Computer from the desktop to prevent users from browsing local drives outside of applications. The command console lets them get around this restriction.

There are several ways to restrict access to the command console. First, if Cmd.exe is located on an NTFS volume, you can set permissions on the executable so that only specific users or groups can run it. You can also delete Cmd.exe, although this is not the best solution because you might need it on the computer for administrative reasons. If you can't restrict access to Cmd.exe with NTFS permissions, consider renaming the file and giving it a name only you know. Keep in mind that renaming only hides the file rather than protecting it, so treat it as a stopgap, not a control.

The best option for Windows 2000 systems is to restrict the command console through Group Policy. You can apply the policy at the site, domain, or organizational unit (OU) level, or on a single computer through the Local Group Policy editor (Gpedit.msc). Use the Active Directory Users And Computers console to set the policy at the domain or OU level, and use the Active Directory Sites And Services console to set it at the site level. In the policy editor, open the User Configuration\Administrative Templates\System branch and set the Disable The Command Prompt policy to Enabled. The policy also offers to disable command prompt script processing; leave that option set to No unless users run no startup, logon, logoff, or shutdown scripts, because batch scripts are processed by Cmd.exe and would stop working. Because this is a User Configuration setting, it follows the users the policy targets to whichever computer they log on to, so make sure the administrative accounts that need a console are excluded. Note that the policy is enforced by Cmd.exe itself when it starts, so it controls the supplied console rather than every program that can run commands.
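The following PowerShell script is an added example and not part of the original tip. It audits the two controls described above: the NTFS permissions on Cmd.exe and the per-user DisableCMD policy value that the Disable The Command Prompt setting writes under HKCU\Software\Policies\Microsoft\Windows\System. PowerShell was not available on Windows 2000, so treat it as the modern way to check the same registry value and ACL; the function names are this example's own.

```powershell
# Added example (not from the original tip): audit how Cmd.exe is restricted
# on this machine, then optionally write the per-user policy value yourself.
# Function names and output fields are this example's own choices.

function Get-CmdRestriction {
    [CmdletBinding()]
    param()

    $cmdPath = Join-Path $env:SystemRoot 'System32\cmd.exe'

    # 1. NTFS permissions: which identities hold an Allow ACE that includes
    #    execute rights on cmd.exe?
    $executeAces = @()
    if (Test-Path -LiteralPath $cmdPath) {
        $acl = Get-Acl -Path $cmdPath
        $executeAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
        } | ForEach-Object { $_.IdentityReference.Value }
    }

    # 2. The policy behind "Disable the command prompt".  Enabling it writes
    #    DisableCMD under the user's Policies key:
    #      2 = prompt disabled, batch/logon scripts still run
    #      1 = prompt disabled AND script processing disabled
    #    Absent or 0 = not restricted by policy.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $policyKey -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD

    $policyState = switch ($value) {
        1       { 'Prompt and script processing disabled' }
        2       { 'Prompt disabled, scripts allowed' }
        default { 'Not restricted by policy' }
    }

    [pscustomobject]@{
        CmdPath     = $cmdPath
        CanExecute  = $executeAces
        DisableCMD  = $value
        PolicyState = $policyState
    }
}

function Set-CmdRestriction {
    # Writes the same value the Group Policy editor would.  Prefer the GPO
    # itself on domain-joined machines so the setting is centrally managed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$AllowScripts   # keep startup/logon/logoff/shutdown scripts working
    )
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $value = if ($AllowScripts) { 2 } else { 1 }
    if ($PSCmdlet.ShouldProcess("$policyKey\DisableCMD", "set to $value")) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name DisableCMD -Value $value -Type DWord
    }
}

Get-CmdRestriction
# Set-CmdRestriction -AllowScripts -WhatIf
```

Run Get-CmdRestriction as the user you are checking, since the policy value lives in that user's hive; an empty CanExecute list together with a DisableCMD of 1 or 2 means both controls are in place.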

DELETE DIRECTORIES FROM A CONSOLE
It's a breeze to delete entire directories and their contents within the Windows 2000 GUI: select a folder and press [Delete]. This moves the directory and its contents to the Recycle Bin. If you want to bypass the Recycle Bin and delete the files immediately, hold down [Shift] when you press [Delete].

In some cases, you might need to delete directories from a command console. Maybe you prefer working in a console prompt rather than the GUI, or you need to delete several unrelated directories and want to accomplish that task from a batch file. Although you could use multiple DEL commands, the RD command (which is synonymous with RMDIR) is a better choice.

The syntax for RD is: RD [/S] [/Q] [drive:]path.

Without switches, RD removes the specified directory only if that directory is empty. The /S switch causes RD to remove all files and subdirectories beneath the specified directory and then remove the directory itself. The /Q switch runs RD in quiet mode, in which RD does not prompt you to confirm the deletion of a directory tree.

A WORD OF CAUTION: Make sure you know what you're doing when you use RD with the /S and /Q switches. If you're not careful, you can easily remove critical directories in the blink of an eye. Try the command without /Q first so you see the confirmation prompt, and in batch files always use a fully qualified path: a variable that expands to nothing can turn RD /S /Q %TARGET%\temp into RD /S /Q \temp, which deletes from the root of the current drive.
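As an added example that is not part of the original tip, the following PowerShell function wraps RD /S /Q for use in scripted cleanup and refuses the cases the caution above warns about: an empty or relative path, a drive root, and any directory that is or contains the Windows or Program Files folders. The function name and the protected-path list are this example's assumptions.

```powershell
# Added example (not from the original tip): a guarded wrapper around
# "RD /S /Q" for batch-style cleanup.  Names and the protected list are
# this example's own choices.
function Remove-DirectoryTree {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # An empty or relative path is the classic batch-file accident:
    # "RD /S /Q %TARGET%\temp" with %TARGET% unset becomes "RD /S /Q \temp",
    # which deletes \temp from the root of the current drive.
    if ([string]::IsNullOrWhiteSpace($Path) -or -not [System.IO.Path]::IsPathRooted($Path)) {
        throw "Refusing to delete '$Path': an absolute path is required."
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Refusing to delete '$Path': not an existing directory."
    }

    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')

    # Never remove a drive root.
    if ($full -match '^[A-Za-z]:$') {
        throw "Refusing to delete drive root '$full'."
    }

    # Never remove, or remove a parent of, the directories the OS lives in.
    $protected = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    foreach ($p in $protected) {
        if ($full -eq $p -or $p.StartsWith("$full\", 'OrdinalIgnoreCase')) {
            throw "Refusing to delete '$full': it is or contains protected path '$p'."
        }
    }

    if ($PSCmdlet.ShouldProcess($full, 'RD /S /Q')) {
        # Quote the path so spaces survive the trip through cmd.exe.
        & "$env:SystemRoot\System32\cmd.exe" /c "rd /s /q `"$full`""
        # RD's exit status is unreliable for scripting; verify the result instead.
        if (Test-Path -LiteralPath $full) {
            throw "RD did not remove '$full' (files may be in use or access was denied)."
        }
    }
}

# Usage: preview first, then run without the confirmation prompt.
# Remove-DirectoryTree -Path 'C:\Temp\build-output' -WhatIf
# Remove-DirectoryTree -Path 'C:\Temp\build-output' -Confirm:$false
```

Because the function declares ConfirmImpact = 'High', it prompts before deleting unless you pass -Confirm:$false, which mirrors running RD /S without /Q.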

PREVENT USERS FROM SHUTTING DOWN COMPUTERS
By default, users have the ability to shut down a computer. In many situations, this doesn't present a problem unless the user has the right to shut down a server.

If you're using Windows 2000 computers in a peer-to-peer environment where workstations share their resources, a user can cause havoc by shutting down a computer at the end of the day. Other users might need to continue to access its files or printers, or the computer may be handling incoming faxes or acting as an Internet Connection Sharing computer to allow others to access the Internet. Taking the system down will disrupt all of these functions. Therefore, preventing users from shutting down workstations can be almost as important as preventing them from shutting down servers.

Members of the Users, Power Users, Backup Operators, and Administrators groups can shut down the computer by default. To restrict this ability through group policies, apply the policy at the site, domain, organizational unit (OU), or local level. To set it at the local level, open the Local Security Policy console from the Administrative Tools folder. Open the Security Settings\Local Policies\User Rights Assignment branch. Double-click the policy Shut Down The System and clear the Local Policy Setting check box for those groups that you don't want shutting down the system. You can click Add to add other groups and grant them the ability to shut down the system if needed.

You can also apply the policy at higher levels. To apply it at the site level, open the Active Directory Sites and Services console on a domain controller. Right-click the site, choose Properties, and then click the Group Policy tab. Select (or create) a policy, click Edit, and open the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment branch to locate the Shut Down The System policy. Use the Active Directory Users and Computers console to configure the policy at the domain or OU level.
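The following PowerShell script is an added example, not part of the original tip. It shows the command-line counterpart of the Local Security Policy console: secedit.exe exports the current user rights to an INF file, the script reads who holds SeShutdownPrivilege (the right shown as Shut Down The System), and a second function writes a minimal security template that assigns the right to exactly the accounts you name and applies it with secedit /configure. The function names and temporary file names are this example's assumptions.

```powershell
# Added example (not from the original tip): read and rewrite the
# "Shut down the system" user right (SeShutdownPrivilege) with secedit.exe.
# Function names and the temp-file layout are this example's own choices.

function Get-ShutdownRightHolders {
    [CmdletBinding()]
    param()
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    # secedit writes a Unicode INF; Get-Content detects the byte-order mark.
    & "$env:SystemRoot\System32\secedit.exe" /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeShutdownPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $inf -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody

    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # "*S-1-5-32-545" form: translate the SID to an account name where possible.
            $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                              -ArgumentList $entry.Substring(1)
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else {
            $entry
        }
    }
}

function Set-ShutdownRightHolders {
    # Replaces the holders of SeShutdownPrivilege with exactly $Accounts.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Accounts        # e.g. 'BUILTIN\Administrators'
    )
    $sids = $Accounts | ForEach-Object {
        $acct = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $_
        '*' + $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    $inf = Join-Path $env:TEMP 'user-rights-apply.inf'
    $db  = Join-Path $env:TEMP 'user-rights-apply.sdb'
    # Minimal security template; the [Privilege Rights] section is what matters.
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeShutdownPrivilege = $($sids -join ',')
"@
    $template | Set-Content -Path $inf -Encoding Unicode

    if ($PSCmdlet.ShouldProcess('SeShutdownPrivilege', "assign to $($Accounts -join ', ')")) {
        & "$env:SystemRoot\System32\secedit.exe" /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    }
    Remove-Item $inf, $db -Force -ErrorAction SilentlyContinue
}

Get-ShutdownRightHolders
# Set-ShutdownRightHolders -Accounts 'BUILTIN\Administrators' -WhatIf
```

Run Get-ShutdownRightHolders on a workstation before and after changing the policy to confirm that the Users and Power Users entries are gone; on a domain-joined machine a domain GPO that assigns the same right will overwrite whatever you set locally at the next policy refresh.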

DELETE CACHED USER PROFILES
Roaming profiles allow users to log on from any workstation on the network and access the same user profile. Windows 2000 accomplishes this by copying the user's profile from the server when the user logs on and copying any changes back to the server when the user logs off.

A user profile can be quite hefty because it incorporates the user's Desktop folder, My Documents, and other folders and data. If the user keeps an Outlook personal folder (.pst) file or other large documents or data stores in the profile, it may approach or even surpass several hundred megabytes. When the user logs off, a cached copy of the data remains on the workstation. If several users work from the same computer, a lot of data can accumulate on the workstation that doesn't need to be there.

You can address the problem by directing Windows 2000 to delete the cached user profile data when the user logs off. You accomplish this through a registry change. Open the Registry Editor and go to this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

If the value DeleteRoamingCache isn't present, create it as a REG_DWORD value and set it to 1. Set it back to 0 later if you decide you no longer want cached roaming profiles deleted. The same setting is also available as the Delete Cached Copies Of Roaming Profiles policy under Computer Configuration\Administrative Templates\System\Logon, which is the better choice when you need to apply it to many computers.

NOTE: As always, we'll remind you that editing the registry can be risky, so be sure you have a verified backup before making any changes.
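The following PowerShell script is an added example and not part of the original tip. It reports the DeleteRoamingCache value in the Winlogon key named above together with the value under HKLM\Software\Policies\Microsoft\Windows\System that the Group Policy setting writes, and it can set the Winlogon value with -WhatIf support so you can preview the change. The function names are this example's own; the assumption that a value present in the Policies key is the one Winlogon honors follows the usual policy-over-preference behaviour of Policies keys.

```powershell
# Added example (not from the original tip): show and set the
# DeleteRoamingCache value, and check the Group Policy location that the
# "Delete cached copies of roaming profiles" policy writes to.
# Function names are this example's own choices.

function Get-RoamingCachePolicy {
    [CmdletBinding()]
    param()
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKLM:\Software\Policies\Microsoft\Windows\System'

    $local = (Get-ItemProperty -Path $winlogon -Name DeleteRoamingCache -ErrorAction SilentlyContinue).DeleteRoamingCache
    $gpo   = (Get-ItemProperty -Path $policy   -Name DeleteRoamingCache -ErrorAction SilentlyContinue).DeleteRoamingCache

    # Assumption: as with other Policies keys, a value written by Group Policy
    # takes precedence over the Winlogon value; absent both, profiles are kept.
    $effective = if ($null -ne $gpo) { $gpo } elseif ($null -ne $local) { $local } else { 0 }

    [pscustomobject]@{
        WinlogonValue   = $local
        PolicyValue     = $gpo
        DeletesOnLogoff = ($effective -eq 1)
    }
}

function Set-RoamingCacheDelete {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Disable   # set the value back to 0 so cached profiles are kept
    )
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = if ($Disable) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess("$winlogon\DeleteRoamingCache", "set to $value")) {
        # Creates the REG_DWORD value if it does not exist yet.
        Set-ItemProperty -Path $winlogon -Name DeleteRoamingCache -Value $value -Type DWord
    }
}

Get-RoamingCachePolicy
# Set-RoamingCacheDelete -WhatIf
# Set-RoamingCacheDelete -Disable -WhatIf
```

If PolicyValue is set, change the Group Policy object rather than the Winlogon value, because the policy will be reapplied at the next refresh.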

HELP YOUR USERS WORK AT HOME
More and more users work on notebook PCs at the office and then take the notebooks home and hook the machines up to their home networks. And since the odds are good that these users hook up to a domain at work, the question becomes: How can they move between a domain and a workgroup without causing logon and access problems?

One common misconception is that a user must be a member of a workgroup to access resources such as shared folders and printers in that workgroup. But as long as the user has an account on the computer sharing the resource, he or she can access it--even if his or her computer is a member of a different workgroup or a member of a domain. So it's not necessary for the user to switch his or her computer from a domain to his or her home workgroup in order to access resources at home.

The best solution is for the user to create a local account on the notebook and use that account to log on to his or her computer when it's connected to the home network. The local account doesn't have to be a member of the local administrator group; however, that configuration will make it easier for the user to make changes to the system if he or she needs to get it onto the home network. If the user can't use the company's local administrator account, request that someone in IT support create a local account on the computer, along with a hardware profile that contains the hardware he or she uses to connect to the home network.

Another consideration is addressing. A DHCP server at the office probably assigns the IP address for the user's computer. If all of the systems on the user's home network use APIPA (Automatic Private IP Addressing, which picks an address in the 169.254.x.x range when no DHCP server answers) to assign IP addresses automatically, the user won't have a problem because all computers will come up in the same private subnet. Otherwise, the user might have to assign an IP address to his or her computer manually while working at home and then switch it back to using DHCP when working at the office.
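As an added example that is not part of the original tip, the following PowerShell functions script the switch between office DHCP and a fixed home address with netsh.exe, save a complete interface configuration with netsh -c interface dump so it can be replayed with netsh -f, and check whether the adapter has fallen back to an APIPA address. The adapter name, the home addresses, and the file names are this example's assumptions; change them to match the notebook.

```powershell
# Added example (not from the original tip): switch a notebook between the
# office (DHCP) and a home network with fixed addresses using netsh.exe.
# The adapter name, addresses and file names below are assumptions.

$Adapter = 'Local Area Connection'
$Netsh   = "$env:SystemRoot\System32\netsh.exe"

function Use-OfficeNetwork {
    # Back to DHCP for both the address and the DNS servers.
    & $Netsh interface ip set address name="$Adapter" source=dhcp
    & $Netsh interface ip set dns     name="$Adapter" source=dhcp
}

function Use-HomeNetwork {
    param(
        [string]$Address = '192.168.1.50',
        [string]$Mask    = '255.255.255.0',
        [string]$Gateway = '192.168.1.1'
    )
    # Static address on the home subnet; gwmetric=1 makes it the default route.
    # The home router is assumed to forward DNS as well.
    & $Netsh interface ip set address name="$Adapter" source=static addr=$Address mask=$Mask gateway=$Gateway gwmetric=1
    & $Netsh interface ip set dns     name="$Adapter" source=static addr=$Gateway
}

function Save-NetworkProfile {
    # Capture the whole current interface configuration so it can be replayed
    # later with "netsh -f <file>" instead of retyping the settings.
    param([Parameter(Mandatory = $true)][string]$File)
    & $Netsh -c interface dump | Set-Content -Path $File
}

function Restore-NetworkProfile {
    param([Parameter(Mandatory = $true)][string]$File)
    & $Netsh -f $File
}

function Test-Apipa {
    # True when this host only has a 169.254.x.x address, meaning no DHCP
    # server answered and the home settings (or DHCP at the office) are needed.
    $ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    $routable = $ips | Where-Object { $_ -notlike '169.254.*' -and $_ -ne '127.0.0.1' }
    return (-not $routable) -and [bool]($ips | Where-Object { $_ -like '169.254.*' })
}

# Save-NetworkProfile -File "$env:USERPROFILE\office-net.txt"   # run once at the office
# Use-HomeNetwork; Save-NetworkProfile -File "$env:USERPROFILE\home-net.txt"
# Restore-NetworkProfile -File "$env:USERPROFILE\office-net.txt"
```

Changing the address requires local administrator rights, which is why the tip suggests giving the local account that right; with the two saved profiles the user only ever runs netsh -f and never has to retype addresses.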

STUDY SEVERAL DIR COMMAND SWITCHES
In previous Windows 2000 Professional TechMails, we've offered tips on how to use the DIR command. To use this command, simply type DIR and press [Enter]; now you can see your file list. However, DIR offers several switches that control the resulting output.

For instance, DIR by itself displays the date, time, size, and long file name for each file or directory. In many cases, however, you might also want to see the short 8.3 file names Windows 2000 automatically generates for each file. Use the command DIR /X to view the short name as well as the long name for each file and directory. (If a file or directory doesn't have a short name, DIR pads the line with spaces.)

DIR /Q is another handy variation. The /Q switch causes DIR to also display the owner of the file or directory. This can save you time when you're working in a command console and don't want to switch back to the GUI to look up the properties of a file.

Another useful switch is /T, which selects the time field that is displayed and, when combined with /O:D, used for sorting the listing. The syntax is DIR /T:timefield, where timefield is one of the following:

* C: Creation date
* A: Last access
* W: Last written (the default)

HOME EDITION OR PROFESSIONAL?
Microsoft ships two versions of Windows XP--Home Edition and Professional. Even though they are based on the same code, they are very different. Home Edition targets less experienced home users, and Professional is aimed at businesses and advanced users.

Here is a list of some features that are in Professional but NOT in Home Edition (note that this list is not exhaustive) that will help you decide which version to buy:

* Support for two CPUs (HE supports only one CPU.)

* Remote Desktop (HE includes Remote Assistance but not RD.)

* Domain support (HE cannot join a domain, but it can still access the resources in the domain.)

* Group Policy

* Roaming User Profiles

* Offline files and folders

* IP Security (IPSec)

* Remote Installation Services (RIS)

* Simple Network Management Protocol (SNMP)

* Encrypting File System (EFS)

* Indexing Service

* Backup tool (HE includes the backup tool only on the CD.)

* Automated System Recovery (ASR)

* Dynamic Disk Support

* Internet Information Services (IIS)

* Fax support

Most of the features that are missing in the Home Edition are used by corporations and are not needed by home users who are not connected to a larger network--for instance Group Policy, joining a domain, RIS, IPSec, EFS, and SNMP. But some other Pro-only features might interest you. For instance, if you have a dual-processor machine or want to run a simple Web server, you'll have to pick the Professional version.

WHAT'S NEW IN WINDOWS XP, PART 1
The first thing you'll notice about Windows XP is an improved user interface that supports skinning. This means that you can use special files, called skins, to change the look of the operating system. Windows XP ships with two skins: the classic Windows 2000 look and the new Windows XP style that comes in blue, olive green, and silver.

Another improvement in the user interface is the Start menu. It is much bigger now and more intelligent. The Start menu will now automatically place the programs you use most often at the top of the so-called dynamic section. The more often you run a program, the higher it is placed on the menu. A completely new feature targeted at home users is integrated CD burning. This engine allows users to burn files directly onto a CD-R/RW from within their programs or by using drag and drop in Windows Explorer.

Beyond the interface improvements, XP includes a host of features designed to ensure that each user is offered a consistent, customized operating environment. The new Welcome Screen interface, which is displayed after boot up, lists all local user accounts on the machine and can additionally display users' pictures. The Files and Settings Transfer Wizard can pack your settings and documents into a file that can be later restored on the same or another computer. You can even run this program directly from the CD, which allows you to back up all of your settings and documents on your existing operating system (Windows 9x, Windows NT 4, Windows 2000, or Windows XP) and migrate to the new system.

One of the best new XP features, Fast User Switching, allows other users to log on to the machine while your programs continue running. This is a major improvement over the Windows 2000 locking feature, which prevented all other users from using the computer.

Windows XP includes several other new features that might interest you. Stay tuned for the next part with a short introduction to some of the new features for advanced users and corporations.


Comparison of the major features supported in each version of the operating system.

                                          Windows 2000   Windows 2000       Windows 2000
Feature Highlights                        Server         Advanced Server    Datacenter Server*
-------------------------------------------------------------------------------------------
Maximum CPUs                              4              8                  32
Maximum Memory                            4 GB           8 GB               64 GB
File/Print Services                       x              x                  x
Internet Information Services (IIS) 5.0   x              x                  x
Application Services                      x              x                  x
Networking and Communications Services    x              x                  x
Active Directory                          x              x                  x
Terminal Services                         x              x                  x
Kerberos and PKI Support                  x              x                  x
COM+                                      x              x                  x
Failover Clustering                                      x                  x
Network Load Balancing                                   x                  x
Process Control Manager                                                     x
WinSock Direct                                                              x
Windows Datacenter Program                                                  x