Sunday, 26 July 2009

Loopback processing of Group Policy, explained.

Hi guys,

Today I want to write a few words about Loopback processing of Group Policy. When you deal with this setting for the first time it may be a little bit confusing. You can find explanations of this policy setting on the internet, but in my case I will try to explain everything in simple words.

As we know, Group Policy has two main configurations, user and computer. Accordingly, the computer policy is applied to the computer regardless of who is logged on, and the user configuration is applied to the user regardless of which computer he is logged on to.
For example, we have a Domain with two different organizational units (OUs), Green and Red. The Green OU contains a Computer account and the Red OU contains a User account. The Green policy, which has the settings “Computer Configuration 2” and “User Configuration 2”, is applied to the OU with the Computer account. The Red policy, which has the settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the User account. If you have a look at the picture below it will become clearer.

If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:

As we can see from the picture, the User gets Computer Configuration 2 and User Configuration 1. This is the absolutely standard situation, where policies are applied according to OU membership: the User belongs to the Red OU, so he gets the Red User Configuration 1.

Now let’s enable the Loopback processing of Group Policy for the Green OU. In this case, if the User logs on to the Computer, the policies are applied in the following way:

As we can see, the User now gets User Configuration 2 despite the fact that he belongs to the Red OU. What has happened in this scenario is that User Configuration 1 was replaced with User Configuration 2, i.e. with the user configuration from the policy applied to the Computer account.

As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that the Loopback processing of Group Policy has two different modes, Replace and Merge. It is obvious that Replace mode replaces User Configuration with the one applied to the Computer, whereas Merge mode merges two User Configurations.

In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy takes precedence. In our scenario, in case of a conflict User Configuration 2 would be enforced.

In a real working environment, Loopback processing of Group Policy is usually used on Terminal Servers. For example, you have users with folder redirection settings enabled, but you do not want folder redirection to work when the users log on to the Terminal Server. In this case we enable Loopback processing of Group Policy in the policy linked to the Terminal Server’s Computer account and do not enable the folder redirection settings there. Then, once the User has logged on to the Terminal Server, his folder redirection policy will not be applied.

To enable Loopback Processing navigate to: Computer Configuration/Administrative Templates/System/Group Policy/Configure user Group Policy loopback processing mode
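
The precedence rules above as an added example (not from the original post): a simplified model of which user settings win with loopback off, in Merge mode and in Replace mode, using the folder redirection case. The function names, setting names and values are constructed for illustration; UserPolicyMode (1 = Merge, 2 = Replace) is the registry value in which the loopback policy setting is stored on the computer.

```powershell
# Simplified model: each hashtable is the net User Configuration coming from
# one side. Setting names and values are constructed for illustration.
function Resolve-UserPolicy {
    param(
        [hashtable]$UserScope,      # from policies applied to the user's OU (Red)
        [hashtable]$ComputerScope,  # from policies applied to the computer's OU (Green)
        [ValidateSet('None', 'Merge', 'Replace')]
        [string]$Loopback = 'None'
    )
    $effective = @{}
    if ($Loopback -ne 'Replace') {
        # Normal processing and Merge both start from the user's own policies.
        foreach ($name in $UserScope.Keys) { $effective[$name] = $UserScope[$name] }
    }
    if ($Loopback -ne 'None') {
        # Loopback applies the computer-side user settings last, so they win conflicts.
        foreach ($name in $ComputerScope.Keys) { $effective[$name] = $ComputerScope[$name] }
    }
    $effective
}

# Reads the loopback mode that policy has written on the local computer.
function Get-LoopbackMode {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'None' }
}

# Constructed sample: Red = "User Configuration 1", Green = "User Configuration 2".
$red   = @{ FolderRedirection = '\\fs01\home'; Wallpaper = 'red.bmp' }
$green = @{ Wallpaper = 'green.bmp'; HideRunMenu = 'Enabled' }

foreach ($mode in 'None', 'Merge', 'Replace') {
    $result = Resolve-UserPolicy -UserScope $red -ComputerScope $green -Loopback $mode
    $pairs  = $result.Keys | Sort-Object | ForEach-Object { "$_=$($result[$_])" }
    '{0,-8} {1}' -f $mode, ($pairs -join '; ')
}

"Loopback mode on this computer: $(Get-LoopbackMode)"
```

In Merge mode the FolderRedirection setting from the Red policy survives, because the Green policy does not configure it; only Replace mode drops it.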

Thank you!


Thursday, 23 July 2009

Installing program as an ordinary user, or how to give users an ability to install programs.


Recently I came across a task where I had to give users the ability to install and uninstall programs, but without giving them administrative rights. You could probably create some fancy scripts or buy a piece of software which can do this, but I found a simple and free solution :-)

Here are the steps.

1) Create a .bat file which will have only one line:


Call this bat file 1.bat and place it in the root of your C: drive.

2) Issue the following command in the CMD:

runas /user:Domain_name\user_name /savecred c:\1.bat

(where domain_name is the name of your domain, or the local name of your PC, and user_name is the name of the user with the appropriate rights to run Add and Remove programs)

This command should ask for the password of this user; enter the password.
Once you have entered the password, the Add Remove programs window should open on behalf of the specified user. Once that is done, close all open windows and go to the next step.

3) Now place a shortcut for appwiz.cpl (you can find it in C:\Windows\system32) on the user’s desktop. The next time the user double-clicks appwiz.cpl, it will run on behalf of the user that we specified in step 2: because we used the /savecred switch, the password has already been saved in the Stored User Names and Passwords. Do not worry, the user cannot see the saved password.

After you have done everything, you can just delete the batch file from your drive, as it will not be used anymore; it is used just once, to store the password in the system.

Here you go, it’s done. I understand that this is not the most optimal method and it has some disadvantages, such as manual entering of the password, but it is simple and it works :-)
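
An added example, not part of the original post: a credential saved with /savecred stays in Stored User Names and Passwords until it is deleted, so this script lists such entries from `cmdkey /list` output and removes them on request. It assumes a Windows version that ships cmdkey.exe; the function names, the account names and the sample output are constructed for illustration.

```powershell
# Constructed sample of `cmdkey /list` output (accounts are placeholders).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=EXAMPLE\installer
    Type: Domain Password
    User: EXAMPLE\installer

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: EXAMPLE\alice
'@

function Get-SavedRunasCredential {
    param(
        # Lines of `cmdkey /list` output; defaults to running cmdkey on this machine.
        [string[]]$CmdkeyOutput = (cmdkey /list)
    )
    foreach ($line in $CmdkeyOutput) {
        # Entries saved by runas /savecred carry "interactive=<account>" in the target name.
        if ($line -match '^\s*Target:\s*(?<target>\S*interactive=(?<account>.+?))\s*$') {
            [pscustomobject]@{ Target = $Matches['target']; Account = $Matches['account'] }
        }
    }
}

function Remove-SavedRunasCredential {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$Target
    )
    process {
        # -WhatIf previews the deletion without touching the credential store.
        if ($PSCmdlet.ShouldProcess($Target, 'Delete stored credential')) {
            cmdkey "/delete:$Target"
        }
    }
}

# Offline run against the constructed sample: only the runas entry is reported.
Get-SavedRunasCredential -CmdkeyOutput ($sample -split "`r?`n") | Format-Table -AutoSize

# On a live machine, preview the clean-up first:
#   Get-SavedRunasCredential | Remove-SavedRunasCredential -WhatIf
```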

Take care,


Thursday, 16 July 2009

Preparing XP computer as a dedicated Terminal Services client. (making a thin client from your old XP based computer)


Recently one of my clients asked me to prepare his old PCs with the Windows XP operating system for use with Terminal Services. For the users, the whole process of connecting to the Terminal Services Server had to be as simple and seamless as possible.

The final result that I achieved was the following: users were turning on their PCs and, after booting, they saw a Terminal Session screen with a prompt to enter their username and password, just like on the picture below:

I think simpler is impossible :-)

Now let me explain in detail how I achieved this. To be frank, this whole operation consists of several very simple steps and most of you already know how to do them. But all together these steps give an interesting result.
Here are the main steps:

1) Make Windows XP log on automatically.
2) Make Remote Desktop Connection run automatically once Windows XP is loaded.
3) Disable Windows Explorer Shell.

Now let’s walk through the steps in detail. Before you begin, I always recommend making a backup of important data and creating a system restore point, just in case :-)

Step 1. Make Windows XP log on automatically.

1) First of all you have to create a dummy user that will be used in order to log on to XP, it can be either domain or local user.

2) Now open Registry Editor (regedit) and navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Find the following values:

• DefaultUserName
• DefaultDomainName
• AutoAdminLogon
• DefaultPassword

You may not have all of these values; most probably DefaultPassword and AutoAdminLogon will be missing, so we have to create them. To create a new value, right-click on the empty area and select New > String Value (see picture).

In the name box which now says New Value #1 type the string name that we need, for example DefaultPassword.

Once we have all required Strings we can change the values. We have to insert the following values:

• DefaultUserName – Exact “user name” of your dummy user that we created earlier
• DefaultDomainName – Here we have to enter “Domain name”, if you are not using the Domain topology you have to provide a “Computer Name” of this PC.
• AutoAdminLogon – this String has to be set to “1”, it means that auto logon is allowed.
• DefaultPassword - Password for the dummy user.

Here is an example:

In my case I have created a user with the following details:

- User name: User_name
- Password: password
- My Domain’s name: Domain_Name

Now you can have a look at the picture below to see how I set it up in my Registry.

Once you have made all the changes in the Registry, just close it.

The first step is done; this will allow the PC to log on automatically. Now you can restart your PC, and if you did everything correctly the PC should boot up and log on without your interaction. If you ever decide to log on using another user account, hold down the Shift key as you log off, or set the "AutoAdminLogon" value back to 0.

Step 2. Make Remote Desktop Connection run automatically once Windows XP is loaded.

1) Create a Remote Desktop Connection file and enter all the required information. To do this follow these steps:

- Click on Start > Run > type mstsc and press Ok, you should see Remote Desktop Connection window.

- Click on Options and provide name or ip address of your TS Server, also you can go through all tabs and assign preferred settings.

- Once we have entered the TS Server name or address and finished with all other settings, we have to save this file. To do so, click on Save As and specify a location for this file (I usually put it on a shared folder so it is accessible from any other PC that I will be setting up in the future).

- Now that we have the *.rdp file (the file that we have just saved), we have to add it to Startup. To do this, right-click on the Start button and choose Explore; this should open the Start Menu folder. Navigate to Documents and Settings\user_name\Start Menu\Programs\Startup and copy your *.rdp file into that folder.

The second step is done. We created a Remote Desktop Connection file (which has the .rdp extension) and added it to Startup so that Remote Desktop Connection is started automatically without the user’s interaction.

Step 3. Disable Windows Explorer Shell.

This step is optional, because you do not really have to disable the Windows Explorer shell to get the final result. I prefer disabling it to eliminate any possible interaction of the users with the local system. The less users can do on the local machine, the smaller the chance that they will break anything :-)

To disable the Explorer shell do the following:

In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon find the "Shell" value and remove explorer.exe from its data.

Step 3 is done. Now, if we reboot the PC it will not start the Shell, i.e. there will not be any shortcuts or buttons, only the background of your Desktop.

One more thing to add: if your users turn off their PCs in the evenings, you may want to give them the option to shut down the PC. As we disabled the Shell, the users will not have any buttons, so they cannot click on Start > Shut Down. What I do in this case is set up the PC to power off when the Power button on the PC case is pressed. To do this, go to Control Panel > Power Options and, in the Advanced tab, set the behaviour for the Power button to Shut Down.

Here we go, everything is done. Now when we power on the PC it should start, log on automatically and bring up the TS logon screen. If the user closes the TS logon screen he can do nothing to the PC, unless he is more or less IT literate and can call the Task Manager and just start explorer.exe, but there are loads of ways to stop him from running Task Manager and/or explorer.exe :-) if you want to do this.

As I said, all the steps are quite easy and familiar, but together they give us an interesting outcome. If Microsoft could collect all these steps into one installation package and add some additional features, it would be quite an interesting product.

If some steps are not clear, or you have any questions, feel free to ask me.
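
An audit of the Winlogon values that steps 1 and 3 change, as an added example that is not part of the original post. DefaultPassword is an ordinary string value, so the check reports its presence without printing it; the function name and the sample values (which mirror the placeholders used above) are constructed for illustration.

```powershell
function Test-WinlogonKiosk {
    param(
        # Winlogon values to inspect. Defaults to the live registry; a hashtable
        # can be passed instead to check exported or sample values offline.
        $Winlogon = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    )

    $account = '{0}\{1}' -f $Winlogon.DefaultDomainName, $Winlogon.DefaultUserName

    if ("$($Winlogon.AutoAdminLogon)" -eq '1') {
        [pscustomobject]@{
            Value = 'AutoAdminLogon'
            Note  = "Automatic logon is on for $account; keep that account's rights minimal."
        }
    }
    if (-not [string]::IsNullOrEmpty($Winlogon.DefaultPassword)) {
        # Report only that a password is stored, never the password itself.
        [pscustomobject]@{
            Value = 'DefaultPassword'
            Note  = "Password for $account is stored as a plain-text string in this key."
        }
    }
    $shell = "$($Winlogon.Shell)".Trim()
    if ($shell -ne 'explorer.exe') {
        [pscustomobject]@{
            Value = 'Shell'
            Note  = "Shell is '$shell' instead of explorer.exe (expected on a locked-down client)."
        }
    }
}

# Constructed sample: the state the three steps of the post leave behind.
$sample = @{
    DefaultUserName   = 'User_name'
    DefaultDomainName = 'Domain_Name'
    AutoAdminLogon    = '1'
    DefaultPassword   = 'password'
    Shell             = ''
}

Test-WinlogonKiosk -Winlogon $sample | Format-Table -AutoSize -Wrap

# On a live machine, call it without arguments to read the registry:
#   Test-WinlogonKiosk
```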

Thank you!



Saturday, 11 July 2009

Windows 7 with no Internet Browser.


This post is not about IT tips, but about the world of IT in general. Just an interesting issue that came to my mind :-)

Most of you have already heard, and for those who have not, here is the news: in the European Union Windows 7 will be released without any internet browser. Do not panic, it just means that a browser will not be built into the system, but people can easily download and install any browser they want. Most probably computer producing companies such as Dell or HP will be pre-installing a browser before shipping a computer. Even if they do not, installing a browser is not a big deal, so what is all the fuss about?

Here comes the other side. As we know, at the beginning of 2008 Microsoft was fined 899m euros by the European Commission for anti-competitive behavior, because Windows had a media player and a browser built in. Now, in order to comply with the anti-competitive legislation, Microsoft decided not to ship Internet Explorer 8 together with Windows 7, but also mentioned that there will be a load of simple ways to install a browser (in my opinion, most probably it will be done through the Windows Updates system).

I am not sure how the European Commission will react to this move by Microsoft, because the whole situation is a bit tricky. I will explain why. Say you have purchased Windows 7 with no browser and now you want to install one, so what will you try to do? Some of you are now thinking: “I will just download and install it”. Yes, this would be the easiest solution, but how are you going to download it if you have no Internet browser? :-) So the user will have to get a browser somewhere: purchase a CD, or download it on another PC and transfer it to the new one. But all these steps require additional action, i.e. time and energy spent. Eventually the users will be “forced” to use Microsoft’s easy way of downloading Internet Explorer 8, so all this business about not shipping an Internet browser is worth nothing. On the one hand the European Commission will be “happy” because Microsoft met some anti-competitive requirements; on the other hand people will still have to install and use Internet Explorer 8 and Microsoft will not lose its market share of Internet browsers. So in the end it is us, simple users, who will suffer from this whole situation.

What I would do in this situation, of course it will not be heard, but at least I can suggest :-)
I would create an independent source or repository of internet browsers, supported by all companies who publish their Internet browsers on this resource. Maybe an FTP server with loads of different browsers presented by the different companies. I would also build a feature into Windows 7 which would allow users to access this repository and download the browser of their choice. In my opinion, this would be a fair and open solution. But this will never happen, because: 1) to create this repository somebody has to spend money, and I do not think that the European Commission will pay for it; 2) Microsoft will never agree to build such a tool into their operating system, and I can understand this because it is their product and they can do whatever they want.

So here is the tip of the day: download the Internet browser of your choice and keep it ready for when you buy Windows 7 :-)

Good luck,


Friday, 10 July 2009

DataStream Advance crashes Excel 2007


Today I had an issue with the application called DataStream Advance 4.0 by Thomson. It is a financial application used for some real time queries of the financial data.

So here is the situation: one of the clients installed this application on his PC and added the Advance add-in to his Excel 2007. After this, his Excel started crashing on exit; I mean whenever he tried to close Excel 2007 it crashed and tried to send a report to Microsoft.

Eventually I found out that the crash was caused by an incompatibility between Advance DataStream 4.0 and Service Pack 2 for MS Office 2007. The only thing that helped was uninstalling Service Pack 2. (how to uninstall Office 2007 SP2)

Let's hope the next version of Advance DataStream will be compatible with SP2 for Office 2007.

I tried to find a solution to this issue on the internet, but there was nothing, so I decided to put it in my blog in case anybody has a similar problem.

Good luck,



Thursday, 9 July 2009

System Restore

Quite often I hear from people that something went wrong after they did some harmless operation, i.e. installed an updated driver for some hardware, or installed a new application or new hardware. In other words, they did some manipulation which led to system instability. It happens, because nothing and nobody is perfect. And please do not start blaming Windows; according to my experience, in 90% of the cases the source of the problem was between the mouse and the chair :-) (I mean the user, if you have not understood)

If you are having such problems it is always good to start with the simple fixes and solutions, maybe delete the driver causing errors or try repairing the installed application. But if nothing helps, here comes one of the most useful, in my opinion, features in Windows operating systems. It is called System Restore and it saves loads of time and nerves :-)

How it works:
System Restore creates so-called Restore Points and keeps them for future use. For example, when you make some serious changes to your PC, System Restore saves the state of your system as it was before the changes were made. It is just like in computer games: before completing some difficult mission you save your game, and if anything goes wrong you go back to the saved game and try again. You may ask: “Hey, what about my documents, will they also be restored to the previous date, will I lose my work?” The answer is NO, System Restore affects only the system and program files, it does not touch any documents. But I also have to mention that you will lose any applications installed after the restore point you use. For example, if you use a System Restore point from the 1st of July but you installed some game on the 2nd of July, this game will be gone, because the system will be restored to the state it was in on the 1st of July. I hope I could explain it.

I will not be explaining the technical details of how System Restore works, the main thing you need to know is that it really helps :-)

How to use System Restore in Windows XP:

1. Click on Start > Programs > Accessories > System Tools > System Restore

2. You should see a window like this. In this window choose “Restore my computer to an earlier time” and click Next.

3. In the next window you are given a choice of restore points. I was performing the System Restore on the 8th of July and, as you can see on the picture, I have chosen the 7th of July as my restore date. So I go one day back. On the picture you can also see the explanation of why this point was created: in my case I installed “Debugging Tools for Windows” and the operating system automatically created a restore point before installing the application. You have to choose a restore point dated before you started having problems.

4. The next window is just a summary of the System Restore operation. Once we click Next the System Restore will begin. You can see a message on this screen that this process does not cause you to lose your recent work.

5. Once you have clicked Next on the previous screen the restoration starts. You will see a small window with a progress bar saying “Restoring Settings”. When the restoration is completed, the PC will restart itself.

6. Once your PC has restarted you should see a Restoration report. In order to proceed click Ok.

If everything worked fine, your system should be working with no errors and the world should have one happier person now :-)

If the report says that the restoration was unsuccessful, you may want to try a different Restore Point (different date), maybe previous to the one you have just used. If you have tried several restore points but still have no luck, you may want to perform the System Restore in Safe Mode (you will have to do the same steps as I described before, but these steps have to be done in a special mode of the operating system called “Safe Mode”). See how to access the Safe Mode

If you want, you can undo the changes that you have just made. For example, you realised that some application which you installed yesterday has gone and you do not have the installation CD. You can undo the system restore; this will restore your lost application, but you will have to fix your system in a different way.

In order to do an Undo you have to open System Restore (you already know how to do this) and choose “Undo my last restoration”.

You can use System Restore to save your system’s state before you make any serious changes to the system. For example, if you plan to install a new fancy video card with loads of different features and applications, I would recommend you create a system restore point before you begin, just in case ;-)

If you cannot access System Restore it means that it is off on your PC. If it is off and you want to turn it on, here is what you do:

1. Right click on your “My Computer” and go to Properties.

2. In the System Properties window go to the System Restore tab. Here you have to make sure that “Turn off System Restore” is un-ticked. Also you can choose how much space on the hard drive you would like to allocate to System Restore; I would say just leave it at the default.

The good news is that you have turned on the System Restore feature on your PC; the bad news is that you cannot restore your PC right now, because System Restore was not running and was not creating any restore points. But you can use this feature in the future.

Microsoft has a very good article about the System Restore feature, you can find it here but I think my version is simpler and easier to understand :-)

Wednesday, 8 July 2009

