NZ School Computer Technician

Windows 7 is a crock

2012-01-04T11:11:00.001+13:00

That is quite a statement, nevertheless I am seeing an increasing number of problems with hardware devices that will not run in Windows 7 despite having drivers available. There seems to be more and more difficulty in getting device drivers that are reliable under 7, or else getting Microsoft to look into these problems. The level of this is well in excess of our Windows XP experiences. For the first time since we switched to Windows 7, which first started to be used experimentally in our school two years ago and has been full-on for all of this year, I am starting to build a Windows XP image for a brand new laptop. This HP Elitebook 8460p has a compatibility setting for the hard disk in its BIOS which makes it run XP setup without trying to load a driver (which is nearly impossible without a built in floppy disk drive these days).

As alluded to in previous posts, I and others working in this field are starting to get a distinct impression that Windows 7 is not what it’s cracked up to be. The support from Microsoft for this platform is just not there the way it was with XP and previous versions of Windows. The new technologies in 7 are supposed to deal with the issues that make you need to reinstall Windows. This is really not the case in practice and I have spent more time in an average year with reinstalling 7 than I ever had to on XP. Added to that I have had to rebuild images completely from scratch when Microsoft locks you out of your own image with the anti-piracy technology and things like the sysprep limit that never caused any difficulties in XP. At home I am going to have a second computer running XP to deal with the phone’s drivers that 7 simply refuses to install or make work. XP is reliable and dependable and will run everything we need to. It will most likely keep us going until handhelds take over.

School shuns popular Apple Mac for Windows

2011-12-14T10:54:00.001+13:00

This interesting article appears in Computerworld NZ.

http://computerworld.co.nz/news.nsf/security/school-shuns-popular-apple-mac-for-windows

The article talks about setting up a network of iMacs on a Windows server cluster. Everything the Mac needs on a network to be centrally managed is provided for in third party software running on Windows Server.

The important lesson here is that Apple’s hardware lockin to the Mac OS is a bad policy that should be dropped. As the Mac OS can be virtualised on any platform, Apple should remove the hardware lockin required by Mac OS licensing, or allow selected third parties to license rights to manufacture hardware they themselves can’t be bothered producing.

One for the Mac snobs: the hardware is virtually identical to the PC hardware platform and can run the same operating systems and have the same physical upgrades applied to it. The only real difference is the operating system itself.

Maybe in the post-Jobs era we might see Apple get out of PC hardware altogether or at least allow their OS to be licensed on third party industrial grade hardware or get their act together on enterprise computing for their platform.

Multiple account signup in Google

2011-11-03T14:59:00.001+13:00

Google has introduced a nice new feature that we all wanted forever when we have multiple Google accounts. You can be signed in on more than one account at a time and switch between them. Today is the first time I saw this feature in Chrome. What a great idea. I wonder if any browser extensions have implemented it before now.

How to write a ranking query in MS Access

2011-11-01T19:20:00.001+13:00

One of my little jobs here at work is to produce a report for two year groups of students that ranks their results on three different subjects that they take. The easy way to do this with MS Excel is to use the RANK function operating on a whole set of results and it works out the ranks and it can put the result alongside each student’s name. Going from Excel to Access requires us to write our own ranking function as there is not one built in. This type of function is called an Aggregate (which operates on a whole set of results i.e. all rows of a query, instead of one row at a time as you would normally work on for a custom column) and the query that it is used in is called an Aggregate query. In other words you need to Aggregate together all the data in the column you want to work on (all of the students’ results) and work out a ranking for each row based on that aggregation. Aggregation queries are typically using functions like Sum, Count and so on. Also called a Totals query.

Another way is called the Domain functions in Access. You can write your own custom Domain function. Basically in such a function you will use DAO code to run a subquery on the database. In other words you aggregate all of the data inside that DAO procedure or function and then do the comparison with the value that you were passed as the function argument.

In this case I was able to find out how to do the ranking in MS Access directly using SQL. You can enter this into the grid if you know how, but it is probably easier to type into the SQL box directly and Access will turn this into a grid format. The first thing you need is to create a query or table that contains the data that you want to rank, along with the primary key for each row. The next thing is to create your ranking query. The way you do this is by joining your source dataset onto itself with the Count function. I used as my source this useful page here: http://www.1keydata.com/sql/sql-rank.html

Based on their example my query looks like this:

SELECT OG1.Row, OG1.Data, Count(OG2.Data) AS Rank
FROM [PA Year 10 Maths Overall Grades] AS OG1, [PA Year 10 Maths Overall Grades] AS OG2
WHERE (((OG1.Data)<=[OG2].[Data])) OR (((OG1.Data)=[OG2].[Data]) AND ((OG1.Row)=[OG2].[Row]))
GROUP BY OG1.Row, OG1.Data;

OG1 and OG2 are aliases for the same table. Since we are ripping data out of Musac, this data is in the Cells0 table which stores numerical columns. Row is the primary key (student number).

As it is written above, the main issue is that two equal results get a rank that is the higher value rather than the lower value, e.g. 1,3,3,4 instead of 1,2,2,4 when the 2nd and 3rd ranked grades are equal. Most of the time people would want the second type of output instead of the first type of output. This turned out to be quite a simple fix, and that was to replace <= in the first part of the WHERE clause with < instead.

The next steps we need to look at are generating the word “equal” if two students have the same grade, and generating suffixes to the grade itself so that we can output a line that looks like “Congratulations on a 1st equal place” or “Congratulations on a 3rd place”. You can pass the grade into a simple function on each row to generate the suffix. On the other hand to get an equal, I used to use the CountIf function in Excel. The way to do this in Access is similar to the above:

Create a new query
Add the above query twice
Join the two source query instances on the Rank field
Select the Row, Data and Rank columns from the first query instance
Change the query to an aggregate and select the Count function on the Rank field of the second query instance as the fourth column. The result will show the count.

All we then have to do is pass this column into a custom function to output another column that states “equal” if the count is greater than 1. As it happens we can create yet another query to include the results of the above query, otherwise it’s a little difficult to pass a results column in this aggregate query into another column’s formula.

The Cult of Apple (or insert your favourite IT company name)

2011-10-28T13:49:00.001+13:00

Some people find these subjects extremely divisive. Nevertheless it is true. The Apple Messiah just died. The company will never be the same without him, like they weren’t when he bunked off the first time in the 1980s. This isn’t just an Apple thing. There are lots of companies that fit that model in IT, and many of them have driven the biggest advances in computing technology. The driving personality cults of their founders or key people seems to be what gives them the ability to be at the forefront of their field. But this ability often only lasts as long as that leader is running the show because of that personality cult component.

I wrote this one because in Christian circles, we find cults teach people the wrong ideas about God. Is there a parallel into secular cults? Are the values imparted by the leadership of secular entities like Apple, the best ones for our society? Apple is based on a proprietary hardware model, protected by highly controversial IP patents with aggressive legal action against anyone who tries to compete. I think the whole patent idea is highly flawed to the extent that it is being used today with software. These are all elements of control and it’s undoubtedly true that control is a highly important component of a cult. It’s easy to argue there has been a Cult of Microsoft, which has been similar to Apple. Even though they don’t own their hardware platform, they effectively got control of it through licensing practices that commercially disadvantaged competitors. The Cult of Open Source is more of a communal type of cult than a corporate one.

I think that once these cults have reached their peak, which most of them do once their founding leader is out of the frame, they will fall out of the frame, and new cults will rise up and replace them. In years to come, we will wonder what all the fuss was about Apple Computer or Microsoft, or open source.

Built in obsolescence

2011-10-19T23:12:00.001+13:00

When I specced out the upgrade of my home computer I decided on the Intel DG41RQ mainboard, which is nearly the same as the DG41TX mainboard that my new (at start of this year) work computer has. The DG41RQ is specced for DDR2-800 RAM with two slots and a maximum supported level of 8 GB. However, DDR2-800 RAM is economically available only to a maximum of 2 GB per DIMM unless you want to quadruple the price to get a 4 GB DIMM. I don’t know if this situation will change for DDR2 memory. If it doesn’t then this board is effectively limited to 4 GB maximum, of which only 3 GB is effectively useful in 32-bit editions of Windows. I could install Windows x64 on my home computer and get a boost of 800 MB of extra memory available, but most apps I use at home are 32 bit and due to the emulation layer for x86 code, they actually run slightly slower on a 64-bit OS. As well, the 64-bit edition uses up more memory when loading the 32 bit applications than the 32-bit edition does. The result is, that I just can’t see the point of going up to x64 Windows at the moment. On the face of it the DG41TX is more up to date because it can use DDR3 RAM which comes in up to 4GB sizes at present. However this board is limited to 4 GB maximum.

The bigger concern is that the DG41RQ board does have this effective limit of only 4 GB of RAM. When I got my previous system 5-6 years ago it came with 512 MB, which in the course of its life got upgraded to 1.5 GB, partly easier to do because it had four slots, but also because the previous edition of DDR came up to at least 1 GB per DIMM. As such going to DDR2 and finding there is an effective limit of 2 GB per DIMM is a pretty poor advance, considering boards with DDR2 were being installed in new computers only a year ago. It means this board can’t really have any more memory put in it. Ideally I would like to go up to that 8 GB and put in x64 Windows, but I can’t do that without replacing the board and CPU. When I specced the board, I knew as LGA775 it was pretty much the last of the line; the newer generation LGA1156 was available, but more expensive. This is just something you have to be careful about. What it means is that I probably will have to upgrade this computer in three years’ time instead of five.

These are the annoying tricks that manufacturers like Intel pull on consumers all the time. The technology gets obsolescent faster and faster these days.

Windows 7 Folder Redirection

2011-10-15T20:00:00.001+13:00

One of the more useful features for server admins on Windows is folder redirection. Basically this is a feature in which the user’s key folders such as Documents, Music and Videos can be redirected out of their user profile and into a fixed server based location. Taking the data out of the user profile speeds up login/logout times significantly.

The Application Data or AppData folder is one that can also be redirected and in previous versions of Windows this was a useful feature to have. However, in Windows 7, Microsoft made a bizarre and stupid decision to take the user’s start menu and other shortcuts out of their dedicated folders within the main part of the user profile (for example C:\Users\username\Start Menu would be the equivalent of the XP folder path for their start menu) and put this into the AppData folder’s Roaming subdirectory. The result of this is that what was a previously functional capability of having application data (which for the most part is invisible to the user) has turned into having the start menu (which is quite important and visible) redirected as well.

Whilst I haven’t investigated what this means, the fact that on my computer I frequently have problems with Taskbar icons that disappear (or rather the message is displayed “Can’t display this item, it must have been removed”) is most likely, in my view, related to the Start Menu redirection stupidity implemented by this design change in Windows 7. Redirecting plain old AppData is useful because a lot of this data does build up to a significant size over time and therefore is best taken out of the user profile. Redirecting the start menu, which doesn’t take up a lot of room, and is going to be affected by network disruptions, or perhaps a server going offline, isn’t a good idea. It’s another one of the changes in Windows 7 that Microsoft has foisted onto users without fully considering the implications.

In order to get rid of the impact of this decision (the disappearing taskbar shortcuts) I am going to have to stop redirecting AppData and therefore ending up with a larger profile and slower login/logout times as a result.

Are major peripherals becoming disposable?

2011-09-01T19:15:00.001+12:00

Here’s a conundrum. I can buy a new printer from the likes of Brother for around $99. The official Brother drum for this printer costs $150. Maybe instead of buying that new drum I should just throw the printer away each time the drum wears out. The same goes for projectors which now typically have a very long bulb life up to 5000 hours. The issue there isn’t the cost of a new bulb, but rather the fact that after 5000 hours of use the projector could be considered worn out, or near to it, or uneconomic to justify the expense of the bulb.

When we get into more expensive printers, the cost of consumables is less proportionate to the cost of the printer, so it is more worthwhile to replace the items like a drum with new ones. Especially where you can buy third party consumables for a printer, as you can for most Brothers, since they are one of the few printer manufacturers who have not chipped and patented their consumables. This is all driven by cutthroat competition between printer manufacturers, to the extent that new printer prices are so low the manufacturers are selling at a loss. But we are the losers because we go out and buy a whole new printer instead of a new consumable and therefore are throwing away a large bulky printer which is bad for the environment.

At our school we buy Brother and the important reason for that is that their consumables are much cheaper. So are the printers. That is provided you can get a good performance from them. Lately I’ve had a lot of trouble with Brother’s drivers. I solved that by using HP drivers with the PCL5 compatibility. This works only as long as PCL5 adequately reflects all the printer’s features. And the printer is misidentified as to its capabilities. So it is a bit of a mixed bag all round.

Amazon one click patent reaffirmed in NZ

2011-08-31T16:55:00.001+12:00

Amazon’s one click patent reaffirmed

Software patents are associated with a lot of monopolistic business practices and as such, worldwide, they should not be allowed to exist.

Outlook 2010 doesn’t save Exchange Live passwords

2011-08-30T11:16:00.001+12:00

We use Exchange 2010 Live via the Live@Edu service and Outlook 2010 has the ability to save user passwords, but at times it will not save them even when the box is ticked. Here are some possible solutions:

http://support.microsoft.com/kb/290684 describes the Protected Storage System Provider section in the Registry, however this may not apply to Outlook 2010 or WIndows 7. In my computer this key exists but is empty. (To find out more about the PSSP, see here)
The same article describes creating a new Outlook profile as an option.
Open the folder %userprofile%\AppData\Roaming\Microsoft\Protect on your computer. Rename the subfolder which is named by your account SID. (If you don’t know what your SID is, look at the subkeys in the Registry at HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsNT \ CurrentVersion \ ProfileList )
Open Credential Manager in Control Panel. Remove credentials that are related to your email address or the address of the Exchange Live server. Create new credentials (see below). This is correct for Windows 7. I don’t know when this architecture was first implemented in Windows but it is not present in XP.

In my case after looking at all the options, the one I actually tried out and can certify as a valid outcome was the Credential Manager solution. Open it up and under “Generic Credentials” you should see some that look like this:

MS.Outlook:mailusername@maildomain@servername.outlook.com
Username: mailusername@maildomain
Password: ********

What you need to do is ensure there is a credential for your account on the right server. I found that I had a credential for my account on a different server than the one where my mailbox is. This is because when you use Outlook Live webmail it is hosted on a different server. You can get the name of the server where your mailbox is held by going to Account Settings on the file menu, select your Exchange Live account and click Change, in there is a “Server Name” which will be someserver.mailbox.outlook.com.

Now you need to create a generic credential with the address MS.Outlook:mailusername@maildomain@someserver.outlook.com (note the server name is slightly different because it doesn’t have “mailbox” in it). Put in the username, your full email address, and enter your password in the Password field, and create the credential. Now when you log off or restart, the next time you start Outlook, the credential should be picked up and there should be no need to enter your password anymore.

Unfortunately after a shutdown and restart this was not a successful fix, and when I started up Outlook at home, where I was normally not required to enter a password, one was requested. I am now looking further into where the problem could be, since there is only one password request for two separate Outlook accounts which are both held on the same server. The home computer has never requested the password before. I am now wondering if the problem is that the server details have changed or something. I think possibly a clue is credentials that are listed as being modified “today”.

UPDATE (13-9-2011): The funny thing is that Outlook has not asked for any passwords lately.

Windows 7 Printer Installation Problems SNAFU

2011-08-03T14:09:00.001+12:00

We have had a huge saga with printer installation when trying to automate that and control these through logon scripts or the various Group policy settings. Some way back a few years ago, in the days of Windows Server 2003 R2, Microsoft added the Print Management MMC tool along with the ability to manage printers using Group Policy. Later on, after buying out a company, Group Policy Preferences were added as a means of managing printers through Group Policy. Each of these has its own problems. The most serious problem you will encounter with Windows 7 is the dreaded hang when processing Group Policy Printers Policy. We have had numerous experiences where this simply freezes. I can leave a computer and come back the next day and it will still be stuck on this screen. This is a very debilitating experience for the user who cannot log on to their computer. All that will happen is that there will be entries in the events log talking about a long time spent processing Group Policy but when you try to find help to solve this problem there will not be any to find.

Microsoft has made a complete dog’s breakfast of centralised print management for domain administrators, although the early Print Management MMC approach that came in Windows Server 2003 R2 was a promising start. It is mainly the issue that the limitations of this, in particular removing printers which does not actually work properly, has been compounded by the further problems when using Group Policy Preferences, which leads to the situation mentioned above with the logon freeze. In short the possibilities of being able to effectively centrally manage printer installation in Windows 7 have been kneecapped by what is now becoming a typical Microsoft cost cutting approach to resourcing these capabilities adequately. Therefore the only real option is to return to login scripting to install or remove printers, although this can also be managed through Group Policy settings.

I have started out by using a Powershell script, as Windows 7 / Server 2008 R2 has built in support for these in GPOs. Here I ran into the dreaded black screen after logon where the computer appears to freeze. Using some of the more reliable GPP settings like pushing across the registry key for DelayedDesktopSwitchTimeout and setting login scripts to run synchronously seems to be doing the trick after a lot of mucking around. However you should also check the event log on target computers in Microsoft-Windows-PrintService and if there are a lot of errors referring to malformed registry keys for specific printers then go into HKEY_CURRENT_USER \ Printers \ Connections and remove the subkeys for specific printers. In my test case deleting all these keys stopped the errors from appearing in the Event Log and allowed the printers being mapped in the login script to appear in the Printers folder.

The next step will be to have more printers being added in the login script. Just why this appears to be successful when GPP Printers does not work isn’t particularly clear. For us as system administrators a series of experiences where Windows 7 technologies appear to be lacking proper resourcing or support from Microsoft demands we respond with a “back to basics” approach and revert to tried-and-true, in this case logon scripting (which I thought had gone out with the ark). I don’t consider myself to be a programmer but that script will be getting updated and added to in future in order to make sure that printer installation and configuration can be relied upon. This is very important because incorrect printer installation will cause a lot of strange errors and problems with lots of everyday applications. I have seen these numerous event log errors before and deleting the keys from the Registry is not a new experience. I wrote about it here in fact. And looking back at that situation it is by remarkable coincidence (NOT!!!!) that the latest problems involve another Brother printer…

UPDATE: The saga continues because even though we have switched the server and clients over to driver isolation, the print spooler is still failing. The types of events now being logged are an inability to load the Brother print processor, even though it is not actually being used. In order to deal with this some registry keys that cause print processors to be loaded will need to be removed. I hope this fixes the problem as we have already paid for this printer and don’t want to have to return it. Here is the info about the registry keys:

The summary of this is to look for and remove registry keys under HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ Print \ Environments \ Windows NT x86 \ Print Processors. There will be subkeys named for each print processor in use in the system. The content is part of a much larger article on how to debug print spooler crashes. I hope this will be successful as the only other option is to get rid of the particular printer.

UPDATE 2: The above didn’t work in this case, as the registry keys didn’t exist. Although we are using x64, a search of the registry for the BrPrint processor failed to find its key, and there are no recent events for this print processor’s DLL failing to load. I can only assume with applying the isolation settings, the Brother print processors are not actually being loaded.

The solution now being tested is to do away with Brother drivers altogether. Most printers are compatible with HP drivers, and this printer turns out to work satisfactorily with the HP Universal Print Driver for PCL5. So far all testing is good. If it all turns out then all the Brother 64 bit print queues on our print server will be changed over to HP drivers.

Dunford’s Laws of Ethics

2011-07-27T22:32:00.004+12:00

This came out of a discussion in a forum I am a member of. The forum was discussing the ethics of dealing with particular large multi-national computer corporations.

I can state with a high degree of certainty that every one of the world’s greater and lesser humanitarians practices or has practiced the first three laws.

Each of us is personally and individually responsible for our own behaviour and decisions whether good or bad.
We are not responsible for the behaviour or decisions of others except where we have a legal duty of care or responsibility (e.g. parents, teachers)
Accept everyone unless they are disrespectful, breaking the law of our country, breaking rules that we have legal jurisdiction to enforce, or inciting others likewise.
God is to judge everyone, therefore we only judge in accordance with law 3.

V2P [4], Thin PC [4]

2011-07-15T10:14:00.001+12:00

A couple of weeks ago I wrote about how our laptops which were set up with native boot VHD would all have to be V2Pd because VHDs on the native boot system tend to get corrupted more often. This week it is time to put that into reality by getting started on the 14 laptops which will be continuing over the next couple of weeks. The first step is to back up the VHD. Then we can mount it to a drive letter using Diskpart commands. We then use ImageX to capture it in place to a WIM. After ImageX is complete we apply the image to the same partition where the VHD was. We then remove the existing BCD from the boot partition (easiest just to format it) and then use bcdboot to create a new boot configuration on the system partition. Then we boot and the laptop should be exactly as it was.

The more experienced of you will probably say I left a step out, and I did. That’s because it shouldn’t have been necessary to sysprep the VHD because we were just moving the image from one partition to another. And because MS have limited the use of sysprep to a maximum number of times it can be done, I try to use sysprep a minimum amount. But regrettably sysprep has proven necessary in this instance, because Windows 7 will detect the subtle changes in the hardware environment and lock down the computer and say it is not genuine and there is absolutely nothing you can do to make it work normally. And with all of the negative comment I have written about MS in the past couple of weeks, I have to say that this adds further to that viewpoint, as does the rest of this post. I did get that computer working but it was a real mess to have to go through it all again after having sysprepped it and that should not have been necessary, it was totally unnecessary but that is another example of the MS mentality.

The second thing I have been working on lately is Thin PC, the latest effort being to see if it can run a very old software package we have which is called Successmaker 5.5. This package has been around our school pretty well for the last 6 years and we started with it on Windows 98. The installer that comes with it had some trouble on Windows 7 and it wasn’t totally due to lack of elevation, there were some of the things it was doing that just wouldn’t work at all for whatever reason. So I tried another tack. I built up a Windows XP machine and ran Ghost Autoinstaller (AI) on it to capture the machine state, I then installed SM on this machine, ran AI Snapshot again and built an AI installation. Then I went over to the Thin PC machine and ran this installation. I then had to customise some config files and then I tested it and it worked properly. So it looks like we can load up some machines with this version of 7 and have them running this old legacy package.

I then decided to capture the installation with sysprep and this is where I ran into problems. On reboot there was an error during installation, some problem with the product key, and Setup threw a fatal and told me to reboot. Well of course that did not fix the problem at all. This became another unrecoverable setup error like others I have seen before. The only fix is to remove the image and completely replace it. As you would understand this means I have to build the image again from scratch (as my pre sysprep image turned out to be corrupted). It’s becoming abundantly clear that Windows 7 Setup can’t actually recover from many errors and even if MS fixes the problems like this they have bought themselves another bad rep with OEMs and organisations which use imaging.

UPDATE: The one good thing about reimaging the laptop with a sysprep was that all I had to do after setup finished was join it to the domain. It picked up the existing user profiles and settings that were already on the laptop without problems. So it looks like to speed up this process, because I had to repeat nearly all the steps from the beginning to implement the sysprep, that we will just back up the VHD, then sysprep, then image etc. But sysprep would not have been necessary if some idiot at MS had not decided that we will make an image totally unusable instead of giving a user the chance to activate it again. And the same mentality exists when a setup fails and forces you to completely throw away your image and start again.

!@#$%^ Windows stupid ownership / permissions changes in Vista/Server 2008

2011-07-07T13:55:00.001+12:00

This is a response to the above message which zillions of system administrators world wide hate seeing on their server console. These messages were introduced as a new “feature” of Windows Server 2008, along with the changes that cause them. Microsoft arbitrarily brought in different meanings of ownership in Vista/2008 that are different from XP/2003. In Vista/2008 the ownership of a file or folder has precedence over permissions that are assigned to parent folders. For example in a home folders share, where individual users have created their own home folders or have had them created by an automated process, they are automatically the owner of those folders. Even if the administrator has full control over the parent folder this ownership blocks the normal inheritance of permissions. While there may be situations where an administrator should not have access to users’ home folders, this can already be catered for within the existing mechanisms for setting permissions on a parent folder and assigning them to different administrators, rather than imposing a one size fits all solution based on a Big Brother idea of dictating to organisations how to run their own file server in their own organisation.

Now, a solution to this is to change the ownership of all the files and folders in a location. Make the administrators group the owner and that will fix all these problems? Actually, it won’t. The second change which came about in Vista/2008 is that the administrators group in general no longer has the same authority over the server as they used to. Everyone has seen innumerable messages telling you that unless you tell something to run as administrator, the fact you are a member of the administrators group does not actually give you the rights you should normally have to do something. The implication of this for ownership is that changing the ownership to a group actually does not work. Changing the ownership to “administrators” group does not overcome the problem of getting the above message in the slightest. Windows basically will not honour those settings unless the ownership is changed to only one user. This means that a group of administrators cannot administer files because only one individual user account can be the owner of the files at any one time. Likewise you cannot grant other users administrative permissions to a file share because they are blocked by the ownership issue on the files and folders in it.

These features might make sense on a desktop computer used by only one server. They don’t make sense on a server where an administrator has to be able to manage files. For example we have scripted backups using Robocopy. It is common to see “Access denied” messages in the logs from running these scripts, purely on the basis of this arbitrary ownership change.

Why has this happened? MS has come up with the cheapest and simplest for it solution to all their massive security headaches and put these changes in without asking users what they wanted because all that matters is getting the bad publicity about security breaches off the front pages of newspapers. Some way back I wrote a hard headed post about all the ways that Vista lies to users. These faults to some extent were fixed in 7, but not in Vista. The solution, always, fork out more money for a new edition of Windows. A pattern that is becoming more and more common in Windows these days. Customer service has gone out the window.

Here is a thread that details how annoying Windows 7 home users find this functionality

As aside: What happens when you click Yes to the dialog box shown at the top of this thread? Windows automatically assigns you permissions (Read and Execute only) to the folder in question. Windows has to do this even if you are a member of the Administrators group and have already inherited permissions to the folder, and your user account you are logged onto at the moment is a member of that administrators group; in other words, you can’t use a group to manage security permissions for a resource any more unless they are not some of the built in administrative groups. I haven’t quite figured out yet if I can make up my own group of administrators and give them permissions, but so far everyone seems to be tainted by association with the membership of the Administrators group.
By way of more testing I have confirmed that if I give permissions on the folder to individual user accounts then all the permissions work. If I create my own group and make my administrative accounts members of that group and apply permissions for that group, they don’t work. It is like MS has forced a Deny full control by default to the Administrators group. You can have read only access but not full permissions unless those permissions are granted to individual user accounts only.

None of these changes make any sense, nor does Microsoft appear to have any concept of accountability for them.

Windows Thin PC [3]

2011-07-06T18:47:00.001+12:00

Today’s Thin PC experience has been to set up a computer at work to see what I can do with it. I wrote a custom shell in Delphi 5 which has a very simple task of launching Remote Desktop Connection and passing a RDP file to it. This means the user doesn’t have to do anything. By enabling the RD SSO settings in Group Policy, they don’t have to specify their username and password to log on to the RD server, instead the username and password they used to log onto Windows are used. The thin PC is joined to the domain so all the settings are configured using Group Policy. So when the user logs on to the computer, they don’t get the standard Windows shell; instead, they get connected automatically to the RD Server. When they quit Remote Desktop Connection by logging off, the only option they have, the custom shell detects the quit and automatically logs them off the computer as well.

There is a bit of tweaking still to do but overall this is a very positive and worthwhile experience getting this working.

Windows Thin PC [2]

2011-07-05T20:22:00.001+12:00

Following on from today’s earlier post, I have found out that WTPC is supported by WAIK, which allows for a custom image in the same way as we would set one up with Windows 7 Enterprise. I also found out how to get Remote Desktop client to start automatically by replacing the shell. However I will probably have to write a custom shell (a fairly simple task) to provide a way to shut down or log off when Remote Desktop is closed, as otherwise the user is left with a blank screen.

We can also use Group Policy to set up Single Sign On for Remote Desktop. Therefore our thin PC would be domain joined and the user would log onto it using their regular domain username and password. It would then automatically start up Remote Desktop Client and use their credentials to go straight through to the remote server, so the experience would be pretty seamless.

The next question is whether logging off the session can cause them to be logged off Windows, as well, or whether the custom shell would have to detect their logoff and then automatically log off Windows.

Windows Thin PC

2011-07-05T10:14:00.001+12:00

Recently I was logging into the MS VLSC and I noticed a MAK for Windows Thin PC. So naturally I wondered what this was and took a closer look. Windows Thin PC was put on general release on 1 July (five days ago) and it is essentially Windows Embedded Standard (2010) (i.e. Windows 7 SP1 embedded edition) made available to SA customers (which includes all NZ schools that are signed to the MOE Microsoft agreements). The installation onto my old home PC, which is six years old and pretty limited these days (for example it can’t run 64 bit), was as easy as it gets. You will need the minimum specs that have been around since Vista, the most important is 512 MB of RAM installed.

Although MS recommends a WDDM driver (i.e. Vista compatible), as is the case with Windows 7 generally, the drivers that come with it do a pretty good job with a lot of hardware. The motherboard in this case being an old Intel D915GAG – one of those infamous “Vista Ready” motherboards that didn’t have a native Vista driver and therefore can’t do Aero. For this type of application that doesn’t matter. However this MS driver doesn’t support widescreen resolutions so ensure your displays have the 4:3 aspect ratio or just put up with a slightly fuzzy picture. Drivers were installed by Windows for the other devices and everything works as expected.

Windows Thin PC on closer inspection turns out to be similar to other thin client editions of Windows I have used, with limited features and functionality. However the considerable advantage is that Microsoft supports it, so you aren’t limited to the functionality or support level of an OEM. I got my fingers burned when I bought a HP thin client box that had support for RD Gateway which I thought would let me log straight in from home on it. Only to discover that some of the components needed weren’t installed and HP didn’t make them available so that was a waste of time/money.

The main application I could see us using Thin PC for is a Remote Desktop client. I assume that all our Thin PC machines will be domain joined and have an automatic logon to a shared account. The desktop will be completely locked down and the only allowed application will be the Remote Desktop client which will automatically load and come up. The user is then logging in remotely using their own username and password, to a Remote Desktop server, which gives them the desktop they are normally using. We have done testing with Remote Desktop configurations with student accounts and also with hardware thin clients so it is a pretty standard lite computer configuration used in lots of educational settings.

Well, as it happened, the Remote Desktop experience was pretty much what I expected. It fully supports the functionality of RD Gateway and the like, and I have now got this Thin PC at home that I can log in to the school’s network on, although this is mainly just for demo purposes as my regular home PC can also do this of course. Thin PC is the replacement for Windows Fundamentals for Legacy PCs, which was based on XP Embedded rather than Windows 7 Embedded. WFLP is quite old having come out five years ago. It will be interesting to see if imaging can be used with WTP, although I doubt this is really necessary because the default installation does the job and nothing needs to be installed on it.

How to fix Windows 7 logon error: “The Group Policy Client failed the logon. Access is denied.”

2011-07-04T19:12:00.001+12:00

I have seen this particular error several times with Windows 7 and Vista and we are not helped by a lack of documentation from Microsoft for this problem.

In my case the most recent instance of this occurred when I had to drop and recreate a user account. The first time I got the error I tried deleting the local profile, deleting the server profile, giving the user administrative permissions on the laptop, you name it. In some instances instead of getting the above message the user would appear to log in as normal until “Preparing your desktop” then they would be logged out with no further explanation.

After a great deal of frustration I came across this helpful page and adapted the instructions to my situation and the problem is solved. Here is how I applied the steps:

Start up Regedit on the affected computer
Go to HKEY_USERS
On the File menu click Load Hive
Go to the folder of the affected profile and open NTUSER.DAT
Name the new key e.g. Profile
Right click this key and select Permissions
Select Advanced
Add the account of the user whose registry this is and give them Full Control and replace permissions for Child Objects with inherited permissions from this object.
On the File menu click Unload Hive
Close Regedit.

In this instance at Step 7 I found the SID of the previous user account had full control.

I still don’t have the foggiest idea why the new user account didn’t get the permissions assigned – how does this happen I have no idea. But it’s been a long day and time to go home.

FOOTNOTE: This all went well until I tried logging in the user on the Remote Desktop server – which picked up their new roaming profile, instead of the local one on their laptop (naturally), and threw the same error. To cut a long story short I had to repeat the steps on the server copy of the profile. Since this profile was created new, I don’t have any clue as to how the incorrect permissions got set in its NTUSER.DAT file.

Native VHD data integrity issues / V2P [3]

2011-07-01T14:39:00.001+12:00

The first thing to say is we are now moving to implement all of our deployments which have been in VHD, to physical i.e. V2P. This includes all computers such as desktops, although being networked with users’ personal files redirected to network shares, they are not as critical as laptops which all have users stuff in the same VHD. Simply put we are finding with desktops that there is a higher incidence of boot failures with VHD indicating we are perhaps pushing the technology beyond what was expected of it.

However this doesn’t get away from the greatness of native VHD as an image development/build scenario because you can still do that development process based around native VHD and then deploy to physical. To do this is currently a two step process using ImageX, mount the VHD to a drive letter, capture it with ImageX, then apply the WIM to the target using ImageX. What I am hoping for in the future is that Microsoft will come to the fore and change ImageX to work directly with VHDs so we don’t have to have WIM and VHD versions of the same image.

I wrote further back that I had figured out that we only need to keep pre-sysprepped images and sysprep them on each machine at deployment. Now our remaining post sysprep images will be getting wiped soon so I have enough disk space to store the WIMs I have to make of the deployment VHDs.

Compared with our native VHD deployments to things like a computer suite it actually takes no more time to deploy with ImageX from a network share than it does with NativeVHD and you do save the time it takes to copy the WIM locally to the target platform by getting ImageX to pick it up from a network share and apply it at the same time, this therefore is the equivalent of the VHD copy to target stage. The rest of the steps take exactly the same time as they would for VHD. You run BCDBoot the same as you would for virtual except giving it a different drive letter perhaps. In due course I will have scripts set up to run all the various steps including the ImageX step maybe.

The good thing for us is that the same technologies are used to prepare VHDs for deployment as can be used with ImageX WIM images and therefore there is an easy transition between the two. As Microsoft have given us this great technology for image testing and development, since it really is only suitable for test environments, and since they have integrated capabilities to mount VHDs in Windows 7 and Server 2008 R2 GUI as well as command line (Diskpart), I am quite hopeful they will come to the party with ImageX enhanced to work directly with VHD so that these images can be deployed to physical as this is what ImageX does.

Native VHD data integrity issues / V2P [2]

2011-06-29T20:12:00.001+12:00

Last time around I posted on the issue of native VHD data integrity considerations. Native VHD is a very fast to deploy imaging solution. However because having your whole hard drive in a single file increases your vulnerability to disk corruption which could make it much more difficult to recover data in case of bad sectors, I do not recommend Native VHD for computers on which the user will store all their own data, unless that data is stored on a different disk partition.

There are a couple of scenarios for addressing this:

Move the user’s profile storage onto a separate disk partition. Telling Windows to use a different drive for the Users folder should actually be possible by using the MKLINK command, which creates what is known as a Directory Junction. There is plenty of documentation on how to do this on the web. However my primary concern is whether this scenario is officially supported by MS. There are some scenarios where moving directories that are expected to be put into C drive can break the installation of service packs or updates. So this might not be the best option, unless you have tested it and are completely sure it works.
The second scenario is simply to do a V2P, converting the VHD to a WIM file for final deployment. At the moment this is what I am doing for a trial. We will partition the disk just as we do with VHD boot, but instead of copying the VHD to a partition and setting it up there as the boot drive, the WIM file will be applied with ImageX to a partition and BCDBoot will, instead, have to be invoked to cause the computer to boot from this different partition.

The scenario for a V2P is pretty easy to get started with. Simply mount a VHD to a physical computer. In our case I have a virtual server that has the image VHDs stored as files within its own virtual hard disk. Without shutting down that virtual server I can go into Disk Management and attach a VHD, which makes it accessible through a drive letter. I can then start up a deployment command prompt as an administrator, and run this command line:

imagex /capture source_path destination_image “image name” /compress none /verify

source_path is the directory path to be imaged e.g. C:\

destination_image is the path and filename of the WIM file to be created

image_name is a text string that gets saved in the WIM file to say what it is

/compress is an optional switch to specify compression. Turning it off will speed things up

/verify is for some sort of integrity checking

Note that the /capture switch requires all three of the parameters specified in italics above.

This got me a WIM file in about 38 minutes which is quite reasonable for about the same number of GB. The actual WIM file itself is only 21 GB which is interesting considering compression was turned off. Windows automatically excludes a few paths but it does bring up the idea that the VHD file could be compacted, but I can’t be bothered doing this. Also WIMs support Single Instance Storage which is probably not operating in VHDs, this could also reduce storage.

I then booted up the target in PE and performed the steps similar to VHD imaging, running a script through Diskpart to create the partitions the same way, then rebooted to get the proper drive letters assigned to the disks. Back in PE, I had to copy ImageX to my network deployment file share as it is not included in a standard Windows PE boot image. It is deployed in WAIK and since my virtual server mentioned above is also a deployment server (it has WAIK installed on it) I logged onto that and copied ImageX to the deployment share. I then ran ImageX to apply the image to the target with this command line:

imagex /apply image_file image_number dest_path

image_file is the WIM file that contains the image

image_number is the number of the image in the WIM file (since WIMs can store multiple images). In this case 1

dest_path is where to apply the image to – in this case E:\

The apply process looked like it was only going to take about 15 minutes so I found something else to do while it was working. This is quite quick, as every other time I used ImageX it seemed to take a lot longer. Maybe I was trying to do backup captures with a lot more data. In this case, incidentally, the image is stored on a network share, so ImageX is doing pretty well considering it has to download it over the network connection, although to be fair the server is physically about 2 metres away from the target. There is a bit more distance in copper and 3 switches involved but all of those are in the same building and running at gigabit speed. As it happened the image was completely applied in 16 minutes which is a pretty good achievement.

Once you have finished running ImageX the next step is to run bcdboot in order to designate your deployment partition as the one that gets booted up. This comes about because Windows 7 (and Vista) use a separate system partition to boot the computer. The boot partition then starts the operating system from its own partition (the one the image got loaded onto). The command here is pretty simple:

bcdboot windows_path /s system_path

where windows_path is the Windows directory in the OS partition and system_path is the drive letter of the system partition.

We already used this command for our native VHD deployments in a command script so it looks much the same.

Once this is complete then try rebooting to see if Windows will start up. I found that indeed it booted up as expected. If your VHDs have been built already on that target platform then it is likely they will have all of the required drivers already incorporated. So you are unlikely to run into driver installation problems. As expected Windows has set the partition to C drive (which will occur irrespective of the drive letters that appear in Windows PE; in this case E:)

Therefore the likely scenario for us for laptop deployment is to convert the final deployment image into a WIM and deploy it using a modified version of our Native VHD deployment scenario. We will therefore keep the use of Native VHDs to two scenarios:

Directly imaging platforms where user data is not saved to the boot drive (such as student computers or other networked desktops)
Testing our laptop deployments only – the actual deployment will be physical.

I now have to decide whether to do a V2P on those laptops I sent out. Since we already partitioned the disks that would be a relatively simple ImageX step but I would have to make a backup of the VHD first. Both however are relatively straightforward, the main issue is how big their VHD now is since we copied all of their data into it.

V2P added to VHD image development does require that extra step so we hope that MS will develop a version of ImageX that works directly with VHD files – at the moment ImageX only works with WIM files. This would eliminate the VHD to WIM conversion step and therefore save more time as well as the need to perform that conversion each time the VHD gets changed, and the extra space needed to store the WIM files.

The overall lesson is not to be too bleeding edge, and to read all the documentation. If you were backing up your VHD regularly then there wouldn’t be a problem. But people don’t do this. Microsoft really does talk about Native VHD being a test scenario. I haven’t seen them support it as a production scenario. It is mostly something that lets you service VHDs without special servicing tools (in other words, in scenarios where you can’t service them except by booting up) and it is only supported on Enterprise and Ultimate editions of Windows 7. We will continue to use it for both virtual and physical deployments as a useful image development system, but the actual deployment will be physical where necessary.

Data Recovery (and native VHD data integrity issues)

2011-06-29T15:32:00.001+12:00

There are a couple of important considerations with the use of native VHD based imaging. These are particularly necessary to think about when you are creating an imaging system that is based around the native VHD boot capability

Firstly, computer hibernation is not supported. Microsoft hasn’t particularly provided us with any reason why this is the case; they just state that that is so. This could be an issue with laptop computers.

Secondly, and this is the big one, all of your C drive is stored in that single file. In theory, this increases the risk of data loss from a disk if for some reason that single file is affected by errors on the physical hard disk.

Let me expand a bit on the second scenario. From time to time we see laptops that have a damaged hard disk. Even if the computer can’t boot Windows it is usually possible to recover most of the files on the disk simply by copying. It is rare to lose all of the data on the disk in a situation where there are only a few files that may be unreadable.

If you extrapolate this into the Native VHD scenario then if all your data is stored in a single file and that file becomes unreadable, then normal scenarios for copying files will not work. You will have to consider whether scenarios exist where you might be able to recover only part of the file and if there are any data recovery tools or systems readily available that can retrieve files from a damaged or partially recovered VHD file.

I have just about completed a deployment of laptops with Native VHDs and this scenario has somehow escaped me up to this point. It is very rare for me to have to deal with a situation where a hard disk fails to the point that data cannot be recovered off it, or it is unreadable by Windows (or Windows PE). Usually if there is a small amount of bad sectors I would boot to PE and then use Robocopy to copy as many files as possible onto a backup disk. If a few files got missed because of corruption we would look at recovery scenarios but this has never happened.

Imagine if a VHD file could not be copied in its entirety then you would have to make use of more sophisticated data recovery scenarios. There are some good Rescue CD options for this.

My idea for the moment is to take a look at V2P scenarios. I will post again later on once I have looked further into this scenario.

Windows Thin PC Due For Release

2011-06-20T11:46:00.001+12:00

If you have a subscription to the Volume Licensing Service Center, you may have noticed a MAK key for Windows Thin PC lately. WTPC is the replacement for Windows Fundamentals for Legacy PCs, and just as that was offered to NZ schools on the NZ MSA, it appears that WTPC will also be offered as part of SAB.

WTPC is a lite edition of Windows 7 and according to the FAQs it is based on Windows 7 Embedded. It will be downloadable through SA from 1 July. It would appear at this time that it could support older PCs with 512 MB of RAM and be able to be used primarily as a terminal server client. Basically this would be an alternative to installing Windows XP on those old machines. However we will have to see if a machine that doesn’t have its own Windows 7 driver could run WTPC successfully because such machines don’t have the WDDM driver that is recommended.

We do have some older PCs in classrooms that aren’t able to run Windows 7 so I expect this will be tried out to see what we can do with them in due course.

What works in Windows 7 imaging and what doesn’t

2011-06-15T11:51:00.001+12:00

With all of the experience I have amassed in Windows 7 imaging this year and with our experiences of different technologies it is becoming abundantly clear what works and what doesn’t, for the number of computers that we have.

What doesn’t:

MDT. Although this has a great deal of promise it is too complex for an organisation of our size. In order to get the best out of MDT it is necessary to spend a lot of effort setting and maintaining MDT itself, as well as scripting the installations for different platforms. This includes scripting the automatic installation of third party applications that don’t always work or aren’t as well documented or supported.
Deploying images that have been sysprepped from installation on one particular hardware platform. Our experience has been that it only takes small changes in a target hardware configuration for Windows to refuse to complete installation from an image that has been sysprepped, regardless of which drivers are involved.

The second point is a particularly troubling one. Our experience with Windows 7 is that it can refuse to complete installation from an image if the hardware is slightly different even where the drivers are not boot critical. This appears to be a fatal flaw in Windows 7 that should not even be an issue. If a device is not boot critical then it should be disabled and the installation continued allowing the affected device to be set up at a later time.

The second point also has an impact on MDT since it is sysprepping an image before it is captured. It may be that MDT’s driver injection process can work around this limitation but not having been aware of it at the time and not being a user of MDT now I can’t say if that is the case.

Along with the built in sysprep limit, this has caused me to review our imaging strategy as below.

What does:

Native VHD imaging. A great technology that makes it easy to deploy and back up images on target platforms simply by file copying procedures.
Deploying pre-sysprepped images to a target and sysprepping only that target as the final setup step. DISM is used only if there is a problem with a boot critical driver.

We have basically proved with our imaging experience to date that a pre-sysprepped image can be deployed to a relatively wide range of hardware. If there is a boot critical problem with such an image it is a relatively easy process to service the image with DISM and inject the necessary driver to the image to get it to boot on the target. Pre sysprepped images do not have the same problem with missing or incorrect drivers that sysprepped images do unless the driver is boot critical, such as for a hard disk or disk interface.

Because all images are only sysprepped as the final deployment on that computer, there is not going to be a problem of drivers providing that the pre sysprep image contains all the correct drivers for the target.

There will be fewer generations of images to store and thus a saving in disk storage space.

There will also not need to be as many different images for different hardware platforms especially those that are not used very often.

VHD Resize [2]

2011-06-02T13:59:00.001+12:00

A couple of posts back I wrote about getting a native VHD down to a smaller size to use on a system with a smaller HDD than what it was originally built on. That time I just used standard defrag along with shrinking in Disk Management. This time around that wasn’t going to get the VHD small enough to fit on an 80 GB HDD so I had to try another option. Helpfully Defrag will put information into the event log about immovable files. Using that I worked out I needed to boot the VHD and turn off System Restore in the OS, then mount the VHD in another OS and defrag it again, then shrink again. This time, success!!!! The VHD shrunk massively to 20 GB. After considering the further options, I then expanded it again, up to 50 GB.

After doing this you still need to change it from a dynamic 127 GB file (in this case) to something smaller. Even though it only has a 50 GB partition in it, Windows 7 will still try to expand it to the full 127 GB at startup, which of course fails. So VHDResizer is the next step to get it to, in this case, a dynamic 50 GB file.

There are still a few things I don’t understand, like why a VHD that physically only needs 32 GB of disk space can’t be shrunk in partition size below 72 GB. I presume that the dynamic format compresses zeros or blank space, but if it can manage this then it should be possible to defrag that blank space as well, instead we get the fiction that the unmovable file can’t be shifted, yet we know it is possible with third party tools.

The next little hassle with the target was to get it to boot Windows PE. When I fed it the pen drive, it spat it out. So then I had to spend a lot of time creating a Windows PE 3.0 boot CD, and that is like chalk and cheese compared to the pen drive; it displays the old Vista progress bar instead of the Windows 7 startup animation, and takes a lot longer, with much more blank screen, to get to the command prompt window. From there, after following the standard amount of initialisation of the disk and copying the VHD, it was a surprisingly short step to booting up on the VHD and getting this unsysprepped image to start.

Messy Imaging

2011-05-17T15:08:00.001+12:00

There are some scenarios that DISM doesn’t work in as you would expect. When I set up a reference image for a new platform, because of my imaging topology I have images that are pre-sysprep, post-sysprep and post-dism. Generally I would choose a pre-sysprep image, but then it has to be mucked around with and sysprepped before it is ready to use. If I only had one laptop, maybe it would seem simpler to use the post-sysprep image?

Well, it seems not all images are equal. We got an Elitebook 8540 laptop, it’s the only one the school will ever have. So I thought that a post-sysprepped image with the use of DISM to give it the right drivers to start up would work. I did something similar last week with a 6710b and used the pre-sysprep image because it would need to be cloned. The problem is that for my 8540p, the post-sp image doesn’t work. It bluescreens before the Windows 7 animated moving pieces of logo have even finished circling. But if I use a pre-sp image exactly the same way, there is no problem.

So it appears there is a good rationale for having three image generations – apart from the sysprep limit that forces us to have pre-sp images in the first place. Perhaps there is not a need for a separate post-dism generation (the dism stage is done on the post-sp image to prepare it for final deployment). At the moment the process for readapting an image to a new platform is to copy the pre-sp image from another platform, dism it to remove old drivers and add new ones, and move the serviced image to post-dism for deployment prototyping. Once the image has been prototyped on the target platform there is then a series of pre-sp, post-sp and post-dism stages for the reference image for the new platform. In this case some of those steps might be skipped.

So it would appear there is some difference between an image that has been sysprepped and one that has not when it comes to servicing the image offline so that it can be reused on a different platform.

Resetting a bootable VHD for another hardware architecture

2011-05-11T22:05:00.001+12:00

Today I tried putting a laptop bootable VHD image onto a different laptop. I had tried this before and it wouldn’t boot. There are two problems actually:

The VHD file when expanded to its full size (126 GB) which happens at boot time, was then too big to fit on the available space of the HDD. Microsoft has a new Blue Screen of Death number (0x135 I think) that comes up when this happens.
The VHD had to be serviced with driver files for the different laptop so it would actually be able to boot up Windows on this laptop.

To solve the resize problem is quite involved. The VHD has to be attached to a virtual machine, defragged and then shrunk in that VM. In this case defrag didn’t itself achieve anything beyond what shrink itself could do, but the latter did bring the size down to 72 GB which should be acceptable.

This page here gives one methodology with the steps you can use. I simplified this somewhat and just shrunk the partition in Disk Management of Computer Management. I then moved the VHD back to the server it was originally on and then ran a tool mentioned on that page called VHDResizer to size the VHD to the partition size. This basically works by creating a new VHD file and copying the existing one to it. The web page as mentioned above probably allows much greater levels of resize but it already took so long to get the VHD defragged and so on that I cut out some of the steps in the web page and just lived with the VHD being larger than desirable.

The next step is DISM using in this case the Chipset drivers for this laptop which are the ones that contain disk drivers, finally the disk got copied to the laptop and rebooted, which worked. Finally!

Don’t get burned by Trademe’s restrictive shipping fees policy

2011-05-01T06:57:00.001+12:00

I’ve operated a personal Trademe account for a couple of years. I only traded a small amount of stuff and haven’t had to ship anything that I can remember. Earlier this year I opened a work account and started to sell surplus computer equipment that we had had, which has brought in a small but useful amount of money for us. However, in doing this I have run into points of disagreement because Trademe seeks to regulate and restrict shipping costs in a way that is, in my view, completely at odds with the rest of the way their site operates. The auction process is a form of arbitration or negotiation. In effect the final sale price of goods is arbitrary and arbitrated in a way that is only lightly regulated in a system like Trademe’s – as it should be.

But when you get to shipping charges, Trademe has this clause which says “You may only charge reasonable amounts for shipping”. If you ask for that to be broken down, it comes to “You may only charge for the physical cost of packing” and “You may only charge for the amount you pay the shipper” (for example the fee for ParcelPost or a courier”. In actuality, when shipping goods, you are likely to incur additional costs. In our case, I would expect it to take me about half an hour to pack the goods, and there is likely to be fuel cost for me to deliver the package to a post shop. There is no logical reason why a shipping fee can’t include these costs. I think that most people would feel that these would be “reasonable”.

Every time that I have spoken to Trademe before to ask a question about how things work, they have always given me an explanation. This is the exception. They have not explained why they have this draconian restrictive shipping fees policy, nor are they open to having their policy challenged. It may be argued that the extra costs should be factored into the price of the goods themselves. This results in a higher price for buyers who are coming in to pick up goods. You could give a discount but this is possibly contrary to Trademe conditions as well as, like many things on their site, discouraged by financial penalty. It may be OK for a business to operate this way but many small traders are doing this part time or as a hobby, do not have a shipping department at their disposal to dispatch goods in the most efficient way, and therefore are doing it themselves and will incur the extra costs. Every other business that is doing mail order can charge the shipping they wish and the parties to trade can negotiate directly on shipping charges.

The only reason I could see for this policy is to push up the sale price and therefore, Trademe’s commission on the sale. As I have noted, in real life the cost of shipping, outside of doing business through Trademe, is one of those things that people can always negotiate. People are questioning the charges and fees that Trademe imposes, some of which are ridiculous (a fee to put a reserve on goods, a fee to change the closing time of the auction etc). Therefore there is room to question other parts of how Trademe operates and the possibility they might be abusing a dominant market position. The major competitor to Trademe is the Sella site which has managed to mop up Zillion and Sellmefree among others. I expect their popularity is far less but they have the correct policy on shipping fees, that it is by negotiation. I have had my fingers burned twice by Trademe over the shipping fees and they won both times because of the restrictive rules and (excessive) penalties they impose. I also believe strongly that there are traders who refuse to ship goods because of Trademe’s policy, and that other traders are interpreting “reasonable” as I would interpret it and as most “reasonable” people would interpret it.

Given the exorbitant price that Trademe was sold to Fairfax for (some $750 mlllion – who would pay that for a simple website) they are a “big business” and their policies and charges need to come under scrutiny as is the case for all big businesses.

Google targets enterprise with Chrome MSI

2011-04-05T21:31:00.001+12:00

Last time I wrote about the difficulties we had experienced with the standalone Google Chrome installer that is supposed to install for all users. Although I was not able to get support in the Chrome forum, I have discovered today that Google is producing Chrome in an enterprise edition. As the article I was reading noted, Firefox has traditionally been quite weak in this area. When we deployed Windows 7 to our suite PCs, we put the beta FF4 onto them. It wasn’t long before users let us know that they couldn’t get out to the internet with FF – for what reason I don’t know, but we quickly ditched the image and loaded a new one with Chrome instead. The standalone installer worked on that occasion but on numerous others since I haven’t been able to get it to do a full install. So the Chrome MSI and other enterprise offerings look as though they will address this problem.

The main other part of the enterprise package is Group Policy templates which let sysadmins preconfigure settings for users and computers on the network. Overall I would say this looks like a much better outcome than Chrome was looking like so far; Google has certainly put some effort into beating IE at its own game.

Google has also addressed the operation of Google Update in an enterprise environment with a policy template. Of course, if you prefer not to use Group Policy, you can directly enter settings into the registry for the keys specified.

Chrome policy templates – Download the Group Policy files here
Chromium Blog: Chrome is ready for business – Article describing the work done to prepare Chrome for enterprise environment and the options available. Link to download the MSI.
Chrome policy list – Details of the policies for Chrome
Google Update for Enterprise – documentation on the policy settings and download ADM template link for Google Update.

Google Sketchup is an application that doesn’t use Google Update to control its update settings. However, these settings can be controlled directly using the following registry keys:

HKEY_CURRENT_USER\Software\Google\SketchUp7\Preferences – change the value of CheckForUpdates to 0 to disable the check.
HKEY_CURRENT_USER\Software\Google\SketchUp7\WelcomeDialog – change ShowOnStartup to 0 to stop the welcome message (which often says “Update to the next edition”).
One of the reasons you get a welcome message is to get the user to select a template. You can set the path for the default template by writing the DefaultTemplate value in HKEY_CURRENT_USER\Software\Google\SketchUp7\Preferences. If you are using a login script or Group Policy Preferences to automate this, you will need to determine in some way where the templates directory is, since this will vary across 32 and 64 bit systems, and for different editions of Sketchup. Unfortunately there is not an easy way of reading the location from the Registry, just as there is not a way of determining which editions of Sketchup are installed on a local computer.

The Browser Wars Get Dumber

2011-03-22T19:23:00.001+13:00

Once upon a time there was NCSA Mosaic. And then there was Netscape Navigator, and then there was Internet Explorer.

And then, Netscape begat Mozilla. And then there was KHTML. And then KHTML begat WebKit, which begat Safari (after a failed tryst between Mozilla and Apple). And then Mozilla begat Firefox. And then there was Opera. And then WebKit begat Chrome.

And that describes the history of most of the major browsers available on Windows up until now.

The rivalry between Mozilla and WebKit based browsers in particular has got a lot of bad blood associated with it. WebKit was created by Apple as the basis of Safari after Apple took a look at Mozilla and decided it was too bloated (which it was at the time, being a whole communications suite instead of a lean mean browser). Mozilla’s response was to create Firefox. So the main browsers for a while were Safari, Firefox, IE and Opera. Mozilla cruised along with Firefox through the first three releases, until Google rolled out Chrome, based again on WebKit. Suddenly Mozilla felt threatened again, and they rushed out a very similar looking Firefox, copying many Chrome features. So Mozilla can be characterised as reactionary rather than innovative. Clearly, Mozilla feels they have to prove that their open source development model can keep up with market realities.

Chrome is an interesting and yet dumb piece of software. The dumb part is the installer that comes with it. The default mode of installation for Chrome, when you go to Google’s website and click on the download button, is a local installation for the current user only that runs from their AppData folder. It is specifically designed to get around application installation restrictions that an administrator may have placed on a system. As such Chrome is written by a bunch of cowboys.

The way that you are supposed to be able to do a global installation is by downloading a version of Chrome called “ChromeStandAlone”. But it still incorporates similar dumb behaviour as the regular version. The only time I have been able to make the standalone installer do a global installation is when starting from scratch with a brand new installation of Windows. As soon as the image got sysprepped and deployed, ChromeStandAlone switched back to local install mode. Even when it is installed properly, the first time any user runs it, it has to waste time creating a shortcut on that user’s desktop, even if there is one in the public desktop already. Bet it doesn’t know how to uninstall hundreds of extra Chrome shortcuts when the administrator decides to uninstall it. Dumb, dumb, dumb…

When I see all the dumb ways that companies like Apple and Google try to hijack the Windows platform to advertise their own (Apple puts videos of Steve Jobs into iTunes, Google does the above kind of thing) I think how dumb do these companies think users are? No, it is these companies who are just plain dumb.

64 bit Native VHD Deployment [3]

2011-03-21T18:25:00.001+13:00

I have just completed making our laptop image (also 64 bit) and that is to be tested shortly. I used MDT to make the previous deploy but now I am switching to native VHD as well. It looks like the laptop VHD is OK and there are no problems. So this means we can ditch MDT altogether and just use native VHD for everything (as we don’t use MDT for XP) except older Ghost stuff (XP). MDT is much more complex. It has its place if you do a lot of imaging and want to have fewer images with customisations to various types of hardware handled automatically. If you have only a few images and just want a simpler deployment method then nVHD is just an update on Windows AIK that means your deployment is just a simple file copy of the VHD file instead of applying a WIM. So updating the image is a much simpler process overall of just replacing the VHD file with the new one. At some future point I will detail how to do this practically as we do it.

The laptop image was deployed successfully although there seem to be issues with x64 Sysprep with the answer file because that wizard that comes up at first boot has six pages now instead of three. In the process of testing the laptop image I updated it to add the recently released SP1 of Windows 7 and had to install an additional software package. The deployment of the computer suite image has also been successful and it also is being updated to SP1 at the moment along with some minor tweaks.

When we transfer staff from their old laptop to the new one we make a complete image of the hard disk of the old laptop as a backup and then extract their personal files (My Documents etc) from the image. In the past I have used Ghost for this. However these days it is just easier to use the Disk2VHD tool released by the Sysinternals group of Microsoft to make a VHD backup of the HDD instead, which is done online by running it from within Windows. Then there are various ways to open the VHD. My preference is to use the latest version of 7-Zip which can open all sorts of useful formats like VHD, WIM and ISO among others, and it is freeware.

64 bit Native VHD deployment [2], etc

2011-03-15T21:03:00.001+13:00

Having completed the deployment of computers for student use the next task is to create the image for staff laptops. At this point we need a boot media for Windows PE x64 and traditionally I would have created a boot CD. But the Windows PE walkthroughs create one that seems to be a waste of time, really slow to boot, apparently running an older version of PE etc etc – so I have decided not to bother any more. The Probook 6550 card reader seems to be unable to boot my SD card so I set up a pen drive as a boot device and it copes with that OK. Pen drives are so much easier to set up than a bootable CD which has to be configured with extra steps to make it bootable and create an ISO file. You don’t need to do this with a UFD, it’s just a matter of copying files to the device after formatting it and away it goes. I have customised Windows PE by using startnet.cmd to start a custom script that maps up a network drive to an installation share which contains other scripts used to perform various tasks related to native VHD boot, which simplifies things a lot.

For the Probook 6550 I have run the HP applications installer over my basic installation VHD and am just about ready to sysprep the image – the next stage after that is driver injection with DISM. Then it will be ready to deploy.

We are now back having reopened yesterday. One of the things we had completed before the earthquake was the installation of Enable’s fibre connection. At the moment we are not switching to it but this might happen in the next few months. The biggest and best is a project to lay fibre between two of our sites. If this happens we can consolidate our servers with one main server and one backup. The current link between sites is using “54 Mbps” wireless (real speed around 15 Mbps) which is very slow and increasingly inadequate when transferring large amounts of data and it makes it necessary to maintain two full spec servers in order to reduce the amount of traffic on the wireless link or to give users a reasonable speed experience.

As I continue to explore the world of AIK, I discovered the Volume Activation Management Tool yesterday. The VAMT is primarily of benefit to those of us who wish to manage MAK license keys, as opposed to the use of KMS. It has been a lot more straightforward to us at the moment to use MAKs because the KMS hosts we set up don’t seem to be getting any activation requests and I haven’t got time to check this out. The VAMT lets me remotely activate computers that require a MAK which I guess would be for both Windows 7 and Office 2010. This means they don’t need to be manually activated.

Also part of the AIK is DISM which I previously mentioned. This works very well most of the time. The main problems being when it can’t unmount a WIM, this in fact happens too often in my view so I hope MS will address the many times as when it refuses to unmount then a reboot is the only option left.

Windows 7 SP1 has been released. There have been some issues which people have discovered when installing it. This seems to be mostly from using WSUS. Unfortunately DISM can’t be used to apply it offline. I wonder if this is yet another example of MS’s stripped support model that seems to be developing for everyone who isn’t using Azure or other cloud services. Everything that MS does these days seems to be geared towards pushing people onto Azure et al, everyone else gets a shrinking level of support on their stuff.

64 bit Native VHD deployment [1]

2011-03-07T18:44:00.001+13:00

This is my first post since the big earthquake hit Christchurch on 22nd February. I’m not going to write here on the earthquake itself except to say that we have been closed for the past 14 days and will reopen next week. At the moment I am just picking up where things have been 14 days ago. I was just finishing the preparation of a 64 bit VHD ready for our computer suite. Since our 32 bit VHD deployment was, from a technical viewpoint, successful, I have decided to move things along and use native VHD more as a deployment system. Hence I have started to produce 64 bit native VHDs for our two major deployment imaging requirements: staff laptops and student computers. The idea is that the computer that is running Windows AIK tools that are used to service these images can be running 64 bit Windows OS (in this case Server 2008 R2) and so I don’t need to maintain a 32 bit OS VM to service 32 bit images as is the requirement when using x86 images. Therefore I can store the images on the network shares of the server itself without having to copy them to the 32 bit VM to use DISM on a local disk as it won’t work on a network drive.

The second reason for building new images is to get around the Sysprep Rearm limit as detailed in my last posting. The 32 bit laptop images in particular were subject to this limit because they had been sysprepped multiple times. Therefore a new 64 bit image has to be built from scratch which is copied before it is sysprepped. My first attempt to build a VHD attached to a Hyper-V VM failed rather spectacularly when it came to the point where it had to be loaded onto the target platform (to install platform specific applications). It got partway into the boot screen (the point where the Windows 7 logo gets drawn from various moving parts) and then bluescreened. I poked around trying to debug what was happening but couldn’t work it out even though a Temp folder is put onto the boot drive which appears to contain information to help tracking down the problem. I think the issue is that Native VHD is very specialised and as yet not well enough documented beyond the MS group that created it.

So I have started again with building images, this time from scratch on each of the target platforms. The starting point in each case being a generic VHD that had been configured to be dynamically expandable to 127 GB maximum size and loaded with the Windows 7 x64 Ent installation files on it. When the target gets booted to this VHD for the first time it will set up Windows on it. It is not sysprepped, it just acts like a first time Windows 7 installation for any target platform.

The 64 bit image for our computer suite has been successfully test deployed and so far it looks good. A trial deployment will follow shortly in along with preparing to reopen our computer suite along with the rest of the school. The laptop image will be completed this week as we have to get the new laptops ready (the completion of this was deferred due to the earthquake). The tricky thing however about Windows PE is that I will need to create 64 bit boot media or use a MDT 64 bit boot CD that I already have. So my SD card will have to be updated to a 64 bit edition of Windows PE, including net card driver injection. This is mainly because BCDBOOT comes in 32 bit and 64 bit editions and therefore the 32 bit Windows PE image can’t run BCDBOOT which is needed to set up the BCD when creating a new system from scratch.

The nasty Sysprep Rearm 3-step limit and working around it.

2011-02-14T16:33:00.001+13:00

If you haven’t heard of Rearm (or SkipRearm before) then this is a tricky little thing that Microsoft has introduced into Windows Vista and Windows 7, as part of the more complex activation thingys. And it is an annoying thing. Any one image can only be sysprepped three times before you get this thing kicking in and telling you that Sysprep had a fatal error with the Rearm component. I got this today when I took what was supposed to be my do-all, good-for-everything 64 bit 7 Enterprise image. Last week I copied it to a laptop, installed the laptop-specific stuff on it, then put it back onto the VM, and today I tried to sysprep it, and got this error.

The simple answer: don’t sysprep more than you have to. Keep a master image that hasn’t been sysprepped, and make all the changes you need to it. Then make a copy of it, and sysprep that copy. Whenever you need to make changes, go back to your master that hasn’t been sysprepped, make the changes on that, copy it, sysprep it, deploy it. It just means extra work copying files around.

I suspect this is the reason that MDT Sysprep stopped working the last time I tried to use it. The imager VM had the same image on it that it always had, and it had been sysprepped a few times. Enough to hit that limit. Even though I haven’t been able to find out what error was thrown, it would have been the same count as the sysprep I tried to do today, and so it failed.

As you may recall, one of the criticisms I had of MDT and AIK was the need to keep a 32 bit VM running to allow 32 bit installations to be serviced using these tools. Well, that won’t be an issue for much longer. I think we’re about to bite the bullet and go to 64 bit Windows on everything. And then the AIK and MDT can be installed on a 64 bit server and there won’t be any issue for them. What in fact I will do is install those on my server now and set up new 64-bit-only MDT/AIK shares that they service.

But for right now, for getting those laptops out, what I am going to do? Well after some thought I decided to start building my image again from scratch, this time making the necessary copies of the VHD so that it can be done properly this time. Another thing I did today is to run the Office 2010 OCT to make an installation that automatically puts the activation key in, so we don’t have to bother about the KMS to get things installed. So pretty soon I am going to be building a new image for our computer suite that is 64 bit and then they will all be changed over to 64 bit the next time they need reimaging.

Don’t use 32 bit Windows with more than 3 GB of memory

2011-02-11T20:46:00.001+13:00

Well the subject of this post is that everyone should be getting used to 64 bit operating systems and migrating to them. Today I saw a laptop that had 4 GB of RAM, the very latest HP that we can lease for a school in the TELA scheme. With the 32 bit edition of Windows 7 it reports it has 2.92 GB of RAM available. Now I thought this was a bit low as I knew more memory is reported for the 64 bit edition of Windows 7. I was quite shocked to discover that the latter figure is 3.8 GB. In other words a difference of around 900 MB. This is quite a significant difference.

Since as far as I know these TELA scheme HP Laptops are only available with the 32 bit edition that has been built up for the Tela scheme, we will definitely be continuing to customise our laptops with the 64 bit edition of Windows 7. We are currently looking at the best way to deploy these. As previously described in this blog I spent a lot of time learning to use MDT and while it is a very sound method it is technically complex and requires a significant amount of specialised resources to maintain. Therefore I am having a look at Native VHD deployment as a means to achieve what we want, which will be along with the use of WSIM and DISM as described in a recent series of articles. At the moment I am as a first stage loading a VHD to one of the actual laptops in order to customise it with hardware-locked applications that are normally installed by a MDT task sequence. After that it will go back onto the imaging VM for tweaking and then the sysprep for deployment. The way of doing backups with VHDs (instead of MDT based capture) is to use Microsoft’s Disk2VHD tool to capture a hard disk into a VHD file. So we could almost dispense with MDT altogether.

After the first week back at school our nVHD deployment of 30 computers in our suite has been generally successful. The main issue to date is getting Windows and Office activated; as we put in a key for Windows it still has to be manually activated, while Office should be activating against a KMS server but isn’t. I can switch Windows in future back to KMS but we still have to work out why the Office KMS server (which is a different server from the one that handles Windows 7 activations) isn’t receiving activation requests. As it happens Office will not stop working but it will just keep on warning it needs to activate so we have a bit of time to sort out that problem.

Another big task is creating 300 accounts for all our students who have individual logon accounts. We used our previous SMS to export a CSV that was hacked in Excel and then fed into a VBscript to use ADSI to set up the accounts. This year with Musac I have created a separate Access database to handle this task and that of creating the output CSV file to feed into the script. Naturally I have decided some enhancements are possible. For example with Outlook Live having a Powershell interface it should be possible to create email accounts at the same time. Further capability will be added later. The main change is that the creation of the accounts will be automated with the names of students being used and, to get around the 20 character length limit for the sAMAccountName field, the UPN name field will be set with a 3 character UPN suffix, thus each logon will be xxx.yyyyyy@zzz which is standardised for all logons. This will be the first time we have set up and distributed accounts with the expectation for using a UPN name.

It is important to note when using UPN names for accounts that Windows still sets the %USERNAME% environment variable for the user to the value of sAMAccountName. When you create home folders for your users you need to allow that the sAMAccountName is the one that is relevant to Group Policy Folder Redirection for %username% and that this still needs to be unique even if it is truncated to 20 characters for users with longer names stored in the UPN. Log in, look at the environment variables and see how many uses there are made of that sAMAccountName value. Also all our new users are getting their home drive changed to O: because a lot of computers have extra drive letters with the additional partitions for Windows 7 and nVHD as well as card readers and the like.

Deploying Native Boot VHDs [6]

2011-02-06T20:58:00.001+13:00

We have successfully completed our first ever mass deployment of computers using the Native Boot VHD technology of Windows 7. This article carries additional detail of the deployment phase of this project.

The average transfer rate for the 15 GB VHD over the network was around 45-55 MB per minute equating to around 4-5 hours to complete the copying. The machines then had to have several more scripts run to complete the initial setup. In future updating the machines will only require the VHD file to be replaced. After rebooting the Windows Setup Wizard will appear and ask you to provide some settings such as the computer name and a username. It automatically restarts the computer again and brings up first time login. After this the only remaining step is to join the domain, this may be automated in future.

Both of the main activation tasks, the Windows 7 and Office 2010 activations can be handled by setting up a KMS server. This has not yet been done but it is one of the next tasks, being quite straightforward, and relieves you of the need to manually activate, and in Office’s case enter the product key as well.

Although the copying stage of the VHD may seem slow it is roughly equivalent to Ghost without the network congestion that multicasting produces. My experience of simultaneously ghosting multiple machines is that it rarely meets expectations, in that it is typical to require several hours or more and thus produce no real time saving at all.

D-Day

2011-02-05T22:19:00.001+13:00

D-Day is Deployment Deadline Day. D-Day is also the day where I have had a record amount of trouble with my work computer, which has had to be restarted twice so far, firstly when Explorer crashed and wouldn’t restart, and then the second time Windows Live Writer wouldn’t load.

The process of getting from a reference image to deploying it to target machines is somewhat multi faceted. The process we use goes something like this:

The VM is shut down
A pre-sysprep backup of the VHD is made
The VM is booted
The VM is sysprepped (which can only be done live). At the end it shuts down again automatically.
A post-sysprep backup of the VHD is made.
The VHD is copied to another VM for offline servicing.
DISM is used to inject the drivers in offline servicing.
The VHD is copied to a network share to be deployed.

Bare metal deployment requires numerous steps and I have been in the process of creating and testing command or Diskpart scripts to automate as much as possible. A spare SD Card with Windows PE, scripts and tools loaded on it is set up to boot. Press the right key and the hardware boot menu comes up, then select the SD Card to boot from it. First task was a simple Diskpart script to create the three partitions needed on the HDD. So what was done on Wednesday afternoon was to boot every new PC to this card and run this script against Diskpart to initialise and format the disk. Then we had two days off for our annual staff retreat and I came in to work again today, Saturday.

Looking at the rest of what was needed I got started with a script that mapped a network driver letter to the share on the file server to allow the VHD to be copied over the network instead of an external HDD. This is all fine but the problem that showed up is that network drivers for this particular hardware platform are not included in Windows PE. Some time ago I wrote about learning how to inject drivers into Windows PE 2.0. As this is PE 3.0 the process is slightly different and is basically the same as injecting them into a Windows boot image: using DISM, first step is to use DISM to mount the boot.wim file (you don’t need to use ImageX to do this anymore). But as we don’t need or want the 1.4 GB of images that the VHD got, I just gave it the path to the network drivers folder and it injected two drivers only taking about 4 MB. After all changes are completed use DISM to commit changes to the WIM. Then this was copied over the existing boot.wim folder on the SD card and away we went. The Net Use command can be scripted to specify both username and password in the command line so that has been handled OK.

My next act was to attempt to fully script the process of running BCDBoot to copy the boot files and set up the BCD in the system partitition. This has run into snags because as soon as I tried to get Diskpart to set up the partition it threw various errors. In the script I got it to attach the VHD and assign it a drive letter. It objected to the select vol that it was given and apparently therefore could not assign the drive letter or do any of the other commands except detach the VDisk at the end. But when I ran diskpart with the script that attaches and assigns, the volume was there as expected at the end so I don’t see why all the other errors occurred. At this point I decided it was just easier to put all the scripts and tools onto Y drive (the network install share I had set up earlier) than mucking around with the SD card all the time, and this lets me make some boot CDs as well to speed things up for deployment.

Also in the deployment tools documentation for Windows 7 AIK is detailed instructions on how to install RE and customise it to specific requirements. A future project is to add the RE to the system partition so that a boot media isn’t needed to boot up the machines for reinstallation in future. I’ll look into it sometime when I get some free time.

Basically at this point all the machines are copying the image all at once and network performance seems to be extremely slow. This means the machines will probably take half the night to complete copying the 15 GB file. I’ll come back in the morning to finish working on them.

File and registry virtualisation in Windows 7 and Vista

2011-02-05T00:32:00.001+13:00

File and registry virtualisation in Windows 7 and Vista is a new technology that deals with the requirement of some applications to be able to write data in locations where the user does not have access permissions, as well as the user inadvertently choosing these locations. The latter functionality in particular can trip you or your users up and perhaps it is better to educate your users about the limitations of saving their data into “system reserved” locations.

For example C:\Program Files (or the equivalent for different boot drive letters) is such a location and you may find (as I did this week) that attempting to save data files from an application into this directory will result in the file “disappearing” or “appearing”. In this case I found I could see a view of the file only in the Save dialog of the exact application that created it. Explorer wouldn’t display the file at all.

After looking into this I found a resource on MSDN that details this process. In this case the file is being written into a subdirectory of C:\Users\<username>\AppData\Local\VirtualStore and actually did exist in that location when I checked. The point of what was in its original location is that it looked like a file, not a shortcut to a file that was stored somewhere else.

These technologies appear to be targeted at legacy applications in that they only apply to 32 bit apps, not 64 bit for example. As such they fit in with applications that wouldn’t meet the current Windows Logo cert requirements.

Migrating to Windows 7 from XP with OS Specific Desktop Policy

2011-01-28T20:34:00.001+13:00

This article is mainly focused on the issues which come with the migration for the user experience, as opposed to the task of getting new hardware or upgrading older hardware and installing the operating system on it. There are challenges which come with differences in the operating systems and the configuration settings that apply to them. This is especially true if you are using Group Policy or Registry settings to lock down desktops for certain classes of users, as would be quite common in a school environment with students for example.

Whilst it is tempting to think some of the differences can be dealt with by using loopback policy to apply OS specific settings only to machines which have a specific OS, this brings other complications, mainly when a user with administrative rights logs on to a computer and finds that the same lockdowns are applied to their account. I would highly recommend from experience that loopback policy for desktop experience settings is only used as a stopgap measure, until such a time as all of your computers, or as much of them as possible, can be transitioned to as much commonality in these settings as possible, so that the majority of them can be taken out of loopback policies and put back into the per-user section of the policy tree where they don’t affect all your users the same.

For example, we used to redirect the Start menu in Windows XP so that it displayed a pre configured set of icons. In fact, it was redirected to the All Users Start Menu, which in turn was configured with exactly the set of icons we wanted the user to have access to. This immediately causes problems in Windows 7 because the equivalent is stored in a physically different path. I decided ultimately to stop using this redirection completely in Windows 7. This means at least for the moment that I have to find a way of differentiating between Windows 7 and Windows XP computers. In the short term I can immediately do this using a loopback policy. However that will also limit me if I log on to one of these computers as an administrative user because that policy ends up being applied to every user the same. In the longer term therefore I must be able to take as many as possible of the policy settings out of loopback and into a user specific policy.

If I have a browse through my Windows 7 policy file then there aren’t that many settings that are Windows 7 specific. So it wouldn’t really take long to weed out the ones that only apply to 7 and loopback only these specific settings, with everything else into a user specific policy, and then make life simpler for people administering these computers. I wouldn’t say it will totally fix the problems and it is possible we would look at other means of making these computers administrable. One option is to set up local administrative accounts as these are not subjected to the limitations of group policy.

MDT & Intel Arrrrrgggghhhh!

2011-01-27T16:48:00.000+13:00

Last year I spent a great deal of time learning how to use MDT. And it seemed like a good system. It worked well and there were only a few hiccups with it.

Suddenly this year it is proving to be a great deal of trouble and I’m wondering why I bothered with it.

Firstly, I made an effort to get a capture done from a VM image. There were no problems getting that capture done before. But now, for no apparent reason, MDT starts refusing the capture, and when it’s MDT, the reasons won’t be that obvious; the error messages you get will be meaningless like “CloneTag” or something, and you won’t be able to work out just what is going on without a lot more work.

The second instance is this year when I have started to work on laptops, and for good measure I loaded the carefully crafted and fully tested laptop image onto three new laptops. These types of laptops never gave us any trouble before loading this MDT image. But now, all three of them have inexplicably crashed during the MDT deployment process, leaving me with a pile of work to get them completed because half the task sequence hasn’t been completed.

At the moment I am not in a place where I have got time to poke around trying to find out why MDT has failed. I expected this deployment to go smoothly. It hasn’t. It is very time sensitive and it will have to be completed manually with a lot of extra work involved.

With all the amount of trouble that it can be with MDT at times like this I am really seriously considering just going over to native VHD deployment for all of our Windows 7 computers. Then we will only need MDT to simplify some of the management and I won’t be doing captures or deployments with it.

The second MDT (and AIK for that matter) annoyance is the design limitations that means a 64 bit installation (which is made on a 64 bit platform i.e. Windows 7 or Windows Server 64 bit edition) can only service installations that are for 64 bit target platforms. To be able to service both 64 bit and 32 bit installations, the 32 bit version of MDT (which can only be installed on a 32 bit edition of Windows) has to be installed. So this means that the computer that MDT and AIK is installed on has to be running a 32 bit edition of Windows. And since 2008R2 came out it is 64 bit only. Now the importance of this is that I wanted to have my Setup share a local drive letter on the MDT/AIK VM. This means it can only be running a Desktop edition of Windows and thus there is the infamous 10 connection limit. So in reality this would limit access to that share to 10 connections. Sometimes when you see these limitations you wonder if MS really has a clue what people use these packages for or they just must think people are made of money so they can fork out for another license for a machine that runs that specific edition of Windows (and another hardware box if that is what is needed). For me I have a Enterprise server license that will let me run this VM as part of the license but it still ends up with that 10 connection license to run a desktop edition of Windows.

The other annoyance is the server rail kit for Intel 5295 chassis. We ordered a rack that is 700 mm deep, thinking this would be plenty, after all the chassis is about 500 mm deep. But this very poorly designed Intel product will not fit in a chassis that is less than that size, even though it allows a huge gap at the back of the server, the rails require minimum of 700 mm depth in the chassis to fit in, and even at that you should really be looking at 800 mm chassis depth because the front door of your cabinet will not close. But of course in the minimum size 12RU chassis that we purchased, it is not available in more than 700 mm depth. Not until you go to 22RU and that is much too big and expensive.

So while the rack manufacturer’s product is good, Intel has really let us down with this silly very poor design. I went all over Intel’s website and looking at other websites to see what information is there about this design limitation (the product is called APP3RACKIT) and there is NO information. Absolutely NONE at all. If we can’t get the kit returned we are going to end up having to try to resell it, and we’ll end up losing money on it.

Deploying Native Boot VHDs [5]

2011-01-27T13:15:00.000+13:00

The steps for deploying a native VHD boot are the same as if you are using a third party imaging solution, such as Ghost. Effectively, copying a VHD is a kind of third party imaging solution, in that it is not a directly supported deployment scenario for the Microsoft Deployment Toolkit, its predecessor Business Desktop Deployment, Windows Deployment Services, or System Center Config Manager. Ideally at least MDT would have task sequences added to automate the required steps, namely Sysprep and DISM.

Hence having used a third party imaging scheme before, it took me little effort to get going with Native VHD deployment as we originally developed a Vista image using Ghost along with WSIM and Sysprep. The stage I didn’t get around to at that time was DISM, or possibly it was different under Vista. This time I have to use it because the network card driver for our particular target platform is one of those which is not included with Windows 7, and thus, out of the box, Windows 7 will not be able to search for drivers for the other hardware.

When we developed our first Vista image I had a buck both ways and also ImageX’d the PC so that I had this image available in case Ghost didn’t work out. As it happens, Native VHD deployment is like ImageX except that the stage of physically imaging the hard disk and reloading that image to target PCs is replaced by copying the VHD file to target PCs. ImageX has the advantage over Ghost of being file-based rather than disk-based, and various other things it can do like having multiple images stored efficiently in one WIM file due to single instanced storage. Native VHD on the other hand is like a partition, due to the fact that a VHD file is a virtual hard disk. When you deploy it, multiple VHDs can represent multiple partitions on the target system. Its strength lies in the fact that you don’t have to physically define and maintain partitions on the target computer’s hard disk, especially if you have more than one. Re imaging the target is as easy as booting up to a Windows PE command prompt and copying the new VHD file over the old.

Once you have sysprepped your VM with your deployment VHD attached to it (as this is an online step), the final step before deployment to target platforms is to perform offline servicing. This is what DISM does. Its name stands for Deployment Image Servicing and Management, and like other tools that you use in a Windows PE command prompt, such as Diskpart, it has been extended for Windows 7 to work with native boot VHD files as well as WIMs. Supposedly you can pass Dism an unattend.xml file that you set up with WSIM that has a driver path specified in the [2 offlineServicing] section. I wasn’t able to make this work, so I just copied the drivers to the local HDD and used the Add-Driver option instead. The use of DISM is pretty straightforward, although since it cannot work over network paths, you may need to copy your image file somewhere locally first (I recommend you also copy your unattend.xml file to the same directory):

Start the Deployment Tools Command Prompt by right clicking it and choosing “Run as administrator”.
Browse to the directory which contains the image you are performing offline servicing on.
You will need to use Diskpart first in order to map the VHD to a drive letter.
- Start Diskpart
- At the Diskpart prompt, enter select vdisk file=<path_to_vhd>
- Enter attach vdisk
- Enter list vol to see if diskpart has assigned a drive letter to the file. If not, use the assign command to assign a drive letter. In this case drive letter F has been assigned. Typically you will find two extra drive letters automatically assigned: one for the boot drive partition, and one for the system partition.
- Enter exit to quit Diskpart
Type in a command which starts with dism /image:<drive_path> followed by a servicing command.
- For example: dism /image:F:\ /get-drivers will list the drivers already present.
- To add drivers off a local path such as C:\dism, enter a command like dism /image:F:\ /Add-Driver /Driver:C:\dism\Intel /recurse (Intel is where I have copied the driver files to).
- After doing this you can use something like dism /image:F:\ /get-drivers to see what was installed.
- The first time I tried this 198 driver packages were added to the image. YMMV – You may wish to trim down your driver folders (These were only four devices in total). This number of drivers added 1.2 gigabytes (!) to the image size.
After using DISM, detach your VHD using more Diskpart commands before you copy it to the target platform.
- Start Diskpart
- Enter select vdisk file=<path_to_vhd> (or press the up and down arrows to recall the command that you entered when you used Diskpart earlier in the session)
- Enter detach vdisk
- Enter exit to quit Diskpart
Deploy and test. (I copied the VHD straight over the network from C:\Dism on my MDT VM)

Eventually AIK is going to get installed on my tech server VM where all the setup files are local so that I don’t have to copy the files around each time I’m using DISM.

We have more or less finalised the process of imaging for our computers now. There is just a bit more tweaking and customising the image to get it all working properly before we deploy soon.

Deploying Native Boot VHDs [4]

2011-01-26T17:51:00.001+13:00

The first time startup with the sysprepped VHD went reasonably well until an error message was displayed:

After that the system was stuck in an endless loop of displaying messages which basically said “Windows could not complete the installation. To install Windows on this computer, restart the installation”. Then the system would restart and, you guessed it, the same message was displayed again.

Now our first thought might be that that isn’t where we originally put our unattend.xml file and that is probably true, however it does get copied here. So we need to get the log files that are created by the installation which will tell us what problems have caused this error. To do this I need to boot my target system into Windows PE again and examine the VHD that way. We can do this by using Diskpart to attach the VHD and assign a drive letter to it. Then I can browse it directly to find the log files, which in this case are in c:\windows\panther\unattendgc. It is recommended to detach the VHD before quitting, using Diskpart commands again. After I checked the log files I found a couple of issues which have resulted in corrections being made to the listed settings in Part 3 of this article series. Part 3 has been updated with these corrections. I fixed up the answer file using WSIM again.

I’ve also decided I will set up a custom folder for DISM for OOB drivers for this image because it’s pretty easy to do and will simplify the process of injection by limiting the number of drivers that are injected to those which are needed for this image. So that stage will require the drivers being copied to a custom folder in the AIK share and then the path in the answer file will be changed. With the changes to the answer file that also needs to be recopied to the VM before reprepping it.

There is one software package I have not been able to install onto the VM because it is the software for the DVD writer and it won’t install if the drive is not present. This means that final customisation of the VHD will require it being deployed to the target platform so this will be done before it gets sysprepped. This of course means a target platform has to be available at some stage of the image development process. I will have to see how I can make this work out in practice. It was something I had hoped to avoid because obviously the primary benefit of using a VM to build up images is that you don’t need access to a target platform until deployment. However in practice this should be OK, just a little inconvenient. After this convoluted process of getting the VHD onto the target and then back again, the software installation was completed. The reprep was then started. This went more or less as expected. I am currently testing and finalising settings and preparing to DISM the image.

Deploying Native Boot VHDs [3]

2011-01-25T17:52:00.001+13:00

OK so we start up Windows System Image Manager (WSIM) and create a deployment share, which is in my Setup share (where all the other setup files and images are stored). AIK uses something similar to MDT; as far as I can tell, MDT adds a few folders to a basic AIK deployment share. I’ve started up a new one rather than trying to use one of my MDT shares. Next, select an image – I went into MDT shares and selected the Windows 7 Ent x86 image. Then create an answer file and do stuff to it.

I think we need stuff in the answer file for the following passes:

offlineServicing – DSIM uses this to inject the drivers. We “insert the driver path” to this pass and then later on we run DSIM and pass the answer file to it. This step should inject our custom platform drivers. Since MDT doesn’t actually create physical subfolders when you tell it to “create a folder” under “Drivers” we are just going to give it the OOBD folder and see what happens. That will give it a lot of drivers.
specialize – this is where many of the useful custom settings are applied when the platform is rebooted after a sysprep with the /generalize switch. Essentially this is where some of the settings are put for an unattended installation.
generalize – this specifies settings for a sysprep which is using this switch.
oobeSystem – other settings for unattended installation.

Inserting the driver path is done from the menus in WISM. The other components are inserted by browsing the list of components under the image that I selected, and right clicking gives you the option to insert the component to the appropriate pass of the answer file.

Once the answer file is complete it would be copied into C:\Windows\System32\sysprep on the target platform. Sysprep.exe is there already. Then run sysprep and give it the answer file and tell it to shut down the VM. Then copy the VHD to somewhere convenient. Run DISM and pass it the answer file and it will go get the drivers and copy them into the image. Then deploy, hopefully.

After this point specifying those components is the tricky part, like which ones do you need? These are the ones I’m trying out first:

Microsoft-Windows-International-Core [4 specialize]: this enables us to specify our specific regional settings. That’s the stuff that Windows Setup would normally ask us for, so it makes sense to put it into an answer file.
- InputLocale: en-US
- SystemLocale: en-US
- UILanguage: en-US (en-NZ is not the correct value for this field)
- UILanguageFallback: en-US
- UserLocale: en-NZ
Microsoft-Windows-Shell-Setup [7 oobeSystem]: various settings for first time setup. N.B. Some of these settings are only available for [7 oobeSystem] pass and some are only available for [4 specialize] pass.
- Autologon
  - Username: Administrator (this enables the default Administrator account)
  - Enabled: True (this doesn’t get set by default and will cause an error if left blank. Needs to be True to ensure the account is enabled.)
  - LogonCount: 1 (a workaround to make sure the administrator account gets enabled)
- OOBE
  - NetworkLocation: Work
  - ProtectYourPC: 1
  - HideEULAPage: True (hide the page asking the user to accept license)
  - HideWirelessSetupInOOBE: True (set this one to make sure it doesn’t pop up)
- ProductKey: Your Windows 7 MAK (this setting can only be entered for the 4 specialize pass)
- RegisteredOrganization: Name of organisation
- RegisteredUser: Name of user
- ShowWindowsLive: False
- TimeZone: New Zealand Standard Time
- UserAccounts
  - AdministratorPassword: whatever (the account must be enabled with Autologon\Username as above)
Microsoft-Windows-UnattendedJoin [4 specialize]: Enables an unattended domain join. This is useful even if you let the system choose a random name. At the moment we’ll leave this off and join manually after we’ve customised the computer name manually.

There are several corrections in the above which are underlined, these were found necessary to fix issues.

And that’s about it. Because the VHD already contains the OS we don’t need to bother about Windows PE pass settings. Save the answer file and then do the sysprep. I use the following command line in a command script file to automate sysprep:

sysprep.exe /shutdown /generalize /oobe /unattend:c:\windows\system32\sysprep\unattend.xml

To do this put sysprep.cmd (the command script containing this line) and unattend.xml in the sysprep folder shown in the above command, start up the virtual machine then browse to that folder in Explorer and double click sysprep.cmd. You will then see a dialog box that shows a moving progress bar as Sysprep does its thing. Eventually if you’re still watching, you will see a “Sysprep_succeeded.tag” file generated in the directory and then your VM will automatically shut down.

The next step is to run DISM to inject the drivers. DISM works offline whereas Sysprep works online. This means that my next step is to make another copy of my VHD (the post sysprepped one) and then call up DISM to inject drivers into that particular VHD instance. However right now I’m going to skip that and instead deploy the sysprepped but not yet DISMed VHD to my target platform in order to test out the unattend settings.

Before doing a sysprep stage I recommend you shut down your VM and make a backup copy of your VHD. I keep copies of the VHD both pre and post sysprep. After making the pre copy, start the VM up again before sysprepping it live. When the VM shuts itself down, make the post copy VHD for DISMing before it goes to deployment. Restore your pre copy to the VM before you do any more work with it.

Deploying Native Boot VHDs [2]

2011-01-25T11:38:00.001+13:00

My first test was to set up the target computer with its hard disk and boot environment and copy the VHD directly from the VM to the target and then boot. This was successful; the main issues being the missing Sysprep and driver injection stages. Since then, thinking about it overnight, I have decided I will have to learn how to use WSIM, Windows 7 Sysprep and DISM, all of which MDT nicely isolates you from. This is because MDT doesn’t have a deployment scenario for the situation we are using. Using the three tools mentioned above is what MDT encapsulates, but in a different way. The normal basic steps of deployment which I learned with Vista are:

Make a Unattend file using WSIM
Sysprep your reference system passing it the Unattend file
Image it by using ImageX to perform the capture.

And now, with VHDs, we can replace the third step with DISM to inject the drivers. Then we copy the VHD for deployment. Deploy it to the target platform and when that platform is booted it will automatically set itself up with the Unattended settings. The advantage of this overall is that we don’t need to have a separate imaging stage to copy what is on the VHD into a wim file, and we don’t have to have a separate stage of loading the image onto the target platform. All we have to do is simple copying of the VHD file to the target platform, so it saves a lot of time. In my test run yesterday it took about seven minutes to copy a 13 GB VHD off an external hard disk to the computer. Basically this is what MDT leverages, but in a different way. MDT splits up the setup passes so that some of them happen at the time of doing Sysprep and Capture, and some of them happen at the time of applying the Deployment task sequence. But if you do it so that you specified your unattend file and everything before you deploy the VHD, then it all gets done automatically when the VHD is booted up for the first time.

Let’s have a look in depth then at the old system like Ghost of copying a whole hard disk and that being the image of the machine. The main advantage of this is that it is very easy to set up and deploy. However since you still need to Sysprep before capture, you will still need to learn how to use the WSIM and Sysprep tools. Therefore you haven’t saved much. The main issue is that once you have captured with Ghost into its own format, servicing those images becomes the issue. The usual story is to deploy to a reference platform, service, sysprep, capture, and you have to have a reference platform to do it. The other big Ghost limitation is that it is tied to a single HAL and that means images are locked to that platform pretty much.

On the other hand we will be starting with a VHD that is attached to a VM. We build and maintain it on that VM. We then take a simple copy of that VHD, run Sysprep over it with our unattend.xml file that we have already built. We then use DISM to inject the drivers to it. It is then ready to deploy. We can still service the VHD offline at that point before it’s deployed, no matter how much is needed to it. Or we can go back to our VHD attached to the VM and service it live there then do the Sysprep and DISM stages again. At no stage is it necessary to recapture and at no stage is it necessary to deploy the captured image by special software. It is just a matter of copying the VHD to the target platform. This is an advantage even over WIMs which is why the native boot VHD capability is such an underrated feature of Windows 7.

Facebook food for thought

2011-01-21T19:39:00.001+13:00

Here’s some hard thoughts about FB.

I’ve been on FB for over four months and I have chosen to have only 20 friends. These friends are real life friends. People that I meet and talk with regularly for the most part. I don’t post much on FB. I reserve it for serious stuff. I like to think through what FB is really useful for and not waste more time on it than I really need to. I’ve changed the privacy settings to very restrictive ones that hide as much personal information as possible. My FB profile won’t tell you too much about me. Not like some of my friends who tell you who they are married to and their birthdate and the names of their kids.

So here are a couple of articles on the Net to have a serious read and think about if you are a serious FB fan:

For me, I think FB is mostly about an email replacement. That’s about it for the moment. Maybe sometime later I’ll think of other ways that FB could be useful to me.

Deploying Native Boot VHDs [1]

2011-01-20T17:36:00.001+13:00

Having discussed this lengthily in a previous series of posts it’s time to start working on a real world implementation – and by the way, happy new year!

The following steps should be those needed to set up a Native Boot VHD from scratch:

Develop the image
1. Create a new VHD and attach it to a virtual machine
2. Deploy the OS and all required applications
3. Sysprep the VHD by running a custom sysprep-only task from MDT
4. After the VM is shutdown, use DISM to service the VHD by injecting the drivers to it
5. Copy the VHD to a portable hard disk or similar means of distribution media
Configure the target machine
1. Boot the target machine in Windows PE using bootable media.
  1. Find out if the recovery option is installable in the standard boot partition so that F8 can be pressed to boot off the HDD instead of needing a boot disk in subsequent Windows PE tasks.
2. Run a few Windows PE commands to create a boot partition and create the required entries in the BCD
Deploy the VHD
1. Copy the VHD file to the target hard disk
2. Reboot the machine
3. Enter any initialisation data needed when Windows 7 boots off the VHD
Update the VHD
1. If the VHD needs to be updated follow the sequence again but it should just be a case of replacing the existing VHD file with a new one once the machine has been booted into Windows PE. To replace an existing VHD a command may be needed to dismount the existing VHD.

There are a few special considerations. One is that we want a second VHD that is used by the user as scratch space shared by all users (video editing for example). A special command can be used to create this the first time the system is set up. Another consideration is whether to convert the boot VHD from dynamic to fixed size after it is copied. Keeping it dynamic up until copying reduces the size massively. Fixed is recommended for best performance in a native boot VHD deployment. If it is dynamic it gets automatically expanded to its maximum size at boot anyway but this will lengthen the boot time.

Right now I am working on some of the steps in each group but not through all of them. I am about to get my target test platform set up so that I can be ready to check out some of the configuration work before I get onto finishing preparing the image for it.

The overall aim is to have a deployment system that is simpler to use than MDT for deployment. MDT is a good deployment system provided that you have the necessary training and means to resolve issues with it. If your deployment is just to a few machines and your staff are not specifically MDT savvy but they know how to do stuff in Windows PE then it’s easier that way and you eliminate the extra steps of doing a capture each time your deployment image is changed.

In the next part I will look in more detail at the nitty gritty of these steps above and hopefully I will have deployed to my target test system.

Previous series:

Using Network Access Protection with Remote Desktop Gateway [2]

2010-12-22T23:57:00.001+13:00

It is almost a month since I wrote about this topic. I was able to defer the setup of the RD Gateway that I was previously doing until today when I had to finish it without completing the NAP client setup. This means that for the moment all clients connecting to our server will be assumed to be non-NAP capable and the system health checks will not be performed on them. However in the course of the work I was doing today I stumbled across this useful article on MSDN:

http://blogs.msdn.com/b/rds/archive/2009/08/17/deploying-rd-gateway-r2-server-with-nap.aspx
This also links to another useful article on Technet:
http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx

The articles contain other content that I was not aware of up until now, namely that you have to do things on the client with the server certificate and add the RD Gateway server to the Trusted Server list on the client. The second article provides a link to a script to help configure the client. There is also a lot of information there about how to test for the proper operation of the NAP client and SHVs etc. Although I am of course very busy at the moment with just a couple of days of the work year to go, I will have a look at this stuff in more detail over the break when I am actually on leave.

We are about to take delivery of 35 brand new computers which is a substantial order for us and they are all built locally by one of NZ’s top educational market computer companies. The installation of these will be our major project over the summer holiday break with just some minor maintenance work being carried out as far as the servers go. The majority of the computers will probably be configured to use native VHD boot with Windows 7.

We are about to set up a proper backup system using removable hard drives and commercial grade backup software, replacing the use of spare server capacity and scripting to back up stuff. This is important as once we can link our sites by fibre it will dispense with the necessity to have duplicate servers in the two sites and enable the main file servers to be consolidated into one.

End of year Catchup

2010-12-13T18:02:00.001+13:00

By now it will be apparent I have not posted any work related content here for a good while. The reason is mostly that we are hideously busy with end of year stuff.

Here is a useful code snippet. How to get a ping log with nice neat output, with the time and date displayed. It is great when you are having problems with your internet connectivity and need a continuous log of pings at a particular time/date.

@echo off
:top
for /F "tokens=*" %%i in ('ping 1.2.3.4 -n 1') do set Pingresult=%%i
echo %time% %date% %Pingresult% >>pingrg.txt
echo %time% %date% %Pingresult%
goto top

Basically this tells the Windows shell command interpreter to:

Do a single ping and store the results in an environment variable called Pingresult
Send one line of text to the end of a text file
Send the same line of text to the screen.
Repeat infinitely.

Now for more substance. We are working through various things including buying lots of new computers so I expect that some of the process of deploying a large number of new Windows 7 computers for students will be written about here within the holiday period that is starting soon.

Slingshot complaints feature in the Herald

2010-12-05T13:03:00.001+13:00

Around two years ago I wrote about my trials in changing ISP from Telecom to Slingshot. The experience was bad enough that I ditched Slingshot and changed to TelstraClear and haven’t looked back. In fact I wondered why I hadn’t gone to Telstra in the first place. Today there’s an article in the Herald on Sunday about Slingshot. I don’t know if the experiences I had were similar to those mentioned. However I was fortunate in that Slingshot gave me a refund of advanced charges and waived the early termination fee; I only had to send the modem back to them.

One thing to be wary of is that Slingshot is not a member of the Telecom Dispute Resolution scheme. Most major carriers are and it gives you an avenue that you can follow if you feel a complaint has not been adequately resolved by the telco.

Using Network Access Protection with Remote Access Gateway [1]

2010-11-25T09:23:00.001+13:00

In amongst the new functionality for Windows Server 2008 is the Remote Access Gateway (it acquired this name in Server 2008 R2 but was introduced as Terminal Server Gateway in 2008 R1) and Network Access Protection enhancements. The latter technology existed in previous editions of Server but was mainly concerned with enforcing protection against remotely connected clients whereas the current version can apply measures against computers in a local network. For the purposes of this post I am concerning myself with the use of NAP in the context of the use of the Remote Desktop services, and RD Gateway is used mainly in the specific context of a user logging in remotely to a network. Part of the enhancements are concerned with the specific tasks of verifying and enforcing system health checks. The SHA functionality consists of components that run in a client system and report back to the NAP server on the results of specific system health checks (for example the status of any antivirus software that is installed). The NAP server can then decide what kind of access it can grant or deny depending on the results of health checks and what constraints are applied such as enforcing logon hours for the connection.

Getting NAP working properly is a matter of setting up the server components, configuring the client computers’ NAP agents and testing. Windows Server provides consoles for the server component and it is a matter of following some fairly straightforward steps. Then comes the client testing. Without any client configuration I assumed it would work out of the box but it proved to be the case that the server was reporting my client as non-NAP capable. One of the first steps is to open the Windows Action Center and look at the NAP status being recorded under the Security category. This told me that the NAP agent service was not running so I went to Services and configured it to start automatically and started it. The next step was to find the NAP support forum on Technet from which a post gives me some instructions in how to carry out some diagnostic checks by opening a command prompt and running the command netsh nap client show state. This told me among other data that

Id                     = 79621
Name                   = RD Gateway Quarantine Enforcement Client
Description            = Provides RD Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Further testing and checking has suggested the next step is to run the client configuration console on my computer, this is by running NAPCLCFG.MSC. Alternatively the same post gives information about how to run commands in a command prompt to achieve the outcome of changing that Initialized status to a Yes. Although this has occurred the next logon did not result in a remediation of this status and the client is still non-NAP capable according to the server. At this stage I have to leave my checking and go to other work so I will continue with this process over the weekend.

Excel import limitations in Access and Word

2010-11-20T12:36:00.001+13:00

Earlier this week I wrote about the frustration of transferring Excel data to Access with flaky OBDC connections or drivers. I’m not sure that was exactly the cause but a lot of error conditions were experienced trying to manipulate data with the linked tables which were Excel spreadsheets. Eventually I got the data to be transferred using VBA but it has come home to us this week in transferring data from Excel to Word (using mail-merge) for our school reports that there is a 255 character limit on some text fields. Excel basically will check the first 8 rows of a spreadsheet in order to try to determine the type of field and if strings are less than 255 characters in length they are cut to that length. From Access we know that to get more than 255 characters of text you have to use a memo field. If you use VBA code to automatically import a spreadsheet to a new table the data type of the table is set on each column automatically based on the above (text for strings up to 255 characters and memos for more than 255 characters). This can lead to data loss.

On the other hand if you manually import the spreadsheet from Excel into Access you get to specify the data type for each field as part of the wizard and can then choose to specify Memo for the fields which have more than 255 characters of text in them. The data is then imported according to the specified settings and is fully preserved. However I find it annoying that this can only be guaranteed to work if the manual import process is followed each time. If you create a table and change its field definitions and then use VBA code to import that table it will not honour the field data types, it just makes them up again which is pretty stupid because it should be able to detect what the user wants since they have no other way of programmatically specifying the data type for each field.

There is a registry key called TypeGuessRows which is supposed to have an impact on earlier versions of Office. It looks like support for this feature has been dropped in Office 2010 because changing the setting had no effect on the behaviour either in Word or Access.

I would like to say I am extremely annoyed at the way this functionality has been sprung on Office users through successive levels of arbitrary design and coding decisions taken at Microsoft. It is likely there are a considerable number of people doing mail merges from Excel sheets with text fields larger than 255 characters who will be impacted negatively by this design limitation. In previous versions of Office the registry mentioned provided a means of working around this problem. However the apparent discontinuation of this functionality in Office 2010 makes it impossible to guarantee a successful import or merge unless a clumsy workaround is used (this is to put a row at the top of your spreadsheet, preferably the 2nd row, that has more than 255 characters in each text field). Furthermore, that when using VBA code to import a spreadsheet directly in Access, there is again no surety, it would be OK if there was a means to specify the import specification which can be done with the TransferText method but this is not possible when importing a spreadsheet because that option simply isn’t available. You can only guarantee with a manual import and setting each field type at import time that you will get a successful transfer of all long text fields. There may be ways to work around this problem if you are using VBA with methods other than DoCmd. However these means seem to rely on the same drivers which are the functionality where the problems exist.

My advice therefore is to use one of the following:

Migrate to MS Access (which has a lot better functionality as a database that Excel)
Migrate to some other database if you can so you don’t have to use any part of Office
Try the workaround for the second row of the spreadsheet for current worksheets you need to import to Access/merge to Word

Native boot VHDs and MDT [4]

2010-11-17T22:17:00.000+13:00

This has taken a break because I have been very busy with other things. However I had a look at it at home last night and used Wim2VHD to make a VHD containing Windows 7 Enterprise x86. I then copied it to a portable HDD and took it to work this morning. I think the main error I made is that the system partition on the computer has to be set as Active (i.e. boot partition). This makes sense as it will be booted by the Bios and it then runs the bootloader to get Windows started. The “active” name is very poorly chosen for its function. Once I made that change with Diskpart BCDEdit suddenly started working and I could see that it was configured to boot the VHD. Once the VHD had been copied to the computer and restarted it immediately booted the VHD and after going through the usual first time steps it is now fully functioning. I noticed that D drive is attached and this is actually the physical hard disk with the files present on it. Since we can’t remove drive D we would look to limit access to it by ordinary users and provide them with another VHD as drive E for any scratch space.

I have also tried VHD Attach at home and it works well with attaching files as drives after the computer has booted up so that should be OK. The next thing is to work out how to add drivers to an image that has been sysprepped so it can automatically load them when the computer starts with the new VHD image. There are a couple of ideas out of all that I have looked at: test if MDT can do this as part of a sysprep task, or use DISM to service the image by adding drivers to it. I think MDT uses DISM to perform the inject task anyway. So the next part of this series will hopefully be wrapping up these options.

It turns out from examining the documentation that DISM is very easy to use with a VHD file. If you have the VHD mapped to a drive letter you just have to open a command prompt and type a few simple commands. If I have my platform drivers all nicely imported into MDT I can just pass the root folder to DISM and tell it to extract all the drivers from it, for example (if my VHD has drive letter V and my MDT path is on drive S:)

DISM /image:V:\ /Add-Driver /driver:S:\drivers /recurse

Then, in totality, my deployment process may well end up looking something similar to the following:

Develop the image on a VHD using a virtual machine
Run MDT sysprep only task to sysprep the VHD
Run DISM as noted above
Copy the VHD for deployment.

Ideally a future release of MDT would automate these steps in a task sequence.

The steps to set up a physical machine would be different and I would like to see if they can be scripted in some form.

NZ Open Source Society Praises Microsoft

2010-11-17T20:55:00.001+13:00

Remember… you heard it here first…

http://www.interfacemagazine.co.nz/articles.cfm?c_id=&id=791

http://wikieducator.org/Microsoft_Launches_Open_Source_Filter_for_Mediawiki

Peter Harrison, Vice President of the New Zealand Open Source Society commends the release.

“
The Internet provides humanity with a unequalled opportunity to leverage our communication technology to educate people across the globe. Through collaborative technologies such as Wiki people can work together to create rich common resources that are open to all. By enabling users to export their content from Word into MediaWiki Microsoft are encouraging the availability of a far wider range of educational resources online.
”

—Peter Harrison, New Zealand Open Source Society

MS Access and ODBC Drivers and “useful features” in Access 2007/2010

2010-11-14T12:22:00.001+13:00

I have used MS Access for 15 years to do various types of reporting and it is my defacto tool of choice with input data that looks like some form of database and a report as output, especially when it has multiple pages, requires calculations, or data to be joined together from multiple tables.

One thing I have been aware of over the years is that there are numerous ODBC drivers about that don’t like giving a linked live view of their data into queries that are joining multiple tables. I can’t quite explain this but it is not uncommon in a production situation to get problems when linking data via an ODBC connection to see error messages or missing data.

The three situations I have seen this in are:

A holiday job where I had to write reports to extract data out of an accounting system and display it.
Integris, customised reporting from data in the SMS
Excel, linking worksheets into Access for reporting

In all three cases working live with the source data (Access linked table) via ODBC seems to be the problem. The solution in all cases is to implement an intermediate step whereby data is imported into a table in the database, and then that table is used to provide the data for reports. This has proved necessary so many times that it should almost be considered routine.

The second part of this article is that I found that in the process of running make-table queries to import the data I would get an error that I was violating the range of values that could be put into a table. Now, for a make-table query, that doesn’t make sense. The table is being created from scratch to contain some data. This couldn’t possibly make sense unless Access thinks that somehow it knows what type of data is supposed to be in each field of your new table. Maybe it looked at the previous version of the table; the one you may have just deleted before you ran this make-table query. But the whole point of a make-table query is that it creates the table from scratch. If I wanted to update the records of an existing table I’d code the query as that. Access asks you to delete the table and then gives you the error message. If you delete the table manually and then run the query, you don’t get the error.

This unfortunate design “feature” of Access 2007 and Access 2010 cannot be turned off. I’ve read that there wasn’t a problem in previous versions of Access. The only change I was making was to increase the length of a text field and put more data in it. The default text field length is something like 255 if I remember rightly. But Access must have somehow locked that text field down to the exact length and in this case when the length changed it threw the error. Since it has already deleted the table and is creating it from scratch that shouldn’t actually be a problem. Note that here we are importing data from Excel linked sheets.

Further to the above: the whole Access importing/linking from Excel seems to be a complete crock. I think it’s a very sad situation when data can’t be linked from a product made by the same company without problems. Actually, there are problems all across different MS products, the whole linking/embedding thing seems to be overblown. Had to make even more changes to the report I was working on trying to get around all the issues, now I’m wondering if it is really ODBC or Access itself is at fault.

Native boot VHDs and MDT [3]

2010-11-10T21:25:00.001+13:00

At the moment I am trying out the walkthrough applying a sysprepped image directly to a VHD file that I created with Diskpart. This tool can be used with VHD files as well as ordinary hard disks and then it can mount the VHD to a drive letter.

As noted in previous discussion while this gives me an image that has been sysprepped, what it doesn’t have is the injection of drivers for a target platform so I don’t know what will happen when it is booted up to a specific platform. The previous debate so far has been over ways to inject those drivers. If my walkthrough works I will have to move on to trying out the different forms of driver injection.

First problem on the walkthrough was that the PC is too old to run x64. OK so then I set up a VHD for x86, because I didn’t have a captured image for Ent x86 I used ImageX to apply install.wim directly from x86 Ent ISO. The rest went smoothly enough until reboot. Note that you need to use the Windows 7 version of ImageX, the version from WinPE 2.0 (Vista) does not support vdisk (VHD). In order to run this I used a MDT LiteTouch boot CD in command prompt mode. When I rebooted I got “Bootmgr is missing”. The problem seems to be that the instructions in the walkthrough are wrong in some way. The VHD was assigned drive letter C, but on reboot, the drive letter C has been reassigned to the computer’s physical disk, and there seems to be no way to make the letter C stay assigned to the VHD. When I run the recovery console and open a command prompt, I change to C drive and then dir and find that my VHD file is present instead of the Windows directories that are present inside the VHD image. I can use Diskpart to assign a different drive letter to the physical disk and to assign drive letter C to the VHD, which is where the Windows files are, and exit Diskpart and find that C drive looks like a normal windows boot disk. Then BCDBoot can be used to set up the boot. I tried this a few different ways, assigning for example drive letter F to the VHD, and then it should have booted, but the drive letter F was lost on reboot and it wouldn’t boot at all.

However on the other hand I did find this posting which tells me about a useful tool called wim2vhd which is produced by Microsoft and will make a VHD easily from a Windows install DVD. This appears to automate some of the manual steps listed in the walkthrough. Another post here gives more useful info. Right now, though, I am stalled until Technet can give me a way to make the drive letter assignment stick. Here is some more info on how to sysprep a VHD so that it can be copied to another machine. I plan to sysprep using MDT just to simplify things especially if we can automate driver injection in MDT.

Since first writing the above, it has been determined that the limitation is built into Window 7: attached VHDs are not automatically reattached at boot time unless required to boot an OS. I guess this could be because of a performance effect on startup. However, I think that Windows should provide support for turning on automatic reattachment as I can see a scenario that would be attractive is to have a data VHD as well as a OS VHD in place of physical disk partititions. Fortunately others have recognised this need and have addressed it with software and scripts (here’s another post suggesting how to set up as a scheduled task). My preference would be the free software, if it is free, followed by the Powershell script (which automatically scans and attachs all VHDs in a folder). This puts pressure on MS to include this feature in subsequent editions of Windows.

I am now working on a new VHD creation at home in my free time, the first step is to upgrade my PC from Pro to Ent. Also here I commend the addition of various useful features to later editions of 7-Zip, a free zip archiver. The latest release edition 4.65 can open and extract ISO and WIM files, and the development beta 9.14 can open and extract VHD files. So I didn’t have to buy software to get stuff out of an ISO file, and you don’t any longer have to mount a WIM in ImageX to get stuff out of it. The VHD functionality is mainly of benefit on older versions of Windows that don’t incorporate VHD attachment (i.e. versions prior to 7).

Native boot VHDs and MDT [2]

2010-11-04T19:30:00.001+13:00

Continuing on from yesterday’s post, I did some thinking about this overnight and have made enquiries on Technet as well. I think the best scenario for creating your own native boot VHDs using MDT is to deploy an OS to a VHD using a standard deploy sequence. You would then run a sysprep only task sequence from it on MDT, using the LiteTouch script in the deployment share. What is particularly needed is to be able to provide or inject custom drivers before sysprepping, rather than this being done in a setup task, because we aren’t going to deploy using a deployment task sequence in MDT. The basic situation is that we are going to sysprep the OS installation in the VHD, and then deploy the VHD to platforms just by copying it. The platform is then native booted from the VHD and it runs through the normal first time startup sequence and finalises installation.

One possibility for the driver injection is to see if it can be added to a sysprep task sequence (it has to be done before the sysprep task is executed). When you look at the standard sysprep and capture task sequence in MDT you will see a task that adds mass storage drivers to sysprep.inf for Windows XP and 2003. However I’d presume in Windows 7 it is correct to use the Inject Drivers task sequence, the question is to whether this would actually work or not, and exactly where you would put it.

The second option is to use the Driverspath variable or Devicepath registry key. There are a few relevant posts listed below:

http://blogs.technet.com/b/deploymentguys/archive/2008/02/15/driver-management-part-1-configuration-manager.aspx (Part 2 is more relevant to this situation)
http://technet.microsoft.com/en-us/library/cc753716.aspx Unsure if this applies after Sysprep is run, will the key still exist and be referenced during Setup
http://technet.microsoft.com/en-us/library/dd919209(WS.10).aspx lists how to stage drivers for imaging or set up a network share. You can use a group policy to configure the drivers to be automatically loaded from the network share. The main issue is over signing driver packages – MDT eliminates this requirement.
http://exec.typepad.com/airdesk/2009/10/windows-7-deployment-part-6.html Describes how the injection phase actually works.
http://social.technet.microsoft.com/forums/en-us/mdt/thread/EE47C478-8910-4EE3-9593-B30109777805 This one suggests means of injecting drivers, or running a deployment task that just goes into Windows PE and doesn’t do the capture, at that stage you could get the VHD copied.

Obviously my preference would be to leverage MDT and get the drivers injected via a step in a Sysprep task and so I am trying to find out if this is possible. It should be because my experience with Sysprep is that the unattend.xml file contains the information for all of the Sysprep passes, of which the relevant one here is the specialise pass and offline servicing pass, hopefully I do not have to hand edit the xml file and hand run Sysprep, it should be possible to either use a inject drivers task or some means of customing unattend.xml before Sysprep executes and hopefully we don’t run into a lack of drivers.

There are a number of manual tasks to get the VHD able to be booted on a target system, so I’d be looking for some means of automating these to an extent, and buying a 16 GB or larger pen drive for the copying, otherwise I can use an external HDD.

Native boot VHDs and MDT [1]

2010-11-03T20:56:00.001+13:00

In my previous post I wrote about the development of the native boot VHD capability in Windows 7. As I noted, the specifics of this functionality is that a VHD can be copied to a destination computer’s hard disk and attached as a boot device. Windows can then be booted via the VHD file. There are considerable advantages for small scale imaging without the use of a full WDS environment such as we looked at in the past (about 4-5 years ago when I had more free time, I invested a considerable effort in setting up a Remote Install server and learning how to use RIS. The server did get upgraded to WDS but since then with Windows XP we have simply used Ghost for a very occasional re-image scenario).

My current plan is to have a look at a deployment walkthrough on Technet. However the next idea which has come along pretty quickly is whether MDT can help with creating a generalised VHD for native boot. So far I have found info on customising an MDT deployment task sequence to a VHD file on a physical computer. This doesn’t really address what I had in mind. My situation is that I want to be able to create a generalised VHD file that can simply be copied to target computers that applies the steps of the MDT deployment sequence, i.e. when the machine is booted to the VHD for the first time the operating system is deployed as if a user had selected a particular deployment task through the wizard. Generalised is important because the image has been sysprepped for deployment to multiple machines, and the MDT deployment task sequence can do useful things like inject drivers and install software allowing MDT’s customisation capabilities to be fully leveraged. The above scenario is basically to create an MDT deployment task sequence that will deploy the OS to a blank VHD on the target system instead of a physical hard disk. It is a good step in the right direction but I am looking for a bit more than that.

MDT does have support for using media to create bootable OS installs. For example you could deploy a task sequence using an external hard drive. What I am looking for beyond that is simply being able to copy a VHD to a computer, attach it as a boot device as described and then boot the computer which runs a task sequence saved on the VHD, applies an image and the deployment steps from the VHD and deploys the OS possibly to another VHD on the target platform. It may be that going through the media deployment steps is able to create the type of installation I am seeking, although the best scenario by far is to automate the deployment wizard steps, for which there are already means provided.

Backup imaging, VHD native boot, network management & remote desktop management

2010-11-03T12:09:00.001+13:00

A while back I wrote about my experiments in using MDT to back up laptops. Some of my MDT shares got moved to a new server recently and the backup share had to be set up again from scratch, which for some reason proved exceptionally difficult but it has happened eventually. However while I was working on that I realised there is another option to imaging a laptop and that is the Disk2VHD tool from Mark Russinovich. This uses Volume Shadow Services to image a live disk (you run it on the computer while Windows is running) and turns it into a VHD file. The great thing about a VHD file is that you can simply hook it onto Virtual PC, or in this case, a new virtual machine that I created in Hyper-V, and in this case the virtual disk worked when I booted the VM from it so that particular laptop can be brought up in a virtual machine with all of the software and files on it that the user had. Although in most cases I find that the user does not need to have further access to their old data (we always transfer everything across when they change laptops) this is another option in special cases where they may have an old application and there is even the possibility that the VHD could be put onto their new laptop with Windows Virtual PC. Take note that there is a setting in Disk2VHD that is required when you create a VHD for Virtual PC because otherwise the VHD won’t boot even in Windows 7 VPC. Next idea may be to add VPC to our standard laptop image.

I’ve noticed that there is a capability in Windows 7 for a VHD based boot of the operating system, which can be deployed simply by copying the VHD file to the hard disk of the target computer. This would appear to be worthy of further investigation, since it removes the need to use, say, WDS for a mass deployment of an image to multiple computers. If you can install an OS simply by copying the VHD file which contains an image you have built on a virtual machine for MDT deployment then I can see that making upgrades to student PCs would be much simplified over the standard WDS type deployment scenario if you don’t want to install a WDS server. The scenario here is that you would build your reference image on a VHD using a virtual machine so that drivers for that platform are injected into the image as it is built, and presumably when the VHD gets deployed onto the target machine, the drivers for the platform are able to be installed when the hardware is detected on first boot. Native VHD boot requires Windows 7 Enterprise, which is part of Software Assurance in the MS Schools Agreement. I am planning to have a look at this scenario here, seeing if I can use one of my existing MDT deployment scenarios to deploy an OS to a new virtual machine and then capturing that using the MDT Capture and Sysprep task into a WIM file that can be turned into a VHD file as described in the walkthrough. Hopefully MDT will be updated to simplify the steps needed.

Network management takes many forms but one consideration is how to track the traffic moving through different physical branches and the SNMP protocols are designed for this. SNMP can be used for many things these days but part of its fundamental functionality is to enable monitoring of network hardware such as switches and logging the utilisation of the network through individual ports. SNMP is not a technology I have had knowledge of before now, however there are a number of software packages that can be used to collect data from SNMP and we are currently playing with the free edition of ManageEngine OpManager which allows 10 interfaces to be tracked, so I am using it to see what is happening on my wireless network and hopefully the two managed switches on the backbone of our network will be able to give me the information about the traffic through each port which will help us to determine where congestion might be occurring on our network.

If you have any number of desktops to manage or at least monitor to keep an eye on what is happening on them then it will be advantageous to you to have remote control software. In the educational environment there are a number of packages which exist of which the most common features include being able to control all remote computers, put an image of one computer onto all of them, lock the keyboards/mice and watch what users are doing on them. I have looked at these packages for years and while there are different capabilities and functional levels they are also valuable for IT administration to save having to visit every remote computer, or at least being able to perform useful functions like simultaneous logon and software installation. The cost also varies widely and for our number of computers there would seem to be little benefit in spending $100 per computer when there are packages that are flat licensed for a few hundred dollars for any number of clients.

Backing up laptops on a network

2010-10-18T20:56:00.001+13:00

As a recent post noted, Offline Files is still a temperamental technology that I have decided is not worth the effort on Windows 7. So what other systems can you use? Take note of the following:

By default, Windows 7 will create a restore point on the laptop’s hard drive every day. This can be used to retrieve a previous version of a file
Windows Backup can be used to make a backup of files onto an external HDD. However, it has very limited options, and I recommend considering the use of either an external disk with its own software, such as the Seagate Replica, or a third party program such as Karen’s Replicator from karenware.com
Commercial backup software such as MS DPM or Seagate BackupExec can have agents installed to automatically back up a laptop to a server, in conjunction with a server based installation of the software.
Robocopy can be run from a server to automatically back up using a script. In the rest of this article I will describe this option further.

Robocopy is a command line tool that has been available since the days of Windows NT and has been progressively refined since then. It is a powerful tool that we have used to do some of our backups up until now. There are many parameters and settings that can be used. The following is a list of these and how they are being used in the evaluation so far:

Source directory: typically \\%1\%2\%3\documents and \\%1\%2\%3\desktop are used (Robocopy is being invoked twice, once for each path). %1 is the Netbios name of the laptop. %2 is the sharename, %3 is the foldername within that share. Typically you will need to share the Users folder in Windows 7 or Documents and Settings in Windows XP, in which case %3 is also the Windows username of the user. To avoid visiting each laptop user, if you are the domain admin, use Computer Management to connect to each laptop in turn and then create this share. I use random strings of 20 characters followed by the $ sign to name each laptop share individually and keep it hidden. Grant Read permissions to Everyone on the new share. Windows file permissions will still prevent anyone other than the user and Administrators from accessing these files.

Target directory: Typically this might look like \\server\share\%3\backup\documents or \desktop depending on the source directory as above. This makes use of a target folder based on the username of the user, which is the same parameter as was used on the source directory.

Filespec: I recommend you create a settings.rcj file and use it with the /JOB:settings parameter. In the RCJ file you place the option /IF on a line by itself and then one filespec per line thereafter. At the moment this will look like:

/IF

*.do*

*.xl*

*.md*

*.acc*

*.pp*

*.pub*

which will pick up most Office files. Add, delete or change to suit.

Other options: /R:45000 /w:1 /B /FP /V /S /MIR /MT /TEE /LOG+:%3.log. Put the rest of these except the last (log) option into the RCJ file (one per line). Specify the log on the command line.

/R: /W: specify a retry option and wait between retries (in seconds). The settings shown wait for up to 12 hours. The recommendation would be to run this with Task Scheduler and get it to force termination at a lesser interval than the frequency you are running this on (e.g. 20 hours if you are running daily) and adjust the retry count as appropriate.

/B will try to use Backup mode if you don’t have the full file permissions set up for backup. /FP, /V and /TEE are logging settings. /S is for copying files in subdirectories. /MIR ensures that the backup mirrors the source. This option deletes files on the target if they are deleted from the source, so it isn’t the setting to use if you want to guard against file deletions. /MT makes Robocopy use multiple threads. /LOG is used to create a log file, the + option appends to an existing log file of the same name.

The actual calls to Robocopy are contained in our case in a Robobackup.cmd command script. I write an individual CMD file for each laptop and set up Task scheduler to start this, in the cmd script it makes the call to Robobackup.cmd passing in the parameters specified. The idea is one backup per day in a 12 hour window. But you could be more versatile and try for three backups each in a 4 hour window. I am still tweaking our test environment to see what we can do, and I expect a few different options will be tried out, and these might also include turning on Shadow Copies on the server where the backups are being stored to see if it will keep previous copies.

In the end I changed R and W to 0 and taskscheduled my task to run 12 times a day, every hour. This sounds like a lot and might well prove to be, but given that laptops will not be connected a lot of times, and that it will quit immediately if it is not, the amount of traffic probably won’t be as much as one would think. Another option is to trigger if the laptop is connected, but this requires a custom script or other means to detect connection (pinging would achieve this).

UPDATE: Task Scheduler seems to have problems when it starts a command script that starts another command script that finally runs Robocopy. There also seem to be problems with a command script that has more than one command line in it.

After a lot of trial and error, therefore, my scheduled task is calling a cmd script that runs Robocopy directly using parameters that are passed into it. The task action passes four parameters into the command script that specify the laptop name, share name, username and folder for the source path. One of these also specifies part of the destination path, and another specifies another part of the destination path and the name of the log file. There are two task actions for each user, which arrange to back up the Desktop and Documents folders respectively. The common settings are passed in a .rcj file. There may be a fifth parameter to specify the rest of the destination path once I get my head around where these backups are going to be stored.

Solving Group Policy deployment headaches in Windows 7

2010-10-16T18:20:00.001+13:00

One of the most distasteful features of using Windows Vista and Windows 7 computers in a domain environment is their tendency to freeze during the Group Policy application phase of user logon. Although it is known that there were some instances of this occurring with Windows XP as well, we never saw these happen in our experience and first saw the problem in Windows Vista and Windows 7. The most common scenario for these problems is during the deployment of Group Policy Preferences for Printers. Extremely long timeouts going up to overnight in duration have been observed on some occasions, most commonly when a new computer is logged into for the first time. Although today I saw a laptop take a very long time to apply Folder Redirection policy, this is unusual whereas GPPP is the most common scenario by far. Even though event logging is greatly improved in Windows 7, there is still insufficient information recorded in the event logs for these instances. My latest effort is to get all the logging options turned on, both those specifically for GPPP logging and user environment processing, and hopefully with the logs now being produced routinely on all our computers we might get some progress towards resolving this matter. The fact that MS has failed to address this to date is a serious concern from my POV, even to the extent their logon processing should force the logon to continue after a reasonable period of time without these very excessive delays.

Windows Live Essentials gets a makeover

2010-10-16T14:04:00.001+13:00

Well, Windows Live Essentials has been updated to the 2011 edition and they have, at last, gone back to proper toolbars with icons, replacing text labelled buttons in the last few editions. In fact, the WLE applications (I’m using Writer to post this) are now using the Ribbon like Office does, this is the first time I’ve seen another app from MS that uses the Ribbon. I would guess there are more buttons and options on the toolbars as well, which is partly necessary because the menu bar has disappeared. There is a Quick Access toolbar as well, just like in Office, except that you can only turn on or off the preset options; you can’t add to these just like you can’t customise the ribbon. Another feature copied from Outlook 2010 is the conversation view for email.

A new functionality in WLE is Mesh, which lets you sync a folder on your computer with another computer running Mesh, or with a 5 GB space in Windows Skydrive. The functionality provided is pretty restricted, it is just one folder and everything in that folder. An interesting additional Mesh functionality is that it provides for remote access to your computers from another computer, presumably they all have to have the same Windows Live ID and password configured on them.

One annoying WLM feature was the modal dialog it would put up to say it was changing message flags. It would do this every time you clicked on a new message, doing this was very slow as was changing the message status from unread to read. This seems to be a lot faster in WLM2011 and doesn’t need that dialog box displayed.

Offline Files is still a crock under Windows 7

2010-10-15T21:04:00.001+13:00

Offline Files is a technology that was introduced in Windows XP. We used it for a time then but found it troublesome.

I have often wondered why Microsoft needed to use a special folder in the local computer instead of doing something like a straightforward automated sync between a visible local copy of the data and a server based one. Instead they use the special folder called CSC in Windows with the filenames specially changed etc. Then they use a complex system built into Windows that has to be configured through Group Policy setting and lacks functionality as well as the difficulty of getting this complex system to work properly.

The result is that Offline Files is difficult to configure and problems are difficult to solve. Currently I am getting a laptop that stops syncing after about a minute with “The specified network name is no longer available”. There is not any documentation on this problem that I can find out about.

There have been many times when I have thought there must be a simpler way to synchronise staff laptops when all you need is to have a script running on the server using one of the freebie programs like rsync or whatever that just syncs every so often. Another option with say Backup Exec is to look at automating backup of a share on each laptop using VSS. Best to avoid having to purchase and install the expensive BE agents as the cost soon stacks up and I am hearing that they have to be upgraded regularly. At the moment I am having a play with rsync guis on our backup server, customised only to back up specific file extensions (truly documents only *.doc *.xls etc etc) and seeing how it might be able to cope with the remote laptop going offline partway through and other considerations. Robocopy can cope with this (it can be told to retry or wait forever) but I don’t know how it would manage if the remote file had changed in the meantime.

I have now discovered Windows Mesh which can sync to Skydrive (5 GB free space) so I’m playing with that as well.

New computer 2 days on

2010-10-04T23:33:00.001+13:00

Still can’t get over how quiet this thing is. From the next room you can’t hear it at all. Although the old one turned out to have quite a bit of dust blocking things up. I got a serial backplane connector from an Asus motherboard and am pleased to report it worked the first time with the GPS. Am getting a 500 GB external HDD for backup and will also move two USBs from the front panel to the back and put an eSata port there as well, then we will be more or less finished customising.

New computer 1 day on

2010-10-03T21:18:00.001+13:00

Well, such a big project and now it’s over. Very pleased with the new box, just a few niggles of things maybe I should have checked over before I started. Mainly that this board has only got provision for 8 USB sockets, one of those is taken by the card reader and I wanted more of them on the back. So there are only 4 USB sockets on the back. However, the suppliers don’t bring every board model into NZ and there is quite a step up in price ($50 or more) to get more sockets (12). Given that there are several models of board in between, Intel is being silly not to put more sockets onto the lower priced boards – that board with 12 socket connections is a high performance model with DDR3 memory. But Intel is funny like that. All the Series 4 and 5 boards have PS/2 sockets for keyboard and mouse, but most of the Series 3 boards left these out altogether. My PC at work is such a creature and everything has to be USB, not that that is such a bad thing. Either I could swap two front USB sockets to the back (using a backplane adapter) or I could put in an accessory card with 4 more on it, which I may do. Also likely to be appearing in the backplane slots are an eSata socket and the 9 pin serial socket.

The next thing to look at is backup. Many years ago I bought a 400 MB Iomega tape drive to back up a previous computer. Those were the days. After that died, it was occasional CD and DVD based backups. Then I bought an external HDD enclosure and put a 40 GB laptop HDD in it. A great move, the only problem is that it is now too small. So I have to get a bigger external disk, maybe 250 GB or more. I trialled running Windows Backup on the new system and it said it needed 70 GB to back up my documents and pictures. And the backup could also include a system image if I wanted it to, although I don’t know that I will do that. 250 GB is a lot but it will probably need to store more than one generation of backups. However, online backup services are starting to become affordable, except for our ridiculously high broadband charges in NZ. Maybe in the future it will be possible to use these more than I have looked at so far.

One thing I have finally worked out how to do is to change the location of My Documents and My Pictures. I couldn’t work out from the time I installed Windows 7 at home why IrfanView wouldn’t recognise the “new” location of My Pictures which is on a different drive so it is not in the normal userprofile location. Well, it turns out that even though you can change the folder locations in the Libraries, this doesn’t actually change the stored locations in the system. You still have to find the folders in your profile and tell Windows that they are supposed to be in a different location. Now I can use My Pictures in IrfanView to find all my photos like under XP.

Rebuilding My PC [4]

2010-10-03T18:57:00.001+13:00

As we saw in the last post, I started it on the old PC and finished it on the new one. About halfway through writing, I saved the draft on the old PC and shut it down. I then booted from a Windows PE CD and started up ImageX to capture the boot disk to a WIM file. Once that was completed I did the same on the new PC with its new 250 GB HDD, first running Diskpart to partition the new disk and then again running ImageX to apply the boot disk image to it. After this I tried booting and got an error screen telling me to run the Windows Recovery Wizard. This is because the BCD command line tool needs to be run to fix the boot configuration. I had an MDT boot CD handy so I booted that and chose the Recovery Wizard option which fixed the boot configuration for me, then I rebooted and Windows 7 came up looking almost the same as it did on the old PC. While the old PC was imaging I tidied up all the power supply cabling on the new box.

You can see the power cabling has all been tied back to keep it out of the way of things. Particularly that CPU fan. This has become more necessary in the era where such large CPU fans are fitted that do not have enclosed blades like they did in the Socket370 era. But of course tidying up the cabling makes things easier all round for a nice and tidy PC inside.

Around this time I decided it would be safe to leave the new box on overnight so I went to bed leaving it running. Starting again in the morning I have lifted out the old box. Here is a picture of it:

I took the modem, 250 GB HDD and the old DVD writer across to the new box which will now have two 250 GB HDDs and two DVD writers and of course the modem for when the broadband falls over. At the moment I am copying some files off one of the 80 GB disks across. Then it will be all finished and ready to go. Here is the comparison of the WinSAT data for old and new PCs, both running Windows 7:

Component	Old spec	Old SAT	New spec	New SAT
CPU	Celeron D325 2.66 Ghz	3.4	Celeron E3300 2.5 GHz	5.9
Memory	2.00 GB	4.4	2.00 GB	5.5
Graphics	Intel D915	1.9	Intel G41 Express WDDM 1.1	3.3
Gaming Graphics	Not detected	1.0	780 MB total available memory	3.4
Primary HDD		5.3	207 GB free	5.9
Overall Score		1.0		3.3

Note that in spite of similar GHz the CPU score is quite different, obviously the new CPU is a bit faster. The memory is DDR2-800 instead of DDR 400. Not much difference in the HDD even though it has gone from SATA1 to SATA2. The low graphics scores of the old PC being in large part due to Intel’s controversial decision not to produce WDDM drivers for the 915 chipset. The branding of these chipsets as “Vista Capable” led to a class action lawsuit against MS and Intel in the US.

The one other issue with the old PC in particular was noise. The new one is almost silent. I checked up with the old PC and found the case and CPU fans are particularly noisy. The CPU is the “Prescott” series with the infamous “Netburst” microarchitecture, which was notorious for the high thermal envelope and resultant heat output. It was this class of CPU that first made it necessary for cases to have an extra ventilation duct put into the side to allow the CPU fan to exhaust directly from the side of the case. Even with 2 GB of RAM the CPU fan runs nearly at full speed almost all of the time even at idle with Windows 7 installed. When I stopped those two fans, the power supply fan was fairly quiet. I rebooted into the BIOS hardware monitor and read off temp of 72 degrees C for the CPU and its fan was turning at 2600 rpm which is flat out. This in a room temp of 20 degrees and with the case completely open so plenty of airflow. In flat out burn in tests with the new box it never got above 55 degrees (frequently a lot less) and the fans only turned around 1100 rpm. Another dumb thing is the old box will not boot off a 160GB HDD, only an 80 will do for those old 915s. I am planning to take the old box to school, purely as a stopgap until we upgrade, because it is so limited that it won’t even run 64 bit editions of Windows.

Rebuilding My PC [3]

2010-10-03T18:50:00.001+13:00

Now that we have the board completed, the next task is to install it into the chassis. Your existing chassis should already have spacers installed, the board sits on these spacers to hold it up clear of the chassis. Check that the spacers are in the same number and positions as the board needs, if not you will need to remove or install spacers to suit. Carefully slide the board into position getting the rear panel connectors in place, you may have to bend tabs on the I/O shield to make it easy. Just slide the board around carefully to get the spacers to line up with the mounting holes. Then use a magnetic screwdriver and take it really easy and get the screws into the holes and carefully tightened. Don’t use a power screwdriver and don’t overtighten the screws. If your screwdriver slips and hits the board the chances are very high that the board will be fatally damaged. So take it real slow and careful here. Once you have the board fastened down, connect the power supply connectors. The usual requirement is the 2x10 or 2x12 for the main power connector and a separate 4 pin connector for extra CPU power (this is NOT optional, even though the connector looks the same as the extra 2x2 that gets tacked onto the end of the old 2x10 power connector). Modern PSUs typically have a 2x10 and 2x2 connectors that clip together for the main connector, as well as a separate 2x2 for the CPU connector. As sometimes modern supplies have replaced the 2x2 with a pair of 2x2s that clip together, you may find as I did with the Enermax that the pair of 2x2s will need to be separated so that one of them can be plugged into the CPU power connector on the board. Getting the main power connector in can be a little tricky, especially with this board where there isn’t adequate support under the connector, so you want to take it carefully to avoid bending the board too much.

The next bit of fun is to connect the front panel cables to the board. Typically there will be front panel USB and audio connectors, perhaps these days firewire or eSata could be installed, and there are also power and HDD lights, power switch and perhaps a reset button. The switches and lights will usually be on one set of combined headers, while USB and audio each have their own set. In this case the Foxconn TS001 shines out with the clear labelling of the various connectors. As it happened most of them seem to work so far although I haven’t tested out the audio jacks. I also put in an old DVD drive from my old PC and it had to be plugged into the IDE port.

Now for the moment of truth. Connect VGA, Keyboard, Mouse, turn the thing on and see if it comes up to the Bios screen. Then select the Bios settings and go into Hardware Monitor to read out the temps and fan speeds. I started off reading around 60 degrees C for the CPU which is probably in an acceptable range. If this all works out then install an OS and some kind of test and monitoring software (for example burn in software such as Burn In Test, temperature monitor software such as SpeedFan). Run the software for a reasonable time frame to give an acceptable burnin test period. This is an optional step, just one you might want to try to see that everything is working OK, especially that the heatsink and fan are doing their job properly and keeping that CPU nice and cool.

Finally, before you get the thing into use, tidy up inside the case. Typically you will need to reroute cables so that they have no chance of getting caught up in fans or other moving parts, and make everything look really neat and tidy inside.

This is my first blog post from the newly rebuilt PC, I’ll explain that further in the next post.

Rebuilding My PC [2]

2010-10-03T18:42:00.001+13:00

After the power supply, the next thing to do is to assemble and install the main system board. The board comes with an I/O shield which fits into a space on the back of the chassis and this has the cutouts in it for the onboard connectors. Which in this case are PS/2 mouse and keyboard, VGA, four USB ports, RJ45, and three sound minijacks. Uggh, I just noticed there is no serial connector, which means the GPS won’t be able to connect to it. The board has a serial header, but you need to get a slot bracket with the connector and cable mounted on it, or a USB to serial adapter. I have to think about this one; I don’t use the GPS much, but I will have to make arrangements for it one way or the other. I hadn’t thought much about it because hardly anything these days is dependent on the old parallel or serial interface connectors, but Garmin has a backward attitude and even a 2 year old GPS still only comes with a bog standard DE-9 serial port interface. I think I can find an old slot serial connector at work somewhere (we have a small number of very old towers lying around), or I could look at getting an external adapter as they are very cheap nowadays. Four USBs isn’t much these days. The board has headers for another four, of which the two built into the front of the chassis and the card reader’s one will give me three at the front for seven total, one more than the old PC. Intel does make some boards that have more USBs on the rear; this board is a budget model.

Putting the board together is pretty straightforward but you just need to take it slowly and carefully as there are plenty of bits on it that can get broken and can’t be repaired. The key task you need to do before you put it into the chassis is to install the CPU and fan. On older style boards (here I’m thinking really old, like Socket 370) it was possible to install the fan with the board in the chassis, though risky; the fan was held on with a metal spring clip that took a lot of physical force to hook/unhook, and I have vague memories that I may have killed a board once trying to get the clip hooked on, because I missed hooking it over the retaining lug on the socket and gouged the board instead. The LGA775 boards use a heatsink/fan assembly that has four posts that lock into holes in the board, and believe me, it is nearly impossible to lock these into place with the board in the chassis. So put the CPU and fan in before you put the board in. And buy the model of CPU that comes with a heatsink and fan in the package (unless you are an overclocker of course). Have a good look at the locking posts on the fan to see how they go down and lock in position, because I found the arrows on them were anything but helpful. Basically you need to start by turning the posts in the direction of the arrows, put the post in, push the top part firmly down and then turn it in the opposite direction to the arrow. When you push it down, it’s best to put your finger under the board so you don’t bend the board too much. Check all the posts are properly locked so the heatsink-fan isn’t going to fall off. Then run the power cable around the posts to the onboard connector so the wires don’t get caught in the fan. Of course you should orient the fan in the first place so there isn’t any excess wire to float around and get caught in the fan.

The not-so-flat board with the heatsink-fan assembly locked into place on top of the CPU. This appears to be absolutely normal with these boards, although you’d think they could have extra support under that part.

The assembled board with, in this case, the RAM in place as well. Although, that is easy to install later. The heatsink in the middle is the northbridge which needs it because of the onboard GPU. Fortunately the board comes with this heatsink already installed. This is a microATX board so it is quite compact.

Earlier picture showing the board without the CPU installed, this was when I thought I could put the fan on in the chassis, I was sorely mistaken and had to take the board out again to get the fan in.

This picture shows the CPU being installed, the load plate still has to be lowered.

Rebuilding My PC [1]

2010-10-03T18:35:00.001+13:00

Well, of course, we all know that PCs don’t last forever, and I am not interested in the extremist brigade that say you should try to get 8-10 years of life out of a PC. The way I see it is, a PC is obsolete after about five years and while it will still do some things, it is getting pretty slow and the parts are wearing out.

However, depending on how much PC standards have changed in that timeframe, it is possible to rebuild a PC into virtually as-new specification. There are some important considerations of course:

Whether the PC supports standard design components. Forget this idea if your PC was made by Dell, HP or IBM, etc. These manufacturers prefer to use proprietary case and board designs that usually can’t be upgraded. No, this series of articles is strictly for those who have purchased a locally manufactured PC using generic off-the-shelf components. My host system was built by Cyclone Computers. The chassis is a Foxconn TS001, the motherboard was also made by Foxconn (Intel brand) and the power supply was made by Enermax. All of these items are ATX standard and can easily be replaced or reused.
Whether the chassis and power supply in particular meet modern specs. These days the power supply requirement is ATX12V version 1.x as a minimum for the average type of board, although new PSUs are v2.x. The chassis of course should be ATX spec. Baby AT just isn’t going to cut it. If you are reusing a power supply check that the board you are planning to use matches the connectors available from the power supply. It’s also important to have SATA HDDs / DVD drives, although most new boards still have one PATA connector able to connect up to 2 drives, and even new PSUs still have Molex 4 pin power connectors.
If you use Windows, MS says you need to buy a new license sticker when you change the motherboard, because effectively this is a new PC. Of course this won’t be an issue with a free operating system.

In my case, this PC is 5 years old and the power supply spec happened to be ATX12V 1.x with the right connectors available. However I chose to replace the power supply with a new Enermax Tomahawk 400W supply, a bit of an overkill but pretty good value with the deal I got.

Assuming you need to install a new motherboard, the minimum number of parts you are likely to need is the new board, new CPU and new RAM, because the two latter components are often matched tightly to the board and as specs change so often, it is unlikely you could reuse an older CPU and RAM. However, I was pleasantly surprised to find that the 5 year old board (Intel D915GAVL) is still LGA775, the same as the new board (Intel DG41RQ) meaning the CPUs might fit each other’s board though whether they would work is another question. The new CPU is a Celeron E3300, a dual core with Intel VT hardware virtualisation and some other features supported. I bought 2 GB of DDR2-800 memory as well.

The first job was to remove all the bits from the old chassis, after which I put in the new power supply, just a simple job of doing up the screws.

Here is the new power supply in the chassis. Well, you can see in the picture that this photo was taken on the 23rd of March, which is just over 6 months ago. That was when I first started on this project, and there have been a few glitches and holdups since then. But now as I am writing this the task is nearly finished; the new PC is sitting next to me as I type this on the old PC at home, and as soon as I have finished testing and assembling the new PC and migrating the Windows 7 installation to it then it will be ready to go and to replace the old one (which incidentally uses the same chassis type as seen above, but it is a year older with a D915GAGL board inside).

Advanced MDT

2010-09-17T20:32:00.001+12:00

My production deployment of the Win7EntX64 image has had a few glitches we are looking into. Two deployments had errors, but two worked more or less as expected. I have started to leverage the VM produced monolithic images by creating custom task sequences to deploy them to other platforms, which is one way we can prove the benefits of using a system like MDT to set up our computers.

The next task is to see how I can package Windows XP Mode and a preconfigured VM with certain legacy applications into the custom image deployment task sequence so that it is all set up and deployed to certain platforms ready for use.

Another part of MDT is to use it to do backup captures of machines, something we do regularly with Ghost. To do this I set up another deployment share and customised it with a different path (to my backup share rather than my setup share) then put in a capture task and disabled the sysprep on it. Captures get started using the LiteTouch script on the share rather than using a boot CD so it is very convenient. The first capture with this system has now been successfully completed for backing up a laptop and the system will be used again with all the laptops that we need to return at EOL as well as the other occasions in which we back stuff up.

Switchcraft EH Series [2]

2010-09-16T19:45:00.001+12:00

We received our order today of the inserts and some plates we had also bought from Jansens to go with them.

Here is what one of these looks like straight out of the bag. You will see that the coupler looks like a standard VGA gender changer, and in fact that’s exactly what it is. This is good if you ever have to replace one of these, although the M/F changer is hard to find as it is actually a joiner, and I have never seen them in a supplier’s catalogue. The coupler is reversible when assembled (obviously only applies to the M/F type).

And here, assembled to a plate. It can only be front mounted unless you make cutouts in your places to clear the VGA plug locking screws. I had thought it would be necessary to do this anyway with the front mount as shown but the design of the thing is such that the screws don’t go on deep enough to have a problem with the plate behind.

Thanks to Jansens who have recently taken the Switchcraft agency as this EH Series design is pretty well unique especially with the range of different connectors (Neutrik produce RJ-45, USB and Firewire connectors in this XLR size insert style as well, but not all the other stuff that Switchcraft have come up with).

Building Windows 7 Enterprise x64 Image [5], Earthquake !!!!

2010-09-08T20:43:00.000+12:00

On Friday I wrote about the difficulty I was having in getting proper support for software for schools making their own Windows images for HP laptops. After a very long and convoluted process involving the IT Helpdesk, Tela Helpdesk and Axon, which is the Tela laptop repair agent for HP, I have finally had my enquiry passed onto HP where they have advised me that software discs will be sent out to me. The process has been quite difficult but I hope that the HP discs will arrive soon. There is still uncertainty as to whether these discs will include WinDVD and Roxio DVD Creator which are supplied on the Tela laptop images. As it happens Windows 7 Pro/Ent include DVD playback in Media Player and the new Windows DVD Maker software for authoring, so it is not so critical now in Windows 7. However I have determined that the 6730b disks did include Roxio DVD Creator and have copied this to my new installation so that I can get on with it.

So I am continuing to put the image together with the necessary drivers in MDT, Windows includes some of these but one that will need to be injected is the network card driver, the same as I had to inject it into the Windows PE image, otherwise the deployment task fails partway through when it needs the driver to reconnect to the network share that contains the task. There will be some other drivers and bits of software like on the 6730b laptops. We are just moving ahead to get the deployment finished and the laptops out to their users as quickly as possible.

One thing we are changing with Windows 7 on laptops is utilising Offline Files as a backup system for documents stored on laptops. Basically we change folder redirection policy to put Documents onto the server and then sync it onto the laptop for offline use. We also change the policy settings so that Pictures, Video and Music are stored directly on the laptop itself and are not part of the offline files sync. Offline Files has been around since XP, but was pretty poor then. It is better in 7, although some users are reporting issues in Technet Forums.

Today what time I was able to focus on work was spent getting the Probook 6550b specific task sequence ready for a test run tomorrow. Basically there are three specific parts to the task sequence:

Make the Windows 7 Enterprise x64 generic install image (operating system and software) which I described in previous steps. This becomes the basis of a custom install task sequence for deploying Windows to the target platform.
Inject target platform-specific drivers

Create a platform specific folder to store the drivers and import them to it
Create a platform specific selection profile and include the above folder in it
In the Postinstall group of the task sequence, following the generic “Inject drivers” stage, insert a new custom named “Inject Drivers” task and configure it to use the selection profile configured above.

Install target platform-specific applications

Create a platform specific folder to store the application items
Determine the means of automating each application’s installation
Add the applications to the above folder along with their silent installation command. Configure each application item by checking the box “Hide this application in the Deployment Wizard” to avoid distracting the user who runs the automated installation task.
Create a custom group for application install in the State Restore group of the task sequence (suggested positioning is just before the generic “Install Applications”
Insert an “Install Application” task into this group for each of the required applications. Configure each application install task by checking the “Continue on error” box.
Determine how many reboots are needed and insert “Reboot computer” tasks between app install tasks as needed.

Now, err, that more delicate subject – the Canterbury earthquakes. There have probably been about 300 shocks in all since Saturday morning, but things took a bit of a new turn today when a number of shocks started to be centred in the Port Hills on the outskirts of Christchurch – or nearby, such as in Halswell or Quail Island. This explains why the Richter 5.1 quake at 7:42, widely cited as the most severe aftershock yet, centred in the Horotane Valley, could have such an impact with its far smaller magnitude than Saturday’s 7.1. I daresay that it has come as something of a rude shock for Cantabrians when things have seemed to be returning to normal. Civil Defence closed all schools in the region on Monday and Tuesday, then extended this to the whole week, then relented and left it up to individual Boards to decide if they wanted to open before next Monday – we will stay closed until then however.

The practical effect of the earthquake has been to throw a spotlight on our backup systems. The power has been off twice and each time a typical pattern of UPSs running down to flat batteries followed by servers going off has occurred. This brings its own challenges, on Saturday one of the UPSs failed to restart properly so that the servers could not automatically reboot as they kept losing power during POSTing in an endless cycle. Also the ISA server firewall service does not start automatically on a restart which means it has to be started manually each time. The UPSs don’t seem to last very long which suggests either inherent low battery capacity or battery life expired in any case.

Building Windows 7 Enterprise x64 Image [4], Thin Client, Home Computer

2010-09-02T12:41:00.001+12:00

Firstly, thin client. The T5720 does have support for TS Gateway but in actuality is unable to run it, when flashed with the latest available XP Embedded image from HP. I am not going to delve too much into this but suffice it to say that with thin clients you are tied to the vendor for operating system support and if they can’t be bothered to support a particular functionality you are pretty well stuck. As I have not been able to get TSG functioning on the T5720 at the present, with our WS2008R2 RD Gateway server, I will just do some more testing to see if there is a compatibility problem with R2 by setting up a 2008 TS gateway inside our network. If this doesn’t work this is just another thin client I can use for something, albeit a more expensive one (the total amount I have spent on it to date is about comparable for T5720s in general secondhand, considering the extraordinarily low price I paid for the base unit in the first place). Whilst thin clients can generally run local apps quite well, the lack of space on the flash card (512 MB in this one) is a significant consideration with less than 100 MB free at the moment.

The home computer is progressing with the arrival and installation of the motherboard. In a day or two I will order the CPU and RAM.

The laptop image for Windows 7 Enterprise is still in progress as I need to get the software from HP. Whilst Toshiba are easy to get stuff for from the Laptop Company which is a domestic retail outlet, the HP agents Axon are a different kettle of fish to deal with altogether, being more geared towards the enterprise market. It has been previously quite convoluted with a big run around to find out how to contact the right person in Axon to get the software and at the moment what has been supplied is incomplete.

Tela have announced that in a couple of months they are switching over to Windows 7 on their laptops. Obviously we are still waiting to see the details. If what is shipped is x86 only then it will still be unsatisfactory as all new laptops with the amount of memory that is now being supplied should be shipping with x64. As such I expect to have to continue new laptop imaging until such time as x64 becomes supported on the standard desktops.

Building Windows 7 Enterprise x64 Image [3]

2010-09-01T18:21:00.001+12:00

OK so recapping. Getting on with Windows 7 x64 imaging installing feature apps, then another capture, then testing full deployment. After that it will be customising with 6550b deployment task and testing the outcome on a 6550b.

The pre release of Update 1 had problems but the production release looks like working satisfactorily so I am migrating the previous (32-bit Pro) deployment share to it. Overall impressions of MDT are that it does what it says and that it is fairly straightforward for someone like me who does not use it regularly to pick it up again for a new deployment project at irregular intervals.

As MDT can do full captures it is probably the straightforward means for backing up old laptops as well. I haven’t used this yet but will probably look at it with the transfer of old laptops with these new ones we are setting up.

My second x64 capture, this time with the full apps, failed at first with the error message saying “there is not enough space on the disk”. I remember this situation happening before with MDT. Part of the capture stage is to create a reserved partition that, presumably, holds the Windows PE boot image, which is then used to reboot the captured system in Windows PE in order to carry out the actual capture process. If this partition is already present from a previous capture stage then this error results. The solution is simply to go to Computer Management, Disk Management and delete the reserved partition. After applying this step the capture worked normally.

The next step was to trial deployment to a target platform, in this case the same laptop I used to deploy the first x64 capture image. Once again this took about 40 minutes to deploy. The image is now a little over 6 GB which compares to about 2 GB for the base OS installation. I am unsure whether that really means 4 GB of stuff was installed or whether one is compressed and the other isn’t etc etc. The deployment was successful and everything on the laptop works about as expected.

This completes our task of building reference 64 bit images for the present. The next step is to create a platform specific task for deploying the Probook 6550b which I expect will be a similar process to that used to create the previous deployment for the 6730b laptops.

Building Windows 7 Enterprise x64 Image [2] – Test Deployment Base OS & Core Apps

2010-08-31T16:07:00.001+12:00

OK, start deployment capture using MDT 2010 Update 1 capture platform. Apply Windows PE capture step fails. Capture task eventually reports 8 errors. Logs are written to C:\MININT subdirectories and %temp%\SMSTSLog folder and %temp%\smsts.log.

Try updating deployment share. Install 7Entx64 as OS in MDT. Update deployment share again to use new OS boot images. This time capture task is going OK. Can’t RDP into captured machine due to network disconnect during Sysprep. Continue with direct access. Capture completed successfully, 0 errors.

Test deployment to target platform (6550b laptop). Will try to deploy this image on MDT 2010 Update 1 instead of Gold. Received an error about networking driver not installed after starting the Deployment Wizard (The following networking device did not have a driver installed. PCI\VEN_8086&DEV_10EB&SUBSYS_1471103C&REV_05). Abort MDT2 deployment. Download Intel network drivers from HP, import drivers, update deployment share & burn new LiteTouch CD.

Retry deployment on 6550b. Wizard starts & connects OK. Wizard commences deployment @ 14:36. Windows 7 install sequence commenced. Deployment completed automated around 15:11.

Still have a few devices not installed with this image so the drivers need to be injected in a custom deployment task sequence which is some way off yet. Next step is to install Feature Apps into the deployment image, recapture, test this then create the platform specific task for the Probook 6550b.

Building Windows 7 Enterprise x64 Image / Home PC

2010-08-31T10:21:00.001+12:00

We have started deploying new laptops (HP Probook 6550b) with 4 GB RAM so x64 Windows 7 is the preferred OS due to 3.5 GB limit of x32 Windows. Previous image covered in the series of articles starting here was 32 bit Pro generic and specific, now building 64 bit Ent generic / specific. I expect most desktops hereon in to have 64 bit OS eventually standardising on this except special cases.

Basic deployment steps:

Deploy OS to target platform
Deploy “core apps” (Office, SEP, SMS, Adobe, Smartboard)
Capture generic x64 OS + core apps image
Deploy “feature apps” (e.g. Firefox, Google Earth etc)
Capture generic x64 OS + core apps + feature apps image
Either one of the following:

Deploy to specific platform for image capture & deployment

Deploy this image to specific hardware platform (Probook 6550b for example)
Make any specific hardware customisations
Capture platform specific image
Test image deployment

Create platform specific task sequence for deployment

Create specific task sequence
Inject platform specific drivers (in addition to Windows driver injection)
Install platform specific applications
Test task sequence deployment

The above is a summary of my experience to date in the MDT system as well as some possible options for future exploration. Obviously MDT is a specialised system that I need to have some knowledge of, but I am not an expert in this system as I do not use it every day. For deployment to specific platforms to date (only one so far) I have preferred to use a customised task and this will probably be the means implemented for 64 bit deployment. Also I have two MDT environments, one used for capture and the other for deployment.

Building new home PC continues with purchase of motherboard. Next month will buy the CPU and RAM hoping to complete assembly in a few weeks. Delivery of memory for T5720 thin client expected shortly so can test capabilities soon.

LCD Form Factor Trend Hype

2010-08-30T11:07:00.001+12:00

New laptops being shipped today have a native resolution of 1366x768. Previously it was 1280x800. Before that it was 1024x768.

Considering I can get 1280x1024 or 1440x900 on the desktop the trend to increase only the width of the screen while keeping the height roughly the same seems backward. Application and OS design favours horizontal toolbars which increase in size over time, for example the Office 2007 Ribbon etc. This then presumes that screen height will increase over time. However the emphasis of LCD manufacturers of late in base models has been geared towards increasing the width leaving the height essentially unchanged. The screen starts to look very cluttered when considering the height of these screens is essentially unchanged since the days of 17” glass, and that’s probably going back more than 10 years. Recently I was working on a HP 8510 laptop with a native resolution of 1680x1050 approx, a huge difference in resolution and one that makes the screen sizes of mid range business laptops look positively antiquated.

HP T5720 Thin Client

2010-08-29T13:38:00.000+12:00

This is my latest acquisition from Trademe, and a very good one at that – the T5720 is almost a current model (not quite) and this particular one was made only four years ago. Although this one, which cost me $83, has 256 MB of RAM, I have ordered some more for it in order to be able to flash it with the 2008 update of XP Embedded. This will give it RDC 6.1 capabilities and therefore I should be able to take it home and connect over my broadband to the school system via our RD Gateway.

Our evaluation of lower end TCs continues and it is likely we will have more in classrooms by the end of the year (we have just one at the moment). Presently while there is a reasonably high volume being offered on Trademe, some of the prices being asked are more than I would expect to pay. However one of the major vendors (Core Technology Brokers) has told me they would discount to schools, this company also offers warranties, and I would be therefore inclined to choose them over ad hoc dealings with one off sellers and small players which sometimes are inexperienced in this line of product, also they would have the technical knowledge to be able to answer the various questions I have had up to now. Based on my experience to date I would recommend the T5300, T5510, T5520, T5700 models as being those which have sufficient capability to connect to a 2008 RDP server inside a network. So far I only have used the T5510 and T5520 models. Both of these are running Windows CE which is very suitable for RDP use because it has just enough capability and you don’t need to muck around too much to set it up. Here is a comparison table of some of the key specs of these different models of HP clients. I am preferring just to standardise with HP thin clients for now even though there are various brands.

	T5300	T5510	T5520	T5700
CPU	TM5600 533 MHz	Crusoe 800 MHz	Eden 800 MHz	TM5800 up to 1 GHz
Flash ROM	32 MB	32 MB	64 MB	up to 256 MB
RAM	64 MB	64 MB / 128 MB	128 MB	256 MB
Graphics	Rage XC 8 MB	Radeon 7000 16 MB	S3	Rage XC 8 MB
Display modes	640x480 32 bit 800x600 32 bit 1024x768 32 bit 1280x1024 32 bit 1600x1200 16 bit	640x480 32 bit 800x600 32 bit 1024x768 32 bit 1152x864 32 bit 1280x1024 32 bit 1600x1200 32 bit	640x480 32 bit 800x600 32 bit 1024x768 32 bit 1280x1024 32 bit	640x480 32 bit 800x600 32 bit 1024x768 32 bit 1280x1024 32 bit 1600x1200 16 bit
Printer port	DB25	DB25	DB25	DB25
Serial port	No	DB9	DB9	DB9
Display port	HD15 VGA	HD15 VGA	HD15 VGA	HD15 VGA
USB ports	1.1 x4	1.1 x4	2.0 x4	1.1 x4
Network port	100 Mbps RJ45	100 Mbps RJ45	100 Mbps RJ45	100 Mbps RJ45
Audio	Internal speaker In/out ports	Internal speaker In/out ports	Internal speaker In/out ports	Internal speaker In/out ports
Keyboard port	USB only	PS/2 or USB *	PS/2 or USB *	USB only
Mouse port	USB only	PS/2 or USB *	PS/2 or USB *	USB only
OS	WinCE 4.22.144	WinCE 4.22.144	WinCE 5.04.595	WinXPe 5.1.212
RDP version	5.1	5.2	5.5	5.2

* Note: T5510, T5520 have only one PS/2 port, for either a keyboard or mouse but not both. Unsure if port splitter can be used.

There are many other models but I have chosen four models than can be priced somewhere around $100-130. We have screens that are either 1024x768 or 1280x1024, meaning any of these models would suit. Personally my preference from all of the above would be the T5520 which tends to be at the higher end of current pricing, being the newest model. However I would be just as happy with one of the other three models for our typical classroom situation (subject to testing). As you can see the main difference between the 5300 and 5700 is the OS. For RDP support Windows CE is perfectly satisfactory (make sure you have the latest version on your platform; I had to flash the upgrade to the 5520 I had bought to fix problems with display redrawing). Note that all of these only support 4:3 native display ratios. If you are buying new screens make sure they are specced for the above list of resolutions. 15” screens (1024x768) are just about unobtainable new now but there are still plenty of 17” 1280x1024 screens available new and both sizes will be available second hand for years yet.

Switchcraft EH Series Audio/Video/Data Connectors Now Available In New Zealand

2010-08-25T09:24:00.001+12:00

Back about two years ago when we were fully in the swing of installing projectors in our classrooms, I had to come up with a scheme for getting wall plates in for the VGA cables that connect projectors and laptops. Up until now all that has been available or easy to find has been a PDL or HPM plastic wallplate that can have a butchered plug screwed to it (see the series of articles here: parts 1, 2, 3, 4). There are some other brands of wallplate becoming available with different combinations of VGA adaptor and other connectors, but they are still hard to find, and some of them require the cable to be connected as bare wire ends (which is very fiddly to do with a wallplate, because you need some way of securing the cable to the plate to stop from breaking the wires off).

Switchcraft is a US manufacturer well known in the professional audio industry for their high quality connectors (XLR and others) and their approach to this market has been to develop the EH Series, which is a range of different types of audio, video and data connectors. Most of the audio/video connectors are of the feedthrough type, which is designed to be connected with a plug on both sides. They are very easy to install like this because there is no need to strip and solder wires onto terminals. As we prefer to install VGA cables that already have plugs fitted, the feedthrough suits our requirements perfectly as we just need to screw the plug directly onto the feedthrough and install it into a wall plate. The EH Series are particularly notable in that they are designed to fit within the profile of a standard panel mount XLR connector, and thus the inserts will fit into a wide existing range of panels already manufactured for the professional audio industry. Switchcraft product is now handled in New Zealand by Jansen Professional Audio, who can also supply the various panels and have recently begun to bring in small quantities of EH Series connectors; if there is not one listed on their website that you want, they may be able to order in other types. For a wall mount scenario have a look at this type of plate which is one of an extensive range they carry to handle various different situations. Jansen give substantial discounts to schools so these products are well worth looking into, particularly for control rooms and other situations where you may want to install these connectors into panels with other types.

Electrical safety standards falling

2010-08-23T23:53:00.000+12:00

This photo is of the inside of a well known and supposedly high quality (Australian) brand of plugbox which I would have unhesitatingly recommended to anyone until recently. Observe the earth contacts on the two left hand sockets, which have a much wider gap than the two on the right. The left hand pair are in fact not making contact with the earth pin on any standard 3 pin plug and this came to notice because the plugbox failed when connected for testing in a Portable Appliance Tester. This plugbox is less than a year old and the two left sockets would have each done less than 100 insert/removal cycles.

Since I have many older plugboxes which have withstood considerably more cycles and are more robustly built (yet were not expensive in their day) I asked the authorities in this country why this design was allowed to be sold in New Zealand and pass our national electrical safety certification standards. Their only response is that “these products are not designed for this type of use”. To which I would ask “why not”? Effectively what we are told is that it is acceptable to sell a plugbox that is designed and built so cheaply that the integrity of the safety earth cannot be guaranteed. Here in words is the requirement of the safety standard: “In New Zealand (and Australia) the EPOD is a declared article, requiring formal approval by the electricity Regulator before legal sale. In order to gain approval, each model of EPOD is tested and inspected to a specific AS/NZS safety standard that a New Zealand and Australian committee of industry experts and Regulators have produced to ensure that EPODs are safe to use.” If the above is an indication of what is required to pass this standard then it is very poorly written or does not mandate durability. Probably this is in part because the standard does not mandate sufficiently a minimum standard of construction.

As the public at large would not have access to Portable Appliance Testers most people would be unaware that a plugbox which is by all appearances in good condition, could have sustained internal damage that renders the integrity of the safety electrical earth invalid. If that is the case then why are there any requirements for the design of plugs and sockets in relation to the earth pin and earthing as safety mechanisms for appliances? The failure of this plugbox was detected as part of an inspection and testing regime for New Zealand schools that is mandated by the Ministry of Education. It appears there would be a strong case to advise schools that these devices must be considered failure prone and potentially unsafe with a short working life.

Offline Files in Windows 7

2010-08-21T22:26:00.001+12:00

Offline Files is a technology that was first introduced in Windows XP. And it was pretty much of a dog back then. We did experiment with getting some laptop users to have it running, because we hoped it was going to make automated backups of their stuff. The problem with the earlier versions of Offline Files are things like, if the server got changed around, Offline Files stopped working. Not long after we started testing, we changed from a Linux Samba DC to a Windows DC. That was the end for Offline Files because there was no obvious way to tell it how to change the location of where the files were, or to sync its existing cache to a new location, or something. There were other problems as well, but I’ve forgotten, however I think it gained a certain unenviable reputation in the industry, and my response to it was to configure a group policy for our whole domain to disable it.

In Windows Vista, Offline Files became part of the Sync Center and this has continued in Windows 7. We didn’t have enough laptops running Vista to get around to trying out OF before we started moving to 7, and then I was advised that OF has become a “mature product” in 7, worth implementing for that backup type of system again. So that is what we are doing. In order to get the best out of OF and especially with a laptop that is connecting to a server, I am setting up new Group Policy objects for folder redirection and OF settings. The user’s Documents folder will be redirected to the server and automatically cached by OF, but their Pictures, Videos, Music and Downloads folders will be redirected to the local profile so that these bulky items don’t consume sync bandwidth or server space. Folder redirection is per-user, but in order to ensure that it only applies to specific computer usage (i.e. Windows 7 laptops), it will be configured as a loopback policy. OF settings is either per-computer or per-user, and in this case it will be configured per-computer.

Login delays when processing Group Policy Printer Preferences – Vista/7

2010-08-18T19:23:00.001+12:00

This has been a recurring situation ever since we started with Vista and Windows 7. Basically when the user logs in, if verbose login messages are disabled (a GPO setting), they just see “Please wait”. If verbose messages are enabled, they see a number of different messages about policy processing, but the one that is most relevant here is that about Group Policy Printer Preferences (I forget if that is the exact words used). It is not at all unusual to see this taking up to an hour or even more to get past this message. In this instance there is not a print services log on the terminal server (which is the computer being logged onto in one case, by a thin client).

At the moment it is most likely I will have a look at the settings of each printer in Group Policy Preferences because the GPP printer item settings now work better if the option to “run in the local user’s security context” is selected as I referred to not very long ago in another context.

UPDATE: I have spent a bit of time working on this today, and it’s still not resolved. The particular situation that is especially relevant is logging on to a terminal server using a thin client. Not only are these delays continuing to occur, but if the user has disconnected from the terminal server session and then tries to reconnect later, they get a message saying that the terminal server can’t log them on because it is currently processing a connect, reset, delete or <something> operation. This operation apparently lasts forever because they keep getting the message even days later. And the Terminal Services Manager doesn’t have their username listed in its list of disconnected sessions.

The next step will be to try changing the login to a RDSH server that is running a different edition of Windows to see if this is related to particular editions of TS, and looking to see whether this problem is specific to TS. However I have seen similar sessions of delay involving other computers lately, it is a Windows Vista/7 specific happening. Like the Windows 7 print problems we had recently, this is turning into a very complex multifaceted problem with no clear answers that will end up taking an inordinate amount of my time to solve. As operating systems get more sophisticated and have more features added, they are also getting more complex and we end up spending a lot more time solving problems on them.

The RD server is currently installing 2008 SP2 to see if this helps the situation.

Security & Networking Questions for Windows Users - [1]

2010-08-12T17:15:00.001+12:00

Here is some useful information on the security of computers which are connected to a network. This is phrased in a Q&A format to try to give a good understanding of how computer security works, and how this changes when connected to networks. It applies to most versions of Windows but some information may be applicable to other operating systems.

First part is to look at a standalone computer, like a laptop or a home computer, that is not connected to any network (including the Internet or any wireless connection). Please note that security permissions are not supported by Windows 95, 98 or ME. Any user of these operating systems always has full access to the entire computer contents.

Q: How can I control who can log on to or access my computer?

A: You can create individual accounts and passwords for each user in the User Accounts control panel.

Q: If I have given a separate username and password to each user of my computer, can anyone who logs on using a different username and password, get access to my files?

YES if you have Windows 95, 98 or ME installed.
YES if you have granted certain Rights (such as Administrator) to any of those other user accounts.
YES if you have set security Permissions on any folder that will allow those other user accounts to access the folder or any files in it.
YES if you have given the Administrator account password to another user.
YES if you have stored files in locations other than your personal folders and have not changed the default security permissions. (By default, all users of a computer can access any folders except for personal folders. An Administrator can change the access rights however)
NO otherwise.

Q: If I have saved files onto a pen drive or external hard drive and I lose that, can some other person access those files?

A: YES (even if you have set security permissions on those files to prevent another user from accessing them, any Administrator of a different computer who plugs in your drive can get access to those files)

Q: If I lose my laptop, can anyone get into my laptop even if they don’t know the administrator password?

A: POSSIBLY. There are a number of techniques that can be used to crack administrator passwords on a local computer. Generally, for this reason, Microsoft recommends that you disable the administrator account.

Q: If my laptop doesn’t ask me to put a password in when Windows starts, can I set it up to require a password?

A: YES.

Q: If I log on to my computer with an Administrative account (either Administrator username, or an account that has been given Administrative rights), can software install itself on my computer or make changes to my computer without my knowledge?

YES if you have Windows XP or older
YES if you have Windows Vista or later AND you have disabled the security feature called “User Account Control”
NO if you have Windows Vista or later and you have not disabled the “User Account Control”. In this case this feature will cause a message to pop up asking you if you want to allow changes to be made to your computer.

Part 2 of this series will cover the situation of a computer connected to a corporate network (business or educational institution etc).

MUSAC System Files 32 Bit Installer for Unattended Install

2010-08-11T15:43:00.001+12:00

This refers to the 32 bit system file distribution for Musac Classic Jan2010 Secondary package (2.0.2008.4).

There are two different MSIs that could be extracted from the install package to be considered for unattended installation. Since Musac appears not to want to support any unattended / automated installation (it is specifically noted as such in the documentation) I’ll have to try to break down

Do the standard routine of starting the installer, going to your temp folder and copying the extracted MSI file to somewhere (54603 KB).
Use the instructions supplied to do an “administrative install” which extracts a large number of files in specified folders and another smaller MSI (28356 KB).

Neither MSI will do an automated installation when pushed to a computer using the Software Installations Group Policy settings. The installation will simply freeze and not allow the computer to pass the installation stage. Every test platform has had to be “rescued” by removing the GPO in GPMC and then resetting so that it can complete the Computer Settings (system startup) stage of Group Policy without hanging.

Double clicking either MSI produces a request for more information. The smaller MSI states it will not run on 64 bit systems (a fatal error is produced for the MDAC 2.8 install, since these components are x86 only and have been superseded by WDAC, this level of the installation is not able to deal with that). Running the full executable (EXE) install is apparently functional on a 64 bit system but requires more checking to see if it is compatible (the documentation states this is a 32 bit compatible installation only). The larger MSI produces a similar experience to the full EXE and it appears that this EXE merely launches a fully interactive installation in the MSI, rather than acting as the user interface front-end to an MSI which performs only the installation steps with default responses. This appears to be the primary cause of the failure of this MSI to install unattended.

Errors from 64 bit install:

CTL3D32.dll must be placed in the Windows directory or similar
Error 1904: Module C:\Windows\SysWOW64\CPWCTL32.OCX failed to register. HRESULT –2147220473.
Error 1904: Module C:\Windows\SysWOW64\Cp5ocx32.OCX failed to register. HRESULT –2147220473.

Although I have Orca available it is not practical to use it with the MSIs without knowing how to force default settings in the customisations.

My next step will be to try the 64 bit installation on Windows Server 2008 R2 which is our RD server that would be used for staff remote access, once I have a better understanding of the technical issues.

UPDATE: Report for Windows Server 2008 R2 (64 bit as R2 is now not available as x86).

Installation as above except only the error for CTL3D32.dll was received.

Print Spooler Problems [3]

2010-08-09T12:50:00.001+12:00

With the problems still happening after all this time and the number of users affected it is looking very much like the Window 7/2008 compatible drivers won’t work with Windows Server 2003 print servers. Print queues on a 2003 print server are having serious problems but queues on a 2008 server are unaffected. Next step is to switch all the print queues to a 2008 server with any Brother queues using Winprint instead of BrPrint.

At the moment I am also trying 2008 R2’s feature of isolating the difficult Brother driver as well. I’m holding my breath to see if it works.

Unfortunately since applying some of these changes to my own accounts I am seeing an increasing trend of my computers taking a very long time to complete the application of GPP printer settings in particular, the dreaded extremely long GPO processing that is a “feature” of Windows 7 and Vista. This demands an article of its own to try to analyse what is happening (we don’t see this to the same extent, if at all, in XP). I have thought that it may be due to needing the policy settings to allow unattended printer installation but the computers concerned are in the correct group so a lot more work is needed to try to nail down what is happening. There seems to be a similar effect on other elements of system startup (e.g. System Event Notification Service) so perhaps it is just coincidental.

Sugar on Windows?

2010-08-06T21:25:00.001+12:00

In a previous post I referred to the refocusing of the OLPC project. Part of the reorganisation was to split off the Sugar shell from the core OLPC project, at which time Sugar Labs became separate and has developed the shell in its own right for a number of platforms. Since there is so much expectation of the merits of Sugar as an educational tool, it would be reasonable to expect that one day it will be ported to Windows and be able to run upon many more PCs worldwide than is currently the case.

At the moment with the lack of a proper port, there are several options which produce only a demo view of Sugar:

LiveCD
LiveUSB boot
Virtual machine
Emulator

I have played with the last two in particular. In theory the virtual machine would be an option but it is one that would have to be physically installed on each computer in turn. This is because Oracle VirtualBox, while it contains its own RDP server which can allow connections directly to VMs, it is not a session host server like Windows Remote Desktop Services is. This means one instance of the VM cannot spawn multiple RD sessions to allow each user to have their own shell instance of a VM.

The second issue is that the virtual machine is set up with one single virtual hard disk file which is quite large, some 540 MB at the present time. I don’t know if the shell can save data to this file and thus save the user state between sessions. If it can, then the only way of backing up this session is to copy the entire large vhd which is rather inefficient. If it was expected that a user would have data that is worthwhile to be saved and the virtual machine is capable of saving it, then the first enhancement necessary is to have a second vhd to save the user data. With a bit of work this file could be specified in the VM settings to be on a network volume and therefore a user would be able to retrieve their session while in different locations.

However everything I have written herein is somewhat speculative as it is not clear whether the VM edition of Sugar is intended to be usable in a production setting or is just another demo edition.

Another option is if this system can be made to work on a Linux terminal server (LTSP), it could be functional for any clients that want to connect, the sticking point so far seems to be whether it requires to be netbooted from the server or can just start a session in the OS’s RDP client. PXE requires more work to set up and it precludes user switching between two different terminal servers if there is more than one on a network. From my POV the PXE boot would be more complex and tricky, from my POV the whole point of virtualisation (whether session host or VM) is to avoid having to change boot configurations.

Print Spooler Problems [2]

2010-08-06T12:03:00.001+12:00

Well I am doing more work on this today to see if I can get a solution for my Windows 7 users (including myself). And it turns out that print driver isolation is exclusively a feature of Windows Server 2008 R2 only. And I have only one R2 server in the whole school, which is also our Remote Desktop and RD Gateway server. So I will have to try out some print queues on that, less than ideal so I will have to get another R2 license eventually.

The interesting thing was that after I had installed the printer on the RD server and isolated its drivers, it is using WinPrint instead of BrPrint. When I installed another HL5140 onto a standard 2008 server it is still using BrPrint. So the isolation system must force the WinPrint processor to be used.

Another possible workaround, which I am also going to test, is to change the existing print queues to use WinPrint instead of BrPrint. I guess the root problem is that Brother has not updated BrPrint to be compatible with Windows 7. The drivers provided are for Windows Vista or 2008 at the latest. It may turn out there is a compatibility issue with BrPrint on Windows 7 and this is not going to be fixed by Brother because this printer is too old. At this stage I don’t have any experience of what happens when you change print processors so we will try out both options side by side to see.

OLPC refocuses on education

2010-08-05T14:11:00.001+12:00

It is good to see OLPC is refocusing themselves on an educational project rather than the political aspects of their previous format. At the end of the day it should be schools’ individual choice of what systems they want in their schools and having OLPCs able to run a variety of OS platforms and software, along with their Sugar interface being able to run on a variety of OSs, will be a winner for the education market. It is a simple reflection of the fact that there is very little in reality between different hardware and software platforms and open hardware platforms allowing a choice of OS and software are the way to go. Keep politics out of education always.

Sugar running on the QEMU emulator on Windows 7. Next step: VirtualBox virtualisation of Sugar. And hopefully we will see WinSugar soon enough, because isn’t that supposed to be what Open Source is all about?

Live@Edu successful after 4 months use

2010-08-05T14:07:00.001+12:00

As referenced previously we migrated our staff from onsite Exchange Server to Live@Edu in April and haven’t looked back since then. Around 30 staff are hooked on using Outlook 2007 or 2010 to access all parts of their Exchange mailbox on Outlook Live, and using the webmail where necessary. A few staff are sharing their own calendars or contacts with other staff. Outlook 2010 adds some useful enhancements including password caching and free/used space display for the hosted mailbox.

One issue that came up was with the updating frequency of calendar events, which is important when users are sharing calendars used to book appointments etc. I found there are some group policy settings covering these which are found in User Configuration\Policies\Administrative Templates\Microsoft Office Outlook 2007/Tools | Account Settings\Exchange\Cached Exchange Mode with three entries to do with sync, upload and download times. We set all three to 60 seconds and have had no further concerns about sync time. The policy settings say there are defaults of 15-60 seconds for these settings, but it was unclear whether the remote server could override them.

Essentially because all email (except for internal between user accounts on the same domain) is always reliant on external servers such as those provided by ISPs, concerns about the reliability of hosting mail externally are not really significant and in any case the Live@Edu solution has been reliable with the most issues being local connectivity.

Install software via Group Policy

2010-08-05T11:16:00.001+12:00

Automated software installation via GPO is a low end remote admin tool which does work sometimes provided an MSI file can be used. If the installation is internally MSI based the file can be extracted and used to perform the automated installation, this is easy to do by running the installer executable, looking in %temp% for the temporary folder that contains the MSI and copying it to a network share. Then deploy the package, this can be frustrating (choose the Advanced option since you get the most choices about how to deploy the package).

The actual scheduling of installations via GPO is rather unpredictable and it can take several days before all the target computers will have completed installation. If you have a remote events console or subscriptions to the target computers, look for events from source Application Management in the Applications event log, event ID 302 indicates a successful completion of installation. Even if this is indicated it is not always certain that a usable installation has resulted, as automating an MSI installation is not guaranteed to work out the way you want to, depending on the settings which the installation designer specified when they built the package. Package settings can be customised using the Microsoft Orca tool.

Printer Spooler Problems

2010-08-04T19:25:00.001+12:00

A user has had numerous problems with the Print Spooler in firstly Vista and now Windows 7. The same laptop in both cases, each OS was a clean install. They were the only staff user on Vista (apart from myself) for quite a while. Vista print spooler crashed often for them with particular print drivers. We have a number of 7 users and computers none of which are having same problems.

All of our laptops are configured using Group Policy Preferences and receive the same set of printers. These are per-user printers which are Shared Printers under the GPP classification. There are 2 print servers; one running WS2003SP2 and one running WS2008SP2. The 2008 server was recently Hyper-V virtualised from a physical server. Some time before that the 2003 server was similarly virtualised. The 2008 server is a DC; the 2003 server is not.

Seen to date:

Dialog box “Test page failed to print. Would you like to start the print troubleshooter? The Print Spooler service is not running”. Even when it is running.
Similar message saying the print server’s print spooler service is not running. Even though it is running and no other user has had any printing problems.
Event log events 365 with text “Windows could not load print processor BrPrint because EnumDatatypes failed. Error code 126. Module: BRPP2KA.DLL. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.”. Even though the printer the user is trying to print to does not use this print processor, and it is not listed as a print processor for any printers in the Print Management administrative tool.
Event log events 602 with text “The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-21-1131366045-2363284717-2431634961-2688\Printers\Connections\,,DC02,C8 Photocopier 1045 PCL. This can occur if the key name or values are malformed or missing.” Logged for a number of different printers.
In the case of this particular laptop there are 1708 print service events logged in just 48 hours of which 1703 are Errors.
Investigation is that the BrPrint print processor is in fact used by some Brother printers, particularly the model HL5140, but not used by others.

Remedies tried to date:

The laptop was rebuilt with Windows 7 replacing Vista. The user’s profile was copied over from Vista to 7.
The user’s profile was dropped and a new profile created, then the user’s documents, pictures, music etc were restored, but not their AppData or other application data or system files.

Next step:

Next step is to isolate the user account into its own test OU in ADUC and configure GPP to delete all the current printer connections and install only nominated printers excluding any Brother printers.
After that if there is still a problem we will look at dropping the user account and creating a new account.
We may look at changing the print processor on the server for particular printers that use BrPrint, even though it is hard to prove this is the problem.
The registry key errors might be related to the SID of the user account and it’s possible creating a new account with its new SID might resolve this particular part of the problem.

More Info [1], [2] – both of these suggest that a print driver problem is the cause.

UPDATE 1: I soon found another Windows 7 user at our site having the same problems. And digging into the event log on my own computer found masses of the same type of error logged. So it appears that there is just a difference on how this problem presents to the end user, not that it is happening. The events are logged in the Microsoft-Windows-PrintService/Admin log, which is one of the new extended logs that are provided in Windows 7 and which greatly expand upon the logging options in previous versions of Windows. At our site the BrPrint processor is only being used by the Brother HL5140 printer which is a fairly old model now, problem is I have two of them. So the first step to try is updating the drivers on the servers to the latest available.

UPDATE 2: In the meantime I tested the most difficult user by applying a GPP to remove all their printers, then another GPP to install just the printers that aren’t from Brother. So far this has been successful so it will be applied to all the affected users. After that I will be using a test configuration to test out Brother drivers.

UPDATE 3: In theory driver isolation should help with these problems. Driver isolation is a new technology that was introduced on Windows Server 2008 and Windows 7 which enables individual print drivers to be isolated from being able to affect other print drivers. The main issue is that most of the print queues are running on a 2003 server so the next step is to move some of them, particularly the suspect ones, to a 2008 server.

RDC 6.x on HP Thin Clients

2010-08-03T18:54:00.001+12:00

If you want your thin client to connect through a RD Gateway then it must support RDC 6.0 or later. Even if you aren’t using RD Gateway (for example on an Intranet) it will let you use 2008 RD Services out of the box with NLA enabled. RDC 6.1 client connecting to RDS 7.0 server may support some of the new capabilities of the RDP 7 but not all of them. Still, RDP 6 would allow a thin client to be at a remote site connecting to a server over the Internet which is an attractive option for some situations where you might want to provide a remote logon for people who haven’t got a computer or where you/they don’t want to spend the money for a full PC.

HP thin clients will need to be running XP Embedded or Windows Embedded – some of the cheaper/older ones run Windows CE or various editions of Linux which only support earlier versions of RDP, typically 5.2 (or rdesktop 1.6 which is effectively the same). At the moment from the best I can tell you should look at the HP T5730 or later models such as the current T5740 – the 5730 out of the box should support RDP 6.0. XP Embedded and Windows Embedded are updated from time to time so there may be an update to the version of RDC available in a particular thin client, the latest version of XP Embedded for the T5730 is 5.1.860 but so far I haven’t got info on what is in it. This edition of XPe is also available for the older HP T5630 thin client and according to the release notes, contains “RDC version 6.0.6001, which supports RDP version 6.1”. RDP 6.1 will give you Remote Apps and some other stuff over RDP 6.0. I am looking at buying a T5630 or T5730 if I can get one at a reasonable price on Trademe, to try out at a remote site for personal interest.

FOOTNOTE: Windows CE 6.0 R2 also supports RDP 6.0. Windows CE 6.0 R2 is the operating system deployed on HP T5540 thin clients (a current model) and the older T5530. However it looks like RD Gateway is not a supported capability on the Window CE 6.0 R2 Remote Desktop client.

Also the T5720 thin client will provide “RDC version 6.0.6001, which supports RDP version 6.1” with the 5.1.710 release of XP Embedded, the device requires a minimum 512 MB RAM to run this satisfactorily but HP recommends 1 GB. However I would guess that the amount of RAM is less significant for RDP due to its low resource demands.

Fibre is coming…

2010-08-02T18:52:00.001+12:00

A thrust borer has been here putting in a duct from the street. The fibre will come in. Then it will get connected up. Then it will get plugged in. At the moment you wouldn’t necessarily do it for the Internet because data rates look to be much the same as they are for broadband. You’d do it to get connected to the KAREN network (other schools, universities and the Ministry of Education). You could use the Ministry’s e-asTTle system without being bottlenecked over broadband. You could use an online SMS from a vendor without worrying about data charges or congestion. You could pool with other schools and get a shared server into a new datacentre that is being built in Christchurch which only charges for electricity at 61c a unit.

Hmm

2010-08-02T18:44:00.001+12:00

http://www.stuff.co.nz/technology/digital-living/3979817/A-mobile-teacher-in-the-palm-of-your-hand

Does technological advance have all the answers? NO. Each new technology is a mixed blessing. We should not become carried away on the sea of technological development and become oblivious to its hidden impacts. For me there is nothing that technology can do that can replace the intimacy of spending personal time with family or friends. Likewise in a classroom there is a huge benefit from social interaction between the teacher and the students that isn’t possible in distance learning. Technology can’t replace the physical experience of going to church with 500 other people, either, or the special times of personal prayer with God.

Ricoh Aficio PCL Drivers

2010-07-30T15:20:00.001+12:00

No significant record of problems with Aficio 1045 or 3045 either PCL or RPCS.

Problems started with using PCL drivers for Aficio MP C5000 colour copier with popup user code customisation by Ricoh NZ. Some users had difficulty printing from Word / Publisher etc but OK when file converted to PDF and printed in Adobe Reader.

After 64 bit driver was added all Windows 7 users started having problems with all printers.

After popup and standard PCL drivers were updated to latest version 3.2 many users had printing problems.

Currently are working around by deploying RPCS drivers with hardcoded popup codes which is working for Windows 7 users & will be deployed to all users.

FOOTNOTE: We are using Group Policy Preferences to manage all our printers.

Testing DPM 2010 Evaluation

2010-07-30T15:14:00.001+12:00

Probable (preferred) backup solution:

Low end dedicated backup server (Intel entry server SC5299, S3210 board, Xeon, max 8 GB RAM, RAID-1 disks, Promise EX8350 8 port SATA disk controller) - $2000 - $2500

Stardom SOHOtank 4 tray removable disk array (eSATA)

Evaluating DPM for 180 days.

Automated agent deployment unsuccessful so far (probably firewall problems). Trying to install agent on WS2008 virtualised DC manually unsuccessful so far. Manual install agent onto a Windows 7 workstation succeeded. Workstation added to protection group and configured.

I think issues are already coming up with DPM’s design. Had hoped to be able to use NAS but DPM doesn’t support it. The big problem will be if using removable disks, will have to test with Sohotank as possibility exists that DPM won’t be able to cope with removal of disks. If so then look at other software.

UPDATE: Firestreamer can be added to DPM to work with removable storage. Will check further.

Agent install success on Hyper-V host server. Attached successfully. Requires KB 948465 (i.e. Service Pack 2) and KB 971394 installed on WS 2008 Hyper-V server. SP2 already installed. 971394 installed. Still getting prereq error mentioning above two updates on attempt to create protection group and add Hyper-V partition.

BackupExec is the alternative solution with various workarounds to keep cost down and simplify. For example taking a virtual server offline then backing up VHDs as alternative to expensive 1-size-fits-all-license for Hyper-V online backup component.

Wiping old laptops’ disks before return / loading RAID drivers on Server 2008

2010-07-29T18:27:00.001+12:00

Use DBAN (www.dban.org)

The old version 1.0.x doesn’t always work but there is a newer version 2.2.6 beta available which works well (tried on Toshiba S200 so far).

If installing Server 2008 on a box that needs RAID drivers the process is vastly improved from 2003 which could only access a FDD. 2008/R2/Vista/7 can load drivers from various locations including pen drive. However 2003 drivers will not work, they must be 2008/Vista at minimum.

Group Policy Preferences Deploying Printers Tips

2010-07-29T18:13:00.001+12:00

Using Group Policy Preferences to deploy printers and getting “Access denied”: ensure the printer’s security permissions include Full control for the System user.
Using Group Policy Preferences to deploy printers to Windows 7 / Vista computers and getting event ID 4098 with message “The RPC server is unavailable”: on the properties of each printer item that you are deploying, click the Common tab and ensure the box “Run in logged on user’s security context” is checked. For security reasons this is preferable to disabling User Account Control or the MSKB 937624 solution bypassing LSA checks.

Blog Angst & Random Notes

2010-07-29T12:07:00.001+12:00

What should this blog be about? I’ve decided it will just present technical info / tips / notes in abbreviated format – quicker to write – NO POLITICS OR COMMENTARY ANY MORE – can’t be bothered.

Who needs Facebook etc or iPhones or iPads. Why do we need all this technological development. Where is it taking us. Life is devalued by requiring an inexhaustible supply of cheap labour in undemocratic countries.

Primary school is good to work in because their technological needs in classrooms are not very demanding. Most resources here go into teachers’ needs.

Drivers for Windows Server 2008 unavailable for LSI MegaIDE onboard RAID controller on Intel SE7230NH1 board only 4 1/2 years old = useless technology companies that stop supporting things after about three years. Ditto MS (Windows Server obsolescence).

Need a download manager? Use VisualWGet hooked into Firefox with FlashGot extension. Very reliable and fast now that we download so much large software files like complete OSs. Better than Download Express that I used for years, recent versions are unreliable.

Ideal backup hardware solution: looking more like a NAS/NSS server (Seagate or Western Digital). Testing SCDPM2010 on a test server. Looks very good so far.

Automating Windows 7 Installations [6]

2010-07-08T21:02:00.001+12:00

Following our prototype deployment of Windows 7, we now have five laptops in regular use with this OS, along with Office 2010, with few if any significant problems showing up. This includes switching one existing laptop running Vista to Windows 7. Office 2010 has a lot of improvements, especially in Outlook which has adopted the Ribbon for the first time. An example that applies across all the Office applications is the Print section of the Backstage view (File tab of the Ribbon) which has a whole lot of useful options that can be set without opening a separate dialog box. In addition to five laptops now running Office 2010 on top of Windows 7, we have one other running Office 2010 on XP, and there will be more of these as time goes on.

Meanwhile I am continuing MDT development in order to iron out a few issues, mainly in getting applications to deploy unattended successfully. It would be nice if HP could ship packages for their laptops that all install as part of a normal driver installation process (Windows plug and play driver detection) because it would be so simple to deploy these in a one step driver injection process. However that isn’t the case and the result is I have to try and work out how to make the installations work unattended. At the moment I am (hopefully) finishing off the deployment task sequence with testing on a Compaq 8510, but still using the 6730 drivers at the moment. MS today released the Update 1 to MDT 2010 in production form (rather than the Beta I tried earlier). I have installed this onto the VM that was already running the Update 1 Beta. For the moment I am continuing to use the MDT 2010 gold VM for deployment development and the Update 1 VM for capture tasks only.

The latest install was mostly successful except for one minor popup issue that has now been addressed, and a problem with the automated Lightscribe installer which still has to be checked out. This time around all the HP specific apps (except LS) were installed automatically without requiring user intervention. This was done by using unattended install batch files provided by HP in the standard installation files in some cases, in other cases by using extracted SP files rather than the SP executables themselves together with standard Installshield or Windows Installer command line switches. So it looks like this MDT deployment process is a pretty good plan for deploying a new OS with apps. I have also started using ImageX to back up laptops instead of Ghost. I use GImageX to simplify some parts, including mounting an image on my desktop computer to extract stuff from it. So in general it does look like MS’s deployment and imaging tools work well and are a good replacement for third party tools.

Automating Windows Installations [5], Data Ownership in Major Databases

2010-06-25T13:52:00.001+12:00

This has been a big project for us, starting from scratch to get a Windows 7 image built for our particular uses. At times it has been kind of overwhelming. I wrote before that monolithic is out and componentised is in. However the simple fact is that no single solution will suit all requirements. After my previous experience of being unable to create a monolithic application, I tried componentised, then when that didn’t seem to be going anywhere, I tried monolithic again with a freshly built image on a virtual machine this time. Applications got installed in two stages – the optional or “Feature” applications that staff like to have (like iTunes and some specific teaching situations) and required or “Core” applications (antivirus, Office, etc). Both capture stages were completed successfully leaving me with images that could be successfully deployed to test platforms. The next step is to deploy to a production environment, our laptops, so I created a deployment sequence to add the hardware specific drivers, and the specific additional applications just for these laptops. At the moment the first production deployment is completing and has just had two minor glitches so far with dialog boxes popping up that shouldn’t be there. I think the model we will follow in the future is to build the monolithic image on a generic VM for the base OS and applications for a specific scenario and then customise it to the specific hardware with the drivers and any related apps. The great advantage of this scenario is being able to use the VM to customise the image and therefore I don’t have to have an example machine at hand to test it on, although one will have to be borrowed for the production deployment test. This time around the settings I specified in the deployment wizard were applied (joining the domain etc) so that is also good. With the particular image we are using at the moment, the base OS + apps image takes about 40 minutes to be installed and the platform specific apps take about another 40 minutes. We are currently using MDT 2010 gold to do everything except sysprepped captures and MDT 2010 Update 1 beta to do the captures. I guess the total experience has been for a similar amount of time as our first Vista image but in this case being a lot more repeatable and reusable so learning MDT will be worth a lot more to us overall.

The other issue I am writing about today is data ownership in major databases. The biggest database that a typical NZ school will have is their Student Management System, which I will use here as an example. There is a tendency to think of applications in terms of the old file based DB approach where each application has its own data and tends to use it exclusively. For those of us with DBA experience that is not taking advantage of the key advantages that databases have to offer, mainly centralisation and ease of management. However most vendors are well aware of this in providing the capability to export data for other uses and, in some cases ODBC access to their backends. One of the important considerations is being able to allow other applications access to a major database such as an SMS, and being able to take that data to another product of the same type (e.g. another SMS) if for some reason you need to change vendor. An SMS vendor should be prevailed upon to give you, at least, read-only access to all of your data, and full documentation of its functionality and how it uses the data. Our experience of Integris being that both of those requirements were fulfilled – the documentation has not always been complete but enough information was available to begin with to enable me to link two specific reporting applications into Integris to analyse PAT and other assessment data (STAR, WL etc), using Integris as the data entry frontend, and Microsoft Access to do the reporting.

The important consideration in getting free and full access to your data, particularly to all of it, and to proper documentation, is that at some future stage you may need to switch, for example, an SMS, as your requirements change. Having your data locked into the vendor’s proprietary format with sparse documentation can make it difficult to switch to another SMS as easily as you would switch an operating system or other general purpose application. To a certain extent the specialisation of SMSs is part of the problem, but vendor lock-in is a consideration that needs greater attention from the powers that be. I understand that there is official interest in getting NZ SMS vendors to move to client-server architecture, which gives better options for sharing SMS data. Within a school locally this can still be ensured if a backend provides access to other apps using a standard interface such as ODBC.