As I finish up version 1 of InstallRunner, I went to set the UAC setting for “Require Administrator Privileges”.  I did that, and got this error:

Doing some research*, the cause of the error was that I did this:

By default, uiAccess is false.  I changed it to true.  I’m not sure why, ignorance perhaps

What does uiAccess do anyway?

(more…)

Windows 7 x32 RC.

This happened as soon as I started Microsoft Excel 2007.  Given that I was running several VMware machines and memory was running a bit low, I wasn’t worried.

But if I was still running Vista, I’d be applying Hotfix KB938194

Was asked to comment on a Vista upgrade proposal some time ago, as I’ve been around the block once or twice with SOE designs.

Reading through the proposal document, from a Microsoft Gold Partner no less, was this gem:

“We’ll create a ‘Power User’ group on the Vista PCs.”

WTF???

If you have read my previous posts about Power Users, you’d know my response.  For those which have not …

A POWER USER IS A USER WHO HAS NOT GRANTED THEMSELVES ADMIN RIGHTS … YET.

The Corporate Consulting Bozos who wrote the report think it’s a great idea.  It will get around the heartache of re-packaging “legacy” applications.

Even though, Vista has technologies built right in, to cope with shonky old applications.

There are some other “gems” in the proposal, which will guarantee on-going work for the Consulting Bozos.  Via the use of proprietary tools.

If you’re a business customer, thinking about making the upgrade from Windows NT4/2000/XP, I’d be waiting for Windows 7.

By all means, plan and test with Windows Vista, and then take the lessons that you learn, to apply for your Windows 7 rollout.

Here are 2 and a bit reasons why:

Reason 1 – Offline Domain Join.
“Offline domain join is a new process that computers that run Windows 7 or Windows Server 2008 R2 can use to join a domain without contacting a domain controller.  This makes it possible to join a domain in locations where there is no connectivity to a corporate network”
- Offline Domain Join Step-by-Step Guide

… locations where there is no connectivity to a corporate network

Such as PC build centres, or virtual machines (Windows 2008 R2 based servers for example)

Microsoft also make the point:

“… If there are any problems with the (normal – online domain join process) domain join, such as network connectivity problems or problems associated with necessary servers that are offline, the problems have to be diagnosed and resolved at that time.”

In other words, your PC deployment process STOPS until you fix the problem.  With Offline Domain Join, it removes one less failure point.
Additional italics’ words are mine.

Reason 2 – Bitlocker To Go.
USB memory sticks are a data security nightmare.  You put data on them, then lose them, or leave them where people can read them.  So what’s the solution at the moment?

1. Deploy the same encryption/decryption software, such as Truecrypt, to all computers in your organisation.
   (what do you do if you have a Sales Exec who wants to share their presentation with a customer, at the customer site?
   how do you recover the data, if an employee gets hit by a tram?)
2. Use the “”security”” software which comes with the USB memory stick.
   (not standard across your organisation.  requires Administrative Rights to install)
3. Use a Secure USB memory stick.
   (expensive to buy.  cheaper than data loss, granted, but how many non-IT managers consider that?)

Windows 7 has Bitlocker To Go (BTG).  This Microsoft blog post has more details.
Long story short: Bitlocker encrypts the USB memory stick, places a BTG access program on the drive, and away you go.  You can read BTG files on any Windows Vista (or later) computer.

Reason 3 (the bit reason) – Group Policy Preferences.
Group Policy Preferences are just that, preferences.  And it’s a useful feature.  In a corporate environment, preferences are used every day.  Such as mapping drives as part of a logon script.

Now you can, and should, read the Microsoft whitepaper to see what they think are the benefits, but here are 2:

1. Mapping drives.
   Don’t need to program this in a scripting language anymore.  No more discussion around “Should we continue to use DOS Batch/Kixtart, or go to VBscript/Powershell”.
2. INI file updating.
   Based on the user’s location even.  I spent time in previous years writing and maintaining “Localisation” scripting.  Localisation is the process of changing how the computer behaves when you change location.  Simply put, if I travel from Melbourne to Perth for the day, I want to download my updates from the Perth office, not the Melbourne office.
   You can update registry keys as well.

Group Policy Preferences Overview

Is really easy with Windows Easy Transfer
(http://www.microsoft.com/windows/windows-vista/features/easy-transfer.aspx)

I’m a fan of the clean operating system install, rather than an operating system upgrade install.
The bad thing about clean installs is that it removes all of yours, and any other users settings.

You can here the complaints now “I’ve lost my favourites” whinge whinge whine whine.

Windows Easy Transfer can help here.  It can transfer all your settings, documents and pictures across to the new computer.  EVEN computer encryption certificates (EFS and Internet certificates).  Certificate transfer is a BIG THING, as the other Microsoft product, USMT, couldn’t do this, until recently.

Backing up

You get three choices on how to transfer the files.  I picked the “CD, DVD or other removable medium” because I had an external hard disk, and was formatting the current computer (aka, a bare metal install).

You can password protect your backup file.  It’s a good idea, but don’t forget the password.

You’ll be asked what you want to transfer.  I picked “All user accounts …” as there were several accounts on this Windows XP computer.
Important point: make sure you have the passwords available for all the user accounts, as you will need them later.

Windows Easy Transfer now goes off and checks what can be transferred.  You will see this screen.

You’ll remember that I selected the “All files … ” option.  When it says “All files … “, Windows Easy Transfer goes out looking for everything, including external hard drives.  I’ve deselected them here, and the transfer file size changed from 497GB –> 17GB.

Here are some of the Windows settings which will be transferred.

Clicking next will kick off the transfer file creation process.

And,

you’re done with the export of your data files and settings.

Restoring

… shows the start of the restore process.  Remembering how I said, choose which accounts you want to transfer, this is why.  You have to map an old account to a new account.

Yes, you do get to see what is going to be restored, but you don’t get a choice to unselect.

The transfer is complete, and gee, we transferred a lot of files.

This is the end of the process.  Windows Easy Transfer will ask for the password of each user you transferred, when they logged on.  This is so any encrypted files, and web site security certificates, can be used in Vista.  It’s a great feature, as the any other way would see you lose encrypted files and certificates when you backup.

Done!

Things to note:

1. You need to know the passwords, or have access to them, for the accounts you are backing up.
2. Only backup those accounts that you need to.  When you are running the restore process, you don’t get a choice of what accounts you are going to restore.
3. Only backup files and settings you actually need.  That’s because you don’t get to choose what you can restore.
4. For picky users, screenshot their desktop so you can get the same look and feel in Vista.
5. While you should not have to, I’d recommend backing up the security certificates for each user you are transferring, separately.
   (here’s one step on instructions http://www.stanford.edu/services/encryption/desktop/windows/efs/backup_xp.html)

I have dozens of Virtual PC/VMware images, and can never remember the password for the things.

A cleverer guy than me (Tony Cinanni) suggested this solution:

Set a “Password Hint”.  Works with Vista as well.

To set a password hint:

1. Start the User Accounts Control Panel applet, which you can find in the Start Menu / Control Panel / User Accounts
2. Select the account for which you want to add a password hint (in the above shot, you can tell it’s LimitedUser)
3. Click Change the password.
4. Enter your password in the two locations and enter your password hint (ie. in my example above, it’s the password), type your password hint, and click Ok.
5. Done!

To fix,

Short version:
Under the
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
registry key, create 32-bit DWORD value named LocalAccountTokenFilterPolicy, and set it to 1 .

Long version
See the How to Geek for the detailed instructions.

1. Open a command prompt (as administrator).
2. Run "cscript c:\windows\system32\slmgr.vbs -skms IP_address_of_KMS:1688 && slmgr.vbs -ato"

Videocast seen over here.

It was worth an hour of my time.

Some of the highlights:

• If you’re going to deploy it and expect it to run on four year old hardware, wellll, it’s not going to operate very well.
• Vista SP1 made a huge difference to performance.
• Using the latest drivers is key.
• In the corporate environment, never upgrade. Rebuild the PC instead.
• Set expectations.  If a PC boot is taking 6 minutes, it’s not a “”Vista”” problem, your PC has a problem.  You need to get it fixed Mr. End-user, by telling someone.
• Review your Group Policies.  Do you really need synchronous blocking enabled?
• 64-bit Vista is best for systems with >4gb memory and the workload to support it.
• Defragging makes no difference on a SSD drive.
• Defragging on a normal drive doesn’t make much difference.
• Xperf toolkit will allow you to trace the entire Vista boot process.
• Task Manager has a new option, Resource Manager, located in the Performance tab.
  ”Hard Faults” are virtual memory faults which result in disk I/O being performed.
• Start with a clean image.  Vendor OEM images add value, and sometimes decrease performance.
• Autoruns is a better tool to use than MSconfig.
• Don’t disable SuperFetch.

The other speakers were Stephen L Rose, Michael Boyd, Doug Miller, David Straydee, Gabe Auld, Ed Bott & Celine Allee.
Apologies to those people who’s names I have mangled.

Trying to install my Lexmark X215 multi-function printer results in this error message under Vista:

I don’t know the actual cause, as I have 3GB of memory installed, but this workaround works:

1. Select “Add New Printer”
2. Select “Local Printer” instead of “Add Network Printer”
3. Select “Add New Port”
4. For the port name, type in the network path to your printer.
   ie. \\homeprintbox\lexmark
5. Click Next, and follow the remaining prompts.

And this is not the only way to resolve the problem. Over at VirtualTechSupport.ca, Simon writes about another way to solve the issue.  The printer he was having problems with was a Samsung ML-1710.
VirtualTechSupport.ca: Error when connecting to a shared printer with Vista