VoodooV

ok, so when I lock my desktop workstation, Windows, of course, displays that the workstation is locked and that my user id is logged in. When I hit ctl-alt-del to unlock the workstation, I am taken to a screen where it shows my user name and I am prompted for my password. This is good. But on my laptop, when try to unlock the workstation, it takes me to a different screen where I see two icons, one is for my user, the other is for my smartcard. now sure, if I just hit enter, it defaults to my user account and then I enter my password and I'm fine. How do I get it so that I don't have to hit enter, and it behaves the same as my desktop? My first attempt was to merely disable the smartcard service, well sure, that turns off the icon for the smartcard, but it still shows an icon for my user account. I still have to hit enter, and THEN i can enter my password. I then did some google searching and found this: http://technet.microsoft.com/en-us/library/jj852183.aspx and that SEEMED to work at first, when I hit Win+L to lock the workstation, then unlock it, it took me right to the password screen instead of the icons, but after rebooting, when I go to unlock the screen, the icon changes from my user to "other user" I then found this: http://social.technet.microsoft.com/Forums/windows/en-US/16378967-8a39-4aef-85e4-d859a71648d3/hide-user-accounts-on-windows-7-logon but that seemed to have no effect. I realize this is a very minor thing, in fact, It only seems to have occurred recently, but I just lived with it. My users are starting to notice this now which is prompting me to look at it again, but I haven't found any solution yet. Thanks in advance!

because USB access isn't even the real issue. The main issue is getting around the PGP encryption (which I can), but how do I get WinRE/MSDaRT to see the system restore points? MSDaRT sees the restore points on an unencrypted drive just fine. PGP has a command line tool to authorize myself to the drive so that the C drive is visible but I need to somehow "reset" WinRE/MSDaRT so that it too recognizes the C drive and System Restore can get to what it needs to get to. I've got this same question out on Symantec's forums for PGP and I haven't gotten a response there either. I've seen two articles that say that all you have to do is reload winpeshl after authorizing and everything will be seen. That's great, but it doesn't work for me. It's certainly possible that i'm missing something, but Im running out of things to try short of starting completely from scratch.

yeah, diskpart is in MSDaRT. Already tried diskpart and rescan. no dice. what I'm currently doing is using the DriverView utility to compare what drivers get loaded in WinPE vs what drivers get loaded in MSDaRT and see if I can use drvload to load the missing drivers in MSDaRT. I also ran NET START to compare what services are running, but they appear to be identical. DriverView: http://community.landesk.com/support/docs/DOC-23264

I think I sorta see what's going on. I just don't know how to get around it. after I run the pgp command line to authorize myself to the C drive. I can see the C drive now, but I have to somehow get WinPE/RE/MSDaRT to recognize that the C drive is available and to look there for system restore points. That was my understanding for why you have to run WINPESHL.EXE when I run WINPESHL.EXE it appears to start over and it appears to recognize the C drive and it even asks me for the admin password to authorize myself to the windows installation. problem is, running WINPESHL.EXE seems to kill a bunch of needed services and loaded drivers because I noticed that after I run WINPESHL.EXE, I can no longer see my network card or USB drive. So it seems as though running WINPESHL.EXE got WinPE to see the encrypted C drive, but maybe it killed some driver or some service that system restore needs to work? I did some reading and my understanding is that wpeinit is supposed to re-scan PnP and load drivers but it doesn't seem to do that, at least not that I can see. How do I reset WinPE back to it's default state after I authorize myself to the encrypted hard drive and re-load all drivers and services so that system restore has what it needs? EDIT: after more investigating, it appears that MSDaRT doesn't load the usb drivers period. I never noticed before, but even prior to running WINPESHL.EXE, the USB stick is not recognized, wheras WinPE apparently does. so that's something else I'll need to figure out how to add to MSDaRT

I apologize, I'll try to be more clear. A while back, I built a WinRE 64bit stick (based on WinPE 3.1) The goal was to have a recovery option for our encrypted Win 7 64bit laptops if they should ever fail to boot. I installed the pgp tools to the WinPE image so even though when you first boot up to WinPE, you can issue a command line to authorize yourself to the encrypted drive and the C drive can be viewed/explored/read etc. details are here: http://blog.uvm.edu/jgm/2011/05/13/microsoft-emergency-repair-disk-pgp-and-windows-system-recovery/ Here's the thing though, even on an unencrypted laptop, I couldn't get the system restore to work on the WinRE image. More recently, I started fooling around with MSDaRT 8 64 bit (Windows 8 based), unfortunately I'm not able to add the PGP tools to that because apparently PGP doesn't support 8 yet, but even on an unencrypted laptop, System Restore seems to not be able to see restore points. Because of the PGP issues, today I built a MSDaRT 7 64bit image (Windows 7) That one, however IS able to see system restore points on an unencrypted laptop, however, when I add the PGP tools and try it on an encrypted laptop, even after authorizing myself to the C drive, it can't find any system restore points. I can see how PGP can be interfering with things, and using Win8 tools on Win7 could cause an issue but what I am baffled about is why it can't see system restore points even on un-encrypted laptops. the WinRE 3.1 image should be able to see the system restore points on a Win7 laptop

My google-fu is failing me so I guess I'll ask for help. I've been messing around with WinRE 3.1 I made a bootable USB disk and eventually I tested out System Restore, but for some reason, it cannot find any system restore points. I reboot normally and boot back into Win7, and launch System Restore there, sure enough, it sees plenty of restore points. I even create a brand new system restore point. I boot back into the WinRE stick and still, cannot find any system restore points. I thought maybe it had something to do with the PGP encryption we've got on our laptops. I did add in the PGPWDE tools into the boot.wim and I can authorize myself to the disk so that it can see the drive, but I thought maybe something there was still interfering but I tried the WinRE on an unencrypted laptop and it too cannot see any system restore points I also built a MSDaRT 8.0 stick today, but it too cannot see any restore points. Any idea what I could be missing? Thanks in advance!

If the policy keys don't exist anymore, then you need to create them, as the reg hack will do. I've deployed this reg hack to over 500 computers. It works. The update tab disappears. not even admins get bugged about updates anymore.

Yeah, it works and blocks the applet from loading (well sorta, but more on that in a bit), but IE still prompts that the website needs java and offers to override the block. IMO, the problem isn't necessarily java, but IE seems to love overriding blocks you put in place. I haven't seen an option to get it to stop prompting to override, I've seen an option to block the entire info bar, but I don't really want to do that. And yeah there is a security option to not run java applets but it seems to be disregarding that too as I set it to disable, but it prompts anyway. One thing I noticed about the page you linked was that they had that embedded applet to check your version. when I go to the page with the plugins supposedly blocked, it still knows that I have an out of date version which tells me that it didn't completely block the applet from loading. but when I go here to test if the applet loads, the applet is NOT able to determine my java version. It's this sense of unreliability is what's prompting us to completely remove java to get rid of the browser plugin and just push out the java files as part of the java app deployment

OK, so let me give you some history. Our programmers have a number of java apps. When they originally developed them, they put the jar files and an old version of JRE directly on the network so that all we had to do was grant them access to the network location and make a shortcut. This worked fine for a while, but when the use of the apps expanded to include our remote office users, the network performance was such that it literally did take minutes for the apps to start. So we started installing java locally for the users and re-did the shortcut so that it used the local copy of java, but the jar file was still on the network. This improved performance for everyone drastically. But as you probably know, the increasing number of java exploits out there and especially this most recent exploit has started to cause some issues. We did have a handful of Blachole infections last month. That's when I discovered that IE8 on Windows7 absolutely refuses to NOT run java applets. Disable them in the add-ons section of IE? Runs them anyway. Turn off the plug-in in the Java control panel? Runs the applets anyway. Fortunately, I did find the registry keys necessary to prevent Java Applets from running, but even though that does appear to work, IE still chimes in with the information bar and lets the user know that the website wants to run Java and lets the user override the block. I have yet to find a way to prevent that java applet info bar from appearing. disabling java applets in the security settings section of IE appears to not make a difference. Now I don't want to turn off the information bar completely, I just don't want it to offer to override the blocking of java applets. It appears that you can't install Java without the plugin, there apparently used to be some switches to disable the plugin during installation but they appear to be deprecated. It appears that what we're going to do is to remove Java, but still copy the JRE files over manually (well, through a script) so that the Java apps can use the files locally and the plugin won't be installed, period. I'm just curious how others have handled situations like this with Java and the browser plugin.

Yeah that's how I did it for my new Windows 7 Enterprise SP1 sysprep. I *wanted* to do it through DISM as well, but i never got it to work so I gave up and just incorporated it into my base sysprep image.

If you go to your list of approved updates, right click on the column headers and select "supercedence", then you can sort the list based on supercedence and decline anything that is superceded by another update and cleanup tool will then clear out the declined updates. It's my understanding that the cleanup tool is SUPPOSED to auto-decline superceded updates, but it never has for me, so I googled it and that's how I learned to get around it since other people apparently had the problem, so every month after I synchronize, I sort by supercedence, decline anything that is superceded, then run the cleanup tool.

We just run a reg hack (or you can push it out through group policy) after installing java Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy] "EnableJavaUpdate"=dword:00000000 "NotifyDownload"=dword:00000001 "NotifyInstall"=dword:00000001 The update tab for Java will disappear with this.

You don't know how tempted I am to do that. But since it would affect everyone, not just our agency, I'm not about to mess with that (and my livelyhood). And yeah..I just took a peek, I found the sysvol policydefinitions folder on our domain. Oh so tempting! I'm no MCSE though and I see multiple domain controllers out there so I'm not going to mess with it myself Besides, I'll derive more pleasure out of demonstrating to the powers that be that they need to keep up with our standards...again We found out who to contact to update that stuff so it should just be a matter of time now. Thanks for pointing me in the right direction gang

I was wondering if this wasn't more suited for the server forums, sorry about that. Unfortunately, I don't have access to our domain controllers. We're a state agency and it was decided a few years back that a central agency would control everything so our agency is just an OU in the big state domain. We do have our own 2K8 R2 w/SP1 servers, but they aren't domain controllers. I tried loading up RSAT on one of those servers but I didn't get the options there either. Last I heard, their DCs are 2K8 R2, but I have no idea if they have SP1 or not. Do you think it's a lack of SP1 that's causing the issue? If I get ahold of the domain admins, it would be nice if I had an idea what would fix it. EDIT: I moved on to the next set of settings and it appears they are missing too: There should be a group of settings called IPv6 Transition Technologies that should be under Computer Configuration\Administrative Templates\Network\TCPIP that just aren't there for me. when I was researching this, I got the impression that all those settings are stored in those ADMX files on the local machine. Do our domain admins just need to update the admx files on the DC? I know can do this through registry edits, but it would be tedious as hell EDIT2: loaded up local group policy editor on my Win7 box. The settings are there. so I guess I do have a way to automate it now. I'm still thinking I aught to talk to our domain admins about this though since these are security features that are rather important

I'm trying to create a group policy for Windows 7 to enable various security settings to create a NIST USGCB baseline. There are two settings under Computer Configuration\Policies\Administrative Templates\Network\Network Connections: Require Domain users to elevate when setting a network location Route all traffic through the internal network but these settings simply do not appear for me. I have only four items available to me: Windows Firewall (folder) Prohibit installation and configuration of Network Bridge on your DNS domain network Prohibit use of Internet Connection Firewall on your DNS domain network Prohibit use of Internet Connection Sharing on your DNS domain network My google-fu is failing me when I try to find any explanation as to why those two settings are missing. I checked out the NetworkConnections.admx file that's on the local pc that I'm creating the GPO on and I do see references to the two settings in question, but they just don't show up for me to configure them. Now I know when push comes to shove, I know the registry entries that they ultimately modify so I know I can resort to a registry edit if I have to, but I'd like to understand why those settings are missing. I tried updating my RSAT, I tried updating the ADMX files, I've tried editing the group policies from a 2K8 R2 server, but no luck. Any ideas? Thanks in advance!

So what is the deal with the SRT package? I know it was witheld from the Vista AIK, but why isn't it included in Win7 or in the supplement? So how do you go about adding WinRE functionality to a WinPE 3.X image? I've got a good set of WinPE files going, PGP encryption, secure deletion, etc. and I'd like to expand the usefulness of WinPE by adding these recovery tools. I tried adding WinPE-SRT_en-us.cab which is part of the AIK but it won't let me. so I assume I need to have WinPE-SRT.cab. It's my understanding that a WinRE base image is pretty similar to a base WinPE image so am I just better served by creating a WinRE image and adding all my customizations to that instead of WinPE?

I finally figured out why I was having so much trouble with the 3.1 supplement. Turns out the iso was about 1/10th the size of what it should. I didn't notice it right away because since this was just an update, the smaller iso didn't raise any suspicions for me. So I go to download it again and I STILL get a smaller file. Third time was the charm however and all is well now.

Success! It was the MSD drivers. Once I got the 32-bit drivers added through DISM, the rest was a standard diskpart of: select disk 0 clean create partition primary select part 1 active assign letter=c: format fs=ntfs both the dellafdt.exe tool and the paragon disk tools confirm that the partitions are properly aligned. The only other thing I had to do was use dism to add KB982018 and the updated 64bit RapidStore drivers after laying down my Win7 wim image. The only remaining issue is just what I mentioned before about copying over the WAIK supplement and getting the error about not supporting symbolic links. Anyone got any clues on that one? I'll try installing it on another machine to see if I can recreate the issue EDIT: Thanks Tripredacus, I'll remember that. I didn't see your post until after I updated the wim with the 32 bit drivers so the 64bit drivers are still in there but it appears not to have caused a problem. Ultimately I want to get on WinPE 3.1 AND build a new Win7 SP1 sysprep image that has all this stuff pre-added in. but this at least gets me moving forward and understanding the factors at play here.

oh snap...I think I might know what happened. We use Win7 64-bit. But our WinPE is 32 bit. and when I added the mass storage drivers for RapidStore...I used the same 64 bit version drivers that we use for my Win7 image . Tomorrow i'll get the right drivers and use DISM to add in the 32-bit drivers and see if that clears it up.

I was concerned about this too. I thought that WinPE didn't have the right mass storage driver. Dell's documentation of AFHDD also refers to making sure you have the most current MSD drivers http://www.delltechcenter.com/page/Deploying+Dell+systems+with+Advanced+Format+Hard+Drives#fbid=f0S9sYjriTs So I downloaded the RapidStore drivers from Dell. All the documentation I saw about adding mass storage drivers to WinPE talked about adding entries to a winpeoem.sif file in WinPE. I could not find this file for the life of me. (supposed to be in system32, but I couldn't find it anywhere) It later occurred to me that all that documention might have referred to older versions of WinPE so I used DISM to add the drivers to the boot.wim file. It claims to have added the drivers successfully...but how do I verify this? Is there a WinPE equivalent to Device Manager? I tried going into diskpart and doing a "detail disk" on drive 0 but none of the information seems to pertain to what driver it's using. As a side bar. I have been trying to get on WinPE 3.1 in case that's the solution to this problem, but I'm also running into a weird problem there. I'm on a new computer so I downloaded both WAIK and the supplement isos. I mounted the isos with MagicISO and installed WAIK, then mounted the supplement iso, but when I run the xcopy command to copy over the supplement files. I get an error in the middle of the copy process that the target does not support symbolic links. Anyone know how to fix this? My google-fu has failed me on this issue too! Is there anyway to get a WAIK that has the supplement built right into it? I'll have to run those diskpart commands tomorrow afternoon. so I'll get back to you then.

The version reported when I run diskpart is 6.1.7600 the error I get when I do that alignment of 1024 is "The specified alignment is not a multiple of the sector size" Just for grins I tried 4096 too but same error. I checked the registry. all the alignment entries are set to "0x00100000" except for "less than 4gb" which is "0x00010000"

Ok, We've got some new Dell Latitude E6420 and E6520 both with Advanced format drives. I'm currently using WinPE 3.0 patched with KB982018 and used DISM to add the current Intel Rapid Storage drivers to my WinPE USB stick. But what I'm not getting is how do you create a partition with Diskpart that is AFHDD aligned? I read online that you can "create partition primary align=1024" but this doesn't work. is this something I have to go to WinPE 3.1 for? I've searched through google and I haven't found squat. The only thing I've seen works so far is to make a misaligned partion, deploy my Win7 wim file and realign it later with Dell's paragon tools. But how do I use diskpart to align the partition correctly right out of the gate so I don't have to use those Paragon tools? Thanks in advance!

Thanks! I'll give that a try this afternoon. It's not just this one computer, it seems all of our Windows 7 computers that have printers deployed by GPO have this issue. Assuming that moving the computer object to a different OU that has inheritance blocked clears this up, How would I fix this for the future? Also, the printers are deployed on a per-computer basis if that helps at all.

domain account that is a member of the local Administrators group. our AD is such that we don't have control over the domain, we are given an OU on the domain and we put our own OUs and workstation/server/user/etc objects under that. The server that the printers are installed on are ours, as are the workstations, but the domain we put them on is not ours to control. The GP objects are created and maintained by us