Fine Grained Password Policy in WS2008; Virtualising Servers in Hyper-V; Windows 7 WAIK; Integris on Windows 7

Before Windows Server 2008 your Windows domain could only have one password policy for the whole domain, even though the password policy settings appear in any GPO. Only the settings in the Default Domain policy would actually be applied. One of the advances of Windows Server 2008 is to allow multiple password policies to be applied, generally to a specific group of users. The official UI isn’t too hot just yet. I used a tool from Christoffer Andersson as an alternative to the tedious process of setting up the password policy in ADSIEdit (which requires certain fields to be encoded in a very specific way). The domain functional level must be at least Windows Server 2008. This is readily accomplished since we now have two WS2008 DCs, but I had to raise it from WS2003, where it was when DC01 was a WS2003 R2 server. Then I started testing it out. One small but important point to note is that just putting a user into the group doesn’t force them to comply immediately. The policy is not actually enforced on an existing user until the next time they change their password. So the way to ensure this is to check the box for a password change at next logon in the user’s account settings each time you add a user to the group. The FGPP will let us have a stronger password policy for remote login users to ensure there is less chance of their account being compromised.
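
The same steps can be scripted. The following is an added example, not part of the original post and not the tool mentioned above; it assumes the ActiveDirectory PowerShell module (shipped with the Windows Server 2008 R2 administration tools) is available, and the group name, policy name and all policy values are placeholders.

```powershell
# Added example: group name, PSO name and policy values are assumptions.
Import-Module ActiveDirectory

$groupName  = 'RemoteLoginUsers'   # hypothetical global security group
$policyName = 'RemoteLogin-PSO'    # hypothetical password settings object

# FGPP requires a domain functional level of at least Windows Server 2008.
$mode = [string](Get-ADDomain).DomainMode
if (@('Windows2000Domain','Windows2003InterimDomain','Windows2003Domain') -contains $mode) {
    throw "Domain functional level is $mode; raise it to Windows2008Domain first."
}

# Create the stricter policy. A lower precedence number wins on conflict.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '0.00:30:00' `
    -LockoutObservationWindow '0.00:30:00' -ReversibleEncryptionEnabled $false

# Link the policy to the group rather than to individual users.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Existing passwords are not re-checked, so flag each direct member for a
# password change at next logon. That flag cannot be set on accounts whose
# password never expires, so report those instead of failing on them.
$members = Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties PasswordNeverExpires }

foreach ($user in $members) {
    if ($user.PasswordNeverExpires) {
        Write-Warning "$($user.SamAccountName): PasswordNeverExpires is set; not flagged."
        continue
    }
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
}

# Confirm which policy each member actually resolves to. No output for a
# user means the Default Domain policy still applies to that account.
foreach ($user in $members) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    $effective = if ($pso) { $pso.Name } else { 'Default Domain policy' }
    '{0,-20} {1}' -f $user.SamAccountName, $effective
}
```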

We set our TS up from scratch again by making it a virtualised server. This is another step in the direction of making all our servers virtualised, running under Hyper-V. By the end of the year instead of four physical servers, we will have two Hyper-V servers running about six virtual servers. In everyday use the workload of the virtual servers will be distributed across the two servers, but if one of them breaks down then in theory the other should be able to pick up most of the load. I am really looking forward to having everything virtualised because it nearly means an end to downtime when a server has to be shut down. Just move the VM to another server and have everything back in action real quick while maintenance is performed at your leisure; in fact the maintenance can be done in ordinary working hours.

This week I downloaded the new WAIK for Windows 7. That was something of an ordeal. It took four goes to get it to download completely so that it would install. Finally I managed to get one that would work, and that’s a big thing with a 1.7 GB download. As I am installing it on an x64 workstation it will only be able to build Windows 7 images for x64. I’m also installing it on Vista x86 on the Vista boot disk of my dual boot Vista-7 workstation and that will be able to build x86 images should that ever prove necessary. The Vista disk also has Windows PE 2.0 already on it from the previous WAIK and I have used this a lot with boot CDs and very recently learned how to inject drivers into it, which came in handy big time when I had to ghost a server with special RAID drivers. We are, however, not likely to build any new images for anything except Windows 7 x64 now because it is my full intention to only use x64 because that is the way of the future.

I am looking at a more expensive option for rebuilding my home PC. This is to go for the bleeding edge and choose an LGA1156 board and CPU, which is superseding LGA775. Since LGA1156 is pretty new, it is still relatively expensive; these options will push the overall cost to about $500. The board does have other useful higher end features like DVI and HDMI outputs and eSATA connectors, but not FireWire, which one of the LGA775 boards I looked at provided. Obviously the more powerful the system is, the longer it will be of use. I am about to order the power supply (Enermax Tomahawk 400W) which is $80. I have recently purchased a new Acer 17” screen which is a huge step up for my home computer over the Philips glass CRT.

If you use RM Integris Classic SMS in your school, you’re probably wondering about its compatibility with Windows 7. When I was testing the 7 RC, I tried the install of Integris onto x64 and found no problems. I was therefore surprised to experience crashes when installing the latest NZ release (6.91.10) onto both Windows 7 Pro x64 and our Windows Server 2008 R2 Terminal Server. The specific problem experienced is at startup when an error dialog comes up stating

Quitting Omnis due to unrecoverable error: Insufficient memory available.

When I searched Google I found people referring to problems with corrupted printer drivers. In the terminal server, I disabled the Print Spooler service and have had no more problems. Of course, this is a temporary fix; since there is only one printer installed, the Microsoft XPS Document Writer, I will have to try uninstalling that to see if it resolves the problem. The most important issue for Integris users is that the NZ edition has a core module that isn’t certified for Windows 7 and will have to be updated to a later edition, and I have been advised that this probably won’t take place until the middle of this year. So the current edition of Integris is not W7 certified.