Windows 2000 Information

Important Legal NOTICE!

Click Here To Read Important Legal NOTICE!


Also check out my DOS, Windows XP and Windows 2003 pages.

Microsoft announced that it would retire the Windows 2000 Server line: the products are phased out over time beginning March 31, 2004, with full retirement on April 1, 2006.
www.microsoft.com/windows2000/server/evaluation/availability/default.asp
1) Create a Generic NT Startup Disk
MS Knowledge Base Q254119. Take a new diskette and format it with FAT on a Windows NT 4 or 2000 computer; do not make it a system disk. Copy the following four files from the root of the NT 4 or 2000 C: drive to the new floppy (the first three are hidden system files, so show hidden and protected files first; NTBOOTDD.SYS exists only when the boot disk hangs off a SCSI adapter without its own BIOS):
NTLDR
BOOT.ini
NTDETECT.com
NTBOOTDD.sys
Booting from this diskette runs NTLDR from the floppy; NTLDR then reads BOOT.INI and loads NTOSKRNL.EXE and the rest of the system from the hard drive, so the installation on disk is not touched. Because BOOT.INI is copied from that machine, the diskette is specific to that machine's disk and partition layout.
It gets you past the following:
Corrupted boot sector
Corrupted MBR
Boot-sector virus infections
Missing or corrupted NTLDR or Ntdetect.com files
Incorrect Ntbootdd.sys
2) Boot.ini switches
Add /SOS to the end of the OS choice line in the [operating systems] section of BOOT.INI. It makes NTLDR display the name of each kernel file and device driver as it is loaded.
Use it when you suspect a driver is missing or corrupt at startup. Q253874
3) Recovery Console Commands
Disable (stops a service or driver from starting at the next boot)
DiskPart (add and delete partitions)
Fixboot (writes a new boot sector to the system partition)
FixMBR (rewrites the master boot record)
ListSvc (lists all services and drivers and their start type)
Q254582
4) Put the Recovery Console in the Startup Menu
At a command prompt type the following, where CD: is the drive letter of the install CD: CD:\i386\winnt32.exe /cmdcons
If the normal OS will not start, this gives you a command prompt with the NTFS drivers loaded. It is no help if the hard drive itself has failed, because the console files are installed on the system drive. The console asks for the local Administrator password unless you turn that off (tip 47).
5) Creating the 4 Setup Boot Disks
If the computer BIOS does not support booting from CD, Windows 2000 Setup needs four boot diskettes. If the setup disks are missing, you can create new ones with the makeboot utility in the Bootdisk folder of the install CD (MAKEBOOT.EXE from DOS, MAKEBT32.EXE from 32-bit Windows). Server and Professional need different sets of diskettes.
CD:\BOOTDISK\MAKEBT32.EXE
6) Computer naming Rules
Windows 2000 does not allow computer names that contain an underscore or consist only of digits: Active Directory registers computer names as DNS host names, and the underscore is not a valid character in the DNS host-name standard.
7) Convert from FAT To NTFS?
Open a command prompt in NT 4 or 2000 and type: convert c: /fs:ntfs   The system drive is converted at the next restart. This does not erase the data.
NOTE: the converted volume gets Everyone: Full Control. Convert does not apply the default NTFS permissions, so set sensible permissions on the volume (or reapply the default security template) afterwards.
8) To disable the upgrade of basic disks to dynamic disks
Dynamic disks aren't supported on notebooks.
To turn off the option so a user cannot get into trouble:
1. Launch regedt32.
2. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmload
registry subkey, double-click the Start entry and enter 0x4 (Disabled) in the "Value data" field.
3. Restart the machine.
If you're checking the registry of a remote computer, look at the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\CurrentDockInfo\DockingState entry.
If the value is 0x1, the Dynamic Disk option is not present.
9) Bypass the Recycle Bin and delete files directly
Launch regedit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
Set the NukeOnDelete (DWORD) value to 1 for immediate deletion,
or to 0 to go back to the normal Recycle Bin. Note that this only skips the Recycle Bin; the deleted file's clusters are not overwritten, so the data is still recoverable with disk tools until the space is reused.
10) NTFS File & Share Permissions
Share-level permissions are cumulative (the union of what all the user's groups are granted), except that an explicit Deny overrides.
File-level (NTFS) permissions are cumulative in the same way, except that an explicit Deny overrides.
When a file is reached through a share, the effective permission is the more restrictive of the share result and the NTFS result. Share permissions do not apply to a user logged on locally; only the NTFS permissions do.
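As an added example (not from the original page), the following Python models these three rules and works out what a user actually gets on a shared folder, both through the share and when logged on locally. The group, user and share names are made up for the example, and the rights are a simplified version of the real NTFS access mask.

```python
from dataclasses import dataclass

# Atomic rights used to model both layers (a simplification of the NTFS
# access mask, chosen for this example).
READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_perms"

# What each share permission level and each NTFS permission level grants.
SHARE_LEVELS = {
    "Read":         {READ},
    "Change":       {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS},
}
NTFS_LEVELS = {
    "Read":         {READ},
    "Write":        {WRITE},
    "Modify":       {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS},
}


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the entry applies to
    level: str          # a key of SHARE_LEVELS or NTFS_LEVELS
    deny: bool = False  # explicit Deny entry


def layer_access(aces, levels, principals):
    """One layer: union of every matching Allow, minus every matching Deny."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.trustee in principals:
            (denied if ace.deny else allowed).update(levels[ace.level])
    return allowed - denied


def effective_access(user, groups, share_aces, ntfs_aces, over_network=True):
    """Rights the user ends up with, given the groups it belongs to.

    Logged on locally only the NTFS ACL applies.  Through a share the result
    is the intersection of the share and NTFS results: the most restrictive.
    """
    principals = {user, "Everyone", *groups}
    ntfs = layer_access(ntfs_aces, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs
    return ntfs & layer_access(share_aces, SHARE_LEVELS, principals)


# Constructed sample: a \\server\finance share (hypothetical names).
SHARE_ACL = [Ace("Everyone", "Read"), Ace("Finance", "Change")]
NTFS_ACL = [
    Ace("Users", "Read"),
    Ace("Finance", "Modify"),
    Ace("Auditors", "Full Control"),
    Ace("Contractors", "Write", deny=True),   # Deny beats any Allow
]
GROUPS = {
    "alice": {"Users", "Finance"},
    "bob":   {"Users", "Finance", "Contractors"},
    "carol": {"Users"},
    "dave":  {"Users", "Auditors"},
}


def report(user):
    """Sorted rights for one user, over the network and when logged on locally."""
    g = GROUPS[user]
    return {
        "network": sorted(effective_access(user, g, SHARE_ACL, NTFS_ACL)),
        "local": sorted(effective_access(user, g, SHARE_ACL, NTFS_ACL, over_network=False)),
    }


if __name__ == "__main__":
    for name in GROUPS:   # dave has Full Control locally but only Read through the share
        print(f"{name:6} {report(name)}")
```

The interesting cases are bob, whose Contractors membership strips Write but leaves Delete (a Deny removes only the rights it names), and dave, who holds Full Control on the files but reaches them as read-only through the share.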
11) Force Windows to take a file's ACL
By default a file copied between NTFS volumes inherits the permissions of the destination folder. You can force Explorer to carry the file's own ACL along when copying from one NTFS volume to another.
Take the following steps:
A. Launch regedt32.
B. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
C. Add a value of type REG_DWORD and name it ForceCopyAclwithFile.
D. Set the data value to 1.
E. Log off, then log back on to make the change take effect.
12) Administrative Snap-ins on 2000 Pro
Open the i386 folder on the Server CD and run Adminpak.msi (the Windows 2000 Administration Tools). The snap-ins should now be available to you. Don't forget to set proper permissions.
13) Users & Groups
Local user accounts have access only to resources on the local computer; they do not have access to domain resources. Domain user accounts have access to all domain resources (subject to their rights and permissions) and are administered through Active Directory.
Default Users Group
Members of this group (normal users) do not have the broad read/write permission they had in Windows NT 4.0. They have read-only permission for most parts of the system and read/write permission in their own profile folders. Users cannot read other users' data, install applications that require modification of system directories, or perform administrative tasks.
Default Power Users Group
They have all the access permissions that Users and Power Users had in Windows NT 4.0. They have read/write permission to other parts of the system in addition to their own profile folders, and they can install applications and configure system settings. If you run applications that have not been certified for Windows 2000, users will need Power User privileges. Treat Power Users as near-administrators: with write access to program files and system-wide settings they can plant code that runs in an administrator's session.
Default Security Settings
On a clean installation onto an NTFS-formatted partition, the default settings prohibit Users from compromising the integrity of the operating system and installed applications. Users cannot modify computer-wide registry settings, operating system files, or program files. Users cannot install applications that can be run by other members of the Users group, only by themselves. Users cannot access other users' private data. They can run applications that were installed by an Administrator, a Power User, or themselves.
14) Auto Creating User Accounts
Type the user information into Excel and then create a Visual Basic script that reads it and creates the accounts. Q230750
15) Auto Logon User
Using Regedt32.exe or regedit.exe go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Add a REG_SZ value AutoAdminLogon = 1
Add a REG_SZ value DefaultPassword = whatever the password is for the user.
Change the value of DefaultUserName to the name of the user you want to log on.
Hold the Shift key down while Windows starts to bypass the automatic logon and log on as a different user. MS Knowledge Base Q253370
You can also download TweakUI (a free utility) from Microsoft.
Caution: DefaultPassword is stored in clear text and is readable by anyone who can read that key (ordinary users can), and the machine logs on as that user for anyone who can power it on. Use this only for a kiosk with a low-privilege account, never with an administrative account.
16) Windows 2000 RunAs Utility
You do not want to read your e-mail or surf the web logged in with Administrator rights: if you catch a virus, worm or hack, it runs with administrative rights. Log on with normal user rights for these functions.
RunAs lets you stay logged on as a regular user and run a single program as a user with Administrator rights:
1/ From a command prompt (you are prompted for the password): RUNAS /user:username command, for example (with made-up names) runas /user:MYDOMAIN\admin "mmc compmgmt.msc"
2/ Hold down SHIFT and right-click the program, then choose Run as...
3/ Tick "Run as different user" in the properties of a shortcut
Q225035
17) Types of Windows 2000 Groups
Security groups are used to assign permissions to access resources. Distribution groups are used for non-security functions such as mass e-mail lists; distribution groups cannot be used to assign permissions.
Global Groups
Members come only from the domain in which the group is created, and the group can be granted access to resources in any domain
Domain Local Groups
Members can be added from any domain, but the group can be granted access only to resources in its own domain
Universal Groups
Members can be added from any domain and the group can be granted access to resources in any domain (security universal groups exist **only in Native Mode**)
18) Cloning Computers Using SysPrep
Works in conjunction with third-party disk imaging tools. It removes configuration unique to the source computer, such as the computer name and the SID, so that the clones do not all end up with the same SID. Download the current SysPrep from Microsoft's web site; do not use the one on the installation CD.
1/ Prepare the source PC for cloning (load the operating system and all applications)
2/ Defragment the disk
3/ Install and run SysPrep
4/ Create the disk image (to a server or CD)
5/ Apply the image to the new PC
6/ Restart the computer and run through the mini-setup
19) Types of 2000 Server Roles
Domain Controllers
Hold the user accounts and other Active Directory data for the domain
Member Servers
Belong to a domain but do not hold Active Directory data
Stand-alone Servers
Do not belong to a domain, but instead belong to a workgroup
20) Upgrading a Windows NT 4 Domain
Factors to consider:
NTFS must be used on domain controllers; Active Directory will only install on an NTFS partition. The TCP/IP protocol must be used with Active Directory. The NT 4 domain PDC must be the first domain controller upgraded.
21) Private Range IP Addresses (RFC 1918)
Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
These ranges are not routed on the Internet; hosts using them need NAT or a proxy to get out.
http://www.learntosubnet.com
22) Troubleshooting Terminal Services
TechNet Article ID: Q186645
Test TCP/IP on the client, the server and the switch
Does the user have the proper rights and permissions?
Check Terminal Services Licensing: have you gone over the number of licensed clients?
Check the maximum connection count
23) Always Create an Emergency Repair Disk
Start menu, then Accessories, then System Tools, then Backup.
Then click the Emergency Repair Disk button and tick the option to also back up the registry to the repair directory. You may also want to copy %SystemRoot%\Repair\RegBack to another drive; that copy holds the SAM and SECURITY hives, so protect it like the originals (see tip 29).
To reapply the Emergency Repair Disk you must start the server with the install CD or diskettes, then choose Repair.
Another way to back up the registry and Active Directory is to back up the System State.
24) Demilitarized Zone (DMZ) Firewalls
Article ID Q191146 Proxy 2.0
Article ID: Q280132 - Exchange
25) Stop Browser Elections
Browstat (resource kit) tests the Browser service
Computers running the Server service announce their presence with a broadcast and take part in browser elections:
NT 3.x, 4, 2000, and 9x (9x only with File and Print Sharing)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
Set MaintainServerList to No (the values are Yes, No and Auto) on machines that should never become a browser
Q246489
26) Third-party Kerberos and 2000
Windows 2000 domains interoperate with standards-compliant third-party Kerberos implementations such as CyberSafe's TrustBroker, allowing single sign-on between Windows 2000 and networks running the MacOS, AIX, Digital Unix, HP-UX, IRIX, NetWare, Solaris, SunOS, Tandem, and MVS/ESA operating systems.
FAQ Q266080
27) Loosen up security for legacy applications
If you need to support non-certified legacy applications, you must loosen the permissions allotted to members of the Users group to the point where the installed base of applications runs. Windows 2000 includes a security template for precisely this purpose. The template is named compatws.inf and is found in the
%windir%\security\templates directory. It can be applied with the Security Configuration Toolset; for example, the secedit.exe command-line component can apply it as follows:
secedit /configure /cfg compatws.inf /db compatws.sdb
Apply it only on the workstations that really need it: it widens Users' write access to program and registry locations, which is exactly what the default settings in tip 13 prevent, and it should never go on a server or domain controller.
28) Logon Warning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Set LegalNoticeCaption to the following:
Logon Warning! Please read carefully.

Set LegalNoticeText to the following suggestion (you may need to have your lawyer review it):
WARNING! By accessing and using this system you are consenting to system monitoring for law enforcement and other purposes. Unauthorized use of this computer system may subject you to criminal prosecution and penalties!

You can also do this in Group Policy:
Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (about halfway down the list):
Message text for users attempting to log on, and
Message title for users attempting to log on
29) Where is the SAM Stored - Four Locations
1) C:\Winnt\System32\Config (the live SAM and SYSTEM hives)
2) Emergency Repair Disk (do not leave it on your desk; an NT 4 rdisk /s disk carries a copy of the SAM, while the Win2K ERD writes its registry copy to C:\Winnt\Repair\RegBack instead)
3) C:\Winnt\Repair (the copy made at install time, plus the RegBack subfolder)
4) Backup tapes (off site and in a secure location, in a data-rated fireproof safe)
Please make sure all are in a SAFE location; each is a possible threat to your security. Windows 2000 protects the SAM with SYSKEY by default, but in the default mode the SYSKEY is kept in the SYSTEM hive next to it, so an attacker with an offline copy of both files can extract the password hashes and crack them.
30) Windows 2000 Encryption
Q255742 Methods for Recovering Encrypted Data
Q223316 Best Practices for Encrypting File System
31) Create a desktop shortcut that locks your Windows 2000/XP/2003 system.
Right-click your desktop and select
New, Shortcut to launch the Create Shortcut wizard. In the "Type the location of the item" field, type the command
rundll32.exe user32.dll,LockWorkStation
Click Next. Enter a shortcut name, such as Lock, and click Finish. The shortcut will appear on your desktop as the standard Windows icon.
32) Disable Administrative Shares (C$, D$, ADMIN$)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Set the AutoShareServer (Server) or AutoShareWks (Professional) DWORD value to 0 and restart the Server service. IPC$ stays, any administrator can recreate the shares with net share, and some backup and management tools expect them to exist.
33) CyberSafe Log Analyst (CLA)
The valuable CyberSafe Log Analyst (CLA) is included in the Win2K Server resource kit. CLA is a Microsoft Management Console (MMC) snap-in that lets you analyze the scattered Security logs of the systems in your domain as a whole. CLA has 11 prebuilt reports that provide useful views of your systems' security activity, but you can also design custom reports.
On the resource kit CD-ROM look in \apps\loganalyst directory
34) Implementing registry changes
If you export a registry entry to a .reg file and want it imported at logon, run regedit from the logon script with the /s (silent) switch, which suppresses the confirmation dialog:
regedit /s settings.reg
35) Stop normal local users from creating extra local accounts on their Windows 2000 Professional systems
Log on to the computer as a member of the local Administrators group.
Open a command prompt and use the net command.
Type: net localgroup users "NT AUTHORITY\INTERACTIVE" /DELETE
Log off.
This removes the ability for a local account to create a new account on that machine. An administrator can reverse the process if necessary.
36) Security Configuration Toolset
secedit /refreshpolicy machine_policy /enforce
This reapplies the security settings from Group Policy to the computer (use user_policy for the user settings). Without /enforce the settings are only reapplied if the policy has changed since the last refresh.
Or read up on Security Configuration and Analysis.
37) File encryption Explained
MCP article on file encryption, with some tricks and traps; mixed-in XP users may cause problems.
38) Recover Encrypted Data
What if a server administrator needs to recover data but can't determine who originally encrypted it? EFSinfo, a command-line utility that installs with the resource kit's Security Tools component, solves this problem. EFSinfo displays encryption information for a specified directory or file; if you don't specify a pathname, it displays encryption information for each file in the current directory. If you type:
efsinfo /u filename
you learn whether the file is encrypted and who can decrypt it. To display a file's authorized data-recovery agents, use the /r switch.
Windows Update in debugging mode
To watch or track the process when you run Windows Update, a simple registry edit switches Windows Update downloads to debugging mode. In debugging mode the system prompts you at each step as you download and install the update, so you can track the entire process. The following registry edit works on Windows XP and Windows 2000 systems:
1. Launch regedt32.
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup subkey.
3. Add a new String Value called SteppingMode.
4. Enter Y as the value of SteppingMode. (To disable SteppingMode,
change the value to N.)
39) Windows 2000 Time Service
In a domain the PDC emulator of the forest root domain is the authoritative time source; the other domain controllers and members sync from it, so that is the machine to point at an external SNTP server. Where do you find one? In the United States the Navy is the official national timekeeper and runs a set of time servers, including the aptly named tick.usno.navy.mil and tock.usno.navy.mil. Some ISPs run a time server as well. So, you could type the command
net time /setsntp:dns.isp.net
on the PDC emulator (the FSMO role holder) to make it sync with that server. You can specify a list of servers in the command, but with a trick: enclose the list in quotation marks and separate the server names with a space. For example you'd type
net time /setsntp:"www.acme.com www.apex.com"
If you forget which SNTP server your system is synchronizing with, you can find out by typing
net time /querysntp
SNTP carries no authentication, so pick a source you trust: Kerberos rejects tickets from clocks more than 5 minutes apart by default, so a spoofed time source can take the whole domain's logons down.
40) Installing and Configuring Telnet on Win 2K
The Telnet server lets you maintain two concurrent connections to any Win2K system. By default Microsoft leaves the Telnet service disabled, because a Telnet service running without an administrator's knowledge is a security problem. To start it, go to Services and select Telnet in the right pane. To make it start when the server boots, change the Startup Type from Manual to Automatic. Telnet is inherently an insecure protocol: by default it authenticates in clear text, which means anyone sniffing your network while you log on to the Telnet server can see your username and password, and everything typed in the session afterwards.
Win2K's Telnet server can handle both clear-text and NT LAN Manager (NTLM) authentication. NTLM is a challenge/response exchange, so the password itself does not cross the network; the session after logon is still clear text, though, and a captured NTLM response can be cracked offline. To use NTLM with the Telnet server you need Microsoft's Telnet client. To modify the authentication parameters, launch the Telnet administration program, tlntadmn.exe, from a command prompt. From the main menu select "Display / change registry settings" and then the NTLM option. You can choose 0, 1 or 2: to never use NTLM authentication, choose 0; to try NTLM first but fall back to clear-text authentication if NTLM fails, choose 1; to support only NTLM authentication and never fall back to clear text, choose 2.
41) Event Log Query Tool
Elogdmp is an automated tool for examining event logs, available in the 2000 Server Resource Kit. It dumps an event-log summary to the screen; redirect it to a file and search the output for particular keywords (on Win2K a failed logon is event ID 529 in the Security log).
Elogdmp's syntax is:
elogdmp computername logname
where logname is System, Security or Application.
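As an added example (not from the original page or the resource kit), here is the kind of keyword search the tip suggests, done a little more carefully: the Python script below reads a text dump of the Security log, groups failed logons (Win2K events 529 and 539) per account, and flags any account that collects five or more failures inside five minutes. The column layout it parses is an assumption made for this example, not elogdmp's real output, so adjust parse_dump() to match the tool you use; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs.
LOGON_FAILURE = {529, 539}   # 529 unknown user/bad password, 539 account locked out
LOGON_SUCCESS = {528, 540}   # 528 interactive logon, 540 network logon

# Constructed sample dump.  ASSUMED layout, tab separated:
# date, time, event ID, account, source workstation.
SAMPLE_DUMP = """\
10/10/2007\t08:00:01\t540\tALICE\tWS01
10/10/2007\t08:02:10\t529\tADMINISTRATOR\tWS17
10/10/2007\t08:02:12\t529\tADMINISTRATOR\tWS17
10/10/2007\t08:02:14\t529\tADMINISTRATOR\tWS17
10/10/2007\t08:02:15\t529\tADMINISTRATOR\tWS17
10/10/2007\t08:02:17\t529\tADMINISTRATOR\tWS17
10/10/2007\t08:02:19\t539\tADMINISTRATOR\tWS17
10/10/2007\t09:30:00\t529\tBOB\tWS02
10/10/2007\t12:45:00\t529\tBOB\tWS02
10/10/2007\t12:46:00\t528\tBOB\tWS02
"""


def parse_dump(text):
    """Turn dump lines into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, source = line.split("\t")
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        events.append((when, int(event_id), account.upper(), source))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with >= threshold failed logons inside a sliding time window.

    Returns {account: {"count", "sources", "first", "last"}} describing the
    densest window found for each flagged account.
    """
    failures = defaultdict(list)
    for when, event_id, account, source in events:
        if event_id in LOGON_FAILURE:
            failures[account].append((when, source))

    hits = {}
    for account, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count >= threshold and count > hits.get(account, {}).get("count", 0):
                hits[account] = {
                    "count": count,
                    "sources": sorted({s for _, s in fails[start:end + 1]}),
                    "first": fails[start][0],
                    "last": fails[end][0],
                }
    return hits


if __name__ == "__main__":
    for account, hit in find_bruteforce(parse_dump(SAMPLE_DUMP)).items():
        print(f"{account}: {hit['count']} failures {hit['first']:%H:%M:%S}-{hit['last']:%H:%M:%S} "
              f"from {', '.join(hit['sources'])}")
```

The sliding window matters: a plain count per account would also flag a user who mistypes a password twice a day, while a burst of six failures in nine seconds from one workstation, ending in a lockout, is what a password-guessing tool looks like in the log.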
42) To lock down a Terminal Services session
On a Windows 2000 client
You SHOULD create a new OU (Organizational Unit) for the terminal servers and link the policy there. The User Configuration settings below only apply to sessions on those servers if you also enable loopback processing (Computer Configuration\Administrative Templates\System\Group Policy, "User Group Policy loopback processing mode"); otherwise they follow the user rather than the server.
Edit the new group policy for the OU and enable:
(Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options)
Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only
(Computer Configuration\Administrative Templates\Windows Components\Windows Installer)
Disable Windows Installer (Set it to Always)
(User Configuration\Windows Settings\Folder Redirection)
Application Data
Desktop
My Documents
Start Menu
(User Configuration\Administrative Templates\Windows Components\Windows Explorer)
Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer's default context menu
Hide the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for A through D.)
Prevent access to drives from My Computer (Enable this setting for A through D.)
Hide Hardware Tab
(User Configuration\Administrative Templates\Windows Components\Task Scheduler)
Prevent Task Run or End
Disable New Task Creation
(User Configuration\Administrative Templates\Start Menu & Taskbar)
Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings Menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to Start Menu
Disable and remove the Shut Down command
Disable changes to Taskbar and Start Menu Settings
(User Configuration\Administrative Templates\Desktop)
Hide My Network Places icon on desktop
Prohibit user from changing My Documents path
(User Configuration\Administrative Templates\Control Panel)
Disable Control Panel
(User Configuration\Administrative Templates\System)
Disable the command prompt (set "Disable the command prompt script processing also?" to No, or logon scripts will stop running)
Disable registry editing tools
(User Configuration\Administrative Templates\System\Logon/Logoff)
Disable Task Manager
Disable Lock Computer
43) EFS Enhancements in Windows 2000
A serious weakness in Win2K rendered EFS effectively useless on Win2K computers that were part of a workgroup rather than of a Windows NT or Active Directory (AD) domain.
44) Windows 2000 services
For a complete listing of Windows 2000 services and a description of their purpose, take a look at Microsoft's Glossary of Windows 2000 Services.
www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp
45) To Keep the Start menu open
To keep the Start menu open after launching an application, you simply need to press the Shift key while clicking the application you want to launch. The application will launch and the Start menu will remain open, letting you proceed to the next application. This tip
46) Which ControlSet is associated with the Last Known Good configuration
To find out which control set the Last Known Good option boots,
A) run regedt32.exe
B) go to HKEY_LOCAL_MACHINE\SYSTEM\Select; the LastKnownGood value holds the number of the ControlSet00x that Last Known Good uses (Current is the one running now)
47) Recovery Console Not Requiring the Administrator Password
How to configure the Recovery Console (RC) so that it does not ask for the Administrator password.
Do the following steps:
1. Start regedt32.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
3. Double-click SecurityLevel
4. Set its value to 1 to skip the password (or 0 to require the user to enter the password)
5. Then click OK.
6. Close the registry editor.
You can also use the Microsoft Management Console (MMC) Local Security Settings snap-in:
go to Local Policies
Security Options
"Recovery console: Allow automatic administrative logon" and enable it.
With this set, anyone who can boot the machine from the install CD or pick the console from the startup menu gets an Administrator command prompt on the system partition with no password asked. Leave it at 0 unless physical access to the machine is tightly controlled.
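As an added example (not from the original page), the following Python script reads a registry export made with regedit /e and checks the settings from tips 15, 28, 32 and 47: AutoAdminLogon with a clear-text DefaultPassword, an empty logon warning, disabled administrative shares, and a Recovery Console that skips the password. The export it parses is constructed for the example; point parse_reg() at a real export file to audit a machine, and the remediation .reg it produces reverses the two high-severity findings.

```python
import re

# Registry key and value names are case-insensitive, so everything is
# compared in lower case.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RECOVERY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole"
LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"

# Constructed sample export (regedit /e output) of a badly configured machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
"AutoAdminLogon"="1"
"DefaultPassword"="Summer2007"
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SecurityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
"""

# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(data):
    """REG_SZ -> str, REG_DWORD -> int; other types are kept as raw text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export (REGEDIT4 or 5.00)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = (m.group(1) if m.group(1) is not None else "@").lower()
            keys[current][name] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Return (severity, message) findings for the settings discussed on this page."""
    findings = []
    wl = keys.get(WINLOGON, {})
    if str(wl.get("autoadminlogon", "0")) == "1":
        msg = "AutoAdminLogon is on"
        if wl.get("defaultpassword"):
            msg += "; DefaultPassword holds the password in clear text"
        findings.append(("HIGH", msg))
    if not wl.get("legalnoticetext"):
        findings.append(("LOW", "no logon warning banner (LegalNoticeText empty)"))
    if keys.get(RECOVERY, {}).get("securitylevel") == 1:
        findings.append(("HIGH", "Recovery Console opens without the Administrator password"))
    lm = keys.get(LANMAN, {})
    for name in ("autosharewks", "autoshareserver"):
        if lm.get(name) == 0:
            findings.append(("INFO", f"{name}=0: administrative shares disabled"))
    return findings


def remediation_reg():
    """A .reg file that reverses the two HIGH findings ("=-" deletes a value)."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n"
        '"AutoAdminLogon"="0"\n"DefaultPassword"=-\n\n'
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole]\n"
        '"SecurityLevel"=dword:00000000\n'
    )


if __name__ == "__main__":
    for severity, message in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"[{severity}] {message}")
```

Running it against the sample reports the clear-text password and the password-less console as HIGH, the missing banner as LOW, and the disabled shares as information only. Import the remediation file with regedit /s (tip 34) and the DefaultPassword value is removed rather than merely blanked.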
48) To limit concurrent connections per user
MS Knowledge Base Article Q237282
Use the Windows 2000 Resource Kit tool CConnect.exe on each client computer, in conjunction with the .adm file supplied with the tool.
49) Automatically log off users when logon time expires
"Automatically log off users when logon time expires" (the domain-wide setting) only takes effect when it is set in the Group Policy linked at the domain root, not in a GPO linked to an OU.
"Automatically log off users when logon time expires (local)" applies to the computers the GPO covers, so it can be set on an OU.
50) Win2K IPsec filters do not block ports 88 and 500
By default, Win2K's IPsec policy filters exempt Kerberos (port 88) and IKE (UDP 500) traffic, so a blocking filter does not stop them. To remove the Kerberos (and RSVP) exemption, add the DWORD value NoDefaultExempt = 1 under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC and restart; IKE stays exempt, since IPsec itself needs it. This concerns the IPsec filters, not the separate TCP/IP Filtering on the Advanced tab of the TCP/IP properties.
51) Enable normal users to install printer drivers
If you want users to install printer drivers without being Power Users or Administrators,
either disable the Group Policy setting "Prevent users from installing printer drivers" (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options), or set
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers
AddPrinterDrivers to 0 (a value of 1 enables the restriction). Bear in mind that a printer driver runs inside the spooler, which runs as SYSTEM, so this lets an ordinary user load code with system privileges; keep the restriction on machines that matter.
52) Move a DHCP Database
How To Move a DHCP Database to Another Windows Server
Q130642

53) 10 DHCP Addresses Cached in RRAS
When a Routing and Remote Access server provides dynamic configuration for dial-up clients, it does the following:
When the RRAS server starts, it obtains 10 IP addresses from a DHCP server.
It uses the first IP address for the RRAS server's own interface.
The remaining nine addresses are allocated to TCP/IP clients as they dial in to establish a session with the remote access server.
IP addresses freed when remote access clients disconnect are reused.
When all 10 IP addresses are in use, the RRAS server obtains 10 more.
When the RRAS service is stopped, all the addresses are released.

Recovery tools and their scope of recovery

Safe Mode

When you start your computer in Safe Mode, it uses only the basic Windows 2000 files and drivers and runs only the minimum services required to start the system. There's no network connectivity in plain Safe Mode (choose Safe Mode with Networking if you need it). To access Safe Mode, press F8 when prompted during startup.

Recovery Console

The Recovery Console allows administrators to perform administrative tasks at a command-line console. Administrators can stop or start services, enable or disable device drivers, fix the master boot record or format a local hard drive. You can access Recovery Console from the Win2K CD, Win2K Setup disks or install it as a boot menu item.

Emergency Repair Disk

An Emergency Repair Disk (ERD) is used to fix problems that may prevent your Win2K computer from starting. You create an ERD when your computer is functioning properly. When you encounter problems, you can repair system files using this disk. ERD can be used to repair the boot sector, the startup environment (such as multiboot), or the system files. To create an ERD, use the Backup program from Start | Programs| Accessories | System Tools.

Last Known Good Configuration

Use this option to start your computer with the registry control set that was saved at the last successful logon. Keep in mind that any configuration changes made since that logon will be lost. To access this mode, press F8 when prompted during boot.

Directory Service Restore Mode

This is a special mode in Win2K used to restore the AD database. AD can't be restored while the directory service is running. When you boot in this mode you log on with the local SAM (the Directory Services Restore Mode administrator password set during dcpromo) instead of AD. This mode is used to restore AD and the SYSVOL folder. To access it, press F8 when prompted during boot.

Backup

The Backup tool is used to backup and restore not only the data files but also the System State, which includes AD, boot files, registry and so on. To access the backup tool, run the Backup program from Start | Programs | Accessories | System Tools, or simply type ntbackup.exe at the command prompt.



Updated October 10, 2007
Copyright© 2007 by Dana Shea
