Tag Archives: Vista

List folder contents – XP vs. Vista

Yesterday, a client called me complaining that, after installing Vista SP2, she couldn’t access a folder on a file share. She could access that same folder from her XP workstation, logged in with the same account.

I paid a service call (across the parking lot; any excuse to get up and walk outside :-) ), and after some poking around confirmed her claim. We did determine that she might not have attempted to access that folder from her new Vista system before.

So I started digging deeper. The folder granted her (via a group)  the “List Folder/Read data” permission. So I created a test folder and granted an analogous group this specific permission to the folder. This is displayed in the output of icacls thas “(S,RD)”.

C:\>icacls s:\cit\ZTest
s:\cit\ZTest CAMPUS\ETS-FileServices-Browse:(S,RD)
             BUILTIN\Administrators:(OI)(CI)(F)

This permission alone allows Windows XP workstations to browse the folder, but Windows Vista or later give an “Access in denied” error.

When creating a “browse” permission for a single folder, I start by granting the “List Folder Contents” standard permission, which assigns the following permissions to the folder and subfolders (not to files):

  • Traverse folder/execute file
  • List folder/read data
  • Read attributes
  • Read extended attributes
  • Read permissions

With icacls, this permission looks like this:

C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
             CAMPUS\ETS-FileServices-Browse:(CI)(RX)

The (CI) indicates “Container inherit,” which means that permission (ACE) will be inherited by subfolders. Now I open the advenced security dialog, and edit the ACE to change the “Apply to” control to “This folder only.” Now the browse permission applies only to the particular folder. In icacls, it looks like this:

C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
             CAMPUS\ETS-FileServices-Browse:(RX)

I changed the permissions on the client’s folder, and her access was restored.

See also:

Troubleshooting Wifi logon

I’ve been working with  client to try to identify why we sometime log onto the UVM wifi network successfully before workstation logon, but frequently this fails and drive mappings are not performed successfully.

In consulting with a colleague, he suggested that it could be a race condition between the network authorizing  the connection and the Windows system DHCP Client behavior.

In looking for details of the dhcp process on a Windows Vista client, I found a couple useful resources:

TCP/IP Fundamentals for Microsoft Windows
PDF book discussing TCP/IP protocols and services, and their configuration. Over 500 virtual pages.

Microsoft Enterprise Networking Team blog: DHCP Client Behavior
Now this is good detail! I have to review this blog in more detail.

Wednesday – April 29

Some Microsoft updates released yesterday, including Office 2007 SP2. TSGateway server Web and Terminal services didn’t restart gracefully. Investigating, I find some weird behavior from our Networker backup software. However, installing two outstanding updates and rebooting resolved the issue TS issue. Now I have two Networker issues to follow-up on: restoring .Net config files, and NDMP file restores missing ACLS.

Client with Dell Latitude d630. LiteTouch deployment created BDEDrive at S:, which conflicts with our standard drive mappings. Tried booting to Vista DVD, deleting the volume and then repairing, but that recreated the same system volume. Found a KB article that described renaming a registry key to change the drive letter that the system drive was using. Moved it to Z: and things started working normally.

Began deployment of new DC; drive cloning is s-l-o-w, and so is drive formatting.

Went on a wellness walk on Nation Walk @ Lunch Day; had a nice conversation with a friend from Health Promotion Research.

Checked-in on MSPSS issue; support engineer didn’t receive my email and data sent yesterday. Re-sent.

Some discussion of Vista software compatibility.

Added another laptop to test Wireless group policy.

Developed initial server admin group policy.

Friday – April 17

Last night, I stumbled across this video:

Office Casual: How to work with the ribbon 

The Inside Office Online blog post for the video includes links to the interactive guides for the big five office applications.

I haven’t watched the whole thing, yet, but it also links to video of a presentation that discusses the evolution of the ribbon interface. My son and I watched the first ten minutes or so before bed last night, and he’s interested in watching the rest. Hurray for GeekKids!

Other agenda items, today:

I got the windump capture to work, using the local computer policy startup script setting. I did the same thing using the nmcap.exe command-line component of Microsoft’s Network Monitor 3.2. And one thing I learned is that I don’t know nearly enough about network communications.

Elevated ShellRunAs

Back in the day, I was a good Windows admin and did my administration using the Windows Server admin tools from my workstation, logged in with a non-admin user, using the RunAs shell feature (shift+right-click) to start the admin tool with administrator credentials.

Vista’s “Run as administrator”  feature will run a program with elevated (i.e., administrator) rights, but with the credentials of the current user. The runas.exe shell command provides a way to execute a command with different credentials, but they aren’t elevated.

Now, granted that it is rare that I need to run a tool both as a different users and have elevated rights on the local system. It can happen, though.

Sysinternals provides a handy utility called ShellRunAs, which provides the RunAs feature, and I found a forum post suggesting a method for getting “Run elevated as a different user” functionality.

I haven’t tried it, yet, but I wanted to share the solution.

Recalcitrant Vista SP1 install

I have spent a number of hours troubleshooting the installation of Windows Vista Service Pack 1 on a particular Dell Optiplex 755, but I finally succeeded.

Symptoms: The SP1 update was downloaded and queued for installation via the Automatic Updates engine. When initiated, the install would look like it had completed (going to 100% through the third configuration step). But upon reboot, the installation would rollback all changes.

Troubleshooting: I did some of the normal troubleshooting steps, including downloading the full installer, disabling AV, etc. Each attempt to install the service pack was time consuming, but ended the same way. Eventually, I tried running the system file checker,but that didn’t change anything.

SP1 installation support: Microsoft offers free support for SP1 installation, so I decided to give that a try. The first suggestion was that I try the installation in a clean boot environment, created using MSCONFIG:

    1. Click "Start", type: MSCONFIG in the search box and press Enter.
      Note: Please click "Continue" if the "User Account Control" window pops up.
    2. Click "Services", check the "Hide All Microsoft Services" box and click "Disable All" (if it is not gray).
    3. Click "Startup", click "Disable All", click "OK" and restart your computer.

I made the changes and attempted the install again, but without success. I bundled up some log info and sent it off to my support technician. Her next request was that I repair Vista, using installation media of the same Vista version that was currently running on the system, by running setup and selecting the upgrade option.

I ran into some issues with unreadable media and had to perform a firmware update on my DVD drive, but I got that working. The upgrade/repair took hours on a relatively powerful system. It did complete, however, and then I was able to run the SP1 install from the version I had downloaded.

Since this was a very significant system update, it would be prudent to back up any important data before performing this procedure on any system. All my software and data appears to have been preserved, but this is a lightly used system, and my important data is on my network account.

Troubleshooting Windows Activation

[UPDATE: Removed Vista info: instead of troubleshooting Vista, upgrade it.]

Here are some troubleshooting steps — for my future reference as much as anyone else’s — for for gathering information for diagnosing and resolving Windows KMS client activation issues.

Quick Fix: Try this first!

Most Windows activation issues I’ve encountered are resolved by entering the appropriate product key (not a secret; see footnote):

Windows 7 Enterprise Volume: 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
Windows 8 Enterprise Volume: 32JNW-9KQ84-P47T8-D8GGY-CWCK7
Windows 8.1 Enterprise Volume: MHF9N-XY6XB-WVXMC-BTDCT-MKKG7

Enter the code above and attempt to reactivate. If it works, you should be all set. If it doesn’t, the following steps will help identify the issue.

Gathering Information.

Gathering data is essential to fixing problems. If you ask me (or other IT staff) for help with Windows activation, the first thing I will ask from you is the output of the commands below.

I recommend opening a text editor and copying all the commands and output into a file, which you can send to us if you need additional help resolving the activation issue.

NOTE: All these steps require running commands from a console window (cmd.exe), which you may need to run As Administrator. These commands work in Windows 7, 8 and 8.1.

1. Run ipconfig /all to capture current IP configuration information.

This could tell us whether the system is in a netreg-ed subnet and needs to register at http://netreg.uvm.edu, or if there are other basic network configuration problems. We really just need the Ethernet adapter, assuming that’s what is being used to connect the system to the network. We don’t need all the additional tunneling adapters, etc. If someone is using a wireless adapter, possibly with the VPN client, then info about those adapters also should be captured.

Continue reading

Disabling IPv6 in Vista

As part of troubleshooting the Cisco VPN with my Vista system, I’ve been asked to “turn off” IPv6, just in case. I decided to take the comprehensive approach, as described in the IPv6 for Microsoft Windows FAQ, and use the registry:

Add the following registry value (DWORD type) set to 0xFFFFFFFF:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

This method disables IPv6 on all your LAN interfaces, connections, and tunnel interfaces but does not disable the IPv6 loopback interface. You must restart the computer for this registry value to take effect.

Beware that there are Windows features, most prominently in my experience Windows Meeting Space, which require IPv6 to function. I think IPv6 is pretty cool, though, so I’ll turn it back on and keep thinking about how to integrate it into our infrastructure.

Resources:

Update:

It turns out that disabling IPv6 system-wide or just on the adapters involved in the VPN connection (Wireless and VPNVirtual adapters, in my case) has resolved the connectivity issues I have experienced most recently with the Cisco VPN. As someone who uses the IPv6-dependent applications, I find this less than optimal.

More IPv6 resources (added as I find them…)

Reset Offline Files cache

For my reference, mostly…

In Windows XP: In Explore’s Tools → Folder Options → Offline Files, then press CTRL+SHIFT and click the “Delete Files” button. How Macintosh is that? I’ve had to perform that maneuver a few times. With Windows Vista and later, the reworked Offline Files facility has worked much better. But occasionally, the Offline Files database still gets munged.

NOTE: Once you set the value and reboot, all the content in the Offline Files cache for all accounts on the system is purged. You need to perform a sync operation in order to populate your files into the Offline Files cache again.

If you have files in the Offline Files cache that haven’t been successfully synced to the server, those files will be lost. For this reason, I will often make a local copy of “My Documents” to another folder on C: (e.g.: c:\temp\MyDocsCopy) while the network interfaces are disabled, to make sure I’m copying data from the cache. It never hurts to create a backup.

In Windows 7 and 8, the process requires setting a single registry value:

To reinitialize the Offline Files cache, create the following DWORD registry value with a value of 1 and restart the system.

HKLM\System\CurrentControlSet\Services\CSC\Parameters\FormatDatabase

Note that you will have to create the Parameters key, and any unsynchronized changes will be lost.  In addition, any files and folders pinned by means other than Folder Redirection or Group Policy will no longer be pinned on that client.

The setting of this registry value may be automated using REG.EXE.

In an elevated command prompt, run the following command.

REG ADD "HKLM\System\CurrentControlSet\Services\CSC\Parameters" /v FormatDatabase /t REG_DWORD /d 1 /f

http://support.microsoft.com/kb/230738
http://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx