Network Health Check-up

[lumpusmaximus]

If I post my 2003 server's domain settings, can I get comments on whats right or wrong about it? Things like Redirection, Logon, Terminal Server lockdown, etc.

 

[dberg35]

Obviously you post you issue and someone should be able to help depending on the issue. So that being said what are you having problems with?

 

[acl03]

Go ahead and post the settings about which you have questions. No need to ask for permission.

Like dberg35 said, if you have specific questions you should ask them specifically.

Thanks,
Andrew

Hard work often pays off over time, but procrastination pays off right now!

 

[itsp1965]

Have you tried Microsoft's Best Practices Analyzer tools which will check the overall health of your server environment and make recommendations based on their "best practices" I know there used to be one for Windows but now it seems that they have been rolled up into Exchange or SQL versions of the tool.

 

[lumpusmaximus]

Well, here it is, 2 scripts at bottom. If something doesnt look right, just say so. Thanks to all those that make it to the end without becoming comatose.


Group Policy Objects

Redirection


Computer Configuration (Enabled)hide
No settings defined.
User Configuration (Enabled)hide
Windows Settingshide
Folder Redirectionhide
Desktophide
Setting: Basic (Redirect everyone's folder to the same location)hide
Path: \\server1\users$\%USERNAME%\Desktop
Optionshide
Grant user exclusive rights to Desktop Disabled
Move the contents of Desktop to the new location Disabled
Policy Removal Behavior Leave contents
My Documentshide
Setting: Basic (Redirect everyone's folder to the same location)hide
Path: \\server1\users$\%USERNAME%\My Documents
Optionshide
Grant user exclusive rights to My Documents Disabled
Move the contents of My Documents to the new location Disabled
Policy Removal Behavior Leave contents
Administrative Templateshide
Network/Offline Fileshide
Policy Setting
Do not automatically make redirected folders available offline Enabled
Event logging level Enabled
Enter [0-3]: 3
0 = Cache data corrupted
1 = Log 'server offline'
2 = Level 1 + log 'net stopped' and 'net started'
3 = Level 2 + log 'server available for reconnection'
Policy Setting
Prohibit user configuration of Offline Files Enabled
Prevents users from changing any cache configuration settings.
Policy Setting
Remove 'Make Available Offline' Enabled
Synchronize all offline files before logging off Disabled
Synchronize all offline files when logging on Disabled
Synchronize offline files before suspend Disabled
Turn off reminder balloons Enabled

LOGON

Computer Configuration (Enabled)hide
No settings defined.
User Configuration (Enabled)hide
Windows Settingshide
Scriptshide
Logonhide
Name Parameters
logon.bat
outlooksetup.bat
printers.vbs


Local Admin

Computer Configuration (Enabled)hide
Windows Settingshide
Security Settingshide
Restricted Groupshide
Group Members Member of
BUILTIN\Administrators MYDOMAIN\Local Admin, MYDOMAIN\Domain Admins
BUILTIN\Remote Desktop Users MYDOMAIN\Domain Users
User Configuration (Enabled)hide
No settings defined


Terminal Server Lockdown

Computer Configuration (Enabled)hide
Windows Settingshide
Security Settingshide
Local Policies/Security Optionshide
Deviceshide
Policy Setting
Devices: Prevent users from installing printer drivers Disabled
Interactive Logonhide
Policy Setting
Interactive logon: Message text for users attempting to log on Welcome to the mydomain Terminal
Server, All Computer Equipment is blah, blah, blah.
Interactive logon: Message title for users attempting to log on "READ THIS OR ELSE!!!"
Restricted Groupshide
Group Members Member of
BUILTIN\Administrators MYDOMAIN\Local Admin, MYDOMAIN\Domain Admins
BUILTIN\Remote Desktop Users MYDOMAIN\Domain Users
ure Documentation
Administrative Templateshide
System/Group Policyhide
Policy Setting
User Group Policy loopback processing mode Enabled
Mode: Merge
System/User Profileshide
Policy Setting
Add the Administrators security group to roaming user profiles Enabled
Delete cached copies of roaming profiles Enabled
Do not check for user ownership of Roaming Profile Folders Enabled
Do not detect slow network connections Enabled
Windows Components/Terminal Serviceshide
Policy Setting
Allow users to connect remotely using Terminal Services Enabled
Automatic reconnection Enabled
Enforce Removal of Remote Desktop Wallpaper Disabled
Remove Disconnect option from Shut Down dialog Enabled
Remove Windows Security item from Start menu Enabled
Restrict Terminal Services users to a single remote session Enabled
Set path for TS Roaming Profiles Enabled
Profile path \\server1\tsusers$
Specify the path in the form, \\Computername\Sharename
Do not append the user name to the profile path. Disabled


Policy Setting
Set the Terminal Server licensing mode Enabled
Specify the licensing mode for the terminal server. Per Device

Policy Setting
Sets rules for remote control of Terminal Services user sessions Enabled
Options: Full Control without user's permission

Windows Components/Terminal Services/Client/Server data redirectionhide
Policy Setting
Terminal Server Fallback Printer Driver Behavior Enabled
When Attempting to Find a Suitable Driver: Show both PCL and PS if one is not found.

Windows Components/Terminal Services/Sessionshide
Policy Setting
Set time limit for disconnected sessions Enabled
End a disconnected session 30 minutes

Policy Setting
Sets a time limit for active but idle Terminal Services sessions Enabled
Idle session limit: 1 day

Policy Setting
Sets a time limit for active Terminal Services sessions Enabled
Active session limit : Never

Policy Setting
Terminate session when time limits are reached Enabled

User Configuration (Enabled)hide
Windows Settingshide
Internet Explorer Maintenancehide
Connection/Proxy Settingshide
Enable proxy settings
Protocol Server Port
HTTP 127.0.0.1 80
Secure 127.0.0.1 80
FTP 127.0.0.1 80
Gopher 127.0.0.1 80
Socks 127.0.0.1 80

Exceptions: Do not use proxy server for addresses beginning with
Do not use proxy server for local (intranet) addresses Enabled

Administrative Templateshide
Control Panelhide
Policy Setting
Show only specified Control Panel applets Enabled
List of allowed Control Panel applets
desk.cpl
inetcpl.cpl
keymgr.cpl
main.cpl
MLCFG32.CPL
odbccp32.cpl

Desktophide
Policy Setting
Hide Internet Explorer icon on desktop Enabled
Hide My Network Places icon on desktop Enabled
Prohibit user from changing My Documents path Enabled
Remove the Desktop Cleanup Wizard Enabled

Desktop/Active Desktophide
Policy Setting
Active Desktop Wallpaper Enabled
Wallpaper Name: \\server1\wallpaper$\bozo.bmp
Example: Using a local path: C:\windows\web\wallpaper\home.jpg
Example: Using a UNC path: \\Server\Share\Corp.jpg
Wallpaper Style: Center

Policy Setting
Allow only bitmapped wallpaper Disabled
Disable Active Desktop Disabled
Enable Active Desktop Enabled
Allows HTML and JPEG Wallpaper
Policy Setting
Prohibit changes Disabled
Start Menu and Taskbarhide
Policy Setting
Add Logoff to the Start Menu Enabled
Hide the notification area Enabled
Remove and prevent access to the Shut Down command Enabled
Remove Network Connections from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Systemhide
Policy Setting
Don't display the Getting Started welcome screen at logon Enabled
Windows Components/Microsoft Management Consolehide
Policy Setting
Restrict the user from entering author mode Enabled
Restrict users to the explicitly permitted list of snap-ins Enabled
Windows Components/Windows Explorerhide
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
Policy Setting
Hides the Manage item on the Windows Explorer context menu Enabled

2nd Terminal Server (dedicated for special app)

Computer Configuration (Enabled)hide
Windows Settingshide
Security Settingshide
Local Policies/Security Optionshide
Deviceshide
Policy Setting
Devices: Prevent users from installing printer drivers Disabled
Interactive Logonhide
Policy Setting
Interactive logon: Message text for users attempting to log on "blah blah blah"
Restricted Groupshide
Group Members Member of
BUILTIN\Remote Desktop Users mydomain\Domain Users
Administrative Templateshide
System/Group Policyhide
Policy Setting
User Group Policy loopback processing mode Enabled
Mode: Merge
System/User Profileshide
Policy Setting
Do not check for user ownership of Roaming Profile Folders Enabled
Windows Components/Terminal Serviceshide
Policy Setting
Allow users to connect remotely using Terminal Services Enabled
Automatic reconnection Enabled
Enforce Removal of Remote Desktop Wallpaper Enabled
Remove Disconnect option from Shut Down dialog Enabled
Remove Windows Security item from Start menu Enabled
Sets rules for remote control of Terminal Services user sessions Enabled
Options: Full Control without user's permission
Windows Components/Terminal Services/Sessionshide
Policy Setting
Set time limit for disconnected sessions Enabled
End a disconnected session 30 minutes
Policy Setting
Sets a time limit for active but idle Terminal Services sessions Enabled
Idle session limit: Never
Policy Setting
Terminate session when time limits are reached Enabled
User Configuration (Enabled)hide
Windows Settingshide
Internet Explorer Maintenancehide
Connection/Proxy Settingshide
Enable proxy settings
Protocol Server Port
HTTP 192.168.1.10 80
Secure 192.168.1.10 80
FTP 192.168.1.10 80
Gopher 192.168.1.10 80
Socks 192.168.1.10 80
Exceptions: Do not use proxy server for addresses beginning with
Do not use proxy server for local (intranet) addresses Enabled
Administrative Templateshide
Desktophide
Policy Setting
Do not add shares of recently opened documents to My Network Places Enabled
Hide Internet Explorer icon on desktop Enabled
Hide My Network Places icon on desktop Enabled
Prohibit user from changing My Documents path Enabled
Remove My Documents icon on the desktop Enabled
Remove Properties from the My Computer context menu Enabled
Remove Properties from the My Documents context menu Enabled
Remove Properties from the Recycle Bin context menu Enabled
Remove Recycle Bin icon from desktop Enabled
Remove the Desktop Cleanup Wizard Enabled
Start Menu and Taskbarhide
Policy Setting
Add Logoff to the Start Menu Enabled
Do not display any custom toolbars in the taskbar Enabled
Force classic Start Menu Enabled
Hide the notification area Enabled
Remove All Programs list from the Start menu Enabled
Remove and prevent access to the Shut Down command Enabled
Remove Balloon Tips on Start Menu items Enabled
Remove Clock from the system notification area Enabled
Remove common program groups from Start Menu Enabled
Remove Documents menu from Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove frequent programs list from the Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove My Documents icon from Start Menu Enabled
Remove My Music icon from Start Menu Enabled
Remove My Network Places icon from Start Menu Enabled
Remove My Pictures icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove pinned programs list from the Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Run menu from Start Menu Enabled
Remove Search menu from Start Menu Enabled
Remove Set Program Access and Defaults from Start menu Enabled
Remove user name from Start Menu Enabled
Remove user's folders from the Start Menu Enabled
Turn off notification area cleanup Enabled
Turn off personalized menus Enabled


logon.bat

@echo off

net use * /delete /y

net use O: \\server1\managerial$
net use u: \\server1\users$\%username%

REGEDIT /S \\server1\sysvol\access.reg
exit


outlooksetup.bat

@echo off

:check

REG QUERY "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /v DefaultProfile


IF ERRORLEVEL 1 goto out

ECHO Outlook profile found Exiting...
@ping 127.0.0.1 -n 5 -w 5000 > nul
@ping 127.0.0.1 -n %1% -w 5000> nul

exit

FOR /F "tokens=2* delims= " %%A IN ('REG QUERY "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /v DefaultProfile') DO SET DefaultProfile=%%B

If NOT %DefaultProfile% == Outlook

rem REG DELETE "HKLM\Software\Microsoft\Exchange\Client\Extensions" /v "Exchange Extensions"

:OUT

ECHO NO Valid Outlook Profile Found----- Creating....
@ping 127.0.0.1 -n 2 -w 1000 > nul
@ping 127.0.0.1 -n %1% -w 1000> nul



REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /va /f

REG DELETE HKCU\Software\Microsoft\office\12.0\outlook\setup /va /f


REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v UpdateProfiles /t REG_DWORD /d 0x0001c398 /f


REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v RegisterForms /t REG_DWORD /d 0x0001c398 /f


REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v MigratePrefs /t REG_DWORD /d 0x00000001 /f


REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v CreateWelcome /t REG_DWORD /d 0x0001c398 /f


REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v SetBalloonon /t REG_DWORD /d 0x0001c398 /f


REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v ImportSplus /t REG_DWORD /d 0x0001c398 /f

REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v ImportSRS /t REG_DWORD /d 0x0001c398 /f

REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v ImportPAB /t REG_SZ /f


REG ADD HKCU\Software\Microsoft\office\12.0\outlook\setup /v ImportPRF /t REG_SZ /d \\192.168.1.10\sysvol\newprof.prf /f

exit



ECHO Profile=%DefaultProfile%

pause
:Exit

 

[lumpusmaximus]

Yes, I couldnt find Best Practices Analyzer for other than Exchange or SQL. When run on Exchange, does it analyze the domain as well?