Είχα σταματήσει να γυρίζω μόνος μου στο σπίτι. Προσπαθώ να διαβάζω πολύ στα ΜΜΜ, καθώς περνάω μιάμιση με δύο ώρες σε αυτά. Καθώς γύριζα με παρέα, "έχασα" δύο ώρες ελαφρού διαβάσματος.

Το βιβλίο θάφτηκε στη στοίβα και σχεδόν το ξέχασα.

Η διαχείριση του χρόνου μου επίσης πήγε περίπατο. Δεν εγκατέλειψα την προσπάθεια, αλλά σίγουρα κατάφερνα λιγότερα από όσα μπορούσα και ήθελα.

Καιρό μετά πέτυχα στο Hacker News μια αναφορά για το "How to do Research at the MIT AI Lab". Ανάμεσα στα πολλά χρήσιμα και ενδιαφέροντα γράφει:

Read Alan Lakein's book How to Get Control of Your Time and Your Life, which is recommended even by people who hate self-help books. It has invaluable techniques for getting yourself into productive action.

Το βιβλίο το είχε η βιβλιοθήκη του ΤΕΕ και σκέφτηκα πως αφού δεν τα κατάφερα με το προηγούμενο, ας προσπαθήσω με αυτό. Το βιβλίο διαβάζεται γρήγορα, εύκολα και ευχάριστα (μου πήρε περίπου μία εβδομάδα και σε ώρες που παράλληλα έκανα baby sitting). Εντυπωσιακό για βιβλίο που γράφτηκε το 1973 και όμως περιέχει συμβουλές για το πως να αποφύγει κανείς τόσο το information overload, όσο και το email bankruptcy (snail mail στο βιβλίο, αλλά δεν αλλάζει κάτι).

Από τις πιο καλές συμβουλές του βιβλίου: Πάρε ένα χρονόμετρο κουζίνας (συνήθως μετράνε αντίστροφα μέχρι 60') και χρησιμοποίησέ το για το χρόνο που αφιερώνεις σε μια εργασία μέσα στο οκτάωρο (ή ως υπενθύμιση για εκείνη την εργασία που πρέπει να ελένξεις πως πάει μετά από 20').

Δύο μήνες μετά ξαναγύρισα στο κεφάλαιο 3 του Limoncelli. Οι ομοιότητες με το βιβλίο του Lakein είναι πολλές, άλλωστε το γράφει και ο ίδιος πως το έχει διαβάσει. Ο Κύκλος (The Cycle), το σύστημα του Limoncelli για την οργάνωση του χρόνου δεν διαφέρει πολύ από αυτά που προτείνει ο Lakein. Και οι δύο προτείνουν μια ιεράρχιση των δραστηριοτήτων με τις διαβαθμίσεις A, B και C (Α το πιο σημαντικό, C το λιγότερο σημαντικό) και προτείνουν να ασχολείται κανείς πάντα με τα A-items, ακόμα κι αν δεν έχει "παράθυρο χρόνου" που να τα χωράει. Τότε μπορεί να τα σπάει σε μικρότερα τμήματα που μπορούν να χωράνε στα διαθέσιμα time slots.

Με την εξαίρεση του τέλους του κεφαλαίου 13 (Automation), το βιβλίο δεν είναι μόνο για system administrators. Αρκεί άλλωστε να σκεφτεί κανείς το motto του Terrence Parr "Why program by hand in five days what you can spend five years of your life automating?" για να καταλάβει πως είναι για κάθε πληροφορικό που θέλει να βρει ένα τρόπο να οργανώσει το χρόνο του (επαγγελματικό και προσωπικό) καλύτερα. Και επειδή είναι και νεώτερο από το βιβλίο του Lakein, έχει μια πιο σύγχρονη ματιά (π.χ. έχει ειδικό κεφάλαιο για τη διαχείριση της ηλεκτρονικής αλληλογραφίας).

Από τα καλύτερα σημεία του βιβλίου είναι η σαφής προοτροπή να προστατεύει κανείς εκείνο το 1/3 της ημέρας που δεν είναι work-time ή ύπνος:

The wrong thing is to stay late. Your social life is valuable. You don't do your employer any favors by ignoring social time and becoming irritable. You work better when you eat right, get plenty of sleep regularly, exercise and participate in nonwork activities.

Οι Έλληνες εργοδότες βέβαια αγνοούν τον Νόμο του Parkinson ("work expands so as to fill the time available for its completion") και θεωρούν την (απλήρωτη) υπερωρία δεδομένη και υποχρεωτική.

Επανερχόμενος στα βιβλία, μπορώ να παρατηρήσω πως έχουν και τα δύο ένα μόνο μειονέκτημα: Δεν περιέχουν καμία ιδέα / συμβουλή για το πως μπορεί να οργανώσει το χρόνο του κάποιος που έχει μωρά παιδιά (μωρά, όχι μικρά, ο Lakein αφιερώνει μια σελίδα για το πως μπορείς "κλέψεις" 30 λεπτά από ένα τετράχρονο).

Bottom line: Το βιβλίο του Lakein είναι πολύ καλό. Εάν όμως η σχέση σας με τους υπολογιστές είναι επαγγελματική, τότε το βιβλίο του Limoncelli είναι σαφώς πιο χρήσιμο, πιο σύγχρονο, έχει δικό του wiki site και mailing list (TM4SA-fans).

I've seen Google search results redirect to these pages, meaning even well-intentioned users can stumble onto these pages. You'll want to cancel out of everything, not download anything, and closing your browser as soon as possible seems to be the easiest way to get out of this.

You'll certainly know if you're affected because your computer will misbehave and webpages will look different. For example:

A lot of times, after the legitimate page loads in Internet Explorer, it will redirect you to about:blank which has links to download AntiVirus 2009. Using Firefox will prevent you from these repurcussions, but you don't want this malware on your machine doing who knows what in the background even if you're not visually affronted by it.

We want to do two things at this point: Remove the malware from our machine and prevent ourselves and our users from stumbling on to these malware ridden sites.

Running a legitimate antivirus scan should remove the majority of things but there are still some slippery things that get by. Reboot in Safe Mode and run your virus scan for even better results.

Unfortunately my virus scan missed a few things left by this little bugger. Specifically, it missed the about:blank redirector and the additions made to Google. There is a browser helper object in IE that is allowing it to do this.

You have to take a guess, but it seems like this unnamed, random letters BHO is to blame. If you disable it, it just seems to come back enabled again next time you start up IE, very malware like behavior. It also shows it uses winsrc.dll. Doing a quick search for that file, finds that it is located in C:\Windows\System32. Checking the properties. It was created the same time as the initial incident occurred. Delete this file.

Deleting this file will prevent it from working. You can also find the entries in Internet Explorer's add-on menu in the registry. Open the registry and do a search for the random letter names. I found three entries and safely deleted them. The specific one that tied it to the Browser Helper Objects is seen below and removed its entry from the IE menu.

Delete the matching named key from HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{random letters}.

Also, run Spybot Search and Destroy. It turned up two results related to Antivirus XP 2009 on this machine.

That should remove the AntiVirus Xp 2009 threat from your machine. To prevent users from getting to the page where they might download the file or have it run for them we'll use an old trick of editting the HOSTS file. The HOSTS file is where your computer first looks to see how to resolve a URL to an IP. If there is no entry in the HOSTS file, it looks to the DNS server. In most cases these days, the HOSTS file contains a bunch of comments and one line: 127.0.0.1   localhost

This tells the machine that if the word localhost resolves to the IP address 127.0.0.1, which is your machine's local IP address (different than the IP address you'll get from your router or modem). We're going to add a few lines here to tell the computer that the domain name that is serving up these malicious programs actually lives on our machine. It doesn't so, it will just break the links instead.

Do not go to these sites! They are live and host malicious software!

Go to C:\Windows\System32\Drivers\etc\ and edit the HOSTS (no extension) with Notepad or Notepad++.

Add the following lines under the '127.0.0.1   localhost' entry:

127.0.0.1    av-check-online-scan.com
127.0.0.1    best-downloads-arch.com
127.0.0.1    masterspitetds09.com
127.0.0.1    onlineprivatescan.com
127.0.0.1    antispyware-free-scanner.com
127.0.0.1    scanner.ms-scan.com
127.0.0.1    scanner.micro-antivir-2009.com

It should look like the following screenshot. If you immunize with Spybot (recommended) you'll also notice a lot more websites listed.

You can save this file (remember, no file extension) and copy to your users' computers. This will prevent them from being accidentally redirected to a known site with malicious content. If you find more sites, simply add the URL to this same file in the same fashion and push it out to your users again.

The above sites were a compilation of the URLs I encountered while researching and trying to clean up an infected machine. If you know any other sites related to AntiVirus 2009 that should be filtered, I'd be very grateful to hear them to further reduce the likelihood of my users getting tricked into this site.

Update: I will add more addresses to the list to block as I unfortunately stumble upon them.

Quando a chave liga/desliga não existe, a solução natural é operar esse comportamento via software. Alguns notebooks possuem teclas de função para controlar esse comportamento. Para os que não tem e possuem Linux instalado, usando o módulo Synaptics do XOrg, há uma ferramente bastante útil para esse fim, o Gsynaptics, que fornece uma interface gráfica para configurar diversas opções do touchpad e, dentre elas, ligar/desligar o dispositivo. Apesar dessa facilidade, um incoveniente do Gsynaptics é a necessidade de abrir a janelinha da ferramenta para ligar/desligar o dispositivo.

Uma solução mais conveniente seria permitir que o touchpad fosse ligado/desligado através de uma tecla de atalho, emulando o comportamento de uma tecla de função do notebook. Poderíamos desenvolver um script que habilita/desabilita o touchpad e é chamado sempre que pressionamos uma combinação de teclas. Uma ferramenta que pode ajudar é o synclient, que funciona de forma similar ao Gsynaptics, porém na linha de comando. No Ubuntu Hardy, o synclient faz parte do pacote xserver-xorg-input-synaptics.

Com o synclient, para desligar o touchpad, executa-se o seguinte comando:

synclient TouchpadOff=1


E para ligar:

synclient TouchpadOff=0


Para automatizar o processo, o script em Perl a seguir chaveia o touchpad usando o synclient:

[sourcecode language='cpp']
#!/usr/bin/perl -w

use strict;
use warnings;

my $output = `synclient -l`;

if ($output =~ /TouchpadOff *= *(\d)/) {
if ($1 eq "1") {
`synclient TouchpadOff=0`;
print "Turned touchpad ON \n";
} else {
`synclient TouchpadOff=1`;
print "Turned touchpad OFF \n";
}
} else {
print "Failed to parse synclient output \n";
}
[/sourcecode]

Nesse script, se o touchpad estiver ligado, ele é desligado; se estiver ligado, é então desligado. Para tornar o script executável, supondo que foi nomeado como toggle-touchpad.pl:

chmod +x toggle-touchpad.pl

Agora falta associar o script a uma tecla de atalho. Para isso, temos diversas alternativas, como os atalhos do Gnome, Xbindkeys, etc, etc. Porém, se você usa Compiz Fusion, a configuração das teclas de atalho é bastante simples. No CCSM (Compiz Config Settings Manager), crie um comando e associe o comando com uma tecla de atalho. Para isso, abra o ccsm e, no plugin "General Options", clique na aba "Commands":

Note que há dois painéis deslizantes nessa tela: o painel "Commands" e o painel "Key bindings", que correspondem às definições de comando e atalhos, respectivamente. Expanda o painel "Commands" e encontre uma "Command line" livre. Nessa commandline, insira o caminho do script que criamos:

$CAMINHO$/toggle-touchpad.pl

Substitua $CAMINHO$ pela pasta onde você salvou o script. Agora é necessário associar o comando criado com um atalho de teclado. Expanda o painel "Key bindings" e escolha o campo "Run Command" adeqüado. Se você usou a "Command Line 0" no passo anterior, deverá usar o "Run command 0"; se usou o "Command line 1", deverá usar "Run Command 1" e assim, por diante.

No exemplo, foi configurada a combinação CTRL+F10 para habilitar/desabilitar o touchpad. Outra combinação é possível, basta mudar no CCSM.

Com isso, temos a tecla de atalho funcionando. Resta ainda um incoveniente: toda vez que dermos um boot, o touchpad estará ligado por padrão. Para evitar esse comportamento, podemos adicionar uma entrada no crontab.

crontab -e

E digite:

@reboot $CAMINHO$/toggle-touchpad.pl

Não esqueça de trocar $CAMINHO$ pela pasta onde o script está salvo.

Se você usa o GSynaptics, desabilite o touchpad nessa ferramenta também pois, do contrário, o touchpad será habilitado quando o Gnome iniciar.

Com isso, fazemos com que o touchpad fique desligado por padrão e temos uma tecla de atalho para controlá-lo.

PS:
Uma solução alternativa pode ser encontrada em: Kubuntu: How To Turn The Touchpad Off And On With One Shortcut Key

Setup is really simple. You just run through it while logged in as a local administrator. The only mark-down with the setup I'd give is the bundling of the Windows Live Toolbar with it. After installation, SteadyState runs as a background service with about a 10 Meg footprint from two processes: Bubble.exe and SCTSvc.exe.

Once you get into configuring SteadyState as a local administrator, you're into the meat of the program. You can set up global settings which affect all users of the computer or user-specific settings. These global settings, however, are over-ridden by any settings made in the Group Policy.

The user-specific settings are limited to local accounts and integrated within the SteadyState tool is the ability to easily create these accounts. They don't reach Active Directory accounts unfortunately, but for the local accounts they allow very specific control. The user-specific settings can be exported as a user in a .ssu file (SteadyState User) and imported for easier setup of a lab environment.

Some cool features of Windows SteadyState are the integration into Windows Update and the Protect Hard Disk. You can set when Windows updates are applied so that those changes are made. I have to believe that with better integration and shared information as a Microsoft product this has to behave better than DeepFreeze. We have often run into problems where a machine will thaw, install the updates, and freeze again so that it is constantly in a state of needing to restart after the updates were installed. The machine logs you out and puts a pop up window over the Ctrl+Alt+Del login screen explaining that it is busy running updates. The pop doesn't go away, even if you click 'Ok' on it until the machine completes updates and restarts.

The Protect Hard Drive features is also really handy for a public environment. The service takes a snapshot of your drive, just like DeepFreeze, and reverts back to this snapshot after every restart. This way users are not leaving behind confidential files, whatever they download or install is wiped out, and you create a consistent user experience no matter who has used the machine. This was also able to prevent a virus from creating havoc on the machine. Just for testing purposes, I intentionally downloaded the Antivirus 2009 trojan virus and let it infect the machine. As soon as I restarted the machine, it was operating nominally. The Protect Hard Drive has its own configuration where you can specify how much of the disk can be used. It defaults and maxes out at 50% of the hard drive space, but this can be lowered.

Get Windows SteadyState.

MediaWiki changed my mind mostly with two factors: the front page could be customized to attract people in instead of just funneling them to a search box. Secondly, the size and scale of the wikipedia project convinced me this would be a worth-while project.

Setting up MediaWiki was pretty painless. You need a SQL database and a http file server (Apache), so I was able to get by just fine with XAMPP for testing purposes. MediaWiki runs you through a configuration page to get account information for your database and naming all set up. It creates all the tables necessary after that.

After setting up, I did run into one error. It was listed in their FAQs and I solved the problem with a quick edit with Notepad++ of LocalSettings.php in the mediawiki folder.

The error:

Warning: domdocument::domdocument() expects at least 1 parameter, 0 given in C:\xampp\htdocs\w\includes\Preprocessor_DOM.php on line 566
Fatal error: Call to undefined method domdocument::loadXML() in C:\xampp\htdocs\w\includes\Preprocessor_DOM.php on line 568

The fix is to add this line in LocalSettings.php:

Unfortunately, while looking into the manual of WikiMedia, they recommended that I use other software to accomplish my goals. I was once again convinced that a wiki is going to have to be pretty well conceived for my plans for it to work or there will be many holes to plug to be confident in the security setup. It seems the ACLs is going to make or break a KB for me to be sold on it. The interface follows second. I've realized through my past experiences with trying to get more documentation to our processes that the system has to be easily accessible or else it is seen as too much of a hassle and the documentation never gets written.

Here are some interesting pages to read regarding user access and user access management in MediaWiki:

From http://www.mediawiki.org/wiki/Manual:Config_script:

User Rights: http://www.mediawiki.org/wiki/Manual:User_rights
-Control and create groups
-Control access (read, edit) permissions of groups

User Rights Management: http://www.mediawiki.org/wiki/Manual:User_rights_management
-Groups permissions to perform user management tasks

Preventing Access: http://www.mediawiki.org/wiki/Manual:Preventing_access
-Restricting edit & page creation rights

To have a page act normally for some users but be invisible to others, as is possible for instance in most forum software, is a very different matter. MediaWiki is designed for two basic access modes:

1. Everyone can view every single page on the wiki (with the possible exception of a few special pages). This is the mode used by Wikipedia and its sister projects.
2. Anonymous users can only view the Main Page and login page, and cannot edit any page. This is basically the same as the above, in terms of technical implementation (just an extra check for every page view), which is why it exists. This is the mode of operation used by certain private wikis such as those used by various Wikimedia committees.

Unfortunately this does not line up with how I want to operate my knowledge base. I am looking for:

1. Select individuals can view every single page on the wiki. These people would be the master editors that could read, write, and update articles.
2. Anonymous users can view most pages of the wiki, those that have been tagged or grouped to allow them access. These would be the typical users that are trying to search and solve their own problems.

Essentially this translates to:

1. Library IT users can view all pages and also read and edit them. There may also be sub-groups of this so that IT Workstation and Network Support can see all articles but IT Help Desk has some it can not see.
2. Library employees and users can search the kb to find information regarding any problems they might encounter to learn about workarounds, known problems, or assistance. There may also be a sub-group where only library employees can access regarding internal workings so as to not provide "security" leaks of internal systems to anonymous visitors.

I am definitely open to suggestions regarding where I should look next for a system that would provide an easily configurable ACL (access control list) to restrict general users from getting access to IT-only articles. Post any recommendations in the comments please.

Check out MediaWiki if it sounds right for you.

As we were using Exchange, Outlook was the primary Mail client with users suffering from the inevitable .pst corruptions that occur when mail folders exceed 2 Gig. As all Customer Support was run via email directly to people's personal email addresses there was a lot of email flowing around and a high likelihood of corruption.

The business also relied on a Visual Basic app installed on everyone's desktop which interacted with the customer database.

Looking at the Visual Basic application there was no way that could be replaced in a short period of time, so we decided to replace the machines as they hit their EOL with new leased Windows Desktops with on site support. This would turn out to be pretty much cost neutral as it cut out the need for local desktop support for the hardware. The (large) percentage of the Desktop Administrator's time could be redirected to more productive uses.

Given these machines would be consistent we were hoping we could achieve economies of scale with their management. In the event, we didn't want to pay Microsoft for a second copy of Windows licences (we already received OEM copies with the desktop lease) so we did not end up, as originally planned, with a single master image which could be deployed across the network.

We still wanted to install the software remotely however. A search around the Internet came up with OCS Inventory which looked to do what we needed. We installed this and while rather geeky, does indeed allow us to distribute software to all the Desktops remotely. It suffers from the same problem that so much Open Source software does - it has not been designed with usability in mind. Given this is an Administration tool, that wasn't a major concern, but it is something that would be good to improve on in the future. At time of writing, we had used it to install the initial software, but no upgrades as yet. Deleting software may also be a issue with this, however we will deal with that when we come to it.

Are we happy with this? Well it is not a bad solution. Given a choice of running thick clients and running thin clients with Terminal Services or Citrix we chose the thick clients. The setup, licencing and maintenance of the thin solution looked to be too hard given the huge amount of other tasks we had to deal with. Given that the VB app was a key requirement it was a good decision we feel, even if the desktop hardware was substantially more expensive.

It does leave us with desktop support issues - application support is still somewhat of an issue, however, when the lease is up (in 2 years or so), we plan to revisit this decision. More on this later...

Cheers,

David

If you don't want your bind to show the version you are currently running, on a ubuntu system you will add a version "[Secured]"; directive in the options section of the file /etc/bind/named.conf.options

That's it !

For the software we did have, we were only partially licenced and we obviously needed to resolve that situation as quickly as possible. The servers were outsourced at an outrageous cost to a third party whose service kept having issues. The firewalls were not spectacularly secure either  - there was no VPN functionality set up and the owners who travelled a lot were using Remote Desktop to access files on the network which was not at all secure.

We had to decide how to fix all that and not spend more money than we had to play with. At a personal level I loath dealing with Software Vendors - the licencing terms require a mammoth amount of time/brainpower to work out what you are and aren't allowed to do and in some cases, the licencing terms feel more like a way to gouge more money out of you than a reflection of their value. Then come the audits...

If car manufacturers tried to sell you a "cheap" car and then charge you extra to have a passenger, I wonder how quickly they would go out of business? Why do people put up with this from Software Vendors?

At a professional level, compliance costs to ensure that licences that are used are legal and that we are not breaking the terms of use can get expensive and in a small business you don't have someone to manage that for you. Having read the first 8 pages of Microsoft's Terminal Services Licencing documentation and still being unclear as to what we were actually allowed to use was just painful.

Lastly, I feel these days that Vendors are actively trying to lock you into their solutions and when running a business that is a major hidden cost to consider when selecting a solution. I would prefer to spend a little more on initial implementation if that saves running costs down the track than I would to buy something more cheaply up front which ends up costing much more in the log run.

So we decided to look at (free) Open solutions that would meet our needs. In some instances we went with proprietary solutions where we couldn't find a good alternative. We'll be sharing that with you over the coming months. We'll be focussing on two main areas - Systems Administration and Development. We will discuss the approach to both we took and the platforms we decided to work with.

Cheers,

David

The results that you get from running this scan can tell you the general health of your machine and how it's behaving in response to a WSUS (Windows Server Update Services) server, a group policy, Windows Updates, and system administration habits and practices.

One very useful thing to do with the MBSA is to run a scan of a machine before and after a group policy is put in place and see how it affects your machine's security. This should certainly allow you to get a good grasp on where your setup is weak and what needs improvement to reduce the risk and threat from your workstations. Combine this with the AccessChk utility to check file access permissions and you should know exactly where your machine stands and the capabilities of a person accessing them.

Download and learn more about Microsoft Baseline Security Analyzer.

Once I popped the cards in ran kudzu let the system find them I was off flying. I then decided to test the bonding built into openfiler. The setup was pretty easy and aside from an ip address conflict on my side everything went flawlessly. Although I did need to bounce the box to make everything work correctly. Restarting the services didn't seem to work correctly.

Now I just to find some low cost sata drives and a sata card. Slap those in and then start building my volume groups and finishing up with my iscsi configuration.

Instead, system administrators are left relying upon third party solutions to post .msi files. One of the most popular ones is using FrontMotion's Firefox MSI. (I'm intentionally not providing a link. I highly recommend you follow this post and create your own .MSI file instead.) I used the MSI file FrontMotion provided to deploy Firefox 3.0 throughout my organization. I later found out that this was a poor idea when Firefox 3.0.1 was released by Mozilla and my machines were no longer updating automatically. In fact, the Firefox I had deployed was not only configured to disable automatic updating. The setting was locked so I couldn't change it, even as a local administrator. This means I would have to deploy Firefox every time there was an update released from Mozilla instead of just deploying it the one time in order to stay up to date with security patches. This also makes me depending on FrontMotion for future releases of the MSI and their schedule. On a side note, the delay between Mozilla releasing Firefox 3.0.exe and FrontMotion releasing Firefox 3.0.msi was several weeks.

Along with the aforementioned downsides, we would also be subject to any additional files, settings, and extensions included in the MSI installation. Case in point, FrontMotion's Firefox 3.0 .msi includes a suspicious, random, and unrequested file: C:\test.txt. After deploying FF3, I noticed these test.txt files showing up on all of the machines. They had different created and modified dates because the software was deployed when the machines restarted and they all restart at different times and frequencies. It was just an empty text file this time, but it still proves that this has to be a trusted relationship. If we make our own MSI, we do not have to worry about this and perhaps with advanced configuration we can set our own settings and extensions to default for our users. This will come later.

Enough complaining and justifying making our own MSI for Firefox. I don't mean to rag on FrontMotion too much, that's not the point of this, but I want individuals to choose wisely and not waste their time with the current offerings of that site. I assume if you're still reading, you're already interested in creating one. So, let's begin!

We'll need:

• 2 computers
• WinINSTALL LE 2003 (mentioned in the Making Setup.exe into Setup.msi post. Direct link to download.)
• The latest Mozilla Firefox 3 setup file

The 2 computers are going to consist of a 'Setup' machine and a 'Host' machine. I'll just use these names to keep them straight. The 'Host' machine can be any machine on the network that the 'Setup' machine can reach and access its shares. The 'Setup' machine (this is important) is going to be a fresh install of Windows. You are going to install Windows, the network driver, and possibly the video card drivers. That is it. I recommend capturing an image of the 'Setup' machine at this point so you can quickly restore it to this point for conveniently capturing MSI files in the future. You want the bare minimum on this 'Setup' machine because you don't want anything going on in the background that would end up in your capture, your .msi, and then on all the machines this software is installed on.

The 'Host' machine can be the machine you use every day. Its only job in this process is to host the WinINSTALL software. After downloading the WinINSTALL application install it on the 'Host' machine. You can choose all of the defaults. You only really need to pay attention to this screen:

This tells you the share that you'll be accessing from the 'Setup' machine later. Whatever the hostname of the 'Host' machine is, you'll access the software from \\Host hostname\WinINSTALL (ex. My computer's name is ITStaff09. The share is located at \\ITStaff09\WinINSTALL\) or replace WinINSTALL with whatever you change the above screen to say (recommend leaving it with the default).

With WinINSTALL installed on the 'Host' computer, let's get the 'Setup' machine prepared. Log in as the local administrator and download the Firefox 3 setup.exe of whatever language and localization you want on your machines. Access the share on the 'Host' machine and create a shortcut on the 'Setup' machine's desktop to discover.exe. You now have your 'Setup' machine all configured with freshly installed Windows, network card driver installed, Firefox 3 setup downloaded to the desktop (DO NOT RUN IT YET!), and an icon to discover.exe on the desktop.

Close any open applications and windows on the 'Setup' machine. Wait for everything to close and launch the shortcut to discover.exe from the desktop. Follow the on-screen instructions. For the first time through, we'll stick with the defaults, with more familiarity and depending on the application you're installing you might tweak these settings. For now, go through the defaults. This is taking a snapshot of the machine so it knows which files and registry keys change during the installation and setup.
At the end, you'll be prompted for the installer.
Browse to the Firefox 3 setup.exe on the Desktop and click launch.
Complete Firefox 3's setup choosing all the settings you want to be in your deployment.

Once everything is setup how you want it to be close all windows and run the shortcut to discover.exe again. Follow the on-screen instructions to take the post-snapshot. This may take a while for the machine to process what differences were made, but just let it run and in the end you'll have a .msi ready for deployment. By default, the new package was stored in the WinINSTALL share, \Bin\Packages but you can specify this.

I would definitely recommend testing out your MSI before deployment multiple ways. You'll want to test:
+Running the MSI on its own
+Deploying the MSI on a test machine through Group Policy
+Deploying to a machine that has an older version of Firefox installed
+Deploying to a machine that has the same version of Firefox already installed

If you want to see what is going on inside of your MSI, you can use ORCA MSI Editor to view what directories and registry keys are changed in this MSI.

You should now have a working .msi file to deploy through group policy for Firefox 3. I want to point out that this process will work for any setup file to create an .msi, much more than Firefox.

You might check out FirefoxADM for controlling Firefox settings through the Group Policy (documentation) to make your system administration complete.

Problem: I am logged into my machine in my office and have something open I want to get to from another computer in the building, on the network, or VPN'd in from off the network. If I use Remote Desktop, I just get another session on my Windows Server 2003 machine and still don't get access to what I need. (If it were just a saved file, I could get to it through a file share.) Further more, if I have Firefox and Thunderbird open in my console session, I can't start them up remotely because of the error: "Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system." (or substitute 'Thunderbird' in for 'Firefox' in that error message).

Possible solution: Install a VNC server on the machine and use that to connect. This requires a VNC viewer installed on all the machines I might be connecting from and another process on my machine to secure and be running at all times.

Real solution: Using Windows Remote Desktop there are switches that allow you to interact with the console session rather than starting a new one. The switch depends on what operating system you are connecting from, and is independent of which operating system you're connecting to.

From Windows XP Pro: At Start, Run... enter: mstsc /admin
Or change the target field in a shortcut to be mstsc.exe /admin

From Windows Server 2003: At Start, Run... enter mstsc /console
Or change the target field in a shortcut to be mstsc.exe /console

Some notes on behavior:
+ Whether you're connecting to XP or Server 2003, the machine you're connecting to will lock and hide what you're doing from anyone that might be watching the local machine.

+ An odd little quirk I've noticed is that you can't have both an interactive session of Remote Desktop running and a VNC session running. Not sure why at this point. Video mirror drivers? TCP ports conflicting?

+ For Windows XP, you can only interact with your own sessions. If you try logging in as another user, it will give you the following error message:
The user {username} is currently logged on to this computer. If you continue this user's Windows Session will end and any un-saved data will be lost. Do you want to continue?

+ For Windows Server 2003, you can only interact with your own sessions by default, like above, but you can change this behavior. *You only need to do this if you are going to want to interact with console sessions of a different user name logged into the machine than your own, or what user name you're logging into with Remote Desktop.*
Go to Start, Run...
Enter: mmc
Go to File, Add/Remove Snap-ins...

Click the Add button.

Scroll down to find 'Terminal Services Configuration'. Click the 'Add' button and then click 'Close'.

You should now see the Terminal Services Configuration listed. Expand Terminal Services Configuration and double-click on the Connections folder to open it.

In the right-side pane, you'll see below. Right-click on the RDP-Tcp connection and go to Properties.

Click to the 'Remote Control' tab and configure it behave how you want it; whether you want to be able to interact or just view any console sessions on this machine and whether you want to require the user's permission to grant access.

Of course, also check under the Permissions tab to make sure access is granted to those you want to be able to Remote Desktop into this local machine. Hit the OK button when everything is configured how you want it.

These settings can also be configured via the Group Policy Object Editor.

User Configuration\Administrative Templates\Terminal Services\Set rules for remote control of Terminal Services user sessions
-Allows you to configure View the session or interact with the session and require/don't require the user's permission.

Computer Configuration\Administrative Templates\Terminal Services

-Contains a lot more generic settings related to Remote Desktop behavior.

Update: Windows Server 2008 uses the same switch as Windows XP Pro: mstsc /admin

Feeback is always welcome: I'm particularly interested in hearing how this behaves in Windows Vista and Windows Server 2008. Different switches? Different behaviors? Please post in the comments so that others might benefit.

A computer repair technician is a person who repairs and maintains computers and servers. The technician's responsibilities may extend to include building or configuring new hardware, installing and updating software packages, and creating and maintaining computer networks. Computer repair technicians work in a variety of settings, encompassing both the public and private sectors. Because of the relative newness of the profession, institutions offer certificate and degree programs designed to prepare new technicians, but computer repairs are frequently performed by experienced and certified technicians who have little formal training in the field.

A repair technician might work in a corporate information technology department, a central service center, or a retail computer sales environment. A public sector technician might work in the military, national security or law enforcement communities, health or public safety field, or an educational institution. Despite the vast variety of work environments, all computer technicians perform similar physical and investigative processes, including technical support. Experienced technicians might specialize in fields such as data recovery, system administration, or information systems. Some technicians are self-employed or own a firm that provides services in a regional area. Some are subcontracted as freelancers or consultants. This type of technician ranges from hobbyists and enthusiasts that volunteer or make a little side money, to those who work professionally in the field.

The repair of problems can range from a minor setting that is incorrect, to spyware, viruses, and as far as replacing hardware or an entire operating system. Some technicians provide on-site services usually at an hourly rate. Others can provide services off-site, where the client can drop off at the repair shop. Some have pickup and drop off services for convenience. Some may also take back old equipment for recycling. While computer hardware configuration varies widely, a technician works with two basic types of hardware; units limited to a location (desktops, mainframes and supercomputers) and more portable (laptop and handheld) devices. Technicians also work with and occasionally repair a range of peripherals, including input devices like keyboards, mice, and scanners, output devices like displays, printers, and speakers, and data storage devices ranging from external hard drives to specialized high-storage desktop computers called servers. Technicians involved in system administration might also work with networking hardware, including routers, switches, fiber optics, and wireless networks.

When possible, repair technicians protect the computer user's data and settings, so that after repair, the user will not have lost any data and the technician can fully use the device with little interruption, and then diagnose the problem. So if you are having issues with your computer like I am having with mine, you should go to repairfinders.com and find a repair technician to solve the problem. Addressing the issue, the technician could take action as minor as adjusting one or several settings or preferences, but could also apply more involved techniques like installing, uninstalling, or reinstalling various software packages. A reliable, but somewhat more complicated, procedure for addressing software issues is known as a restore, in which the computer's original installation image (including operating system and original applications) is reapplied to a formatted hard drive. Well folks, Im about to hope on to repairfinders.com to fix the computer of mine. If yours is giving you problems, I suggest you do the same!

You might find that you're getting a lot of spam or malicious traffic from a spam-heavy country and find it easier to block the entire nation than fighting to keep up with the never-ending battle. You might also be concerned about export limitations to particular nations and block the country to keep their traffic out (unless they use a proxy). Simply go to BlockACountry.com and select the countries you want to block (hold down shift to select a group of countries or hold down Ctrl to individual pick out the countries). Hit the 'Go' button and your .htaccess file will be generated.

The resulting page will give you a text box that you can copy+paste into your current .htaccess file or a link to download a htaccess.txt file. If you choose the latter option, just rename that file on your server to .htaccess

BlockACountry.com

Where I'm at currently with this project is that I first tried WinInstall 2003LE and successfully created an MSI that worked on the first try. It was a very intuitive process and worked out really well. I'll be creating another post soon with step-by-step instructions on creating an MSI from Firefox 3.0.1's setup.exe. I have deployed this msi in a number of test locations around my organization and am planning on deploying it to the entire organization over the upcoming weekend.

I'm currently using WinInstall 2003LE with ORCA MSI Editor to review it. Here's the collection of links I was able to condense through my research. Hope it saves you some time and points you in promising directions.

Free Products:
WinInstall 2003LE - This software has a long, convoluted history as far as I can tell. Getting bought out by different companies multiple times, the software WinInstall 2000 was originally shipped with Windows Server 2000 to allow repacking of Setup executables into .msi's. Long story short, the LE edition is still free and available through Scalable, though they require you to register before downloading. The direct link to the download button here might work for a while and save you from having to register.

MAKEMSI

Free MSI Editor Utility:
ORCA MSI Editor - Free Utility to look at the internals of MSI packages. Helpful to review where registry keys and files are going and understand the MSI process.

Commercial Products:
InstallShield

WinInstall MSI Packager

WISE Installation Express 7

Advanced Installer - The components of this package related to MSI repackaging are only available as trials despite the freeware title. The Repackager component requires the Professional license but has a trial that shows it operates a lot like WinInstall 2003LE but with a little better interface. There is an MSI editor that is also a trial and seems to be a little more thorough than Orca MSI Editor. It puts a little note when launching the resulting MSI that it was created with a trial and is for evaluation purpose only.

For Developers:
Inno Setup - Package your install files into a single .exe (NOT .MSI)

Microsoft Installer SDK

Related Microsoft KB articles:
Overview of Windows Installer Technology

Using GPO to install software

Create 3rd party MSI

Post in the comments if you know any other alternatives that are worth listing or any poor experiences that you want to warn others away from.

With the Active Directory snap-in for the Microsoft Management Console open, go to View and click on Advanced Features so that there is a check mark to the left of it.

Now when you do a search double-click (or right-click, Properties) on the search result you want to investigate.

A new window will appear. This is the standard window that you would have gotten without enabling the Advanced Features except that now there is a tab called Objects. Click on this and it will show the hierarchy where you can find the object in your AD.

Now you can see the the libnonadmin object is located in the uc.edu\Library\Testing\ OU.

Now, what is wrong with this picture?

Table created with: TableMaker.

If you're a Systems Administrator and software deployment is one of your responsibilities, this site (and community) might become a valuable resource to you, saving time and providing great suggestions to smooth out operations. Of course, I recommend contributing any information and ideas you might have to the site so that many more might benefit from your insights and experience.

Visit AppDeploy.com

An SSH server can be set up in various ways, but in this document I’ll describe how it can be configured to:

• only support connections through the 2nd version of the SSH protocol (SSH-2)
• use DSA keys for user authentication, without permitting authentication with passwords
• allow only a specific group of users to connect

Continue reading Setup the SSH server to use keys for authentication.

¹ Quote courtesy of the phpMyAdmin Team website

The fix is to uninstall the wireless card from the device manager.

• Right-click My Computer and go to Manage.
• In the Computer Management window, select Device Manager in the left pane.
• Click the '+' (plus) next to Network Adapters to expand the category.
• Right-click on the wireless card (ex. Intel(R) Wireless WiFi Link 4965AG)
• Select 'Uninstall'
• After the device is removed, click the 'Scan for new hardware' button at the top.
• The device will be re-installed and should now detect wireless networks.

This can be scripted using the devcon tool that Microsoft provides as a command-line alternative to the device manager.

The script can be used in two places:

• Immediately before collecting the image, you can uninstall the device.
• After re-imaging, you can uninstall and re-install the device like above.

To uninstall the device before collecting the image, create a batch script (text file with the file extension .bat) with this command in it:

devcon remove "PCI\VEN_8086&DEV_4229&subsys_10008086"

The part in the quotes will change for you depending on what brand and model your wireless card is. You can find out what to replace it with by browsing the Device Manager:

• Right-click My Computer and go to Manage.
• In the Computer Management window, select Device Manager in the left pane.
• Click the '+' (plus) next to Network Adapters to expand the category.
• Right-click on the wireless card (ex. Intel(R) Wireless WiFi Link 4965AG)
• Select 'Properties'
• Click the 'Details' tab.
• There will be a drop-down menu, choose 'Matching Device ID' or 'Device Instance Id'
• The entry under there will be 'PCI\VEN_..." (followed by unique numbers to your device)
• Open a command prompt and run the command: devcon find "PCI\VEN_..." (add your unique numbers to the command)

As long as only one device is found (your wireless card), you can use that number. You may have to have more numbers or you might be able to reduce the numbers depending on how specific you have to be to find the wireless device. For example:

devcon find "PCI\VEN_8086"
21 matching devices found.

devcon find "PCI\VEN_8086&dev_4229"
1 matching device found.

devcon find "PCI\VEN_8086&dev_4229&subsys_10008086"
1 matching device found.

I can make my command use the second number if I'm lazy since only one device was found:

devcon remove "PCI\VEN_8086&dev_4229"

or the third number if I want to be most specific:

devcon remove "PCI\VEN_8086&dev_4229&subsys_10008086"

To implement the after-image scripting solution, we'll use the above command to uninstall and follow it by another to automatically scan for new hardware. Put the following two commands in a batch command and replace the "PCI\VEN_..." part with your numbers found above.

devcon remove "PCI\VEN_8086&dev_4229"
devcon rescan

This will uninstall and re-install the device, the exact same fix that we were using through the device manager but with only one double-click to implement the solution.

Download Devcon command-line tools from Microsoft.

The first way to list a directory is if you want to make a batch script and add this directory printing to a file.

dir "c:\documents and settings\all users\start menu\programs" /B /S > "H:\backup08\startmenu.txt"

This will put everything from the All Users Start Menu Folder into a file called startmenu.txt. It's simply using the dir command to specify the location and then using output redirection ( > ) to point to a file instead of the screen. If you wanted to append to a file instead of overwriting one just replace the greater than ( > ) with two of them ( >> ). There are a lot of options you can use with the simple dir command to filter down the results to make them appear as you need them. From the help page (dir /?):

Displays a list of files and subdirectories in a directory.

DIR [drive:][path][filename] [/A[[:]attributes]] [/B] [/C] [/D] [/L] [/N]
[/O[[:]sortorder]] [/P] [/Q] [/S] [/T[[:]timefield]] [/W] [/X] [/4]

[drive:][path][filename]
Specifies drive, directory, and/or files to list.

/A          Displays files with specified attributes.
attributes   D  Directories                R  Read-only files
H  Hidden files               A  Files ready for archiving
S  System files               -  Prefix meaning not
/B          Uses bare format (no heading information or summary).
/C          Display the thousand separator in file sizes.  This is the
default.  Use /-C to disable display of separator.
/D          Same as wide but files are list sorted by column.
/L          Uses lowercase.
/N          New long list format where filenames are on the far right.
/O          List by files in sorted order.
sortorder    N  By name (alphabetic)       S  By size (smallest first)
E  By extension (alphabetic)  D  By date/time (oldest first)
G  Group directories first    -  Prefix to reverse order
/P          Pauses after each screenful of information.
/Q          Display the owner of the file.
/S          Displays files in specified directory and all subdirectories.
/T          Controls which time field displayed or used for sorting
timefield   C  Creation
A  Last Access
W  Last Written
/W          Uses wide list format.
/X          This displays the short names generated for non-8dot3 file
names.  The format is that of /N with the short name inserted
before the long name. If no short name is present, blanks are
displayed in its place.
/4          Displays four-digit years

Switches may be preset in the DIRCMD environment variable.  Override
preset switches by prefixing any switch with - (hyphen)--for example, /-W.

If you'd prefer a graphical user interface, Karen's Directory Printer v5.3.0 might be what you're looking for. It has a lot more options than what the DIR command allows, and an easier interface to follow. The only downside seems to be that it can't quite be implemented into scripts so easily. The source code is provided though, so perhaps any other VB6 programmer could integrate that feature.

Download Karen's Directory Printer.

Here's the full list out from the help page (accesschk.exe /?).

usage: accesschk [-s][-e][-u][-r][-w][-n][-v][[-a]|[-k]|[-p [-f] [-t]][-o [-t <object type>]][-c]|[-d]] [username] <file, directory, registry key, process, service, object>
-a     Name is a Windows account right. Specify a username and '*' as the
name to show all rights assigned to a user
-c     Name is a Windows Service e.g. ssdpsrv. Specify '*' as the
name to show all services and 'scmanager' to check the security
of the Service Control Manager
-d     Only process directories or top level key
-e     Only show explicitly set Integrity Levels (Windows Vista only)
-f     Show full process token information including groups and privileges
-k     Name is a Registry key e.g. hklm\software
-n     Show only objects that have no access
-o     Name is an object in the Object Manager namespace (default is root).
Add -t and an object type (e.g. section) to see only objects of a
spefic type
-p     Name is a process name or PID e.g. cmd.exe (specify '*' as the
name to show all processes). Add -f to show full process
token information including groups and privileges. Add -t to show
threads
-q     Omit banner
-r     Show only objects that have read access
-s     Recurse
-t     Object type filter e.g. "section"
-u     Suppress errors
-v     Verbose (includes Windows Vista Integrity Level)
-w     Show only objects that have write access

If you specify a user or group name and path AccessChk will report the
effective permissions for that account; otherwise it will show the effective
access for accounts referenced in the security descriptor.

By default the path name is interpreted as a file system path (use the
"\pipe\" prefix to specify a named pipe path). For each object AccessChk
prints R if the account has read access, W for write access and nothing if
it has neither. The -v switch has AccessChk dump the specific
accesses granted to an account.

With a simple command like the following, I can confirm who has 'write' ability to a specific directory.

accesschk.exe -w -d "c:\program files"

Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\Program Files
RW BUILTIN\Users
RW BUILTIN\Power Users
RW BUILTIN\Administrators
RW NT AUTHORITY\SYSTEM

Download and discover more about AccessChk from SysInternals.

Actually, I was thinking to use it as my main storage for my datas. I thought that because I'm working partly on plant, and partly in the office, I need something I can carry so I can work anywhere. And at the time, I lend my laptop to my sister. So I thought that an external harddisk would be sufficient for me.

So I copied all of my files to it, and I reformated my PC's harddisk to install Ubuntu Hardy Heron. I forgot to copy my datas back to my PC, and long time after that: today, the partition in which I stored my most important data is broken. "A disaster brother... Disaster... "

At first, I thought it was only filesystem corruption or bad sectors so that I could fix it with e2fs tools and badblock. But I was wrong. It seems that the disk is broken physically. The kernel sends "Buffer I/O error on device /dev/sd5, logical block x" messages.

Now I'm waiting for miracle for my harddisk...

The moral of the story is: Backup is backup. The external harddisk is designed to be a backup media, not to be used as main data storage. I was using it as my main data storage, so when it breaks... my heart breaks!