For the enterprise sys admin by the enterprise sys admin
25
Jun
Microsoft have just published a website that allows you to search for a group policy setting. This is much easier than having to open an existing Group Policy Object to see what policy settings are available. URL is http://gps.cloudapp.net/
Tags: GPO, group policy, search
23
Jun
I’ve recently come across a nifty tool that will automate the installation of popular software. It automatically says No to toolbars, detects either 32 or 64 bit versions and generally saves you a heap of time. The application is called Ninite Easy PC Setup and is available here –> http://ninite.com/
It is similar to the Google Updater software but covers many more applications and saves a bunch of time.
Tags: install software, multiple applications, ninite, save time, tool
10
May
BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Windows 7 (and Vista and Server 2008). On my recent travels, I knew there would be times when I would need to leave my laptop unattended (like in a hotel or baggage dropoff area) and I wanted to ensure that my data would be safe if the laptop was stolen or lost.
The solution: use BitLocker Drive Encryption in conjunction with Windows 7 and a USB key. Put simply, if the USB key is not plugged into the laptop, Windows will not start and the entire drive is encrypted. This means that if I need to leave my laptop in a hotel, I can take the USB key with me and know that if my laptop is stolen, although highly inconvenient, my data will be safe and the thief cannot use my laptop.
So how do we do it?
First, ensure that you have either Enterprise or Ultimate versions of Windows 7 and a USB stick (any size will do, the BitLocker keys are very small files). You will also need a BIOS that supports USB devices during bootup – this will be common on any machine that is less than 4 or 5 years old. The USB stick that you use does not need to be dedicated to hosting the BitLocker keys, it can also be used for normal document storage or for ReadyBoost.
Next you need to open the Local Group Policy Editor (gpedit.msc). Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Open ‘Require additional authentication at startup’:
Set this to ‘Enabled’ and ensure the Options section has ‘Allow BitLocker without a compatible TPM’ ticked:
At this point I would recommend you run the ‘gpupdate /force’ command and restart your computer. Once restarted, ensure your USB stick is inserted into the computer, then head to ‘My Computer’. Right click on your system hard drive (usually C:) to encrypt and select ‘Turn on BitLocker’ (alternatively this can be done from the Control Panel):
Select ‘Require a Startup key at every startup’ as shown below:
Select the USB drive that you had previously inserted:
Select the ‘Save the recovery key to a USB flash drive’ option:
It is recommended to run the BitLocker system check on the next page. Your hard drive will now start to encrypt and you can continue working on the computer during this process. It may prompt you to restart and it will give you a progress bar as shown below. The encryption can take up to a few hours; it will depend on the size of the disk volume. As a rough guide, I would say a 30GB volume takes around 30 minutes.
Once the process is complete, as you can see below, if the USB stick is plugged in, the machine will start successfully. At this point you can remove the USB stick or leave it in and configure it for extra storage or with ReadyBoost as I do.
If you attempt to start the machine without the USB stick inserted, you will see the error message below and Windows will not load (just as you want!).

If you look at the new files on your USB stick, you will see 2 files as shown below. These are the ‘key’ files that the system will look for when booting up (actually one is the recovery file, the other is the actual key file). I would highly recommend that you copy these files to another location in case you lose your USB stick. These 2 files can simply be copied like any other files. I would recommend copying these to another USB stick (you can then boot up with either of the sticks plugged in) and saving a copy elsewhere, like your email, or giving one to a friend.
That is it! You can now be comfortable that your system will be encrypted and unusable if it is stolen. The important thing is to keep the USB sticks safe! Always store the USB stick and the laptop separately, otherwise this whole exercise is pointless!!
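To confirm the result of the steps above and make a verified backup of the key files, a check along these lines can be run from an elevated PowerShell prompt. It is an added example, not part of the original post; the drive letters E: and F:, English-language manage-bde output and the recovery file name pattern are assumptions.

```powershell
# Added example, not from the original post. Run elevated.
# Assumed: C: = encrypted OS drive, E: = original USB stick, F: = backup USB stick.
$osDrive = 'C:'; $usb = 'E:\'; $backup = 'F:\'

# 1. 'Require additional authentication at startup' is stored under this policy key.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1 -or $fve.EnableBDEWithNoTPM -ne 1) {
    Write-Warning 'Policy is not enabled with "Allow BitLocker without a compatible TPM".'
}

# 2. Check encryption state and protector types. The protector listing contains the
#    recovery password, so it is matched against but never written to the console.
$status     = (manage-bde -status $osDrive) -join "`n"
$protectors = (manage-bde -protectors -get $osDrive) -join "`n"
if ($status -notmatch 'Percentage Encrypted:\s+100') { Write-Warning 'Volume is not fully encrypted yet.' }
if ($status -notmatch 'Protection Status:\s+Protection On') { Write-Warning 'Protection is not on.' }
if ($protectors -notmatch 'External Key') { Write-Warning 'No startup key (External Key) protector.' }
if ($protectors -notmatch 'Numerical Password') { Write-Warning 'No recovery password protector.' }

# SHA-256 via .NET so this also works on the PowerShell 2.0 that ships with Windows 7.
function Get-Sha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { [BitConverter]::ToString($sha.ComputeHash($stream)) } finally { $stream.Dispose() }
}

# 3. Copy the key files to the second stick and verify each copy byte-for-byte.
#    -Force is needed because the .BEK startup key is a hidden system file.
$keys = @(Get-ChildItem $usb -Force | Where-Object {
    $_.Extension -eq '.BEK' -or $_.Name -like 'BitLocker Recovery Key*.txt'
})
if ($keys.Count -eq 0) { Write-Warning "No BitLocker key files found on $usb" }
foreach ($file in $keys) {
    $target = Join-Path $backup $file.Name
    Copy-Item $file.FullName $target -Force
    if ((Get-Sha256 $file.FullName) -eq (Get-Sha256 $target)) {
        Write-Host "Backed up and verified: $($file.Name)"
    } else {
        Write-Warning "Copy of $($file.Name) does not match the original."
    }
}
```

Anyone holding a copy of these files can unlock the drive, so each backup location needs the same care as the original stick.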
Tags: BitLocker, BitLocker encryption, BitLocker encryption USB, BitLocker encryption Windows 7, disk encryption, drive encryption, Encrypting disk via BitLocker on Windows 7 with a USB key, laptop stolen, TPM, usb, usb key, Windows 7, Windows 7 BitLocker
31
Mar
You’ll often need a quick way to get the names of users in a particular Active Directory group into a text or Excel file for reporting or other reasons. You can use dsquery to achieve this easily:
dsquery group -name "group name" | dsget group -members -expand | dsget user -fn -ln
Of course you can also change the ‘dsget user -fn -ln’ to display or remove attributes, eg ‘dsget user -samid’ will show the username. You can also pipe this into a text file.
Tags: ad group membership, dsget, dsquery, group, group membership, Query to show members of an AD group, samid, username
27
Mar
I’ve often used a very simple query to find if a processor is 64 bit capable. Open up a command prompt and enter the following:
wmic cpu get datawidth
It doesn’t matter which version of the Operating System you are running; this WMI query will return the actual hardware processor capability. If it returns a value of 64, this means that the hardware is 64-bit capable, so you can go ahead and load up a 64-bit version of the OS. If the value is returned as 32 then unfortunately your hardware is only 32-bit capable and you are stuck with the 32-bit version of the OS.
Tags: 32, 32 bit, 64, 64-bit, datawidth, processor, query, WMI, wmic
16
Mar
An oldie but a goodie – this came about again when creating Windows 7 WIM files for SCCM. It really does save a lot of time – otherwise you would need to deploy your image, make changes to the registry and then recapture. This process is much quicker! I use the DISM tool from the WAIK toolkit but you could also use imageX to mount the image.
Steps:
Mount the WIM
Open the Deployment Tools Command prompt and enter:
dism /mount-wim /wimfile:d:\temp\test.wim /index:1 /mountdir:c:\mount
Load the registry hive
From a command prompt enter:
reg load HKLM\test c:\mount\windows\system32\config\software
Result:
D:\>reg load HKLM\test c:\mount\windows\system32\config\software
The operation completed successfully.
Open regedit
You will then see the registry that is contained in the WIM file; in this case it is called test. Make your changes, then exit regedit.
Unload the registry hive
From a command prompt enter:
reg unload HKLM\test
Result:
D:\>reg unload HKLM\test
The operation completed successfully.
Unmount the image
Open the Deployment Tools Command prompt and enter:
dism /unmount-wim /mountdir:c:\mount /commit
Result:
D:\>dism /unmount-wim /mountdir:c:\mount /commit
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image File : d:\temp\test.wim
Image Index : 1
Saving image
[==========================100.0%==========================]
Unmounting image
[==========================100.0%==========================]
The operation completed successfully.
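The same procedure as a script that stops on the first failed step, always unloads the hive, and commits the image only if every step succeeded (otherwise it discards). This is an added example, not part of the original post; the ExampleCorp key and ImageVersion value are hypothetical stand-ins for the change you would make in regedit.

```powershell
# Added example, not from the original post. Run elevated, with powershell.exe started
# from the Deployment Tools Command prompt so that dism is on the PATH.
$wim = 'd:\temp\test.wim'; $mount = 'c:\mount'; $hive = 'HKLM\test'
$commit = $false

# Run a native command and turn a non-zero exit code into a terminating error.
function Invoke-Checked([string]$exe, [string[]]$arguments) {
    & $exe $arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$exe $($arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

Invoke-Checked dism @('/mount-wim', "/wimfile:$wim", '/index:1', "/mountdir:$mount")
try {
    Invoke-Checked reg @('load', $hive, "$mount\windows\system32\config\software")
    $edited = $false
    try {
        # Hypothetical change: replace with the value(s) your image needs.
        Invoke-Checked reg @('add', "$hive\ExampleCorp\Build", '/v', 'ImageVersion',
                             '/t', 'REG_SZ', '/d', '1.0', '/f')
        $edited = $true
    } finally {
        # Unload even when the edit failed; a hive left loaded blocks the unmount.
        Invoke-Checked reg @('unload', $hive)
    }
    # Only reached when the unload succeeded as well.
    $commit = $edited
} finally {
    if ($commit) {
        dism /unmount-wim "/mountdir:$mount" /commit
    } else {
        Write-Warning 'A step failed; discarding changes to the image.'
        dism /unmount-wim "/mountdir:$mount" /discard
    }
}
```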
Tags: dism, edit, Edit the registry inside a WIM file, imagex, reg, registry, SCCM, WIM