Thursday, September 4, 2008

Install the Active Directory Schema snap-in

To install the Active Directory Schema snap-in

  1. Open Command Prompt.
  2. Type:
    regsvr32 schmmgmt.dll
    This command will register Schmmgmt.dll on your computer. For more information about using regsvr32, see Related Topics.
  3. Click Start, click Run, type mmc /a, and then click OK.
  4. On the File menu, click Add/Remove Snap-in, and then click Add.
  5. Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.
  6. To save this console, on the File menu, click Save.
  7. In Save in, point to the systemroot\system32 directory.
  8. In File name, type schmmgmt.msc, and then click Save.
  9. To create a shortcut on your Start menu:
    • Right-click Start, click Open All Users, double-click the programs folder, and then double-click the Administrative Tools folder.
    • On the File menu, point to New, and then click Shortcut.
    • In the Create Shortcut Wizard, in Type the location of the item, type schmmgmt.msc, and then click Next.
    • On the Select a Title for the program page, in Type a name for this shortcut, type Active Directory Schema, and then click Finish.

Caution

Modifying the schema is an advanced operation best performed by experienced programmers and system administrators.

Thursday, June 26, 2008

Create a Vista password reset disk using a USB flash drive

If you were an early adopter of USB flash drives, you may still have a 128 MB or a 256 MB USB flash drive in the back of your desk drawer. Even though the dusty drive may seem too small to be of any real use, you can put it back to work as a password reset disk for Windows Vista.

In this edition of the Windows Vista Report, I’ll show you how to create and use a password reset disk in Vista using a USB flash drive rather than a floppy disk.

The USB flash drive

First, let’s take a moment to talk about the USB flash drive. The reason that I’m spotlighting your old small-capacity USB flash drive is that it is really too small to be of much use in today’s world, because portable storage needs now reach into the GB range. However, that’s not to say that you couldn’t use a 1 GB USB flash drive for a password reset disk. Some might consider that to be a waste of disk space because the password reset file only weighs in at 2 KB, but flash drives are inexpensive: you can pick up a 1 GB USB flash drive for under $20 or a 128 MB USB flash drive for under $5.

Creating a password reset disk

Follow these steps to create a password reset disk:

1. Insert your USB flash drive and wait for it to initialize and receive a drive letter.

2. Once the drive is ready to use, click the Start button and type User Accounts in the Start Search box.

3. Press [Enter] or click User Accounts in the Results panel. Either way, you’ll see the User Accounts dialog box. You will need to locate and click Create A Password Reset Disk in the Tasks panel (Figure A).

Figure A: When the User Accounts dialog box appears, click Create A Password Reset Disk in the Tasks panel.

4. When you see the Forgotten Password Wizard’s Welcome screen, take a look at the information and click Next.

5. On the next screen, you’ll receive a prompt to choose your USB flash drive’s drive letter (Figure B). To continue, click Next.

Figure B: Choose the drive letter assigned to your USB flash drive.

6. On the next screen, type your Current User Account Password (Figure C) and then click Next.

Figure C: When prompted, type your current user account password and click Next.

7. You’ll see a rapidly moving progress bar. Once it reaches 100 percent, click Next, and you will see the last screen in the Forgotten Password Wizard. To complete the operation, click Finish.

8. Click the Safely Remove Hardware icon, choose your USB flash drive’s drive letter, and remove the drive when prompted to do so.

9. Label the drive and put it away in a safe place.

While you may be tempted to label the drive Password Reset, remember that anyone who happens upon this drive can use it to bypass your password and break into your computer. Try a label that will help you recognize the drive but that isn’t so obvious.

Using a password reset disk

If you type an incorrect password in Vista, The User Name Or Password Is Incorrect error message will appear on the login screen (Figure D). Click OK.

Figure D: At this point, the only thing you can do is click OK.

Follow these steps:

1. Return to the login screen, where you will reset your password below the Password box (Figure E).

Figure E: To launch the Password Reset Wizard, click the Reset Password message.

2. Insert your USB flash drive and wait for it to initialize and receive a drive letter.

3. To launch the Password Reset Wizard, click Reset Password.

4. When you see the Password Reset Wizard’s Welcome screen, take a look at the information and click Next.

5. Choose your USB flash drive’s drive letter (Figure F) on the next screen and click Next.

Figure F: Choose the drive letter assigned to your USB flash drive.

6. The Password Reset Wizard will open the saved file, read your saved password, and perform a few operations in the background.

7. The wizard will then prompt you to create and confirm a new password. You’ll also have to create a new password hint (Figure G).

Figure G: Create a new password, confirm it, and create a new hint.

8. Clicking Next will take you to the Success screen. Click Finish to complete the operation.

You can now use the new password to log on to your Vista system.

Reset user passwords with Windows Server 2003’s DSMod command-line tool

Windows Server 2003 features a command-line tool for modifying the properties of Active Directory (AD) objects called DSMod.exe. This is most useful for quick user password resets and other similar tasks. The GUI interface does the same thing, but being able to change these items from the command line opens up a host of options.


Say a user forgets the password for his Windows account. You can reset his password to a given default and set the password to require a change at the next logon. Follow these steps:

1. Open a command prompt on a Windows Server 2003 machine by entering cmd.exe in the Run box.

2. To reset a user’s password to the default of password, enter the following:
Dsmod user <UserDN> -pwd password -mustchpwd yes

<UserDN> specifies the user account by distinguished name, for example: CN=Jim Jones, OU=Windows Updates, DC=Microsoft, DC=com. Enclose the distinguished name in quotation marks if it contains spaces.

This tells DSMod to set the password for the user object referenced by the distinguished name to password, and to set the User Must Change Password At Next Logon value to True. This will require the user to select a new password when he logs on. When the command succeeds, a message will display on the command line that lets you know the modification was successful. This process is much faster than sifting through the AD Users And Computers snap-in to find the user.

Bonus tip: For a list of attributes and other items associated with DSMod, enter DSMod.exe /? in the Run box.

If you do not know a user’s distinguished name, you can look it up using two commands: DSQuery and DSGet. Enter the following command on one line to get the user’s distinguished name:

DSQuery user -name Derek | DSGet user -distinguishedname

Tuesday, June 17, 2008

How to Enable Tools - Folder Options and Registry Editor in Windows

If you find that in Windows “Tools -> Folder Options” is not visible and you can’t access it from the Control Panel either, or if you can’t access Registry Editor in Windows, follow this tutorial to fix the problem:

1.) You can enable Folder Options by simply editing the Windows Registry. Just type regedit in the RUN dialog box to open Registry Editor, then go to the following keys:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


In the right-side pane, check whether a DWORD value named NoFolderOptions exists. If it exists, either change its value to 0 or delete it.

2.) If you are not familiar with Editing the registry, then you can simply download following file, extract it and then run the .REG file


Download


3.) If it's not a virus problem and someone disabled Registry Editor in your system, then you can enable it again by using either of the following methods:

a.) Type gpedit.msc in the RUN dialog box and go to:

User Configuration - Administrative Templates - System

in right-side pane, set “Prevent access to Registry editing tools” to either Not Configured or Disabled.

b.) Just type the following in the RUN dialog box and press Enter:

REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f

Now after enabling Registry Editor, you can enable Folder Options again by using 1st or 2nd step.

Accessing banned sites (Orkut).

If you are in office or school or university campus where Orkut is blocked, either by the office administrator or by your organization then you can access it easily without any hassles. This can also be tried by users living in countries where Orkut is blocked by their ISP. There are 2 sites that can help:

Just go to http://www.robtex.com/dns/kproxy.com.html, the best site for proxies.

1. Go to www.mathtunnel.com and type in the name of any site you want to access. This works for Orkut and other blocked sites too.

2. There is one more site, www.gravitywars.com. This is very good as it is updated regularly.

Even though blocked sites can be accessed through proxy servers, as I discussed in my earlier post, I have noticed that the proxy server sites themselves are blocked at various places.

How to Remove Windows XP's Messenger..?


Theoretically, you can get rid of it (as well as a few other things). Windows 2000/XP power users should already be familiar with this tweak.

Fire up the Windows Explorer and navigate your way to the %SYSTEMROOT% \ INF folder. What the heck is that thingy with the percentage signs? It's a variable. For most people, %SYSTEMROOT% is C:\Windows. For others, it may be E:\WinXP. Get it? Okay, on with the hack! In the INF folder, open sysoc.inf (but not before making a BACKUP copy first). Before your eyes glaze over, look for the line containing "msmsgs" in it. Near the end of that particular line, you'll notice that the word "hide" is not so hidden. Go ahead and delete "hide" (so that the flanking commas are left sitting next to one another). Save the file and close it. Now, open the Add and Remove Programs applet in the Control Panel. Click the Add / Remove Windows Components icon. You should see "Windows Messenger" in that list. Remove the checkmark from its box, and you should be set. NOTE: there are other hidden system components in that sysoc.inf file, too. Remove "hide" and the subsequent programs at your own risk.

Control Panel Restrictions..


There are many general restrictions you can make to the Control Panel

  1. Start Regedit
  2. Go to HKEY_Current_User / Software / Microsoft / Windows / CurrentVersion / Policies
  3. Create a new key under Policies called System
  4. You can then add DWORD values set to 1 in the appropriate keys
  5. To re-enable them, either delete the key or set the value to 0

Windows XP shortcuts on your keyboard...


Keyboard shortcuts are a great way to keep things moving when you're using your computer, and they let you perform tasks without lifting your hands from the keyboard. These are some of the basics that you should know--at least if you want to cut down on the number of times you reach for the mouse every day.

  1. Ctrl+Alt+Del is the mother of all keyboard shortcuts, affectionately known as the "three-fingered salute," since it's so useful when your Windows box locks up. Pressing the combo once (simultaneously) opens the Windows Task Manager. (From within the Task Manager, you can force-quit a crashed program, see a list of processes or applications running on your machine, check performance parameters such as how hard your CPU is working, or track your network usage.) Is your machine totally locked up? Reach over, grab the mouse and click Shut Down.

  2. Ctrl+S saves the file you're working on. Ever lost your homework, a spreadsheet at work, or some video you've been editing? Hit Ctrl+S (simultaneously) to save. Hit it early and often! (Want to open a file from within the program you're running? Ctrl+O universally opens the File/Open window.)

  3. Ctrl+C copies text, files, or icons that you've highlighted, Ctrl+V pastes them where you point your mouse (hey, you can't completely eliminate using it), and Ctrl+X cuts whatever you've highlighted out of the document (or folder, photo, movie clip, or whatever it is you're working on). Ctrl+A highlights the entire file you're working on or everything in a folder or on your desktop.

  4. Alt+Tab lets you switch on the fly between all of your open windows. Press the combination once to switch to your last open window or multiple times to switch to any other open window. Holding down Alt+Tab will bring up a system window that shows you what apps are running and which one you're switching to.

  5. Ever wonder why almost every Windows program has the F in File underlined, not to mention the E in Edit, and so on and so forth across the top of the window? Hit Alt+that letter to open that particular menu; you can either use the arrow keys to move around within that window, or keep your eyes peeled for more underlined letters to use more Alt key combinations.

  6. The Windows key (the one that looks like the Windows logo, or a flag)+R opens the Run dialog. From here, you can launch a command-line window by typing cmd, but you can do a lot more. You can, for example, paste in a folder path, such as C:\Documents and Settings\[username]\My Documents\Expenses, and Windows will open it automatically. You can also use the Run dialog to open Microsoft applications such as Word, Excel, or Notepad. Just type winword to launch Word, type excel to launch Excel, and notepad to launch Notepad.

  7. Windows+E launches Windows Explorer, defaulting to My Computer.

  8. F2 renames a selected file or folder. (This is so much easier than right-clicking!)

  9. F3 launches Search if you're on the desktop or in a folder.

  10. Windows+M minimizes all open windows, and Windows+D shows your desktop. (These results look similar, but they're slightly different; Windows+M minimizes all windows that support the command, while Windows+D actually raises the desktop to the top.) This is a great one for when the boss pops up in your cubicle. Once the boss is gone, hit Shift+Windows+M to bring up your minimized windows, or Windows+D to drop your desktop back down again.

Disabling Drives in My Computer


To turn off the display of local or networked drives when you click on My Computer:

  1. Start Regedit
  2. Go to HKey_Current_User \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer
  3. Add a New DWORD item and name it NoDrives
  4. Give it a value of 3FFFFFF (hexadecimal)
  5. Now when you click on My Computer, none of your drives will show

Hiding All Icons from the Desktop


  1. Start Regedit
  2. Go to HKey_Current_User \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer
  3. Right click on the right panel and add a New / DWORD
  4. Name it NoDesktop
  5. Give it a value of 1
  6. Logoff or Reboot the computer
  7. Now all icons are hidden on the desktop.
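
The Explorer and System policy values covered above (NoFolderOptions, DisableRegistryTools, NoDrives, NoDesktop) can be checked in one pass from an exported copy of the registry. The following is an added example, not part of the original post: it parses registry export text, reports which of these values are set, decodes the NoDrives bitmask into drive letters, and builds the REG add command that resets each value to 0. The function names and the sample export are constructed for illustration, and the input is assumed to be export text already decoded to a string.

```python
import re

# Constructed sample in the text format written by Regedit's File > Export.
# The values are invented for this example. Real exports are usually UTF-16,
# so decode the file to str before passing it in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDrives"=dword:03ffffff
"NoDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

POLICIES = "software\\microsoft\\windows\\currentversion\\policies\\"
HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

# (subkey under Policies, value name) -> effect of a non-zero value,
# as described on this page.
WATCHED = {
    ("explorer", "nofolderoptions"): "Tools > Folder Options hidden",
    ("explorer", "nodesktop"): "all desktop icons hidden",
    ("explorer", "nodrives"): "drives hidden in My Computer",
    ("system", "disableregistrytools"): "Registry Editor disabled",
}

KEY_RE = re.compile(r"^\[(?P<hive>[^\\\]]+)\\(?P<path>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def parse_dwords(export_text):
    """Yield (hive, key_path, value_name, int_value) for every DWORD value."""
    hive = path = None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, path = m.group("hive"), m.group("path")
            continue
        m = DWORD_RE.match(line)
        if m and path is not None:
            yield hive, path, m.group("name"), int(m.group("hex"), 16)


def decode_nodrives(mask):
    """NoDrives is a bitmask: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]


def audit(export_text):
    """Return one finding per watched policy value that is set (non-zero)."""
    findings = []
    for hive, path, name, value in parse_dwords(export_text):
        low = path.lower()
        if not low.startswith(POLICIES):
            continue
        effect = WATCHED.get((low[len(POLICIES):], name.lower()))
        if effect is None or value == 0:
            continue  # not a watched value, or already cleared to 0
        finding = {
            "key": hive + "\\" + path,
            "value_name": name,
            "data": value,
            "effect": effect,
        }
        if name.lower() == "nodrives":
            finding["hidden_drives"] = decode_nodrives(value)
        # Same remedy the page gives: set the value back to 0.
        root = HIVE_ABBREV.get(hive, hive)
        finding["fix"] = 'reg add "%s\\%s" /v %s /t REG_DWORD /d 0 /f' % (
            root, path, name)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print("%s = 0x%X: %s" % (f["value_name"], f["data"], f["effect"]))
        if "hidden_drives" in f:
            print("  hidden drives: " + "".join(f["hidden_drives"]))
        print("  " + f["fix"])
```
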

Networking Restrictions


  1. Start Regedit
  2. Go to HKEY_Current_User / Software / Microsoft / Windows / CurrentVersion / Policies
  3. Create a new key under Policies called Network
  4. You can then add DWORD values set to 1 in the appropriate keys
  5. To re-enable them, either delete the key or set the value to 0

Restricting Logon Access

If you work in a multiuser computing environment, and you have full (administrator level) access to your computer, you might want to restrict unauthorized access to your "sensitive" files under Windows 95/98.
One way is to disable the Cancel button in the Logon dialog box.
Just run Regedit and go to:

HKEY_LOCAL_MACHINE/Network/Logon

Create the "Logon" subkey if it is not present on your machine: highlight the Network key -> right-click in the left hand Regedit pane -> select New -> Key -> name it "Logon" (no quotes) -> press Enter. Then add/modify a DWORD value and call it "MustBeValidated" (don't type the quotes). Double-click it, check the Decimal box and type 1 for value.
Now click the Start button -> Shut Down (Log off UserName) -> Log on as a different user, and you'll notice that the Logon Cancel button has been disabled.

Add a picture to a folder..

Microsoft Windows XP usually shows icons for folders like My Music and My Pictures. If a folder contains pictures, Windows XP displays random thumbnails from within the folder. You can replace these icons with custom pictures to make browsing your files more fun, and to make it easier for children to find and open files.

Note: Your picture is visible only when you're browsing folders with the Thumbnails view. To access the Thumbnails view, click Thumbnails on the View menu.

To add a picture to a folder

1. In Windows Explorer (the program that appears when you open folders such as My Computer, My Documents, My Pictures, or My Music), right-click the folder you want to add a picture to, and then click Properties.

2. In the Properties dialog box, click the Customize tab. If there is no Customize tab, you cannot add a picture to that folder. You can add pictures to other folders, however.

3. On the Customize tab, click Choose Picture.

4. In the Browse dialog box, click the picture you want to use, and then click Open.

5. Click OK.

When you view the folder using Thumbnails view, Windows displays a thumbnail of the picture you selected.

Change the picture on your Welcome screen..

By default, each user account in Microsoft Windows XP has a standard picture (such as a chess set, a dog, or an astronaut) associated with it. If you'd like to make the picture more personal, you can add your own image for each account. Changing pictures is fun, and it makes it easier for young children to use your computer.

To change the picture on the Welcome screen

1. Log on to your computer as an administrator.

2. Click Start, and then click Control Panel.

3. Under Pick a category, click User Accounts.

4. Under or pick an account to change, click the account you want to choose a picture for.

5. Under What do you want to change..., click Change the picture.

6. Click Browse for more pictures.

7. Click the picture you want to display for that account, and then click Open.

Windows XP displays the picture on the Welcome screen for the account you selected. To choose pictures for other accounts, return to step 3.

Backing Up the Registry..

There are many backup programs for the registry but if the computer goes down and you can't fire off Win95 because of the registry problem.

Backup to a directory the following files:

  • SYSTEM.DAT
  • SYSTEM.DA0 (Yes, these seem to be the same size)
  • USER.DAT
  • USER.DA0 (Same size likely)
  • WIN.INI
  • CONTROL.INI
  • SYSTEM.INI

These files can be copied to the windows directory from Win95 or DOS to help correct problems.

Setting the Recycle Bin to Always Delete..

You can set the recycle bin to always delete items (like holding down the shift key when dragging files to the recycle bin)

  1. Start Regedit
  2. Go to HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ BitBucket
  3. Set the value NukeOnDelete to 1

Add an item to the Send To menu..

When you right-click a file name or a thumbnail in Microsoft Windows XP, you see a shortcut menu for that file. One of the items on the menu is Send To, which enables you to quickly e-mail a file, copy it to your desktop, or copy it to a floppy disk.

Sometimes what you really want to do is to save a copy of the file to a specific folder on your computer. If you have a folder where you frequently place files, you can add that folder’s name to the list of locations on the Send To menu. This can save you the time of opening another Windows Explorer window and copying the file from one folder to another.


For example, you could create a My Pictures folder and then use the Send To menu to copy your best pictures to that folder.

To add a folder to the Send To menu

1. Click Start. Make note of your user name ("Administrator" in the example below) which is displayed at the top of the Start menu. Then, click My Computer.

2. In the My Computer window, click the Tools menu, and then click Folder Options.

3. Click the View tab. Under Hidden files and folders, click Show hidden files and folders, and then click OK.

4. In the My Computer window, double-click Local Disk (C:), double-click Documents and Settings, double-click your user name, and then double-click SendTo.

5. Click the File menu, click New, and then click Shortcut.

6. The Create Shortcut Wizard appears. Click the Browse button.

7. In the Browse For Folder dialog box, click the folder you want to add to your Send To menu, and then click OK.

8. Click Next.

9. Click Finish.

Now when you right-click a file and click Send To, the destination you selected will be an option on the Send To menu. You can create shortcuts to local or network programs, files, folders, computers, or Internet addresses.


Add your Photos in My Computer Properties..

To do this:

1. Open Notepad.

2. Type the following:

[General]

Manufacturer="ASHIF"

Model=Intel® Core™2 Duo

[Support Information]

Line1= 9961000310

Line2= Dhishna Calicut

.....

3. Save as "oeminfo.ini" in the System32 folder (without the quotes).

4. Create a BMP file (your photo) and save it in the System32 folder as "oemlogo.bmp" (without the quotes).

5. Now Check your My Computer Properties.



How To Set Up and Configure Remote Installation Services in Windows 2000

Description of Remote Installation Services

You can use Remote Installation Services (RIS) for Windows 2000 to install a local copy of the operating system to other computers from remote locations. You can start up your computer, contact a Dynamic Host Configuration Protocol (DHCP) server for an Internet Protocol (IP) address, and then contact a boot server to install the operating system.

RIS requires several other services. These services can be installed on individual servers, or all of these services can be installed on a single server. The type of installation depends upon your network design:
  • DNS server: RIS relies on DNS for locating the directory service and client computer accounts. You can use any Windows 2000 Active Directory service-compliant DNS server, or you can use the DNS server that is provided with Windows 2000 Server.
  • Dynamic Host Configuration Protocol (DHCP) server: RIS requires an active DHCP server on the network. The remote boot-enabled clients receive an IP address from the DHCP server before they contact RIS.
  • Active Directory: RIS relies on Windows 2000 Active Directory for locating existing clients as well as existing RIS servers. RIS must be installed on a Windows 2000-based server that has access to Active Directory, for example, a domain controller or a server that is a member of a domain with access to Active Directory.

Using RIS

To ensure a successful installation, you must install and configure the additional services previously described for RIS to function. Also, ensure that you have both the Windows 2000 Server and Windows 2000 Professional CD-ROMs available. The following steps are an overview of how to set up and configure the RIS process.

Installing RIS

1.On Windows 2000 Server, click Start, point to Settings, and then click Control Panel.
2.Double-click Add/Remove Programs.
3.Double-click Add/Remove Windows Components.
4.Scroll down and click Remote Installation Services, and then click Next.
5.Insert the Windows 2000 Server CD-ROM into the CD-ROM drive, and then click OK. The necessary files are copied to the server.

NOTE: After you insert the CD-ROM, a dialog box is displayed that prompts you to upgrade the operating system. Click No, and then close this screen.
6.Click Finish to end the wizard.
7.When you are prompted to restart your computer, click Yes.
8.When the server has restarted, log on to the computer as a local administrator.

Setting up RIS

1.Click Start, click Run, and then type: risetup.exe to start the Remote Installation Services Setup Wizard.
2.When the Welcome screen is displayed, which indicates some of the requirements to successfully install RIS, click Next.
3.The next screen prompts you to enter the server drive and folder where you want to install the RIS files. The default drive and folder are going to be on the largest NTFS-formatted drive that is neither a system nor a boot drive. In this example, this drive is: E:\RemoteInstall. Then, click Next.

NOTE: The drive on which you want to install RIS must be formatted with the NTFS file system. RIS requires a significant amount of disk space and cannot be installed on the same drive or partition on which Windows 2000 Server is installed. Ensure that the selected drive contains enough free disk space for at least 1 full Windows 2000 Professional CD-ROM. That CD-ROM must contain a minimum of 800 megabytes (MB) to 1 gigabyte (GB) of disk space.
4.The next screen enables you to configure client support. By default, the RIS server does not support clients until you have set up RIS and configured the server. If you want the server to begin supporting clients immediately after the setup of RIS, select the Respond to clients requesting service option. If you select this option, the server can respond to clients and provide them with operating system installation options. If you do not select this option, the RIS server does not respond to the clients that request service.
5.The Setup Wizard prompts you for the location of the Windows 2000 Professional installation files. RIS supports only the remote installation of Windows 2000 Professional. Insert the Windows 2000 Professional CD-ROM into the CD-ROM drive of the server, and then enter the drive letter that contains the CD-ROM or browse to a network share that contains the installation source files. Then, click Next.
6.The wizard prompts you to enter the folder name that contains the workstation files on the RIS server. This folder is created beneath the folder that is specified in the preceding step 3. The folder name must reflect its contents, for example, Win2000.pro. Click Next to accept the default name of Win2000.pro.
7.You are prompted for a "friendly" description and help text that describes this operating system image. For this example, click Next to accept the default name of Microsoft Windows 2000 Professional.
8.You are presented with a summary screen that indicates the choices that you have made. Click Finish to confirm your choices. When the installation wizard is complete, you can either service clients, or configure the RIS settings.
9.The wizard installs the service and settings that you have selected. This process takes several minutes. When this process is finished, click Done.
When RIS is successfully installed, you must authorize the RIS server in Active Directory. If you do not authorize the RIS server, it cannot service clients that request a network service boot. The next section outlines these steps.

Authorizing RIS in Active Directory

To authorize an RIS server in Active Directory, you must be logged on to your computer as an enterprise administrator or a domain administrator of the root domain. You can complete the following steps on any domain controller, member server of the domain, or a Windows 2000 Professional-based workstation that has installed the Administrator Tools Package that contains the DHCP Server Management snap-in. This section describes the authorization process on a domain controller:
1.Click Start, point to Programs, point to Administrative Tools, and then click DHCP to activate the DHCP snap-in.
2.Right-click DHCP in the upper-left corner of the DHCP screen, and then click Manage Authorized Servers. If your server is not already listed, click Authorize, and then enter the IP address of the RIS server. Click Yes when you are prompted to verify that the address is correct.

NOTE: If you authorize the RIS server on a computer that is not a domain controller, use the following steps to install the Administrator Tools Package: Click Start, click Run, and then type: adminpak.msi on a server network. From a Windows 2000 Professional-based computer, run the Adminpak.msi program from the Windows 2000 Server CD-ROM.

Setting the Required User Permissions

The permissions that are granted by using the following steps can enable users to create computer accounts anywhere in the domain:
1.Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2.Right-click the domain name that is listed at the top of the snap-in, and then select the Delegate Control option. After a wizard starts, click Next.
3.Click Add to add the users who are able to install their own computers by using Microsoft Windows 2000 Remote OS Installation.
4.Select the necessary users, click Add, and then click OK.
5.Click Next to continue.
6.Select the Join a Computer to the Domain option, and then click Next.
7.Click Finish. Users can create computer account objects during the operating system installation by using the RIS service.

NOTE: You can either use the default RIS settings and immediately begin servicing clients, or you can make changes to the RIS settings first.

Installing Clients By Using Remote Installation

This section describes the steps that are required to successfully install Windows 2000 Professional on a network computer, a managed computer, or a computer that contains a network adapter that is supported by the remote installation boot floppy disk:
1.Restart your client from either the remote floppy disk or the Pre-Boot Execution Environment (PXE) boot CD-ROM. When you are prompted, press the F12 key to start the download of the Client Installation Wizard.
2.At the Welcome screen, press ENTER.
3.For the username, enter a username from the domain. Enter the password and domain name, and then press ENTER to continue.
4.After you receive a warning message that all data on the client hard disk is going to be deleted, press ENTER to continue.
5.After a computer account and a global unique identification (ID) for this workstation are displayed, press ENTER to begin Setup. Windows 2000 Setup starts.
6.If you are prompted, type the product key (which is located on the back of the Windows 2000 Professional CD-ROM case), and then click Next.

NOTE: This step can be avoided by specifying the product key in the .sif file.

You have successfully configured and installed a remote operating system by using RIS. Refer to the following section for additional information about configuration options.

Prestaging

By prestaging the client, the administrator can define a specific computer name, and optionally, the RIS server that can service the client:
1.Locate the container in the Active Directory service in which you want your client accounts to be created.
2.Right-click the container, click New, and then click Computer. The New Object-Computer dialog box is displayed.
3.Enter the computer name and authorize domain-join permissions for the user or security group that contains the user who is going to use the computer that this computer account represents.
4.In the next dialog box, you are prompted for either the globally unique identifier (GUID) or universally unique identifier (UUID) of the computer itself and whether you intend to use this computer as a managed (Remote OS Installation-enabled) client. Enter either the GUID or UUID, and then click to select the This is a managed computer check box.
The GUID or UUID is a unique 32-character number that is supplied by the manufacturer of the computer, and is stored in the system basic input/output system (BIOS) of the computer. This number is written on the case of the computer, or on the outside of the box that the computer had been shipped in. If you cannot locate this number, run the system BIOS configuration utility. The GUID is stored as part of the system BIOS. Contact your OEM for a VBScript (created with Visual Basic Scripting Edition) that can be used to prestage newly purchased clients in Active Directory for use with Remote OS Installation.

The next screen prompts you to indicate the RIS server that this computer is serviced by. This option can be left blank to indicate that any available RIS server can answer and service this client. If you know the physical location of the specific RIS server and where this computer can be delivered, you can use this option to manually load clients in the RIS servers in your organization as well as segment the network traffic. For example, if a RIS server had been located on the fifth floor of your building, and you are delivering these computers to users on that floor, you can assign this computer to the RIS server on the fifth floor.

Wednesday, June 11, 2008

Understanding E-mail Spoofing

Spam and virus-laden e-mail can take a lot of the fun and utility out of electronic communications, but at least you can trust e-mail that comes from people you know – except when you can’t. A favorite technique of spammers and other “bad guys” is to “spoof” their return e-mail addresses, making it look as if the mail came from someone else. In effect, this is a form of identity theft, as the sender pretends to be someone else in order to persuade the recipient to do something (from simply opening the message to sending money or revealing personal information). In this article, we look at how e-mail spoofing works and what can be done about it, examining such solutions as the Sender Policy Framework (SPF) and Microsoft’s Sender ID, which is based on it.


The Problem

If you receive a snail mail letter, you look to the return address in the top left corner as an indicator of where it originated. However, the sender could write any name and address there; you have no assurance that the letter really is from that person and address. E-mail messages contain return addresses, too – but they can likewise be deliberately misleading, or “spoofed.” Senders do this for various reasons, including:

  • The e-mail is spam and the sender doesn’t want to be subjected to anti-spam laws
  • The e-mail constitutes a violation of some other law (for example, it is threatening or harassing)
  • The e-mail contains a virus or Trojan and the sender believes you are more likely to open it if it appears to be from someone you know
  • The e-mail requests information that you might be willing to give to the person the sender is pretending to be (for example, a sender might pose as your company’s system administrator and ask for your network password), as part of a “social engineering” attack
  • The sender is attempting to cause trouble for someone by pretending to be that person (for example, to make it look as though a political rival or personal enemy said something he/she didn’t in an e-mail message)

Note:
“Phishing” – the practice of attempting to obtain users’ credit card or online banking information – often incorporates e-mail spoofing. For example, a “phisher” may send e-mail that looks as if it comes from the bank’s or credit card company’s administrative department, asking the user to log onto a Web page (which purports to be the bank’s or credit card company’s site but really is set up by the “phisher”) and enter passwords, account numbers, and other personal information.

Whatever the motivation, the objective of spoofed mail is to hide the real identity of the sender. This can be done because the Simple Mail Transfer Protocol (SMTP) does not require authentication (unlike some other, more secure protocols). A sender can use a fictitious return address or a valid address that belongs to someone else.

Receiving mail from spoofed addresses ranges from annoying to dangerous (if you’re taken in by a “phisher”). Having your own address spoofed can be even worse. If a spammer uses your address as the return address, you may suddenly find yourself inundated with angry complaints from recipients or even have your address added to “spammer” lists that result in your mail being banned from many servers.

How Spoofing Works

In its simplest (and most easily detected) form, e-mail spoofing involves simply setting the display name or “from” field of outgoing messages to show a name or address other than the actual one from which the message is sent. Most POP e-mail clients allow you to change the text displayed in this field to whatever you want. For example, when you set up a mail account in Outlook Express, you are asked to enter a display name, which can be anything you want, as shown in Figure 1.


Fig 1: Setting the display name in your e-mail client

The name you set will be displayed in the recipient’s mail program as the person from whom the mail was sent. Likewise, you can type anything you like in the field on the following page that asks for your e-mail address. These fields are separate from the field where you enter your account name assigned to you by your ISP. Figure 2 shows what the recipient sees in the “From” field of an e-mail client such as Outlook.


Fig 2: The recipient sees whatever information you entered

When this simplistic method is used, you can tell where the mail originated (for example, that it did not come from thewhitehouse.com) by checking the actual mail headers. Many e-mail clients don’t show these by default. In Outlook, open the message and then click View | Options to see the headers, as shown in Figure 3.


Fig 3: Viewing the e-mail headers

In this example, you can see that the message actually originated from a computer named XDREAM and was sent from the mail.augustmail.com SMTP server.

Unfortunately, even the headers don’t always tell you the truth about where the message came from. Spammers and other spoofers often use open relays to send their bogus or malicious messages. An open relay is an SMTP server that is not correctly configured and so allows third parties to send e-mail through it that is neither from nor to a local user. In that case, the “Received from” field in the header only points you to the SMTP server that was victimized.

Note:
For more information about open relays, see http://www.menandmice.com/9000/9221_mail_relay.html.
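The header check described above, as an added example that is not part of the original article: it parses a constructed message, walks the Received chain oldest-first, and reports whether the domain claimed in From appears anywhere in the delivery path. The host names XDREAM, mail.augustmail.com and thewhitehouse.com follow the article's example; the IP addresses, recipient domain, dates and function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: host names follow the article's example, the
# addresses, recipient domain and dates are made up for illustration.
RAW = """\
Received: from mail.augustmail.com (mail.augustmail.com [198.51.100.25])
\tby mx.recipient.example; Wed, 11 Jun 2008 10:00:05 -0500
Received: from XDREAM ([192.0.2.44])
\tby mail.augustmail.com; Wed, 11 Jun 2008 10:00:01 -0500
From: "The President" <president@thewhitehouse.com>
To: user@recipient.example
Subject: Important

Hello
"""

# "from <sending host> ... by <receiving server>" inside one Received value.
HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+([^\s;]+)", re.S | re.I)

def received_chain(msg):
    """Return hops oldest-first as (sending_host, receiving_server)."""
    hops = []
    # Each server prepends its own Received line, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2).lower()))
    return hops

def org_domain(host):
    """Last two labels only (simplification; real code needs the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_headers(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hops = received_chain(msg)
    path_domains = {org_domain(h) for hop in hops for h in hop}
    return {
        "display_name": display,
        "from_domain": from_domain,
        "origin_host": hops[0][0] if hops else None,   # machine that submitted the mail
        "first_relay": hops[0][1] if hops else None,   # first SMTP server that accepted it
        # A hint only: mail sent through a third-party provider also yields False,
        # and an open relay makes the path point at the victimized server.
        "from_domain_in_path": org_domain(from_domain) in path_domains,
    }

if __name__ == "__main__":
    for key, value in inspect_headers(RAW).items():
        print(f"{key}: {value}")
```

A False value for from_domain_in_path is a reason to look closer, not proof of spoofing, for the reasons given in the paragraph on open relays.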


There Ought to be a Law

In fact, several U.S. states do have laws against e-mail spoofing. Many state anti-spam laws, such as those of Washington, Maryland and Illinois, specifically prohibit using third party mail servers or a third party’s domain name without the permission of the third party. The federal CAN-SPAM Act also makes it illegal to send unsolicited e-mail with false or misleading headers or deceptive subject lines.

The problem with such legislation is that by its very nature, spoofing conceals the identity of the sender and thus makes it difficult to sue or prosecute. Nonetheless, it’s a good idea to report deceptive e-mail to the Federal Trade Commission, which has a special e-mail account set up for that purpose at uce@ftc.gov. You can also go to the Commission’s Web site at http://www.ftc.gov/bcp/conline/edcams/spam/ and click the “File a Complaint” link.

Technological Solutions

Although legislation may help to deter some spoofing, most agree that it is a technological problem that requires a technological solution. One way to control spoofing is to use a mechanism that will authenticate or verify the origins of each e-mail message.

The Sender Policy Framework (SPF) is an emerging standard by which the owners of domains identify their outgoing mail servers in DNS, and then SMTP servers can check the addresses in the mail headers against that information to determine whether a message contains a spoofed address.

The downside is that mail system administrators have to take specific action to publish SPF records for their domains. Users need to implement Simple Authentication and Security Layer (SASL) SMTP for sending mail. Once this is accomplished, administrators can set their domains so that unauthenticated mail sent from them will fail, and the domain’s name can’t be forged.

Note:
For more information about SPF, see http://spf.pobox.com. The specifications for SASL are available in RFC 2222 at http://www.ietf.org/rfc/rfc2222.txt.
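How a receiving server applies a published SPF record to the connecting address, as an added example that is not part of the original article. The domain passed in stands for the one taken from the envelope sender (the RFC 2821 “mailfrom” discussed below); the records, domains and function name are constructed, DNS is replaced by an in-memory table, and only the ip4, ip6, include and all mechanisms are covered.

```python
import ipaddress

# Constructed TXT records standing in for DNS (assumption: no live lookups).
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.16/28 ip6:2001:db8::/32 ~all",
}

# Qualifier in front of a mechanism -> result when that mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate the SPF record published for `domain` against sender address `ip`."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = zone.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"                    # the domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # terms are evaluated left to right
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term[1:] if term[0] in RESULT else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":                # matches every address
            return RESULT[qualifier]
        elif name in ("ip4", "ip6"):     # an IPv4 address never matches an IPv6 network
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif name == "include":          # matches only if the other record says pass
            inner = check_host(ip, arg, zone, depth + 1)
            if inner == "pass":
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            raise ValueError(f"mechanism not covered by this example: {term}")
    return "neutral"                     # no mechanism matched

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.20", "2001:db8::1", "203.0.113.9"):
        print(ip, check_host(ip, "example.org"))
```

The `-all` at the end of the first record is what makes mail from any unlisted server fail; a domain that ends its record with `~all` only asks receivers to treat such mail as suspicious.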

Microsoft and others in the industry are working on the Sender ID Framework, which is based on SPF and is under review by the Internet Engineering Task Force (IETF). The technology has been the source of some controversy. AOL recently withdrew its support for Sender ID and went back to SPF, and the Apache Software Foundation announced in September that they were rejecting Sender ID. Most of the controversy is due to patent and licensing issues, but there are some technical differences in the two mechanisms: Sender ID uses RFC 2822 specifications for checking header information in e-mail messages, while SPF uses those of RFC 2821 (“mailfrom” verification).

Note:
You can read more about the Sender ID Framework here: http://www.microsoft.com/mscorp/twc/privacy/spam_senderid.mspx

Other technological solutions, such as digitally signed e-mail, with either desktop or gateway verification, have been proposed by such bodies as the Anti-Phishing Working Group (www.antiphishing.org).

Whichever mechanism becomes the standard, introducing a technological solution is a step in the right direction that will allow you to know who is sending mail to you, just as the telephone company’s Caller ID allows you to know who is calling.

Configure a VPN with XP




If you want to configure a VPN connection from a Windows XP client computer, you only need what comes with the operating system itself; it's all built right in. To set up a connection to a VPN, do the following:

  1. On the computer that is running Windows XP, confirm that the connection to the Internet is correctly configured.
     • You can try to browse the Internet
     • Ping a known host on the Internet, like yahoo.com, something that isn’t blocking ICMP
  2. Click Start, and then click Control Panel.
  3. In Control Panel, double-click Network Connections.
  4. Click Create a new connection in the Network Tasks task pad.
  5. In the Network Connection Wizard, click Next.
  6. Click Connect to the network at my workplace, and then click Next.
  7. Click Virtual Private Network connection, and then click Next.
  8. If you are prompted, you need to select whether you will use a dialup connection or if you have a dedicated connection to the Internet via Cable, DSL, T1, Satellite, etc. Click Next.
  9. Type a host name, IP or any other description you would like to appear in the Network Connections area. You can change this later if you want. Click Next.
  10. Type the host name or the Internet Protocol (IP) address of the computer that you want to connect to, and then click Next.
  11. You may be asked if you want to use a Smart Card or not.
  12. You are just about done; the rest of the screens just verify your connection. Click Next.
  13. Click to select the Add a shortcut to this connection to my desktop check box if you want one; if not, leave it unchecked and click Finish.
  14. You are now done making your connection, but by default, it may try to connect. You can try the connection now if you know it's valid; if not, just close it down for now.
  15. In the Network Connections window, right-click the new connection and select Properties. Let’s take a look at how you can customize this connection before it’s used.
  16. The first tab you will see is the General tab. This only covers the name of the connection, which you can also rename from the Network Connections dialog box by right-clicking the connection and selecting Rename. You can also configure a First connect, which means that Windows can connect to the public network (like the Internet) before starting to attempt the ‘VPN’ connection. This is where a dialup connection you configured earlier comes in: it is the first thing that has to be connected. It's simple: you have to be connected to the Internet first before you can encrypt and send data over it. This setting makes sure that this is a reality for you.
  17. The next tab is the Options tab, which has a lot you can configure. For one, you have the option to connect to a Windows domain; if you select this check box (unchecked by default), your VPN client will request Windows logon domain information while starting up the VPN connection. You also have options here for redialing. Redial attempts are configured here if you are using a dialup connection to get to the Internet. It is very handy to redial if the line is dropped, as dropped lines are very common.
  18. The next tab is the Security tab. This is where you would configure basic security for the VPN client. This is where you would set any advanced IPSec configurations and other security protocols, as well as requiring encryption and credentials.
  19. The next tab is the Networking tab. This is where you can select what networking items are used by this VPN connection.
  20. The last tab is the Advanced tab. This is where you can configure options for a firewall and/or sharing.

Connecting to Corporate

Now that you have your XP VPN client all set up and ready, the next step is to attempt a connection to the Remote Access or VPN server set up at the corporate office. To use the connection follow these simple steps. To open the client again, go back to the Network Connections dialog box.

  1. Once you are in the Network Connections dialog box, double-click the connection, or right-click it and select ‘Connect’ from the menu – this will initiate the connection to the corporate office.
  2. Type your user name and password, and then click Connect. Properties brings you back to what we just discussed in this article: all the global settings for the VPN client you are using.
  3. To disconnect from a VPN connection, right-click the icon for the connection, and then click “Disconnect”.

Configure Windows XP Professional to be a VPN server

Find out how to configure a Windows XP Professional computer to accept incoming VPN connections.

For the Small Office/Home Office (SOHO), Windows XP Professional VPN features are a real boon.


Traveling users with laptops or handheld computers will inevitably want files on the home network; you just can't bring everything with you. This is where the beauty of the Windows XP Professional computer connected to an always-on connection, such as DSL or cable modem, shines. That always-on link can be used to accept incoming VPN connections and allow your mobile users to access shared folders and files on your private network.

In this article, I’ll explain how to configure a Windows XP Professional computer to accept incoming VPN connections and discuss some tips on improving the remote access experience for the VPN client computer user.

Windows XP’s all-in-one VPN solution
Windows XP Professional is designed as the one-stop solution for the SOHO, taking all the usability features available to Windows Me users and adding the powerful networking features available in Windows 2000. The combination lets you create the ideal remote access solution for the SOHO.

The Windows XP Professional remote access server capabilities are very similar to those available in Windows 2000 Professional. A Windows XP computer can accept a single incoming connection on each interface that can accept a connection. For example, a Windows XP machine can accept incoming connections on each of the following interfaces:

  • Dial-up modem serial interface
  • Infrared interface
  • Parallel port interface
  • VPN interface

    While it’s unlikely, a Windows XP Professional machine with the above configuration could conceivably accept up to four simultaneous RAS connections. However, the typical configuration consists of a single RAS client connection, either through a dial-up modem interface or a VPN interface.

    Create an incoming connection with the New Connection Wizard
    Like Windows 2000 Professional, Windows XP Professional includes a New Connection Wizard. I’ll show you how to use the New Connection Wizard to create the new VPN server interface. In this example, I’ll assume the Windows XP Professional machine is not a member of a Windows NT 4.0 or Windows 2000 domain. The machine has two network interface cards; one is directly connected to the Internet, and the other is connected to the internal LAN. In addition, the external interface of the machine is configured for Internet Connection Sharing (ICS). While ICS changes the IP address of the LAN interface of the ICS computer to 192.168.0.1/16, it's easy to change the IP address to one that fits the existing network environment. The IP address of the LAN interface of the ICS computer was changed to 10.0.0.1/24 to fit the preexisting network configuration.

    How to create the VPN server interface, step-by-step

    1. Click Start | Control Panel.
    2. In the Control Panel, open the Network Connections applet.
    3. In the Network Connections window (see Figure A), open the New Connection Wizard.

    Figure A

    The Network Connections window

    4. On the Welcome To The New Connection Wizard page, click Next.
    5. On the Network Connection Type page (see Figure B), select the Set Up An Advanced Connection option.

    Figure B

    6. On the Advanced Connection Options page (see Figure C), select the Accept Incoming Connections option and click Next.

    Figure C

    Configuring XP to accept incoming connections

    7. On the Devices For Incoming Connections page (see Figure D), you can select optional devices on which you want to accept incoming connections.

    Figure D

    Note that you are not presented with any of the network interfaces on the computer.

    8. On the Incoming Virtual Private Network (VPN) Connection page (see Figure E), select the Allow Virtual Private Connections option and click Next.

    Figure E

    9. On the User Permissions page (see Figure F), select the users that are allowed to make incoming VPN connections. Click Next.

    Figure F

    Any user that isn’t selected won’t be able to initiate an incoming connection.

    10. On the Networking Software page (see Figure G), click on the Internet Protocol (TCP/IP) entry and click the Properties button.

    Figure G

    Configuring TCP/IP properties

    11. In the Incoming TCP/IP Properties dialog box (see Figure H), place a check mark in the Allow Callers To Access My Local Area Network check box. This will allow VPN callers to connect to other computers on the LAN. If this check box isn’t selected, VPN callers will only be able to connect to resources on the Windows XP VPN server itself. Click OK to return to the Networking Software page and then click Next.

    Figure H

    Granting LAN access to callers

    12. On the Completing The New Connection Wizard page, click Finish to create the connection.

    After the Incoming Connection is complete, right-click on the connection in the Network Connections window and select the Properties command (see Figure I).

    Figure I

    Accessing the properties of the VPN server link