Maintaining a common user profile across different Windows versions

I wish I could take the credit for this, but I can’t: last week one of my colleagues (Brad Mallard) showed me a trick he has for creating a single user profile for multiple Microsoft operating systems. Michael Pietroforte wrote about the different user profile formats for Windows XP and Vista back in 2007 but Brad’s tip takes this a step further…

Using Group Policy Preferences, Brad suggests creating a system variable to record the operating system version for a given client computer (e.g. %osversion%) and assign it to the computer account. Then in Active Directory Users and Computers (ADUC/dsa.msc), set the user’s profile path to \\servername\sharename\%username%.%osversion%. ADUC will resolve the %username% portion but not the %osversion% part so what remains will be something like \\bigfileserver\userprofiles\mark.wilson.%osversion%.

Using this method, one user can hotdesk between several locations with different desktop operating systems (e.g. Windows XP and Windows 7). Each time they log on to a machine with a different operating system, a new profile will be created in a subfolder of their user name. Technically, that’s two profiles – but at least they are in one location for management purposes. Combine this with folder redirection for documents, IE favorites, etc. and it should be possible to present a consistent view between two operating system releases.

Mark Russinovich explains “the machine SID duplication myth”

One of my colleagues just flagged a blog post I’d been meaning to read when I have a little more time from Microsoft (ex-SysInternals) Technical Fellow Mark Russinovich in which he discusses “the machine SID duplication myth“. It seems that all of the effort we put into de-duplicating SIDs on Windows NT-based systems (NT, 2000, XP, 2003, Vista, 2008, 7 and 2008 R2) over the years was not really required…

To be honest, I don’t think anyone ever said it was required – just that having multiple machines with the same security identifier sounded like a problem waiting to happen and that generating unique SIDs was best practice.

The full post is worth a read but, in summary, the new best practice is:

“Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation as an option. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.”

As you were then…

So how, exactly, should a company license a hosted VDI solution with Windows?

Late last night, I got myself involved in a Twitter conversation with @stufox, who works for Microsoft in New Zealand. I’ve never met Stu – but I do follow him and generally find his tweets interesting; however, it seems that we don’t agree on Microsoft’s approach to licensing Windows for virtual desktop infrastructure.

It started off with an article by Paul Venezia about the perfect storm of bad news for VDI that Stu thought was unfairly critical of Microsoft (and I agree that it is in many ways). The real point that upset Stu is that the article refers to “Microsoft’s draconian licensing for Windows XP VDI” and I didn’t help things when I piled in and said that, “at least from a managed service perspective. Windows client licensing makes VDI prohibitively expensive“.

Twitter’s 140 character messages don’t help much when you get into an argument, so I said I’d respond on this blog today. Let me make one thing clear – I’m not getting into a flame war with Stu, nor am I going to disclose anything from our conversation that isn’t already on our Twitter streams, I just want to explain, publicly, what one of my colleagues has been struggling with and for which, so far at least, Microsoft has been unable to provide a satisfactory solution. Hopefully Stu, someone else at Microsoft, or someone else in the virtualisation world will have an answer – and we can all be happy:

Stu asked me if I thought Microsoft should give away Windows for free. Of course not, not for free (but then I remembered that, after all, that is what they do with Windows Server if I buy Datacenter Edition). I understand that Microsoft is in business to make money. I also understand that all of those copies of Windows used for VDI need to be licensed but there also needs to be a way to do it at a reasonable price (perhaps the price that OEMs would pay to deploy Windows on physical hardware).

Stu’s final (for now) public comment on the subject was that “Blaming VECD licensing for ruining VDI is like saying ‘I’d buy the Ferrari if the engine wasn’t so expensive’“. Sure, VDI is not a cheap option (so a supercar like a Ferrari is probably the right analogy). It requires a significant infrastructure investment and there are technical challenges to overcome (e.g. for multimedia support). In many cases, VDI may be more elegant and more manageable but it presents a higher risk and greater cost than a well-managed traditional desktop solution (many desktop deployments fail in the well-managed part of that). So, the real issue with VDI is not Windows licensing – but Windows Licensing is, nevertheless, one of the “engine” components that needs to be fixed before this metaphorical Ferrari becomes affordable. Particularly when organisations are used to running a fleet of mid-priced diesel saloons.

VDI is not a “silver bullet”. I believe that VDI is, and will continue to be, a niche technology (albeit a significant niche – in the way that thin client/server-based computing has been for the last decade). What I mean by this is that there will be a significant number of customers that deploy VDI, but there will be many more for whom it is not appropriate, regardless of the cost. For many, the traditional “thick” client, even on thinner hardware, and maybe even running virtualised on the desktop, will continue to be the norm for some time to come. But if Microsoft were to sort out their licensing model, then VDI might become a little more attractive for some of us. Let’s give Microsoft the benefit of the doubt here – maybe they are not sabotaging desktop virtualisation – but how, exactly, is a company supposed to license a hosted VDI solution with Windows?

Licensing does tend to follow technology and we’ve seen instances in the past where Microsoft’s virtualisation licensing policies have changed as a result of new technology that they have introduced. Perhaps when Windows Server 2008 R2 hits the streets and Remote Desktop Services provides a Microsoft product to act as a VDI broker, we’ll see some more sensible licensing policies for VDI with Windows…

Microsoft makes Storage Server 2008 (including the iSCSI software target) available to MSDN and TechNet subscribers

I was doing some work yesterday with the Microsoft iSCSI target software and noticed a post on Jose Barreto’s blog, indicating that Windows Storage Server 2008 is now available to TechNet and MSDN subscribers. Previously it was for OEMs only (or you could extract the iSCSI Target from an evaluation copy of Storage Server) but this will help out IT administrators looking to set up an iSCSI target using software only (alternatives are available, but they are not free – at least not the ones that support persistent reservations, which are needed for Windows Server 2008 failover clustering).

Now, if only I could get an add-on for my Netgear ReadyNAS Duo to support iSCSI…

Spotting strange connections on the network

A few nights back, I was sorting the pile of books, newspapers and magazines in the bedside reading pile into two more piles: “no time to read so send for recycling”; and “I really must read that”. As I did so, I came across a copy of .net magazine that included an article on using netstat.exe to detect spyware. This is a well-known, but often forgotten tool in the IT administrator’s arsenal:

netstat -a

will give a list of all network and Internet connections, detailing the protocol (e.g. TCP or UDP), local IP address (and port), foreign (remote) IP address (and port) and the state of the connection.

netstat -an

will display addresses in numeric form, so it’s pretty easy to spot connections to addresses outside your own network, and a whois lookup will help work out who is at the other end and whether they should be (often it will turn out to be something intentional).

netstat -abnv

will take it a step further and show you the applications and components used to initiate the connection – look down this list and you should be able to spot any strange applications and google them to find out what they are.

Incidentally, netstat is not just for Windows, but the command switches I gave above are. If you are using Windows and you don’t like the command line, then TCPView is a former Sysinternals tool (now owned by Microsoft) that provides a GUI front end for netstat, including whois lookups and process properties. Another useful tool is Nir Sofer’s CurrPorts, which displays the list of all open TCP and UDP ports along with information about the process that opened the port (including highlighting suspicious processes) and the ability to close unwanted TCP connections, kill the process that opened the ports, and save the information to a file.
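As an added example (not from the magazine article or the original post), the following Python does the triage described above over netstat -an output: it lists established connections whose remote end is outside RFC 1918, loopback and link-local space (the ones worth a whois) and the ports listening on a non-loopback address. The sample output is constructed, with RFC 5737 documentation addresses standing in for remote hosts.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample of "netstat -an" output on Windows (not a real capture). The
# remote hosts use RFC 5737 documentation addresses in place of real ones.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    192.168.1.10:49152     192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.10:49153     203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.10:49154     198.51.100.20:443      ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    192.168.1.10:137       *:*
"""

# Address space treated as "ours" or the machine itself (RFC 1918, loopback,
# link-local, unspecified, IPv6 ULA); a remote end outside it is worth a whois.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str  # empty for UDP rows, which have no state column


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'192.168.1.10:445' -> ('192.168.1.10', 445); '[::]:3389' -> ('::', 3389); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat rows; the banner, header and the [exe] lines of -b output are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = split_endpoint(parts[1])
        rip, rport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], lip, lport, rip, rport, state))
    return conns


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # '*' placeholder, not a remote host
    return any(addr in net for net in INTERNAL_NETS)


def external_connections(text: str) -> List[Conn]:
    """Established connections whose remote end lies outside internal address space."""
    return [c for c in parse_netstat(text)
            if c.state == "ESTABLISHED" and not is_internal(c.remote_ip)]


def exposed_listeners(text: str) -> List[Tuple[str, int]]:
    """(proto, port) pairs bound to something other than loopback, i.e. reachable from the network."""
    found = set()
    for c in parse_netstat(text):
        if (c.state == "LISTENING" or c.proto == "UDP") and not ipaddress.ip_address(c.local_ip).is_loopback:
            found.add((c.proto, c.local_port))
    return sorted(found)
```

To run it against a real machine, save `netstat -an > netstat.txt` and pass the file contents to external_connections and exposed_listeners in place of the constructed sample.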

I’m a what?

Yesterday evening, I was watching Channel 4‘s satirical political show, “Bremner, Bird and Fortune“, when a Microsoft “I’m a PC” ad ran in one of the breaks. I was surprised – firstly because I thought the campaign was US-only (although I must confess that I don’t watch much commercial TV anyway) but also because it seemed to miss the point that 1 billion PC users run Windows. All we got was Sean the Apple PC guy lookalike, followed by lots of people saying “I’m a PC” and the final “Windows – Life without Walls” graphic.

As for this being effective or not – for me the question was answered when my wife – a middle class 30-something marketing professional (presumably in the demographic that these ads are aimed at) – said something to the effect of “I don’t understand! Why I’m a PC?”

That’s just one example of why these ads don’t work: the Mojave Experiment made a point (until Microsoft shot themselves in the foot with all the Windows 7 news and speculation about a 2009 release effectively killing Vista off prematurely); Windows without Walls works (especially with the recent web services announcements); Gates and Seinfeld – probably best not to go there; but as for I’m a PC? It’s fine to be highlighting all the things that a billion people do with PCs… but this campaign is just not hitting the mark.

[Update: 11 November 2008]: In conversation, Garry Martin made a very good point that I failed to comment on in the original post: if you’ve seen the Apple ads, then I’m a PC makes sense and shows that PCs are not dull and boring but that they are used for many exciting and worthwhile things across the globe; however, many people in the UK have not seen those ads.

As far as I know, Apple’s Mac vs. PC ads didn’t run on TV here (although there were some UK versions produced which may have done for a short while) – either way they are more of an Internet thing for geeks/Mac fanboys and so most people miss the point entirely – resulting in a confused response to I’m a PC.

Access denied when echoing files using SyncToy

Whilst Windows Live Mesh and FolderShare provide me with an effective means to keep files and folders in sync, some of my devices do not run Windows or OS X (e.g. my NetGear ReadyNAS) and I’ve been using the SyncToy v2.0 tool for data that I just want to copy from one location to another (e.g. backing the file data on the notebook PC that I use for work up to a file share).

Unlike FolderShare/Live Mesh, which automatically keep folders in sync, SyncToy is intended for performing on-demand tasks (e.g. backups), as described by Gina Trapani at Lifehacker (and by yours truly a couple of years back when it was still at v1.2).

A few days ago, I was echoing the contents of a large directory to a remote share, but was mystified by some files which would not write to the remote volume. I had full NTFS access to the files but SyncToy produced an error which said:

Error: Cannot write to the destination file. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Copying C:\Users\username\filename

After a while, I worked out that the problem files all had the read-only attribute set and that removing this allowed SyncToy to copy the files successfully. I can only assume that the problem was the echo (i.e. file copy, rather than two-way sync) and that the file attributes were being written before the file copy took place, resulting in insufficient permissions to write the file contents.

Working out when Windows updates the clocks as daylight saving begins and ends

I can’t always answer e-mails for help through this blog (I simply don’t have the time) but, a few days ago, I received an e-mail from a reader with a question that intrigued me – at what time did Windows update the system clock when British Summer Time ended last weekend? I knew that the official end time was 02:00 (and it’s 01:00 when the clocks go forward again in the spring) but there was nothing in the logs to indicate the time when Windows applied the changes.

After a bit of research I found that this information is written to the registry when the time zone is selected at setup time, or via the Control Panel date and time applet. On my Windows Server 2008 system, reg query hklm\system\currentcontrolset\control\timezoneinformation returned:

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\timezoneinformation
    Bias    REG_DWORD    0x0
    DaylightBias    REG_DWORD    0xffffffc4
    DaylightName    REG_SZ    @tzres.dll,-261
    DaylightStart    REG_BINARY    00000300050001000000000000000000
    DynamicDaylightTimeDisabled    REG_DWORD    0x0
    StandardBias    REG_DWORD    0x0
    StandardName    REG_SZ    @tzres.dll,-262
    StandardStart    REG_BINARY    00000A00050002000000000000000000
    TimeZoneKeyName    REG_SZ    GMT Standard Time
    ActiveTimeBias    REG_DWORD    0x0

It’s the daylightstart and standardstart values that are of interest here – reg query hklm\system\currentcontrolset\control\timezoneinformation /v daylightstart returns:

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\timezoneinformation
    daylightstart    REG_BINARY    00000300050001000000000000000000

and reg query hklm\system\currentcontrolset\control\timezoneinformation /v standardstart shows:

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\timezoneinformation
    standardstart    REG_BINARY    00000A00050002000000000000000000

Although I can’t work out the format of the binary data, I can see the differences. Ignoring the second 8 bytes (which are all zero) I can see that the differences are:

00 00 03 00 05 00 01 00

00 00 0A 00 05 00 02 00

That looks to me like 03 might be March and 0A (decimal 10) might be October, whilst 01 may represent 1am, in which case 02 would be 2am.

There’s also some more information in Microsoft knowledge base article 914387, including a link to the Windows Time Zone Editor (tzedit.exe) utility that is used to create time zones (as well as to another utility for combing event logs).

Windows Time Zone Editor showing the settings for GMT

The Windows Time Zone Editor is written for Windows 2000 and I’ve not been able to get the resulting time zone that I defined to load on my 64-bit copy of Windows Server 2008 in order to work out the resulting registry changes, but I’m pretty sure that the 05 in the registry values for daylightstart and standardstart represents the last day (the options are 1st, 2nd, 3rd, 4th and last) and that one of the 00s is Sunday. One thing that it does do is confirm that daylight saving for Greenwich Mean Time (British Summer Time) starts on the last Sunday of March at 01:00 and ends on the last Sunday in October at 02:00 – as shown in the accompanying image.

If anyone knows any more about the bytes I haven’t tracked down yet, I’d be pleased to hear your comments!
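As an added example (not from the original post), the following Python unpacks those REG_BINARY values as the Win32 SYSTEMTIME structure Windows stores here: eight little-endian 16-bit words (wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds), where a zero year marks a recurring rule and wDay 1 to 5 means the first to last week of the month. Read that way, the values as quoted above would land 05 in the day-of-week slot, so the sample values below are constructed with the zero wDayOfWeek word in third place, matching the transitions the Time Zone Editor confirms; the bias values are the ones shown in the reg query output.

```python
import struct
from typing import Dict

# Constructed sample values in SYSTEMTIME layout for the GMT Standard Time rules the
# post confirms (DST starts last Sunday of March 01:00, ends last Sunday of October
# 02:00). Unlike the hex quoted in the post, these carry the zero wDayOfWeek word in
# third place, which is where the structure expects it. Bias values are as shown.
TZ_VALUES = {
    "DaylightStart": "00000300000005000100000000000000",
    "StandardStart": "00000A00000005000200000000000000",
    "Bias": 0x0,
    "DaylightBias": 0xFFFFFFC4,
    "StandardBias": 0x0,
}

FIELDS = ("year", "month", "day_of_week", "day", "hour", "minute", "second", "millisecond")
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
MONTHS = ("", "January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")
WEEK_OF_MONTH = {1: "first", 2: "second", 3: "third", 4: "fourth", 5: "last"}

def decode_systemtime(hex_value: str) -> Dict[str, int]:
    """Unpack a 16-byte REG_BINARY SYSTEMTIME: eight little-endian 16-bit words."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    return dict(zip(FIELDS, struct.unpack("<8H", raw)))

def describe_transition(hex_value: str) -> str:
    """Render a transition rule the way the Date and Time applet shows it."""
    st = decode_systemtime(hex_value)
    when = f"{st['hour']:02d}:{st['minute']:02d}"
    if st["year"] != 0:
        # A non-zero year means a fixed date rather than a recurring rule.
        return f"{st['year']:04d}-{st['month']:02d}-{st['day']:02d} at {when}"
    # year == 0: wDay is the week of the month (5 = last), wDayOfWeek the weekday.
    return (f"{WEEK_OF_MONTH[st['day']]} {DAYS[st['day_of_week']]} "
            f"of {MONTHS[st['month']]} at {when}")

def signed_dword(value: int) -> int:
    """reg query prints REG_DWORD unsigned; the bias fields are signed minutes."""
    return value - (1 << 32) if value & 0x80000000 else value

def local_offset_minutes(bias: int, variant_bias: int) -> int:
    """Windows defines UTC = local + Bias (+ DaylightBias while DST is active),
    so local time's offset from UTC is the negated sum."""
    return -(signed_dword(bias) + signed_dword(variant_bias))

if __name__ == "__main__":
    print("DST starts:", describe_transition(TZ_VALUES["DaylightStart"]))
    print("DST ends:  ", describe_transition(TZ_VALUES["StandardStart"]))
    print("UTC offset in summer (min):", local_offset_minutes(TZ_VALUES["Bias"], TZ_VALUES["DaylightBias"]))
```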

A quick look at Windows PowerShell 2

Richard Siddaway‘s recent TechNet presentation (around the datacentre in 80 scripts) was a first opportunity for me to have a look at what’s coming in the next version of Windows PowerShell.

I’ve written previously about PowerShell (as an introduction to the concept and from an IT administrator standpoint) but, just to summarise, in a logical diagram of the Windows Server System, PowerShell would sit between Windows Server and the rest of the Windows Server System as the integration and automation engine (and PowerShell support is part of Microsoft’s common engineering criteria for 2009 – it’s already widely used by Exchange Server, SQL Server and by recent System Center products – and there is growing third party support too).

Whilst PowerShell is really an automation engine, it’s commonly expressed as a command shell and scripting language which underlies the graphical user interface. PowerShell is based on the Microsoft .NET Framework but does not require a knowledge of .NET programming. As for whether it will eventually replace cmd.exe as the CLI in Windows – maybe one day but not for a while yet (maybe not at all – Unix has several shells to choose from for administration).

Key PowerShell features include:

  • cmdlets – small pieces of functionality which each perform a single function (and use a verb-noun naming structure).
  • Providers – functionality to open a data store as if it were a file system (e.g. certificate store, registry, etc.).
  • Extensibility – there are around 130 cmdlets in the PowerShell base and functionality can be added as required (Exchange, SQL, etc.) in the same way that Microsoft Management Consoles are built up from various snap-ins. A Windows Installer file registers a DLL and PowerShell accesses it as a snap-in (using the add-pssnapin command in the profile) and from that point on the additional functionality is available in PowerShell.
  • Pipeline – the pipeline is used to pass .NET objects between cmdlets (non-programmers – think of objects as “blobs of stuff” with methods and properties to do things with them!)

Windows PowerShell was originally released in November 2006 and was finally included within Windows Server 2008 this year (it wasn’t ready in time for Vista). At the time of writing, PowerShell 2.0 is still a community technical preview (there have been two releases – CTP and CTP2) so there may be changes before release, but some of the improvements we can expect to see (and this list is not exhaustive), based on CTP2, are:

  • Remoting. New remoting capabilities require PowerShell to be installed on both the client and the server and use Windows Remote Management (WinRM), which is based on WS-Management (check that winrm is running with get-service winrm). At present, remoting requires administrator rights for both configuration and use.
  • Jobs. PowerShell jobs run asynchronously and can be started using the psjob cmdlets (get-command *.psjob to list available cmdlets), some cmdlets support the -asjob parameter (get-help * -parameter asjob) where that option is provided.
  • Runspaces. Jobs can also be used with PowerShell’s remoting capabilities in RunSpaces, which create a persistent connection between the local and remote machines in order to speed up the response. Remote commands are invoked using invoke-command. For example, to create a runspace and execute a script as a job, I might use the following code:
    $r = new-runspace -computername mycomputer
    invoke-command -runspace $r -scriptblock {remotescript} -asjob

    after which I could use get-psjob and other cmdlets to manipulate the job (e.g. check on progress, receive data, etc.).
  • Script cmdlets. Cmdlets can now be written in PowerShell, rather than being compiled from a .NET language.
  • Transactions. In the same manner as SQL Server, Exchange Server and Active Directory apply a database transaction-logging mechanism, PowerShell now has the potential for transaction-based processing (i.e. carry out an action, if it completes then OK, if not then roll back). This functionality is implemented at the provider level so is not universally available (at the time of writing, only the registry supports this).
  • Graphical PowerShell. A new tool, with script editor, interactive prompt and results pane.
  • WMI. Improved support for Windows management instrumentation (WMI) through type accelerators ([WMI], [WMIClass] and [WMISearcher]), the ability to pass credentials with get-wmiobject and new wmi-focused cmdlets (invoke-wmimethod, set-wmiinstance, remove-wmiobject). In a simple example to launch a process using WMI I might use the following code:
    $c = [WMIClass]"Win32_Process"
    $c.create("win32program.exe")
    and to clear up afterwards I might use:
    get-wmiobject -class win32_process -Filter "Name='win32program.exe'" | remove-wmiobject

It should be stressed that PowerShell 2.0 is still under development (it’s a community technology preview – not even a beta) and that things may change. It may also break things – there are also some naming clashes (e.g. with the PowerShell Community Extensions), new keywords (e.g. data) and it’s more complicated than the original version. Even so, PowerShell 1.0 already has tremendous potential and I’d be using it more often if I was doing more administration work. As more products use PowerShell for automation then knowing how to use it will become an ever-more important skill for Windows administrators – version 2 is definitely worth a look and if you want to know more about PowerShell then I recommend checking out the PowerShell UK user group and the PowerShell team blog.

More on Microsoft’s ad campaign – are you a PC?

So, were the Gates/Seinfeld ads canned? Who knows – right from the start they were supposed to be teasers, something to get a conversation started – and they sure did that – the ‘net is awash with people (like me) saying how lame they are (although I’ve seen a few comments from people saying that they were starting to get into things with the second ad).
Now the blogosphere (and mainstream industry sites) are awash with people saying how Microsoft has come up with “I’m a PC” to take a swipe back at Apple – but without being funny. Hang on guys… you’re missing the point! I’m a PC is just a soundbite – saying how (Windows) PCs have been stereotyped as dull things from the office, things that are unreliable, things that can’t do anything exciting – but that over a billion real people use (Windows) PCs to do real things and showing some of those people. Personally, I don’t like the “I’m a PC” statement from the myriad users featured in the ads (“I use a PC” would be fine) but, then again, I come from the country that invented the English language (England) and these ads are targeted at people who speak American (there is no such thing as US English!).

Then there is the Life without Walls campaign – showing how many things can be done on a PC and how one operating system transcends so many devices used throughout the world.

Windows - Life Without Walls

And the Mojave Experiment, which basically said “come and look at Windows before writing it off as a disaster”.

I can see that this campaign is multifaceted. It seems to lack something to link the disparate themes of Mojave, Seinfeld/Gates, I’m a PC, Life without Walls and the manufacturer-focused Vista Velocity but I do at least understand where this is heading now. And I think it’s a smart move inviting consumers to add their own videos to the campaign, further underlining the fact that ordinary people use Windows PCs (a PC is not a stereotype).

As for the Microsoft-bashers, well, they’ll always find something to poke at, like that the ads were apparently made on a Mac Apple PC – but really, so what? (Many professional design studios do use Macs but that doesn’t mean a Windows PC is not perfectly good enough for home movies).

At last, this campaign seems to be going somewhere, but I can’t help thinking there are a bunch more Bill and Jerry ads waiting to slip out one day.

An alternative view

The links below highlight the views on this subject from a few well-known Microsoft-watchers: