Tuesday 25 September 2012

No Policies Applying, Temporary Login, Windows 7

No Policies Applying, Temporary Login, Windows 7 x64/x86

You have been logged in with a temporary profile, even though the user in Active Directory (AD) is set up correctly and the NTFS/share permissions are also set up correctly.

What's going on? Hopefully this post will help.

Applies to: Windows 7 x86/x64, Windows 2008R2 Domain

Symptoms

  • No Group Policies have applied to the profile
  • No Mapped Drives/Printers
  • No Preferences Applying
  • Admin (like) control of the machine, no restrictions set
  • An exclamation mark (!) in a blue circle appears in the system tray
  • A balloon appears/tries to appear notifying the user that they are logged in with a temporary profile
  • The login is way too quick.
  • If you log out and log back in sometimes the profile works fine, sometimes it logs back in again as a temporary profile. 
  • The issue is intermittent with little/no pattern, sometimes does it, sometimes it does not. Not machine specific, not user specific.
  • If you wait for a few seconds before logging in, the chances of the profile working correctly improves.
  • Occurs more often on wireless devices than wired, but isn't limited to wireless.



Reasons

When Windows 7 was the new big thing, Microsoft had a page about all the cool new features of their brand new operating system. There was one feature (which unfortunately I have forgotten the name of) that boasted about priority, fast logins. Essentially, it meant that if Windows 7 noticed there would be a delay in logging in, it chose to prioritise just getting the user to the desktop rather than waiting to ensure the login was correctly done.

This is what you are encountering. Some networks, particularly wireless ones, take that little bit longer to establish a new IP address, down to poor signal strength or just generally the type of wireless card you have in your device.

So when a typical user types in their username and password within seconds of the machine first booting, the chances are the computer hasn't yet got an IP address or a stable connection with the server, but it still attempts to log them in regardless. Windows 7, realising that there is a networking issue, rather than saying to the user, "Please wait a sec, I haven't fully established a trust with the server", simply goes, "Oh, who needs a server, I know your credentials are correct, that's all I basically need, here's a desktop". Perfect if you are a home user, really annoying if you are a domain user.

Resolutions

Nice and easy, there's a group policy for it. Inside that needle-in-a-haystack database there is a policy that ensures the computer (regardless of whether it's wireless or not) will not let the user log in until a stable connection is first established.

Located Here

Windows Server 2008R2
Computer Configuration -- Policies -- Administrative Templates -- System --  Logon

Windows Server 2003R2
Computer Configuration -- Administrative Templates -- System -- Logon

Policy Name

Always Wait For The Network At Computer Startup And Logon

Set to: Enable



How it works

This is a brilliant policy: when a computer is still loading up and a user attempts to log in the second they can type, it overrides the client operating system's decision to prioritise getting the user to the desktop.

All policies will therefore come down to the client and apply to the user and computer, thus ensuring that their logins are correctly redirected and their resources (shared areas and printers) are correctly applied in accordance with your ICT policy.
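
A way to confirm the setting has actually reached your clients, as an added example that is not part of the original post: the function reads the registry value this policy writes (SyncForegroundPolicy) and lists any profile Windows has flagged as temporary. The function name and host names are constructed placeholders.

```powershell
# Added example (PowerShell 2.0 compatible): per-client check of the policy
# value and of any profile Windows has flagged as temporary.
function Get-LogonPolicyState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $HKLM    = [uint32]2147483650   # HKEY_LOCAL_MACHINE hive constant for StdRegProv
    $subKey  = 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $valName = 'SyncForegroundPolicy'   # 1 = "Always wait for the network" enabled

    foreach ($computer in $ComputerName) {
        try {
            # Read the policy value through the WMI registry provider
            $reg    = [wmiclass]"\\$computer\root\default:StdRegProv"
            $read   = $reg.GetDWORDValue($HKLM, $subKey, $valName)
            $waitOn = ($read.ReturnValue -eq 0 -and $read.uValue -eq 1)

            # Win32_UserProfile.Status is a bit field; bit 1 marks a temporary profile
            $temp = @(Get-WmiObject -Class Win32_UserProfile -ComputerName $computer -ErrorAction Stop |
                      Where-Object { $_.Status -band 1 } |
                      ForEach-Object { $_.LocalPath })

            New-Object PSObject -Property @{
                Computer          = $computer
                WaitForNetwork    = $waitOn
                TemporaryProfiles = ($temp -join '; ')
                Error             = $null
            }
        }
        catch {
            # Unreachable host or access denied: report it rather than skip it
            New-Object PSObject -Property @{
                Computer          = $computer
                WaitForNetwork    = $null
                TemporaryProfiles = $null
                Error             = $_.Exception.Message
            }
        }
    }
}

# Constructed host names; replace with machines from your own domain
Get-LogonPolicyState -ComputerName 'PC-LAB-01', 'PC-LAB-02' |
    Select-Object Computer, WaitForNetwork, TemporaryProfiles, Error |
    Format-Table -AutoSize
```

A machine that shows WaitForNetwork as False has not received the GPO yet, so users on it can still land on an unrestricted desktop.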



I hope this helps you all out. I understand that Windows 8 is out soon, but for those looking to upgrade to Windows 7, this is a small bug I'm sure you will come across.

It is easy to ignore when testing as when it happens you log off and you log back in and it all seems fine, but bear in mind, you are a technician, you use computers in the way they should be used.  True testing comes from the end user and not the ICT department.

I'm happy to help out anyone with any more issues in relation to this, just leave a comment below. Additionally, if there are any other fancy features you may have found in the GPO needle-in-a-haystack database which you feel will help optimise Windows 7's logging in speed and/or reliability, never hesitate to post a comment. We are all on the same team here, and all help is much appreciated.

Speak to you all soon,

The ITMagician

Monday 17 September 2012

Restart Pending? But I've restarted!

Cannot start/begin installation due to restart Pending on your machine.

Applies to Windows Vista, 7, Server 2008, Server 2008R2

This is an annoying issue. You've recently uninstalled something or you've just updated the machine with the most recent Windows updates. Whatever the reason, you cannot install something because apparently, even after several restarts, the computer still wants a restart.

Nice and simple (and you don't even need to do another restart). 

Go to Run, type Regedit.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Look for the value PendingFileRenameOperations

Right click and edit.

See that list of random stuff in there? That's the stuff that is stuck "pending for install" and fails to remove itself once you have.

Highlight it all, Delete.

Press Ok and leave the registry.

Now, restart your software install.  Hopefully, fingers crossed, you should be pleasantly surprised that you can now start your installation successfully.
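
The same steps scripted in PowerShell, as an added example that is not part of the original post: it lists what is queued, exports the Session Manager key to a backup file, and only then empties the value. The backup file name is an assumption; run it from an elevated prompt.

```powershell
# Added example: review and back up PendingFileRenameOperations before clearing it.
$subKey  = 'SYSTEM\CurrentControlSet\Control\Session Manager'
$valName = 'PendingFileRenameOperations'
# Constructed backup location; change to suit
$backup  = Join-Path $env:TEMP ("SessionManager-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Open the key writable (fails with a security error if not elevated)
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
try {
    $entries = @($key.GetValue($valName, @()))   # REG_MULTI_SZ comes back as string[]
    if ($entries.Count -eq 0) {
        'Nothing pending; the value is empty or absent.'
    }
    else {
        # Entries come in pairs: source path, then destination.
        # An empty destination means "delete the source at next boot".
        $pending = for ($i = 0; $i -lt $entries.Count; $i += 2) {
            $dest = ''
            if ($i + 1 -lt $entries.Count) { $dest = $entries[$i + 1] }
            $action = 'delete'
            if ($dest) { $action = "rename to $dest" }
            New-Object PSObject -Property @{ Source = $entries[$i]; Action = $action }
        }
        $pending | Format-Table Source, Action -AutoSize | Out-Host

        # Export the whole key so the list can be restored later with "reg import"
        & reg.exe export "HKLM\$subKey" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; value left untouched.' }

        # Same effect as deleting the contents in Regedit and pressing OK
        $key.SetValue($valName, [string[]]@(), [Microsoft.Win32.RegistryValueKind]::MultiString)
        "Cleared $($entries.Count) strings; backup written to $backup"
    }
}
finally {
    $key.Close()
}
```

Reading the list before clearing it shows which files were queued for replacement or deletion, which is worth knowing if the new install later misbehaves.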

Keywords
Exchange 2007, 2010
System Center
DPM Data Protection Manager
SCCM System Center Configuration Manager
SQL Server 2008 R2, 2012
                     

Monday 20 August 2012

Windows 8 ADK (The new WAIK)

Yes folks, Microsoft have updated their tools for working with Windows images.

What was once known as the Windows Automated Installation Kit has now been merged with more utils and is now called the Assessment and Deployment Kit.

A quick look on Microsoft's site only seems to provide a bootloader to install from the internet; however, if you run this file you are presented with the option to download the files for offline installation.

Be warned though, it's a biggie, coming in at around 3 and a bit Gig.

It can be downloaded from here

Wednesday 1 August 2012

Creating a more useful Powershell prompt

 

 

As Microsoft are moving more and more functions for their products to be Powershell aware, we are starting to use PS more than VBScript in our daily lives. Although I often use Quest’s Powergui for my coding, as the watches built into the interface make debugging easier, I do also make use of the Powershell itself, and in these instances I have to import the relevant module manually. By editing your PS profile you can make these tools available every time you click on the little blue icon. This walkthrough will load the Active Directory and Exchange tools.

 

Here are the steps to achieve this.

 

1. Create a profile (If you don’t already have one)

New-Item -Itemtype file -path $profile -force


2. Edit your profile with notepad

notepad $profile

3. Add the following code

import-module activedirectory

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
. $env:ExchangeInstallPath\bin\RemoteExchange.ps1
Connect-ExchangeServer -auto

4. Save the file and re-open Powershell

 

You will now have a Powershell which loads the AD and Exchange tools by default.

Sunday 29 July 2012

WMI Filters for Windows Operating Systems

For those of you wanting to filter your GPOs by OS, here are the filters we use. The filters work against the root\CIMV2 namespace.


Windows 8

Select * from Win32_OperatingSystem Where Version like "6.2%" and ProductType = "1"


Windows 7

Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"

Windows XP

Select * from Win32_OperatingSystem Where Version like "5.1%" and ProductType = "1"

Friday 4 May 2012

PXE-E32 Error

If you get a PXE-E32 error on your client when using WDS on a 2008R2 server, it is due to DNS stealing a port which WDS needs. This will probably happen following an update.


It can be fixed however with a little tweak in Regedit,


Navigate to  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSServer\Parameters

Change the value of  UdpPortPolicy to 0, close Regedit

Restart WDS on the server.


This should allow you to PXE boot properly again.


Thanks to sted over at the edugeek forums for this fix.

Wednesday 2 May 2012

Editing MDT 2012 Lite Touch Wizard Screens


At work we are still deploying Windows XP due to a need for our customers. We have automated the installation to a large extent; however, the biggest bugbear we have had is the need to select a task sequence and then to click next before giving the computer a name.

Here you can see where we are going from and to

Here is the original Task Sequence selection screen

Followed by the Name your computer screen


Followed by our modified screen which combines both Task Sequence and computer name into one pane.


We are aware that by prestaging machines we could avoid this issue however for our needs this would be overkill and an additional time overhead, what we wanted was the ability to unbox and name machines then walk away.

While poking around I found that the wizard you navigate around when using the Lite Touch Deployment is controlled using a collection of xml and vbs scripts, these are stored in the deploymentshare\scripts folder.

With a bit of copying and pasting between files I have been able to put the boxes for computer name and task sequence selection into a single pane. As we have used the deploymentshare rules settings to skip the other pages, it means that we can PXE boot, then simply enter a name and pick the TS all in one page, then walk away.
Apologies for this, but this one is going to be a bit wordy.

The files you will be modifying are

Deploywiz_Definition_ENU.xml
Deploywiz_SelectTS.xml
Deploywiz_ComputerName.xml

The files are named fairly well by Microsoft, the Definition file is the master file which guides you through the wizard, it calls the required files in turn. We will be making minor changes to this file but as always we should make a backup before we touch anything, just in case. The SelectTS file is the one which lists the task sequences available and allows us to choose one, the ComputerName file is self explanatory, however it also contains possibilities for you to enter domain join values, in our usage scenario we do not use these as the values are provided in the rules for the deploymentshare.

Open the ComputerName file and copy everything between the <body></body> tags, switch to the SelectTS file and paste all of this in just below the <body> tag and before the existing code, return to the ComputerName file and copy the <Initialization> and <Validation> section, again return to the SelectTS file and paste this in along with the existing values. Move to the top of the file and add the following as one line

<CustomScript>DeployWiz_ComputerName.vbs</CustomScript>



into the <global> section.

Change the <Pane id> values to something more appropriate such as

<Pane id="Name_Computer_and_SelectTaskSequence" title="Enter Name and pick a Task Sequence">


Save this file with your initials at the beginning and a more appropriate name, mine is called MHDeployWiz_Name_Computer_SelectTS.xml this will allow the deploymentshare files to be replaced in the future if an upgrade requires it but your files should remain in place.
You have now done the hard work.
Open the Definition file and edit the section 
<Pane id="SelectTaskSequence" reference="DeployWiz_SelectTS.xml">
  <Condition><![CDATA[UCASE(Property("SkipTaskSequence"))<>"YES" ]]></Condition>
</Pane>


to contain our newly made xml file so it should read 
<Pane id="SelectTaskSequence" reference="MHDeployWiz_Name_Computer_SelectTS.xml">
  <Condition><![CDATA[UCASE(Property("SkipTaskSequence"))<>"YES" ]]></Condition>
</Pane>


You can then remove completely the following section
<Pane id="ComputerName" reference="DeployWiz_ComputerName.xml">
  <Condition><![CDATA[UCase(Property("SkipDomainMembership"))<>"YES" or UCase(Property("SkipComputerName"))<>"YES"]]></Condition>
  <Condition><![CDATA[Property("DeploymentType")<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("DeploymentType") <> "StateRestore" ]]></Condition>
</Pane>
If you do not remove this then you will have another screen (which we are trying to remove) asking for the computer name, however its value will have been taken from the previous screen.

Save your file and test your deployment.
I have attached my modified files at the end of this post so you can see some which I have working in my test environment; feel free to play with them for your own use. I have used these modified files to deploy XP, 7 and W8 Consumer Preview. I am sure that much more can be done with the xml files in MDT so there may be more posts to follow, but for now that’s it.
Good Luck

Monday 2 April 2012

Windows XP SP3 DFS Network shares not refreshing

If you run a network where you connect Windows XP to DFS shares, you may encounter the issue whereby a user can create a new file/folder but not see it until they refresh the folder, this can lead to a large number of 'New Folder' entries if the user believes that they have not actually created a new folder.

The issue can also occur when moving or deleting items.

Microsoft list a fix which consists of a registry entry, apparently this was introduced in Windows XP SP2 but you can still get the issue with SP3.

The fix is a registry entry in the following path

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

It is a DWORD entry and is called 'NoSimpleNetIDList'

the value needs to be set to 1




Reference:

Microsoft Support Information

Kyocera Command Center default admin password

Just a quick heads up for those who are struggling to find the default web admin password for Kyocera printers: try accessing the printer's IP address and using the code admin00

This has been tested on a fair few Kyocera printers but it took a lot of digging to find the code.

[Edit 22-05-2013]

Here is the list of additional printers which this password works for, collected from the comments section below.


FS-C5400DN
FS-1370DN
FS-1035DN
FS-6025MFP
FS-5250DN
FS-3920DN
TASKalfa 300ci
TASKalfa 552ci
FS-C5300DN
FS-C5350DN
FS-1370DN


[EDIT 01-06-2013]

I have been looking for a solution to the question below about a changed password and found a list of default passwords, the page I found this information on can be found here.


Command Centre Username and Password

Monochrome

Model | Username | Password
FS-2100DN | Admin | Admin
FS-4100DN | Admin | Admin
FS-4200DN | Admin | Admin
FS-4300DN | Admin | Admin
FS-1028MFP | | admin00
FS-1030MFP | | admin00
FS-1035MFP | | admin00
FS-1128MFP | | admin00
FS-1130MFP | | admin00
FS-1135MFP | | admin00
FS-3040MFP | | admin00
FS-3140MFP | | admin00
FS-3140MFP+ | | admin00
FS-3540MFP | | admin00
FS-3640MFP | | admin00
FS-6525MFP | Admin | Admin
FS-6530MFP | Admin | Admin
KM-2560 | |
KM-3060 | |
620 | |
820 | |
181 | |
221 | |
255 | | admin00
305 | | admin00
300i | | admin00
420i | | admin00
520i | No Default | admin00
3500i | Admin | Admin
4500i | Admin | Admin
5500i | Admin | Admin
6500i | Admin | Admin
8000i | Admin | Admin

Colour

Model | Username | Password
FS-C2526MFP | | admin00
FS-C2626MFP | | admin00
205c | Nothing when default | admin00
255c | | admin00
250ci | | admin00
300ci | | admin00
400ci | | admin00
500ci | | admin00
552ci | | admin00
2550ci | Admin | Admin
3050ci | Admin | Admin
3550ci | Admin | Admin
4550ci | Admin | Admin
5550ci | Admin | Admin
6550ci | Admin | Admin
7550ci | Admin | Admin

Machine Username and Password

Monochrome

Model | Username | Password
FS-2100DN | Admin | Admin
FS-4100DN | Admin | Admin
FS-4200DN | Admin | Admin
FS-4300DN | Admin | Admin
FS-1028MFP | 2800 | 2800
FS-1030MFP | 3000 | 3000
FS-1035MFP | 3500 | 3500
FS-1128MFP | 2800 | 2800
FS-1130MFP | 3000 | 3000
FS-1135MFP | 3500 | 3500
FS-3040MFP | 4000 | 4000
FS-3140MFP | 4000 | 4000
FS-3140MFP+ | 4000 | 4000
FS-3540MFP | Admin | Admin
FS-3640MFP | Admin | Admin
FS-6525MFP | 2500 | 2500
FS-6530MFP | 3000 | 3000
KM-2560 | 2500 | 2500
KM-3060 | 3000 | 3000
620 | 6200
820 | 8200
181 | 1800
221 | 2200
255 | Admin | Admin
305 | Admin | Admin
300i | 3000 | 3000
420i | 4200 | 4200
520i | 5200 | 5200
3500i | 3500 | 3500
4500i | 4500 | 4500
5500i | 5500 | 5500
6500i | 6500 | 6500
8000i | 8000 | 8000

Colour

Model | Username | Password
FS-C2526MFP | Admin | Admin
FS-C2626MFP | Admin | Admin
205c | Admin | Admin
255c | Admin | Admin
250ci | 2500 | 2500
300ci | 3000 | 3000
400ci | 4000 | 4000
500ci | 5000 | 5000
552ci | 5500 | 5500
2550ci | 2500 | 2500
3050ci | 3000 | 3000
3550ci | 3500 | 3500
4550ci | 4500 | 4500
5550ci | 5500 | 5500
6550ci | 6500 | 6500
7550ci | 8000 | 8000