Microsoft’s Windows XP, as it’s configured on most computers from a vendor, has very few, if any, customizations applied. IST spent many months working together with Academic Support departments at UW to customize the operating system and departmental applications in a way preferred by most of our clients. We believe these changes not only improve aesthetics but also make the user more productive.
When we do this we install Windows XP Professional on a computer and customize it to our specifications. Then we install the required primary applications from previously IST-built executables that have also been customized accordingly. Lastly we make a few more minor changes and cut an image of the whole hard disk. This image was then put on most desktop PC’s in Academic Support. (Please note that this gives us a quick and easy way to replace broken hardware and software.) Then the computer is joined to the ADS domain where more changes are automatically applied (by domain policies). The combination of these two sets of changes gives our Academic Support clients what they see on their computers today.
On a notebook, or specialized desktop, there may be reasons an image is not preferred (as discussed in “Setting_up_a_Notebook_versus_a_Desktop.htm”). It is for this reason that this document has been created. First to help you decide if you could accept our image on your PC, and if not, so you can apply as many of the desired changes yourself.
The first section covers the manual changes discussed above. It is divided into several subsections including highly recommended Security and Usability changes. The next section covers changes applied via policy that can be applied by joining the ADS domain. The rest of the sections cover final customizations, cleanup and a few notes on backup.
Please note that most of the changes documented here require you to be an administrator. Apply them first and then create a “limited user” account that you should use from now on, whenever possible.
All of the links in this document reference very detailed instructions as to the steps required to customize an ADS workstation. A more general, less detailed reference is available at: http://winxp.uwaterloo.ca/Documentation/CM/XP_Changes.htm
1. Go to Start/Control Panel/User Accounts
a) Select Change the way users log on or off
b) Uncheck Use the welcome screen and click Apply Options. This also disables fast user switching. This is necessary in order to show the standard login window.
c) Click Switch to Classic View
d) Close the Control Panel
NOTEBOOK NOTE: Because this documentation only deals with desktops a hibernation password is not relevant. See notebook documentation to find out how to set a hibernation password as well. (It’s usually part of Power Management options.)
1. Go to Start/My Computer/Manage
2. Expand Local Users & Groups and select Users
3. Double-click Administrator and check its settings:
a) For Full Name, enter Administrator
b) Check Password doesn’t expire
c) Click the Members of tab. It should be a member of Administrators only. If not, add it, and remove any other groups it might be in.
d) Click Apply & OK
4. Double-click any other administrative account
a) For Full Name, enter something appropriate
b) Enter an appropriate Description
c) Click the Members of tab. It should be a member of Administrators only. If not, add it, and remove any other groups it might be in.
d) Click Apply & OK
NOTE: Remember to not use administrative accounts for everyday work. A backup as suggested above may be a good idea.
5. Double-click any other user accounts on your PC
a) For Full Name, enter the user name
b) For Description, enter Local Power User Account
c) Check Password Never Expires
d) Click the Members of tab. Add it to the Power Users group and remove it from all other groups (including Administrators)
e) Click Apply & OK
NOTE: Power user privilege may not be required for all that you do. It was required for some Academic Support applications so all “Users” were made Power Users.
6. All other accounts (guest, HelpAssistant, Support_xxx are all disabled and should not be modified)
7. Close up the Computer Management window
1. Press CTRL-ALT-DEL to get the Windows Security window.
2. Click the Change Password button and change the password for the accounts installed:
a) Administrator (use a different password than you use for everyday use)
b) username (set it to something you will remember later)
c) Click Cancel to return to the desktop
These changes alter the registration info over to the University, for University Owned PCs.
1. Run Regedit
2. Find the key HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion
3. Change the RegisteredOrganization to University Of Waterloo
4. Change the RegisteredOwner to IST Academic Support
This is a very important step to apply BEFORE connecting to the network. It will prevent the internet worms (like Blaster and Welchia) from causing problems. This filter may have to be removed for some later steps. NOTE: Windows XP SP2 automatically turns this on.
1. Go to Start/Control Panel/Network and Internet Connections
2. Select Network Connections
3. Right-click Local Area Connections/Properties
4. Select Internet Protocol & click Properties
5. Click Advanced
6. Enable the firewall
Only then plug in the network cable.
2. Go to Start/Control Panel
3. Double-click Network Connections
4. Double-click Local Area Connection
5. Click Properties button
6. Uncheck Show Icon in taskbar when connected
7. Uncheck File & Print Sharing
8. Double-click Internet Protocol (TCP/IP) list entry
a) Click the Advanced button to bring up the other network options
b) Click the DNS tab
i) Uncheck Register This Connection Address In DNS
ii) (not for off-campus machines) For DNS Suffix For This Connection enter uwaterloo.ca
c) Click the WINS tab
i) Uncheck Enable LMHOSTS Lookup
d) Click OK, OK
NOTE: In Windows XP SP2 Windows Firewall is turned on automatically. The menus are structured a little differently prior to SP2 than described below.
1. Assuming you are still in Network Connections (from the last step): Click the Advanced tab and click Settings (It should be on)
2. Click the Exceptions tag. Select Remote Desktop if required.
3. Uncheck File and Printer Sharing
4. Uncheck Remote Assistance (and anything else you know is not required!)
5. If you are running a Wireless Network card at UW
a) Click the Advanced tab
b) Within the ICMP box click the Settings button
c) Select Allow incoming echo request
d) Verify installation by pinging IST.UWATERLOO.CA
i) Go to Start -> Run and enter ping ist.uwaterloo.ca
ii) You should see some responses coming back from ist, and not an error message.
iii) You can check the network settings once they are setup by launching a command prompt (CMD) and typing ipconfig /all. All the network settings should be there.
6. Click OK, Close
7. Close the Network Connections window
For all on-campus machines including on-campus self-managed and ADS PCs:
UW has a WSUS server that mirrors the Microsoft one in terms of patches offered. We however delay distribution until they are properly tested with the applications used by Academic Support. Patches are expedited according to their importance.
To update your workstation to point to the UW WSUS server follow the steps outlined at:
For all home-bound machines & Notebooks that go off-campus:
There may be reasons to not have a PC call back to UW. In this case, since patching is still very important:.
1. Right-click My Computer/Properties/Automatic Updates
2. Check Keep My Computer Up To Date
3. Set to Automatically Download the Updates
Set the time to 5:00 AM everyday (IST chosen time. Another may be more appropriate.)
1. Right-click on the desktop and select Properties
2. Go to the Screen Saver tab
a) Set your favourite screen saver
b) Set the Wait time to 30 minutes (default is 10)
c) Check Password Protect. (default is no password)
d) Click Apply
The following changes make the PC more secure. Many are re-applied automatically if you join ADS as mandatory policies.
Go to Start Menu\Settings\Control Panel\Administrative Tools\Local Security Policy (shortcut: go to Start/Run and open secpol.msc)
1. Position the window so it is fully visible.
2. Under Account Policies\Password Policy, change the following options:
Maximum Password Age 0 (default is 42 days)
Minimum Password Length 7 (default is 0)
Passwords must meet complexity requirements Enabled (default is disabled)
3. Under Account Policies\Account Lockout Policy, change the following options:
Account Lockout Threshold 15 (default is 0)
Account Lockout Duration 5 (default is not applicable)
4. Under Local Policies\Audit Policy, change the following options:
Audit Account Logon Events Check the Success and Failure options (default is both unchecked)
Audit Logon Events Check the Success and Failure options (default is both unchecked)
5. Under Local Policies\User Rights Assignment, change the following options:
Access this computer from the Network Uncheck (or remove) all entries
Change system time Add Everyone
Log on locally Remove (or uncheck) the xxx/Guest account
6. Under Local Policies\Security Options, change the following options:
Interactive Login: Do Not Require CTRL+ALT+DEL requirement for logon Disabled
Microsoft Network Client: Send unencrypted password to connect to third-party SMB servers Enabled
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts Enabled
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares Enabled
Shutdown: Clear virtual memory pagefile Enabled
(SAM accounts are Anonymous connections from legacy Windows days)
7. Close the Local Security Settings window.
To compare the details of recommendations from various sources, compared with what IST has implemented see:
To see even more detail, including the default Windows XP setting see:
Always keep the Service Pack level of the operating system, and all applications, up-to-date. The latest service pack can be accessed at:
- WXP SP2 does not detect our Symantec Antivirus software so Disable Virus Protection Monitoring
1. Disconnect any network drives you may have connected. They will need to be manually reconnected later. Some critical updates do not install properly when a read-only network drive is present.
2. Launch Internet Explorer
3. Go to Tools menu/Windows Update.
a. If you receive a security warning from Windows asking you to Always Trust Content From Microsoft, read the contents of the window to make sure it is valid, and then click Yes
b. Check the Critical Updates area. Update to the latest Service Pack first (as described above). Then apply critical updates.
NOTE: Only apply critical patches unless you feel lucky. So-called “Recommended” patches are not fully regression tested and can break certain combinations of installed applications or hardware. Some can NOT be removed (without a rebuild). Many are frequently updated using the same name and number.
c. You will likely have to reboot.
d. You may have to do these last few steps several times, as not all patches can go in at the same time.
e. Review the other Windows Updates and Driver Updates areas to see if there are other things to patch and update. Install if you think they are necessary.
f. Some of the Windows Updates are new application versions like Movie Maker, Tablet PC programs, etc. Go ahead with these.
Windows XP SP2 introduced a stricter security model. Before this, and before restricting the many protocols we now block at the front-end router of the University network (see http://noc.uwaterloo.ca/cn/Stats/blocked ), we installed a local IPSEC policy to do some of what Windows Firewall does now.
If you wish to further lock down your workstation to restrict it to specific hosts or subnets see http://win2k/IP_Security/index.htm for notes on how.
In order to allow your workstation rights to access more secure internet sites on campus, as a trusted host, add the UW/IST Security Certificate.
1. Launch Internet Explorer and go to http://ist.uwaterloo.ca/security/IST-CA/
2. Click on Click Here
3. Click Open to execute certificate
4. Click Install Certificate
5. Click Next
6. Select Place All Certificates In The Following Store & click Browse
7. Check Show Physical Stores
8. Expand Trusted Root Certification Authorities & select Local Computer entry
9. Click OK, Next, Finish, OK, OK
10. Test by clicking on Secure Page Demonstration from the IST-CA page.
a. You should get a warning about viewing pages over a secure connection, and the padlock icon should be present in the taskbar of the browser window.
b. You should not get a warning about security alerts, and not being able to view this page securely. Without the certificate installed, you should always get Security Alert dialogs when viewing https secure pages.
This changes the permissions on all the elements under the Start Menu to be readable to all, but changeable only to Administrators. It does allow user-preference customization.
1. Go to C:\Documents and Settings\All Users
2. Right-click on the Start Menu icon, select Properties and go to the Security tab
3. Click on the Power Users entry under the Group or User Names field
4. Click Advanced button
5. Unselect Inherit from Parent the Permission Entries…
6. Click Copy in the window that pops up and OK
7. Click OK to the Advanced window
8. Unselect the Allow checkmark on Modify and Write. Read & Execute, List Folder Contents & Read should be checked.
9. Click Apply
10. Check that the settings for Users and Power Users settings are now the same, except for Special Permissions
11. Select Power User again
12. Click the Advanced tab
13. Remove any entry that starts with Deny – Power Users
14. Select Allow Power Users… entry
15. Click Edit button
16. Uncheck Delete Subfolders & Files & Delete under the Allow column
17. Click OK
18. Click Apply, OK, OK
19. Check that the power user permissions for an object inside a folder in the Start Menu only has Read & Execute and Read checked under the Allow column.
20. Close all windows.
NOTE: Be sure to read the descriptions associated with these services in case something special running on this PC requires them.
This disables some unnecessary services from running, taking up resources, and removing a potential security threat.
1. Right-click My Computer/Manage
2. Expand and reposition the window
3. Expand the Services & Applications tab
4. Select Services
5. (Shortcut: Go to Start/Run and open services.msc)
6. Double-click the following services listed (some are not installed, and hence don’t exist). Under Startup Type select Manual (if it isn’t already) and click the Stop button to stop the service if it is running.
Terminal services cannot be stopped via the Stop button. Set it to Disabled and reboot the system to get the service to stop.
Service Name Installed? Initial Status Started? Set to
Computer Browser installed automatic Yes disabled
Messenger installed automatic Yes disabled
SSDP Discovery installed manual Yes disabled
Terminal Services installed manual Yes disabled
Universal Plug & Play Device Host installed manual No disabled
Close this window
You would think that all the important patches were already applied in an earlier step and we are quite secure, but possibly not so. Microsoft only shows the critical patches when using Windows Update and there could still be possible security holes you don’t know about. All images must be checked for security flaws before they are deployed.
There are two tools that Microsoft provides for patch and security checking. The first one is HFNETCHK, and the second one is MBSA (Microsoft Baseline Security Analyzer). The first is a text-based tool, the second is GUI-based.
Using the MBSA and HFNETCHK tools, you might see many more patch recommendations for specific problems which are not considered critical. Review the documents referred to and patch the security holes accordingly. Always reboot after patch installations or either tool might not know that the patch was applied.
1. Go to http://www.microsoft.com and search for HFNETCHK (this is part of MBSA)
a) Download the HFNETCHK application to the desktop
b) Execute it and install it to c:\hfnetchk
c) Launch a cmd window, and go to the c:\hfnetchk folder
d) Enter hfnetchk –z –v (This will connect to Microsoft, download a security update & patch database)
e) It will scan the PC for non-critical patches which have not been installed, and tell you which ones are missing via a Q###### document number.
f) Check the document # (Q######) on http://www.microsoft.com/technet to see if it really necessary to install it.
g) Delete the HfNetChk folder when done
a) Download from http://www.microsoft.com
b) Accept the install defaults
c) Uncheck Place Shortcuts On The Desktop
d) Uncheck Show Readme File After Installation
e) Uncheck Launch Application After Installation
Run it and let it analyze your system. It analyzes some of what HFNETCHK does, but it also checks a whole lot more. If things come up flagged check with our senior technologist, security Reg Quinton (email@example.com).
1. Select Scan A Computer
2. Select Start Scan
3. Look for all Red and Yellow X markings. These indicate areas of concern.
NOTE: Due to the nature of our campus firewall now, many of these tests show nothing wrong.
a. Go to the Windows NT/2000/XP Hardening section and choose the Penetration Test option
b. Select Free On-Line Virus & Security Check (or go to http://security.symantec.com).
i. Under Security Scan, click Start
ii. From this page, select Scan For Security Risks
c. Select Gibson Research Corporation shields test (or go to http://grc.com)
i. Select the Shields Up test
ii. Do the Test My Shields test
iii. Do the Probe My Ports test
d. If anything comes back as bad, consult with Reg Quinton regarding how to fix it.
e. Ports like 135 (RPC), 139 (NetBios) & 445 (Windows SMB) might come back as exposed. However, with the IPSEC filtering which was installed earlier, these ports should now be closed to off-campus exposure.
2. Reg Quinton (firstname.lastname@example.org) can do a remote security scan of the machine. He will report if anything unusual or bad comes back.
3. Go to c:\windows\Downloaded Program Files, This is where the downloaded ActiveX components are kept.
a) Right-click on the Symantec RufSI icon & select Remove
Any others which also appear to not be needed should be removed.
Windows XP can be installed a variety of ways. If you are not sure all driver information is present on the hard drive it is possible to remove any possible dependency that Windows has to its source CD. This change can make the image totally independent from its install source. The only trouble is the i386 folder is rather large, ~400-500 Mb.
When working with a pre-installed OS or a Notebook upgrade, check the registry entry below first to see where it is pointing. If it is pointing to a location on the hard disk (c:\...) and not the CD-ROM drive letter, then this step does not need to be done.
I’m not so sure this step is necessary as Windows 2000/XP maintains a driver cache and driver.cab files in the local hard disk.
1) Insert the Windows install CD & cancel the auto-run.
2) Open up the CD and find the i386 folder.
3) Copy the i386 folder from the install CD to c:\windows
4) It is rather large so this takes a while.
5) Once done, go to Start/Run and type Regedit
6) Find the key HKEY_LOCAL_MACHINE/Software/Microsoft/Windows_NT/CurrentVersion
7) Change the SourcePath key to point to c:\windows\i386
1) Right-click on the desktop and select Properties
2) Go to the Settings tab.
a) (Notebook and other LCD screens (i.e. ALL flat screens)) Leave the settings as they are.
b) (For most CRT monitors) Change Screen Resolution to 1024x768
i) Set Color Quality to Medium (16 bit)
ii) Click Apply
iii) Set refresh rate to 75 Hz.
3) Go to the Appearance Tab
a) Click the Effects button
b) Check Use the following transition effect
i) Select the fade effect
c) Check Use The Following Method To Smooth Edges Of Screen Fonts
i) Select the Standard method
d) Uncheck Use Large Icons
e) Check Show shadows under menus
f) Check Show Window Contents While Dragging
g) Check Hide underlined letters for Keyboard Navigation
h) Click OK & Apply
4) Select Desktop tab
a) Select None for the Background and click Apply
b) Select Customize Desktop button
i) Check My Documents
ii) Check My Computer
iii) Uncheck My Network Places
iv) Uncheck Internet Explorer
v) Under Desktop Cleanup, uncheck Run Desktop Cleanup Wizard Every 60 Days
c) Click OK, Apply & OK
5) (not for Notebook builds) Go to Control Panel/Power Options (all options might not be visible)
a) Select Power Schemes tab.
i) Power Schemes should be set to Home/Office Desk
ii) Turn Off Monitor should be set to After 1 Hour
iii) Turn off Hard Disks should be set to Never (might not be there)
iv) System Standby should be set to Never (might not be there)
v) System Hibernates should be set to Never (might not be there)
b) Go to Hibernate Tab (might not be there)
i) (Not Notebook) Uncheck Enable Hibernation
ii) (for Notebooks) Leave setting as it is.
c) (Notebooks!) Set a Hibernation Password: This is usually set from whatever power-management tools were provided by the Laptop vendor, or Microsoft.
d) Click Apply & OK
6) Right click the Taskbar then select Properties
a) From the Taskbar tab set the following options
i) Uncheck Lock the taskbar
ii) Uncheck Auto-hide the taskbar
iii) Check Keep the taskbar on top
iv) Check Group similar taskbar buttons
v) Check Show Quick Launch
vi) Check Show the clock
vii) Check Hide Inactive Icons
b) From the Start Menu tab, click Customize in the Start Menu area and select the Advanced tab
i) Check My Network Places in the Start Menu Items list (default is unchecked)
ii) Set Display As A Menu for the following items in the Start Menu Items list: (default is no cascading for any)
(a) Control Panel
(b) My Computer
(c) My Documents
(d) My Music
(e) My Pictures
(f) Click OK, Apply, OK
7) Open up My Computer
a) Go to View menu
i) Under Toolbars menu, select Standard Buttons and Address Bar. Others should not be checked (like Lock The Toolbars) (default is locked)
ii) Check Status Bar (default is off)
iii) Select Icons (default is Tiled)
iv) Under Arrange Icons By… check Show In Groups (default)
b) Go to Tools menu, Folder Options, General tab
i) Select Show Common Tasks in Folders (default)
ii) Select Open Each Folder In The Same Window (default)
iii) Check Double-Click To Open An Item (default)
c) Go to View tab
i) Uncheck Automatically search for network folders and printers (default is checked)
ii) Check Display File Size Information In Folder Tips (default)
iii) Check Display Simple Folder View In Explorers Folders List (default)
iv) Uncheck Display The Contents Of System Folders (default)
v) Check Display The Full Path In The Address Bar (default)
vi) Uncheck Display The Full Path In The Title Bar (default)
vii) Uncheck Do Not Cache Thumbnails (default)
viii) Select Show Hidden Files And Folders (default is do not show)
ix) Unselect Hide Extensions For Known File Types (default is show extensions)
x) Check Hide Protected Operating System Files (default)
xi) Uncheck Launch Folder Windows In A Separate Process (default)
xii) Select Show And Manage The Pair As A Single File (default, if this option is showing)
xiii) Check Remember Each Folders View Setting
xiv) Uncheck Restore Previous Folder Windows At Logon (default)
xv) Uncheck Show Control Panel in My Computer (default)
xvi) Check Show Encrypted Or Compressed NTFS Files In Color (default)
xvii) Check Show Pop-Up Descriptions For Folders And Desktop Items (default)
xviii) Uncheck Use simple file sharing (so that we can see the Security tab on file properties) (default is enabled)
xix) Click Apply
xx) Click Apply To All Folders button to apply these setting to all folders
xxi) Click Yes
d) Go to Offline Files tab
NOTE: Offline files is only useful if you have directories (like a home directory) on a server and your PC regularly gets disconnected from the campus network (like a notebook).
i) (NOT for notebooks) Uncheck Enable Offline Files (default is enabled)
ii) Click Apply, OK
e) Go to My Computer/Properties/Advanced tab
i) Click the Error Reporting button
ii) Select Disable Error Reporting. (default is enable error reporting)
(a) Check But Notify Me When Critical Errors Occur (default)
iii) Click OK
f) Go to the System Restore tab
i) uncheck Turn off system restore (this enables it, and it likely is already unchecked)
g) Go to Remote tab
i) Uncheck Allow remote assistance (default is to allow)
ii) Uncheck Allow users to connect remotely. (default)
NOTE: These settings change between service packs. Only the recipient of the PC (or recipient’s departmental rep.) can properly decide if Remote Desktop if useful. We do not use remote assistance in Academic Support.
h) Click Apply & OK
These are additional steps applied to complete the usability, and the look and feel of the image.
1) Add a shortcut to Notepad & Wordpad in the SendTo folder in the Administrator profile
a) Copy the existing shortcuts from the Start/Programs/Accessories folder
b) Copy them to c:\documents and settings\administrator\sendto
2) Move Recycle Bin icon to be underneath the My Computer icon
3) OS Software Configuration
a) Go to Control Panel/Add & Remove Programs
b) Click on the Add/Remove Windows Components button
c) Uncheck MSN Explorer entry
d) Click Yes to MSN Explorer Uninstall
e) The component will be removed.
f) Click Finish
4) Set C Drive Label (Optional)
a) Open up My Computer
b) Check the label on C: We set ours to WINDOWS.
5) Remove LINKS Folder from the Favorites Directory
This procedure keeps this folder entry from coming back after you delete it.
a) Run Regedit
b) Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
c) Find the string LinksFolderName
d) Modify it to a blank entry
e) Exit Rededit
f) Delete the LINKS folder from Favorites
6) Add TEMP folder
Some applications still want one of these, rather than using the local user’s temp space. It’s also handy as a temporary storage space for restricted users since access to the C: drive is limited.
a) Open up My Computer/C drive
b) Create a new folder called TEMP
This is necessary to reclaim the 20% of the network bandwidth that QoS (Quality Of Service) sets aside by default for itself. It has been reported that some machines won’t start up properly with QoS enabled.
1. Go to Start/Run and enter gpedit.msc. This launches the Microsoft Management Console and runs the Group Policy Editor
2. Expand Administrative Templates under Computer Configuration
3. Expand Network
4. Select QoS Packet Scheduler folder
5. Double-click Limit Reserve Bandwidth option
6. Click Enable and enter 0 in the bandwidth limit box.
7. Click Apply, OK and close the group policy window
This modifies the standard rule in the Search window to search all files, rather than only the registered file extensions.
1. Go to Start/Search
2. Click Turn Off Animated Character
3. Click Change Preferences
4. Click With Indexing Service (for Faster Local Searches)
5. Click Change Indexing Service Settings (advanced)
6. On the toolbar, click Show/Hide Console Tree icon
7. In the left pane, right-click Indexing Service On Local Machine/Properties
8. Select Generation tab, and check Index Files With Unknown Extensions box
9. Click OK
10. Close the Indexing Service console
This removes the Shared… group of folders that exist under My Computer.
1. Go to Start/Run & type gpedit.msc
2. Under User Configuration, expand Administrative Templates
3. Expand Windows Components
4. Click on Windows Explorer
5. Double-click Remove Shared Documents from My Computer
6. Select Enabled
7. Click OK
This procedure adds new time servers to local ones, sets Windows to use one of the new servers, and changes the poll interval to something more frequent.
NOTE: This procedure is only required outside of the ADS domain. (It won’t work inside ADS.) When you join ADS it automatically assigns a common domain-wide time server (and the Internet Time tab is removed from the Date & Time control panel).
1. Run Regedit
2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Datetime\Servers
3. Add a new String Value & name it to the next number in the time server list.
4. Modify the entry & add the name of the URL for the time server. Some local ones to choose from are:
1. Go to Control Panel/Date & Time
2. Make sure the date is correct.
3. Check that the Time Zone is set correctly
4. Select the Internet Time tab
5. Under Server, select a local one (ntp1.uwaterloo.ca)
6. Click Apply.
7. Click Update Now & OK
Change the Update (Poll) Interval (only if you want the time checked more often than every 7 days)
1. Run Regedit
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NTPClient
3. Modify the SpecialPollInterval key (default is 6040800 seconds, or 7 days)
a) For every day, use 86400 (seconds)
b) For every two days, use 172800
Remove the Language Bar from the Toolbar (unless you want it)
1. Right-click on the Language Bar in the Toolbar and select Settings
2. Click Language Bar button
3. Uncheck Show The Language Bar On The Desktop
4. Uncheck Show Additional Language Bar Icons In The Taskbar
Convert Windows XP Desktop to Windows 2000 Classic Mode (CUSTOM & NOTEBOOK only, only if the customer wants the classic 2000 look)
There will be some clients that want Windows XP to look like Windows 2000, as that is the OS they are comfortable with. This procedure converts the look of Windows XP to a more classic style, but it won’t be identical to Windows 2000.
1. Right-click Desktop/Properties/Appearance tab
a) Under Windows & Buttons, select Windows Classic Style
2. Right-click Taskbar/Properties
a) Uncheck Lock the Taskbar
b) Uncheck Group Similar Taskbar Buttons
c) Check Show Quick Launch
d) Uncheck Hide Inactive Icons
e) Select the Start Menu tab
f) Select Classic Start Menu & click Customize button beside it
g) Check Display Logoff
h) Uncheck Use Personalized Menus
i) Click OK, Apply, OK
3. Open My Computer
a) From the View menu:
b) From the Toolbars entry, uncheck Lock The Toolbars
c) Check Status Bar
d) Select Icons
e) Under Arrange Icons By… uncheck Show In Groups
f) Under Arrange Icons By… select Name
g) From the Tools menu/Folder Options:
h) Select Use Windows Classic Folders
i) Select Open Each Folder In Its Own Window
4. Run Regedit
a) Find HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Theme Manager
b) Edit the DLLNAME entry, changing it to &SystemRoot%\Research\Themes\Windows Classic.theme
5. Run Regedit
a) Find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
b) Add a new String Value called UseSearchAsst
Modify its Value Data to say no
1. Remove extra icons from the System Tray and Quick Launch bar.
a) Typically the Quick Launch bar should only have
i) Internet Explorer
ii) Show Desktop
b) Typically, the System Tray should only have:
i) Norton AV (the gold shield icon, if installed)
ii) Volume control
iii) Intellimouse (if installed, the arrow icon)
iv) If you are not connected to the network, then you will likely see the network connection icon with an X through it. Just ignore it.
v) There might be a sound card control panel. You can leave this one.
vi) If there is a red ATI icon, try to remove it.
2. Add Outlook Express icon to the Quick Launch bar
a) Copy it from Start/Programs
3. Remove all unnecessary icons & shortcuts from the Desktop, except for:
a) My Documents
b) My Computer
c) My Network Places
d) Recycle Bin
4. Check to see if Administrative Tools has re-appeared under the Start/Programs menu (sometimes it gets reenabled). If it is, turn it off.
a) Right-click the Taskbar/Properties/Start Menu tab/Customize/Advanced tab
b) Uncheck Display Administrative Tools
c) Click Apply & OK
a) Go to Start/Settings/Control Panel
b) Right-click on any entry in the Control Panel and select Sort by Name from the drop-down menu
a) Right-click Taskbar/Properties/Start Menu tab/Customize button
b) Under Programs, click Clear List button
a) Add a shortcut to c:\windows\winipcfg.exe to the Accessories folder. Rename it to Windows IP Configuration
b) Add a shortcut to c:\windows\system32\mplay32.exe to the Accessories folder. Rename it to Windows Media Player 5
c) Add a shortcut to c:\Programs Files\Windows Media Player\mplayer2.exe to the Accessories folder. Call it Windows Media Player 6.4
Put the Eudora shortcut in the Quick Launch bar
d) For ADS builds, put the shortcut to Eudora.CMD there instead
e) For HOME builds, put the shortcut to Eudora.EXE there instead
f) Rename the shortcut to Eudora when done
Re-arranging the Programs Folder can be a little difficult. It takes experimentation and some daring to get it right. This is what the layout of a generic build should look like. Move the items around until this is what it looks like.
Items that you see in the Programs folder are a combination of All Users and Administrator, and that’s why it is difficult to arrange. Opening just the Administrator Programs folder only gives you part of the whole picture. The rest is contained in All Users. The permissions (who can view, edit, execute, etc) are not the same between the two.
Look below in this section for the title called Programs Folder Layout Overview. This contains the overall layout of the Start Menu, and where the application shortcuts should be put. Study it to see what folders and shortcuts you have or need, depending on what software was installed.
Open the Administrator Programs folder
1. Right-click on the Start button & select Open
2. There should only be a Programs folder here. Any other icons should be deleted
3. Open the Programs folder, closing the previous window.
4. Position the Programs window in the top-left corner of the screen. This is the Administrator Programs folder, where things will be moving from.
Open the All Users Programs folder
1. Right-click on the Start button again & select Open All Users
2. There will likely be a few extra icons here, besides the Programs folder. Except for Programs, New Office Document & Open Office Document, delete all others.
3. Open the Programs folder, closing the previous window.
4. Position this Programs window to the top-right of the screen. This it the All Users Programs folder, where we will be doing most of the work.
Copy Items from Administrator folder
1. Except for the Accessories, Administrative Tools & Startup folders, copy & paste all others to the All Users folder, and then delete the original ones from the Administrator folder. Do not cut & paste or simply Move them as this will not work properly. The permissions between the Administrator folder and the All Users folder are not the same, and the only way to properly inherit the permissions in the destination folder (All Users) is to Copy & Paste.
2. Once the items are copied, close the Administrator Programs folder window. We will now focus our attentions on the All Users Programs folder.
Create custom UW folders
1. In the All Users window, look for or create the following folders:
a) Internet Tools
b) Microsoft Office (might already be there)
c) Planning & Organizing
d) Text & Document Tools
e) UW Admin Apps
f) Multimedia Tools
g) Security Tools
2. Inside of the Internet Tools folder, create the following folders
a) File Transfer
c) Remote Login
d) Web Browser
e) Web Authoring (if any of these applications are installed)
Re-arrange the icons in the All Users folder so that the folder structure is the same as that detailed below. Folders and entries that are hard to classify like system-board related items should be moved to appropriate folders under Accessories.
1. Accessories folder layout (contains default Microsoft support applications)
a) Accessibility (folder)
b) Communications (folder)
c) Entertainment (folder)
d) Games (folder)
e) System Tools (folder)
f) Windows 2000 Professional Resource Kit (folder)
g) Microsoft Intellipoint items
h) Address Book (shortcut)
i) Calculator (shortcut)
j) Command Prompt (shortcut)
k) Imaging (shortcut)
l) Notepad (shortcut)
m) Paint (shortcut)
n) Synchronize (shortcut, this is the Windows app, a blue-grey icon, not the admin one) NOTE: This is being replaced with Oracle Calendar!!
o) Windows Explorer (shortcut)
p) WinZIP (shortcut)
q) Wordpad (shortcut)
2. Corel Office Suite (only if any of these applications are installed)
a) Corel Startup group
b) WordPerfect, etc
3. Data Analysis (only if any of these applications are installed)
4. Graphics & Design (only if any of these applications are installed)
a) Corel Draw
b) Smart Draw
c) PhotoEditor (from Microsoft Office)
e) Desktop Publishing tools
f) Adobe Photoshop
g) Adobe Photoshop CS
h) Adobe Photoshop Elements
i) Adobe Photoshop Album
j) Microsoft Visio (shortcut)
k) Microsoft Visio 2003
l) Adobe ImageReady (part of Photoshop)
5. Internet Tools folder layout
a) File Transfer (folder)
i) Secure File Transfer Client (shortcut)
ii) WS_FTP (shortcut)
i) Eudora (shortcut, delete the original folder)
ii) Outlook Express (shortcut)
iii) Outlook (from Microsoft Office)
v) Netscape Mail (shortcut, it it’s installed)
d) Remote Login
i) Admmail (shortcut)
ii) Benefactor (shortcut)
iii) Finadm (shortcut)
iv) Fininqadm (shortcut)
v) IST (shortcut)
vi) MC1Adm (shortcut)
vii) Netterm (shortcut)
viii) Secure Shell Client (shortcut)
ix) Seepac (shortcut)
x) Universe (shortcut)
xi) X-Win32 (folder)
xii) QWS3270 Terminal Emulator
e) Web Browsers
i) Internet Explorer (shortcut)
ii) Netscape (shortcut)
f) Web Authoring (only if any of these applications are installed)
i) Macromedia Flash (folders, all applications)
ii) Macromedia Fireworks
iii) Macromedia Dreamweaver
iv) Microsoft Frontpage
v) Web Weaver 98 (folder)
vi) Macromedia Contribute
g) Java Tools
i) Sun Java Web Start
6. Math & Scientific (only if any of these applications are installed)
c) Mathsoft Apps (Mathcad & extras like VisSim, VoloView, SmartSketch, IBM TechExplorer)
e) Scientific Workplace
g) Plotting packages
7. Microsoft Office menu layout
a) Microsoft Office Tools (folder)
b) Microsoft Access (shortcut)
c) Microsoft Excel (shortcut)
d) Microsoft Powerpoint (shortcut)
e) Microsoft Word (shortcut)
8. Multimedia Tools
a) Quicktime Player
b) Windows Media Player
c) ATI Video
d) Advanced Audio
9. Planning - Organizing
a) Synchronize (shortcut, this is the red icon) Note: This is being replaced by Oracle Calendar
b) Microsoft Project
d) Meeting Maker
e) Oracle Calendar Client
f) Microsoft OneNote 2003
10. Security Tools
a) Symantec/Norton AV
c) TCP View
d) Windows IP Config
e) Spybot Search & Destroy
12. Text & Document Tools
a) Acrobat Reader 5.0 (shortcut)
b) Acrobat Creator
c) Acrobat Distiller
d) Ghostscript Viewer
f) NoteTab Lite
h) Reference Manager
i) ActivePDF Composer
13. UW Admin Apps
a) Web Access To UWDIR (shortcut)
b) Any non-webified corporate software or required tools
14. Once organized, arrange all levels of the start menu alphabetically
a) Right-click on Taskbar\Properties\Advanced tab
b) Click Re-sort & OK
15. Check that the Start menu is now sorted (all levels). If it’s not, you have to do it the hard way.
a) Right-click Start menu, open Programs
b) From each folder and subfolder, right-click on an entry and select Sort By Name
c) This procedure takes a while, but it works.
Windows Messenger Changes (if installed)
We don’t want this program launching every time Windows starts up after Outlook Express has been used.
a) Launch Windows Messenger (run MSMSGS.EXE if you can’t find the icon to launch)
b) Go to Tools menu/Options, Preferences tab
c) Uncheck Run This Program When Windows Starts
d) Exit Messenger
e) Right-click on the Messenger icon in the System Tray and select Exit
We also don’t want Messenger running each time Outlook Express is launched
a) Run Regedit
b) Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express
c) Create a new DWORD Value called Hide Messenger
d) Modify the Value Data to 2
e) When done, the new entry should be Hide Messenger REG_DWORD 0x00000002 (2)
Set Primary DNS (not for off-campus Notebook and HOME builds)
6. Go to Start/My Computer/Properties/Computer Name tab/Change/More button
7. For the entry area labeled Primary DNS Suffix Of This Computer
a) For an ADS build enter ads.uwaterloo.ca
b) For all other builds enter uwaterloo.ca
8. Uncheck Change Primary DNS Suffix When Domain Membership Changes
9. Click OK, OK. You don’t have to restart if you don’t want to.
Create UWDIR Access link
1. Right-click Start menu/Open All Users & open Programs folder
2. Create a new folder called UW Admin Apps and open it.
3. Create a new shortcut
a. For the entry called Type the location of the item enter http://ego.uwaterloo.ca/~uwdir
b. Click Next
c. For the entry called Type A Name For This Shortcut enter Web Access to UWDir
d. Click Finish
4. Right-click on the new shortcut and select Properties
a. Select Change Icon
b. In the File Name entry type in C:\Winnt\system32\shell32.dll
c. Select the Magnifying Glass on Paper icon
d. Click OK, Apply & OK
2. Execute the shortcut to make sure it works
Applications on computers joining ADS are installed from MSI (Microsoft Installer) files. These MSI’s have been built to “phone home” if updates or fixes are required.
1) Map Network Drives
a) Go to Start menu, open up My Computer.
b) Go to Tools menu and select Map Network Drive
c) If building an ADS image, map another drive to \\uwfile\apps$ using drive letter F. This drive contains the MSI files for most of the ADS applications.
i) Enable reconnect at logon
ii) Click on different user name and use ads\!username and the proper password for access.
iii) Click OK & Finish to create the network drive
This installs all the core applications via the Active Directory Software Policy. All the standard applications will get installed automatically.
1. Check that the PC name is correct, registered & pre-staged in the ADS domain & the Ethernet card speed & duplex is properly set (not auto-detect). If any of these steps are wrong, the software policy likely won’t run and the packages won’t install.
2. Add the machine to the ADS domain.
3. Once added to ADS, the Administrator account will be renamed to istAdministrator. Remember this because the login window will still say Administrator and you won’t likely be able to login.
4. Reboot the system and let the software policy run. This will install all the standard deployed applications. Before the login window appears, you should see some messages regarding Applying Software Policy Settings which will take several minutes to complete.
5. If the policy didn’t run (software definitely didn’t install, no messages before the login window) wait for a time and reboot again. If it really doesn’t look like the policy is running, check all the criteria from the first step.
6. If the policy is trying to run, but it runs very fast (less than a minute), contact someone in the NTMAINT support group. It is possible that the network source for the software is having a communications problem, and someone will have to look at it.
7. Once all deployed software has installed and the system is sitting at the login window, login as Administrator.
8. Launch each application to get them completely installed. Some applications like to check with their MSI install source before fully functioning. You will likely have to map a network drive manually to \\uwfile\apps$ for some of the MSI packages to run at all.
9. If the language bar comes up in either the System Tray, Taskbar or on the Desktop after launching one of the Office products, remove it.
a) Right-click on the language bar & get settings
b) Click Langauge Bar button
c) Uncheck Show Language Bar on Desktop
10. Remove the machine from the ADS domain and put it back into the WORKGROUP workgroup. Windows XP will demand authentication to remove the machine. An ads Administrators account will be required.
11. You can check the state of the ADS software policy by running gpresult /z from a cmd window. It can be rather wordy, but it’s worth a look. The Core Application List for Dec. 2004 is:
a) Acrobat Reader 5.1
b) Eudora 6.1
c) Microsoft Office XP with SP3
d) SSH 3.2.9
e) Oracle calendar 9.0.4
f) Oracle Connector 9.0.4
g) Windows 2000 Resource Kit
12. Once the machine is removed from ADS, rename the istAdministrator account back to Administrator.
a) Right-click My Computer/Manage/Local Users and Groups/Users
b) Right-click on istAdministrator and select Rename
c) Change the name back.
d) Close the Computer Management window
As mentioned elsewhere we encourage all workstations, and that includes desktops and notebooks, in Academic Support to join the ADS domain. We do this not only to provide easier access to Academic Support computing resources but also the allow IT staff to be able to help manage these PC’s in case of trouble.
Many policies are available, as discussed in the Security Section, to be applied to workstations that join ADS. Most are applied for security reasons, and updated if new concerns, software or services packs require it (or allow enhanced features).
Software, as seen below, is applied from central file shares on managed machines. This allows the applications to repair themselves if key files get deleted or additional features are enabled. Applications on non-managed PCs is typically installed from the manufactures CDs or web site. Allowing distribution from on-campus file servers is being discussed.
Usability is a big issue with most managed clients. See the Usability Features section to see what changes you can apply to help make you more productive.
TO BE CONTINUED AS ANSWERS BECOME AVAILABLE
The following section is documented the way we in IST add applications to a workstation. We offer the applications to be installed in a customized installer package called an MSI (Microsoft Installer). These are slightly different than the versions installed from the original manufacturer’s CDs in that they have some UW customizations applied. Another advantage is: Installing from MSI files does allow the application to self-heal in the event that they get damaged, so long as the source files remain.
At the moment the only way these MSI’s can be accessed is with an administrative account that has been granted access. Changing this is being discussed.
If building an ADS image, map a drive to \\uwfile\apps$ using another drive letter. This drive contains the MSI files for most of the ADS applications.
a. Enable reconnect at logon
b. Click on different user name and use ads\!username and the proper password for access.
c. Click OK & Finish to create the network drive
Windows XP comes pre-installed with version 8.1 It is likely a good idea to verify what version is installed before download and installing another one. You can determine what version is installed by starting a command prompt and running dxdiag.exe. Look for the DirectX Version line.
If there is a newer version, install it now. Download it from http://www.microsoft.com. Check for and install any sub-revision updates (like 9.0B).
This software is used by sound & video cards, which are installed after this. Once installed, verify that it installed properly. Execute the dxdiag.exe application from the RUN box to check the install.
Adobe Acrobat Reader (homepage: http://www.adobe.com)
Note: As the Oracle Government Financials (OGF) is only compatible with Acrobat 5.1, stick with this version for now. This applies to all versions of the image build.
Eudora (homepage: http://www.eudora.com)
Secure Shell Client (SSH) (homepage: http://www.ssh.com)
i. Execute Secure Shell Client
ii. Go to Help menu/Import License File
iii. Browse to the SSH folder on the install CD and point to the license.dat file.
Windows 2000 Resource Kit
NOTE: A Windows 2003 Resource kit is also available from Microsoft. (No Windows XP Resource kit was released.)
IST uses some of the features of the Windows 200 Resource Kit on occasion, for management. It is not a necessity for notebooks or home computers.
Second NOTE: The install location mentioned is available to ADS administrators only. Others are encouraged to download this from Microsoft.
1. Install from the MSI files from \\depot$\SupportSoftware_IST_Only\W2K\W2K Professional
2. Accept the license agreement and install defaults
Install Microsoft Office XP Pro (non-ADS)
1. For HOME, CUSTOM & NOTEBOOK, install from the CD set.
a) Create a folder under C:\WINNT (or C:\WINDOWS) called OfficeXPSrc.
b) Insert the OfficeXP CD.
c) Make sure the Show Hidden Files and Folders is enabled. If not, not all the files on the CD will be visible to be copied in the next step and the installation will fail with an “Office Source is Corrupted” message.
d) Copy the entire contents of the Office XP installation CD to OfficeXPSrc. Remove the CD when done.
e) Select all the files now copied on the hard disk, get properties and uncheck the read-only flag.
f) For a full install, including Front Page, launch the installer by double-clicking SETUPPLS.EXE from the OfficeXPSrc directory, not the CD
g) For an install not including Front Page, launch the installer by double-clicking SETUPPRO.EXE from the OfficeXPSrc directory, not the CD.
h) Use the license BVGM7 - QGD2F - TK7MT - V6YPK - 97PMY if needed (UW license)
i) Select Custom install
j) Select Choose Details Installation Options For Each Application
i) Expand the Word for Windows entry (click on the +)
ii) Expand the Wizards & Templates entry.
(a) Click on box beside the More Templates & Macros entry & select Run from My Computer
iii) Expand the Office Tools entry
(a) Click on the box beside the Equation Editor entry & select Run From My Computer
(b) Click on the box beside the Microsoft Photoeditor entry & select Run From My Computer
k) If other features are needed (like the shortcut bar under Office Tools) or not needed (like Frontpage or Outlook) select the box beside the option and select the appropriate option from the drop-down box
l) Click Next & Install
2. Launch Internet Explorer and go to Tools menu/Windows Update.
a) Click the Office Update button.
b) You will be brought to a page where you can check for and install Office patches and service packs.
c) The install of Office patches might take several reboots and you will have to go back to Office Update each time and check for more patches.
Symantec/Norton Anti-Virus Corporate Edition Client
Symantec confirmed a problem with screen flickering in Windows Explorer with SAV versions 8.0x and 7.61 that appear when mapping drives on Netapps file servers. Install the newest version available. (For some this flickering is not noticeable.)
1. For ADS builds, install as managed using the server Aspen as the manager
2. For HOME & Notebook, install from CD as managed from the server ANTIVIRUS
3. For CUSTOM, you could schedule Live Updates directly form Symantec. Note these will not be tested by UW staff first and may affect some applications.
When the bugs are fixed in future versions, use the following install procedure for SAV 8.x:
1. For ADS install directly off of an AntiVirus Server.
a. The install is located at \\aspen\vphome\clt-inst\win32\setup.exe.
i. Use your ads\!username account when asked for authentication
b. Accept the install defaults
2. For HOME builds, install from CD. The CHIP usually has the latest version licensed for campus use.
a. Install as managed from the server ANTIVIRUS
b. Do not schedule any scans
c. Uncheck Run LiveUpdate
d. Once installed, double-click on the Shield icon in the System Tray and click on the Live Update button to download the latest updates.
3. For CUSTOM builds, check with the client if this is necessary or needed
If there is ever a need to remove a managed NAV/SAV install, use Add/Remove Programs to remove it, and use the Installer password for authentication.
Notes: If SAV/NAV will not install, uncheck the Lotus Notes option and try again. If this doesn’t work, reboot and try again.
These applications provide added functionality for the image. The multimedia plugins are installed later.
Windows Media Player & Codecs
f) For CUSTOM builds, check with the client to see if this is necessary
g) XP comes with version 8.0
h) Download the latest from http://www.microsoft.com
i) Accept the install defaults
j) Don’t allow icons on the desktop, Quick Launch bar or Start Menu.
k) Uncheck all options but Retrieve Media Information For CD’s & DVD’s…
Microsoft Intellipoint Drivers (latest stable version is 4.12)
l) For CUSTOM builds, check with the client to see if this is necessary
m) Download from http://www.microsoft.com
n) Run the installer
o) Select Canada as where the product was acquired
p) Accept the license agreement
q) Select the Basic Mouse pointing device
r) Uncheck Place Microsoft Intellipoint Shortcuts On My Desktop
s) Drivers will install
t) Uncheck I Want To Register This Product…
u) Restart system to complete the install
v) Once rebooted, close the Microsoft Intellipoint Quick Start Guide window
w) Download it from http://www.sysinternals.com. An older version is also available on \\uwfile\ps_nt$\Workstation_Building\Common Software\Page Defrag
x) Copy the Page Defrag folder into the C:\Drivers folder. This program will be used later to defrag some of the files which Windows cannot do (like the paging file and active system files)
Perfect Disk (latest is 6.0, only if you want to use this later for image Defragmentation)
y) Download a 30 day trial copy from http://www.raxco.com
z) A 30 day trial copy also resides on \\uwfile\ps_nt$\Workstation_Building\common_software\Perfect_Disk
aa) Once installed, execute it
bb) Go to Tools menu/Advanced Configuration
cc) Under General Settings tab select Stand Alone option
dd) Under Auto-Update tab uncheck Automatically Check For Updates
ee) From inside Perfect Disk, right-click on the C: drive and select Properties
ff) Go to the Offline Defrag Settings tab
gg) Check System Files and Paging Files
Microsoft Baseline Security Analyzer
hh) Download from http://www.microsoft.com
ii) Accept the install defaults
jj) Uncheck Place Shortcuts On The Desktop
kk) Uncheck Show Readme File After Installation
ll) Uncheck Launch Application After Installation
Download from http://www.sysinternals.com. A copy also resides under \\uwfile\ps_nt$\Workstation_Building\common_software\tcpview
mm) Unpack the download and copy the program folder to Program Files
nn) Create a shortcut to tcpview.exe, rename it to something better (TCP View) and put it under c:\documents and settings\all users\start menu
WINIPCFG executable (download from Microsoft)
This is a utility which use to be in the Win9x world, and Microsoft has released a version compatible with the NT kernel, but it is not included on the Windows install CD.
oo) Copy this from \\uwfile\ps_nt$\Workstation_Building\common_software\winipcfg to c:\winxxx\system32
Run Windows Update again, to see if any Microsoft Products that were just installed need updates
These are done here instead of during the application install because sometimes one application affects others. It would be better to complete the software customizations once everything is installed.
a. Execute Acrobat and accept the license agreement. It should never ask for this again. There is no campus license for this as it is for general use.
b. Go to the Edit menu/Preferences
c. Select the Update option
d. Under the Check For Updates drop-down box select Manually
e. Uncheck Show Auto-update Confirmation Dialog
f. Select Web Buy option.
g. Uncheck Enable Web Buy
h. Exit the Preferences window
i. Exit the application. Browse to c:\program files\adobe\acrobat\help\enu and double-click on any of the PDF files there.
f) Execute both the Secure Shell Client and Secure File Transfer Client shortcuts
i) Position the windows so they are centered & fully visible on the screen.
ii) Go to the File menu/Save Layout (or Save Settings)
g) Launch Secure Shell Client
i) Go to Help menu/About Secure Shell
ii) If this version needed a license file, verify that the license key is valid, that is non-expiring, and registered to someone (like Jeff Voskamp)
h) Add a series of Profiles (SSH version 3.2x and higher only) for
i) admmail (admmail.uwaterloo.ca)
ii) benefactor (imagine.uwaterloo.ca)
iii) finadm (fin.adm.uwaterloo.ca)
iv) fininqadm (fininq.adm.uwaterloo.ca)
v) info (info.uwaterloo.ca)
vi) ist (ist.uwaterloo.ca)
vii) mc1adm (mc1adm.uwaterloo.ca)
viii) universe (universe.uwaterloo.ca)
i) Click the Profiles button/Add Profile
ii) Enter the name of the profile
iii) Do this for all the servers needed
i) Click the Profiles button/Edit Profile
ii) Select the Connection tab
iii) Select the Profile name (in the left pane)
iv) Under Host Name, enter the full server address (from the above list, entry in brackets)
v) Click OK
vi) Do this for all the Profiles (except for defaultftp)
i) Click the Profiles button and select the first name
ii) Enter a fictitious login name
iii) Accept the download of the Host Identification Public Key
iv) Cancel the password window
v) Do this for each of the Profiles
i) Exit SSH and save settings if asked.
j) Execute Word to activate the product.
k) Launch Word, Excel and Powerpoint:
i) For each one, go to Tools menu/Customize
ii) Check Show Standard Formatting Toolbars on two rows
iii) Check Always Show Full Menus
iv) Close the Customize window
v) Close the language bar if it has become visible.
l) Fix for Clipart Issues with Office2003
i) Launch Powerpoint XP
ii) Go to Insert/Picture/Clipart
iii) Click on Now to build the Clipart database
m) Fix for Equation Editor
This changes the Equation Editor to work in its own window, rather than inline in the document. This change made as per Carol Vogt’s recommendation.
i) Double-click the file c:\program files\microsoft office\office 10\macros\support.doc
ii) Check Always Trust Macros From This Source
iii) Check Enable Macros
iv) Click Registry Options button
v) Select the Equation Editor Options tab
vi) Select Force Open option
vii) Select Full Window
viii) Click Change button. The Force Open setting should now be set to 1
ix) Close the Registry Options window and exit Word
n) Test Equation Editor changes
i) Execute Word
ii) Go to Insert menu/Object
iii) Under Object Type, select Microsoft Equation 3.0
iv) Click OK
v) You should get a separate window for the Equation Editor
vi) Exit Word
Set Default Home Page
a) Go to Control Panel/Internet Options
b) Select the General tab
c) In the Address field under the Home Page area, enter http://www.uwaterloo.ca
Set Default Programs
a) Select the Programs tab
b) In the E-mail box under the Internet Programs area, select Outlook Express as the default mailer
Set Browsing Options
a) Select the Advanced tab
b) Under the Browsing section uncheck Automatically Check For Internet Explorer Updates
c) Under the Microsoft VM section check Java Console Enabled (only if Sun Java not installed)
d) Under the Security section check Empty Temporary Internet Files Folder When Browser Is Closed
Set Security Levels
o) Select the Security tab
p) Click on each zone entry (Internet, Local Intranet, Trusted Sites, Restricted Sites) and click Default Level
q) Click Apply & OK
Set Default Text Size
a) Launch Internet Explorer
b) Go to View menu/Text Size and select Medium
c) Quit IE
Change Internet Explorer download directory
a) Run Regedit
b) Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
c) Create a new String Value called Download Directory
d) Modify the value to C:\TEMP
a) Execute Notepad & Wordpad
b) Position each window so it is a good size, and fully visible
c) For Notepad, enable Word Wrap (under Format menu/Word Wrap)
a) Execute Regedit
b) Resize & reposition the window so it is all visible and comfortable to work in.
c) Close all the open + tabs
d) Click on the My Computer entry at the top of the left list.
e) Exit Regedit
f) This leaves regedit in a clean state
a) Test them on the Macromedia web site (http://www.macromedia.com). The site should not complain about your browser not having everything it needs to play all the animations, like the Flash player.
r) Execute Outlook
s) Cancel the Setup Wizard
t) Quit Outlook
u) Remove any extra icons from the Desktop and Quick Launch bar
This procedure checks all the applications, making sure they work, and any necessary license files exist in the correct location
1. Execute all applications & test them
2. Run Internet Explorer last to make sure it is set as the default browser
3. Especially important to test are Acrobat, Office and Internet Explorer
4. Run Windows Update again
5. Run Office Update again
6. (not ADS) Run Symantec AntiVirus Live Update again
NOTE: Running all the time as an administrator is strongly discouraged.
SECOND NOTE: We are currently researching whether-or-not we can scale back the permissions most of our clients have on their workstations from Power User to User. If you know already that you need a power user account, this step is for you.
1. Select Action menu/New User
a) For both User Name and Full Name enter a user name you will remember
b) For Description, enter Local Power User Account
c) For both password fields, enter a password you will remember later.
d) Check Password Never Expires
e) Click Create & close the New User window
f) Right-click the user name entry & select Properties
g) Go to the Members Of tab
h) Click Add
i) Select Power Users
j) Click Add & OK
k) Select the Users entry & click Remove
l) Click Apply & Close
This problem was reported by Cathy Cooper of ODAA, Apr 14/04. Apparently without doing this, Windows doesn’t think the Lucida font is fully installed.
v) Open up C:\Windows\Fonts
w) Move out the Lucida Console font file to the desktop
x) Move back the LUCIDA.TTF file back into Fonts
y) A message saying Installing Font should come up.
As discussed in the Introduction more customizations to your Windows XP operating system occur when you join your PC to the ADS domain. Please note that very few policies are considered mandatory. Most are desired by the departments you may be part of and are applied by virtue of departmental (or Organizational Unit) membership.
Advantages to joining your computer to the ADS domain are discussed in “Setting_up_a_Notebook_versus_a_Desktop.htm”. If there is not enough benefit cited there to join the domain the subsections below identify exactly what changes are applied. The example workstation (and user) in the detailed list has been joined to the IST Organizational Unit and has all changes required of that department listed.
These are the policies applied to all workstations that join the ADS domain. The primary reason for most of them is security.
These are the policies applied to a computer joined to a departmental organizational unit, specifically IST in this example.
To see a less detailed summary of policies applied go to: http://winxp.uwaterloo.ca/Documentation/CM/Remote_Changes_Applied_to_Managed_ADS_Workstations.htm
Final, optional, customizations change between releases of Service Packs. None are documented at this time but this section has been left in for now.
This cleans up the area under C:\Documents and Settings, where all the user profiles are stored, as well as removes any unnecessary and potentially dangerous accounts that should not be there. Deleting a profile doesn’t delete the userid that created it, and deleting the userid doesn’t remove the profile associated with it. They must be done separately.
1. Go to Start\Settings\Control Panel\System\Advanced tab
a) Click Settings from the User Profiles area
2. Delete all profiles except for Administrator (you can’t anyways!)
a) If some won’t delete because the Delete button is greyed out, reboot the system
3. Right-click My Computer\Manage\Local Users And Groups\Users
a) Remove all accounts but Administrator, Guest, !uwadmin
b) Windows XP also has the accounts HELP_ASSISTANT & SUPPORT_xxx. Don’t remove these.
4. Close all open windows and do the Remove the Junk procedure again.
Empty the Recycle Bin if there’s anything in it.
This cleans out all the useless files that get left after installing an OS and software. There can be a lot of things left behind. We don’t want any of it to clutter up a new image, and take up value space and installation time on the install CD’s.
1. Go to Control Panel/Internet Options/General tab
a) Click Delete Cookies button
b) Click Delete Files button (and check Include Offline Content)
c) Click Clear History button
d) Close the window
2. Execute Netscape (if installed)
a) Go to Edit menu/Preferences
b) Delete Internet History, Internet Cache (including off-line content) & Cookies
3. Delete NAV Logs under C:\Documents And Settings\All Users\Application Data\Symantec\Norton AV\7.5\logs
4. Open C:\Document & Settings\Administrator
a) Delete everything in the Favorites folder
b) Delete everything in the My Documents folder
c) Delete everything in the Local Settings\Temp folder
d) Delete everything in the Local Settings\Temporary Internet Files
5. Delete System Event Logs
a) Right-click My Computer/Manage
b) Open (+) the Event Viewer entry
c) Right-click on each log (application, security, system) & select Clear All Events from the drop-down menu.
d) Say No to saving the logs
e) Close the Computer Management window
6. Delete Recent Documents and Recent Applications list entries
a) Right-click on Taskbar\Properties\Start Menu tab\Customize button & click the Clear List button
b) Select the Advanced tab & click the Clear List button
c) Click OK, Apply, OK
7. Delete contents of the c:\windows\prefetch directory
8. Delete all PQI and 0xx (PQDI) files from the BACKUP partition (unless they are needed)
9. Delete the WUTemp folder from c:\. This is left over from using Windows Update
10. Delete all *.LOG files from c:\ (from application installations, like Norton AV)
11. Delete everything in the c:\winnt\temp (or c:\windows\temp) folder
12. Delete unnecessary folders from c:\drivers
13. Delete everything in c:\temp
14. Empty Recycle Bin
This sets the profile that all new user accounts will receive. Any new user will receive the same look and layout that the Administrator account was set up for. What actually happens is all the contents of the default user folder are deleted and the contents of the administrator folder are copied there, and the appropriate permissions set. Thus, anybody logging into the machine for the first time will inherit the default user profile, which we have customized.
Under Windows XP, you can’t copy the profile of the active account like we could under Windows 2000 so we need to do a few extra steps:
1. Logoff Administrator and logon to a backup administrators account
2. Right click on My Computer/Properties/Advanced tab/Settings under User Profiles
3. Select the xxx/Administrator profile and click the Copy To button
4. Copy it to C:\Documents and Settings\Default User (if this folder is not visible using the browse button, just type it into the entry box. It will be faster than trying to do a Show on hidden files).
5. Click OK, OK, Yes
6. Exit the System Properties window
7. Logoff the backup and logon with Administrator again.
Backup is important. We recommend you create a backup of your workstation contents at appropriate times if your computer is not based on the IST image.
When we are finished customizing our computers we back them up by creating an image of the contents that we can restore if problems happen. This image is a compressed copy of everything found in a disk partition and when replaced onto the computer sets it back to exactly the same state when the image was made. The compressed image can be made onto another disk partition on your hard disk. It can also be made onto writable CD’s or DVDs. Removable media gives the added security of allowing you to restore the contents of a failed hard disk should the only one you have fail although a second partition on your only hard drive (or a second hard drive) can get you out of trouble if it were to contain an image of the primary partition.
Several products can be used to create a partition. The one we use is PowerQuest Drive Image/Deploy Center. Other products like Symantec Ghost will also work.
o Select Customize on Regional & Language Options
o Select English (Canada) in Standards & Formats
o Select Canada for Location.
o Click Apply
o Select the Languages tab & click Details
o Set Default Input Language to English Canada (US)
o Click OK & Apply
o Select Advanced tab
o Under Language for Non-Unicode Programs select English (Canada)
o Click Apply & OK
o Click the Details button.
o Remove the English (US) Keyboard item
o Click Apply, OK
o Click Next
o Select time-zone (GMT -05:00) Eastern Time (US & Canada)
o Check that the time is correctly set
It is wise to keep device drivers current. Occasionally check to see if newer versions exist before applying a new Service Pack.
Also check to make sure all current hardware is supported before installing the latest Service Pack or operating system.
Maintained by: Manfred Grisebach, IST – Systems, Text extracted and reorganized from documents maintained by Peter Schepers. Last modified Mar 30th 2005