How to Configure Your PC to Academic Support Standards

Introduction

March 2005

Microsoft’s Windows XP, as it’s configured on most computers from a vendor, has very few, if any, customizations applied. IST spent many months working together with Academic Support departments at UW to customize the operating system and departmental applications in a way preferred by most of our clients. We believe these changes not only improve aesthetics but also make the user more productive.

 

When we do this, we install Windows XP Professional on a computer and customize it to our specifications. Then we install the required primary applications from previously IST-built executables that have also been customized accordingly. Lastly, we make a few more minor changes and cut an image of the whole hard disk. This image is then put on most desktop PCs in Academic Support. (Please note that this gives us a quick and easy way to replace broken hardware and software.) The computer is then joined to the ADS domain, where more changes are automatically applied (by domain policies). The combination of these two sets of changes gives our Academic Support clients what they see on their computers today.

 

On a notebook, or specialized desktop, there may be reasons an image is not preferred (as discussed in “Setting_up_a_Notebook_versus_a_Desktop.htm”). That is why this document was created: first, to help you decide whether you could accept our image on your PC, and if not, to let you apply as many of the desired changes as you can yourself.

 

The first section covers the manual changes discussed above. It is divided into several subsections including highly recommended Security and Usability changes. The next section covers changes applied via policy that can be applied by joining the ADS domain. The rest of the sections cover final customizations, cleanup and a few notes on backup.

 

Please note that most of the changes documented here require you to be an administrator. Apply them first and then create a “limited user” account that you should use from now on, whenever possible.

 

Less Detailed Reference

All of the links in this document reference very detailed instructions as to the steps required to customize an ADS workstation. A more general, less detailed reference is available at: http://winxp.uwaterloo.ca/Documentation/CM/XP_Changes.htm

Manual Changes Applied

Security Customizations (highly recommended)

Administrative Accounts Setup

Change Logon Procedure

1.       Go to Start/Control Panel/User Accounts

a)      Select Change the way users log on or off

b)      Uncheck Use the welcome screen and click Apply Options. This also disables fast user switching. This is necessary in order to show the standard login window.

c)      Click Switch to Classic View

d)      Close the Control Panel

 

NOTEBOOK NOTE: Because this documentation only deals with desktops a hibernation password is not relevant. See notebook documentation to find out how to set a hibernation password as well. (It’s usually part of Power Management options.)

 

Check Account Membership

1.       Go to Start/My Computer/Manage

 

2.       Expand Local Users & Groups and select Users

 

3.       Double-click Administrator and check its settings:

a)      For Full Name, enter Administrator

b)      Check Password doesn’t expire

c)      Click the Members of tab. It should be a member of Administrators only. If not, add it, and remove any other groups it might be in.

d)      Click Apply & OK

 

4.       Double-click any other administrative account

a)      For Full Name, enter something appropriate

b)      Enter an appropriate Description

c)      Click the Members of tab. It should be a member of Administrators only. If not, add it, and remove any other groups it might be in.

d)      Click Apply & OK

 

NOTE: Remember to not use administrative accounts for everyday work. A backup as suggested above may be a good idea.

 

5.       Double-click any other user accounts on your PC

a)      For Full Name, enter the user name

b)      For Description, enter Local Power User Account

c)      Check Password Never Expires

d)      Click the Members of tab. Add it to the Power Users group and remove it from all other groups (including Administrators)

e)      Click Apply & OK

 

NOTE: Power user privilege may not be required for all that you do. It was required for some Academic Support applications so all “Users” were made Power Users.

 

6.       All other accounts (Guest, HelpAssistant, Support_xxx) are disabled and should not be modified

 

7.       Close up the Computer Management window

 

 

Change Account Passwords

1.       Press CTRL-ALT-DEL to get the Windows Security window.

 

2.       Click the Change Password button and change the password for the accounts installed:

a)      Administrator (use a different password than you use for everyday use)

b)      username (set it to something you will remember later)

c)      Click Cancel to return to the desktop

 

 

Change Windows Registration

These changes alter the registration info over to the University, for University Owned PCs.

1.       Run Regedit

 

2.       Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

 

3.       Change the RegisteredOrganization to University Of Waterloo

 

4.       Change the RegisteredOwner to IST Academic Support

 

 

Set TCP/IP Filtering for Virus/Worm Protection

 

This is a very important step to apply BEFORE connecting to the network. It will prevent the internet worms (like Blaster and Welchia) from causing problems. This filter may have to be removed for some later steps. NOTE: Windows XP SP2 automatically turns this on.

 

1.       Go to Start/Control Panel/Network and Internet Connections

2.       Select Network Connections

3.       Right-click Local Area Connections/Properties

4.       Select Internet Protocol & click Properties

5.       Click Advanced

6.       Enable the firewall

Only then plug in the network cable.

 

Setup Network Access

 

2.       Go to Start/Control Panel

 

3.       Double-click Network Connections

 

4.       Double-click Local Area Connection

 

5.       Click Properties button

 

6.       Uncheck Show Icon in taskbar when connected

 

7.       Uncheck File & Print Sharing

 

8.       Double-click Internet Protocol (TCP/IP) list entry

a)      Click the Advanced button to bring up the other network options

b)      Click the DNS tab

i)        Uncheck Register This Connection Address In DNS

ii)       (not for off-campus machines) For DNS Suffix For This Connection enter uwaterloo.ca

 

c)      Click the WINS tab

i)        Uncheck Enable LMHOSTS Lookup

 

d)      Click OK, OK

Windows Firewall (Internet Connection Firewall prior to WXP SP2)

NOTE: In Windows XP SP2 Windows Firewall is turned on automatically. The menus are structured a little differently prior to SP2 than described below.

 

1.       Assuming you are still in Network Connections (from the last step): Click the Advanced tab and click Settings (It should be on)

 

2.       Click the Exceptions tab. Select Remote Desktop if required.

 

3.       Uncheck File and Printer Sharing

 

4.       Uncheck Remote Assistance (and anything else you know is not required!)

 

5.       If you are running a Wireless Network card at UW

 

a)      Click the Advanced tab

 

b)      Within the ICMP box click the Settings button

 

c)      Select Allow incoming echo request

 

d)      Verify installation by pinging IST.UWATERLOO.CA

i)        Go to Start -> Run and enter ping ist.uwaterloo.ca

ii)       You should see some responses coming back from ist, and not an error message.

iii)     You can check the network settings once they are setup by launching a command prompt (CMD) and typing ipconfig /all. All the network settings should be there.

 

6.       Click OK, Close

7.       Close the Network Connections window

 

 

Setting Microsoft Patching Options

 

For all on-campus machines including on-campus self-managed and ADS PCs:

UW has a WSUS server that mirrors the Microsoft one in terms of patches offered. We do, however, delay distribution until the patches are properly tested with the applications used by Academic Support. Patches are expedited according to their importance.

 

To update your workstation to point to the UW WSUS server follow the steps outlined at:

            http://windows.uwaterloo.ca/Security/wsus/Manual_WSUS_Workstation_Configuration.asp

 

 

For all home-bound machines & Notebooks that go off-campus:

There may be reasons to not have a PC call back to UW. In this case, since patching is still very important:

1.         Right-click My Computer/Properties/Automatic Updates

2.       Check Keep My Computer Up To Date

3.       Set to Automatically Download the Updates

Set the time to 5:00 AM every day (IST chosen time. Another may be more appropriate.)

 

Set a Screen Saver Password

1.       Right-click on the desktop and select Properties

 

2.       Go to the Screen Saver tab

a)      Set your favourite screen saver

b)      Set the Wait time to 30 minutes (default is 10)

c)      Check Password Protect. (default is no password)

d)      Click Apply

 

Security Policy Changes

 

The following changes make the PC more secure. Many are re-applied automatically if you join ADS as mandatory policies.

 

Go to Start Menu\Settings\Control Panel\Administrative Tools\Local Security Policy (shortcut: go to Start/Run and open secpol.msc)

 

1.       Position the window so it is fully visible.

 

2.       Under Account Policies\Password Policy, change the following options:

 

Name                                          Setting
Maximum Password Age                          0 (default is 42 days)
Minimum Password Length                       7 (default is 0)
Passwords must meet complexity requirements   Enabled (default is disabled)

 

 

3.       Under Account Policies\Account Lockout Policy, change the following options:

 

Name                        Setting
Account Lockout Threshold   15 (default is 0)
Account Lockout Duration    5 (default is not applicable)

 

 

4.       Under Local Policies\Audit Policy, change the following options:

 

Name                         Setting
Audit Account Logon Events   Check the Success and Failure options (default is both unchecked)
Audit Logon Events           Check the Success and Failure options (default is both unchecked)

 

 

5.       Under Local Policies\User Rights Assignment, change the following options:

 

Name                                    Setting
Access this computer from the Network   Uncheck (or remove) all entries
Change system time                      Add Everyone
Log on locally                          Remove (or uncheck) the xxx/Guest account

 

 

6.        Under Local Policies\Security Options, change the following options:

 

Name                                                                                        Setting
Interactive Logon: Do Not Require CTRL+ALT+DEL                                              Disabled
Microsoft Network Client: Send unencrypted password to connect to third-party SMB servers   Enabled
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts                          Enabled
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares               Enabled
Shutdown: Clear virtual memory pagefile                                                     Enabled

(SAM accounts are Anonymous connections from legacy Windows days)

 

7.       Close the Local Security Settings window.
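
One way to verify steps 2, 3, 4 and 6 afterwards, as an added example that is not part of the original IST document: export the effective policy with secedit /export /cfg policy.inf and compare it with the values in the tables. The INF key names are the ones secedit writes rather than names from this page, and the sample export is constructed.

```python
"""Audit a `secedit /export /cfg policy.inf` dump against this page's tables."""
import codecs

POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
MEMMGMT = (r"MACHINE\System\CurrentControlSet\Control"
           r"\Session Manager\Memory Management")

# (section, key) -> value expected in the export. Values come from the
# tables in steps 2, 3, 4 and 6; registry values are "<type>,<data>".
BASELINE = {
    ("System Access", "MinimumPasswordLength"): "7",
    ("System Access", "PasswordComplexity"): "1",      # 1 = enabled
    ("System Access", "LockoutBadCount"): "15",        # lockout threshold
    ("System Access", "LockoutDuration"): "5",
    ("Event Audit", "AuditAccountLogon"): "3",         # 3 = success + failure
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Registry Values", POLICIES + r"\DisableCAD"): "4,0",
    ("Registry Values", LSA + r"\RestrictAnonymousSAM"): "4,1",
    ("Registry Values", LSA + r"\RestrictAnonymous"): "4,1",
    ("Registry Values", MEMMGMT + r"\ClearPageFileAtShutdown"): "4,1",
}


def decode_export(raw: bytes) -> str:
    """secedit writes UTF-16 with a BOM; also accept UTF-8 or ANSI copies."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("cp1252")


def parse_inf(text: str) -> dict:
    """Return {(section, key): value} with section and key lower-cased."""
    settings, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            settings[(section, key.strip().lower())] = value.strip()
    return settings


def audit(raw: bytes) -> list:
    """Return (section, key, expected, actual) for every deviation.

    actual is None when the setting is absent from the export.
    """
    actual = parse_inf(decode_export(raw))
    findings = []
    for (section, key), expected in BASELINE.items():
        got = actual.get((section.lower(), key.lower()))
        if got is None or got.replace(" ", "") != expected:
            findings.append((section, key, expected, got))
    return findings


# Constructed sample export with three deviations from the tables.
SAMPLE = "\r\n".join([
    "[Unicode]", "Unicode=yes",
    "[System Access]",
    "MinimumPasswordLength = 0",
    "PasswordComplexity = 1",
    "LockoutBadCount = 15",
    "LockoutDuration = 5",
    "[Event Audit]",
    "AuditLogonEvents = 3",
    "AuditAccountLogon = 1",
    "[Registry Values]",
    POLICIES + r"\DisableCAD=4,0",
    LSA + r"\RestrictAnonymousSAM=4,1",
    MEMMGMT + r"\ClearPageFileAtShutdown=4,1",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1",
])
SAMPLE_RAW = codecs.BOM_UTF16_LE + SAMPLE.encode("utf-16-le")

if __name__ == "__main__":
    for section, key, expected, got in audit(SAMPLE_RAW):
        name = key.rsplit("\\", 1)[-1]
        print(f"[{section}] {name}: expected {expected}, found {got}")
```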

 

 

To compare recommendations from various sources with what IST has implemented, see:

http://ist.uwaterloo.ca/cs/w2kclient/GroupPoliciesUW.html

 

To see even more detail, including the default Windows XP setting see:

http://ist.uwaterloo.ca/cs/w2kclient/GroupPolicies.html

 

 

 

Install Windows Service Packs

 

 Always keep the Service Pack level of the operating system, and all applications, up-to-date. The latest service pack can be accessed at:

            http://ist.uwaterloo.ca/download

            - WXP SP2 does not detect our Symantec Antivirus software so Disable Virus Protection Monitoring

Install Critical OS Updates

 

1.       Disconnect any network drives you may have connected. They will need to be manually reconnected later. Some critical updates do not install properly when a read-only network drive is present.

 

2.       Launch Internet Explorer

3.       Go to Tools menu/Windows Update.

 

a.       If you receive a security warning from Windows asking you to Always Trust Content From Microsoft, read the contents of the window to make sure it is valid, and then click Yes

 

b.       Check the Critical Updates area. Update to the latest Service Pack first (as described above). Then apply critical updates.

 

NOTE: Only apply critical patches unless you feel lucky. So-called “Recommended” patches are not fully regression tested and can break certain combinations of installed applications or hardware. Some can NOT be removed (without a rebuild). Many are frequently updated using the same name and number.

 

c.       You will likely have to reboot.

 

d.       You may have to do these last few steps several times, as not all patches can go in at the same time.

 

e.       Review the other Windows Updates and Driver Updates areas to see if there are other things to patch and update. Install if you think they are necessary.

 

f.        Some of the Windows Updates are new application versions like Movie Maker, Tablet PC programs, etc. Go ahead with these.

 

 

Install IPSEC Policy (not for HOME, CUSTOM or NOTEBOOK)

 

Windows XP SP2 introduced a stricter security model. Before this, and before restricting the many protocols we now block at the front-end router of the University network (see http://noc.uwaterloo.ca/cn/Stats/blocked ), we installed a local IPSEC policy to do some of what Windows Firewall does now.

If you wish to further lock down your workstation to restrict it to specific hosts or subnets see http://win2k/IP_Security/index.htm for notes on how.

 

Add UW/IST Security Certificate

 

In order to allow your workstation rights to access more secure internet sites on campus, as a trusted host, add the UW/IST Security Certificate.

1.       Launch Internet Explorer and go to http://ist.uwaterloo.ca/security/IST-CA/

2.       Click on Click Here

3.       Click Open to execute certificate

4.       Click Install Certificate

5.       Click Next

6.       Select Place All Certificates In The Following Store & click Browse

7.       Check Show Physical Stores

8.       Expand Trusted Root Certification Authorities & select Local Computer entry

9.       Click OK, Next, Finish, OK, OK

 

10.   Test by clicking on Secure Page Demonstration from the IST-CA page.

a.       You should get a warning about viewing pages over a secure connection, and the padlock icon should be present in the taskbar of the browser window.

b.       You should not get a warning about security alerts, and not being able to view this page securely. Without the certificate installed, you should always get Security Alert dialogs when viewing https secure pages.

 

Set Start Menu Security

 

This changes the permissions on all the elements under the Start Menu to be readable to all, but changeable only to Administrators. It does allow user-preference customization.

 

1.       Go to C:\Documents and Settings\All Users

 

2.       Right-click on the Start Menu icon, select Properties and go to the Security tab

 

3.       Click on the Power Users entry under the Group or User Names field

 

4.       Click Advanced button

 

5.       Unselect Inherit from Parent the Permission Entries…

 

6.       Click Copy in the window that pops up and OK

 

7.       Click OK to the Advanced window

 

8.       Unselect the Allow checkmark on Modify and Write. Read & Execute, List Folder Contents & Read should be checked.

 

9.       Click Apply

 

10.   Check that the settings for Users and Power Users are now the same, except for Special Permissions

 

11.   Select Power User again

 

12.   Click the Advanced tab

 

13.   Remove any entry that starts with Deny – Power Users

 

14.   Select Allow Power Users… entry

 

15.   Click Edit button

 

16.   Uncheck Delete Subfolders & Files & Delete under the Allow column

 

17.   Click OK

 

18.   Click Apply, OK, OK

 

19.   Check that the power user permissions for an object inside a folder in the Start Menu only has Read & Execute and Read checked under the Allow column.

 

20.   Close all windows.


Stopping Windows Services

NOTE: Be sure to read the descriptions associated with these services in case something special running on this PC requires them.

 

This stops some unnecessary services from running and taking up resources, and removes a potential security threat.

 

1.       Right-click My Computer/Manage

2.       Expand and reposition the window

3.       Expand the Services & Applications tab

4.       Select Services

5.       (Shortcut: Go to Start/Run and open services.msc)

6.        Double-click the following services listed (some are not installed, and hence don’t exist). Under Startup Type select Manual (if it isn’t already) and click the Stop button to stop the service if it is running.

 

Terminal services cannot be stopped via the Stop button. Set it to Disabled and reboot the system to get the service to stop.

 

Service Name                        Installed?   Initial Status   Started?   Set to
Computer Browser                    installed    automatic        Yes        disabled
Messenger                           installed    automatic        Yes        disabled
SSDP Discovery                      installed    manual           Yes        disabled
Terminal Services                   installed    manual           Yes        disabled
Universal Plug & Play Device Host   installed    manual           No         disabled

 

Close this window
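
A check for the table above, as an added example that is not part of the original IST document. It reads the text printed by sc qc <name> followed by sc query <name> for each service; the short service names are the ones sc uses and do not appear on this page, the table's Set to column (disabled) is taken as the target, and the sample output is constructed.

```python
"""Check the services from the table using captured `sc qc` / `sc query` text."""
import re

# sc short names (not on the page) for the display names in the table.
TARGETS = {
    "Browser": "Computer Browser",
    "Messenger": "Messenger",
    "SSDPSRV": "SSDP Discovery",
    "TermService": "Terminal Services",
    "upnphost": "Universal Plug & Play Device Host",
}

START_RE = re.compile(r"^\s*START_TYPE\s*:\s*\d+\s+(\w+)", re.MULTILINE)
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)


def assess(sc_output: str) -> str:
    """Classify one service from its `sc qc` + `sc query` output."""
    if "FAILED 1060" in sc_output:       # service does not exist
        return "not-installed"
    start = START_RE.search(sc_output)
    state = STATE_RE.search(sc_output)
    if not start or not state:
        return "unreadable"
    if start.group(1) != "DISABLED":
        return "not-disabled"
    if state.group(1) != "STOPPED":
        # Startup type is set but the service has not stopped yet. For
        # Terminal Services this is expected until the reboot.
        return "disabled-still-running"
    return "ok"


def review(outputs: dict) -> dict:
    """Map every target service to its status; missing captures are unreadable."""
    return {name: assess(outputs.get(name, "")) for name in TARGETS}


def _sample(name: str, start: str, state: str) -> str:
    # Constructed text in the layout sc prints; only two fields are used.
    return (
        "[SC] GetServiceConfig SUCCESS\n\n"
        f"SERVICE_NAME: {name}\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        f"        START_TYPE         : {start}\n"
        "\n"
        f"SERVICE_NAME: {name}\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        f"        STATE              : {state}\n"
    )


SAMPLE = {
    "Browser": _sample("Browser", "4   DISABLED", "1  STOPPED"),
    "Messenger": _sample("Messenger", "2   AUTO_START", "4  RUNNING"),
    "SSDPSRV": _sample("SSDPSRV", "3   DEMAND_START", "4  RUNNING"),
    "TermService": _sample("TermService", "4   DISABLED", "4  RUNNING"),
    "upnphost": "[SC] OpenService FAILED 1060:\n\n"
                "The specified service does not exist as an installed service.\n",
}

if __name__ == "__main__":
    for name, status in review(SAMPLE).items():
        print(f"{TARGETS[name]:35} {status}")
```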

 

MBSA Patch Check & Security Tests

 

You would think that all the important patches were already applied in an earlier step and we are quite secure, but possibly not so. Microsoft only shows the critical patches when using Windows Update and there could still be possible security holes you don’t know about. All images must be checked for security flaws before they are deployed.

 

There are two tools that Microsoft provides for patch and security checking. The first one is HFNETCHK, and the second one is MBSA (Microsoft Baseline Security Analyzer). The first is a text-based tool, the second is GUI-based.

 

Using the MBSA and HFNETCHK tools, you might see many more patch recommendations for specific problems which are not considered critical. Review the documents referred to and patch the security holes accordingly. Always reboot after patch installations or either tool might not know that the patch was applied.

 

Install HFNETCHK

1.       Go to http://www.microsoft.com and search for HFNETCHK (this is part of MBSA)

a)      Download the HFNETCHK application to the desktop

b)      Execute it and install it to c:\hfnetchk

c)      Launch a cmd window, and go to the c:\hfnetchk folder

 

d)      Enter hfnetchk -z -v (This will connect to Microsoft, download a security update & patch database)

e)      It will scan the PC for non-critical patches which have not been installed, and tell you which ones are missing via a Q###### document number.

f)       Check the document # (Q######) on http://www.microsoft.com/technet to see if it is really necessary to install it.

 

g)      Delete the HfNetChk folder when done

 

 

Install Microsoft Baseline Security Analyzer

a)      Download from http://www.microsoft.com

b)      Accept the install defaults

c)      Uncheck Place Shortcuts On The Desktop

d)      Uncheck Show Readme File After Installation

e)      Uncheck Launch Application After Installation

 

Run it and let it analyze your system. It analyzes some of what HFNETCHK does, but it also checks a whole lot more. If things come up flagged check with our senior technologist, security Reg Quinton (reggers@ist.uwaterloo.ca).

1.       Select Scan A Computer

2.       Select Start Scan

3.       Look for all Red and Yellow X markings. These indicate areas of concern.

 

 

 

Security Tests

NOTE: Due to the nature of our campus firewall now, many of these tests show nothing wrong.

1.       Go to http://ist.uwaterloo.ca/security/howto

a.       Go to the Windows NT/2000/XP Hardening section and choose the Penetration Test option

b.       Select Free On-Line Virus & Security Check (or go to http://security.symantec.com).

i.         Under Security Scan, click Start

ii.       From this page, select Scan For Security Risks

c.       Select Gibson Research Corporation shields test (or go to http://grc.com)

i.         Select the Shields Up test

ii.       Do the Test My Shields test

iii.      Do the Probe My Ports test

d.       If anything comes back as bad, consult with Reg Quinton regarding how to fix it.

e.       Ports like 135 (RPC), 139 (NetBios) & 445 (Windows SMB) might come back as exposed. However, with the IPSEC filtering which was installed earlier, these ports should now be closed to off-campus exposure.

2.       Reg Quinton (reggers@ist.uwaterloo.ca) can do a remote security scan of the machine. He will report if anything unusual or bad comes back.

 

 

3.       Go to c:\windows\Downloaded Program Files. This is where the downloaded ActiveX components are kept.

a)      Right-click on the Symantec RufSI icon & select Remove

Any others which also appear to not be needed should be removed.

 

 

 

 

 

 

Usability Changes (optional but strongly encouraged)

 

Redirect Windows Install Source Path

 

Windows XP can be installed in a variety of ways. If you are not sure all driver information is present on the hard drive, it is possible to remove any dependency that Windows has on its source CD. This change can make the image totally independent of its install source. The only trouble is that the i386 folder is rather large, ~400-500 MB.

 

When working with a pre-installed OS or a Notebook upgrade, check the registry entry below first to see where it is pointing. If it is pointing to a location on the hard disk (c:\...) and not the CD-ROM drive letter, then this step does not need to be done.

 

I’m not so sure this step is necessary as Windows 2000/XP maintains a driver cache and driver.cab files in the local hard disk.

 

1)      Insert the Windows install CD & cancel the auto-run.

 

2)      Open up the CD and find the i386 folder.

 

3)      Copy the i386 folder from the install CD to c:\windows

 

4)      It is rather large so this takes a while.

 

5)      Once done, go to Start/Run and type Regedit

 

6)      Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

 

7)      Change the SourcePath key to point to c:\windows\i386

 

System & Visual Customizations

 

1)      Right-click on the desktop and select Properties

 

 

2)      Go to the Settings tab.

a)      (Notebook and other LCD screens (i.e. ALL flat screens)) Leave the settings as they are.

b)      (For most CRT monitors) Change Screen Resolution to 1024x768

i)        Set Color Quality to Medium (16 bit)

ii)       Click Apply

iii)     Set refresh rate to 75 Hz.

 

 

3)      Go to the Appearance Tab

a)      Click the Effects button

b)      Check Use the following transition effect

i)        Select the fade effect

c)      Check Use The Following Method To Smooth Edges Of Screen Fonts

i)        Select the Standard method

d)      Uncheck Use Large Icons

e)      Check Show shadows under menus

f)       Check Show Window Contents While Dragging

g)      Check Hide underlined letters for Keyboard Navigation

h)      Click OK & Apply

 

 

4)      Select Desktop tab

a)      Select None for the Background and click Apply

b)      Select Customize Desktop button

i)        Check My Documents

ii)       Check My Computer

iii)     Uncheck My Network Places

iv)     Uncheck Internet Explorer

v)      Under Desktop Cleanup, uncheck Run Desktop Cleanup Wizard Every 60 Days

c)      Click OK, Apply & OK

 

 

5)      (not for Notebook builds) Go to Control Panel/Power Options (all options might not be visible)

a)      Select Power Schemes tab.

i)        Power Schemes should be set to Home/Office Desk

ii)       Turn Off Monitor should be set to After 1 Hour

iii)     Turn off Hard Disks should be set to Never (might not be there)

iv)     System Standby should be set to Never (might not be there)

v)      System Hibernates should be set to Never (might not be there)

 

b)      Go to Hibernate Tab (might not be there)

i)        (Not Notebook) Uncheck Enable Hibernation

ii)       (for Notebooks) Leave setting as it is.

 

c)      (Notebooks!) Set a Hibernation Password: This is usually set from whatever power-management tools were provided by the Laptop vendor, or Microsoft.

 

d)      Click Apply & OK

 

 

6)      Right click the Taskbar then select Properties

a)      From the Taskbar tab set the following options

i)        Uncheck Lock the taskbar

ii)       Uncheck Auto-hide the taskbar

iii)     Check Keep the taskbar on top

iv)     Check Group similar taskbar buttons

v)      Check Show Quick Launch

vi)     Check Show the clock

vii)   Check Hide Inactive Icons

 

b)      From the Start Menu tab, click Customize in the Start Menu area and select the Advanced tab

i)        Check My Network Places in the Start Menu Items list (default is unchecked)

ii)       Set Display As A Menu for the following items in the Start Menu Items list: (default is no cascading for any)

(a)    Control Panel

(b)    My Computer

(c)    My Documents

(d)    My Music

(e)    My Pictures

(f)     Click OK, Apply, OK

 

 

7)      Open up My Computer

a)      Go to View menu

i)        Under Toolbars menu, select Standard Buttons and Address Bar. Others should not be checked (like Lock The Toolbars) (default is locked)

ii)       Check Status Bar (default is off)

iii)     Select Icons (default is Tiled)

iv)     Under Arrange Icons By… check Show In Groups (default)

 

b)      Go to Tools menu, Folder Options, General tab

i)        Select Show Common Tasks in Folders (default)

ii)       Select Open Each Folder In The Same Window (default)

iii)     Check Double-Click To Open An Item (default)

 

c)      Go to View tab

i)        Uncheck Automatically search for network folders and printers (default is checked)

ii)       Check Display File Size Information In Folder Tips (default)

iii)     Check Display Simple Folder View In Explorers Folders List (default)

iv)     Uncheck Display The Contents Of System Folders (default)

v)      Check Display The Full Path In The Address Bar (default)

vi)     Uncheck Display The Full Path In The Title Bar (default)

vii)   Uncheck Do Not Cache Thumbnails (default)

 

viii)  Select Show Hidden Files And Folders (default is do not show)

ix)     Unselect Hide Extensions For Known File Types (default is show extensions)

x)      Check Hide Protected Operating System Files (default)

xi)     Uncheck Launch Folder Windows In A Separate Process (default)

 

xii)   Select Show And Manage The Pair As A Single File (default, if this option is showing)

xiii)  Check Remember Each Folders View Setting

xiv) Uncheck Restore Previous Folder Windows At Logon (default)

xv)   Uncheck Show Control Panel in My Computer (default)

xvi) Check Show Encrypted Or Compressed NTFS Files In Color (default)

xvii)       Check Show Pop-Up Descriptions For Folders And Desktop Items (default)

xviii)      Uncheck Use simple file sharing (so that we can see the Security tab on file properties) (default is enabled)

 

xix) Click Apply

xx)   Click Apply To All Folders button to apply these setting to all folders

xxi) Click Yes

 

d)      Go to Offline Files tab

NOTE: Offline files is only useful if you have directories (like a home directory) on a server and your PC regularly gets disconnected from the campus network (like a notebook).

i)        (NOT for notebooks) Uncheck Enable Offline Files (default is enabled)

ii)       Click Apply, OK

 

e)      Go to My Computer/Properties/Advanced tab

i)        Click the Error Reporting button

ii)       Select Disable Error Reporting. (default is enable error reporting)

(a)    Check But Notify Me When Critical Errors Occur (default)

iii)     Click OK

 

f)       Go to the System Restore tab

i)        Uncheck Turn off system restore (this enables it, and it likely is already unchecked)

 

g)      Go to Remote tab

i)        Uncheck Allow remote assistance (default is to allow)

ii)       Uncheck Allow users to connect remotely. (default)

NOTE: These settings change between service packs. Only the recipient of the PC (or recipient’s departmental rep.) can properly decide if Remote Desktop is useful. We do not use remote assistance in Academic Support.

 

h)      Click Apply & OK

 

 

Extra Visual Customizations

These are additional steps applied to complete the usability, and the look and feel of the image.

 

1)      Add a shortcut to Notepad & Wordpad in the SendTo folder in the Administrator profile

a)      Copy the existing shortcuts from the Start/Programs/Accessories folder

b)      Copy them to c:\documents and settings\administrator\sendto

 

 

2)      Move Recycle Bin icon to be underneath the My Computer icon

 

 

3)      OS Software Configuration

a)      Go to Control Panel/Add & Remove Programs

b)      Click on the Add/Remove Windows Components button

c)      Uncheck MSN Explorer entry

d)      Click Yes to MSN Explorer Uninstall

e)      The component will be removed.

f)       Click Finish

 

 

4)      Set C Drive Label (Optional)

a)      Open up My Computer

b)      Check the label on C: We set ours to WINDOWS.

 

 

5)      Remove LINKS Folder from the Favorites Directory

This procedure keeps this folder entry from coming back after you delete it.

a)      Run Regedit

b)      Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar

c)      Find the string LinksFolderName

d)      Modify it to a blank entry

e)      Exit Regedit

f)       Delete the LINKS folder from Favorites

 

6)      Add TEMP folder

Some applications still want one of these, rather than using the local user’s temp space. It’s also handy as a temporary storage space for restricted users since access to the C: drive is limited.

a)      Open up My Computer/C drive

b)      Create a new folder called TEMP

 

 

Disable QoS Packet Scheduler

This is necessary to reclaim the 20% of the network bandwidth that QoS (Quality Of Service) sets aside by default for itself. It has been reported that some machines won’t start up properly with QoS enabled.

 

1.       Go to Start/Run and enter gpedit.msc. This launches the Microsoft Management Console and runs the Group Policy Editor

2.       Expand Administrative Templates under Computer Configuration

3.       Expand Network

4.       Select QoS Packet Scheduler folder

5.       Double-click Limit Reserve Bandwidth option

6.       Click Enable and enter 0 in the bandwidth limit box.

7.       Click Apply, OK and close the group policy window

 

 

 

Text Searching Rule Change & Remove the Animated Dog

This modifies the standard rule in the Search window to search all files, rather than only the registered file extensions.

 

1.       Go to Start/Search

2.       Click Turn Off Animated Character

3.       Click Change Preferences

4.       Click With Indexing Service (for Faster Local Searches)

5.       Click Change Indexing Service Settings (advanced)

6.       On the toolbar, click Show/Hide Console Tree icon

7.       In the left pane, right-click Indexing Service On Local Machine/Properties

8.       Select Generation tab, and check Index Files With Unknown Extensions box

9.       Click OK

10.   Close the Indexing Service console

 

 

 

Remove Shared Folders from My Computer

This removes the Shared… group of folders that exist under My Computer.

1.       Go to Start/Run & type gpedit.msc

2.       Under User Configuration, expand Administrative Templates

3.       Expand Windows Components

4.       Click on Windows Explorer

5.       Double-click Remove Shared Documents from My Computer

6.       Select Enabled

7.       Click OK

 

 

 

Time Server Change

This procedure adds new time servers to local ones, sets Windows to use one of the new servers, and changes the poll interval to something more frequent.

NOTE: This procedure is only required outside of the ADS domain. (It won’t work inside ADS.) When you join ADS it automatically assigns a common domain-wide time server (and the Internet Time tab is removed from the Date & Time control panel).

Add New Time Servers

1.       Run Regedit

2.       Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Datetime\Servers

3.       Add a new String Value & name it to the next number in the time server list.

4.       Modify the entry & enter the host name of the time server. Some local ones to choose from are:

a)      ntp1.uwaterloo.ca

b)      ntp2.uwaterloo.ca

 

Change the Time Server

1.       Go to Control Panel/Date & Time

2.       Make sure the date is correct.

3.       Check that the Time Zone is set correctly

4.       Select the Internet Time tab

5.       Under Server, select a local one (ntp1.uwaterloo.ca)

6.       Click Apply.

7.       Click Update Now & OK

 

Change the Update (Poll) Interval (only if you want the time checked more often than every 7 days)

1.       Run Regedit

2.       Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NTPClient

3.       Modify the SpecialPollInterval key (default is 604800 seconds, or 7 days)

a)      For every day, use 86400 (seconds)

b)      For every two days, use 172800
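
The two registry edits above (adding servers and changing the poll interval) can be scripted. This is an added example, not part of the original IST procedure: it assumes an elevated PowerShell prompt, the function name is hypothetical, and choosing the active server is still done on the Internet Time tab.

```powershell
# Added example, not part of the original IST procedure.
# Registry paths and server names are the ones given in the steps above;
# the function name Set-StandaloneTimeSource is hypothetical.
function Set-StandaloneTimeSource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Server = @('ntp1.uwaterloo.ca', 'ntp2.uwaterloo.ca'),
        [ValidateRange(1, 2147483647)]
        [int]$PollSeconds = 86400    # every day; 172800 = every two days
    )

    $serversKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Datetime\Servers'
    $ntpClient  = 'HKLM:\System\CurrentControlSet\Services\W32Time\TimeProviders\NTPClient'

    # The page notes this procedure is only for machines outside the ADS domain.
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        Write-Warning 'Machine is domain-joined; leaving time settings alone.'
        return
    }

    # "Add New Time Servers": entries are string values named 1, 2, 3, ...
    $numbered = @((Get-ItemProperty -Path $serversKey).PSObject.Properties |
                  Where-Object { $_.Name -match '^\d+$' })
    $known = @($numbered | ForEach-Object { [string]$_.Value })
    $next  = 1
    foreach ($p in $numbered) {
        if ([int]$p.Name -ge $next) { $next = [int]$p.Name + 1 }
    }
    foreach ($s in $Server) {
        if ($known -contains $s) { continue }    # already listed, do not duplicate
        if ($PSCmdlet.ShouldProcess($serversKey, "add value $next = $s")) {
            New-ItemProperty -Path $serversKey -Name "$next" -Value $s `
                -PropertyType String | Out-Null
        }
        $next++
    }

    # "Change the Update (Poll) Interval": a DWORD holding seconds.
    $old = (Get-ItemProperty -Path $ntpClient).SpecialPollInterval
    if ($PSCmdlet.ShouldProcess($ntpClient, "SpecialPollInterval $old -> $PollSeconds")) {
        Set-ItemProperty -Path $ntpClient -Name SpecialPollInterval `
            -Value $PollSeconds -Type DWord
        Restart-Service -Name W32Time    # restart so the service picks up the change
    }

    # Report what is now configured so the change can be checked.
    [pscustomobject]@{
        Servers = @((Get-ItemProperty -Path $serversKey).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } |
                    Sort-Object { [int]$_.Name } |
                    ForEach-Object { '{0}={1}' -f $_.Name, $_.Value })
        SpecialPollInterval = (Get-ItemProperty -Path $ntpClient).SpecialPollInterval
        PollDays            = [math]::Round($PollSeconds / 86400, 2)
    }
}

# Preview the changes first; remove -WhatIf to apply them.
Set-StandaloneTimeSource -WhatIf
```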

 

 

Language Bar

Remove the Language Bar from the Toolbar (unless you want it)

1.       Right-click on the Language Bar in the Toolbar and select Settings

2.       Click Language Bar button

3.       Uncheck Show The Language Bar On The Desktop

4.       Uncheck Show Additional Language Bar Icons In The Taskbar

 

 

 

Convert Windows XP Desktop to Windows 2000 Classic Mode (CUSTOM & NOTEBOOK only, only if the customer wants the classic 2000 look)

 

There will be some clients that want Windows XP to look like Windows 2000, as that is the OS they are comfortable with. This procedure converts the look of Windows XP to a more classic style, but it won’t be identical to Windows 2000.

 

Change Window Style

1.       Right-click Desktop/Properties/Appearance tab

a)      Under Windows & Buttons, select Windows Classic Style

 

Change Taskbar and Start Menu Style

2.       Right-click Taskbar/Properties

a)      Uncheck Lock the Taskbar

b)      Uncheck Group Similar Taskbar Buttons

c)      Check Show Quick Launch

d)      Uncheck Hide Inactive Icons

 

e)      Select the Start Menu tab

f)       Select Classic Start Menu & click Customize button beside it

g)      Check Display Logoff

h)      Uncheck Use Personalized Menus

i)        Click OK, Apply, OK

 

Change My Computer Icon Display

3.       Open My Computer

a)      From the View menu:

b)      From the Toolbars entry, uncheck Lock The Toolbars

c)      Check Status Bar

d)      Select Icons

e)      Under Arrange Icons By… uncheck Show In Groups

f)       Under Arrange Icons By… select Name

 

g)      From the Tools menu/Folder Options:

h)      Select Use Windows Classic Folders

i)        Select Open Each Folder In Its Own Window

 

Change Login Window Style

4.       Run Regedit

a)      Find HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Theme Manager

b)      Edit the DLLNAME entry, changing it to %SystemRoot%\Resources\Themes\Windows Classic.theme

 

Change Search Window Style

5.       Run Regedit

a)      Find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState

b)      Add a new String Value called UseSearchAsst

c)      Modify its Value Data to say no

 


Desktop Cleanup

 

1.       Remove extra icons from the System Tray and Quick Launch bar.

a)      Typically the Quick Launch bar should only have

i)        Internet Explorer

ii)       Show Desktop

iii)     Eudora

 

b)      Typically, the System Tray should only have:

i)        Norton AV (the gold shield icon, if installed)

ii)       Volume control

iii)     Intellimouse (if installed, the arrow icon)

iv)     If you are not connected to the network, then you will likely see the network connection icon with an X through it. Just ignore it.

v)      There might be a sound card control panel. You can leave this one.

vi)     If there is a red ATI icon, try to remove it.

 

2.       Add Outlook Express icon to the Quick Launch bar

a)      Copy it from Start/Programs

 

 

3.       Remove all unnecessary icons & shortcuts from the Desktop, except for:

a)      My Documents

b)      My Computer

c)      My Network Places

d)      Recycle Bin

 

 

4.       Check to see if Administrative Tools has re-appeared under the Start/Programs menu (sometimes it gets re-enabled). If it has, turn it off.

a)      Right-click the Taskbar/Properties/Start Menu tab/Customize/Advanced tab

b)      Uncheck Display Administrative Tools

c)      Click Apply & OK

 

 

Control Panel Cleanup

a)      Go to Start/Settings/Control Panel

b)      Right-click on any entry in the Control Panel and select Sort by Name from the drop-down menu

 

 

Clear Start Menu Application List entries

a)      Right-click Taskbar/Properties/Start Menu tab/Customize button

b)      Under Programs, click Clear List button

 

 

Add Extra Shortcuts

a)      Add a shortcut to c:\windows\winipcfg.exe to the Accessories folder. Rename it to Windows IP Configuration

b)      Add a shortcut to c:\windows\system32\mplay32.exe to the Accessories folder. Rename it to Windows Media Player 5

c)      Add a shortcut to c:\Program Files\Windows Media Player\mplayer2.exe to the Accessories folder. Call it Windows Media Player 6.4

 

 

Eudora

Put the Eudora shortcut in the Quick Launch bar

a)      For ADS builds, put the shortcut to Eudora.CMD there instead

b)      For HOME builds, put the shortcut to Eudora.EXE there instead

c)      Rename the shortcut to Eudora when done

 


Programs Folder Layout Changes

 

Re-arranging the Programs Folder can be a little difficult. It takes experimentation and some daring to get it right. This is what the layout of a generic build should look like. Move the items around until this is what it looks like.

 

Items that you see in the Programs folder are a combination of All Users and Administrator, and that’s why it is difficult to arrange. Opening just the Administrator Programs folder only gives you part of the whole picture. The rest is contained in All Users. The permissions (who can view, edit, execute, etc) are not the same between the two.

 

Look below in this section for the title called Programs Folder Layout Overview. This contains the overall layout of the Start Menu, and where the application shortcuts should be put. Study it to see what folders and shortcuts you have or need, depending on what software was installed.

 

Open the Administrator Programs folder

1.       Right-click on the Start button & select Open

2.       There should only be a Programs folder here. Any other icons should be deleted

3.       Open the Programs folder, closing the previous window.

4.       Position the Programs window in the top-left corner of the screen. This is the Administrator Programs folder, where things will be moving from.

 

 

Open the All Users Programs folder

1.       Right-click on the Start button again & select Open All Users

2.       There will likely be a few extra icons here, besides the Programs folder. Except for Programs, New Office Document & Open Office Document, delete all others.

3.       Open the Programs folder, closing the previous window.

4.       Position this Programs window to the top-right of the screen. This is the All Users Programs folder, where we will be doing most of the work.

 

 

Copy Items from Administrator folder

1.       Except for the Accessories, Administrative Tools & Startup folders, copy & paste all others to the All Users folder, and then delete the original ones from the Administrator folder. Do not cut & paste or simply Move them as this will not work properly. The permissions between the Administrator folder and the All Users folder are not the same, and the only way to properly inherit the permissions in the destination folder (All Users) is to Copy & Paste.

 

2.       Once the items are copied, close the Administrator Programs folder window. We will now focus our attentions on the All Users Programs folder.
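
The copy-versus-move difference described in step 1 can be reproduced in a scratch folder. This is an added example, not part of the original IST procedure: it assumes PowerShell on an NTFS volume, all folder and file names are constructed, and the function names are hypothetical.

```powershell
# Added example, not part of the original IST procedure. All folder and file
# names are constructed; only a scratch folder under %TEMP% is touched.
$usersSid = 'S-1-5-32-545'    # BUILTIN\Users, as a SID so it works on any language edition
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$src  = (New-Item -ItemType Directory -Path (Join-Path $root 'AdministratorPrograms')).FullName
$dst  = (New-Item -ItemType Directory -Path (Join-Path $root 'AllUsersPrograms')).FullName

# Add an inheritable Allow rule to a folder, optionally cutting it off from its parent.
function Add-FolderRule([string]$Path, $Identity, [string]$Rights, [bool]$BreakInheritance) {
    $acl = Get-Acl -Path $Path
    if ($BreakInheritance) { $acl.SetAccessRuleProtection($true, $false) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# True when the file's ACL holds an Allow entry giving BUILTIN\Users read and execute.
function Test-UsersCanRead([string]$Path) {
    $read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $usersSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

try {
    # Source stands in for the Administrator profile: private to the current user.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    Add-FolderRule $src $me 'FullControl' $true

    # Destination stands in for All Users: ordinary users may read what is in it.
    $users = New-Object System.Security.Principal.SecurityIdentifier $usersSid
    Add-FolderRule $dst $users 'ReadAndExecute' $false

    # Two stand-in shortcuts, one moved and one copied into the destination.
    'demo' | Set-Content -Path (Join-Path $src 'Moved.lnk')
    'demo' | Set-Content -Path (Join-Path $src 'Copied.lnk')
    Move-Item -Path (Join-Path $src 'Moved.lnk')  -Destination $dst
    Copy-Item -Path (Join-Path $src 'Copied.lnk') -Destination $dst
    Remove-Item -Path (Join-Path $src 'Copied.lnk')

    $moved  = Join-Path $dst 'Moved.lnk'
    $copied = Join-Path $dst 'Copied.lnk'
    $before = Test-UsersCanRead $moved

    # Repair for a file that was moved by mistake: replace its ACL with the
    # permissions inherited from the folder it now lives in.
    icacls $moved /reset | Out-Null

    [pscustomobject]@{
        MovedReadableByUsers      = $before
        CopiedReadableByUsers     = Test-UsersCanRead $copied
        MovedReadableAfterReset   = Test-UsersCanRead $moved
    }
}
finally {
    Remove-Item -Path $root -Recurse -Force
}
```

A move within one NTFS volume keeps the file's existing ACL, so the moved file carries the source folder's restrictive permissions until it is reset, while the copy takes the destination folder's permissions at once.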

 

 

 

Create custom UW folders

1.       In the All Users window, look for or create the following folders:

a)      Internet Tools

b)      Microsoft Office (might already be there)

c)      Planning & Organizing

d)      Text & Document Tools

e)      UW Admin Apps

f)       Multimedia Tools

g)      Security Tools

 

2.       Inside of the Internet Tools folder, create the following folders

a)      File Transfer

b)      Mail

c)      Remote Login

d)      Web Browser

e)      Web Authoring (if any of these applications are installed)

 

 

 

Programs Folder Layout Overview

 

Re-arrange the icons in the All Users folder so that the folder structure is the same as that detailed below. Folders and entries that are hard to classify like system-board related items should be moved to appropriate folders under Accessories.

 

1.       Accessories folder layout (contains default Microsoft support applications)

a)      Accessibility (folder)

b)      Communications (folder)

c)      Entertainment (folder)

d)      Games (folder)

e)      System Tools (folder)

f)       Windows 2000 Professional Resource Kit (folder)

g)      Microsoft Intellipoint items

 

h)      Address Book (shortcut)

i)        Calculator (shortcut)

j)        Command Prompt (shortcut)

k)      Imaging (shortcut)

l)        Notepad (shortcut)

m)    Paint (shortcut)

n)      Synchronize (shortcut, this is the Windows app, a blue-grey icon, not the admin one) NOTE: This is being replaced with Oracle Calendar!!

o)      Windows Explorer (shortcut)

p)      WinZIP (shortcut)

q)      Wordpad (shortcut)

 

2.       Corel Office Suite (only if any of these applications are installed)

a)      Corel Startup group

b)      WordPerfect, etc

 

3.       Data Analysis (only if any of these applications are installed)

a)      SAS

b)      SPSS

i)        AMOS

ii)       DeltaGraph

c)      Cognos

 

4.       Graphics & Design (only if any of these applications are installed)

a)      Corel Draw

b)      Smart Draw

c)      PhotoEditor (from Microsoft Office)

d)      AutoCad

e)      Desktop Publishing tools

f)       Adobe Photoshop

g)      Adobe Photoshop CS

h)      Adobe Photoshop Elements

i)        Adobe Photoshop Album

j)        Microsoft Visio (shortcut)

k)      Microsoft Visio 2003

l)        Adobe ImageReady (part of Photoshop)

m)    Camtasia

n)      Snag-it

 

5.       Internet Tools folder layout

a)      File Transfer (folder)

i)        Secure File Transfer Client (shortcut)

ii)       WS_FTP (shortcut)

 

b)      Mail

i)        Eudora (shortcut, delete the original folder)

ii)       Outlook Express (shortcut)

iii)     Outlook (from Microsoft Office)

iv)     Pine

v)      Netscape Mail (shortcut, if it’s installed)

 

c)      News

i)        NewsExpress

 

d)      Remote Login

i)            Admmail (shortcut)

ii)           Benefactor (shortcut)

iii)         Finadm (shortcut)

iv)         Fininqadm (shortcut)

v)          IST (shortcut)

vi)         MC1Adm (shortcut)

vii)       Netterm (shortcut)

viii)      Secure Shell Client (shortcut)

ix)         Seepac (shortcut)

x)          Universe (shortcut)

xi)         X-Win32 (folder)

xii)       QWS3270 Terminal Emulator

 

e)      Web Browsers

i)        Internet Explorer (shortcut)

ii)       Netscape (shortcut)

 

f)       Web Authoring (only if any of these applications are installed)

i)        Macromedia Flash (folders, all applications)

ii)       Macromedia Fireworks

iii)     Macromedia Dreamweaver

iv)     Microsoft Frontpage

v)      Web Weaver 98 (folder)

vi)     Macromedia Contribute

 

g)      Java Tools

i)        Sun Java Web Start

 

6.       Math & Scientific (only if any of these applications are installed)

a)      Femlab

b)      Maple

c)      Mathsoft Apps (Mathcad & extras like VisSim, VoloView, SmartSketch, IBM TechExplorer)

d)      Matlab

e)      Scientific Workplace

f)       CMAP

g)      Plotting packages

 

7.       Microsoft Office menu layout

a)      Microsoft Office Tools (folder)

b)      Microsoft Access (shortcut)

c)      Microsoft Excel (shortcut)

d)      Microsoft Powerpoint (shortcut)

e)      Microsoft Word (shortcut)

 

8.       Multimedia Tools

a)      Quicktime Player

b)      Windows Media Player

c)      ATI Video

d)      Advanced Audio

 

9.       Planning - Organizing

a)      Synchronize (shortcut, this is the red icon) Note: This is being replaced by Oracle Calendar

b)      Microsoft Project

c)      Mindman

d)      Meeting Maker

e)      Oracle Calendar Client

f)       Microsoft OneNote 2003

 

10.   Security Tools

a)      Symantec/Norton AV

b)      MBSA

c)      TCP View

d)      Windows IP Config

e)      Spybot Search & Destroy

 

11.   Startup

 

12.   Text & Document Tools

a)      Acrobat Reader 5.0 (shortcut)

b)      Acrobat Creator

c)      Acrobat Distiller

d)      Ghostscript Viewer

e)      Ghostscript

f)       NoteTab Lite

g)      MikTEX

h)      Reference Manager

i)        ActivePDF Composer

 

13.   UW Admin Apps

a)      Web Access To UWDIR (shortcut)

b)      Any non-webified corporate software or required tools

 

14.   Once organized, arrange all levels of the start menu alphabetically

a)      Right-click on Taskbar\Properties\Advanced tab

b)      Click Re-sort & OK

 

15.   Check that the Start menu is now sorted (all levels). If it’s not, you have to do it the hard way.

a)      Right-click Start menu, open Programs

b)      From each folder and subfolder, right-click on an entry and select Sort By Name

c)      This procedure takes a while, but it works.

 

 

Windows Messenger Changes (if installed)

We don’t want this program launching every time Windows starts up after Outlook Express has been used.

a)      Launch Windows Messenger (run MSMSGS.EXE if you can’t find the icon to launch)

b)      Go to Tools menu/Options, Preferences tab

c)      Uncheck Run This Program When Windows Starts

d)      Exit Messenger

e)      Right-click on the Messenger icon in the System Tray and select Exit

 

We also don’t want Messenger running each time Outlook Express is launched

a)      Run Regedit

b)      Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express

c)      Create a new DWORD Value called Hide Messenger

d)      Modify the Value Data to 2

e)      When done, the new entry should be Hide Messenger     REG_DWORD    0x00000002 (2)

 

Set Primary DNS (not for off-campus Notebook and HOME builds)

 

1.       Go to Start/My Computer/Properties/Computer Name tab/Change/More button

 

2.       For the entry area labeled Primary DNS Suffix Of This Computer

a)      For an ADS build enter ads.uwaterloo.ca

b)      For all other builds enter uwaterloo.ca

 

3.       Uncheck Change Primary DNS Suffix When Domain Membership Changes

 

4.       Click OK, OK. You don’t have to restart if you don’t want to.

 


Create UWDIR Access link

 

1.       Right-click Start menu/Open All Users & open Programs folder

 

2.       Create a new folder called UW Admin Apps and open it.

 

3.       Create a new shortcut

a.       For the entry called Type the location of the item enter http://ego.uwaterloo.ca/~uwdir

b.       Click Next

c.       For the entry called Type A Name For This Shortcut enter Web Access to UWDir

d.       Click Finish

 

4.       Right-click on the new shortcut and select Properties

a.       Select Change Icon

b.       In the File Name entry type in C:\Winnt\system32\shell32.dll

c.       Select the Magnifying Glass on Paper icon

d.       Click OK, Apply & OK

 

5.       Execute the shortcut to make sure it works

 

Changes applied assuming Computer will join ADS

 

Applications on computers joining ADS are installed from MSI (Microsoft Installer) files. These MSI’s have been built to “phone home” if updates or fixes are required.

 

1)      Map Network Drives

a)      Go to Start menu, open up My Computer.

b)      Go to Tools menu and select Map Network Drive

c)      If building an ADS image, map another drive to \\uwfile\apps$ using drive letter F. This drive contains the MSI files for most of the ADS applications.

i)        Enable reconnect at logon

ii)       Click on different user name and use ads\!username and the proper password for access.

iii)     Click OK & Finish to create the network drive

 


Core Application Installation

 

This installs all the core applications via the Active Directory Software Policy. All the standard applications will get installed automatically.

 

1.       Check that the PC name is correct, registered & pre-staged in the ADS domain & the Ethernet card speed & duplex is properly set (not auto-detect). If any of these steps are wrong, the software policy likely won’t run and the packages won’t install.

 

2.       Add the machine to the ADS domain.

 

3.       Once added to ADS, the Administrator account will be renamed to istAdministrator. Remember this because the login window will still say Administrator and you won’t likely be able to login.

 

4.       Reboot the system and let the software policy run. This will install all the standard deployed applications. Before the login window appears, you should see some messages regarding Applying Software Policy Settings which will take several minutes to complete.

 

5.       If the policy didn’t run (software definitely didn’t install, no messages before the login window) wait for a time and reboot again. If it really doesn’t look like the policy is running, check all the criteria from the first step.

 

6.       If the policy is trying to run, but it runs very fast (less than a minute), contact someone in the NTMAINT support group. It is possible that the network source for the software is having a communications problem, and someone will have to look at it.

 

7.       Once all deployed software has installed and the system is sitting at the login window, login as Administrator.

 

8.       Launch each application to get them completely installed. Some applications like to check with their MSI install source before fully functioning. You will likely have to map a network drive manually to \\uwfile\apps$ for some of the MSI packages to run at all.

 

9.       If the language bar comes up in either the System Tray, Taskbar or on the Desktop after launching one of the Office products, remove it.

a)      Right-click on the language bar & get settings

b)      Click Language Bar button

c)      Uncheck Show Language Bar on Desktop

 

10.   Remove the machine from the ADS domain and put it back into the WORKGROUP workgroup. Windows XP will demand authentication to remove the machine. An ads Administrators account will be required.

 

11.   You can check the state of the ADS software policy by running gpresult /z from a cmd window. It can be rather wordy, but it’s worth a look. The Core Application List for Dec. 2004 is:

 

a)      Acrobat Reader 5.1

b)      Eudora 6.1

c)      Microsoft Office XP with SP3

d)      SSH 3.2.9

e)      Oracle calendar 9.0.4

f)       Oracle Connector 9.0.4

g)      Windows 2000 Resource Kit

 

12.   Once the machine is removed from ADS, rename the istAdministrator account back to Administrator.

a)      Right-click My Computer/Manage/Local Users and Groups/Users

b)      Right-click on istAdministrator and select Rename

c)      Change the name back.

d)      Close the Computer Management window

 

 

Suggested Changes to be applied if Computer will NOT join ADS

 

As mentioned elsewhere, we encourage all workstations in Academic Support, desktops and notebooks alike, to join the ADS domain. We do this not only to provide easier access to Academic Support computing resources but also to allow IT staff to help manage these PCs in case of trouble.

 

Many policies are available, as discussed in the Security Section, to be applied to workstations that join ADS. Most are applied for security reasons, and updated if new concerns, software or service packs require it (or allow enhanced features).

 

Software, as seen below, is applied from central file shares on managed machines. This allows the applications to repair themselves if key files get deleted or additional features are enabled. Applications on non-managed PCs are typically installed from the manufacturer’s CDs or web site. Allowing distribution from on-campus file servers is being discussed.

 

Usability is a big issue with most managed clients. See the Usability Features section to see what changes you can apply to help make you more productive.

 

TO BE CONTINUED AS ANSWERS BECOME AVAILABLE

 

Application Installation

 

The following section documents the way we in IST add applications to a workstation. We offer the applications in a customized installer package called an MSI (Microsoft Installer). These are slightly different from the versions installed from the original manufacturer’s CDs in that they have some UW customizations applied. Another advantage is that installing from MSI files allows the applications to self-heal in the event that they get damaged, so long as the source files remain.

 

 

At the moment the only way these MSI’s can be accessed is with an administrative account that has been granted access. Changing this is being discussed.

 

If building an ADS image, map a drive to \\uwfile\apps$ using another drive letter. This drive contains the MSI files for most of the ADS applications.

a.       Enable reconnect at logon

b.       Click on different user name and use ads\!username and the proper password for access.

c.       Click OK & Finish to create the network drive

 

 

Microsoft DirectX

Windows XP comes pre-installed with version 8.1. It is likely a good idea to verify what version is installed before downloading and installing another one. You can determine what version is installed by starting a command prompt and running dxdiag.exe. Look for the DirectX Version line.

 

If there is a newer version, install it now. Download it from http://www.microsoft.com. Check for and install any sub-revision updates (like 9.0B).

 

This software is used by sound & video cards, which are installed after this. Once installed, verify that it installed properly. Execute the dxdiag.exe application from the RUN box to check the install.

 

Install Latest Internet Explorer 6.0

 

  1. IE version 6.0 comes installed with WXP SP1, so it is already installed.

 

  2. Once Internet Explorer is installed, launch it

 

  3. Reposition and resize the browser window manually (don’t use the maximize button) so that the window is a good size, and fully visible.

 

  4. Exit IE and then re-launch. This makes IE remember the window size and position

 

Adobe Acrobat Reader (homepage: http://www.adobe.com)

Note: As the Oracle Government Financials (OGF) is only compatible with Acrobat 5.1, stick with this version for now. This applies to all versions of the image build.

 

  1. For HOME images, check the Adobe web site for the newest version, and install the full version with the SVG Viewer. If you wish to use the MSI files, copy the install folder down to the local hard disk under the folder c:\MSIAPPS and install from there.

 

  2. For CUSTOM builds, check with the client to see if this is necessary

 

 

Eudora (homepage: http://www.eudora.com)

 

  1. For HOME builds, download the latest version from their homepage
    1. Install Eudora in advertising (non-paid) mode. This way it is free to use. There is no campus license.
    2. Select User’s Application Data Folder for where the Eudora mailbox files are stored
    3. Accept all other defaults
    4. Don’t create a desktop shortcut.

 

  2. For CUSTOM builds, check with the client to see if this is necessary

 

 

Secure Shell Client (SSH) (homepage: http://www.ssh.com)

 

  1. For HOME, get the latest licensed CD version on the HOME CD in the CHIP
    1. To make it a licensed version (if the version requires a license)

      i. Execute Secure Shell Client

      ii. Go to Help menu/Import License File

      iii. Browse to the SSH folder on the install CD and point to the license.dat file.

 

  2. For CUSTOM builds, check with the client to see if this is necessary

 

  3. This software is also available from the manufacturer’s site, but it won’t be licensed unless you have the license file from our existing copy of SSH

 

 

 

Windows 2000 Resource Kit

NOTE: A Windows 2003 Resource kit is also available from Microsoft. (No Windows XP Resource kit was released.)

IST uses some of the features of the Windows 2000 Resource Kit on occasion, for management. It is not a necessity for notebooks or home computers.

Second NOTE: The install location mentioned is available to ADS administrators only. Others are encouraged to download this from Microsoft.

1.       Install from the MSI files from \\depot$\SupportSoftware_IST_Only\W2K\W2K Professional  

2.       Accept the license agreement and install defaults


Install Microsoft Office XP Pro (non-ADS)

 

 

1.       For HOME, CUSTOM & NOTEBOOK, install from the CD set.

a)      Create a folder under C:\WINNT (or C:\WINDOWS) called OfficeXPSrc.

b)      Insert the OfficeXP CD.

c)      Make sure Show Hidden Files and Folders is enabled. If it is not, some of the files on the CD will not be visible to be copied in the next step and the installation will fail with an “Office Source is Corrupted” message.

d)      Copy the entire contents of the Office XP installation CD to OfficeXPSrc. Remove the CD when done.

e)      Select all the files now copied on the hard disk, get properties and uncheck the read-only flag.

 

f)       For a full install, including Front Page, launch the installer by double-clicking SETUPPLS.EXE from the OfficeXPSrc directory, not the CD

g)      For an install not including Front Page, launch the installer by double-clicking SETUPPRO.EXE from the OfficeXPSrc directory, not the CD.

h)      Use the license BVGM7 - QGD2F - TK7MT - V6YPK - 97PMY if needed (UW license)

i)        Select Custom install

j)        Select Choose Detailed Installation Options For Each Application

i)        Expand the Word for Windows entry (click on the +)

ii)       Expand the Wizards & Templates entry.

(a)    Click on box beside the More Templates & Macros entry & select Run from My Computer

iii)     Expand the Office Tools entry

(a)    Click on the box beside the Equation Editor entry & select Run From My Computer

(b)    Click on the box beside the Microsoft Photoeditor entry & select Run From My Computer

k)      If other features are needed (like the shortcut bar under Office Tools) or not needed (like Frontpage or Outlook) select the box beside the option and select the appropriate option from the drop-down box

 

l)        Click Next & Install

 

 

2.       Launch Internet Explorer and go to Tools menu/Windows Update.

a)      Click the Office Update button.

b)      You will be brought to a page where you can check for and install Office patches and service packs.

c)      The install of Office patches might take several reboots and you will have to go back to Office Update each time and check for more patches.


Symantec/Norton Anti-Virus Corporate Edition Client

 

Symantec confirmed a problem with screen flickering in Windows Explorer with SAV versions 8.0x and 7.61 that appears when mapping drives on Netapps file servers. Install the newest version available. (For some this flickering is not noticeable.)

 

1.       For ADS builds, install as managed using the server Aspen as the manager

2.       For HOME & Notebook, install from CD as managed from the server ANTIVIRUS

3.       For CUSTOM, you could schedule Live Updates directly from Symantec. Note these will not be tested by UW staff first and may affect some applications.

 

 

When the bugs are fixed in future versions, use the following install procedure for SAV 8.x:

 

1.       For ADS install directly off of an AntiVirus Server.

a.       The install is located at \\aspen\vphome\clt-inst\win32\setup.exe.

i.         Use your ads\!username account when asked for authentication

b.       Accept the install defaults

 

2.       For HOME builds, install from CD. The CHIP usually has the latest version licensed for campus use.

a.       Install as managed from the server ANTIVIRUS

b.       Do not schedule any scans

c.       Uncheck Run LiveUpdate

d.       Once installed, double-click on the Shield icon in the System Tray and click on the Live Update button to download the latest updates.

 

3.       For CUSTOM builds, check with the client if this is necessary or needed

 

 

SAV/NAV Removal of the Managed Install

If there is ever a need to remove a managed NAV/SAV install, use Add/Remove Programs to remove it, and use the Installer password for authentication.

 

 

 

Notes: If SAV/NAV will not install, uncheck the Lotus Notes option and try again. If this doesn’t work, reboot and try again.


Auxiliary & Support Application Installation

 

These applications provide added functionality for the image. The multimedia plugins are installed later.

 

Windows Media Player & Codecs

a)      For CUSTOM builds, check with the client to see if this is necessary

b)      XP comes with version 8.0

c)      Download the latest from http://www.microsoft.com

d)      Accept the install defaults

e)      Don’t allow icons on the desktop, Quick Launch bar or Start Menu.

f)      Uncheck all options but Retrieve Media Information For CD’s & DVD’s…

 

 

 

Microsoft Intellipoint Drivers (latest stable version is 4.12)

a)      For CUSTOM builds, check with the client to see if this is necessary

b)      Download from http://www.microsoft.com

c)      Run the installer

d)      Select Canada as where the product was acquired

e)      Accept the license agreement

f)      Select the Basic Mouse pointing device

g)      Uncheck Place Microsoft Intellipoint Shortcuts On My Desktop

h)      Drivers will install

i)      Uncheck I Want To Register This Product…

j)      Restart system to complete the install

k)      Once rebooted, close the Microsoft Intellipoint Quick Start Guide window

 

 

Page Defrag

w)    Download it from http://www.sysinternals.com. An older version is also available on \\uwfile\ps_nt$\Workstation_Building\Common Software\Page Defrag

x)      Copy the Page Defrag folder into the C:\Drivers folder. This program will be used later to defragment files that Windows cannot defragment itself (like the paging file and active system files)

 

 

Perfect Disk (latest is 6.0, only if you want to use this later for image Defragmentation)

y)      Download a 30 day trial copy from http://www.raxco.com

z)       A 30 day trial copy also resides on \\uwfile\ps_nt$\Workstation_Building\common_software\Perfect_Disk

aa)   Once installed, execute it

bb)   Go to Tools menu/Advanced Configuration

cc)   Under General Settings tab select Stand Alone option

dd)   Under Auto-Update tab uncheck Automatically Check For Updates

 

ee)   From inside Perfect Disk, right-click on the C: drive and select Properties

ff)     Go to the Offline Defrag Settings tab

gg)   Check System Files and Paging Files

 

 

 

Microsoft Baseline Security Analyzer

hh)   Download from http://www.microsoft.com

ii)       Accept the install defaults

jj)       Uncheck Place Shortcuts On The Desktop

kk)   Uncheck Show Readme File After Installation

ll)       Uncheck Launch Application After Installation

 

 

TCPView

Download from http://www.sysinternals.com. A copy also resides under \\uwfile\ps_nt$\Workstation_Building\common_software\tcpview

mm)   Unpack the download and copy the program folder to Program Files

nn)   Create a shortcut to tcpview.exe, rename it to something better (TCP View) and put it under c:\documents and settings\all users\start menu

 

 

WINIPCFG executable (download from Microsoft)

This utility used to be part of the Win9x world. Microsoft has released a version compatible with the NT kernel, but it is not included on the Windows install CD.

oo)   Copy this from \\uwfile\ps_nt$\Workstation_Building\common_software\winipcfg to c:\winxxx\system32

 

Final Step

Run Windows Update again, to see if any Microsoft Products that were just installed need updates

 

 

Application Customizations

 

These are done here instead of during the application install because sometimes one application affects others. It is better to complete the software customizations once everything is installed.

 

If, during an ADS build, a dialog comes up complaining that a network resource cannot be found (like \\uwfile), then map a drive to \\uwfile\apps$ and try the application again.

 

 

 

Adobe Acrobat Reader

a.       Execute Acrobat and accept the license agreement. It should never ask for this again. There is no campus license for this as it is for general use.

 

b.       Go to the Edit menu/Preferences

c.       Select the Update option

d.       Under the Check For Updates drop-down box select Manually

e.       Uncheck Show Auto-update Confirmation Dialog

f.        Select Web Buy option.

g.       Uncheck Enable Web Buy

h.       Exit the Preferences window

i.         Exit the application. Browse to c:\program files\adobe\acrobat\help\enu and double-click on any of the PDF files there.

 

 

 

Secure Shell Client

f)       Execute both the Secure Shell Client and Secure File Transfer Client shortcuts

                          i)      Position the windows so they are centered & fully visible on the screen.

                         ii)      Go to the File menu/Save Layout (or Save Settings)

 

g)      Launch Secure Shell Client

                          i)      Go to Help menu/About Secure Shell

                         ii)      If this version needed a license file, verify that the license key is valid, that it is non-expiring, and that it is registered to someone (like Jeff Voskamp)

 

h)      Add a series of Profiles (SSH version 3.2x and higher only) for

                          i)      admmail (admmail.uwaterloo.ca)

                         ii)      benefactor (imagine.uwaterloo.ca)

                       iii)      finadm (fin.adm.uwaterloo.ca)

                       iv)      fininqadm (fininq.adm.uwaterloo.ca)

                        v)      info (info.uwaterloo.ca)

                       vi)      ist (ist.uwaterloo.ca)

                     vii)      mc1adm (mc1adm.uwaterloo.ca)

                    viii)      universe (universe.uwaterloo.ca)

 

                       i)      Click the Profiles button/Add Profile

                      ii)      Enter the name of the profile

                    iii)      Do this for all the servers needed

 

                       i)      Click the Profiles button/Edit Profile

                      ii)      Select the Connection tab

                    iii)      Select the Profile name (in the left pane)

                    iv)      Under Host Name, enter the full server address (from the above list, entry in brackets)

                     v)      Click OK

                    vi)      Do this for all the Profiles (except for defaultftp)

 

                       i)      Click the Profiles button and select the first name

                      ii)      Enter a fictitious login name

                    iii)      Accept the download of the Host Identification Public Key

                    iv)      Cancel the password window

                     v)      Do this for each of the Profiles

 

i)        Exit SSH and save settings if asked.

 

 

Microsoft Office XP

j)        Execute Word to activate the product.

k)      Launch Word, Excel and Powerpoint:

                          i)      For each one, go to Tools menu/Customize

                         ii)      Check Show Standard Formatting Toolbars on two rows

                       iii)      Check Always Show Full Menus

                       iv)      Close the Customize window

                        v)      Close the language bar if it has become visible.

 

l)        Fix for Clipart Issues with Office2003

                          i)      Launch Powerpoint XP

                         ii)      Go to Insert/Picture/Clipart

                       iii)      Click on Now to build the Clipart database

 

m)    Fix for Equation Editor

This changes the Equation Editor to work in its own window, rather than inline in the document. This change was made as per Carol Vogt’s recommendation.

                          i)      Double-click the file c:\program files\microsoft office\office 10\macros\support.doc

                         ii)      Check Always Trust Macros From This Source

                       iii)      Check Enable Macros

                       iv)      Click Registry Options button

                        v)      Select the Equation Editor Options tab

                       vi)      Select Force Open option

                     vii)      Select Full Window

                    viii)      Click Change button. The Force Open setting should now be set to 1

                       ix)      Close the Registry Options window and exit Word

 

n)      Test Equation Editor changes

                          i)      Execute Word

                         ii)      Go to Insert menu/Object

                       iii)      Under Object Type, select Microsoft Equation 3.0

                       iv)      Click OK

                        v)      You should get a separate window for the Equation Editor

                       vi)      Exit Word

 

 

Internet Explorer Options

Set Default Home Page

a)      Go to Control Panel/Internet Options

b)      Select the General tab

c)      In the Address field under the Home Page area, enter http://www.uwaterloo.ca

 

Set Default Programs

a)      Select the Programs tab

b)       In the E-mail box under the Internet Programs area, select Outlook Express as the default mailer

 

Set Browsing Options

a)      Select the Advanced tab

b)      Under the Browsing section uncheck Automatically Check For Internet Explorer Updates

c)      Under the Microsoft VM section check Java Console Enabled (only if Sun Java not installed)

d)      Under the Security section check Empty Temporary Internet Files Folder When Browser Is Closed

 

Set Security Levels

o)      Select the Security tab

p)      Click on each zone entry (Internet, Local Intranet, Trusted Sites, Restricted Sites) and click Default Level

q)      Click Apply & OK

 

Set Default Text Size

a)      Launch Internet Explorer

b)      Go to View menu/Text Size and select Medium

c)      Quit IE

 

Change Internet Explorer download directory

a)      Run Regedit

b)      Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

c)      Create a new String Value called Download Directory

d)      Modify the value to C:\TEMP

 

 

 

Notepad & Wordpad

a)      Execute Notepad & Wordpad

b)      Position each window so it is a good size, and fully visible

c)      For Notepad, enable Word Wrap (under Format menu/Word Wrap)

 

 

Regedit

a)      Execute Regedit

b)      Resize & reposition the window so it is all visible and comfortable to work in.

c)      Close all the open + tabs

d)      Click on the My Computer entry at the top of the left list.

e)      Exit Regedit

f)       This leaves regedit in a clean state

 

 

Flash & Shockwave Plugins

a)      Test them on the Macromedia web site (http://www.macromedia.com). The site should not complain about your browser not having everything it needs to play all the animations, like the Flash player.

 

 

Remove Outlook Desktop Icons (if Office installed)

r)       Execute Outlook

s)       Cancel the Setup Wizard

t)        Quit Outlook

u)      Remove any extra icons from the Desktop and Quick Launch bar

 


Validate All Applications

 

This procedure checks all the applications, making sure they work and that any necessary license files exist in the correct location.

 

1.       Execute all applications & test them

 

2.       Run Internet Explorer last to make sure it is set as the default browser

 

3.       Especially important to test are Acrobat, Office and Internet Explorer

 

4.       Run Windows Update again

 

5.       Run Office Update again

 

6.       (not ADS) Run Symantec AntiVirus Live Update again

 

 

Optional Changes

 

Add custom power user account

NOTE: Running all the time as an administrator is strongly discouraged.

SECOND NOTE: We are currently researching whether or not we can scale back the permissions most of our clients have on their workstations from Power User to User. If you already know that you need a power user account, this step is for you.

1.       Select Action menu/New User

a)      For both User Name and Full Name enter a user name you will remember

b)      For Description, enter Local Power User Account

c)      For both password fields, enter a password you will remember later.

d)      Check Password Never Expires

e)      Click Create & close the New User window

 

f)       Right-click the user name entry & select Properties

g)      Go to the Members Of tab

h)      Click Add

i)        Select Power Users

j)        Click Add & OK

k)      Select the Users entry & click Remove

l)        Click Apply & Close

 

Lucida Console font fix

This problem was reported by Cathy Cooper of ODAA, Apr 14/04. Apparently without doing this, Windows doesn’t think the Lucida font is fully installed.

v)      Open up C:\Windows\Fonts

w)    Move out the Lucida Console font file to the desktop

x)      Move the LUCIDA.TTF file back into Fonts

y)      A message saying Installing Font should come up.

 

Changes Applied Remotely by joining ADS

As discussed in the Introduction, more customizations to your Windows XP operating system occur when you join your PC to the ADS domain. Please note that very few policies are considered mandatory. Most are desired by the departments you may be part of and are applied by virtue of departmental (or Organizational Unit) membership.

 

Advantages to joining your computer to the ADS domain are discussed in “Setting_up_a_Notebook_versus_a_Desktop.htm”. If the benefits cited there are not enough to convince you to join the domain, the subsections below identify exactly what changes are applied. The example workstation (and user) in the detailed list has been joined to the IST Organizational Unit and has all changes required of that department listed.

Mandatory Policies Applied

These are the policies applied to all workstations that join the ADS domain. The primary reason for most of them is security.

Optional Policies Applied to departmental PCs

These are the policies applied to a computer joined to a departmental organizational unit, specifically IST in this example.

Effect of Policies Applied

A detailed view of all policies applied in ADS and their effect on the OS can be viewed by clicking here.

 

Less Detailed Reference

To see a less detailed summary of policies applied go to: http://winxp.uwaterloo.ca/Documentation/CM/Remote_Changes_Applied_to_Managed_ADS_Workstations.htm

Final Customization, if desired

 

Final, optional, customizations change between releases of Service Packs. None are documented at this time but this section has been left in for now.

Final Cleanup

Remove Excess Profiles & Users

 

This cleans up the area under C:\Documents and Settings, where all the user profiles are stored, as well as removes any unnecessary and potentially dangerous accounts that should not be there. Deleting a profile doesn’t delete the userid that created it, and deleting the userid doesn’t remove the profile associated with it. They must be done separately.

 

1.       Go to Start\Settings\Control Panel\System\Advanced tab

a)      Click Settings from the User Profiles area

 

2.       Delete all profiles except for Administrator (you can’t anyways!)

a)      If some won’t delete because the Delete button is greyed out, reboot the system

 

3.       Right-click My Computer\Manage\Local Users And Groups\Users

a)      Remove all accounts but Administrator, Guest, !uwadmin

b)      Windows XP also has the accounts HELP_ASSISTANT & SUPPORT_xxx. Don’t remove these.

 

4.       Close all open windows and do the Remove the Junk procedure again.
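One way to check step 3 before an image is cut, as an added example that is not part of the original IST procedure: the Python sketch below parses the text printed by `net user` and lists every local account that is not on the keep list above. The sample output, the accounts jsmith and install test, and the SUPPORT_ suffix are constructed; the parser assumes the English `net user` layout with 25-character name columns.

```python
"""List local accounts that 'Remove Excess Profiles & Users' would remove."""
import sys

# Accounts the page says to keep. The page writes HELP_ASSISTANT; Windows XP
# names that account HelpAssistant, so both spellings are accepted.
KEEP_EXACT = {"administrator", "guest", "!uwadmin",
              "help_assistant", "helpassistant"}
KEEP_PREFIX = "support_"   # SUPPORT_xxx: the suffix differs between installs
COLUMN_WIDTH = 25          # assumed width of each name column in `net user`


def parse_net_user(output):
    """Return the account names from the fixed-width table `net user` prints."""
    names, in_table = [], False
    for line in output.splitlines():
        if set(line.strip()) == {"-"}:       # dashed rule opens the name table
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        # Slice by column instead of splitting on spaces: names may contain spaces.
        for start in range(0, len(line), COLUMN_WIDTH):
            name = line[start:start + COLUMN_WIDTH].strip()
            if name:
                names.append(name)
    return names


def is_kept(name):
    """True if the procedure says this account stays on the workstation."""
    lowered = name.lower()
    return lowered in KEEP_EXACT or lowered.startswith(KEEP_PREFIX)


def audit(output):
    """Return, sorted, the accounts that are not on the keep list."""
    return sorted(n for n in parse_net_user(output) if not is_kept(n))


def _row(*names):
    return "".join(n.ljust(COLUMN_WIDTH) for n in names)


# Constructed sample of `net user` output (not captured from a real machine).
SAMPLE = "\n".join([
    "",
    "User accounts for \\\\BUILD-PC",
    "",
    "-" * 79,
    _row("!uwadmin", "Administrator", "jsmith"),
    _row("Guest", "HelpAssistant", "install test"),
    _row("SUPPORT_1a2b3c4d"),
    "The command completed successfully.",
    "",
])

if __name__ == "__main__":
    # Pipe real output in (net user | python audit.py) or run on the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for account in audit(text):
        print("not on keep list:", account)
```

An empty result means only the accounts named in step 3 remain; the matching profile folders under C:\Documents and Settings still have to be checked separately, as the text above explains.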

 

Empty the Recycle Bin if there’s anything in it.

 

Clear Out the Junk (Optional, but helpful)

 

This cleans out all the useless files that get left after installing an OS and software. There can be a lot of things left behind. We don’t want any of it to clutter up a new image, and take up valuable space and installation time on the install CD’s.

 

1.       Go to Control Panel/Internet Options/General tab

a)      Click Delete Cookies button

b)      Click Delete Files button (and check Include Offline Content)

c)      Click Clear History button

d)      Close the window

 

2.       Execute Netscape (if installed)

a)      Go to Edit menu/Preferences

b)      Delete Internet History, Internet Cache (including off-line content) & Cookies

 

3.       Delete NAV Logs under C:\Documents And Settings\All Users\Application Data\Symantec\Norton AV\7.5\logs

 

4.       Open C:\Documents and Settings\Administrator

a)      Delete everything in the Favorites folder

b)      Delete everything in the My Documents folder

c)      Delete everything in the Local Settings\Temp folder

d)      Delete everything in the Local Settings\Temporary Internet Files

 

5.       Delete System Event Logs

a)      Right-click My Computer/Manage

b)      Open (+) the Event Viewer entry

c)      Right-click on each log (application, security, system) & select Clear All Events from the drop-down menu.

d)      Say No to saving the logs

e)      Close the Computer Management window

 

6.       Delete Recent Documents and Recent Applications list entries

a)      Right-click on Taskbar\Properties\Start Menu tab\Customize button & click the Clear List button

b)      Select the Advanced tab & click the Clear List button

c)      Click OK, Apply, OK

 

7.       Delete contents of the c:\windows\prefetch directory

 

8.       Delete all PQI and 0xx (PQDI) files from the BACKUP partition (unless they are needed)

 

9.       Delete the WUTemp folder from c:\. This is left over from using Windows Update

 

10.   Delete all *.LOG files from c:\ (from application installations, like Norton AV)

 

11.   Delete everything in the c:\winnt\temp (or c:\windows\temp) folder

 

12.   Delete unnecessary folders from c:\drivers

 

13.   Delete everything in c:\temp

 

14.   Empty Recycle Bin
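The file-system steps of this procedure (3, 4, 7, 9, 10, 11 and 13) can be verified before the image is cut. The Python check below is an added example, not part of the original IST procedure; it reports whatever is still present in the locations the list names. The function names `find_residue` and `demo` and the demo tree are constructed for illustration.

```python
"""Report files the 'Clear Out the Junk' steps should have removed."""
import sys
import tempfile
from pathlib import Path

# Folders the procedure empties, relative to the system drive (paths from the
# page). Windows ignores case in these names; other file systems may not.
PROFILE = "Documents and Settings/Administrator"
EMPTY_DIRS = [
    "Documents and Settings/All Users/Application Data/Symantec/Norton AV/7.5/logs",
    PROFILE + "/Favorites",
    PROFILE + "/My Documents",
    PROFILE + "/Local Settings/Temp",
    PROFILE + "/Local Settings/Temporary Internet Files",
    "windows/prefetch",
    "windows/temp",
    "winnt/temp",
    "temp",
]


def find_residue(root):
    """Return sorted drive-relative paths of leftovers found under root."""
    root = Path(root)
    leftovers = []
    for rel in EMPTY_DIRS:
        folder = root / rel
        if folder.is_dir():              # a missing folder has nothing to report
            leftovers.extend(folder.iterdir())
    if (root / "WUTemp").exists():       # step 9: the whole folder should be gone
        leftovers.append(root / "WUTemp")
    # Step 10: *.LOG files directly in the drive root (extension case ignored).
    leftovers.extend(p for p in root.iterdir()
                     if p.is_file() and p.suffix.lower() == ".log")
    return sorted(p.relative_to(root).as_posix() for p in leftovers)


def demo():
    """Audit a constructed drive tree built in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "windows/prefetch").mkdir(parents=True)
        (root / "windows/prefetch/NOTEPAD.EXE-1A2B3C4D.pf").write_text("x")
        (root / "temp").mkdir()                  # already emptied: not reported
        (root / "WUTemp").mkdir()
        (root / "setup.LOG").write_text("x")
        (root / "boot.ini").write_text("x")      # not residue
        return find_residue(root)


if __name__ == "__main__":
    # Pass the drive root (for example C:\) as the argument, or run the demo.
    found = find_residue(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for item in found:
        print("still present:", item)
```

The event logs, browser history and the Recent Documents list are not files this check can see, so steps 1, 2, 5 and 6 still need to be confirmed by hand.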


Set the Default Profile

 

This sets the profile that all new user accounts will receive. Any new user will receive the same look and layout that the Administrator account was set up for. What actually happens is all the contents of the default user folder are deleted and the contents of the administrator folder are copied there, and the appropriate permissions set. Thus, anybody logging into the machine for the first time will inherit the default user profile, which we have customized.

 

Under Windows XP, you can’t copy the profile of the active account like we could under Windows 2000, so we need to do a few extra steps:

 

1.       Log off Administrator and log on to a backup administrator account

 

2.       Right click on My Computer/Properties/Advanced tab/Settings under User Profiles

 

3.       Select the xxx/Administrator profile and click the Copy To button

 

4.       Copy it to C:\Documents and Settings\Default User (if this folder is not visible using the browse button, just type it into the entry box. It will be faster than trying to do a Show on hidden files).

 

5.       Click OK, OK, Yes

 

6.       Exit the System Properties window

 

7.       Log off the backup account and log on with Administrator again.


 

 

Create a Backup Image

 

Backup is important. We recommend you create a backup of your workstation contents at appropriate times if your computer is not based on the IST image.

When we are finished customizing our computers we back them up by creating an image of the contents that we can restore if problems happen. This image is a compressed copy of everything found in a disk partition; when restored onto the computer, it sets the partition back to exactly the state it was in when the image was made. The compressed image can be written to another disk partition on your hard disk, or to writable CD’s or DVDs. Removable media gives the added security of letting you restore the contents if your only hard disk fails, although an image of the primary partition kept on a second partition of your only hard drive (or on a second hard drive) can also get you out of trouble.

 

Several products can be used to create a partition image. The one we use is PowerQuest Drive Image/Deploy Center. Other products like Symantec Ghost will also work.

 

Appendix A: Changes that may have to be applied if your computer was not purchased in Canada

Customizing regional settings:

o        Select Customize on Regional & Language Options

o        Select English (Canada) in Standards & Formats

o        Select Canada for Location.

o        Click Apply

o        Select the Languages tab & click Details

o        Set Default Input Language to English Canada (US)

o        Click OK & Apply

o        Select Advanced tab

o        Under Language for Non-Unicode Programs select English (Canada)

o        Click Apply & OK

o        Click the Details button.

o        Remove the English (US) Keyboard item

o        Click Apply, OK

o        Click Next

 

Set Date & Time

o        Select time-zone (GMT -05:00) Eastern Time (US & Canada)

o        Check that the time is correctly set

 

Appendix B: Final check of hardware and device drivers

 

It is wise to keep device drivers current. Occasionally check to see if newer versions exist before applying a new Service Pack.

Also check to make sure all current hardware is supported before installing the latest Service Pack or operating system.

 

 

 



Maintained by: Manfred Grisebach, IST – Systems. Text extracted and reorganized from documents maintained by Peter Schepers. Last modified Mar 30th 2005