Author: Andreas Stenhall

It seems a fairly common misconception is that to be able to use Windows 7 in a Windows or should I say Active Directory environment one need to have either Windows Server 2008 or Windows Server 2008 R2 domain controllers. There are also misconceptions about the need to raise the forest and domain functional levels to be able to use the full power of Windows 7. Neither of these are true.

You can get all the same features if you are using Windows Server 2003 domain controllers and that is also regardless of which forest or domain functional levels you are running with. The most common misconceptions are:

• Group Policy Preferences. Work very well in a 2003 domain. However you need to manage the group policies from a Windows 7 or Windows Server 2008 R2 machine using Group Policy Management Console found in the Remote Server Administration Tools.
• BitLocker. To store recovery keys in AD you need to extend the schema. If you have a domain controller that is running Windows Server 2008 or later you have what it takes, if you are running Windows Server 2003 on your domain controllers you simply extend the schema.

I must add that you get stronger encryption for Kerberos by using Windows Server 2008 domain functional level though but the bottom line is that the functionality of the Windows 7 client is the same regardless of forest or domain functional levels.

When testing application compatibility when moving to Windows 7 you can use ACT (Application Compatibility Toolkit) and the tools in there to test and fix applications. Another tool that you can use to learn about dependencies when compatibility testing your applications is a tool called Dependency Walker.

With this tool you basically open a system file, for instance a DLL or an OCX file, and it will list its dependencies to other files on the system. This can be good for finding what is causing registration of for instance DLL or OCX files to fail on Windows 7 while it works fine on Windows XP. There can be runtimes missing.

Today I visited a customer site where the customer had setup a central store, meaning all group policy defintion files and language files are placed in the SYSVOL share for better management of group policies. One benefit of that central store is that all administrators managing and editing group policies are using the same templates.

The problem in this case was that whenever they started editing a group policy they got tens and tens of warning about various admx files along with for example resource errors. I looked into PolicyDefinitions folder in the SYSVOL share and immediately noticed that there was admx and adml files missing and that there were mismatch between the version of the admx and adml files.

I took a Windows 7 with SP1 client and added/replaced all admx files from there. After that I took the en-us folder and replaced what was in the SYSVOL folder with that one, followed by doing the same for the sv-se, i.e. the Swedish language files. While at it I installed IE9 and put in the inetres.admx and respective adml files for each language to have the capabilities of editing Internet Explorer 9 policies as that is to be included in the Windows 7 image. Voila!

So the bottom line is; keep the central store consistent and make sure that when you create the store that you populate it with admx and adml files from the latest client OS with service pack when managing Windows 7, and that you do make sure that you have the same version of all admx and adml files or else you will get errors due to mismatching files.

When companies deploy Windows 7 most of them are looking at the 64-bit version of Windows 7. This architecture of Windows does not support running 16-bit applications, which unfortunately still is widely in use. If you do an inventory with ACT (Application Compatibility Toolkit) it will inventory all executables as well as CMD files and some other stuff and it will contain information about 16-bit applications lying around and being used by the users in your business.

The trick is that the GUI does not provide a way to view these applications so you have to turn to doing a SQL query using for instance the SQL Management Studio Express tools. Use the SQL Query below to get information on any none 32- or 64-bit executable. The query (thanks to Chris Jackson) will return for instance WOW (Windows on Windows) or DOS applications and that will/might indicate a 16-bit app which you should prioritize to test and handle as necessary.

USE ACTDATABASE
GO

SELECT DISTINCT Applications.appName, Static_App_Properties.fileName, fileModuleType

FROM Static_App_Properties
INNER JOIN Application_Instance_Files
ON Static_App_Properties.identity_hash = Application_Instance_Files.filePropertyID
INNER JOIN Applications
ON Application_Instance_Files.appID = Applications.identity_hash

WHERE fileModuleType<>'32BIT' AND fileModuleType<>'64BIT' AND propertyType='File'

ORDER BY appName
GO

Happy hunting for 16-bit applications! :)

Mapping printers using Group Policy Preferences is a really nice feature and it is supposed to be working much better than using traditional scripting technologies. Let me tell you about an interesting day troubleshooting why printers didn’t want to map using Group Policy Preferences. In the logs it just stated “catastrophic failure” which does not sound good at all nor makes much sense.

Log Name: Application
Source: Group Policy Printers
Event ID: 4098
Description: The user 'X' preference item in the 'Y {3EE4E80F-17CB-4E56-9237-4FC8B9FA090A}' Group Policy object did not apply because it failed with error code '0x8000ffff Catastrophic failure' This error was suppressed.

Logging in as the user on another machine did not produce the same problem and the mapping of printers work fine, as did mapping the printers when logging in using an administrator account.

This got me thinking that I should try mapping a printer manually as the standard user so I did. It got me a “You do not have permission to use the selected printer” which made me turn to the classic tool Process Monitor and to start a trace. It didn’t take long to see that after filtering all logs for a result of “denied” resulted in the following line:

Operation: CreateFile
Result: ACCESS DENIED
Path: \\printserver\print$\w32x86\3\OPLO_UM.dll
Desired access: Generic Read

Note that CreateFile does not necessarily mean to create a file, it can mean “read file” as documented by Microsoft for the CreateFile function. 

So the conclusion was that after investigating with the printer department the printer share “print$” security permissions did not match the user and the user actually did not have read permissions to read the driver which is an absolute requirement for the printer to be mapped (as the print driver is actually installed when the printer is mapped).

Also one setting that affected the behavior was that one have to set “Run in logged-on user’s security context” in the Common tab of the printer mapping Properties. This is an essential part of the solution…

Case closed!

I get many questions about the confusing problem with mapped network connections not being available when running for instance cmd.exe as an administrator even though the account is the same one being used when the cmd.exe is run with standard rights and everything works splendid.

The cause of this is UAC and the fact that you have multiple security tokens and that the mapped network drives are linked to the standard user token and not the administrator token. The solution is to enable “Linked Connections”, see the KB article 937624 for more information on how to set this value.

Also read the case of some other mysterious problems or behaviors when UAC is en effect.

During the deployment roadshow me and Johan did recently a recurring question was if it is possible to set the default boot image in WDS if one have multiple boot images.

Well of course you can set it, just go to Properties for the WDS server and go to the boot tab and choose a default boot image for the architecture you want to set a default image. Note: This sets the default boot image to the one you choose but you will still be able to choose another boot image in the list of boot images.

Right smack in the middle of the deployment roadshow talking about deploying Windows 7. Tomorrow it is time for the fourth city (Linköping) and it will be our pleasure to announce that USMT 4.0 now finally migrates Office 2010 settings, as of a few hours ago. Download and install from http://support.microsoft.com/kb/2023591 and follow the instructions for updating the USMT components if you ar eusing LiteTouch or ZeroTouch deployments.

Looking at some stats for last year it seems that the most popular posts were actually from 2009. How to clean out the Windows\Installer folder along with the guide on how to install Nvidia drivers on laptops when all else fails were the most popular ones. The guide on how to troubleshoot blue screens of death is as always popular as well.

Some of my favorite posts are:

• Case of the mysterious issues caused by UAC in Windows 7 and Windows Server 2008 R2
• Standard users installing applications: Say welcome to the new reality
• How to list performance issues with your Vista or Windows 7 machine
• Beware of saved credentials
• Guide on how to replace WinRE with DaRT
• Case of the AppLocker default rules issue

In January and February next year me and Johan Arwidmark will go on a tour visiting eight cities all over Sweden, talking but foremost demoing and guiding you to a successful Windows 7 deployment and project. More information (in Swedish) can be found here!