Creating Windows Domain With Win7 and Windows 2008 Server

These are some of the things that I have encountered over the past weeks when creating a Windows domain using Windows 2008 Server and Windows 7 clients.

Internet Explorer 9 cannot be customized via GPP

Group Policy Preferences are only enabled for Internet Explorer 5 … Internet Explorer 8. MS has said somewhere that GPP is not and will never be supported for IE9. Great, the only way to configure it is the ADM/ADMX templates and the Internet Explorer Administration Kit (IEAK).

I have used the IEAK to create the custom MSI with reasonable predefined settings. All the fancy tuning is done from GPO.

Internet Explorer 9 security warnings cannot be disabled

There is no reasonable option to disable the IE9 security warnings "Warn if changing between secure and non secure mode" and "You are about to leave a secure internet connection". There are no GPO policy settings for that. The only way they can be disabled is to edit the registry and enter the WarnonZoneCrossing key in the proper place.

Error connecting to DFS entry that points to Windows 7 machine

The error occurs when the DFS entry points to a Windows 7 share and the same machine is used to browse the share. The problem is that Windows 7 does not allow loopback DFS connections by default. So, the registry must be edited:

To allow a client computer access to folder targets located on the local computer (the default behavior on servers), open Registry Editor, navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Mup\Parameters, create a DWORD (32-bit) value named EnableDfsLoopbackTargets, and then set the value to 1.
After changing the value, restart the computer.

Members of Remote Desktop Users cannot log on to workstations via RDP

The domain security group DOMAIN\Remote Desktop Users is designated to provide access to domain controllers only. Putting any user into that group allows the user to connect to Terminal Servers. Every workstation has a local group with the same name, into which all the users should be put to enable remote login to the workstation.

My solution was to create another security group in AD with a different name (i.e. Remote Users). Then create a GPO Restricted Group object and add the new Remote Users security group to the Remote Desktop Users group.
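
A way to confirm on a workstation that the Restricted Group policy described above was applied, as an added example that is not part of the original post. It assumes the AD group is named Remote Users as in the post, and it finds the local Remote Desktop Users group through its well-known SID S-1-5-32-555.

```powershell
# Added example, not from the original post. Run on a workstation after
# 'gpupdate /force'. Uses only calls available in PowerShell 2.0 (Windows 7).
param(
    # ASSUMPTION: the AD group name used in the post; change to match yours.
    [string]$ExpectedGroup = 'Remote Users'
)

# Resolve the local group through its well-known SID (S-1-5-32-555) so the
# check also works where the group name is localized.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value
$name    = $account.Split('\')[-1]

# Enumerate members via the WinNT ADSI provider.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
$members = @(
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath is WinNT://DOMAIN/Name; print it as DOMAIN\Name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
)

"Members of ${account}:"
$members | ForEach-Object { "  $_" }

$expected = @($members | Where-Object { $_ -like "*\$ExpectedGroup" })
$others   = @($members | Where-Object { $_ -notlike "*\$ExpectedGroup" })

if ($expected.Count -gt 0) {
    "OK: $($expected -join ', ') is present."
} else {
    Write-Warning "'$ExpectedGroup' is missing; check the GPO scope with 'gpresult /r'."
}
if ($others.Count -gt 0) {
    # Members of this group may log on over RDP by default; review each one.
    Write-Warning "Other members: $($others -join ', ')"
}
```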

No Default Domain Policy hacking

This time I have decided not to make practically any changes to the Default Domain Policy definitions. Instead I created some of my own policy definitions. That’s because the Default Domain Policy affects all the users, all the servers and all the workstations. I found it better to leave it the way it is. Only some of the very general definitions are activated from there.

Internet Explorer 9 does not download to Samba share

The currently new glorious IE9 cannot download to Samba shares using its built-in download manager. No matter what permissions the user has, it fails and only saves a .partial file. The only solution to download to a Samba share is to run Internet Explorer as administrator (left-click on icon, then Run as administrator). This is not a solution of course. Note that saving to Windows 2008 R2 server shares works perfectly.

Update: This was caused by the new versions of Samba. The solution is currently to stick to the 3.4.7 version. The later branches 3.5 and 3.6 did not work. There were some discussions about a similar issue on the Samba mailing lists, so hopefully it gets fixed.

Internet Explorer 9 does not download from HTTPS site when saving encrypted pages to disk is disabled

A long description, but a fixable problem if relaxing the security concept of handling files from HTTPS sites is acceptable. The problem occurred when the IE9 advanced option "Do not save encrypted pages to disk" was checked. When a user accessed the webmail (Roundcube in our case) and tried to download an attachment from their e-mail message, IE presented the filename as the full URL to the download script. The file could not be downloaded whatever name was entered into the Save As dialog box.

The solution was to un-tick the "Do not save encrypted pages to disk" option and let IE9 save those pages. Insecure, but since all users had their own account and profile, it was the easiest approach at this time.

Canon iR multifunctional printer and firewalls

Here is the link to the page where I found the ports that must be opened in order for this machine to work properly.