Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxPosPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxNegPhaseCorrection value to control positive time changes.)

Windows 2000
Path:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)

The above values control the largest positive (and negative, for Windows 2000) time correction in seconds that the Windows Time service will allow. If a time change larger than these values is received the Windows Time service will reject it and log an error in the System event log. The default value for domain controllers is 0xFFFFFFFF, which effectively allows for any time change to be accepted.

The general recommendation is to use a lower value. The new default in Windows Server 2008 is a positive/negative value of 48 hours (0x2A300 or 172,800 seconds). An even lower value can be used however the lower the value the more important operational processes and monitoring becomes since there is an increased chance of domain controllers rejecting time changes.

A GPO can also be used to manage the value. Windows 2003 and above natively include GPO settings to control the relevant Windows Time service values. A custom administrative template would be needed to manage Windows 2000 based domain controllers.

For 2003 and above, the GPEditor exposes these settings under \Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings\.

The values that should also be modified for Domain Controlers
are below.

Value name / Default value in GPEditor / Default for a DC

LargePhaseOffset / 1,280,000 / 50,000,000
SpikeWatchPeriod / 90 / 900
MaxPollInterval / 5 / 10
MinPollInterval / 10 / 6
UpdateInterval / 30,000 / 100
PhaseCorrectRate / 1 / 7

Value name / Default value in GPEditor / New recomended value for a DC

MaxPosPhaseCorrection / 54000 / 172800

MaxNegPhaseCorrection / 54000 / 172800

To veryify that the settings have been applied open your regisry editor and check the following Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Config

On your server open up you Group Policy Object Editor

Navigate to Computer Configuration\Windows Settings\Security Settings\Event Log

The following settings are to be done for each log separately.

Set your Maximum values in increments of 64kb. I decided to go as close to 5mb so I am using 4992kb.

Set your retention method to “as needed”

the Group Policy snap-in under Local Computer Policy\User Configuration\Administrative Templates\Control Panel\Display

Select Screen Saver Executable name and enter the location of the screen saver you are going to enforce.

Here you can specify the screen saver you want. I am using the blank screen saver

Select ok.

Next you need to enable Loop Back so that the computer OU can use the Users GPO.

Navigate to Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy Loopback processing mode\

While I was at a clients I came across some user folders that never had the proper NTFS rights assigned at setup. Subsequently they all had the default local users group assigned to them with read and execute. This effectively gave all users access to all folder. To make this even harder to resolve, someone had also removed the inheritance check mark and copied all the permissions. This now means that the only way to remove the ACL from the GUI is by removing it individually on each folder and file. Not a good solution considering there are over 4000 users. So time to use a script.

First you will need to download Xcacls.

Search Google for Xcacls, or for KB825751, or click on the link below

http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&displaylang=en

Install Xcacls on the server first.

1. Double click on XCacls_Installer.exe
2. you will be asked for a path to extract to. I choose C:\
3. This will Extract a single file c:\xcacls.vbs

Get ready to run the script

1. Open a Command window and navigate to the root of C
2. Xcacls is is used with cscript.
3. Lets do an easy test and at the command prompt type
   1. cscript xcacls.vbs
4. If you see the related switch’s then you have done this step correct.

Run Xcacls to modify your permisions. Make sure you have a full backup first. And make sure your backups include ACLs.

Examples of the line

c:\cscript xcacls.vbs G:\user folder /t /e /f /s /r users /l c:\aclchange_log.txt

or

cscript xcacls.vbs G:\all users\user folder /t /e /f /s /r users /l c:\aclchange_log.txt

Remove the /t and /f switch to only change the root folder and one sub folder level down.

/F [Used with Directory or Wildcard] This will change all

files under the inputed directory but will NOT

traverse sub directories unless /T is also present.

If filename is a directory, and /F is not used, no

files will be touched.

/S [Used with Directory or Wildcard] This will change all

sub folders under the inputed directory but will NOT

traverse sub directories unless /T is also present.

If filename is a directory, and /S is not used, no

sub directories will be touched.

/T [Used only with a Directory] Traverses each

subdirectory and makes the same changes.

This switch will traverse directories only if the

filename is a directory or is using wildcards.

/E Edit ACL instead of replacing it.

/R user Revoke specified user’s access rights.

(Will remove any Allowed or Denied ACL’s for user)

/L filename Filename for Logging. This can include a path name

if the file isn’t under the current directory.

File will be appended to, or created if it doesn’t

exit. Must be Text file if it exists or error will occur.

If filename is obmitted the default name of XCACLS will

be used.

I hope this helps. Post with questions if you would like more info.

• Login to your filer using ssh or web browser at https:\\filername
• navigate to Volumes-Qtrees-Manage

• Select the effected Volume and

• Change the drop down from Unix to NTFS
• Apply and you are done.

Hope this helps

Tools needed…

1. Some knowledge of the netsh command
2. A text file with the ip address’s of the scopes to be modified
3. IP address’s of the DHCP servers to change
4. And a script of course.

The easiest way to obtain the ip address’s of the scopes to modify is to log onto the DHCP server itself and open your support tools command prompt

Step 1.

Go to netsh command line to understand more on this command. And make sure you create a test subnet to run my scripts agains to make sure this is right for you.

Step 2.

C:\Program Files\Support Tools>netsh dhcp server 172.x.x.x show scope > c:\scope.txt

At the command prompt enter the section above in red (insert the ip address of the DHCP server in place of 172.x.x.x. This will create a text file with the sope info on your c drive.

You will now want to open scope.txt and clean it up. You only want the IP address’s of the scopes to be changed. the text file should be in the following format

Step 3

for /f “tokens=1″ %%a in (c:\scope.txt) DO netsh dhcp server 172.x.x.x scope %%a set optionvalue 006 IPADDRESS DNS_Address_1 DNS_Address_2 DNS_Adress_3

172.x.x.x = Your DHCP server IP address

DNS_Address_#= DNS server IP address’s

Copy the above red text into a text file and save it as scope_edit.bat to the same folder as scope.txt. Run the bat file. This will run through each IP address changing the dns entires. does not append the scope option for DNS it overwrites it. However it will not effect any other options that are currently set.

You can now use the same script to change your wins optin by changing optioncalue 006 to optionvalue 044

 Good luck