Windows Server 2008 – 7 Naughty, But Nice Settings

Windows Server 2008 Naughty, But Nice Settings

I developed these nice ideas while testing Windows Server 2008 machines.  It goes without saying that employing many of these ideas on a production network would be naughty.  However, I bet that at least one setting is nice to use in even the most secure organization.

Incidentally, a few people are using Server 2008 as their desktop instead of Vista, in which case these settings could be nice.

Windows Server 2008 – 7 Naughty But Nice Settings:

1. Disable the Shutdown Event Tracker
2. Turn Off Windows Server 2008’s Nagging UAC (User Account Control)
3. Server 2008 Registry Setting – AutoAdminLogon
4. Windows Server 2008 Remote Desktop
5. IE7 Tools, Internet Options
6. Screen Saver (None)
7. How to Activate or Deactivate the ‘Administrator’ Account

 ♦

1. How to Disable the Shutdown Event Tracker

The purpose of the Shutdown Event Tracker is worthy, namely to help you troubleshoot Windows server problems.  Yet there is a general feeling that this interface is more bother than it’s worth.  What happens by default is that anytime you restart a Windows Server, up pops an irritating menu.  If this is a planned shutdown then you are resentful for having to take the time to type in a message, if there is something wrong, you are too busy thinking of a solution to waste time grappling with extra menus.  As a result you probably want to get rid of this Shutdown Event Tracker dialog box, especially on a test machine.

How to Disable the Shutdown Event Tracker

Disabling the Shutdown Event Tracker is a job for group policy, thus the easiest way to launch the editor is to click on Taskbar’s Start button, then in the Start Search dialog box type: gpedit.msc. Note: you must include the .msc extension.  Next, navigate along this path:

Computer Configuration
  Policies
    Administrative Templates
      System:- Display Shutdown Event Tracker

The crucial point is that ‘Display Shutdown Event Tracker’ is an actual group policy setting in the root of the System folder, and not a sub folder.

Once selected, it’s a trivial task to double click the Shutdown Event Tracker, and select, ‘Disable’.

Trap: If you use the Group Policy Management Editor instead of the Local Group Policy editor (gpedit), then make sure that you are aware of the Domain Controller Group Policy, in addition to the Default Domain Policy.

2. How to Turn Off the Nagging UAC (User Account Control)

Here is the problem: every time you want Windows Server 2008 to perform an administrative task you get a nagging UAC dialog box.  You have to interrupt your train of thought and click, ‘Continue’.  Now it is naughty to turn off this security feature, but nice to have your instructions completed that bit quicker and without a frustrating distraction.

Stage 1) Preliminary task: Launch the Local Security Policy. 
Method A) Begin by clicking on Server 2008’s Start button, then in the Start Search dialog box type: secpol.msc.  Note: you must include the .msc extension.

Method B) Display Server 2008’s Administrative Tools.  From the Administrative Tools, select the Local Security Policy.

Stage 2)  The situation is that you have now opened the Local Security Policy.  Using either method A or B, select the Local Policies folder, then expand the Security Options folder.   You should see the screen shot opposite.  Scroll down and locate the family of settings beginning with ‘User Account Control’.

You should now see the policies shown below:-

Double click this policy: ‘User Account Control: Behavior of the elevation prompt for administrators’
Set to: ‘Elevate without prompting’.

While you have taken the trouble to visit the Security Options, check to see if the other group policy settings are to your liking.

Guy Recommends : SolarWinds’ Free VM Monitor

The best feature of this new this new version of SolarWinds VM Monitor is that it checks Windows Hyper-V.  Naturally, it still works with virtual machines on VMware ESX Servers.  VM Monitor is a clever desktop tool that not only tests that your server is online, but also displays the CPU and memory utilization for each node.

It’s easy to install and to configure this virtual machine monitor, all you need the host server’s IP address or hostname and the logon info. Give this virtual machine monitor a try – it’s free.

Download your free copy of SolarWinds VM Monitor.

UAC Method Using the Control Panel

For a Server 2008 Machine, Microsoft also provides a menu in the Control panel whereby you can turn off UAC for the logged on user.  If you too would like to remove this nagging interface, then navigate thus:

Control Panel -> User Accounts -> Turn User Account Control On or Off.  Now decide if you want to untick the box which says: ‘Use User Account Control (UAC) to help protect your computer’.  Sadly, this requires a restart.

3. Server 2008 Registry Setting – AutoAdminLogon

When experimenting with test machines what speeds up a restart is if you have a user logon automatically without having to type a complex password.  If you spend 2 minutes enabling AutoAdminLogon, it will save you having to wait after a restart.  The trick, which also its liability, is you have to expose the password in the registry.

Instructions for Setting AutoAdminLogon

1. Type ‘regedit’ in the Start Search dialog box.
2. Next navigate to:
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon
   AutoAdminLogon = 1
   (1 = on, enabled.  0 = zero, disabled)
3. Created a new String Value called DefaultPassword
   DefaultPassword = "P@ssw0rd"
4. Check the existence of a REG_SZ called DefaultUserName.  The value should reflect the user who you wish to logon automatically.  If this value does not exist, then right-click in the right regedit pane, ‘New’, REG_SZ, name it precisely, DefaultUserName  (not DefaultAnyOtherName).
5. Optional Item: If your Windows Server 2008 has joined a domain, created a String Value called DefaultDomainName.  Set
   DefaultDomainName = "OnlyYouKnowDomain"

Addendum for Windows Server 2008 User Accounts

I have been using AutoAdminLogon since NT 3.5.  However, in Windows Server 2008 there is a much easier alternative in the Control Panel.

Launch the Control Panel, navigate to User Accounts, Users, now remove the tick in:
Users must enter a user name and password.  All you need to do next is type the password twice in the, ‘Automatically Log On’ dialog box.  Once Server 2008 restarts it will logon that user automatically.   

See more on AutoAdminLogon

4. How to ConfigureWindows Server 2008 for Remote Desktop

What Remote Desktop does is permit you to connect to Server Windows 2008 from Vista, or even XP machine.  This ability is useful if you suddenly forget a setting, or remember that you have made a configuration mistake. 

There is one problem, by default Remote Desktop is disabled; the solution requires foresight, you have to enable Remote Desktop before you leave the server room.

To enable Remote Desktop, open the System Properties. My favorite method is to hold down the Windows Key , then press the Pause / Break key.  Alternatively, you could navigate via the Control Panel, Support and Maintenance, System and then Remote Settings.  Naturally, add your own account in the Select Users dialog box, because in this scenario, you will be the person taking advantage of Remote Desktoping to this machine.  If in doubt, select the link ‘Help me choose’

Trap: Confusing Remote Desktop with Remote Assistance.

Remote Desktop Connection.

To activate the client side of the connection, i.e. on the remote machine, go to Start, All Programs, Accessories and Remote Desktop Connection.

Trap: Don’t confuse Remote Desktop with Remote Assistance

There you have it, naughty if you set Remote Desktop incorrectly in high security company, nice if you regularly travel around a large office and need access to your Server 2008 desktop remotely.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Download your free trial of SolarWinds Network Performance Monitor.

5. Control IE7 (Internet Explorer) IE ESC

The general reaction to IE7 is that it is strange, quirky, even ‘funny’ when you first try the new interface.  Then, like so many of Windows Server 2008 features, you don’t want to go back to the old ways of IE6.

What can be annoying is the ESC (Enhanced Security Configuration), fortunately, there is a way to control this ‘IE ESC’ behaviour.  What you need is the Server Manager.  From the Start button, right-click on ‘Computer’ on the menu and select ‘Manage’.

Once the Server Manager launches scroll down the Security Information section, select configure IE SEC in the right-hand panel.

Other Nice Settings Tools (menu) Internet Options

One nice setting is having multiple home pages.  I love the idea of IE7 opening 3 or 4 tabs when I launch this browser.  One annoying setting is the Tabs, when I open a new tab, I prefer my topmost home page to open rather than a blank page.  Another annoying setting is ‘Warn me when closing multiple tabs’.  I disable this tab feature. However, it does not matter what I do, my hidden agenda is to persuade you to check out the IE7, Tools, Internet Option, 6 tabs and umpteen Settings menus.  See How to disable IE ESC in Windows Server 2012.

6.Screen Saver (None)

I added this setting as a reminder that in Windows Server 2008 it’s worth checking out the ‘Personalize’ menu.

The security feature of the Windows screen saver is designed to lock the keyboard when you leave your computer for more than 10 minutes.  In some offices Psycho** jumps on any unattended computer and performs puerile pursuits, such as sending obnoxious emails to your superiors from your email account.

However, if you are testing a machine with no security threat, then it’s tempting to disable the screen saver.  right-click on the Server 2008 desktop, select Personalize from the short cut menu and Screen Saver is the third item on the next menu.

Now if you are feeling naughty select (None) from the list of possible screen savers.

Incidentally, while you have the Personalize menu open, take the opportunity to adjust your Display Settings in general and your Refresh rate in particular.  I recommend a value of 90 MHz, provided your monitor supports this nice, flicker-free value. 

** Every organization has at least one Psycho user.  Amongst their characteristics are: a belief that they know more than they really do, they often read computer articles, but invariable get the wrong end of the stick.   Psychos are invariably male and they have the knack of breaking systems that normally work perfectly well, single-handedly they account for 80% of all computer problems in your department.

7. How to Activate or Deactivate the ‘Administrator’ Account

When you install Vista you are prompted for an initial account.  Thus Vista may not have an account called ‘Administrator’, which is visible.  However, in Windows Server 2008 the traditional ‘Administrator’ account is created during setup.  My point is that in Vista you probably want to Activate a previously hidden Administrator account, whereas in Windows Server 2008, you may want to deactivate the Administrator account for security.

I will show you how to activate this Server 2008 Administrator account via a ‘Net User’ command.  One benefit of logging on as this super account is that you will never be prompted for the nagging UAC dialog box.

The procedure is straightforward, just head for the cmd prompt and type:
Net user administrator /active:yes

Naturally, to achieve the opposite and deactivate, replace ‘yes’ with ‘no’, thus:
Net user administrator /active:no

The only trap is that many domains insist on a complex password, therefore before the account can logon, you need to assign a password with an UPPER case letter, a numbers and a special character, here is an example of the command:-
Net user administrator P@ssw0rd /active:yes

N.B. Any problem with this command try Net Help User.

See more about the Hidden Administrator Account

Summary of Windows Server 2008 – Naughty But Nice Settings

Like the whole of life, you have to know when to be nice and when it’s OK to be naughty.  Turning on settings such as AutoAdminLogon is nice in training rooms, or on test networks, but naughty in medium security environments.  Remote Desktop could be nice for you, but naughty if you add the office Psycho to the ‘Select Users’ list.

Microsoft Windows Server 2008 Topics:

• Server 2008 Home   • Overview   • What’s New?   • Migration Advice   • Install   • Group Policy

• Server 2008 SP1   •Server Shutdown Command   • Hyper-V   • UAC   • IPv6   • ipMonitor

 • Review of Network Performance Monitor   • Upgrade W2k8 R2   • Windows Server 2012