Tuesday, April 8, 2008

Restrict shutdown but not restart

Users at my company like to shut their systems down when they leave. That's all well and good, but it prevents late-night virus scanning and windows update... updates. So, I found a good way to stop this nonsense.

1. Using a User GPO, set the "Add Logoff to the Start Menu" and "Remove and prevent access to the Shut Down command" to "enabled". This is under User, Admin templates, Start menu and taskbar.

2. Using a Computer GPO, set the "Shutdown: Force shutdown from a remote system" and "Shutdown: Shut down the system" user right assignments to "INTERACTIVE". That's in Computer, Windows Settings, Security Settings, Local Policies/User Rights Assignment".

3. Make a shortcut to "%WINDIR%\System32\Shutdown.EXE -r -t 00". Make a startup script that will copy that shortcut to "%ALLUSERSPROFILE%\Start Menu".

4. Add the startup script to the Computer GPO and put the files in that GPO's startup script directory. The syntax of the file path for the shortcut that the script should reference is something like "\\mydomain.local\sysvol\mydomain.local\Policies\{GUID-OF-POLICY}\Machine\Scripts\Startup"

The vital piece was adding the "Shutdown: Force shutdown from a remote system" entry. Apparently this is a bug. I found the answer at Aaron Margosis's blog. Link

Wednesday, April 2, 2008

Good lord...

For the last few days I've been struggling to get a user's Moto Q working with the ActiveSYNC over SSL. 0x80072F17, 0x80072f7d, 0x85010014, etc. Many error codes. As it turns out, the first stupid post I read about this was the answer, but it didn't fit my understanding of the situation so I didn't implement it.

Essentially, Microsoft says that ActiveSYNC won't work with ssl, so you have to disable it. Not a good solution, right? I need that data to be encrypted, not having it ssl is just not an option. Besides, the phone itself has an option in the account settings, "This server requires SSL", so it must be implemented, right?

Well, the activesync virtual directory doesn't like to communicate with the exchange virtual directory over SSL, that is, INSIDE THE FRIGGIN' SERVER. You can enable SSL on the activesync directory and the default website, but not the exchange virtual directory itself. ARGH. Three days to figure that out.

Also, you have to import the root cert into the phone if you're not using a "public" root cert, and the activesync virtual directory has to be in the exchange application pool, or you'll get "the shared memory heap could not be created" errors in the application log.