Howto: Delegate the enable/disable accounts permission in Active Directory

To delegate the ability to enable and disable user accounts in Active Directory:

  1. Launch Active Directory Users and Computers with administrative credentials
  2. Right click on the OU where you want to delegate the ability to enable and disable user accounts
  3. Select the Active Directory security group that you want to delegate the ability to and press Next
  4. Select Create Custom Task to Delegate and press Next
  5. Under Delegate Control Of select the Only the following objects in the folder radio button
  6. Select the User objects check box and press Next
  7. Under Show these permissions uncheck General and select Property-specific
  8. Select the Read userAccountControl and Write userAccountControl check boxes and press Next and Finish
You’ve now delegated the ability to enable and disable AD user accounts to a security group.
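
To confirm what the wizard wrote to the OU, the ACL can be read back and filtered for write access to userAccountControl. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and a placeholder OU DN. Because userAccountControl is a bitmask that holds other account flags besides the disabled bit, the second half lists a few of the flags currently set on users in the OU.

```powershell
# Added example: review a userAccountControl delegation on an OU.
Import-Module ActiveDirectory

$OuDn = 'OU=Staff,DC=example,DC=com'   # placeholder: the OU you delegated on

# Schema GUIDs as they appear in access control entries
$UacAttr   = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # userAccountControl attribute
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$Any       = [guid]::Empty                                 # all properties / all classes
$Write     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# 1. Every allow ACE that lets a principal write userAccountControl on user objects.
#    GenericAll and GenericWrite include the WriteProperty bit, so they match too.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Write) -and
        ($_.ObjectType -eq $UacAttr -or $_.ObjectType -eq $Any) -and
        ($_.InheritedObjectType -eq $UserClass -or $_.InheritedObjectType -eq $Any)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# 2. Decode selected userAccountControl flags for each user in the OU.
$Flags = @{
    0x2      = 'ACCOUNTDISABLE'
    0x20     = 'PASSWD_NOTREQD'
    0x10000  = 'DONT_EXPIRE_PASSWORD'
    0x400000 = 'DONT_REQ_PREAUTH'
}

Get-ADUser -SearchBase $OuDn -Filter * -Properties userAccountControl |
    ForEach-Object {
        $uac = $_.userAccountControl
        $set = $Flags.Keys | Sort-Object |
            Where-Object { $uac -band $_ } |
            ForEach-Object { $Flags[$_] }
        [pscustomobject]@{
            User  = $_.SamAccountName
            UAC   = $uac
            Flags = $set -join ','
        }
    } |
    Format-Table -AutoSize
```

Run it before and after the delegation; the only new row in the first table should be the security group you selected in the wizard.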

How to completely disable DEP in Windows Server 2003

To completely disable DEP in Windows Server 2003, perform the following with administrative credentials:

1. Open Windows Explorer

2. Tools > Folder Options > View

3. Uncheck Hide Protected operating system files (Recommended) and Hide extensions for known file types

4. Click apply > OK

5. Browse to C:\

6. Right click on boot.ini, select properties and ensure the “read-only” tab is unchecked and click OK

7. Edit boot.ini

8. Modify the  /noexecute=

For example, set /noexecute=AlwaysOff to disable DEP entirely

9. File > Save, close boot.ini file

10. Right click on boot.ini, select properties and ensure the “read-only” tab is checked and click OK

11. Reboot the computer

For more about DEP see MS KB875352

Fix: Groupwise won’t install on Windows Server 2003

Groupwise typically will not install on Windows Server 2003 due to DEP incompatibilities.  Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system.

To resolve this issue:

1) Right click on My Computer > Properties

2) Select Advanced > Performance Settings > Data Execution Prevention

3) Select Turn on DEP for essential Windows programs and services only  > OK > OK

4) Reboot the Windows 2003 Server

See TID 3131386 for details on the Groupwise client crashing, TID 3564700 for details about not being able to install the Groupwise agents or administration files on Windows Server 2003.

For more details on DEP, see MS KB 875352.
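
After either of the two DEP changes above (editing /noexecute= in boot.ini, or choosing "essential Windows programs and services only", which corresponds to OptIn), it is worth checking that the policy the running system reports matches what was configured. The following is an added example, not from the original posts; the function names are hypothetical and it assumes PowerShell 2.0 or later on the server.

```powershell
# Added example: compare the /noexecute= value in boot.ini with the DEP policy
# reported by the running system.

# Values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$PolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-BootIniNoExecute {
    param([string]$Path = 'C:\boot.ini')
    # boot.ini is a hidden system file, hence -Force.
    # Emits one value per boot entry that carries a /noexecute= switch.
    Get-Content -Path $Path -Force | ForEach-Object {
        if ($_ -match '/noexecute=(\w+)') { $Matches[1] }
    }
}

function Get-DepStatus {
    $os         = Get-WmiObject -Class Win32_OperatingSystem
    $configured = @(Get-BootIniNoExecute)
    $effective  = $PolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    New-Object PSObject -Property @{
        BootIniValues        = $configured -join ','
        EffectivePolicy      = $effective
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        # True when boot.ini names a policy the running system is not using,
        # e.g. the file was edited but the server has not been rebooted yet.
        Mismatch             = ($configured.Count -gt 0 -and
                                $configured -notcontains $effective)
    }
}

Get-DepStatus | Format-List
```

An EffectivePolicy of AlwaysOff means no process on the server has DEP protection, so record where that was done and why.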

Microsoft Active Directory Topology Diagrammer

The Microsoft Active Directory Topology Diagrammer is a really useful tool when documenting Active Directory domains of any size.

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microsoft Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization.

With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, like only one Domain or one site. The objects are linked together and arranged in a reasonable layout, so that you can later work with them interactively in Microsoft Visio.

The Diagrammer is very flexible and allows the user to include and exclude granular information such as the following:

  1. domain(s) (child etc.)
  2. Site(s)
  3. OUs
  4. Administrative Groups
  5. Exchange connectors (Routing, SMTP, X.400, Notes etc.)
  6. Users in the domain(s)
  7. Trusts
  8. User Count
  9. Global Catalog servers
  10. IP and SMTP Site links
  11. Subnets
  12. Inter/Intra Site Replication Connections
  13. Number of Mailboxes
  14. Application Partitions
  15. Servers and OS version information (with color coding)


In order for the tool to perform an Active Directory discovery, you need to configure it to point to a Global Catalog server in the environment.

Supported operating systems are Windows 2000, XP, Server 2003, and Vista. You’ll need .NET 2.0 and Visio 2003 or 2007. The Active Directory team has a nice tutorial on how to use this tool, along with the Group Policy Management Console, to document your Active Directory infrastructure.

Cannot Uninstall IE7 from Windows Server 2003

When trying to uninstall Internet Explorer 7 on a Windows Server 2003 SP2 machine, the Remove button may not be visible in Add/Remove programs. Sometimes the button is visible, but clicking it displays the following:

“An error occurred while trying to remove Windows Internet Explorer 7. It may have already been uninstalled.
Would you like to remove Windows Internet Explorer 7 from the Add or Remove programs list?”

KB 948093 explains “This behavior occurs if Internet Explorer 7 was installed on Windows Server 2003 Service Pack 1. Service pack 2 was installed later than that.”

Microsoft’s resolution is to

  1. Uninstall SP2 and reboot
  2. Uninstall IE7 and reboot
  3. Reinstall SP2 and reboot

Personally, if I was Microsoft I would have included step 4, go directly to Microsoft Update and apply all applicable patches and updates, then reboot again.

Hacking ntbackup.exe and bkprunner.exe for better performance in Windows Server 2003 SP1

I was perusing Susan’s blog today and came across her link to Chris’s great description of how to modify the bkprunner.exe process to improve backup performance in Windows Server 2003 SP1.

Chris details how to use a hex editor and modify the registry to increase ntbackup performance. He also mentions that you can now use the /FU switch with SP1’s ntbackup, which according to KB 814583 enables a “file unbuffered” setting to bypass the cache manager. This change provides a number of benefits during the disk-to-disk backup process:

  • Sustainable throughput over time
  • Reduction in processor utilization: on average, peak utilization is reduced to 30 percent
  • Elimination of impacts to the system process during the backup job

If for some reason you are running a pre Service Pack 1 version of Windows Server 2003, KB 839272 describes a hotfix version of ntbackup.exe you can download that supports the /FU switch.