You can now download the RSAT toolkit for Windows Vista - go get the package right HERE (32-bit) or HERE (64-bit)...

Time to get Group Policy Preferences and all those other goodies up and running - cool stuff!

 

.

Many of you have asked us when the Remote Server Administration Tools (RSAT) would be available for download now that Windows Vista SP1 has been released. As of today, you can!

RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server environment right from their desktop. RSAT also includes an updated Group Policy Management Console (GPMC), which was previously removed in Windows Vista SP1.

Download: Remote Server Administration Tools (x86)
Download: Remote Server Administration Tools (x64)

RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to manage computers running Windows Server 2008. Because many of these tools also work for managing computers running Windows Server 2003, it is essentially "the next version" of ADMINPAK.MSI.

The following are a list of the tools you will find in RSAT:

Role Administration Tools:

• Active Directory Certificate Services Tools
• Active Directory Domain Services (AD DS) Tools
• Active Directory Lightweight Directory Services (AD LDS) Tools
• DHCP Server Tools
• DNS Server Tools
• File Services Tools
• Network Policy and Access Services Tools
• Terminal Services Tools
• Universal Description, Discovery, and Integration (UDDI) Services Tools

Feature Administration Tools:

• BitLocker Drive Encryption Tools
• Failover Clustering Tools
• Group Policy Management Tools
• Network Load Balancing Tools
• SMTP Server Tools
• Storage Manager for SANs Tools
• Windows System Resource Manager Tools

And these tools also fully supported managing Windows Server 2003 servers:

• Active Directory Domain Services (AD DS) Tools
• Active Directory Lightweight Directory Services (AD LDS) Tools
• Active Directory Certification Authority Tools
• DHCP Server Tools
• DNS Server Tools
• Terminal Services Tools
• Universal Description, Discovery, and Integration (UDDI) Services Tools
• Group Policy Management Tools
• Network Load Balancing Tools

Download RSAT today and start managing your servers!

If you have ever tried defining the Security Options policy setting called: "Interactive logon: Message text for users attempting to log on", you may have had some difficulties formatting the message the way you wanted it. This blog is about "how to" workaround a minor bug in the GPEDIT tool…

 

The issue:

First things first - the Group Policy setting is located here:

"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"

The value is a Multi-String registry value that allows you to make multiple lines in the message. The message pops up right after a users hits Ctrl+Alt+Del as a general warning to the user before actually logging on. But, unfortunately the formatting isn’t as perfect as it could be.

What happens is, that carriage returns are lost after formatting this "pre-logon message" with GPEDIT, imagine you would want a message like this (see Figure 3):

—>

I don’t know why this should be so hard? Jump next line please…

Let’s do a comma, and continue the line…
Line number 4 is ready, but let’s jump line 5 & 6 now…

Line 7 finishes up this story!

<—

Such a message would end up as (see Figure 5):

—>

I don’t know why this should be so hard? Jump next line please…
Let’s do a comma, and continue the line…
Line number 4 is ready, but let’s jump line 5 & 6 now…
Line 7 finishes up this story!

<—

So, basically the problem is: line feeds/carriage returns/empty lines disappear completely!

You can actually see this within the GPEDIT GUI, but only if you hit "Apply" before "OK" - if you just hit "OK" after typing in your message you cannot see that it’s actually changed by GPEDIT (so you think the formatting is working as it should). I tested this behavior with GPEDIT on Windows XP SP2 (local policy), Windows Server 2003 SP1 (domain policy), Windows Vista SP Pre-RC (local policy) and Windows Server 2008 RC1 (domain policy).

Figure 1 - I typed in my message with the format I wanted:

Figure 2 - I clicked Apply, and the formatting was changed:

If I had just click OK I wouldn’t have noticed the change - anyway it’s a bit annoying, right?

 

Solution/Workaround:

The solution I came up with is to modify the policy file directly/manually using Notepad. The file is located here:

"\\DOMAIN.local\SYSVOL\DOMAIN.local\Policies\{GPO-GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

Within that file we have the relevant registry value, called "LegalNoticeText":

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don’t know why this should be so hard? Jump next line please…," ",Let’s do a comma"," and continue the line…,Line number 4 is ready"," but let’s jump line 5 & 6 now…," "," ",Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences, which are the same as empty lines.

This is the relevant line from a working GptTempl.inf file (the correct syntax written manually), and it actually works great:

Figure 3 - Pre-logon message on a Windows Server 2003 SP1 Domain Controller: 

Figure 4 - The above inserted GptTmpl.inf line also works for Windows XP SP2 in the same domain:

So, this proves that the INI file can actually be correctly formatted so clients (tested w/WS2003 SP1 and XP SP2 in a domain) can show the message perfectly. Please notice that the behavior is similar with local policies, but my testing has been focused on domain environments so far.

If you try to modify the working policy setting using GPEDIT again - after changing just a tiny bit (or just hitting OK to an existing setting) within the GPO the formatting/syntax is ruined again unfortunately (when GPO is saved by GPEDIT)! Look here what came out of it when I tested it:

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don’t know why this should be so hard? Jump next line please…,Let’s do a comma"," and continue the line…,Line number 4 is ready"," but let’s jump line 5 & 6 now…,Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences are gone! This gives a wrong result (no empty lines) when clients get the pre-logon message.

Figure 5 - The formatting is lost (or wrong) when GPEDIT does the job:

 

Please notice, if you’re testing this you will have to define an additional policy setting for it to work, namely the "Interactive logon: Message title for users attempting to log on" setting.

Figure 6 - The title must be set for pre-logon message to appear

 

Conclusion

So, my conclusion is that (existing version of) GPEDIT doesn’t modify the GptTmpl.inf file properly (or the registry for local policies for that matter) - for this particular value at least… My best guess is that it doesn’t handle the quotes (") correctly, but I can’t be 100% sure. A bug report has been made for Microsoft - so hopefully it will be fixed before the final release of Windows Server 2008 and the Remote Server Administration Tools (RSAT).

However, as mentioned you can make it work with a workaround like this: Just perform the GptTmpl.inf (below SYSVOL) editing manually, make a backup of the file when it’s perfect - and never touch that GPO with GPEDIT again… Until Microsoft releases an updated version of GPEDIT anyway.

 

Related KB articles out there:
KB 330618
KB 238149
Technet article

 

.

Microsoft Remote Server Administration Tools (RSAT) are now in Beta, available on https://connect.microsoft.com/ - I just got hold on them!

The download contains:
Remote Server Administration Tools Beta Fact Sheet.docx
Windows6.0-KB941314-x64.msu
Windows6.0-KB941314-x86.msu

Still waiting to install on my Vista SP1 Beta…

[UPDATE]
Install went just fine - but some admin tools are still not included (se readme for more info).

This is the exact download location:
http://connect.microsoft.com/windows/Downloads/DownloadDetails.aspx?DownloadID=9561

More info:
http://blogs.technet.com/windowsserver/archive/2007/11/28/remote-server-administration-tools-rsat-beta-is-now-available.aspx