A few weeks ago Rodney wrote a great post about the new XP mode in Windows XP. This is based on a new version of Virtual PC. I wanted to take a moment to talk about the new version which was released in beta along with the Windows 7 RC.

First this version of Virtual PC will only work with Windows 7, so earlier versions of Windows will have to stick with Virtual PC 2007.

Second, you can run Windows Vista and windows 7 in a virtual PC, what is really cool is that you can get full Aero glass compatibility in a virtual PC environment after you install the integration features. (notice that in Virtual PC it’s integration features not integration components as it is in Hyper-V) Notice the transparency effect in the screenshot below.

Another change is the integration of the virtual machine interface into Windows Explorer

Some additional things to keep in mind, in order to run Virtual PC for Windows 7 your CPU, chipset and BIOS need to support hardware virtualization.

Here is the link to download virtual PC

RSA is here again, and presents a great opportunity to discuss the security in Windows 7: specifically how certain features in the OS address key security-related enterprise scenarios. In today’s economic times, businesses and their shareholders need to know that when they make an investment in a product, they are doing so responsibly and securely, and the investment is sound. Windows 7 is this sound investment: it includes features that allow workers to work anywhere, while leaving IT Pros confident that business-related data and content are secure.

The world has changed a great deal in the last decade. Information workers interact with their computers in new ways and have incorporated technology into everything they do, as a result the security landscape has greatly evolved. For example, in 2001, mobile and wireless workers weren’t impacting IT decision making; today, they make up more than a quarter of the workforce. In 2008, laptops made up more than half of all devices purchased in the enterprise. With Windows Vista, we made significant investments to address many of these security concerns and developed the most secure OS to date. With Windows 7, we are carrying forward that investment.

When we began developing for Windows 7, we decided to approach our security feature enhancements in terms of user type and scenarios. We looked at a few types of workers - the mobile worker on the go, the remote worker in a branch office, the IT Pro and the security expert. All have unique needs, pain points, and styles of work - and we’re addressing each in Windows 7.

Consider being a mobile worker. The challenge for you is connectivity and access. Meanwhile, your IT Pro at the office is worried about balancing those with data protection and network security. With Windows 7, we focused on a few key features to address this scenario, and to build confidence in enterprises trying to get the most out of a mobile workforce.

• DirectAccess lets mobile workers connect quickly and securely to a corporate network over any Internet connection, without having to manually access their virtual private network. IT can leverage DirectAccess to manage the Group Policy settings and deliver updates to mobile computers, even if the user is not logged on.
• BitLocker, introduced in Windows Vista, now allows end users to right-click on a drive to quickly enable it, making it more intuitive and easier to use.
• BitLocker To Go now extends support of BitLocker drive encryption to USB removable storage devices – like our mobile worker’s flash drive (see this Springboard Series Video). Theft and loss of proprietary data from mobile devices is a great expense for businesses. However, the loss of integrity is even harder to recover.

The remote worker scenario has similar challenges to the mobile worker, but requires ease of access on a more regular basis. According to a recent study, 91% of employees work away from the corporate headquarters, with the bulk of these working in branch offices. These workers often face difficulties and long wait times accessing information off the corporate drive. With this pain point in mind, we introduced BranchCache, which lets users access information more quickly. For IT Pros, this means the assurance that branch machines maintain the same security protocols as the home office.

For home-use scenarios, employees expect the same level of connectivity and access they would have in the office. In Windows Vista, the firewall policy was based on the type of network connection established – such as Home or Work. This created an obstacle when workers logged on at home, using a Home connection and virtual private networking (VPN), because firewall settings were not set up appropriately for this scenario. So we made changes. With Windows 7, enterprises will be able to simplify their connectivity and security policies by maintaining a single set of rules for both remote clients and clients physically connected to the corporate network.

And businesses will have confidence that all remote users – whether branch office or mobile - will benefit from key improvements in IE8, including protection against XSS threats, identity theft, and new types of phishing attacks like Clickjacking. I think the work we did in IE 8 really helps put people in control of their online safety and privacy.

Finally, let’s take a look at issues people face when trying to manage these environments. Not surprisingly, IT Pros and security experts have daunting missions: they enable secure access to data for mobile, remote and local users; keep systems up to date; and track accessed data– all while attempting to drive new value for the business - it’s enough to cause IT Pro insomnia. As such, we continue to develop a range of security solutions to address evolving IT needs.

Some key examples of user scenarios empowering technology:

• AppLocker: We received feedback that workers today put software from home on their PCS, download applications from the Internet, and access programs through email. As a result, there’s a higher difficulty ensuring PCs in the enterprise environment are running only approved, licensed software. AppLocker solves this issue; it’s an administered mechanism that allows a business’ security expert to specify what is allowed to run on each user’s PC.
• Network Access Protection: This allows IT Pros to create solutions to validate computers that connect to their network and limit the access or communication of noncompliant computers.
• Microsoft Asset Inventory Service: Part of Microsoft Desktop Optimization, complements the OS security and compliance technologies by allowing our IT Pro a comprehensive view of the enterprise desktop software environment.
• User Account Control: We heard loud and clear that end-users wanted fewer UAC prompts and more control over what items they are prompted for, but we know IT Pros still need control over what’s installed or run on a machine. As a result, in Windows 7, we made specific changes to enhance the user experience, while still ensuring the same level of security.

The enterprise security features we’re discussing today are the product of hard engineering work coupled with an understanding of our customers and the security landscape. It’s important to keep in mind that some of these features only work when partnered with Windows Server; for an optimal experience, we recommend businesses use Windows 7 and Windows Server 2008 R2 together upon their availability.

We recognize the enterprise customer for Windows has evolved dramatically over the years and we’ve created solutions to address the needs of varying enterprise scenarios. It’s important to note our work is never finished! We are constantly hearing from our customers about ways to make their machines more secure and productive in their environments. We continue to listen to this feedback and apply it to our technologies. It’s our goal to build technology that lets businesses prosper in a consistently changing security landscape.

In a previous entry, guest blogger Sean Kearney shared a new feature in Windows Server 2008 R2 directory services called the Active Directory Recycle Bin.  Sean is back to show us how to recover those deleted objects.

-------------------------

So you’ve done it.  We all have.  Deleted a user, group, OU by accident but thankfully you have 2008 R2 in place and the AD Recycle Bin enabled.  To recover now is a breeze!  Start by launching Powershell V2 on Server 2008 R2 and run the following command

GET-ADOBJECT –filter {name –like “missingitem*”} –includedeletedobjects | RESTORE-ADOBJECT

That’s it.  Nothing harder than that. Was that so hard?  The great thing, is as long as it’s an object in Active Directory, it’s protected by this new feature for 180 days.  Also, this just does restore the object.  It’s restores the object, its security, its trusts!

If you’d like to learn more about the Active Directory Recycle Bin, Check out these great resources on Technet.com

Active Directory Recycle Bin - Instructional Video on Technet Edge

I’ve done it, I know people who have done it, and I bet you have done it before as well.  Right-click an object in Active Directory Users and Computers and instead of clicking the properties link you accidentally hit delete.  Boom, gone and the only way to get it back is via a restore from backup.  Restart the DC, boots into Directory Services Restore Mode (DSRM), restore the system state backup and apply either a authoritative or non-authoritative restore.

Guest author, Sean Kearney, covers this new feature in Windows Server 2008 R2.

-------------------------

One of the fantastic features provided in Server 2008 R2 is the new Recycle Bin for Active Directory.

I recognize that nobody here is going to intentionally mess up their own Active Directory.  But problems can happen.   A Junior technician misheard the phrase “Disable” with “Delete”, a malicious Administrator leaving the company, dumb luck.  Any number of problems can occur and this feature will save the day.

There are a few caveats to using this

• You must have the Domain functional level in Server 2008 R2 mode.
• You must enable the feature by using LDP.EXE or Powershell.
• It is managed and used 100% by Powershell.  There is no GUI version presently.
• Once enabled, you cannot disable it.  This is a one way trip folks
• The enabled Recycle Bin has a 180 day retention policy.

That’s it.  In Server 2008 R2, select the new Active Directory Powershell under Administrative Tools and type in the following command

GET-ADOPTIONALFEATURE –filter {name –like “*”}

You will be presented with a screen showing you

FeatureScope       : {Forest}
Name               : Recycle Bin Feature 
RequiredForestMode : Windows2008R2Forest 
IsDisableable      : False 
ObjectGUID         : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e 
ObjectClass        : msDS-OptionalFeature 
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a 
EnabledScopes      : 
RequiredDomainMode : 
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com

Looking at the information above, there are no enabled scopes which confirms that the AD Recycle Bin is presently disabled. So to make all this useful, I guess we should turn it on.  So in the same Powershell Window key in this command

ENABLE-ADOPTIONALFEATURE ‘Recycle Bin Feature’ –score forest –target ‘domainfqdn’

You will get a prompt warning you that it will make the change.   Choose “Yes” if you wish to enable this feature or CTRL-C to abort. Once you’re done, it’s active.  To confirm, run the following command again

GET-ADOPTIONALFEATURE –filter {name –like “*”}

And you’ll get a similar response but note

FeatureScope       : {Forest}
Name               : Recycle Bin Feature 
RequiredForestMode : Windows2008R2Forest 
IsDisableable      : False 
ObjectGUID         : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e 
ObjectClass        : msDS-OptionalFeature 
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a 
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=energized,DC=energizedtech,DC=com} 
RequiredDomainMode : 
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com

You’ll see the “Enabled Scopes” is now covering the domain.

For more information see:

Active Directory Recycle Bin Step-by-Step Guide

PowerShell 2.0, included in Windows 7 and Server 2008 R2, includes a new Integrated Scripting Environment (ISE) which provides you with a GUI based tool to write your scripts and learn PowerShell.  To launch PowerShell 2.0 ISE simply drill down to Start –> All Programs –> Accessories –> Windows PowerShell.

Once that is launched you’ll see the ISE load and you are ready to begin.

The top portion, aka the Script Pane, is your scripting environment which allows you to write PS scripts.  The play and stop buttons are used to start and stop the running of a script.  The middle portion, aka the Output Pane, is where the script is executed and the results displayed.  Finally at the bottom is the Command Pane, where you can run individual Cmdlets and “one-liners”.  So besides a nice GUI editor why do I like the PowerShell ISE? 

• · ISE Features -  Tab completion, line numbering, indenting and the always useful search and replace.
• · Customizable ISE -  You can change the color, location and size of the various panes to suit your style.
• · Colored Syntax – Like other scripting environments different colors are used to highlight variables, strings, objects and Cmdlets.
• · Support for Unicode -  The PowerShell ISE supports Unicode.
• · Debugging.  I always make mistakes and the ability to set breakpoints, walk through the script step by step really helps find those errors.

If you are using Windows 7 or Server 2008 R2 give the ISE a try!  Compared to Notepad it is a dream to work with :)

For as long as we have had Active Directory domains, we have been required to to join client to the domain while they were online and connected to AD.  Without that the join would fail.  Now you always had the ability to join with a script using the NETDOM command but with Windows Server 2008 R2 we can now join a client to our AD domain while offline.  The real benefit hear is that there is no need to supply or enter domain admin credentials.  As you’ll see below a TXT file is created but just for fun open it up with notepad and see what you can make out :)

It is a simple three step process that requires you to run a new utility called DJOIN from an already joined Server 2008 R2 computer.

1. Create a text file with DJOIN that contains the required information for a computer to join AD
2. Import the text file using DJOIN on the target computer you wish to join AD
3. Once connected to the domain, reboot the computer and it will join AD

For joining a computer to the domain using DJOIN there are some switches you need to know about first.

• /provision – used when there is no existing AD account for the computer
• /reuse – if you already created a computer account in AD and would like to use it
• /domain – specifies the domain to join
• /machine – specifies the name of the machine, if the computer has a different name it will be renamed
• /machineou – specifies the OU to join, if you omit this it will automatically be placed in the default computers OU
• /savefile – saves the file to be imported.

A typical command would be…

djoin.exe /provision /domain thelazyadmin.com /machine client01 /machineou Desktops /savefile client01.txt

To join client01 to the domain we would next import client01.txt with the following command run with administrative privileges…

djoin /requestODJ /loadfile client01.txt /windowspath %systemroot% /localos

Reboot once the client is connected to the domain and the join will be made.