Longhorn Troubles: Does Anybody Care?

  • Thread starter: Robert Myers
Could you elaborate a bit on the "fast user switch" - how is it
practically done in Win XP pro?

Don't quote me on this (we've stuck to W2K and Linux here), but I think it
only works for workgroup networks, not domain based networks. There was
some security model justification for it, but I forget what it was.

I could be wrong though, it was just something I heard.

Cheers
Anton
 
Could you elaborate a bit on the "fast user switch" - how is it
practically done in Win XP pro?

When you click on Log Off, WinXP will pop up a dialog asking if you
want to log off or if you want to Switch User. If you click on
"Switch User", any applications you are currently running will remain
active, you'll stay logged in, but you can log in as a different user.
I've always got two users logged in, my regular User account that's for
everyday usage and a second user with Administrator privileges. Any
time I need to do something with admin privileges I just use that
Switch User thing above to pop over to the other account, run what I
need and then switch back.

It's almost along the lines of having multiple virtual terminals in
*nix world. Not quite as quick (unless there is some keyboard
shortcut I haven't found yet), but it still only takes a couple
seconds. Both users are fully logged in so you don't need to worry
about loading up your profile (after the first login) or even exiting
applications.

Note that you may need at least *two* user accounts (any permission
level) before this option appears. Under the default install of WinXP
there is only one user account and it always automatically logs in
that user.
 
Tony Hill said:
On Thu, 04 Mar 2004 13:59:11 -0600, Evgenij Barsukov
It's almost along the lines of having multiple virtual terminals in
*nix world. Not quite as quick (unless there is some keyboard
shortcut I haven't found yet), but it still only takes a couple
seconds. Both users are fully logged in so you don't need to worry
about loading up your profile (after the first login) or even exiting
applications.

If you download powertoys for WindowsXP it will install a utility called
"fastswitch", which when installed allows you to cycle through different
user accounts with a windows + q key combination. One limitation is that it
seems to me that non-administrator accounts can't fastswitch to administrator
accounts. At least I can't on my system.

Carlo
 
Could you elaborate a bit on the "fast user switch" - how is it
practically done in Win XP pro?

Well, basically, you logged into one account and things get started
up, say like your firewall. Then you can just choose the switch user
to do normal stuff in a limited user account... and wonder why the
hell your internet connection isn't working when everything seems in
order.

Then you realize the firewall running off the first logged in account
has an alert flag waiting for you to click Block/Allow... or whatever
variation of modal alert box requiring user intervention but you will
never find until you switch over...


--
L.Angel: I'm looking for web design work.
If you need basic to med complexity webpages at affordable rates, email me :)
Standard HTML, SHTML, MySQL + PHP or ASP, Javascript.
If you really want, FrontPage & DreamWeaver too.
But keep in mind you pay extra bandwidth for their bloated code
 
[email protected] (The little lost angel) wrote

Sorry, but you need MSCE, MSCA and MS_other_crap_12_year_would_pass to
do that.

Sorry, I thought some 8yr old Indian boy just did that recently?

--
L.Angel: I'm looking for web design work.
If you need basic to med complexity webpages at affordable rates, email me :)
Standard HTML, SHTML, MySQL + PHP or ASP, Javascript.
If you really want, FrontPage & DreamWeaver too.
But keep in mind you pay extra bandwidth for their bloated code
 
Unfortunately, most of them don't care. Ever tried informing any
normal John Doe or Jane Smith about these things? When I told friends
to avoid IE, avoid Messenger, use a free alternative like Trillian
non-Pro or GAIM, use OpenOffice, use Mozilla, or that they have got
spyware and such... the typical response after a moment of gasping
is... "but I need this! I like it this way!"

They don't care much if the Yahoo toolbar is also sending stuff to
Yahoo or to Microsoft or their cutesy new software is a trojan, at
least not until their system crashes.

Isn't it aggravating though, that when you send them an interesting URL and
they come back and tell you that your URL took them to a nasty porn
site?:-(

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 
You probably have to go into the Advanced dialog to set the
directory's read/write/execute permissions. It might be that the
permissions were being inherited from a parent directory, or it could
be that there are multiple sets of permissions.

With NTFS, the only way I found to "get by" was to just give Users full
access to all drives/folders except the WINDOWS installation folder.
That part was a bit odd, changed from Win2K to be more difficult for
some reason! Perhaps the new interface is a bit easier in a VERY
large domain or something.. I dunno.

In a Domain it gets a little easier to manage with some things but you lose
fast User Switching... so you don't want users getting used to it with a
Workgroup and then switching to a Domain at some later date. For some of
us the whole thing is a royal PITA. For instance I want to keep our "main
server" private (not visible to the Gateway) so I need a private DNS Server
for the Domain but AFAICT you can't have a private Domain *and* have
Internet access with an external DNS Server.

I think the problem is that you're trying to make a Power User account
with *almost* administrator privileges. The easy way to do it is to
make just a regular user account for actual use and then have a second
administrator account that you use for all the elevated privilege
stuff. I'm sure this isn't the only way of doing things, but it's the
way I'm used to doing stuff from using Linux, so it sort of seemed
natural.

Oh another thing: there *are* software installs I've come across which
insist on being installed only by the user name "administrator".

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 
Don't quote me on this (we've stuck to W2K and Linux here), but I think it
only works for workgroup networks, not domain based networks. There was
some security model justification for it, but I forget what it was.

I could be wrong though, it was just something I heard.

No you're absolutely correct - no fast user switching with domain logins.

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 
If you download powertoys for WindowsXP it will install a utility called
"fastswitch", which when installed allows you to cycle through different
user accounts with a windows + q key combination. One limitation is that it
seems to me that non-administrator accounts can't fastswitch to administrator
accounts. At least I can't on my system.

Thanks Carlo! That sounds pretty much like what I'm looking for
(assuming there's some way to get switching between non-admin and
admin accounts working). I'll go have a look for that and see if
I can get it working.
 
In a Domain it gets a little easier to manage with some things but you lose
fast User Switching... so you don't want users getting used to it with a
Workgroup and then switching to a Domain at some later date. For some of
us the whole thing is a royal PITA. For instance I want to keep our "main
server" private (not visible to the Gateway) so I need a private DNS Server
for the Domain but AFAICT you can't have a private Domain *and* have
Internet access with an external DNS Server.

Can you just run a caching DNS server on the private domain? ie have
your private DNS server satisfy all local requests and then forward
all external requests to the external domain? Might even speed DNS
queries up for you along with getting past this problem.

Alternatively there's probably some obscure, undocumented way of
fixing this using the 'netsh' interface (the extremely powerful but
extraordinarily poorly documented network configuration tool for
Windows).

Oh another thing: there *are* software installs I've come across which
insist on being installed only by the user name "administrator".

Hmm, I don't think I've ever encountered an application like that,
even when I used to run all programs as a user in the Administrator
group. Actually I used to have it set up that my "Administrator"
account was not even my actual Administrator, but rather a fake user
with absolutely no privileges at all.
 
I'm sure you caught me blatantly M$-bashing, but, in this case, I
think the bashing is fully justified.

Microsoft talks out of both sides of its mouth. On the one hand,
there is much public hand-wringing and finger-pointing about security,
and on the other they have created, enabled, and encouraged invasive
software that cannot really be used safely by anyone, never mind by
the average user.

My only experience with OS X is from playing with it at CompUSA, so I
can't say much there.

The Linux security model is far from perfect, it requires some skill
to set it up properly, and Linux will be much better off when the
all-powerful superuser is gone for good. If Linux is beyond the
capabilities of the average user, it isn't beyond the skills of help
that can easily be obtained by the average user willing to make a
small investment of time.

Or one could get Lindows, removing the security model from Linux.
(always run as root, by default)

Dale Pontius
 
Can you just run a caching DNS server on the private domain? ie have
your private DNS server satisfy all local requests and then forward
all external requests to the external domain? Might even speed DNS
queries up for you along with getting past this problem.

I don't see any mechanism for that - two DNS Servers which the OS knows to
route requests to.

Alternatively there's probably some obscure, undocumented way of
fixing this using the 'netsh' interface (the extremely powerful but
extraordinarily poorly documented network configuration tool for
Windows).

Hmmm, can't find anything and I've looked. I guess I need to post a Q in
some "expert" group or forum.

Hmm, I don't think I've ever encountered an application like that,
even when I used to run all programs as a user in the Administrator
group. Actually I used to have it set up that my "Administrator"
account was not even my actual Administrator, but rather a fake user
with absolutely no privileges at all.

I saw it just last week - can't remember exactly what but maybe a Lexmark
printer software install.

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 
I don't see any mechanism for that - two DNS Servers which the OS knows to
route requests to.

Err, you can definitely define two DNS servers, though I think they
are simply checked sequentially, which might cause problems.

However that wasn't what I was getting at. What I was thinking of is
to set up the private DNS server for your domain to act as a caching
DNS server for ALL DNS requests. That way all the PCs in your domain
ONLY look to your private DNS server for all DNS queries. I think all
DNS server applications have the ability to do this.

Maybe I'm totally misunderstanding the question though.

I saw it just last week - can't remember exactly what but maybe a Lexmark
printer software install.

Could be.. I wouldn't touch a Lexmark printer with a 10 foot pole, so
I don't know much about their drivers.
 
Err, you can definitely define two DNS servers, though I think they
are simply checked sequentially, which might cause problems.

They are... checked sequentially... but only for the first request on
startup and then one of the two is established as the DNS server.

However that wasn't what I was getting at. What I was thinking of is
to set up the private DNS server for your domain to act as a caching
DNS server for ALL DNS requests. That way all the PCs in your domain
ONLY look to your private DNS server for all DNS queries. I think all
DNS server applications have the ability to do this.

Maybe I'm totally misunderstanding the question though.

This is our one and only "Main Server" and, as previously noted, it is not
"visible" to the Gateway, meaning it doesn't know about the Gateway... so
can't pass on DNS requests up the DNS chain. I just don't want this thing
having Internet "conversations" with anything, be it attackers, M$,
competitors or "security" companies.

On a side note, I've discovered recently that a couple of "security"
companies have Telneted into our router and I've no idea how - it *is*
passworded... unless there's some mfr's backdoor they know about. I've
tweaked the firewall now so only my home IP subnet has external access...
but I'm kinda pissed about it all the same.

Could be.. I wouldn't touch a Lexmark printer with a 10 foot pole, so
I don't know much about their drivers.

Interesting - I've had reasonably good luck with Lexmark laser printers.
What else is there?... HP?... for years I ignored them as long as they
ignored PS but really... talk about driver hell - everything they sell is a
driver nightmare.<UGH>:-)

BTW it was not the drivers but the management software.

Oh, I would say Lexmark's pricing on the network connection "option" really
sucks but there's so much garbage out there in laser printers.

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 
This is our one and only "Main Server" and, as previously noted, it is not
"visible" to the Gateway, meaning it doesn't know about the Gateway... so
can't pass on DNS requests up the DNS chain. I just don't want this thing
having Internet "conversations" with anything, be it attackers, M$,
competitors or "security" companies.

Ok, I follow you now, that makes more sense. Only thing I can think
of here is either to put up a second server just to handle the DNS
(seems like a bit of a waste) or maybe to have a static 'hosts' file
on each of the PCs.

Interesting - I've had reasonably good luck with Lexmark laser printers.
What else is there?... HP?... for years I ignored them as long as they
ignored PS but really... talk about driver hell - everything they sell is a
driver nightmare.<UGH>:-)

Driver nightmare perhaps, but I've had FAR better luck with their
printers than just about anything else when it comes to actually
printing. I haven't used Lexmark laser printers much, but the
absolutely abysmal quality of their inkjet printers was enough to kind
of sour me towards the company. Not to mention all the games that
they like to play with ink cartridges (not that HP, Epson, et al.
don't play the same sorts of games as well, Lexmark just seems more
adept at them).
 
Ok, I follow you now, that makes more sense. Only thing I can think
of here is either to put up a second server just to handle the DNS
(seems like a bit of a waste) or maybe to have a static 'hosts' file
on each of the PCs.

Yeah well we're kinda tight on IP addresses anyway and it could be a waste
to have a separate server... which I think would have to be our PDC, if I
understand things right. I'm not sure how the static hosts file would help
to allow one DNS for domain logon lookup and another for Internet address
resolution. The whole thing could be done better IMO.

Driver nightmare perhaps, but I've had FAR better luck with their
printers than just about anything else when it comes to actually
printing. I haven't used Lexmark laser printers much, but the
absolutely abysmal quality of their inkjet printers was enough to kind
of sour me towards the company. Not to mention all the games that
they like to play with ink cartridges (not that HP, Epson, et al.
don't play the same sorts of games as well, Lexmark just seems more
adept at them).

In the inkjet sector that Lexmark has a presence, all the mfr's efforts
seem cheap 'n' cheerful to me. If you want to go upscale with inkjet then
HP seems to be the only one who really plays there. Mind you I've heard of
people who happily run banks of Lexmark inkjets... and then there's the CD
printing systems which seem to use the Lexmark engines, I think because the
Lexmark ink is slightly less water soluble than HP's.

For laser printers though it's a different ball game - the low-end HP
lasers with what looks like sheets of paper sprouting vertically from them
are a joke IMO; at the higher end they're probably competitive laser
engine-wise but I've had good luck with Lexmarks so I'll probably stick
with them.... until??

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 
For laser printers though it's a different ball game - the low-end HP
lasers with what looks like sheets of paper sprouting vertically from them
are a joke IMO;

Why? Admittedly some of their newer designs aren't as pretty as the
older ones, my experience with them has been pretty good across
several offices including my home and friends. They are good enough
that even rival Canon uses their design if I'm not mistaken. I sorely
regret going for a cheaper one due to budget constraints... my older HP
*is* still better than my "newer" Epson.

--
L.Angel: I'm looking for web design work.
If you need basic to med complexity webpages at affordable rates, email me :)
Standard HTML, SHTML, MySQL + PHP or ASP, Javascript.
If you really want, FrontPage & DreamWeaver too.
But keep in mind you pay extra bandwidth for their bloated code
 
Yeah well we're kinda tight on IP addresses anyway and it could be a waste
to have a separate server... which I think would have to be our PDC, if I
understand things right. I'm not sure how the static hosts file would help
to allow one DNS for domain logon lookup and another for Internet address
resolution.

Static hosts file which does all of the translation for your private
domain, so no actual DNS queries would be required (the PCs all know
the addresses already). The problem is, of course, that this is all
static. If you want to change the address of any of the systems then
you need to update all of the hosts files.

The whole thing could be done better IMO.

The entire idea of DNS could be done better! Regardless of whether
you're talking Microsoft, Linux or anyone else, it's all a little bit
kludge-like if you ask me. Of course, I haven't a clue how it could
be done better, so I'll stick with it for now.
 

In a word: dirt... or more accurately dust. It just looks to me like a
poor design. It hits the low-end consumer market where accumulated dust
on the paper and intermittent use are a problem.

Admittedly some of their newer designs aren't as pretty as the
older ones, my experience with them has been pretty good across
several offices including my home and friends. They are good enough
that even rival Canon uses their design if I'm not mistaken. I sorely
regret going for a cheaper one due to budget constraints... my older HP
*is* still better than my "newer" Epson.

I believe it's actually HP who buys the Canon engines. IMO a proper laser
printer hides its paper in a drawer or tray and I'm, umm, quite inflexible
on this point.:-)

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 
Static hosts file which does all of the translation for your private
domain, so no actual DNS queries would be required (the PCs all know
the addresses already). The problem is, of course, that this is all
static. If you want to change the address of any of the systems then
you need to update all of the hosts files.

Yeah I know what a hosts file is. So the hosts file would supply the
address for only the domain logon, i.e. the PDC... and Internet DNS would
go through the Primary or Secondary DNS Server defined in the IP
Properties? Are you sure about this?

The entire idea of DNS could be done better! Regardless of whether
you're talking Microsoft, Linux or anyone else, it's all a little bit
kludge-like if you ask me. Of course, I haven't a clue how it could
be done better, so I'll stick with it for now.

The problem with M$ is that they have half-assed layered their own legacy
stuff on top of the IETF IP rules. For a while, a few years ago, they kept
trying to get IETF to accept their way of doing things and kept getting
laughed out of the meetings.

Rgds, George Macdonald

"Just because they're paranoid doesn't mean you're not psychotic" - Who, me??
 