Wednesday, 28 March 2012

Creating a Bootable USB Flash Drive for Installing Windows 7 or Windows Server 2008 R2

You might need to install Windows 7 or Windows Server 2008 R2 from a USB flash drive instead of the traditional DVD. The process of creating a bootable USB drive is straightforward, as I will demonstrate in the following.
There are several reasons for using a USB flash drive for installation. First, it’s faster – with USB 3.0 it’s much faster than installing from a DVD. Second, it’s easier to carry around and more robust than a DVD.
All you need is a USB flash drive with at least 4 GB of unallocated space and the Windows installation files.
If you have the installation files as an ISO file, you need a program to mount it. There are several free tools available on the internet. I use DAEMON Tools Lite, which you can download from this site: http://www.daemon-tools.cc/eng/downloads
Go through the following steps.
1. Insert the USB flash drive into a computer running Windows XP – 7.
2. Open an elevated command prompt (cmd.exe).
3. Now you need to format the USB drive and make it active. You can achieve this with the Diskpart command-line utility, so in the prompt type the following command and press Enter:
Diskpart

4. Then you need to identify the USB disk among the other physical disks in your system. You do that by running the following command:
List Disk
When you run this command you get a list of the physical disks, including your USB disk. Note its disk number. In my case it’s Disk 1.

5. Then you need to select the USB disk, clean the disk, create a primary partition, make the partition active and format it with NTFS. You can do all that by running the following commands:
Select Disk 1 (insert the actual disk number)
Clean
Create Partition Primary
Select Partition 1
Active
Format FS=NTFS (this might take some time!)
Assign
Exit
Minimize the command prompt

6. Insert the Windows installation DVD and note the drive letter assigned to it. You also need to know the drive letter of the USB drive.
Return to the command prompt and change the path to X:\boot>, where X is the drive letter of your optical (DVD) drive. You can do that by running the following two commands:
X:
CD Boot
From this location you run the following command:
BOOTSECT.EXE /NT60 Y:
Where Y is the drive letter of your USB drive.
7. Now all you need to do is copy the contents of the installation DVD to the USB flash drive, and you are ready to install Windows 7 or Windows Server 2008 (R2) directly from the USB device. Just make sure that your computer supports booting from a USB device and is configured to do so.
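The same procedure as steps 3 to 7, scripted in PowerShell as an added example that is not part of the original post. It assumes you run it from an elevated prompt and pass the disk number from "list disk", the letter of the mounted DVD/ISO and the letter the stick should get; because "clean" wipes the selected disk, it refuses any disk that is not attached over USB.

```powershell
# Added example, not from the original post: automates steps 3 to 7 from an
# elevated PowerShell prompt. Inputs are assumptions: the diskpart disk number,
# the drive letter of the mounted DVD/ISO and the letter for the USB stick.
function New-Win7BootUsb {
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [Parameter(Mandatory = $true)][string]$SourceDrive,   # e.g. 'D'
        [Parameter(Mandatory = $true)][string]$UsbLetter      # e.g. 'Y'
    )
    # Safety check: Win32_DiskDrive.Index is the same number diskpart shows.
    $disk = Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.Index -eq $DiskNumber }
    if (-not $disk) { throw "Disk $DiskNumber not found" }
    if ($disk.InterfaceType -ne 'USB') {
        throw "Disk $DiskNumber ($($disk.Model)) is not attached over USB; refusing to clean it"
    }

    # Steps 3 to 5: the same diskpart sequence, fed to diskpart as a script file.
    # 'quick' skips the slow full format; drop it to match step 5 exactly.
    $dpScript = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=ntfs quick
assign letter=$UsbLetter
exit
"@
    $dpPath = Join-Path $env:TEMP 'make-boot-usb.txt'
    Set-Content -Path $dpPath -Value $dpScript -Encoding ASCII
    diskpart.exe /s $dpPath
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

    # Step 6: write the NT 6.x (Windows 7 / 2008 R2) boot sector to the USB partition.
    & "${SourceDrive}:\boot\bootsect.exe" /nt60 "${UsbLetter}:"
    if ($LASTEXITCODE -ne 0) { throw "bootsect failed with exit code $LASTEXITCODE" }

    # Step 7: copy the whole installation media; robocopy exit codes below 8 mean success.
    robocopy.exe "${SourceDrive}:\" "${UsbLetter}:\" /E /NP
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    Write-Host "Bootable USB ready on ${UsbLetter}:"
}

# Constructed example: USB stick is disk 1, DVD/ISO is D:, the stick gets letter Y:
# New-Win7BootUsb -DiskNumber 1 -SourceDrive 'D' -UsbLetter 'Y'
```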

Tuesday, 13 March 2012


How to: Managing Fine-Grained Password Policy in Windows Server 2012

Now we have the possibility to look at the new features in Windows Server 2012, and I will in future posts describe some of them.

In this post you can see a demonstration of how to create and configure Fine-Grained Password Policy on a Windows Server 2012 domain controller through the Active Directory Administrative Center. You can find more detailed information about the Fine-Grained Password Policy configuration on Server 2008 (R2) in my previous post, http://masteringwindows.blogspot.com/2012/03/managing-fine-grained-password-policy.html

As described in the previous post, creating and configuring a Password Setting Object (PSO) was a little cumbersome, and you needed the ADSI Editor to create the PSO graphically.

Windows Server 2012 addresses this by making creation and configuration possible in an easy way through the Active Directory Administrative Center, as I will demonstrate in the following.

1. There are several ways to start the Active Directory Administrative Center on a Windows Server 8 Beta domain controller. One way is from the Start screen: in the Metro-style interface, click Active Directory Administrative Center.

2. In the Active Directory Administrative Center you can change the left pane to show the traditional tree view. Expand your domain, then locate and expand the System container.

3. In the System container, locate the Password Setting Container, from where you can create and manage your PSOs.



4. When you select the Password Setting Container, you can create a PSO by selecting the New option in the Tasks pane on the right side of the screen.


5. As you can see, you now have a single screen where you can configure all attributes in the PSO, including the user or group the PSO applies to – beautiful!

In this case I create a PSO that applies to the IT Managers group.


6. If you need to examine which PSO applies to a specific user, you can do that easily in the GUI: right-click the user and select View resultant password settings…

Summary

The Fine-Grained Password Policy feature offers you the ability to make dedicated password and account lockout policies in your enterprise, and on a Windows Server 2012 domain controller the configuration is simple and straightforward. Actually, I haven’t seen a third-party tool that gives you the same intuitive GUI.

How to: Managing Fine-Grained Password Policy in Server 2008
In this post I will explain and demonstrate the Fine-Grained Password Policy feature offered by Windows Server 2008 Active Directory.
Since the early days of Active Directory, I have often wondered why Microsoft made the password policy so inflexible: one domain, one Account policy (Password, Account Lockout and Kerberos policy). This meant that if you needed dedicated Account policies for different kinds of employees (managers, administrators, standard users, etc.), you had to implement more than one domain in your enterprise, which generally results in more administration and a higher TCO.
To solve this issue, Microsoft introduced Fine-Grained Password policy in Windows Server 2008 Active Directory, which offers the ability to apply dedicated Password and Account Lockout policies to Users and Groups – not to OU’s unfortunately.
The requirement for using Fine-Grained Password policies is that the Domain Functional level is at least Windows Server 2008, and therefore all Domain Controllers in the Domain must at minimum be Windows Server 2008.
Fine-Grained Password policy is not configured through a Group Policy Object, GPO, where you traditionally configure Password and Account Lockout policies for the domain. Instead Fine-Grained Password policy is configured by creating an object in Active Directory called Password Setting Object (PSO). When you have created a PSO and configured the Password and Account Lockout settings, you can apply the PSO to users or groups in your domain.
As often seen when Microsoft introduces new features, configuring Fine-Grained Password policy isn’t as smooth and straightforward as you might wish. In Windows Server 2008 you need to use the ADSI Edit console to create a PSO. Alternatively you can use PowerShell or third-party tools. In Windows Server 8 Microsoft has addressed this issue by making creation and configuration available through the Active Directory Administrative Center. I will demonstrate this in a future post.
In the following you can see the steps needed to create and configure a PSO in a Windows Server 2008 or Server 2008 R2 domain.


1. First you need to raise the domain functional level to at least Windows Server 2008. From the Active Directory Users and Computers console, right-click your domain and select Raise domain functional level…




2. Be aware that when you raise the domain functional level it is not possible to revert the action.


3. If you select Advanced Features from the View menu in the console, you will now see the System container in the domain tree, and in this section you can view and apply your existing PSOs to users and groups. As you can see, it is not possible to create a PSO from this view. To create a PSO, you need to open the ADSI Editor.


4. In the ADSI Editor you first need to make an active connection.


5. In this example I just make a default connection to the domain controller I’m logged on to.


6. As you can see, the structure is exactly the same as in the Active Directory Users and Computers console, but in the ADSI Editor the structure is listed by distinguished names. When you expand your domain and the CN=System container, you can right-click the CN=Password Setting Container and select New – Object… This is where you create a new PSO. It launches a wizard that takes you through the configuration of the password and account lockout settings you want to apply to a specific user or group.


7. First you need to give your PSO a descriptive name that you can relate to in the future. Design a good naming convention for your PSO’s before you create the first one.


8. Then you assign the PSO a precedence value, where 1 gives the PSO the highest priority when a user is a member of two groups that both have a PSO applied. Plan the precedence values of your PSOs carefully.


9. Normally you will not enable reversible password encryption unless you have specific applications that require it (the settings are true or false).


10. Here you define the password history.


11. Then you enable or disable the password complexity (the settings are true or false).


12. Then you define the minimum password length.


13. The time format for the minimum password age, and all other time definitions is in the format of d:hh:mm:ss (days, hours, minutes, seconds).


14. Then you configure the maximum password age.


15. Here you configure the lockout threshold value, defining the number of invalid logons before the user is locked out.





16. The Observation value represents the time that must elapse after a failed logon attempt before the failed logon counter is reset to 0 bad logon attempts.


17. The Lockout duration value determines how long a locked-out account remains locked out before it is automatically unlocked. If you set the account lockout duration to 0, the account stays locked out until an administrator unlocks it. The Lockout duration value must be equal to or greater than the Observation value described in the previous step.

18. When you have finished the wizard, you can see and edit the PSO from either the ADSI Editor or from the Active Directory Users and Computers console.


19. To apply the PSO to a user or group, right-click the PSO and select Properties. Select the Attribute Editor tab, scroll down to the msDS-PSOAppliesTo attribute and click Edit.


21. Here you can choose to locate the account either by searching the directory directly or by specifying the account’s distinguished name. In this case I choose to apply the PSO to the IT Managers group.




22. When you look at the IT Managers group’s properties sheet and select the Attribute Editor, you can view or edit the msDS-PSOApplied attribute. You need to select the Backlinks filter option first.


23. In this case Tom Heddelberg is a member of the IT Managers group.


24. If you look at the Attribute Editor in Tom Heddelberg’s properties, you can see the applied PSO in the msDS-ResultantPSO attribute. You need to select the Constructed filter option first.


25. To find the PSO applied to a specific user you can use the dsget command-line utility, but the output only shows the applied PSO, not the specific settings in the PSO.


26. If you use the Get-ADUserResultantPasswordPolicy cmdlet, you can see the applied PSO plus the actual settings applied.
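The same PSO, built with the ActiveDirectory module instead of the ADSI Edit wizard, as an added example that is not part of this post or the Server 2012 post above: it sets the attributes from steps 7 to 17, applies the PSO to the group as in steps 19 to 21, and reads a user's resultant policy as in step 26. The PSO name, the precedence and timing values, the IT Managers group and the user's logon name are assumed placeholders.

```powershell
# Added example, not from the original posts. Placeholder PSO name, values,
# group and user; run on a DC or a host with RSAT and the ActiveDirectory module.
Import-Module ActiveDirectory

function New-ItManagersPso {
    param(
        [string]$Name  = 'PSO-IT-Managers',    # step 7: descriptive name
        [string]$Group = 'IT Managers',        # group the PSO applies to
        [TimeSpan]$ObservationWindow = (New-TimeSpan -Minutes 30),
        [TimeSpan]$LockoutDuration   = (New-TimeSpan -Minutes 30)
    )
    # Step 17: duration 0 means "until an administrator unlocks"; otherwise it
    # must be equal to or greater than the observation window from step 16.
    if ($LockoutDuration -ne [TimeSpan]::Zero -and $LockoutDuration -lt $ObservationWindow) {
        throw "LockoutDuration must be 0 or >= LockoutObservationWindow ($ObservationWindow)"
    }
    $settings = @{
        Name                            = $Name
        Precedence                      = 10                      # step 8: lower wins
        ReversibleEncryptionEnabled     = $false                  # step 9
        PasswordHistoryCount            = 24                      # step 10
        ComplexityEnabled               = $true                   # step 11
        MinPasswordLength               = 14                      # step 12
        MinPasswordAge                  = (New-TimeSpan -Days 1)  # step 13
        MaxPasswordAge                  = (New-TimeSpan -Days 42) # step 14
        LockoutThreshold                = 5                       # step 15
        LockoutObservationWindow        = $ObservationWindow      # step 16
        LockoutDuration                 = $LockoutDuration        # step 17
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @settings
    # Steps 19 to 21: populate msDS-PSOAppliesTo with the group.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-EffectivePso {
    param([Parameter(Mandatory = $true)][string]$User)
    # Step 26: the resultant PSO with its settings; $null means no PSO applies
    # and the GPO-based domain policy is in effect for this user.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($null -eq $policy) { Write-Warning "$User has no PSO; the domain policy applies" }
    return $policy
}

# Constructed usage: create the PSO, then check the group member from step 23.
# New-ItManagersPso; Get-EffectivePso -User 'theddelberg'
```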

Summary
The Fine-Grained Password Policy offered by Server 2008 Active Directory gives you the possibility to make more dedicated password and account lockout policies in your enterprise. But you need to be strict in your design and planning, because a PSO takes effect immediately and is enforced.
One recommendation is to use the GPO-based password and account lockout policy for all standard users in your enterprise, and dedicated PSOs for more restrictive accounts according to their group membership.