
1. How to prevent users from accessing the scheduled tasks created by administrators or users.

As an example: you have a scheduled task created on all the client computers. The scheduled task name is BackupJob. You need to prevent users and local administrators from accessing it. Create a script named HideJob.CMD and add the following lines to it:

    @Echo Off
    rem Delayed expansion lets !ErrorLevel! be read after Cacls has run.
    setlocal enabledelayedexpansion
    rem /G without /E replaces the ACL, so SYSTEM (Full Control) is the only entry left.
    rem "Echo Y|" answers the Cacls confirmation prompt.
    Echo Y| C:\Windows\System32\Cacls.EXE C:\Windows\Tasks\BackupJob.JOB /G SYSTEM:F
    IF !ErrorLevel! == 0 (
        Echo Done > C:\Windows\System32\Result.TXT
    ) ELSE (
        Echo BackupJob not found on local computer > C:\Windows\System32\Result.TXT
    )

Next, create a GPO or edit an existing GPO, go to Computer Configuration > Startup Script, and configure HideJob.CMD there.

Note: All the computers must be restarted for this to work.

2. User Account Control has its place in some scenarios, but you may find it best to disable it in certain situations. This can be done globally with Group Policy.

User Account Control is one of Windows Vista's most touted and noticeable features. Designed to alert users when an action is being performed that makes a modification to the system, UAC has its place in several situations. However, you may run into occasions where application compatibility issues require that UAC be disabled.

Rather than painstakingly changing this setting on each individual computer, the change can be made in Group Policy. To do this, create a new Group Policy Object and browse to Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options. On the right-hand side of the screen there are a few options we want to configure that will disable UAC. They are:

* User Account Control: Behavior of the elevation prompt for administrators - Elevate without prompting
* User Account Control: Detect application installations and prompt for elevation - Disabled
* User Account Control: Run all administrators in Admin Approval Mode - Disabled

You will notice there are quite a few other configurable options for UAC here. When possible, you should try to toy around with these configuration options rather than just disabling UAC when dealing with an application compatibility issue. One last important note: once these settings are applied, a computer restart will be required.

3. Windows Server 2008 Group Policy provides several new features that ease network administration. In order to apply these new settings to your Windows XP devices a couple of extra steps will need to be taken.

One of the most exciting things Windows Server 2008 has to offer is its new Group Policy preference features. These features, such as mapping drives or installing printers, will work just fine on Windows Vista devices, but your Windows XP workstations and Windows 2003 Servers will need one more thing before you can expect to leverage Group Policy for their administration.

The reason for the issue is that the Preference settings now configurable in Group Policy require the installation of Group Policy Client Side Extensions (CSE) on Windows XP and Windows 2003 Server machines. Once these are installed, the GP preferences will apply as they should. Alternatively, these updates can be pushed to cntioned in the Servers.txt file.

4. This article explains a simple command you can use to modify the "Log On Locally" rights on all the servers remotely.

The Log On Locally right allows your users to log on locally on the server. By default, all the users in the Active Directory forest are able to log on to any server except domain controllers. The Local Users Security Group is added to the "Allow Log On Locally" rights on the local server, and this security group contains the Domain Users security local group. If you have created a security group and want only the members of this security group to be able to log on locally on specified servers, then you must do it manually, using a Group Policy, or using a script.

In this example, I have created a domain security group named RDP Access, and members of this security group should be able to log on locally on 100 servers out of 500 servers in my environment.

Steps:

* Create a text file: Servers.txt
* Copy all the 100 server names in this text file.
* Run the following command:

    For /F "Tokens=*" %a in (Servers.txt) Do Ntrights.exe -m \\%a -u "Domain_Name\RDP Access" +r SeInteractiveLogonRight

The above command will assign the Log On Locally rights to RDP Access, which is a domain local security group, on the servers mentioned in the Servers.txt file.

5. This article explains a command which you can use to get the members of a security group or security groups mentioned in a text file.

The command below can be used to get the list of members of the security groups mentioned in a text file. This is very useful when you want a list of user accounts for security groups.

Steps:

1. Create a text file: GroupNames.txt
2. Copy all the group names (do not copy the DN of the group, only the group name. For example, Administrator)
3. Run the following command:

    For /f "Tokens=*" %a in (GroupNames.txt) Do DsQuery group -name "%a" | DsGet group -members -expand > "GroupName_%a.txt"

The above command will create a file named after each group, and all the members of that group will be saved in that group's file.

Required files: Please make sure you have the files mentioned below on the computer where you are running the above command.

* DSQuery
* DsGet

6. This article explains a quick tip you can use to get the list of security groups a user or users belong to.

There is no native Windows command which can be used to get a list of the security groups a user or users belong to. The command below can help you achieve this. You need to download ADFind.exe, a tool developed by Joeware, from http://www.joeware.net/downloads/files/AdFind.zip. This tool can also be scripted. I will give two examples of this tool, as mentioned below:

* Use this tool to get the security groups of a user.

To accomplish the above-mentioned goal, you need to run the following command:

    ADFind.exe -b "CN=Peter, OU=Finance, DC=Contoso,DC=com" -s base -tokengroups -resolvesids -sddl+

The above command will get the list of security groups Peter belongs to. You need to know the DN of Peter so that you can get the security groups. In the second example, you don't need to know the DN of the user to achieve the same goal.

* Use this tool to get the security groups of users from a text file.

Steps: Run the following command to get the DNs of all users of a security group.

    DsQuery group -name "SecurityGroupName" | DsGet group -members -expand > AllUserNames.txt

The above command will get the list of user accounts from the security group "SecurityGroupName", and the output will be stored in the AllUserNames.txt file with the DN of each user. Now you have got the DN of all the users.
Next, run the following command to get the security groups of each user account mentioned in AllUserNames.txt. The output for each user's security groups will be stored in a UserName_ text file for that user.

    For /F "Tokens=*" %a in (AllUserNames.txt) Do ADFind.exe -b %a -s base TokenGroups -resolvesids -sddl+ > "UserName_%~a.txt"
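For tip 2: the three Security Options are stored as registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, so an audit can show which computers have UAC switched off by that GPO. The PowerShell below is an added example, not part of the original tips; the function names and the sample values are constructed for illustration.

```powershell
# Added example: report whether the three UAC options from tip 2 are in
# the state that tip sets. Function names and sample data are illustrative.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy text from tip 2 -> backing registry value -> data the tip sets.
$UacChecks = @(
    @{ Policy = 'Behavior of the elevation prompt for administrators'
       Name   = 'ConsentPromptBehaviorAdmin'; TipSets = 0 },   # Elevate without prompting
    @{ Policy = 'Detect application installations and prompt for elevation'
       Name   = 'EnableInstallerDetection';   TipSets = 0 },   # Disabled
    @{ Policy = 'Run all administrators in Admin Approval Mode'
       Name   = 'EnableLUA';                  TipSets = 0 }    # Disabled
)

function Get-UacValues {
    # Read the live values; a value that is absent is simply left out.
    $found = @{}
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($c in $UacChecks) {
        $p = if ($props) { $props.PSObject.Properties[$c.Name] }
        if ($p) { $found[$c.Name] = [int]$p.Value }
    }
    return $found
}

function Test-UacValues {
    param([hashtable]$Values)   # registry value name -> DWORD data
    foreach ($c in $UacChecks) {
        $has  = $Values.ContainsKey($c.Name)
        $data = if ($has) { $Values[$c.Name] } else { 'not set' }
        [pscustomobject]@{
            Policy      = $c.Policy
            Value       = $c.Name
            Data        = $data
            UacDisabled = ($has -and ($Values[$c.Name] -eq $c.TipSets))
        }
    }
}

# Constructed sample: the state tip 2's GPO leaves behind after the restart.
$sample = @{ ConsentPromptBehaviorAdmin = 0; EnableInstallerDetection = 0; EnableLUA = 0 }
Test-UacValues -Values $sample | Format-Table -AutoSize

# On a Windows host, audit the live registry instead:
# Test-UacValues -Values (Get-UacValues) | Where-Object { $_.UacDisabled }
```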
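For tip 4: Ntrights' +r adds RDP Access to the right without removing the groups that already hold it, so it is worth listing every holder afterwards. This added PowerShell example (not from the original page) parses the [Privilege Rights] section written by secedit /export /areas USER_RIGHTS; the sample lines, the domain SID standing in for RDP Access, and the function names are constructed.

```powershell
# Added example: list who holds "Log On Locally" and flag broad groups.
# Well-known SIDs that give wide interactive logon when present.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-RightHolders {
    param([string[]]$InfLines, [string]$Right = 'SeInteractiveLogonRight')
    $pattern = '^\s*{0}\s*=\s*(.+)$' -f [regex]::Escape($Right)
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[1] -split ',' |
                     ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    return @()   # right not present in the export
}

function Test-LogonRight {
    param([string[]]$InfLines, [string]$ExpectedSid)
    foreach ($id in (Get-RightHolders -InfLines $InfLines)) {
        [pscustomobject]@{
            Holder   = $id
            Name     = $BroadSids[$id]              # empty unless well known
            Broad    = $BroadSids.ContainsKey($id)  # still open to ordinary users
            Expected = ($id -eq $ExpectedSid)       # the group tip 4 added
        }
    }
}

# Constructed secedit output; the S-1-5-21-... SID stands in for "RDP Access".
$rdpAccessSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sample = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544'
    "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*$rdpAccessSid"
)
Test-LogonRight -InfLines $sample -ExpectedSid $rdpAccessSid | Format-Table -AutoSize

# Live use on one server (run elevated):
# secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf" | Out-Null
# Test-LogonRight -InfLines (Get-Content "$env:TEMP\rights.inf") -ExpectedSid $rdpAccessSid
```

A row with Broad set to True after tip 4's command has run means the right is still granted to a wide built-in group as well as to RDP Access.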

7.
