Tuesday, September 14, 2004
Group Policy Management Console incompatibility with Windows XP Service Pack 2
I may have missed the boat on Windows XP Service Pack 2 (SP2) reports (had a lot of other stuff going on to create this post), but I hope this helps someone having the same problem I was.
I have been using Group Policy Management Console (GPMC) SP1 to configure policies that are deployed via Active Directory to our Windows XP and Windows Server 2003 machines. The settings are largely based on the Windows XP Security Guide and the Windows Server 2003 Security Guide.
When configuring settings for System Services (i.e. NT Services) in GPMC SP1, an incompatibility is created for a few (that I have found) specific services in SP2. This incompatibility stops, at least, Automatic Updates and the Windows Firewall services from starting even when set to automatically start.
With XP SP2, the Automatic Updates service is required for access to Windows Update. Tracking this fact down alone took some time, because I hadn't seen it mentioned publicly anywhere.
When you configure a Service in GPMC, it prompts you to define an Access Control List (ACL). An ACL, you ask? Services don't have ACLs!
I had no idea about this either until this incident, but yes, Services have ACLs. Of course you can't look at the ACL on a service (e.g. by looking at the Properties on a Service and viewing the Security tab like on every other OS object with an ACL); you can only see the ACL as a binary value in the Registry.
Here is the ACL for the Automatic Updates service in XP SP2:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security\Security
How do you see these binary-value ACLs in a human-readable format? I can't find anything to do this, and the only tool that allows you to set the ACL is GPMC. This MS Knowledge Base article has the details on this and the steps needed to configure your machine: How To Configure Group Policies to Set Security for System Services
The article has one critical flaw though. It says the default ACL GPMC creates for your services contains the permission of Everyone - Full Control. Under XP SP2, this is not true. The default ACL looks like this:
Administrator - Full Control
Interactive - Read
System - Full Control
For Automatic Updates pre-SP2, this setting does not present a problem. Under SP2, it would appear that both the Automatic Updates and Windows Firewall services are configured to run as Local System, but in fact launch threads running as Network Service.
What clue do I have that this is in fact happening? I happen to have failure audits on through Group Policy, and the Network Service account on the Object Name wuauserv was generating a failure that it didn't have Accesses: READ_CONTROL...
As soon as you add Network Service - Read to the ACL for Automatic Updates, everything operates flawlessly. Windows Firewall would seem to operate the same way.
If I hadn't turned on failure audits, Windows would just silently fail the Automatic Updates service, since it actually starts, then kills the process once the thread logging the failure can't read the service configuration. My main machine is in a Windows domain of course, so the Security Center would not normally be enabled to notify users that the Windows Firewall is disabled, but I enabled this XP SP2 feature to look at the screens.
This took close to an entire day to debug. It halted my company's XP SP2 rollout until I figured out what was causing the problem with Windows Update. I just happened to stumble on the Windows Firewall having the same problem because we wanted to set that to Automatically start like Automatic Updates, and it started failing on my test machine in the domain.
This is one of those gnarly problems that is just not obvious while testing on a single machine, you need all the pieces together to expose the issue. Nasty.
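The binary value the post points at is a self-relative SECURITY_DESCRIPTOR, the same structure every securable object carries. As an added example (not code from the original post, and not a Microsoft tool), the following Python builds a descriptor from the ACL the post describes, parses it back into readable ACEs and SDDL, and checks whether NETWORK SERVICE holds READ_CONTROL before and after the Read entry is added. The ACL contents are constructed from the post's description, not dumped from a real wuauserv key, and GPMC's "Read" is assumed here to be the service GENERIC_READ mapping (0x2008D); the other masks are the documented service and standard rights. On a live XP or 2003 machine, `sc sdshow wuauserv` prints the same descriptor in SDDL form.

```python
import struct

# Well-known SIDs for the principals named in the post.
SID_ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators
SID_INTERACTIVE = "S-1-5-4"          # NT AUTHORITY\INTERACTIVE
SID_SYSTEM = "S-1-5-18"              # NT AUTHORITY\SYSTEM
SID_NETWORK_SERVICE = "S-1-5-20"     # NT AUTHORITY\NETWORK SERVICE
SDDL_ALIASES = {SID_ADMINISTRATORS: "BA", SID_INTERACTIVE: "IU",
                SID_SYSTEM: "SY", SID_NETWORK_SERVICE: "NS"}

# Access bits from winnt.h / winsvc.h.
READ_CONTROL = 0x00020000
SERVICE_ALL_ACCESS = 0x000F01FF
# GENERIC_READ as the SCM maps it for service objects:
# READ_CONTROL | QUERY_CONFIG | QUERY_STATUS | ENUMERATE_DEPENDENTS | INTERROGATE
SERVICE_GENERIC_READ = READ_CONTROL | 0x0001 | 0x0004 | 0x0008 | 0x0080  # 0x2008D

ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0, 1
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def sid_to_bytes(sid):
    """S-R-A-S1-S2... -> binary SID (revision, count, 48-bit big-endian authority, LE subs)."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(x) for x in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf, off):
    """Parse a binary SID at buf[off]; return (string SID, bytes consumed)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_service_sd(aces):
    """Self-relative SECURITY_DESCRIPTOR with a DACL only (no owner, group or SACL).
    aces is a list of (sid, mask) access-allowed entries."""
    ace_bytes = b""
    for sid, mask in aces:
        sid_b = sid_to_bytes(sid)
        # ACE_HEADER (type, flags, size) + ACCESS_MASK + SID
        ace_bytes += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b
    # ACL header: revision 2, sbz1, size, ace count, sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_bytes), len(aces), 0) + ace_bytes
    # SD header is 20 bytes, so the DACL starts at offset 20.
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return hdr + acl

def parse_dacl(sd):
    """Return [(ace_type, sid, mask), ...] or None for a NULL DACL (which grants everything)."""
    rev, _sbz1, control, _o_owner, _o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not (control & SE_DACL_PRESENT) or o_dacl == 0:
        return None
    _acl_rev, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, o_dacl)
    off, aces = o_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        sid, _ = bytes_to_sid(sd, off + 8)
        aces.append((ace_type, sid, mask))
        off += ace_size  # ace_size covers header + mask + SID
    return aces

def dacl_to_sddl(sd):
    """Render the DACL as SDDL with hex masks, e.g. D:(A;;0x2008D;;;NS)."""
    aces = parse_dacl(sd)
    if aces is None:
        return "D:NO_ACCESS_CONTROL"
    return "D:" + "".join("(%s;;0x%X;;;%s)" % ("A" if t == ACCESS_ALLOWED_ACE_TYPE else "D",
                                               mask, SDDL_ALIASES.get(sid, sid))
                          for t, sid, mask in aces)

def has_access(sd, sid, wanted):
    """Simplified check for one exact SID: a deny ACE covering any wanted bit wins,
    otherwise allowed bits accumulate. Ignores group membership and inheritance."""
    aces = parse_dacl(sd)
    if aces is None:
        return True
    granted = 0
    for ace_type, ace_sid, mask in aces:
        if ace_sid != sid:
            continue
        if ace_type == ACCESS_DENIED_ACE_TYPE and mask & wanted:
            return False
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            granted |= mask
    return granted & wanted == wanted

# Constructed ACLs modelled on the post: GPMC's SP2 default, and the same plus Network Service - Read.
GPMC_DEFAULT_ACL = [(SID_ADMINISTRATORS, SERVICE_ALL_ACCESS),
                    (SID_INTERACTIVE, SERVICE_GENERIC_READ),
                    (SID_SYSTEM, SERVICE_ALL_ACCESS)]
FIXED_ACL = GPMC_DEFAULT_ACL + [(SID_NETWORK_SERVICE, SERVICE_GENERIC_READ)]

def network_service_can_read(aces):
    """The check the failure audit was effectively performing: does S-1-5-20 hold READ_CONTROL?"""
    return has_access(build_service_sd(aces), SID_NETWORK_SERVICE, READ_CONTROL)

if __name__ == "__main__":
    for name, acl in (("GPMC default", GPMC_DEFAULT_ACL), ("with NS Read", FIXED_ACL)):
        sd = build_service_sd(acl)
        print(name, dacl_to_sddl(sd), "NETWORK SERVICE READ_CONTROL:", network_service_can_read(acl))
```

The access check is deliberately minimal: the real AccessCheck() walks the ACEs in order, expands the caller's group SIDs, and honours inherited and object ACEs, so use this for reading a descriptor out of the registry, not as a substitute for the kernel's decision. To decode a real value, export the `Security` REG_BINARY value and pass its bytes to parse_dacl.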
Airport Express...More Impressions
I have had the Airport Express now for a few months and been using it a pretty good amount.
I finally settled on using it connected to my stereo in conjunction with my existing Microsoft MN-700. I had to change the wireless channel on one of the devices to use them sitting right next to each other. I read this in a forum somewhere that I can't find the link to right now. The wireless channel I guess should have been obvious, just like a cordless phone, but I just never had to do this before so it wasn't obvious to me.
One of the things the AE was touted as was a portable network solution, and I have really been using it like this and it rocks!
First I took it to a friend's house to use their broadband with the iBook. This worked very well once I reset AE to wipe out my existing home configuration, which was configured to join a wireless network, not create one.
Then I took it to the Reno Hilton and plugged it into their ethernet connection in the hotel room. This worked really well, as I could use the iBook from an adjoining room flawlessly. I used the same configuration from my friend's house without incident. Good thing I had the extension cord from the iBook that is interchangeable with the AE, since the Ethernet connection was nowhere near a power outlet.
Here is a tip though, if you setup AE to use the 'net access in the hotel room, don't disconnect AE and use your laptop directly or you might get double billed. A lot of hotel rooms authorize based on MAC address. I switched to the Ethernet port on the iBook to see if this would happen and it did, but the hotel was kind enough to wipe out the double charge and all other Internet charges for my "inconvenience". Sweet!!!
World of Warcraft....WoW
MMORPGs as a genre have always intrigued me, but I could never justify paying $50 for a game that I have to pay $10-$15 a month extra to play. The game is a total paperweight if you don't like it.
That said, I tried Star Wars Galaxies because I am a huge Star Wars fan and I just couldn't resist the concept. The price was always a sticking point for me though. I played for about a month, and I just couldn't get into the game. Things didn't feel done, player cities felt busted to me since no one ever had a reason to go there, and the mission grind felt just like that, a grind.
But WoW feels different. I only played the game for a couple of days, but I am impressed and I am definitely getting the game.
First the graphics, character and world, just feel polished. SWG never felt awe inspiring, occasionally that was true, but in general I was not completely impressed. WoW really stands out. In one of the early Orc cities, I climbed to the top of a structure just to look out on the landscape, it was that good. Character models are equally fantastic.
But the part that really stood out in WoW was the way the newbie area leads you into missions. Everything is well laid out, and you don't just kill monsters on the landscape, you actually get into a dungeon on like the fifth mission! Maybe other MMOs are like this, but after SWG this felt like a revelation.
The friend that got me into the Stress Test got to a lot higher levels than I did, so he got to experience the PvP, and he sounded like a heroin addict that can't score another fix for a long time :)
Mac Gaming: Better Than Expected
I loaded up my first Mac only game experience this weekend. This means I never played the game on the PC, I only played it on the iBook.
That would be World of Warcraft (WoW), Blizzard's upcoming MMORPG. I got into the Stress Test Beta for a couple of days from a friend at work.
First off, the minimum CPU for the game is a 1 GHz G4; this iBook has a 933 MHz G4, so the game tells me things may not work. My first thought is, I didn't buy the iBook for gaming, so let's just give this a try.
WoW launches and just like everything on the Mac, the attention to detail stands out. I am talking about the transition from Desktop to Game and Game to Desktop. On Windows, this transition is almost always seen with crazy painting problems. Explorer slowly repaints the desktop, the disk grinds for a while as apps come back into memory and repaint themselves. In a word: ugly.
Not so on the Mac, transitions are nicely faded or without repaint problems. Moving out of Full Screen to Windowed mode is also seamless. In Blizzard games anyway (I don't have any others to test) the command is Apple-M.
WoW itself ran pretty well once I turned down the graphical detail.
The only thing that was absolutely necessary was a 2 or more button mouse. I have been using my Microsoft IntelliMouse Optical with the iBook pretty much since I got the iBook, it worked nicely in WoW.
Since all the PC propaganda goes out of its way to suggest there are no games for the Mac and that they suck anyway, I was pleasantly surprised by my experience.
Blizzard rocks.
Saturday, September 04, 2004
Fixed .Mac iDisk Syncing with....Windows XP
I previously blogged about my .Mac iDisk synchronization problems
I finally fixed my issue with Windows XP. This is not a Mac slam, but it does show what happens when you hide stuff from users sometimes and the software can't fix itself.
I installed the iDisk utility for Windows XP to upload an image to my iDisk's Public Folder while I was at work on my XP box.
You could say I was surprised when I saw a hidden .Something file in the Public folder. In my previous post, I mentioned that I was trying to upload a large file, and the upload timed out at one point.
Well it seems pretty clear that the .Mac iDisk sync engine can't sort itself out in some cases, because it left this dead file behind and on the Mac as a regular user, wouldn't tell me about it.
I deleted the file from Windows XP and got all my space back. I could have solved this on the Mac too by telling the Finder to show me hidden files or using Terminal, but I just expected this to work, even in the failure cases, and it never occurred to me the iDisk sync wouldn't keep a record of the attempted file upload and clean up after itself.
I suppose a transactional file system would have solved this too, perhaps "Tiger" will match the transactional NTFS in Longhorn, if it isn't cut :)
I finally got Quicken 2004 for Mac to work with Citibank
In my campaign to go Mac only at home, the last piece of data to get migrated was my MS Money data. I thought this would be a no brainer since Quicken 2004 for Mac was included with the iBook and everybody reads QIF files.
I read in a Macworld forum that with Quicken I could directly download transactions from Citibank from within the program and pay bills, I didn't have to use the Citibank website and no double data entry like I had with Money!!!!
This may not seem like a big deal, but I started using direct online banking with First Union (nee Wachovia) in PA. When I moved to CA, no bank offered direct banking and I hate double entry, in Money and on the Citibank website. I stayed with First Union for months to avoid double entry.
But with Quicken 2004 for Mac and Citibank, single data entry was again a reality. I enrolled in the Citibank Direct Connect program ($9.95 a month, no double entry is worth it) and patiently waited for my connection kit. I got that in early July, promptly did the setup, but no transactions would download.
A call to Citibank revealed I was using the wrong Customer Number, they wanted my wife's SSN, and it wasn't specified on the setup document. With that problem solved, I was making a connection to Citibank, but still no transactions. Citibank didn't understand the problem, so I couldn't get my transactions.
I resigned myself to either falling back to using Web statements or switching to another program on the Mac. Web statements looked unpromising, because the Quicken Web Connect format wouldn't import and I had to use the Quicken '98 QIF format. This meant no transaction matching on import, which is totally unacceptable.
I started researching why Quicken Web Connect, which does have transaction matching, wouldn't import. The Web Connect file is an XML file, how hard could this be to suck into Quicken? I opened the file to have a look, and I was also seriously thinking of starting my own development effort, and I noticed my Citibank account number looked a bit dodgy, but I couldn't put my finger on it, maybe too short, it didn't hit me yet.
I installed and setup another finance program on the Mac (here is a list on Macworld) called Moneydance. This too can download transactions directly from Citibank.
I picked up a Citibank statement since I couldn't find the checkbook, put the info in Moneydance, and in a John Madden BOOM, I had transactions.
And then all the pieces fell into place in my head.
When I had entered my Citibank account number in Quicken, I happened to have the checkbook handy and read the number directly off of that.
The account number on my checks looks like this: 0123 4567 8912
In the Quicken Web Connect file and on my paper Citibank statement, the account number looks like this: 123 4567 8912
You will immediately notice there is no leading 0. I changed the account number on the Checking account in Quicken, and now I have every transaction with, so far, really good matching on already entered items.
What a timesink. In total, it took me 2 months to debug this and I never saw anyone else online mention this when having problems getting transactions from Citibank with Quicken.
Friday, August 27, 2004
Switching to the Mac at home
Even though my job is as a Windows Software Developer, I am switching over completely at home to Macs and using MS Remote Desktop Connection on the Mac to get to my work desktop or use my work provided laptop. I never develop on my home PC, and the experience on the Mac has been so good for all the things that are important to me, digital photos, music, home movies, that I am just going to completely switch.
As for games, one of my big leisure time activities, since I got an Xbox, I hardly ever play PC games. Doom 3 is the first I have played in a long time, and it is going to be the last because my hardware has already fallen behind the curve for the best experience.
I intend on posting my experience here, as I have already started, about the switch.
I hope you enjoy.
Thursday, August 26, 2004
Framed My First Comment
When I started the blog, I didn't know what to expect with regard to number of visitors or people commenting.
I was happy to receive my first comment the other day from the Blog Bloke
In the tradition of businesses framing their first dollar, I have "framed" my first comment.
Seeing this comment also spurred me to add Site Meter stats to my blog.
Thanks Blog Bloke
Friday, August 20, 2004
I want to invoke the right of parley, or: how MS missed an opportunity with SP2
The title of this article was inspired by the excellent article on Daring Fireball
XP SP2 is absolutely an essential upgrade, everyone should install it, even though there might be some problems with it (more on that later).
The opportunity MS missed was shipping the .NET Framework standard with SP2. The redistributable installer is on the SP2 CD, but the SP2 installer does not install the framework.
As a developer, I have given up all hope of seeing Windows Forms as a viable deployment platform. This was the last best opportunity to push these bits onto the client platform and they just didn't do it.
I would love to know why we ended up in this mess. And I just don't buy the argument that this is because of the legal stuff with the DOJ, Europe, and Japan. If that were true, why does SP2 update my media player to Windows Media Player 9?
A sad day for .NET developers. The platform may rock, but if I can't depend on the bits being on the client, and I want to minimize my installer's size, I am stuck in VB6 or Win32 for client apps...*sigh*
Sunday, August 08, 2004
.Mac iDisk Synchronization in Panther
When I got my iBook, I signed up for Apple's .Mac service for my wife because we wanted drop dead easy photo publishing of our, at the time (Dec '03) upcoming son. We love that functionality and it works beautifully from iPhoto.
iPhoto uses your iDisk to store the photos and HTML pages that are visible from http://homepage.mac.com/[membername]
This weekend I pushed .Mac and the Panther synchronization capabilities to the limits and I am not impressed.
I added a large (47.5 MB) file to my iDisk. With my other stuff and the default limit of 100 MB, the iDisk sync with my local copy basically ended up in an infinite loop.
OS X 10.3.4 would try and synch the file, fail with an out of space error which was very pretty, and then just keep trying again. The out of space error was particularly frustrating, since I should have had 13.3 MB of free space after I uploaded the file.
I pushed out over 1.26 GB of data as of my last attempt. Even more frustrating, since I have a local copy of the iDisk, I can't see if the copy on .Mac is out of storage, OS X just redirects me to my local version (using the Finder -> Go -> iDisk -> My iDisk).
I hope they fix this stuff in 10.3.5 or Tiger, but this is a disappointment.