
Training for IT Professionals

ADS/Client Managed PCs

(e.g. Client Managed laptops)

This document is based on Windows XP but can also be applied to Windows 2000

Please contact your IST Liaison Person for assistance.

  1. Add the PC/laptop to the ADS/Client Managed group for your department at least 2 business days ahead of time:
  2. Add the PC to ADS after you have heard back from IST that it has been added to the ADS/Client Managed group for your department:
    • Log onto the PC with an administrator account
    • Right click on My Computer and choose Properties
    • Click on the Computer Name tab
    • Click on the Change button
    • Select Domain under Member of
    • Type ads.uwaterloo.ca beside Domain
    • Click on the OK button
    • Restart the PC
    • The above process causes the local "administrator" account to be renamed “istadministrator”. The password for the account does not change from what it was before.
  1. Set up the following administrators on the PC (your IST Liaison person will have to help with this step):
    • ADS\acsup-computer support
    • ADS\(your department administrators group)
    • istadministrator - set the password properly
    • local administrator account for your computer support person (e.g. !userid) and put it in the administrator's group
  2. DHCP the PC (have it pick up the IP address automatically). This should be done on all PCs. If step 1. (above) was done, the PC information will be in DHCP. If you are unsure whether the PC information is in DHCP, please provide IST (via request@rt.uwaterloo.ca) with the PC name, IP address and MAC address of the PC and ask them to make sure the PC is in DHCP.
    • Start/Control Panel/Network Connections,
    • Right click on Local Area Connection and choose Properties
    • Click on Internet Protocol(TCP/IP) and click on the Properties button
    • Set the settings to pick up the IP address and DNS addresses automatically
    • Restart the PC
    • If the PC does not connect to the network, the local duplex and speed may be incompatible with the switch port. Try having IST Network Services (via request@rt.uwaterloo.ca) set the switch port so that both ends are explicitly 100/full (or explicitly 10/half), depending on your network. If this fails, try 10/full. Some NICs can't run at 100 properly.
    • Initially, before the PC is connected to the network, critical Windows updates can be added via the Home and Security CD, available from the IST CHIP, MC1052, for $5.
    • From Manual_WSUS_Workstation_Configuration.asp, run the wsus.reg file. (This allows critical SUS updates to be installed automatically as long as the computer is connected to the network quite often. If the machine is not connected to the network very often, you may want to do the updates manually via the Home and Security CD or via Tools/Windows Update in Internet Explorer.)
  3. Install Symantec AntiVirus from http://ist.uwaterloo.ca/download/package_info/nav.html. Installing Symantec AntiVirus from this site requires you to enter your UWdir userid and password. Once installed, live updates will be done automatically as long as the computer is left on and connected to the network for at least an hour at a time. More information on this service can be found at http://ist.uwaterloo.ca/ps/services/antivirus.html
  4. Make sure that all installed network printers are pointing to active print servers.
  5. Block access to certain ports via the XPfilter.cmd file. (If Remote Desktop is used, this file will need to be modified so that it does not block RDP ports. If PCAnywhere is used, this file will need to be modified so that it does not block UDP ports.) Your IST Liaison person can help with this if necessary.
  1. The following explains how to 'undo' step 8. if you think it caused a problem.

Undoing 'XPfilter.cmd'

  1. Start/Control Panel/Administrative Tools/Local Security Policy
  2. Double click on 'IP Security Policies on Local Computer' in the left pane.
  3. Right click on 'UW Filter Policy' in the right pane; choose 'Un-assign'. It can take up to 90 minutes for this to completely take effect.
  4. If this fixes the problem, then we need to:
    a. Right click on 'UW Filter Policy' in the right pane, and choose 'Delete'.
    b. Right click on 'IP Security Policies on Local Computer' in the left pane and choose 'Manage IP filter lists and filter actions …'
      • Delete filter lists that don't have a description
      • Delete filter actions that don't have a description
    c. Re-run XPfilter.cmd with some commands commented out using '@rem' (e.g. put @rem at the front of lines that contain commands blocking ports that are needed)

** Step 4. c. above is very, very important. Blocking some ports is safer than not blocking any. Please contact IST (Lisa Tomalty or Manfred Grisebach) if you need help with this step.

Redoing the 'XPfilter.cmd'

  1. Go to the web site: http://winxp .
  2. Under 'Academic Support', 'Security', click on 'Workstation Security'.
  3. On the page that comes up, you might want to read the first page of information and then click on 'http://winxp.uwaterloo.ca/Security/IPSec_Cmds' under 'How?'.
  4. Download the file 'IPSECfilter.zip'.
  5. Expand the above file with WinZip.
  6. Double click on the file 'XPfilter.cmd'. (Before running 'XPfilter.cmd', comment out (@rem) the lines that block RDP ports (used for Remote Desktop) and UDP ports (used with PCAnywhere) if necessary.) (Note that the file ipseccmd.exe must be there for this to run properly.)
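
The '@rem' edit described in step 4. c. of the undo procedure and in step 6 above, as an added Python helper that is not part of the original page or of IST's XPfilter.cmd: it comments out only the block rules for the ports you need and reports what stays blocked. The ipseccmd line format, the rule names and the ports in SAMPLE are constructed assumptions, since the real file's contents are not shown on this page.

```python
import re

# Port and protocol inside an ipseccmd filter spec such as *+0:3389:TCP.
# Assumed line format; compare it with your own copy of XPfilter.cmd.
FILTER_RE = re.compile(r":(\d+):(TCP|UDP)\b", re.IGNORECASE)
BLOCK_RE = re.compile(r"-n\s+BLOCK\b", re.IGNORECASE)

# Constructed sample, NOT the real XPfilter.cmd (rule names and ports are made up).
SAMPLE = (
    "@echo off\r\n"
    'ipseccmd -w REG -p "UW Filter Policy" -r "Block TCP 135" -f *+0:135:TCP -n BLOCK -x\r\n'
    'ipseccmd -w REG -p "UW Filter Policy" -r "Block UDP 137" -f *+0:137:UDP -n BLOCK -x\r\n'
    'ipseccmd -w REG -p "UW Filter Policy" -r "Block TCP 445" -f *+0:445:TCP -n BLOCK -x\r\n'
    'ipseccmd -w REG -p "UW Filter Policy" -r "Block TCP 3389" -f *+0:3389:TCP -n BLOCK -x\r\n'
)


def comment_out_needed_ports(script_text, needed):
    """Put '@rem ' in front of ipseccmd BLOCK lines that cover a needed port.

    needed is an iterable of (port, protocol) pairs, e.g. [(3389, "TCP")].
    Returns (new_text, unblocked, still_blocked); the two lists hold sorted
    (port, protocol) pairs so the remaining protection can be reviewed.
    """
    needed = {(int(port), proto.upper()) for port, proto in needed}
    out, unblocked, still_blocked = [], set(), set()
    for line in script_text.splitlines():
        stripped = line.strip()
        lowered = stripped.lower()
        already_off = lowered.startswith(("@rem", "rem ", "::"))
        if "ipseccmd" in lowered and BLOCK_RE.search(stripped) and not already_off:
            ports = {(int(p), proto.upper()) for p, proto in FILTER_RE.findall(stripped)}
            if ports & needed:
                unblocked |= ports      # the whole line is disabled
                line = "@rem " + line
            else:
                still_blocked |= ports  # rule stays active
        out.append(line)
    return "\r\n".join(out) + "\r\n", sorted(unblocked), sorted(still_blocked)


if __name__ == "__main__":
    text, off, on = comment_out_needed_ports(SAMPLE, [(3389, "TCP")])
    print(text)
    print("commented out:", off)
    print("still blocked:", on)
```

Review the "still blocked" list before re-running the edited file, so that only the ports you actually need have been opened.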

** More details on 'Hardening' your Windows XP workstation can be found at: http://winxp under Security, Hardening Windows XP


This page was last updated by Lisa Tomalty on May 20, 2010