Although the specifics of being a system administrator may change from platform to platform, there are underlying themes that do not. These themes make up the philosophy of system administration.

The themes are:

Automate everything

Document everything

Communicate as much as possible

Know your resources

Know your users

Know your business

Security cannot be an afterthought

Plan ahead

Expect the unexpected

The following sections explore each theme in more detail.

Automate Everything

Most system administrators are outnumbered — either by their users, their systems, or both. In many cases, automation is the only way to keep up. In general, anything done more than once should be examined as a possible candidate for automation.

Here are some commonly automated tasks:

·         Free disk space checking and reporting

·         Backups

·         System performance data collection

·         User account maintenance (creation, deletion, etc.)

·         Business-specific functions (pushing new data to a Web server, running monthly/quarterly/yearly reports, etc.)

This list is by no means complete; the functions automated by system administrators are only limited by an administrator's willingness to write the necessary scripts. In this case, being lazy (and making the computer do more of the mundane work) is actually a good thing.

Automation also gives users the extra benefit of greater predictability and consistency of service.

Document Everything

If given the choice between installing a brand-new server and writing a procedural document on performing system backups, the average system administrator would install the new server every time. While this is not at all unusual, you must document what you do. Many system administrators put off doing the necessary documentation for a variety of reasons:

"I will get around to it later."

Unfortunately, this is usually not true. Even if a system administrator is not kidding themselves, the nature of the job is such that everyday tasks are usually too chaotic to "do it later." Even worse, the longer it is put off, the more that is forgotten, leading to a much less detailed (and therefore, less useful) document.

"Why write it up? I will remember it."

Unless you are one of those rare individuals with a photographic memory, no, you will not remember it. Or worse, you will remember only half of it, not realizing that you are missing the whole story. This leads to wasted time either trying to relearn what you had forgotten or fixing what you had broken due to your incomplete understanding of the situation.

"If I keep it in my head, they will not fire me — I will have job security!"

While this may work for a while, invariably it leads to less — not more — job security. Think for a moment about what may happen during an emergency. You may not be available; your documentation may save the day by letting someone else resolve the problem in your absence. And never forget that emergencies tend to be times when upper management pays close attention. In such cases, it is better to have your documentation be part of the solution than it is for your absence to be part of the problem.

In addition, if you are part of a small but growing organization, eventually there will be a need for another system administrator. How can this person learn to back you up if everything is in your head? Worst yet, not documenting may make you so indispensable that you might not be able to advance your career. You could end up working for the very person that was hired to assist you.

Hopefully you are now sold on the benefits of system documentation. That brings us to the next question: What should you document? Here is a partial list:

Policies

Policies are written to formalize and clarify the relationship you have with your user community. They make it clear to your users how their requests for resources and/or assistance are handled. The nature, style, and method of disseminating policies to your a community varies from organization to organization.

Procedures

Procedures are any step-by-step sequence of actions that must be taken to accomplish a certain task. Procedures to be documented can include backup procedures, user account management procedures, problem reporting procedures, and so on. Like automation, if a procedure is followed more than once, it is a good idea to document it.

Changes

A large part of a system administrator's career revolves around making changes — configuring systems for maximum performance, tweaking scripts, modifying configuration files, and so on. All of these changes should be documented in some fashion. Otherwise, you could find yourself being completely confused about a change you made several months earlier.

Some organizations use more complex methods for keeping track of changes, but in many cases a simple revision history at the start of the file being changed is all that is necessary. At a minimum, each entry in the revision history should contain:

·   The name or initials of the person making the change

·   The date the change was made

·   The reason the change was made

This results in concise, yet useful entries:

ECB, 12-June-2002 — Updated entry for new Accounting printer (to support the replacement printer's ability to print duplex)

Communicate as Much as Possible

When it comes to your users, you can never communicate too much. Be aware that small system changes you might think are practically unnoticeable could very well completely confuse the administrative assistant in Human Resources.

The method by which you communicate with your users can vary according to your organization. Some organizations use email; others, an internal website. Still others may rely on Usenet news or IRC. A sheet of paper tacked to a bulletin board in the breakroom may even suffice at some places. In any case, use whatever method(s) that work well at your organization.

In general, it is best to follow this paraphrased approach used in writing newspaper stories:

1.        Tell your users what you are going to do

2.        Tell your users what you are doing

3.        Tell your users what you have done

The following sections look at these steps in more depth.

1. Tell Your Users What You Are Going to Do

Make sure you give your users sufficient warning before you do anything. The actual amount of warning necessary varies according to the type of change (upgrading an operating system demands more lead time than changing the default color of the system login screen), as well as the nature of your user community (more technically adept users may be able to handle changes more readily than users with minimal technical skills.)

At a minimum, you should describe:

·         The nature of the change

·         When it will take place

·         Why it is happening

·         Approximately how long it should take

·         The impact (if any) that the users can expect due to the change

·         Contact information should they have any questions or concerns

Here is a hypothetical situation. The Finance department has been experiencing problems with their database server being very slow at times. You are going to bring the server down, upgrade the CPU module to a faster model, and reboot. Once this is done, you will move the database itself to faster, RAID-based storage. Here is one possible announcement for this situation:

System Downtime Scheduled for Friday Night

Starting this Friday at 6pm (midnight for our associates in Berlin), all financial applications will be unavailable for a period of approximately four hours.

During this time, changes to both the hardware and software on the Finance database server will be performed. These changes should greatly reduce the time required to run the Accounts Payable and Accounts Receivable applications, and the weekly Balance Sheet report.

Other than the change in runtime, most people should notice no other change. However, those of you that have written your own SQL queries should be aware that the layout of some indices will change. This is documented on the company intranet website, on the Finance page.

Should you have any questions, comments, or concerns, please contact System Administration at extension 4321.

A few points are worth noting:

·         Effectively communicate the start and duration of any downtime that might be involved in the change.

·         Make sure you give the time of the change in such a way that it is useful to all users, no matter where they may be located.

·         Use terms that your users understand. The people impacted by this work do not care that the new CPU module is a 2GHz unit with twice as much L2 cache, or that the database is being placed on a RAID 5 logical volume.

2. Tell Your Users What You Are Doing

This step is primarily a last-minute warning of the impending change; as such, it should be a brief repeat of the first message, though with the impending nature of the change made more apparent ("The system upgrade will take place TONIGHT."). This is also a good place to publicly answer any questions you may have received as a result of the first message.

Continuing our hypothetical example, here is one possible last-minute warning:

System Downtime Scheduled for Tonight

Reminder: The system downtime announced this past Monday will take place as scheduled tonight at 6pm (midnight for the Berlin office). You can find the original announcement on the company intranet website, on the System Administration page.

Several people have asked whether they should stop working early tonight to make sure their work is backed up prior to the downtime. This will not be necessary, as the work being done tonight will not impact any work done on your personal workstations.

Remember, those of you that have written your own SQL queries should be aware that the layout of some indices will change. This is documented on the company intranet website, on the Finance page.

Your users have been alerted; now you are ready to actually do the work.

3. Tell Your Users What You Have Done

After you have finished making the changes, you must tell your users what you have done. Again, this should be a summary of the previous messages (invariably someone will not have read them.)

However, there is one important addition you must make. It is vital that you give your users the current status. Did the upgrade not go as smoothly as planned? Was the new storage server only able to serve the systems in Engineering, and not in Finance? These types of issues must be addressed here.

Of course, if the current status differs from what you communicated previously, you should make this point clear and describe what will be done (if anything) to arrive at the final solution.

In our hypothetical situation, the downtime had some problems. The new CPU module did not work; a call to the system's manufacturer revealed that a special version of the module is required for in-the-field upgrades. On the plus side, the migration of the database to the RAID volume went well (even though it took a bit longer than planned due to the problems with the CPU module.

Here is one possible announcement:

System Downtime Complete

The system downtime scheduled for Friday night (refer to the System Administration page on the company intranet website) has been completed. Unfortunately, hardware issues prevented one of the tasks from being completed. Due to this, the remaining tasks took longer than the originally-scheduled four hours. Instead, all systems were back in production by midnight (6am Saturday for the Berlin office).

Because of the remaining hardware issues, performance of the AP, AR, and the Balance Sheet report will be slightly improved, but not to the extent originally planned. A second downtime will be announced and scheduled as soon as the issues that prevented completion of the task have been resolved.

Please note that the downtime did change some database indices; people that have written their own SQL queries should consult the Finance page on the company intranet website.

Please contact System Administration at extension 4321 with any questions.

With this kind of information, your users will have sufficient background knowledge to continue their work, and to understand how the changes impact them.

Know Your Resources

System administration is mostly a matter of balancing available resources against the people and programs that use those resources. Therefore, your career as a system administrator will be a short and stress-filled one unless you fully understand the resources you have at your disposal.

Some of the resources are ones that seem pretty obvious:

·         System resources, such as available processing power, memory, and disk space

·         Network bandwidth

·         Available money in the IT budget

But some may not be so obvious:

·         The services of operations personnel, other system administrators, or even an administrative assistant

·         Time (often of critical importance when the time involves things such as the amount of time during which system backups may take place)

·         Knowledge (whether it is stored in books, system documentation, or the brain of a person that has worked at the company for the past twenty years)

It is important to note is that it is highly valuable to take a complete inventory of those resources available to you and to keep it current — a lack of "situational awareness" when it comes to available resources can often be worse than no awareness at all.

Know Your Users

Although some people bristle at the term "users" (perhaps due to some system administrators' use of the term in a derogatory manner), it is used here with no such connotation implied. Users are those people that use the systems and resources for which you are responsible — no more, and no less. As such, they are central to your ability to successfully administer your systems; without understanding your users, how can you understand the system resources they require?

For example, consider a bank teller. A bank teller uses a strictly-defined set of applications and requires little in the way of system resources. A software engineer, on the other hand, may use many different applications and always welcomes more system resources (for faster build times). Two entirely different users with two entirely different needs.

Make sure you learn as much about your users as you can.

Know Your Business

Whether you work for a large, multinational corporation or a small community college, you must still understand the nature of the business environment in which you work. This can be boiled down to one question:

What is the purpose of the systems you administer?

The key point here is to understand your systems' purpose in a more global sense:

·         Applications that must be run within certain time frames, such as at the end of a month, quarter, or year

·         The times during which system maintenance may be done

·         New technologies that could be used to resolve long-standing business problems

By taking into account your organization's business, you will find that your day-to-day decisions will be better for your users, and for you.

Security Cannot be an Afterthought

No matter what you might think about the environment in which your systems are running, you cannot take security for granted. Even standalone systems not connected to the Internet may be at risk (although obviously the risks will be different from a system that has connections to the outside world).

Therefore, it is extremely important to consider the security implications of everything you do. The following list illustrates the different kinds of issues you should consider:

·         The nature of possible threats to each of the systems under your care

·         The location, type, and value of the data on those systems

·         The type and frequency of authorized access to the systems

While you are thinking about security, do not make the mistake of assuming that possible intruders will only attack your systems from outside of your company. Many times the perpetrator is someone within the company. So the next time you walk around the office, look at the people around you and ask yourself this question:

What would happen if that person were to attempt to subvert our security?

1. The Risks of Social Engineering

While most system administrators' first reactions when they think about security is to concentrate on the technological aspects, it is important to maintain perspective. Quite often, security breaches do not have their origins in technology, but in human nature.

People interested in breaching security often use human nature to entirely bypass technological access controls. This is known as social engineering. Here is an example:

The second shift operator receives an outside phone call. The caller claims to be your organization's CFO (the CFO's name and background information was obtained from your organization's website, on the "Management Team" page).

The caller claims to be calling from some place halfway around the world (maybe this part of the story is a complete fabrication, or perhaps your organization's website has a recent press release that makes mention of the CFO attending a tradeshow).

The caller tells a tale of woe; his laptop was stolen at the airport, and he is with an important customer and needs access to the corporate intranet to check on the customer's account status. Would the operator be so kind as to give him the necessary access information?

Do you know what would your operator do? Unless your operator has guidance (in the form of policies and procedures), you very likely do not know for sure.

Like traffic lights, the goal of policies and procedures is to provide unambiguous guidance as to what is and is not appropriate behavior. However, just as with traffic lights, policies and procedures only work if everyone follows them. And there is the crux of the problem — it is unlikely that everyone will adhere to your policies and procedures. In fact, depending on the nature of your organization, it is possible that you do not even have sufficient authority to define policies, much less enforce them. What then?

Unfortunately, there are no easy answers. User education can help; do everything you can to help make your user community aware of security and social engineering. Give lunchtime presentations about security. Post pointers to security-related news articles on your organization's mailing lists. Make yourself available as a sounding board for users' questions about things that do not seem quite right.

In short, get the message out to your users any way you can.

Plan Ahead

System administrators that took all this advice to heart and did their best to follow it would be fantastic system administrators — for a day. Eventually, the environment will change, and one day our fantastic administrator would be caught flat-footed. The reason? Our fantastic administrator failed to plan ahead.

Certainly no one can predict the future with 100% accuracy. However, with a bit of awareness it is easy to read the signs of many changes:

·         An offhand mention of a new project gearing up during that boring weekly staff meeting is a sure sign that you will likely need to support new users in the near future

·         Talk of an impending acquisition means that you may end up being responsible for new (and possibly incompatible) systems in one or more remote locations

Being able to read these signs (and to respond effectively to them) makes life easier for you and your users.

Expect the Unexpected

While the phrase "expect the unexpected" is trite, it reflects an underlying truth that all system administrators must understand:

There will be times when you are caught off-guard.

After becoming comfortable with this uncomfortable fact of life, what can a concerned system administrator do? The answer lies in flexibility; by performing your job in such a way as to give you (and your users) the most options possible. Take, for example, the issue of disk space. Given that never having sufficient disk space seems to be as much a physical law as the law of gravity, it is reasonable to assume that at some point you will be confronted with a desperate need for additional disk space right now.

What would a system administrator who expects the unexpected do in this case? Perhaps it is possible to keep a few disk drives sitting on the shelf as spares in case of hardware problems. A spare of this type could be quickly deployed on a temporary basis to address the short-term need for disk space, giving time to more permanently resolve the issue (by following the standard procedure for procuring additional disk drives, for example).

By trying to anticipate problems before they occur, you will be in a position to respond more quickly and effectively than if you let yourself be surprised.

当前的磁带机（库）支持的存储技术主要有DAT、8mm、DLT、LTO、AIT及VXA等。

DAT技术
    DAT（Digital Audio Tape）技术又可以称为数码音频磁带技术，也叫4mm磁带机技术，最初是由惠普公司（HP）与索尼公司（SONY）共同开发出来的。这种技术以螺旋扫描记录（Helical Scan Recording）为基础，将数据转化为数字后再存储下来，早期的DAT技术主要应用于声音的记录，后来随着这种技术的不断完善，又被应用在数据存储领域里。4mm的DAT经历了DDS-1、DDS-2、DDS-3、DDS-4几种技术阶段，容量跨度在1GB-12GB。目前一盒DAT磁带的存储量可以达到12GB，压缩后则可以达到24GB。DAT技术主要应用于用户系统或局域网。

8mm技术
    8mm技术由Exabyte（安百特）公司在1987年开发，采用螺旋扫描技术，其特点是磁带容量大，传输速率高，它在较高的价位上提供了相对较高容量的存储解决方案。8mm磁带机的发展经历了8200、8500、8500c和8900(mammoth)的数据格式，容量从最初的2GB发展到现在的40GB，传输速率最快可达6MB/s。新一代的Mammoth-2技术又进一步提升，存储容量达到170GB(非压缩60GB)传输速率30MB/s（非压缩12MB/s），在技术上有广阔的发展空间。主要制造商是Exabyte公司。

DLT技术
    DLT(Digital Linear Tape-数字线性磁带)技术源于1/2英寸磁带机。1/2英寸磁带机技术出现很早，主要用于数据的实时采集，如程控交换机上话务信息的记录，地震设备的震动信号记录等等。DLT磁带由DEC和Quantum公司联合开发。由于磁带体积庞大，DLT磁带机全部是5.25英寸全高格式。DLT产品由于高容量，主要定位于中、高级的服务器市场与磁带库系统。目前DLT驱动器的容量从10GB到80GB不等，数据传送速度相应由1.25MB/秒至10MB/秒。另外，一种基于DLT的Super DLT（SDLT）是昆腾公司2001年推出的格式，它在DLT技术基础上结合新型磁带记录技术，使用激光导引磁记录（LGMR）技术，通过增加磁带表面的记录磁道数使记录容量增加。目前SDLT的容量为160GB，近3倍于DLT磁带系列产品，传输速率为11MB/s，是DLT的2倍。

LTO技术
    LTO（Linear Tape Open）技术，即线性磁带开放协议。是由HP、IBM、Seagate这三家厂商在1997年11月联合制定的，其结合了线性多通道、双向磁带格式的优点，基于服务系统、硬件数据压缩、优化的磁道面和高效率纠错技术，来提高磁带的能力和性能。
    LTO技术有两种存储格式，即高速开放磁带格式Ultrium和快速访问开放磁带格式Accelis，它们可分别满足不同用户对LTO存储系统的要求，Ultrium采用单轴1/2英寸磁带，非压缩存储容量100GB、传输速率最大20MB/s、压缩后容量可达200GB，而且具有增长的空间。非常适合备份、存储和归档应用。Accelis磁带格式则侧重于快速数据存储，Accelis磁带格式能够很好地适用于自动操作环境，可处理广泛的在线数据和恢复应用。

AIT技术
    AIT是指先进智能磁带，英文为Advanced Intelligent Tape，具有螺旋扫描、金属蒸发带等先进技术，AIT的数据保护性能比较突出，AIT已经发展到目前的AIT-3，目前开发AIT技术的索尼公司和专注在AIT技术上开发产品的Spectra Logic公司都在大力的推广采用AIT的产品。
    AIT采用的是螺旋扫描方式进行记录，与家用录像机的工作原理一样，这样一来，整个磁带机中，只有磁鼓是高速旋转，其它部件，如磁带、伺服机构都是低速运动的。这样的结构紧凑合理、易于设计和维护。而LTO(Linear Tape Open)、DLT(Digital linear Tape)、SDLT(Super Digital linear Tape)都是线性记录，像录音机一样，磁头是固定不动的，磁带直线运动通过磁头。与录音机不同的是，磁带机要保证记录速度，就要让磁带高速通过磁头，为此，就需要复杂机构控制磁带抖动、冷却高速运动的各种部件和轴承。在相同材料下，采用螺旋扫描的方式能使材料寿命延长。
    从应用方面讲，对于企业级用户来说，AIT磁带库可用于数据备份。与其它同容量、同传输速率的产品相比，AIT机架式的带库具有体积小、能耗低、容量大、价格便宜的优点。对于中端用户，AIT自动加载机是较好的选择。考虑到数据容量和自动备份等问题，可选用能容纳4盘磁带的自动加载机。

VXA技术
    VXA技术是由Exabyte（安百特）公司开发的磁带备份技术，VXA技术不依赖于精确的磁头和磁道位置来保证读写的可靠性，它不像流式磁带设备为定位磁道而需要昂贵的高精度的部件和精确的机械零件。不同于传统的磁带驱动器，VXA通过自动调节磁带移动和主机的传输速率相匹配而完全消除磁带“回扯”问题，能够显著提高介质和驱动器的可靠性，进而优化了备份和存储。 
    VAX技术对磁带上的数据记录区进行无空隙扫描，目前已经从VAX-1发展到VAX-2，在保持高可靠性的基础上，提高了速度和容量，单盒磁带容量为160GB（非压缩为80GB），速度为每秒12MB（非压缩为6MB）。

1．MetaFrame Presentation Server enables multiple users to log on and run applications in separate, protected sessions on a single server or on multiple servers.You install MetaFrame Presentation Server on computers running a multiuser operating system and install and publish the applications or other resources that you want to deploy on computers running MetaFrame Presentation Server.

2．You can group a number of servers together to form a server farm. A server farm is a group of computers that you manage as a single entity. Server farms provide you with a flexible and robust way of deploying applications and content to users.

3．Use the Web Interface for MetaFrame Presentation Server to give users access to published resources through the Web or your Intranet. Users log on to the Web Interface using their usual Web browser and see links to the applications that they are authorized to run.

4．The Secure Gateway is a secure Internet gateway for ICA data traveling into and out of a server farm. You can secure all traffic traveling across the Internet among computers running MetaFrame Presentation Server and SSL-enabled client workstations. Using the Secure Gateway makes firewall traversal easier and provides heightened security by providing a single point of entry and secure access to your server farms.

5．Servers in a farm share a network connection and a single data store of the farm’s configuration information. Your farm design must include creating a data store and connecting each server in the farm to it.

6．IMA runs on all servers in the farm. IMA subsystems communicate through messages passed by the IMA Service through default TCP ports 2512 and 2513.

7．You can use zones to enhance a farm's performance and organization. A zone is a grouping of servers that share a common zone data collector. A zone data collector is a server that manages dynamic information about the servers in the zone. Each farm has at least one zone.

8．Important：If you change a server’s zone membership (move the server to another zone), incorrect information can appear in the Presentation Server Console until the server sends updates to the zone data collector. To ensure data synchronization,restart a server after you move it to another zone.    

9．If you manage an enterprise farm with servers in different geographic regions, you can create zones based on the location of the servers. This can improve performance and allow you to more efficiently manage the farm.

10．Each zone in a farm contains one server that is designated as the zone data collector. Zone data collectors store dynamic information about the servers, published applications, server load, and user sessions in their zone. The zone data collector tracks, for example, which applications are available and how many sessions are running on each server in the zone.         

This diagram shows a server farm with two zones connected by a WAN link. Only the zone data collector in each zone communicates over the WAN link. Individual servers communicate over LANs with their zone data collector.

11．To reduce network traffic in large farms with multiple zones, Citrix recommends that you use the Zone Preference and Failover policy rule to direct users’ requests for applications to preferred zones within the farm.

12．The data store provides a repository of persistent information about the farm that each server can reference, including the following:

• Farm configuration information

• Published application configurations

• Server configurations

• MetaFrame administrator accounts

• Printer configurations

• Trust relationships       

13．Ensure that the data store is properly backed up on a regular basis. If the data store database is lost, you must recreate the farm. You cannot recreate the data store from an existing farm.

14．You can view and change data store information using only management tools for MetaFrame Presentation Server, such as the Presentation Server Console or the Access Suite Console.

15．Do not directly edit any data in the data store database with utilities or tools provided by any product other than the MetaFrame Access Suite. For example, do not use IBM DB2, Microsoft SQL Server, or Oracle utilities to edit the data store. Doing so corrupts the data store database and destabilizes the farm.

16．Do not install MetaFrame Presentation Server on the Microsoft SQL,Oracle, or IBM DB2 database server.

17．Although it is possible to configure multiple servers in the farm to connect directly to a single MSDE database, Citrix does not recommend this configuration because it is not supported by MSDE. MSDE allows only five connections per installed instance of MSDE. If more than five servers attempt to access the MSDE

database at the same time, they cannot connect. Citrix recommends that you configure an MSDE database for indirect access.

18．You can adjust the interval by which member servers query the farm’s data store for missed changes. The default interval is 30 minutes. You can configure the interval using the following registry key on each server you want to adjust, with the value expressed in hexadecimal notation:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\

DCNChangePollingInterval (DWORD)

Value: 0x1B7740 (default 1,800,000 milliseconds)

You must restart the IMA Service for this setting to take effect.

19．You can force a manual refresh of a server’s local host cache by executing dsmaint refreshlhc from a command prompt.

20．To recreate the local host cache, stop the IMA Service and then run the command dsmaint recreatelhc. Running

You must restart the IMA Service after running dsmaint recreatelhc. When the IMA Service starts, the local host cache is populated with fresh data from the data store.

The data store server must be available for dsmaint recreatelhc to work. If the data store is not available, the Citrix IMA Service fails to start.

21．You must install the Terminal Services component before you install MetaFrame Presentation Server. Terminal Services is not installed with Windows by default; you can install it with Add/Remove Programs in the

Control Panel. Install Terminal Services in Application Server mode.

22．On Microsoft Windows 2000 Server and Microsoft Windows Server 2003 operating systems, Citrix does not recommend using the /3GB switch in the Boot.ini file on servers running MetaFrame Presentation Server.

23．The most important measurements for performance monitoring are the percentage of total processor time, memory pages per second, percentage of network utilization, and hard drive I/O rates.

24．Citrix recommends that you do not install MetaFrame Presentation Server on Windows primary or backup domain controllers because of the following factors:

• Domain controllers handle user validation for network logons and access to network resources. These functions and the associated network communication can significantly affect the performance of an application server.

• MetaFrame Presentation Server Setup cannot create anonymous accounts on primary or backup domain controllers, so you cannot publish applications for anonymous access on servers that are domain controllers.

25．Citrix recommends that you use domain global groups for user access to published applications and network

printers.

26．The user management subsystem updates its domain trust information every six hours (and during service startup). Therefore, it might take as long as six hours for all servers in the server farm to recognize a new trust relationship. You can avoid a delay in detection of network trust changes by restarting the IMA Service on all servers affected by the change.

27．One MetaFrame administrator account with full administration rights must always exist in the server farm. MetaFrame Presentation Server prevents you from deleting the last MetaFrame administrator account with full administration rights. However, if no administrator accounts exist in the farm data store database, a local     

administrator account can log on to the Presentation Server Console to set up MetaFrame administrator accounts. If the data store database contains at least one MetaFrame administrator account, a local administrator account cannot log on to the Presentation Server Console.         

28．The default port on servers for ICA sessions is 1494. This port must be open on firewalls for inbound communication if clients are outside the firewall. The outbound port used on the client for the ICA session is configured dynamically when the session is established.

29．Port 80 is the default port for HTTP communication with Web servers. The Citrix XML Service includes an Internet Server Application Programming Interface (ISAPI) extension that you can plug into Internet Information Services (IIS). The extension allows IIS and the XML Service to share port 80. This is necessary only if

IIS is installed on servers running MetaFrame Presentation Server. IIS is required to run the Web Interface.

30．If you intend to change a server’s drive letters, do so before you install MetaFrame Presentation Server. If you change server drive letters after you install MetaFrame Presentation Server, you must do it before installing any applications.

31．To manage your deployment more flexibly, you can install the Access Suite Console and the Presentation Server Console independently from MetaFrame Presentation Server. Both consoles can be used on client devices as well as servers, but for best performance Citrix recommends running the Access Suite Console on a computer running MetaFrame Presentation Server.

32．ICA Client Creator is not supported on servers running Windows Server 2003.

33．During MetaFrame Presentation Server installation, Setup creates a special user group named Anonymous. By default, this user group contains 15 user accounts with account names in the form Anonx, where x is a three-digit number from 000 to 014. By default, anonymous users have guest permissions.

34．Do not assign any explicit users to the Anonymous group.

Windows Server Update Services ( WSUS ) Frequently Asked Questions

Q. What is Windows Server Update Services (WSUS)?

A. WSUS (previously called Windows Update Services) is the new name for the next version of Software Update Services (SUS). WSUS is a patch and update component of Windows Server and offers an effective and quick way to help you get secure and stay secure. WSUS represents an important step toward delivering a core software distribution and update management infrastructure in Windows. WSUS has both a server and client component.

Q. On which platforms does the WSUS client run?

A. • Windows 2000 Service Pack 3 (SP3) and later• Windows XP and later• Windows Server 2003

Q. On which platforms does the WSUS server run?

A.• Windows 2000 Service Pack 4 (SP4) and later• Windows Server 2003

Q. Why is the name changing again after it was just changed from SUS to Windows Update Services?

A. Based on customer and partner feedback, the name Windows Update Services and the associated abbreviation (WUS) did not accurately describe the functionality and value of the product. Windows Server Update Services more appropriately positions the product as a component of Windows Server and reflects the fact that it can be used for updates beyond Windows itself.

Q. Will WSUS update only Windows operating systems?

A. No. WSUS will support updating Windows operating systems and, over time, additional Microsoft software products. When initially released, WSUS will support updating Windows XP Professional, Windows 2000, Windows Server 2003, Microsoft Office XP, Office 2003, Microsoft SQL Server 2000, Microsoft SQL Server 2000 Desktop Engine (MSDE) 2000, and Microsoft Exchange Server 2003. Support for additional Microsoft products will be added over time, without the need to upgrade or redeploy WSUS.

Q. How can I get WSUS?

A. WSUS is available as a download at no cost. To download the software, see the Download WSUS page.

Q. Is WSUS free?

A. Yes. Windows Server Update Services is free and is available to download at no cost. Each managed client requires a Windows Server CAL. To download the software, see the Download WSUS page.

Q. How long will Software Update Services (SUS) be supported by Microsoft?

A. SUS will be supported through December 6, 2006. The documentation for SUS for SUS will remain available on the web here.

Q. How long will SUS continue to receive new content from Windows Update?

A. SUS will no longer receive new update content after December 6, 2006.

Q. What are the differences between WSUS and SUS 1.0? 

A. In addition to the current capabilities in SUS 1.0, WSUS will:

• Update more than just Windows.

• Provide reporting capabilities.

• Provide targeting capabilities.

• Give administrators more control over the update process.

For a list of the new capabilities, please refer to the WSUS Datasheet.

Q. Will the existing SUS client work with WSUS servers, or will a new client need to be installed?

A. Existing SUS clients must be updated to work with WSUS. The update process is automatic if you previously used SUS. If you never used SUS before, the latest Automatic Update client is available as part of Windows XP SP2. The new client is also backward-compatible with SUS 1.0 servers.

Q. Does WSUS support migration from SUS 1.0?

A. Yes. Although there is no upgrade, you can migrate approvals and updates to WSUS. If you use multiple SUS servers to target updates to specific client computers, the WSUS migration tool enables you to consolidate approvals from specific SUS servers to WSUS computer groups.

Q. If I have Windows Server Update Services, do I also need SMS 2003?

A. Windows Server Update Services provides basic patch and update capabilities only. If your environment requires support for deployment of software packages, reporting on software and hardware inventory, remote-control functionality, or other more advanced functions, SMS 2003 includes these features.

Q. Is there a way to disable the balloon alert when an update from WSUS is ready to install?

A. No, there is no way to disable the balloon alert. However, you can configure the frequency of its appearance. If the concern is to prevent the alert from interrupting end users, you can configure updates to install at a scheduled time, which has no associated balloon alert.

Q. Why don't the cloned or imaged PCs register with a WSUS server?

A. This can happen if the machines share the same ClientID. You can work around this by deleting the following registry keys and rebooting the clients:

HKLM\Software\Microsoft\Windows\CurrentVersion\Windowsupdate

Delete the following entries, if present:

• AccountDomainSID

• SusClientID

• PingID

Before you clone the OS image, consider using SysPrep – reseal to make sure the SIDs are generated. Machines that are sysprepped will automatically get a new ClientID when they are first booted.

Q.What documentation is available to help me set up WSUS?

A. Before setting up WSUS, you may find the information in the following guides useful:

•Step-by-Step Guide to Getting Started with Windows Server Update Services. Recommended as the quickest way to start using WSUS, this paper provides step-by-step instructions for getting started. You will find instructions for how to install WSUS on Windows Server 2003; configure WSUS to obtain updates; configure clients to install updates from WSUS; and approve, test, and distribute updates.

•Deploying Microsoft Windows Server Update Services. Recommended for administrators requiring comprehensive information about WSUS, this guide describes how to deploy WSUS. You will find step-by-step installation and configuration procedures, as well as details on how WSUS functions, its scalability, and bandwidth. Additionally, there is how-to information for updating and configuring Automatic Updates on client workstations and servers, steps for migrating from SUS to WSUS, and steps for setting up a WSUS server on an isolated segment of your network, and then manually importing updates.

Q. What do the different update approval options mean, such as Detect Only, Not Approved, Install, Declined, and Remove?

A. Only updates that have the approval status Install will be downloaded to computers served by WSUS. By default, Critical and Security updates are already approved for detection (Detect Only), which means WSUS will determine if these updates are needed by any of your computers. These updates will still need to be approved for Install before WSUS downloads them to your computers.

All other new updates will show up as Not Approved until you decide to approve them for Install or decline them with the Declined approval. (You can also approve them for Detect Only or Remove). If you decline an update, it will no longer appear in your list of updates unless you filter by All updates or Declined updates. Remove will remove updates from computers that already have the update installed, providing that the update is compatible with this feature.

Q. Can WSUS tell me if an update is needed on a computer?

A. All updates can be approved for detection (using the Detect Only approval option—Critical and Security updates are approved for detection by default), which gives you needed status for updates on your computers.

Q. How can I prevent updates from rebooting my server?

A.You have an option to either "Download and Install" or "Download and Notify". "Download and Notify" allows you to avoid reboots, but it is risky to install an update on a machine without rebooting as recommended by an update. Consider using the SDK to create a script that approves and restarts servers on a regular basis if you choose the "Download and Notify" option. To download the SDK, see the Windows Server Update Services Technical Information page.

Q. What are the prerequisites for installing WSUS on Windows Server 2003? 

A. For Windows Server 2003, WSUS requires the following:

• Microsoft Internet Information Services (IIS) 6.0

• Background Intelligent Transfer Service (BITS) 2.0.

• Microsoft .NET Framework 1.1 Service Pack for Windows Server 2003.

Q. What are the prerequisites for installing WSUS on Windows 2000 Server?

A. For Windows 2000 Server, WSUS requires the following:

• IIS 5.0

• BITS 2.0

• Database software that is fully compatible with SQL Server

• Microsoft Internet Explorer 6.0 SP1

• .NET Framework 1.1 Redistributable Package

• .NET Framework 1.1 SP1.

MES的管理基础

　　要想充分发挥MES系统的功效，企业需要先健全自身的管理体系——没有严格的管理约束机制，MES系统信息的及时维护就难以保证；没有先进的管理模式，MES整理出来的信息就不能得到有效利用，从而也不能产生效益。因此，信息技术可以成为提高企业管理水平的有效手段，但不会自动地解决企业的管理问题。要想成功实施MES，企业必须先在管理上下功夫——与MES密切相关的工作，包括车间环境、职责分工以及人员保障等方面。

　　定置，改善车间环境

　　定置，是指通过对生产和工作环境的分析，把生产和工作需要的物品按照工艺的需要科学地确定位置。定置管理，则是指对现场物品定置的设计、组织、实施、控制，使现场管理达到科学化、规范化、经常化的全过程。定置管理为生产者在较短的时间内用较低的成本制造出高质量产品提供良好的客观条件。通过定置管理，理顺物流，可以为MES的实施提供良好的车间环境。

　　合理分工、明确责职

　　“计算机能够解决一切管理问题。”——这是相当一部分企业领导在实施MES时的一个误区。事实上，许多企业面临的管理问题是不可能靠计算机来解决的，必须靠企业自身通过科学的组织、严格的规章及有效的控制来解决。计算机只能通过信息的获取与加工、一定的流程控制来支持企业管理思想的贯彻。

　　有些企业的组织结构不合理、职能相互重叠，其结果是责任不清、相互扯皮。这一方面妨碍了MES的顺利实施，另一方面也难以保证MES正常高效地运行。因此，在实施MES时，必须对企业的业务流程进行合理重组，去除重叠的部门责能，减少无效劳动，合理分工、明确责职。这样既可以简化MES软件的权限设置和流程控制，又能够保证信息处理的及时性，为MES的实施提供组织保证。

　　提供人员保证

　　MES系统实施，通常涉及到计算机人员、企业管理人员、车间现场操作人员和具体业务人员等方面。不仅涉及面广，而且各类人员的文化水平、业务能力、计算机应用水平也参差不齐。因此，为了保证MES的顺利实施，必须对相关人员进行足够的培训。

　　对不同类型、不同层次人员的培训方式应有所不同。实际上，在整个MES实施过程中，培训工作是贯彻始终的。不仅要在实施准备阶段进行原理培训，而且在实施准备、模拟运行与试运行、切换运行、新系统运行过程中也要进行有关培训，如软硬件产品培训、系统管理员培训和持续扩大培训等。只有企业员工对MES软硬件产品有了一定的了解，才能够保证系统最终的顺利实施和应用。

　　完善了管理环节，就可以考虑实施MES项目了。一个典型的MES实施进程，主要包括前期工作、实施准备、模拟运行与试运行、切换运行以及新系统运行几个阶段。

　　项目前期，打好基础

　　项目前期，是指MES软硬件安装之前的阶段。这个阶段非常重要，关系到项目的成败，但往往为实际操作所忽视。这个阶段的工作主要包括前面提到的MES培训、车间现场问题诊断、需求分析以及软件选型等方面的工作。

　　车间现场问题诊断，是指由企业的高层领导、车间(分厂)领导和项目组人员用MES的思想对车间(分厂)现行业务流程和存在问题进行评议和诊断，寻求解决方案，用书面形式明确预期目标，并确定评价实现目标的标准。

　　需求分析方面，企业需要理智地进行分析以下问题：

　　◆企业当前最迫切需要解决的问题是什么，MES系统是否能够解决？

　　◆MES系统的投资回报率如何？

　　◆在财力上，企业能不能支持MES的实施？

　　◆上MES的目的所在，系统到底能够解决哪些问题、达到哪些目标？

　　◆基础管理工作有没有理顺或准备在上MES之前让咨询公司帮助理顺？人员的素质够不够高？

　　认真考虑以上问题之后，企业应该将分析结果写成需求分析和投资效益分析正式书面报告，从而做出是否上MES项目的正确决策。

　　实施准备，“软”“硬”兼顾

　　在运行MES系统之前，要准备并录入一系列基础数据，部分基础数据是在运用系统之前往往没有或未明确规定的，故需要做大量分析研究的工作。基础数据通常包括产品结构、物料(包括物料编码规则、零件、毛坯、在制品、刀具、工装、工具、量检具等)、工艺路线、加工工时、物料库存、设备与人员资源、各种例外代码与原因代码等信息。

　　在MES系统安装和实施之前，必须把网络系统建设好。MES所需的网络，除了一般的局域网外，还涉及车间现场数据采集与控制网络。车间现场网络可采用多种形式，如工业以太网、现场总线、RS-485网络或RS-232网络等。具体的网络形式，应根据数据采集系统的要求来确定。

　　在人员、基础数据和网络基本准备好的情况下，可以将系统安装到车间(分厂)和相关的业务部门中，并进行一系列原型测试。原型测试用企业的典型数据对软件功能进行测试，也称计算机模拟。

　　由于MES系统是信息集成系统，所以在测试时，应当是全系统的测试，相关部门的人员都应该同时参与，这样才能理解各个数据、功能和流程之间相互的集成关系，找出不足的方面，提出解决问题的方案，以便接下来进行补充开发、二次开发或用户化。

　　由于行业与企业的特殊性以及MES系统的成熟性问题，在系统原型测试后常常会发现许多问题以及部分功能上的不足，需要对系统进行补充开发与二次开发。由于MES与ERP、数据采集系统、DCS系统等有数据集成要求，因此，为了简化数据准备时间，必要时应在系统二次开发的同时进行系统的集成开发。

　　MES软件的选型

　　目前，国内市场上的大部分MES软件还不是很成熟。因此，软件选型对MES项目的成败有重要影响。MES软件通常可分为三类：具有标准功能的、成熟的商品化软件；为满足特定需要而专门设计开发的软件；标准产品和其它系统的集成软件。

　　在选型过程中，首先要“知己知彼”。知己，就是要弄清楚企业的需求，即先对车间(分厂)本身的需求进行细致的分析和充分的调研；知彼，就是要弄清MES软件的管理思想和功能是否满足企业的需求。这两者是相互交织进行的，可以通过软件先进的管理思想来找出企业现有的管理问题。

　　企业要调查好行业、企业或车间(分厂)的特殊要求，根据这些要求来设计流程和功能，从“用户化”和“本地化”的角度来为MES选型。下面这些因素，需要重点注意：

　　厂商能力要过硬

　　MES产品，需要一个复杂的过程才能生产出来。如同我们考察制造企业一样，我们同样要看MES厂商的性质和开发能力，看看厂商的管理是否规范，工作是否严谨等，看看厂商是否有一支完整的开发队伍、实施队伍和系统维护队伍--从系统分析师、系统设计师、软件编程员、系统测试员、实施顾问直到系统维护人员。

　　产品要简单易用

　　MES软件产品，主要是为车间(分厂)的现场管理人员所使用的，这些现场管理人员不是IT人员，他们的文化水平通常也不高。所以，MES产品的使用要很方便，几乎要做到只要熟悉自己的业务就能使用软件系统，要将技术屏蔽在后台。

　　适应性要好

　　MES产品可在流程制造业、离散制造业应用。流程制造业和离散制造业又可细分为许多行业。即使同一行业，由于生产批量和产品定货方式的不同，其生产的组织方式也各不相同，其对MES产品要求也不完全相同。另外，同一企业的生产组织方式也不是一成不变的，也会随着企业的发展变化而变化。

　　通常，成熟的产品常有较多的应用，其适应性也相对较好。适应性较好的MES软件，用户可以根据需要自行进行系统配置，以协调企业在应用范围、组织结构、用户权限甚至业务流程等方面的变化。

　　因此，企业最好选择有一定成熟度的产品，至少在本行业是有过应用的，哪怕是失败的应用。因为失败的教训也是财富，这点不仅对软件公司，对用户也是一样。

　　扩展、集成要可靠

　　现在，企业实施信息与自动化系统都不是单一的一套系统，从制造业早期的财务管理软件、计算机辅助设计(CAD)、计算机辅助工艺(CAPP)、产品数据管理(PDM)到企业资源计划(ERP)、办公自动化(OA)、集散控制系统(DCS)，企业或多或少都会使用其中多套软件系统。为了防止出现信息孤岛问题，MES软件产品不仅在功能上要满足企业现在的需求，还要能尽可能满足未来的需求，这就要求软件具备一定的扩展性，将来能够和其他的系统(如ERP、DCS等)进行集成，以适应企业信息化整体的需求。

　　产品升级要保障

　　MES软硬件产品的升级，是一项必须要考虑的因素。IT技术发展速度日新月异，从开发平台到网络技术都在迅速改变，所以软硬件的更新速度也非常快。能否及时给企业使用的MES产品升级，而且是在不影响正常工作的前提下平滑升级，是判断产品好坏的基本条件之一，也是企业日后持续稳定应用的基本保障。

　　价格体系要明晰

　　大型软件产品的价格，很难说单一价格，大多数都是有一个体系构成的，分别包括软件产品价格、实施指导价格、客户化价格、二次开发价格、年服务费等。所以，一定要搞清楚供应商的价格体系，其中具体包括哪些项目。软件产品价格方面，各个厂商的数据都是比较明晰的。而其他部分的价格，就各有千秋了。现在行业内还没有统一的标准，基本上是各家软件公司自己定的，有的按人天计费，有的按人月计费等等。

　　运行阶段的管理

　　在用户基本掌握系统功能的基础上，企业可以将各种必要的数据录入或导入系统。带着车间(分厂)日常工作中经常遇到的问题，组织项目小组进行实战性模拟。此时，要对测试和模拟中发现的不合适系统界面与报表进行用户化。

　　在模拟运行和制定工作规程的基础上，可以对系统进行试运行。试运行时既要按原来的手工管理模式进行操作，同时又要按MES的管理模式进行操作。此时，相关业务人员的工作量就会增加，特别是那些需要进行大量人工数据录入的工作岗位，工作量会大大增加，对此，企业领导需要采取相应的对策。

　　切换运行是指把原来并行运行的业务切换到只有MES单系统运行。系统切换要根据企业的条件来决定应采取的步骤，可以各模块平行一次性实施，也可以先切换一两个模块。在这个阶段，所有最终用户必须在自己的工作岗位上使用终端或客户机操作，处于真正应用状态。原则上，系统并行运行的时间不宜过长，在条件合适的情况下尽早切换。

　　一个新系统被应用到企业后，实施的工作其实并没有完全结束，而是将转入到业绩评价和下一步的后期支持阶段。这是因为我们有必要对系统实施的结果做一个小结和自我评价，以判断是否达到了最初的目标，从而在此基础上制定下一步的工作方向。

　　由于市场竞争形势的发展，将会不断有新的需求提出，再加之系统的更新换代，数据量的快速增加，IT技术的进步都会对原有系统构成新的挑战。所以，无论如何，都必须在巩固的基础上，通过自我业绩评价，制定下一目标，再进行改进，不断地巩固和提高。

说明：此补丁管理解决方案利用微软免费提供的SUS，仅适用于中小企业。

补丁管理可以帮助保持运作效率和有效性，克服安全漏洞并保持生产环境的稳定性。组织应该采取以下步骤：正确地配置系统，使用最新的软件，以及安装建议的有效性和安全补丁。

如果考虑到分布式 IT 环境下的补丁管理，则某些基本问题就会立即变得非常明显：

• 组织如何识别需要哪些补丁？

• 是否真的需要应用最新补丁？

• 特定补丁会产生哪些更广泛的影响？

• 补丁带来哪些变化？

• 补丁安装之后是否可以删除？

• 不同环境之间存在哪些依赖性？

• 组织如何判断某个补丁是否获得成功？

• 如果补丁覆盖了特定的自定义设置，应该怎么办？

• 恢复已安装补丁的环境时可能出现那些情形？

Microsoft Baseline Security Analyzer (MBSA)扫描单个系统或网络中的多个系统，并发现常见的系统配置不当或缺少安全性更新的现象。

管理员可以从中心位置运行Office Update Inventory Tool工具，通报目前已应用到 Microsoft Office 2000、Office XP 和 Office 2003 的更新、当前可应用的更新，以及只能应用到管理镜像的更新。

Windows Update Website扫描个体计算机以找到其所缺少的关键 Windows 更新、补丁和驱动程序更新。

Office Update Website扫描个体计算机来识别其所缺少的 Microsoft Office 更新（Office 2000 及其后的版本）。

SUS服务器安装事项

1.安装前请注意以下几点：

·用来安装SUS服务端的系统需要安装好相应的补丁程序

·系统安装了IIS5.0以上版本，并且系统的80端口没有被其他程序占用

·SUS不能在Active Directory域控制器上运行

2. SUS Server (Software Update Services 1.0 with Service Pack 1)下载:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en

SUS客户端安装事项

1、安装以下关键补丁

Windows 2000: SP4,KB828741,KB835732

Windows XP: SP2,KB828741,KB835732

2、配置sus客户端

你可以选择两种方式中的一种来配置

通过组策略方式来配置

“计算机配置”->“管理模板”->“Windows 组件”->“Windows Update”项下启用并设置“配置自动更新”和“指定Intranet Microsoft更新服务器位置”

注：若没有“Windows Update” 项，需右击管理模板，选择“添加/删除模板”添加wuau.adm模板

修改注册表方式来配置

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

"WUServer"="http://sus.abc.org"

"WUStatusServer"="http://sus.abc.org"

注：示例sus.abc.org为自动更新的服务器地址, 类型为String。

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

"UseWUServer"=dword:00000001

Important Note: Windows Server Update Services, (WSUS), the successor to SUS, supports updating for a broader set of Microsoft products and provides robust management and reporting features. Customers can download WSUS from Windows Server Update Services (WSUS). In response to customer feedback, and in order to provide customers with additional time to migrate from Software Update Services (SUS) 1.0, Microsoft has announced an extension to the end of support date to Tuesday, July 10, 2007.

Microsoft Solution Accelerator for Business Desktop Deployment (BDD) 为高效地规划、构建、测试和部署 Microsoft Windows XP Professional、Windows XP Tablet PC Edition 和 Office Professional 2003 Edition 提供了端到端的指导。它帮助 IT 专业人员实现快速的投资回报，同时还为可靠性、性能、安全性和易用性设定了新的标准。

注意： 对于文中描述的某些过程，BDD Solution Accelerator 需要得到特定软件工具的支持。请检查下表中针对标准版和企业版 BDD 解决方案的系统需求，确保它们适用于您的操作环境。

该加速器提供了经过考验的工具和实践，允许 IT 专业人员：

• 创建软件和硬件清单来协助部署规划

• 测试应用程序与 Windows XP Professional 的兼容性，并减轻在该过程中发现的兼容性问题

• 使用部署和映像服务器来建立初始的实验室环境

• 自定义并打包核心和补充应用程序

• 自动化桌面映像创建和部署

• 确保桌面得到加强以改进环境中的安全性

• 管理用于产生全面、集成化部署的流程和技术

Solution Accelerator for BDD 解决方案包含指导、示例模板和技术文件（比如脚本和配置文件）。

下载 标准版：BDDStandard.msi

下载 企业版：BDDEnterprise.msi 

我应该使用标准版还是企业版？下面显示了标准版和企业版的使用标准。

Title:Browsing the Web and Reading E-mail Safely as an Administrator 2/2

Summary: showing you how to use SAFER with local or enterprise policy to reduce potential threats when running as an admin.

Download the SetSAFER.msi file.

Note   You must be a local administrator to set SAFER policy on your computer.

Open the Local Machine Policy object by running MMC and adding the Group Policy Object snap-in, and navigate to the Software Restriction Policies.

You'll see there are two security levels—Disallowed and Unrestricted. Disallowed will prevent an application from executing, and Unrestricted means the application executes with the same trust as the user. So, if the user is an admin, the application runs with full admin rights.

Try it out! Here's how to do it:

·                     Right-click on Additional Rules.

·                     Click New Path Rule.

·                     Browse to Notepad.exe in the \Windows\System32 directory.

·                     Set the Security Level to Disallowed.

·                     Go to the command-line and type gpupdate (you may need to wait a few seconds for the policy to take effect).

·                     Run notepad.exe.

·                     Well, try to run notepad.exe.

The Disallow setting is a very useful option if you know there is some malware "in the wild" and you want to proactively stop it from running. Let's say there's a virus that drops a file named nuke.exe to the c:\windows\system32 directory and the c:\ root directory. You can add two Disallow rules, one for c:\windows\system32\nuke.exe and another for c:\nuke.exe to your Group Policy and roll the policy out to the entire organization. Now you are protected from the malware because it simply won't run. You could also just add nuke.exe with no directory name, but this would block a legitimate nuke.exe. Of course, a file named nuke.exe is a little suspect, anyway! And remember, you can use Windows environment variables, such as %PROGRAMFILEs% in place of hard-coded path names.

There are in fact three other SAFER security levels beyond Disallow and Unrestricted. The three other settings are:

·                     Normal User (also named Basic User)

·                     Constrained (also named Restricted)

·                     Untrusted

I want to focus on the Basic User security level, as this offers the best results in terms of application compatibility and security.

To make this perfectly clear, you can run applications at much lower privileges than Basic User, but you're on your own because things may break. For example, I often run Internet Explorer in Constrained mode when browsing sites laden with exploit code. That said, it probably can't hurt to call out some of the end-effects of Constrained and Untrusted:

·                     HKCU is read-only.

·                     %USERPROFILE% is inaccessible.

·                     Some crypto operations including SSL negotiation do not work.

The first step is to enable the Basic User setting. You can do this with a registry tweak. Add a DWORD value named Levels set to 0x20000 to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Now reload the MMC snap-in and add the Group Policy Object editor. You will see the Basic User under Software Restriction Policy.

Now here comes the cool part—you can set the policy on an application such as a Web browser or e-mail program such that it runs as a normal, low-privilege user rather than as the admin account. For example, to make Internet Explorer run as a normal user, perform the following steps once you have loaded the Group Policy Object snap-in:

·                     Right-click on Additional Rules.

·                     Click New Path Rule.

·                     Browse to c:\Program Files\Internet Explorer\iexplore.exe.

·                     Set the Security Level to Basic User.

The beauty of this solution over the solution using the SAFER APIs is that the SAFER policy mechanism is enforced by the operating system when a process starts. So you can invoke Internet Explorer from a shortcut on the desktop or a saved URL on the desktop, and Internet Explorer will run as a user. Of course, you could copy iexplore.exe to your desktop and the SAFER policy would not apply because the browser is not being executed from the c:\program files\internet explorer directory.

Setting SAFER Policy Without Using the Policy Snap-in

I've written a small program named SetSAFER to set SAFER policy. All it does is read from an XML file and set the appropriate registry keys to enable or disable SAFER policy on applications defined in the XML file. You can, of course, add your own applications to the XML file. You'll notice you can use an application name or a directory. Setting SAFER policy on a directory affects all executables in that directory.

There's a very important point you should know about this tool. It will blow away any existing Basic User SAFER settings you have in the registry and set them to whatever is held in the tool.

Also note, the tool was written and compiled with the May 2004 release of Visual Studio .NET 2005 beta, so you'll need a beta of the .NET Runtime 2.0 available at http://lab.msdn.microsoft.com/vs2005/downloads/default.aspx to run the tool.

Now here's an important caveat. This technology will change in Longhorn, so don't be too surprised if this tool and the Software Restriction Policy technology doesn't work as they do on Windows XP and Windows Server 2003.

Determining Success

How do you know the process is running with reduced privilege? It's pretty easy to determine—just look at the token associated with the process. The best tool, in my opinion, is Process Explorer from Sysinternals (sysinternals.com.) When using this tool, simply double-click the process you're interested in, and then select the Security tab. A dialog box like Figure below will appear. Note the Admin SID is set to Deny, and there are no potentially hazardous privileges in the token. This application is running as a user, not an admin.

Title:Browsing the Web and Reading E-mail Safely as an Administrator 1/2

Summary: discussinghow you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.

Download the DropMyRights.msi file.

For Best practices on running as a non-admin, I urge you to look over Aaron Margosis' blog to glean tips on running as a non-admin in Windows.

DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla's Firefox, Eudora, or Lotus Notes e-mail. Now let's look at configuring the application to run applications in lower privilege.

Setup

Simply copy DropMyRights.exe to a folder. Then for each application you want to run in lower privilege, follow the steps in the next three sections.

Create a Shortcut

Create a shortcut and enter DropMyRights.exe as the target executable, followed by the path to the application you want to execute in lower privilege.

For example:

C:\warez\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

Updating the Shortcut Name

Next, update the name of the shortcut to represent the executable target, and not dropmyrights. I usually put the word "(Safer)" after the application name to denote this application will run in a safer security context. "(Non-admin)" is another common addition

Setting the Icon and Run Mode

Finally, once the shortcut is created, set the Run option for the shortcut to Minimized and if you want, select a new icon.

Advanced Options

The arguments to DropMyRights are:

DropMyRights {path} [N|C|U]

The meanings of the variables are:

·                     Path is the full path of the application to launch.

·                     N means run the application as a normal user. This is the default if you provide no argument.

·                     C means run the application as a constrained user.

·                     U means run the application as an untrusted user. Chances are, this will cause some applications to fail.

My opinion is use Normal (the default) for most things, and Constrained if you think you'll be browsing hostile or potentially dangerous Web sites.

放宽访问控制列表限制
LUA 错误最常见的主要成因是开发人员（往往也是测试人员）通常以管理员身份运行。开发人员可能并非有意要求最终用户以管理员身份运行，但依赖管理员访问权限的东西可能会潜入代码（例如，写入到 C: 驱动器根文件夹中的文件、写入 %ProgramFiles% 下的应用程序安装文件夹中的文件或写入 %windir% 中的文件）。开发人员和测试人员使用时应用程序还能正常工作，但当您以普通用户身份运行应用程序时，它就崩溃了。
一种方法是更改对象的访问控制列表 (ACL)，为用户授予程序所需的访问权限。通常，需要调整的对象位于注册表或文件系统（如果使用 NTFS）中。采用此方法时需要进行认真考虑，并应注意一些重要事项。
首先，在已尝试了所有更可取的方法并确认这些方法都不能修复所要处理的 LUA 错误时，才应选择此方法。如果采用此方法，一定要非常小心。

只应考虑对应用程序特有资源而非 OS 范围资源进行 ACL 更改。虽然更改 %ProgramFiles%\VendorX\AppX\DataFolder 的 ACL 可能没有问题，但永远都不应更改 %SystemRoot%\System32 的 ACL，无论目的是放宽还是收紧访问权限。此外，应尽一切可能避免更改程序代码的 ACL。这是为了防止恶意软件感染或替换应用程序文件。

还要避免更改由管理员或服务使用的资源（尤其是 .exe 和 .dll 文件）的 ACL。这样做会增加提升权限的风险，从而导致整个系统遭受危害。（即便如此，受攻击面仍远小于所有内容都始终以管理员身份运行的情况。）
理想情况下，资源只应由一位用户进行访问。如果资源被多个非管理员用户访问，则一位用户导致另一位用户的帐户遭受危害的风险会增加。
最后，只要应用程序能够工作，应只为可能的最少数量用户授予访问可能的最少数量资源所需的最少量附加访问权限。在任何情况下都不需要为“每个人”授予对文件系统或注册表一大部分的完全控制权限。
最理想的做法是只为计算机的主要用户授予附加访问权限，但如果系统数量庞大，这样做在管理上可能会有困难（例如，在一个系统上授予 MARY 权限，在另一个系统上授予 STEVE 权限，依此类推）。如果可以定义一组需要使用该程序的用户，应将这些用户添加到一个组，然后为该组授予访问权限。
也可以授予对内置 INTERACTIVE 仿真组的访问权限。这样做将只为当时以交互方式登录的用户授予附加访问权限，而不会授予附加的对资源的远程访问权限。请注意，在终端服务器或“快速用户切换”应用场景中，计算机上可能同时有多位用户的令牌中有 INTERACTIVE。

优点：
此方法会为您的时间投资带来巨大回报。我和我的同事见过的大部分 LUA 错误都与文件和注册表权限有关。调整访问控制列表可能比任何其他方法修复的 LUA 错误都要多。

缺点：
此方法的可取性较低，因为出于某种原因对 ACL 进行了这样的设置。更改 ACL 使得受限用户能够更改共享资源（出于善意或恶意），并会使一位用户（或该用户无意间运行的恶意软件）可以更容易地影响其他用户。如果管理员受到影响，就会危害整个系统。

此外，精确地确定应开放的资源及开放程度并不容易。而且也难以肯定地了解开放对资源的访问是否会无意间公开提升权限的途径，从而使系统被他人接管。

只以提升的权限运行那个有问题的应用程序
一些应用程序解决 LUA 错误的方法是，在启动时显式地检查您是否为管理员组成员，如果您不是，将显示一条错误消息，坚称您必须是管理员，才能使用该程序。这可能是由于开发人员的懒惰、不称职或傲慢（或三者兼而有之），但无论您使用任何其他解决方法，这些应用程序都不会让步。如果已经确认所有其他方法都已失败，就只能考虑以提升的组或权限运行那个有问题的应用程序。
请不要以管理员身份运行应用程序，而是尝试以提高的权限（但仍低于完全管理权限）运行它。可以 Power Users 成员的身份或特定权限（如 SeLoadDriverPrivilege）运行应用程序。但要知道，只需多费一点工夫，就可利用这些其他组和权限中的许多组和权限接管整个系统。

那么，该如何完成此项任务呢？如果您信任拥有管理员密码的用户（或者您信任制定安全决策的用户），则有四种选择：

可以使用 RunAs。

可以使用 MakeMeAdmin。这是一个批处理文件，可以轻松地自定义该文件来运行命令外壳以外的内容。也可以对其进行调整，使提升的上下文低于完全管理上下文。

SysInternals 提供了 PsExec 和 Process Explorer。这些应用程序提供了各种类似 RunAs 的选项。
最后，可以使用 RunAsAdmin。这是 Valery Pryamikov 开发的一个值得关注而且有用的开源实用程序。RunAsAdmin 采用的方法有点类似于 Windows Vista 的“用户帐户控制”功能 (UAC)，就地提升当前用户的权限而不要求使用密码。

另一方面，如果您不信任拥有管理员密码的用户，还有几个第三方选择值得考虑。

DesktopStandard 开发的 PolicyMaker Application Security 使用“组策略”扩展来配置修改进程令牌的规则。它减轻了下面提到的部分缺点的严重程度。可以对其进行配置，使由目标应用程序启动的子进程不继承其修改过的令牌。它还可以执行细微的令牌修改，以提高（或降低）权限或添加（或删除）特权。
Winternals（SysInternals 的商业机构）提供了 Protection Manager，该工具使用轻型客户端-服务器应用程序和白名单技术来封锁所有不受信任的应用程序。可通过 Protection Manager 将应用程序的进程令牌和权限提升到管理员进程令牌和权限的级别或降低到用户进程令牌和权限的级别（当最终用户分别是非管理员或管理员时）。Protection Manager 不允许已提升权限的应用程序的子进程以提升的权限运行，除非也将该子进程显式地配置为已提升权限的应用程序。已降低权限进程的所有子进程的权限将自动降低。可按管理员通过数字签名、散列、NTFS 文件所有权或路径进行的指定对应用程序执行允许、封锁、提升权限或降低权限操作。

PolicyMaker Application Security 和 Protection Manager 都通过内核模式代码确定是否、何时以及如何修改进程令牌。由于不使用密码，因此不存在泄漏风险，而且非管理员无法干涉修改决定。
还可使用其他工具，这些工具执行类似 RunAs 的操作时会将管理员帐户凭据加密（有时只是进行模糊处理）。尽管此方法提高了标准，可阻止一些用户获取管理员凭据，但那些密码仍然需要在用户的安全上下文中解密，因此可能会暴露给拥有适当工具的攻击者。
有一个我听过的常见问题是，RunAs.exe /savecred 选项是否可用作快捷方式，以使用户能够使用保存的密码（不需要再次输入密码）以管理员身份运行某个应用程序。但这会导致无法预料的问题，而且也有许多问题是应该知晓的。凭据并不是绑定到任何单个快捷方式；凭据保存后，就可以使用它们来启动任何应用程序。尽管密码使用用户特有密钥进行了安全的加密，但仍然要在用户的安全上下文中进行解密而被短时间公开。而且，在 Windows XP Home Edition 上无法使用 /savecred 选项。

优点：
使用此方法可以避免始终以管理员身份运行所有内容。遗憾的是，这差不多是此方法的唯一优点。

缺点：
以提高的权限运行应用程序比我已介绍过的任何其他方法的风险都高得多。如果以管理员身份运行应用程序，将很难保护系统不受恶意用户或恶意应用程序的攻击。以下是一个简单的示例。如果以管理员身份运行“记事本”，然后选择“文件”|“打开”，将会显示一个类似资源管理器的小窗口。您仍然位于“记事本”中，这意味着您拥有对整个文件系统的完全管理员级别访问权限，甚至可以从该处以管理员身份启动程序。此项简单技术会被恶意用户或将击键或窗口消息送入已提高权限程序的恶意软件利用。

结束语
“最低权限用户帐户”可以作为安全策略中的一个便利选择，但它可能会引发一些值得关注的难题。这些错误解决方法的效力和安全性有很大差异。虽然确定错误的确切成因，然后使用最佳解决方案进行修复有困难，但这样做很重要。如果使用其中一个可取性较低的方法，则应了解如何尽最大可能保护系统。

如果一个应用程序或应用程序的一个功能在以高级权限运行时能够正常工作，但 LUA 用户却无法使用，而且并没有必须使用高级权限的技术或业务原因，这便是 LUA 错误。一个常见的示例是，应用程序将其设置保存到 HKEY_LOCAL_MACHINE 下的某个注册表项（LUA 用户对其只拥有只读权限），而不是保存到 HKEY_CURRENT_USER 下的某个注册表项。

到目前为止，大多数 LUA 错误都归因于注册表和文件系统访问权限。例如，一个程序可能尝试将其设置保存在 %ProgramFiles% 下的安装文件夹中，也可能会尝试使用“完全访问”权限打开 HKLM 下的某个项，即便实际上使用“读取”访问权限便可。其他类型的 LUA 错误包括尝试启动或停止服务、加载设备驱动程序、直接访问硬件资源、创建或管理文件共享，甚至是显式地检查当前用户是否为 Administrators 组的成员。

始终会有一个或多个低级别操作（API 调用），在作为管理员时可以成功执行，但作为 LUA 执行时却会失败。自己可以通过一些工具（如 SysInternals 开发的 Regmon 和 Filemon）来查看其中的一些错误。所查看到的每一个都真的是 LUA 错误吗？这取决于应用程序响应失败的方式。

举个例子，有一个您或您的用户需要运行的标准应用程序。该应用程序的设计用途并不是在计算机上执行任何系统管理任务，但由于某个未知的原因，只有通过具有管理员级别访问权限的帐户运行，它才能正常工作。您需要为您的用户授予对该应用程序的访问权限，但又不希望他们以管理员身份运行。您该怎么办呢？

我将介绍一个系统性的方法，既能够解决 LUA 错误，同时又能将风险降至最低。我将按从最可取到最不可取的顺序来介绍这些方法，并列举每个方法的优缺点。

它是错误 - 将它视为一个错误并请开发人员进行修复！
这是最佳方法。如果应用程序要求具有管理员权限并无合法理由（无论是业务还是技术上的理由），那么无法通过普通用户帐户运行应用程序就是一种严重的错误，会对系统的安全性、稳定性和可管理性造成危害。请认真考虑让开发人员直接在代码中修复该问题。
如果开发小组答复您的请求时这样说“这是一个关键任务应用程序，因此必须以管理员身份运行，因为它会在 HKEY_LOCAL_MACHINE 中写入信息”，就应该这样回答“你胡说八道”，并坚持让他们修复错误。

优点：
开发小组在应用程序代码中直接修复错误后，就不必再执行任何修补程序、调整程序或解决方法了。此外，开发人员还可以从经验中学习，避免产生新的 LUA 错误。（请注意，LUA 错误的首要成因就是开发人员在编写代码时以管理员身份运行！我将在“放宽访问控制列表”部分对此做详细论述。）

缺点：
时间和金钱两方面的开销都会令人望而却步，如果资源有限，需要修复的应用程序又很多，就更是如此。可能需要重新设计应用程序的结构，而且在此过程中可能会引入新的错误。

另一个障碍是可能找不到开发人员或源代码。需要处理的可能是第三方代码，而开发它的公司已不存在。开发人员可能正在重组，或进了监狱，或更糟糕的是，正在为您的竞争对手工作。您明白了吧。

使用 Application Compatibility Toolkit

Application Compatibility Toolkit (ACT) 提供了有用的“LUA 模式”修补程序。这些修补程序会检测对文件系统和注册表中系统范围位置的写入尝试并在不提示的情况下将这些尝试重定向到每个用户的位置。（Windows Vista 中包括一个更有效的对应程序，叫作“文件和注册表虚拟化”。）在“应用程序兼容性：概述”中，可以找到 Application Compatibility Toolkit。

优点：
使用 Application Compatibility Toolkit 中提供的“LUA 模式”修补程序真正诱人的原因是，它使用方便。还不需要提升权限。

缺点：
在 Windows XP 中，“LUA 模式”修补程序往往无效。（Windows Vista 中的“文件和注册表虚拟化”经过了完全重新编写，其兼容性比 Windows XP 中的 ACT“LUA 模式”高得多。）
工具不奏效时底层操作所增添的复杂性会使故障排除变得更加复杂。

尝试解决 LUA 错误

如果问题是权限有限所致，可尝试使用许多可能会修复问题的方法。在这些解决方案中，有一些要比其他更好，因为承担的风险较低。如果遇到 LUA 错误，请按照下列步骤操作，先使用最可取的修复方法，必要时再尝试后面的修复方法。

将特定的 HKCR 项复制到 HKCU\Software\Classes
在 Windows 2000 之前，HKCR 只是对 HKLM\Software\Classes（只有管理员才可以向其中写入数据）的一个符号链接。这表示对 HKCR\.txt 执行的操作实际上发生在 HKLM\Software\Classes\.txt 中。Windows 2000 引入了以用户为单位的注册数据，因此现在 HKCR 已成为 HKLM\Software\Classes 和 HKCU\Software\Classes 的合并视图（用户可以向其中写入数据）。如果后者中存在项，它将享有优先权。因此，如果 HKCU\Software\Classes\.txt 中已存在 HKCR\.txt，现在对该项的操作将在 HKCU\Software\Classes\.txt 中进行；如果不存在，将和以前一样，操作将在 HKLM\Software\Classes\.txt 中进行。
问题在于，有许多应用程序会在运行时向 HKCR 写入数据，以增强其文件关联、COM 注册数据等。如果写入失败，即使要写入的数据已经存在，也会产生错误。每次应用程序运行时，都会写入相同的数据。如果相同的注册数据存储在 HKCU\Software\Classes 中，写入操作将会成功，而且不会更改程序的行为。
要修复此问题，首先必须确定应用程序试图写入到的 HKCR 下的项。将这些项导出到一个或多个 .reg 文件中（在“注册表编辑器”中，选择“文件”|“导出”，然后选择“选定的分支”）。然后使用文本编辑器，用 [HKEY_CURRENT_USER\Software\Classes\ 替换 [HKEY_CLASSES_ROOT\ 的所有实例并保存更改。完成后，将编辑过的 .reg 文件导入到需要运行该程序的用户的注册表中。

优点：
此方法可修复应用程序在 HKCR 中执行本应在安装期间完成的操作的问题。该方法好于放宽对 HKCR 下系统范围资源访问控制的方法。恶意软件覆盖 HKCU 下的项将不会影响操作系统组件或计算机的其他用户。

缺点：
直到最近才出现能够将 HKCR 写入识别为 LUA 错误来源并隔离所涉及项的工具。使用 LUA Buglight 执行此任务要容易得多。

使用 IniFileMapping

在 Windows 3.x的时代，我们了解并喜爱的注册表尚未出现，OS 和应用程序将配置和首选项数据存储在 .ini 文件（如 win.ini）中。Windows 过去支持 .ini 文件，现在也仍在通过配置文件 API（如 WritePrivateProfileString）为 .ini 文件提供 API 级别支持。许多应用程序（包括一些 Windows 小程序）仍然使用这些 API 来尝试写入 .ini 格式的文件，这些文件通常位于用户不应写入的文件夹中。

Windows NT 3.1 鼓励用于从使用 .ini 文件迁移到使用可扩展性和可管理性更强的注册表，并提供了用于将 .ini 文件读取和写入自动重定向到注册表项的手段。配置文件 API 的内部实现进行了扩充，以使用 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\ 下的映射。如果在该项下未找到 .ini 文件的映射，将和以前一样，在文件系统中执行操作。

如果通过配置文件 API 访问 .ini 格式文件是 LUA 错误的成因，那么通过在 IniFileMapping 项下添加项，将访问重定向到 HKCU，便可以修复该错误。请注意，IniFileMapping 位于 HKLM 下，配置它需要具有管理权限。配置文件 API 的文档中介绍了配置细节。

优点：
此方法可避免放宽对文件系统内系统范围资源的访问控制。同样，恶意软件覆盖 HKCU 下的项将不会影响操作系统组件或计算机的其他用户。

缺点：
IniFileMapping 条目仅指定文件名，因此将会影响配置文件 API 对任何路径中具有该名称的任何文件的所有访问。这可能会对具有专用的同名 ini 文件的其他应用程序产生副作用。

更新 SafeDisc 驱动程序
许多游戏依赖 Macrovision 开发的 secdrv 设备驱动程序（也称为 SafeDisc）。随 Windows XP 一起提供的 SafeDisc 驱动程序是一种需要时启动的驱动程序；不允许用户停止和启用它，这会导致程序尝试访问该驱动程序时出现错误。有一个更新（可从 Microsoft 及从 Macrovision 站点获得）可以将该驱动程序配置为在系统启动时加载，这样用户启动它时就不需要拥有权限。此更改使非管理员用户能够正常地运行某些游戏。
（请注意，撰写本文时 Microsoft 下载页面针对该更新有一句说明，称该软件“will not alter or patch any component on your system; it will only change the startup state of the system component.（将不会改动或修补系统上的任何组件；它将只更改系统组件的启动状态。）”。事实并非如此 - 它会安装更新的驱动程序。）

优点：
此更新易于实现，而且不需要在访问控制列表 (ACL) 中进行与系统范围资源有关的更改。

缺点：
除了该方法主要用于更正与游戏（而不是生产力应用程序）有关的问题之外，实际上没有任何缺点。

这些工具包括：

• Secondary Logon 服务

• MakeMeAdmin

• PrivBar

• PolicyMaker

• 应用程序兼容性工具包

• RegMon 和 FileMon

• 系统管理服务器

Secondary Logon 服务

Secondary Logon 服务（或 runas 命令）允许用户使用其他凭据运行程序。Secondary Logon 服务可使用新凭据和组成员身份创建另一个安全令牌，程序使用该令牌来访问资源。

尽管 Secondary Logon 服务是非常有用的工具，但辅助帐户使用不同于主帐户的凭据，这会产生以下限制：

• 用户必须知道辅助帐户的密码，并且必须提供这些凭据。

• 某些程序不能运行凭据不同于当前实例的第二个实例。

• 辅助帐户可能具有与主帐户不同的打印机和驱动器映射。

• 辅助帐户可能是本地帐户，因此可能不具有对网络或域资源的访问权限，无法运行域登录脚本，或无法应用组策略。

• 某些更改（如安装程序）只能应用到辅助帐户的配置文件，不能应用到主帐户的配置文件中。如果程序安装为“仅此用户使用”而非“所有用户均可使用”，则可能会出现这种结果。

runas 命令在被定向到使用通用命名约定 (UNC) 路径，如打印机和网络连接时，无法正常运行。有很多方法可解决此问题，如使用 runas 命令启动 Internet Explorer，然后在 Internet Explorer 中打开基于文件夹的对象。但是，这种方法不如“右键单击，然后单击‘运行方式’”的方法简便。

runas 命令的其他用途包括在用户的“发送到”菜单中创建脚本的快捷方式，通过该快捷方式可以管理权利运行选定的程序。此外，可为快捷方式设置“以其他用户身份运行”高级选项。有关详细信息，请参阅 HOW TO：在运行程序时启用和使用“运行方式”命令

MakeMeAdmin

MakeMeAdmin 使用两个连续的登录进程，绕过 Secondary Logon 服务的驱动器映射、访问权限和程序安装限制。为了绕过这些限制，脚本将执行以下操作：

1. 获取当前登录帐户详细信息。

2. 调用 Secondary Logon 服务，以便您可以使用本地管理员帐户凭据登录。

3. 使用该新的本地管理员登录会话将您的当前帐户添加到本地 Administrators 组中。

4. 再次调用 Secondary Logon 服务，并提示您以当前用户帐户但作为本地 Administrators 组的成员登录。

5. 创建一个新的命令提示，其中您的当前帐户是本地 Administrators 组的成员。此命令提示具有不同的背景颜色和标题，以便与标准命令提示区分开。

6. 从本地 Administrators 组中删除当前帐户。

该脚本创建的命令提示在当前登录帐户凭据下运行，但具有管理权利，因此您从此命令提示运行的任何程序也都具有管理权利。驱动器映射和网络访问权限与当前帐户相同，如果您使用此命令提示安装程序，则该程序将安装到当前配置文件，而非本地管理员配置文件中。

有关 MakeMeAdmin 的详细信息，请参阅 Aaron Margosis 的 WebLog 上的 MakeMeAdmin -- 受限用户帐户暂时充当管理员

PrivBar

PrivBar 在 Internet Explorer 和 Windows 资源管理器中显示不同颜色的工具栏，表示用户当前的特权级别。例如，如果用户使用管理权利登录，PrivBar 工具栏将变为黄色，并带有红色指示器。此指示器提醒用户他们正使用管理特权浏览网站，这样会增加其计算机的风险。有关 PrivBar 的详细信息，请参阅 Aaron Margosis 的 WebLog 上的 PrivBar -- 可以显示当前权限级别的 IE/Explorer 工具栏

PolicyMaker

Desktop Standard 中的 PolicyMaker 由一套实用工具组成，这些实用工具扩展了组策略的功能，以在分布式网络中使用 LUA 方法。PolicyMaker 套件还包括检查和修复程序兼容性问题的工具。实现 LUA 方法的最重要的工具包括 PolicyMaker Standard Edition、PolicyMaker Application Security 和 PolicyMaker Software Update。

对 LUA 方法具有特殊意义的是 PolicyMaker Application Security，它使网络管理员可以为各个程序附加权限级别。网络管理员选择程序，然后在该程序启动时从进程令牌中删除安全组。此限制随后通过组策略进行传播。有关 PolicyMaker 的详细信息，请参阅 Desktop Standard 网站上的 PolicyMaker 概述

应用程序兼容性工具包

Microsoft Windows 应用程序兼容性工具包 (ACT) 是工具和文档的集合，可协助 IT 专业人士和开发人员实现与 Windows 操作系统之间的最高级别的应用程序兼容性。这些工具包括：

•       应用程序分析器。此工具可简化应用程序清单和兼容性测试。

•       兼容性管理器。此数据库列出支持 Windows 中过期程序所需的兼容性修复程序。

•       Internet Explorer 兼容性评估器。此工具提供有关 Internet Explorer 的详细日志，记录与此浏览器相关的应用程序兼容性问题。

兼容性管理器中包括开发人员可在自定义应用程序的开发阶段用来检查用户权限问题的工具。ACT 能够生成管理员可部署到用户的计算机的兼容性修复程序。该兼容性修复程序通过将应用程序调用重定向到受限用户具有读写权限的位置，使程序可以在 LUA 模式下运行。有关 ACT 的详细信息，请参阅 Windows 应用程序兼容性

RegMon 和 FileMon

RegMon 和 FileMon 是来自著名的 Sysinternals 网站的两个实用工具。RegMon