Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Roaming profile permissions and versions

Ever noticed that when you moved from Windows XP to Windows 7 the profile name has a .V2 appended to it? That’s because the profile format changed with Windows Vista and to avoid mistakenly loading the older profile format, Vista and upwards add a .V2 (version 2) to the profile folder name. This way a user can login to both XP and Vista/ 7 machines at the same time and the profiles won’t get mashed.

Windows 8/ 8.1 changes the format again to version 3. This time, however, they don’t change the folder name. When a Windows 7 user logs in to a Windows 8/ 8.1 machine the profile format is upgraded in-place but the folder name is not changed. Later, if they log in to a Windows 7 machine there will be trouble. Workarounds include this one from a member of the AD team or using GPOs on the computers to redirect roaming profiles to different locations (the “Set roaming profile path for all users logging onto this computer” GPO setting). More information is available in this KB article which seems to be missing. 

Speaking of GPOs and roaming profiles, by default roaming profiles are configured with very minimal permissions. Only the Creator/ Owner and the Local System have full permissions to the roaming profile on the server. Administrators don’t have any permissions, including being able to see the existing permissions. There is a GPO setting which can be used to grant the Administrator group access to roaming profiles. This is a Computer policy, found under Computer Configuration > Policies > Administrative Templates > System > User Profiles and is called “Add the Administrator security group to roaming users profiles”. 

Once this policy is applied to computers, when a user logs in the computer adds the Administrator group to the ACL of the roaming profile. However, this policy has a catch in that it only takes effect on roaming profiles created after the policy was deployed. If a user has a roaming profile from before the policy was deployed, the Administrator group will not be added to it. Even if the user logs in to a new machine the Administrator group will not be added (because in effect the machine is downloading the existing profile and leaving things as they are). Of course, if you delete the roaming profile of an existing user so it’s recreated afresh then the Administrator group will be added. 

The only way to assign access to the Administrator group in such cases is to take ownership of the user’s roaming profile and add the Administrator group to its ACLs. Best to create a PowerShell script or a batch file and automate the whole thing.
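
One way to automate this, as an added example (not a script from the original post). The share path, the domain name and the assumption that each profile folder is named after the user, optionally with a .V2-style suffix, are hypothetical and need adjusting.

```powershell
# Added example: give BUILTIN\Administrators access to roaming profiles that were
# created before the "Add the Administrator security group..." policy applied.
# Assumptions (hypothetical): $ProfileRoot, $Domain, folder name = <user>[.V<n>].
# Run elevated. Use -WhatIf first to list the folders that would be touched.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProfileRoot = '\\fileserver\profiles$',   # hypothetical share
    [string]$Domain      = 'EXAMPLE'                   # hypothetical NetBIOS domain
)

$admins = '*S-1-5-32-544'   # BUILTIN\Administrators (SID form works on any locale)
$system = '*S-1-5-18'       # Local System

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    # Drop the profile-version suffix (.V2 etc.) to recover the account name.
    $account = '{0}\{1}' -f $Domain, ($dir.Name -replace '\.V\d+$', '')
    if (-not $PSCmdlet.ShouldProcess($dir.FullName, "Add Administrators to ACL")) { continue }

    # 1. Take ownership for the Administrators group (/A), recursively (/R).
    #    Until this is done the existing ACL cannot even be read.
    #    /D Y answers the prompt on English systems; the letter differs per locale.
    takeown.exe /F $dir.FullName /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed: $($dir.FullName)"; continue }

    # 2. Add Administrators with inheritable full control. The user and SYSTEM are
    #    granted again as well, because takeown /D Y may replace the ACL on
    #    directories it could not read.
    icacls.exe $dir.FullName /grant "${admins}:(OI)(CI)F" "${account}:(OI)(CI)F" `
        "${system}:(OI)(CI)F" /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed: $($dir.FullName)"; continue }

    # 3. Hand ownership back to the user. By default Windows checks that the user
    #    owns the roaming profile folder before loading it.
    icacls.exe $dir.FullName /setowner $account /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "owner not restored: $($dir.FullName)" }
}
```

Because this widens access to every user's profile data, review the resulting ACL on a sample folder with icacls before running it across the whole share.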

Disabling Connected Standby

As you know a few days ago I purchased a Notion Ink Cain, a Windows 8.1 tablet-slash-laptop. This is my first Windows tablet so while it doubles as both, I have slightly different expectations and use cases from this.

One of these is the battery life. Whereas I always hibernate my regular laptop, the Cain is just put to sleep once I am done with it. I put it to sleep either via the Power button or the device goes to sleep on its own. This is fine but for two problems – (1) since the device is only sleeping and I usually dock it into the keyboard and use the flap as the cover, any key presses when the device is asleep result in it waking up and thus some battery draining; (2) since the Cain supports Connected Standby (nowadays called InstantGo) the device does not really sleep in the way we usually expect Windows devices to sleep, the sleep here is more like a “light sleep” wherein the device is kind of awake and able to let some background stuff like email and other programs run and do their bit.

I work around the first issue either by rotating the Cain and then docking it, such that the keyboard is behind the device and so keypresses don’t get registered (the Cain requires the docking to be correct for the keyboard to be recognized). I also put the Cain in a pouch without the keyboard. It’s not very elegant but that’s what I was doing until today.

The second was an irritating issue. When I first read about Connected Standby I was very impressed with it. It’s not supposed to drain much battery. The requirement is that when on Connected Standby the device will lose less than 5% of its power over a 16 hour idle period, but that didn’t seem to be the case for me (try a powercfg /sleepstudy to get some results) and I wasn’t happy with the battery drain. Maybe it’s because I had set apps such as email to update in real time and so the device was regularly waking up to check email; I found that it barely lasted 2-3 days even when fully idle. That’s not great, and even putting it in airplane mode only made it slightly better.

To work around this I decided to start hibernating the device. I enabled the hibernation option in the Power menu and also created a shortcut to hibernate in the start menu. But these manual approaches didn’t seem “neat”. I wanted something where the Cain would automatically hibernate after a period of inactivity. I remembered back in Windows 7 (and even on my Windows 8 laptops) there are options under the Power menu in Control Panel to make the laptop sleep after a certain period and then hibernate. On the Cain though, this option was missing and I wasn’t sure why. I had a suspicion it must be because the Cain uses Connected Standby and so perhaps disabling it will reveal these options. I Google’d a bit to see if there’s a way to disable Connected Standby. Surprisingly I couldn’t find anything until finally some forum post mentioned another forum post that gave a registry key setting which disables Connected Standby. Applied that to the Cain and now I have the option to hibernate after a certain period. Yaay!

Unboxing the Cain

I got my Notion Ink Cain tablet day-before. I unboxed it in the car itself! Below are some pics.

Bubble wrap packaging in which I got the Cain

Out of the bubble wrap. Good quality box.

Close up of the box, showing price and specs

Unboxing

A nice touch. The box includes a letter and some mints (not shown).

The letter and mints

The tablet.

Tablet minus the wrapping.

Tablet in portrait orientation.

The keyboard-cum-cover. Notice the dock connector in the middle. That’s where you dock the tablet.

Tablet docked into the keyboard

Tablet docked and powered on.

Laptop next to my office desktop

Very irritatingly the tablet came with a screen protector. I hate screen protectors. I hate it when they have bubbles, and I hate the way they feel when I touch. One of my first tasks then was to take a piece of paper (a good quality paper, one that wouldn’t bend easily) and poke around the screen where there were bubbles between the screen and protector, and slide the paper into one of these bubbles and thus pry the protector off. Such a relief!

The next step was to set up encryption on the Cain. That’s a bit more detailed so I’ll post it later.

[Aside] Connected Standby available for 64bit Windows (since May!)

Only realised this today while I was reading about Connected Standby (because I am considering buying a Windows 8 tablet). Connected Standby is supported for 64 bit Windows too since May. Nice!