Tools & Information:


Windows Mailing List:

CSU maintains an email list for Windows administrators. To join the list:

  1. Go to the WINDOWSADMINS mailing list page.
  2. Fill out your email information and hit subscribe.

Computer Name Search


DNS Admin Tool


Resources:


Walk-Throughs:

Microsoft Office 2010/2013/2016 (running on Microsoft Windows platforms) is activated in one of two ways: Key Management Service (KMS) or Multiple Activation Key (MAK).

For CSU-owned computers, the preferred, and default, activation method is KMS. KMS works well for computers that will be connected to the campus network (either physically on campus or through VPN) at least once every 180 days. For those systems that will not be connected as such, MAK is more appropriate. MAK keys may be obtained from the RAMtech store.


KMS Activation Of Office 2010/2013/2016

Office 2010/2013/2016 activate automatically with CSU’s KMS servers. No manual intervention is required, as long as the following are true:

  1. The computer is connected to the CSU network (either physically or via VPN)
  2. The media used to install Office 2010/2013 was acquired from the CSU RAMtech store
  3. The computer is joined to one of the many campus Active Directory domains (check with your local IT support personnel to verify)

If #1 and #2 above are true, while #3 is not, follow the instructions below to manually activate Office 2010/2013/2016 via the KMS method.

  1. Connect to the campus network physically or via VPN
  2. Make sure any Office applications are closed
  3. As an administrator of the local system, open an Administrative command prompt (accessed by typing “cmd.exe” in the Start menu search box, then right-clicking the result that appears in the start menu, then selecting “Run as administrator”)
  4. At the command prompt, type the following command, pressing the “enter” key afterward (Note: for Office 2010, use “office14”, for Office 2013, use “office15”, for Office 2016, use “office16”):

For Office 2010:

cscript "c:\program files\microsoft office\office14\ospp.vbs" /sethst:ms-kms-1.colostate.edu

For Office 2013:

cscript "c:\program files\microsoft office\office15\ospp.vbs" /sethst:ms-kms-1.colostate.edu

For Office 2016:

cscript "c:\program files\microsoft office\office16\ospp.vbs" /sethst:ms-kms-1.colostate.edu

Note: in the above command, double quotes are necessary because of the space in the path; if you have 32-bit Office installed on 64-bit Windows, then you need to change “program files” to “program files (x86)”

  5. Next, at the command prompt, type the following command, pressing the “enter” key afterward (Note: for Office 2010, use “office14”, for Office 2013, use “office15”, for Office 2016, use “office16”):

For Office 2010:

cscript "c:\program files\microsoft office\office14\ospp.vbs" /act

For Office 2013:

cscript "c:\program files\microsoft office\office15\ospp.vbs" /act

For Office 2016:

cscript "c:\program files\microsoft office\office16\ospp.vbs" /act

Note: in the above command, double quotes are necessary because of the space in the path; if you have 32-bit Office installed on 64-bit Windows, then you need to change “program files” to “program files (x86)”

After issuing the above commands, the second command should result in output similar to what appears below, representing a successful activation attempt:

---Processing--------------------------
---------------------------------------
Installed product key detected - attempting to activate the following product:
SKU ID: 6f327760-8c5c-417c-9b61-836a98287e0c
LICENSE NAME: Office 14, OfficeProPlus-KMS_Client edition
LICENSE DESCRIPTION: Office 14, VOLUME_KMSCLIENT channel
Last 5 characters of installed product key: H3GVB
---------------------------------------
---------------------------------------
---Exiting-----------------------------
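The manual Office steps above as one script. This is an added example, not part of the original page or a CSU-provided tool: it finds ospp.vbs under either Program Files root, so the 32-bit/64-bit path note is handled automatically, and finishes with `/dstatus` to show the resulting license state. The list of Office process names is an assumption.

```powershell
# Added example: automates the manual Office KMS steps above from an elevated session.
$KmsHost = 'ms-kms-1.colostate.edu'   # KMS host given on this page

# Both ospp.vbs commands need local administrator rights, so check elevation first.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as administrator" and try again.'
}

# Office applications must be closed. This process list is an assumption; extend as needed.
$open = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
if ($open) {
    $names = ($open | Select-Object -ExpandProperty Name -Unique) -join ', '
    throw "Close these applications first: $names"
}

# ospp.vbs lives under office14/15/16 in either Program Files root (32-bit Office on
# 64-bit Windows installs under "Program Files (x86)"). The newest version found wins.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$found = foreach ($ver in 'office16', 'office15', 'office14') {
    foreach ($root in $roots) {
        $candidate = Join-Path $root "Microsoft Office\$ver\ospp.vbs"
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }
}
$ospp = $found | Select-Object -First 1
if (-not $ospp) { throw 'ospp.vbs not found under office14, office15 or office16.' }

$cscript = Join-Path $env:SystemRoot 'System32\cscript.exe'
& $cscript //NoLogo $ospp "/sethst:$KmsHost"   # point Office at the KMS host
& $cscript //NoLogo $ospp /act                 # request activation
& $cscript //NoLogo $ospp /dstatus             # show the resulting license status
```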

KMS Troubleshooting Tips

  • KMS activation is sensitive to variances between the local computer’s time and the KMS server’s time. Please ensure that the time and date reported by the computer to be activated are accurate.
  • You must be an administrator of the computer you are activating. If you are not, you need to enlist the assistance of your local IT support personnel.
  • You must connect to CSU’s network, either physically or via VPN, at least once every 180 days to reactivate a KMS-activated system. Note, however, that once KMS activation has taken place initially, the reactivation should happen automatically with no need for the manual steps outlined above.
  • If you have trouble with activating Microsoft Office, please contact the ACNS Windows team by sending e-mail to: windows@colostate.edu

Windows Vista, Windows 7, Windows 8, Windows 10, Server 2008 and Server 2012 are activated in one of two ways: Key Management Service (KMS) or Multiple Activation Key (MAK).

For CSU-owned computers, the preferred, and default, activation method is KMS. KMS works well for computers that will be connected to the campus network (either physically on campus or through VPN) at least once every 180 days. For those systems that will not be connected as such, MAK is more appropriate. MAK keys for the above operating systems may be obtained from the RAMtech store.


KMS Activation Of Windows Vista, Windows 7 – 8 – 10, Windows Server 2008 & Windows Server 2012

The above operating systems activate automatically with CSU’s KMS servers. No manual intervention is required, as long as the following are true:

  1. The computer is connected to the CSU network (either physically or via VPN)
  2. The media used to install the operating system was acquired from the CSU RAMtech store
  3. The computer is joined to one of the many campus Active Directory domains (check with your local IT support personnel to verify)

If #1 and #2 above are true, while #3 is not, follow the instructions below to manually activate these operating systems via the KMS method.

  1. Connect to the campus network – physically or via VPN
  2. As an administrator of the local system, open an Administrative command prompt (accessed by typing “cmd.exe” in the Start menu search box, then right-clicking the result that appears in the start menu, then selecting “Run as administrator”)
  3. At the command prompt, type the following command, pressing the “enter” key afterward:

cscript c:\windows\system32\slmgr.vbs /skms ms-kms-1.colostate.edu

  4. Next, at the command prompt, type the following command, pressing the “enter” key afterward:

cscript c:\windows\system32\slmgr.vbs /ato

After issuing the above commands, the second command should show output similar to “Product activated successfully.” (actual output varies based on the operating system being activated).


KMS Troubleshooting Tips

  • KMS activation is sensitive to variances between the local computer’s time and the KMS server’s time. Please ensure that the time and date reported by the computer to be activated are accurate.
  • You must be an administrator of the computer you are activating. If you are not, you need to enlist the assistance of your local IT support personnel.
  • You must connect to CSU’s network, either physically or via VPN, at least once every 180 days to reactivate a KMS-activated system. Note, however, that once KMS activation has taken place initially, the reactivation should happen automatically with no need for the manual steps outlined above.
  • If you have trouble with activating Microsoft Office, please contact the ACNS Windows team by sending e-mail to: windows@colostate.edu
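A pre-flight check built from the troubleshooting tips above, followed by the two slmgr.vbs commands. This is an added example, not part of the original page: it assumes the KMS host listens on TCP 1688, the KMS default, since the page does not name a port, and it ends with `/dli` to display the license state.

```powershell
$KmsHost = 'ms-kms-1.colostate.edu'   # KMS host given on this page
$KmsPort = 1688                       # assumption: KMS default TCP port; the page names no port

# Tip: you must be an administrator of the computer being activated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as administrator" and try again.'
}

# Tip: the machine must be on the CSU network (wired or VPN). A plain TCP connect also
# works on the older operating systems listed above, which lack Test-NetConnection.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $client.BeginConnect($KmsHost, $KmsPort, $null, $null)
    if (-not $pending.AsyncWaitHandle.WaitOne(5000)) {
        throw "No answer from ${KmsHost}:$KmsPort within 5 seconds. Check network or VPN."
    }
    $client.EndConnect($pending)      # throws if the connection was refused
}
finally { $client.Close() }

# Tip: KMS is sensitive to clock differences. Print the local clock so it can be
# compared against a trusted time source before activating.
'Clock (UTC): {0:u}   Time zone: {1}' -f (Get-Date).ToUniversalTime(), [TimeZoneInfo]::Local.Id

$cscript = Join-Path $env:SystemRoot 'System32\cscript.exe'
$slmgr   = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
& $cscript //NoLogo $slmgr /skms $KmsHost   # set the KMS host
& $cscript //NoLogo $slmgr /ato             # request activation
& $cscript //NoLogo $slmgr /dli             # display the resulting license information
```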

Obtaining Updates for Windows Computers at CSU:

ACNS maintains a Windows Software Update Services (WSUS) server from which CSU’s Windows computers can receive security patches and updates for various Microsoft software and operating systems. ACNS tests each update prior to approving it for distribution.

To configure your clients to use the ACNS WSUS server, apply the following Group Policy settings to an applicable child domain GPO or to local Group Policy via gpedit.msc:

Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update

  • Configure Automatic Updates: Enabled, 4 – Auto download and schedule the install, 0 – Every day
  • Set the intranet update service for detecting updates: http://sus.colostate.edu:8530
  • Set the intranet statistics server: http://sus.colostate.edu:8530
  • No auto-restart with logged on users for scheduled automatic updates installations: your choice
  • Enable client-side targeting: contact windows@colostate.edu for details
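To confirm that a client actually received the settings listed above, the policy values can be read back from the registry. This is an added example, not part of the original page: the registry value names are the standard ones the Windows Update policy writes, and the expected values are taken from the list above.

```powershell
$wu     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = "$wu\AU"
$server = 'http://sus.colostate.edu:8530'   # value from this page

# Registry values written by the Windows Update policy settings listed above.
# Want = $null marks settings the page leaves to local choice; they are only reported.
$checks = @(
    @{ Key = $wu; Name = 'WUServer';                      Want = $server },
    @{ Key = $wu; Name = 'WUStatusServer';                Want = $server },
    @{ Key = $au; Name = 'UseWUServer';                   Want = 1 },
    @{ Key = $au; Name = 'NoAutoUpdate';                  Want = 0 },   # Configure Automatic Updates: Enabled
    @{ Key = $au; Name = 'AUOptions';                     Want = 4 },   # 4 = auto download and schedule
    @{ Key = $au; Name = 'ScheduledInstallDay';           Want = 0 },   # 0 = every day
    @{ Key = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Want = $null },
    @{ Key = $wu; Name = 'TargetGroupEnabled';            Want = $null },
    @{ Key = $wu; Name = 'TargetGroup';                   Want = $null }
)

$report = foreach ($c in $checks) {
    # A missing key or value yields $null, which is reported as a mismatch when a
    # specific value is expected.
    $value = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
    $state = if ($null -eq $c.Want) { 'info' }
             elseif ($value -eq $c.Want) { 'ok' }
             else { 'MISMATCH' }
    [pscustomobject]@{ Setting = $c.Name; Expected = $c.Want; Actual = $value; State = $state }
}
$report | Format-Table Setting, Expected, Actual, State -AutoSize

$bad = @($report | Where-Object { $_.State -eq 'MISMATCH' })
if ($bad.Count) {
    Write-Warning "$($bad.Count) setting(s) differ. Run 'gpupdate /force', then 'gpresult /r' to see which GPOs applied."
}
```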

If you have any questions about WSUS, would like access to update reports for centrally-updated computers in your environment or would like to be added to the ACNS SUS Admins listserv, please contact Jason Huitt.

Additional information about eID can be found on the eID website.

The information and links below are intended to act as a resource to assist with setting up PCs for use by people logging in with eIDs.


Downloads:


Configuring Login Scripts Using Environment Variable:

  1. Add a Windows system environment variable on the PCs that users will logon to using their eIDs. The variable name and the value it should be set to are below:
    • Variable Name: LoginDomain
    • Value: name of domain (ex: ACNS)
  2. Request that one or more users be added to your department’s admin group
  3. Connect to the Sysvol share at the Colostate root (“\\colostate.edu\sysvol”) as an eID user belonging to the admin group. If you are logged into a PC with your eID you can access the share at “\\colostate\sysvol”. Otherwise, you can connect to the share using the “net use” command as shown below. You will be prompted for a password after pressing “Enter”:

net use * \\colostate.edu\sysvol /user:colostate\[your ename] /persistent:no

  4. Navigate to the folder colostate.edu > scripts > [your child domain]
  5. Modify the .bat and/or .vbs scripts to fit your area’s needs. Note that the .bat file must be named “[login domain]LoginScript.bat”, for example: acnsdemoLoginScript.bat. If you prefer to use vbs login scripts, you must call the vbs script(s) from the bat file. Also, you can use environment variables such as “%username%” to call different scripts for each user.


Profile Linker – “Link” Child Domain Account Profile to an eID Account:

Prerequisites and Notes regarding the Profile Linker

  • Only to be used to link profiles for users on the SAME computer
  • The developer’s documentation is available here
  • Acknowledgements: Developed by Kyle Schultz, former Sys Admin at Cooperative Extension
  • Test and use at your own risk!

Using the Profile Linker

  1. Download the Profile Linker executable from and unzip it to a known location on an “admin” PC. Optionally, you may download the project and modify the code if you want!
  2. Prepare the target PC on which the profile will be copied
    • Verify the user whose profile will be copied has never logged onto the PC using an eID
    • Reboot the target PC so that it is at the logon screen
  3. Logon to an admin PC with an account that has administrative rights on the target PC.
  4. Run the “EIDProfile.exe” application.
  5. Click the “Locate” button to select the target PC. The locate button brings up an Active Directory Object Picker dialog box to be used to select the target computer.
  6. Once the Target Computer is selected, the target PC’s local profiles will be listed in the Selected Profile combo box. Select the source profile from the combo box.
  7. Select the eID account to which the profile should be linked using the Find button in the “Target User” area. This will open an Active Directory Object Picker Dialog which can be used to find and select the appropriate eID account. A user must be selected from the Active Directory Enterprise Forest (i.e., the Colostate.edu root domain). Once selected, the eName should appear in the Selected User textbox.
  8. Optionally, add the eID user to the “Local Administrators” group on the target PC.
  9. Press Link Identity.
  10. When the process has finished, a “Completed Successfully” message will be displayed. The selected profile is now linked to the target eID user so that the next time the user logs in using his/her eID, they should be presented with the same desktop environment they had previously set up with a child domain account.

Configuring GPOs for eID Logins

  • It is recommended you download and install the Group Policy Management Console from Microsoft on the PC or server on which you’ll be configuring GPOs. The GPMC provides an improved interface to review and configure GPO settings.
  • Group policy objects (GPOs) can be created and applied when using eID logins. However, in order to apply the user settings of GPO objects against eIDs, you must enable the “User Group Policy loopback processing mode” (located at Computer Configuration > Administrative Templates > System/Group Policy) and set the mode to “Merge”. In many cases, you may also want to apply GPOs based on a user’s membership in a group residing within your local domain. The recommended process/configuration to accomplish that is outlined below:
    • Create a Universal Group that resides on your child domain.
    • Add one or more eIDs to the Universal Group
    • Create a GPO to enforce loopback processing and apply it against the “Authenticated Users” group. As you create additional GPOs, this GPO should always be listed as the top GPO in the link order.
    • Configure the following GPO setting in the GPO created in the previous step:
      • Computer Configuration > Administrative Templates > System/Group Policy > User Group Policy loopback processing mode: Enabled
      • Mode: Merge
    • Create additional GPO(s) to configure the settings you’d like to implement. Apply the additional GPOs against the universal group created during step 1.

Example PowerShell Script To Copy Group Memberships

The following PowerShell script can be used to add an eID to all groups within your domain that a given child domain account is a member of. The steps to run the script are below. Note that you should run this script with an account that has privileges to manage your domain’s groups.

  1. Download and install PowerShell on the PC or server from which you will be running the script.
  2. Download the script and extract it (from the downloaded zip file) to a known location (for example, C:\Temp).
  3. Using notepad, edit the line of the PowerShell script so that it queries your child domain for the child domain user account (this line is also noted by a comment within the script).
  4. Open Windows PowerShell. Important: In order to successfully run the script, you may have to modify the execution policy within PowerShell by entering the following command:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

  5. Run the script downloaded during step 2 using the following syntax:

.\MigrateEidUserGroupMembership.ps1 [child domain account] [eName]

  6. Verify the eID account has been added to the expected groups.
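One way to carry out the verification in step 6. This is an added example, not the downloaded MigrateEidUserGroupMembership.ps1 script or any CSU-provided code: it assumes the ActiveDirectory PowerShell module is installed, and the child domain name and both account names are placeholders to replace.

```powershell
Import-Module ActiveDirectory

$ChildDomain  = 'yourchild.colostate.edu'   # placeholder: your child domain's DNS name
$RootDomain   = 'colostate.edu'             # root domain that holds eID accounts
$ChildAccount = 'childaccount'              # placeholder: the child domain account
$EName        = 'ename'                     # placeholder: the eID account

# MemberOf lists the groups the child account belongs to. Its primary group
# (normally Domain Users) is not included in this attribute.
$child = Get-ADUser -Identity $ChildAccount -Server $ChildDomain -Properties MemberOf
$eid   = Get-ADUser -Identity $EName -Server $RootDomain

$report = foreach ($groupDn in $child.MemberOf) {
    # Read the group's own member list and look for the eID's distinguished name.
    $group = Get-ADGroup -Identity $groupDn -Server $ChildDomain -Properties member
    [pscustomobject]@{
        Group       = $group.Name
        Scope       = $group.GroupScope
        EidIsMember = ($group.member -contains $eid.DistinguishedName)
    }
}
$report | Sort-Object EidIsMember, Group | Format-Table -AutoSize

# Global groups accept members only from their own domain, so a root-domain eID
# cannot be in a child-domain Global group; expect those rows to show False.
$missing = @($report | Where-Object { -not $_.EidIsMember })
if ($missing.Count) {
    Write-Warning "$EName is missing from $($missing.Count) group(s); check the Scope column."
}
```

If an execution policy change is needed to run a saved script, `Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process` limits the change to the current PowerShell session.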