Connecting Macs to a Windows 2003 Server

Posted by Jeff Knapp

We have a client with two offices: one is a PC shop and the other is a Mac shop. They enjoy a friendly rivalry, and it's up to me to make sure that they play nicely together.

We recently upgraded the servers in the Microsoft shop to Windows 2003 and found that the Mac clients could no longer access the shares over the VPN.

Some googling and experimenting later, and we stumbled upon the issue.

The Samba client that the Macs use doesn't support encrypted communications, and the Windows 2003 server out of the box turns on encrypted communications and prevents anyone who isn't encrypting from accessing its shares.

So, a quick detour through the Domain Controller Security Policy applet in the Administrative Tools folder did the trick.

In there, go to Local Policies / Security Options.

Scroll down to "Microsoft network server: digitally sign communications (always)" and set that sucker to DISABLED.

Reapply the policy by running GPUPDATE (start, run, gpupdate) and sit back in delight as your clients can connect to the shares once again.

Thanks to MacOSXHints and AllInTheHead for the pointers.

Installing Windows 7 for Testing

Posted by Jeff Knapp

A client asked me how to best install Windows 7 for testing. His son is interested in it, and he thought his son's machine could afford being wiped to install the new OS.

I instead told him to use VirtualPC to do the job.

A quick Google later, and I pointed him to these directions as they were as full featured and complete a set as I've seen... and I didn't have to type them myself. :-)

Nice job, Abbas!

Don’t Overlook Scheduled Tasks / AT when cleaning malware…

Posted by Jeff Knapp

One of our clients picked up some sort of infection over the weekend. The sucker was persistent, and after running the usual battery of utilities -- RootkitRevealer, SDFix, ComboFix, Stinger running inside a WinXP PE shell -- we got rid of the thing.

When I checked the post-infection System Event Viewer log, however, I got an interesting message:

Event Type:Error
Event Source:Schedule
Event Category:None
Event ID:7901
Date:1/31/2009
Time:9:00:00 PM
User:N/A
Computer:XXX03
Description:
The At46.job command failed to start due to the following error:
The system cannot find the file specified.

Huh? At46.job? I know the machine doesn't use the AT scheduler... let's see...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\>at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
 1 Each M T W Th F S Su 12:26 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 10 Each M T W Th F S Su 9:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 11 Each M T W Th F S Su 10:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 12 Each M T W Th F S Su 11:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 13 Each M T W Th F S Su 12:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 14 Each M T W Th F S Su 1:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 15 Each M T W Th F S Su 2:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 16 Each M T W Th F S Su 3:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 17 Each M T W Th F S Su 4:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 18 Each M T W Th F S Su 5:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 19 Each M T W Th F S Su 6:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 2 Each M T W Th F S Su 1:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 20 Each M T W Th F S Su 7:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 21 Each M T W Th F S Su 8:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
Error 22 Each M T W Th F S Su 9:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe

And so forth, with hourly jobs listed down thru job 72. (It kept adding duplicate schedules...)

You can see we got the infection eradicated before 9 PM, because the 9 PM AT job shows errors. :-)

For those of you who prefer a GUI, you can see the same thing in the Scheduled Tasks pane in Control Panel.

So, don't overlook the AT scheduler as a place where infection might hide in an effort to replicate itself. This is the first time I've seen it there, and it will be a place I look at from here out...
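
The check described above can be scripted for triage. The following is an added example, not code from the original post: it parses saved `at` output, groups jobs by command line, and flags any command that is scheduled repeatedly or fails to start. It assumes the US-English 12-hour listing format shown above; the column spacing, the backup.cmd job, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `at` listing shown in the post, plus one
# made-up legitimate job (backup.cmd) for contrast.
SAMPLE = r"""Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    12:26 AM      C:\WINDOWS\system32\Hi3TR1uq.exe
        10  Each M T W Th F S Su    9:00 AM       C:\WINDOWS\system32\Hi3TR1uq.exe
        2   Each M T W Th F S Su    1:00 AM       C:\WINDOWS\system32\Hi3TR1uq.exe
        5   Each F                  11:30 PM      C:\scripts\backup.cmd
Error   22  Each M T W Th F S Su    9:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
"""

ROW = re.compile(
    r"^\s*(?P<status>[A-Za-z]+)?\s*(?P<id>\d+)\s+(?P<day>.+?)\s+"
    r"(?P<time>\d{1,2}:\d{2}\s*[AP]M)\s+(?P<cmd>.+?)\s*$"
)

def parse_at_listing(text):
    """Return one dict per job row; header and separator lines do not match."""
    jobs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            job = m.groupdict()
            job["id"] = int(job["id"])
            jobs.append(job)
    return jobs

def triage(jobs, repeat_threshold=3):
    """Group by command; flag commands scheduled many times or failing to start."""
    by_cmd = defaultdict(list)
    for job in jobs:
        by_cmd[job["cmd"].lower()].append(job)
    findings = {}
    for cmd, group in by_cmd.items():
        errors = sorted(j["id"] for j in group if j["status"] == "Error")
        if len(group) >= repeat_threshold or errors:
            findings[cmd] = {"ids": sorted(j["id"] for j in group), "errors": errors}
    return findings

def delete_commands(findings):
    """Emit `at <id> /delete` lines for review; nothing is executed here."""
    return [f"at {i} /delete" for f in findings.values() for i in f["ids"]]

if __name__ == "__main__":
    found = triage(parse_at_listing(SAMPLE))
    print("\n".join(delete_commands(found)))
```

An Error status on a flagged command, as with job 22 here, usually means the target file is already gone while the schedule entry remains and still needs deleting.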

