Wednesday, April 23, 2014

Create an IIS Manager User Account (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Add an IIS Manager user account in IIS Manager when you want to allow a user to connect to a site or an application on your server, but you do not want to create a Windows user account or add the user to a Windows group. IIS Manager user credentials consist of a user name and password that are created in IIS Manager and are used exclusively for IIS Manager to access the IIS configuration files.
After you create an IIS Manager user account, you can allow the user to connect to sites and applications. The user can then configure delegated features in those sites and applications.
For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see IIS Manager Users Feature Requirements (IIS 7).
Exceptions to feature requirements
  • None.
  1. Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
  2. In the Connections pane, click the server node.
  3. In Features View, double-click IIS Manager Users.
  4. On the IIS Manager Users page, in the Actions pane, click Add User.
  5. In the Add User dialog box, in the User name box, type a user name.
  6. In the Password and Confirm password boxes, type a password.
  7. Click OK.


Configuring IIS Manager Users (IIS 7)


Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Create an IIS Manager user account when you want to allow a non-Windows user to configure delegated features in a site or an application in IIS Manager. After you create the IIS Manager user account, you can allow the user to connect to sites and applications in which you want them to manage delegated features.
For information about the levels at which you can perform these procedures, and the modules, handlers, and permissions that are required for these procedures, see IIS Manager Users Feature Requirements (IIS 7).


Configure the Web Server to Redirect Requests to an Exact Destination (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Configure the redirection destination to be an exact destination when you want to change the default redirection behavior. When you configure the destination to be an exact destination, all incoming requests are redirected to the exact destination instead of the relative destination. This is useful when you want all requests to be redirected to the same Web page, such as when a site is down for maintenance or when it is undergoing construction.
Note
You must first enable redirection and configure the redirection destination. For more information about how to enable redirection and configure the destination, see Configure the Web Server to Redirect Requests to a Relative Destination (IIS 7).

For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see HTTP Redirection Feature Requirements (IIS 7).
Exceptions to feature requirements
  • None
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing the configuration files directly, or by writing WMI scripts.
  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI based on your IIS administrative role, see Navigation in IIS Manager (IIS 7).
  2. In Features View, double-click HTTP Redirect.
  3. On the HTTP Redirect page, under Redirect Behavior, select Redirect all requests to exact destination (instead of relative to destination).
  4. In the Actions pane, click Apply.
To configure the redirection destination to be an exact destination, use the following syntax:
appcmd set config /section:httpRedirect /exactDestination:true | false
By default, this attribute is false, but you can specify true for the exactDestination attribute. To do this, type the following at the command prompt, and then press ENTER:
appcmd set config /section:httpRedirect /exactDestination:true
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
The procedure in this topic affects the following configuration elements:
exactDestination attribute of the httpRedirect element
WMI
Use the following WMI classes, methods, or properties to perform this procedure:
  • HttpRedirectSection.ExactDestination property
For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.


How Online Responders Work

Applies To: Windows Server 2008 R2
Most applications that depend on X.509 certificates need to validate the status of the certificates used when performing authentication, signing, or encryption operations. This certificate validity and revocation check is performed on all certificates in a certificate chain, up to the root certificate. If the root certificate, or any certificate in the chain, is invalid, then the certificates below the invalid certificate in the chain are also invalid.
The validation includes the following:
  • Each certificate's signature is valid.
  • The current date and time are within each certificate's validity period.
  • No certificate is corrupt or malformed.
In addition, each certificate in the certificate chain is checked for its revocation status. Revocation checking can be performed by using either a certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) response.

What is OCSP?

The Microsoft Online Responder implements the OCSP protocol, which allows a recipient of a certificate to submit a certificate status request to an OCSP responder by using the Hypertext Transfer Protocol (HTTP). This OCSP responder returns a definitive, digitally signed response indicating the certificate status. The amount of data retrieved per request is constant regardless of the number of revoked certificates in the CA.
For more information, see RFC 2560, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP" (http://go.microsoft.com/fwlink/?LinkID=71068).

Online Responder

The Microsoft implementation of OCSP—the Online Responder—is divided into client and server components. The client component is built into the CryptoAPI 2.0 library, while the server component is introduced as a new service provided by the Active Directory Certificate Services (AD CS) server role. The following process describes how the client and server components interact:
  1. When an application attempts to verify a certificate that specifies locations to OCSP responders, the client component first searches local memory and disk caches to find a cached OCSP response that contains current revocation data.
  2. If an acceptable cached response is not found, a request is sent to an Online Responder by using the HTTP protocol.
  3. The Online Responder Web proxy decodes and verifies the request. If the request is valid, the Web proxy cache is checked for the revocation information needed to fill the request. If current information is not available in the cache, the request is forwarded to the Online Responder service.
  4. The Online Responder service takes the request and checks a local CRL, if available, and a cached copy of the most recent CRL issued by the CA.
  5. If the certificate does not appear on the local or cached revocation lists, the revocation provider obtains an updated CA CRL, if available, from the locations listed in the revocation configuration to check the status of the certificate. The provider, in turn, returns the status of the certificate to the Online Responder service.
  6. The Web proxy then encodes and sends the response back to the client to notify the client that the certificate is valid. It also caches a copy of the response for a limited time in case there are additional status requests about this certificate.
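The chain checks listed earlier (signature, validity period, revocation) and the cache-first lookup in step 1 can be observed from the client side with the .NET X509Chain class. This is an added example, not part of the original documentation; the function name Test-CertificateChain and the choice of the Cert:\LocalMachine\My store as input are assumptions, and the platform decides whether a CRL or an OCSP response is used for each certificate.

```powershell
# Added example: build a certificate chain twice, first from cached revocation
# data only (Offline), then allowing retrieval over the network (Online).
# Test-CertificateChain is a name chosen for this example.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,

        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode = 'Online'
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # EntireChain requests a revocation check on every element, as the text
    # describes; the .NET default is ExcludeRoot.
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $valid = $chain.Build($Certificate)

    # One row per certificate in the chain, leaf first.
    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'NoError' }

        New-Object PSObject -Property @{
            Mode       = $RevocationMode
            ChainValid = $valid
            Status     = $status
            NotAfter   = $element.Certificate.NotAfter
            Subject    = $element.Certificate.Subject
        }
    }
    $chain.Reset()
}

# Input assumed for this example: every certificate in the local computer's
# personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Test-CertificateChain -Certificate $_ -RevocationMode Offline
    Test-CertificateChain -Certificate $_ -RevocationMode Online
} | Format-Table Mode, ChainValid, Status, NotAfter, Subject -AutoSize
```

Status values to look for are NotSignatureValid, NotTimeValid, Revoked, RevocationStatusUnknown and OfflineRevocation. A certificate that reports RevocationStatusUnknown in Offline mode but NoError in Online mode had no usable cached revocation data and needed a network fetch.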

Monday, April 21, 2014

Configure Desktop Composition on an RD Session Host Server

Desktop composition provides the user interface elements of Windows Aero, such as translucent windows, for remote desktop sessions. By default, desktop composition is not allowed when connecting to a computer running Windows Server 2008 R2.
Important
Because Windows Aero requires additional system and bandwidth resources, allowing desktop composition for remote desktop sessions can reduce connection performance, particularly over slow links, and increase the load on the Remote Desktop Session Host (RD Session Host) server.

Desktop composition is not available for RemoteApp sessions. In addition, the client computer must have the necessary hardware to support Windows Aero features.

Manually configuring desktop composition


To manually configure desktop composition on an RD Session Host server, you need to do the following:
  • Install the Desktop Experience feature.
  • Start the Themes service.
  • Enable the Allow desktop composition for remote desktop sessions Group Policy setting.
  • Set the maximum color depth to 32 bits per pixel.

Install the Desktop Experience feature

For information about installing Desktop Experience, see Install Desktop Experience on an RD Session Host Server.

Start the Themes service

Use the following procedure to start the Themes service on the RD Session Host server.
Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To start the Themes service
  1. On the RD Session Host server, open the Services snap-in. To open the Services snap-in, click Start, point to Administrative Tools, and then click Services.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. In the Services pane, right-click Themes, and then click Properties.
  4. On the General tab, in the Startup type box, select Automatic, and then click Apply.
  5. Under Service status, click Start.
  6. Click OK to close the Themes Properties dialog box.
  7. Confirm that the Status column for the Themes service displays Started.

Enable the Allow desktop composition for remote desktop sessions Group Policy setting

To allow desktop composition when connecting to a computer running Windows Server 2008 R2, you must enable the Allow desktop composition for remote desktop sessions Group Policy setting. The Allow desktop composition for remote desktop sessions Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment and can be configured by using either Local Group Policy Editor or the Group Policy Management Console (GPMC).
For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (http://go.microsoft.com/fwlink/?LinkId=138134).

Set the maximum color depth to 32 bits per pixel

Use the following procedure to set the maximum color depth to 32 bits per pixel on the RD Session Host server.
Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To set the maximum color depth to 32 bits per pixel
  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. Under Connections, right-click the name of the connection that you want to configure (for example, RDP-Tcp), and then click Properties.
  4. On the Client Settings tab, in the Limit Maximum Color Depth box, select 32 bits per pixel.
  5. Click OK. Changes to color depth settings are not applied to sessions that are connected when the change is made. The changes will take effect the next time the user establishes a new connection to the RD Session Host server.
You can also set the maximum color depth by applying the Limit maximum color depth Group Policy setting. This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment and can be configured by using either Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that the Group Policy setting will take precedence over the setting configured in Remote Desktop Session Host Configuration.
For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (http://go.microsoft.com/fwlink/?LinkId=138134).


Desktop Experience Feature

The Desktop Experience feature allows you to install a variety of components and features that are provided in the Windows 7 operating system onto a computer that is running the Windows Server 2008 R2 operating system. After you install Desktop Experience, the Windows 7 components and features, such as Windows Media Player, will appear under All Programs on the Start menu.
Note
Installing Desktop Experience does not automatically turn on any of its features or components. After installing Desktop Experience, you must manually enable or configure the features or components.

For information about installing Desktop Experience, see Install Desktop Experience on an RD Session Host Server.

What’s in the Desktop Experience feature

Desktop Experience includes the following Windows 7 components and features:
  • Windows Media Player
  • Desktop themes
  • Video for Windows (AVI support)
  • Windows SideShow
  • Windows Defender
  • Disk Cleanup
  • Sync Center
  • Sound Recorder
  • Character Map
  • Snipping Tool



WSUS 3.0 SP2 Reports

Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2008 R2 with SP1, Windows Server Update Services, Windows Small Business Server 2011 Standard
You can use Reports in Windows Server Update Services (WSUS) 3.0 SP2 to monitor the WSUS network, including updates, client computers, and downstream servers. If a WSUS server has replica servers, you can roll up client status information for the replica servers to the upstream server.
You can generate update reports from the following areas of the WSUS administration console:
  1. General reports on the Reports page.
  2. Reports about specific updates. (Right-click the update (or go to the Actions pane) and click Status Report.)
  3. Reports on specific computers. (Right-click the computer (or go to the Actions pane) and click Status Report.)
Note
Generating detailed reports for large numbers of computers and/or updates can be memory intensive. Detailed reports are most effective for subsets of computers or updates. If you must create a very large report, and you are concerned about CPU and memory resources on the WSUS server, you can generate the report on a non-WSUS server that has the WSUS administration console installed.

You can generate the following reports in WSUS:

| Report name | Function |
|---|---|
| Update Reports | View update status |
| Computer Reports | View computer status |
| Synchronization Reports | View the results of the last synchronization |

Update reports provide the status of the updates. You can run update reports in the following ways: summary, detailed, tabular, and tabular for approved updates. You can filter an update report by update classification, product, target computer group, and update installation status.
An update report displays information about the most recent contact between client computers and the WSUS server. We recommend that you generate this report the day after you approve updates, so that it reflects the latest approvals.
Note
To immediately connect a client computer to a WSUS server, you can run the wuauclt /detectnow command. This command is mainly used to update the status for a particular computer. After you issue this command on the client computer, you can get the computer status by running an update status report. For more information about wuauclt, see Manage WSUS 3.0 SP2 from the Command Line.

  1. In the WSUS administration console, select the Reports node.
  2. In the Reports pane, click one of the options in the Update Reports section: Update Status Summary, Update Detailed Status, Update Tabular Status, or Update Tabular Status for Approved Updates.
  3. In the Updates Report window, you can select the updates that you want to see by classification, product, computer group, and update installation status.
  4. Click Run Report.
    Note
    See the Update Status Report Terminology for WSUS 3.0 SP2 section for information about the status values that are shown on the report.

  5. To change the view of an Update report to a detail, summary, or tabular view, click Report View in the Updates Report toolbar.
The Update Status Summary view contains the elements that are listed in the following table.

Elements displayed in the Update Status Summary view

| Column name | Description |
|---|---|
| Updates Report tree view | The tree that lists all the updates in the report. |
| Title | The title of the update. |
| Description | The description of the update. |
| Classification | The classification of the update. |
| Products | The products to which the update applies. |
| MSRC Severity Rating | Microsoft Security Response Center rating. |
| MSRC Number | Microsoft Security Response Center identification number. |
| More information | Redirection to the relevant website. |
| Approval Summary for Computer Group | The list of groups and approvals. |
| Group | The computer group. |
| Approval | Approval status (Approved, Not approved, Declined). |
| Deadline | The date by which the update must be installed. |
| Administrator | The administrative action. |

You can roll up the computer and update status from replica servers to their upstream server.
  1. In the WSUS administration console on the upstream server, click Options, and then Reporting Rollup.
  2. Select the Roll up status from replica downstream servers check box, and then click OK.
Note
During the client scan, if the server detects that the client computer changed group membership (or name, IP address, or operating system version), it marks the client computer as needing a full rollup. The downstream server will roll up these changes to the upstream server during the next rollup after scan on the client computer.

Computer reports show you the status of computers. You can run computer reports in four ways: summary, detailed, tabular, and tabular for approved updates. You can also filter a computer report by update classification, product, target computer group, and update installation status.
  1. In the WSUS administrative console, select the Reports node.
  2. In the Reports pane, click one of the options in the Computer Reports section: Computer Status Summary, Computer Detailed Status, Computer Tabular Status, or Computer Tabular Status for Approved Updates.
  3. In the Computers Report window, you can select the updates that you want to see by classification, product, computer group, and update installation status.
    Note that for the Computer Tabular Status for Approved Updates report, the scope of the update approvals and the set of computers that are considered for the report is based on the selected target group.
    • The updates that are considered for the report are those for which the selected target group has direct or inherited approval for installation.
    • The computers that are considered for the report are those that are direct members of the selected target group, and optionally, its child target groups.
  4. Click Run Report.
  5. You can change the view of a Computer report to a detail, summary, or tabular view by clicking Report View in the Updates Report toolbar.
The Synchronization Results report enables you to see synchronization information for the WSUS server for a given time period, including errors that occurred during synchronization and a list of new updates. In addition, you can get general, status, and revision information for each new update.
  1. In the WSUS administrative console, click Reports.
  2. In the Reports pane, click Synchronization Results. By default, the report shows any synchronization that was done today.
  3. To change the synchronization period for the report, in the Synchronization Report window, click Between these dates and specify the dates that you want included in the report.
  4. Click Run Report.
The report has four components, which are described in the following table.

Components of the Synchronization Results report

| Component name | Purpose |
|---|---|
| Report Options | Shows the start and end dates of the period that is shown in the report, the date of the report, and the server for which the report was made. |
| Synchronization Summary | Displays summary information for the numbers of new, revised, and expired updates in each synchronization. |
| New Updates | Displays the new updates that have been synchronized to the WSUS server during the report's time period. You can view the properties for each update by clicking the update. An update status report will be generated for that individual report. |
| Revised Updates | Displays the revised updates that have been synchronized to the WSUS server during the report's time period. You can view the properties for each update by clicking the update. An update status report will be generated for that individual report. |
| Expired Updates | Displays the updates that have been expired during the report's time period. |

You can print the report in update summary, detailed, or tabular views, depending on how you have formatted the update status report.
You can print a report in its original format, or you can export it to Microsoft Excel® or to a PDF format.
Important
Exporting a large report can be extremely time consuming and may exceed your computer's memory resources. If you are planning to export a report, consider limiting the size of the report to 200 pages or fewer. You can use different filters to reduce the size of the report, or you can choose the tabular format rather than the detailed format to reduce the number of pages to export.

  1. Run the report you want to export.
  2. On the report toolbar, click the down arrow associated with the Save icon.
  3. You will see two options: Excel and Acrobat (PDF) file. Click one of the options.
You can customize WSUS reports as follows:
  1. Use the WSUS APIs to create a custom report.
  2. Use WSUS public views to create and extend custom reports.
For more information about WSUS APIs, see the Windows Server Update Services SDK on MSDN. You can use these APIs to create reports for updates, approvals, installation information, and such.
For more information about public views, in addition to sample queries, see the WSUS SDK conceptual documentation on MSDN. If you are using SQL Server as the WSUS database, you can use the SQL Server Report Builder to generate custom reports by using these views, or you can access the views from the command line.
If you are using Windows Internal Database as the WSUS database, you can access it through the command line if you download the Microsoft SQL Server Command Line Query Utility and the SQL Server Native Client. To download and install packages, see the Feature Pack for Microsoft SQL Server 2005 in the Microsoft Download Center.
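As an illustration of the first customization option, the following script uses the WSUS administration API to build a per-computer patch status report that the built-in reports do not provide in one view: computers with failed or still-needed approved updates, plus computers that have stopped reporting. This is an added example, not part of the original documentation; it assumes it runs on a computer with the WSUS administration console installed, and the function name Get-WsusPatchStatus, the -StaleDays parameter and the output file name are chosen for this example.

```powershell
# Added example: custom per-computer patch status report built on the WSUS API.
# Get-WsusPatchStatus and -StaleDays are names chosen for this example.
function Get-WsusPatchStatus {
    param([int] $StaleDays = 7)

    # The assembly is installed with the WSUS administration console.
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

    # With no arguments, GetUpdateServer() connects to the local WSUS server.
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    # Default scopes cover all computers; restrict updates to approved ones so
    # the counts reflect what clients are actually expected to install.
    $computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
    $updateScope   = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $updateScope.ApprovedStates =
        [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

    # Report timestamps are treated as UTC here.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

    foreach ($summary in $wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
        $computer = $wsus.GetComputerTarget($summary.ComputerTargetId)

        New-Object PSObject -Property @{
            Computer      = $computer.FullDomainName
            Needed        = $summary.NotInstalledCount + $summary.DownloadedCount
            Failed        = $summary.FailedCount
            PendingReboot = $summary.InstalledPendingRebootCount
            Installed     = $summary.InstalledCount
            LastReported  = $computer.LastReportedStatusTime
            # A client that has not reported recently may be offline or
            # misconfigured, so its counts cannot be trusted as current.
            Stale         = ($computer.LastReportedStatusTime -lt $cutoff)
        }
    }
}

# Keep only computers that need attention and write them to a CSV file.
Get-WsusPatchStatus -StaleDays 7 |
    Where-Object { $_.Failed -gt 0 -or $_.Needed -gt 0 -or $_.Stale } |
    Sort-Object Failed, Needed -Descending |
    Select-Object Computer, Needed, Failed, PendingReboot, LastReported, Stale |
    Export-Csv -Path .\wsus-patch-status.csv -NoTypeInformation
```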