Ramblings from another nerd on the grid
I was surfing around and stumbled into Chris Henley's blog. In his post at http://blogs.technet.com/chenley/archive/2006/07/13/441642.aspx the question is posed asking how to disable ALL of the local admin accounts on the various machines throughout the network. Smartly, Chris points out a GPO setting that will do this, although I must be getting old because I cannot read it. Chris also mentioned that Jesper's blog talks about this. So I dug around on Jesper's blog and sure enough, http://blogs.technet.com/jesper_johansson/archive/... talks about disabling the local admin account.
However, I think the context was different and I'm going to add my two cents to this discussion. Jesper said to disable the local admin because he wants anyone that needs admin privilege to have a unique admin ID. This is good for identity purposes so that you can tell which admin is doing what. If multiple people use the same admin ID, guess what happens to reasonable doubt in court? So Jesper's suggestion is a very good one.
In the context of the question posed to Chris, it sounds like they want to disable all local admins but still manage the machines with domain admins. Sounds good on the surface.
What happens when there is no network connectivity between the machine and the domain? No administration. What happens when the machine is a laptop and is far from the mother ship and something happens that requires admin privilege? Again, with no network connectivity, the admins can't RDP to the machine, and someone sitting at it cannot log on to the domain (unless cached domain credentials for an admin account already exist on that machine from an earlier interactive logon, which you should not count on).
So think long and hard about the scenarios where you need those controls. In a campus setting with a dense population of users that don't travel, the domain model works well. In a mobile workforce where some self-service might be appropriate, I'm not sure I'd lock those machines down that far.
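Before pushing a policy like "Accounts: Administrator account status = Disabled" to every machine, it helps to know exactly who could still administer a given box with no domain in reach. The script below is an added example, not part of the original post or of either blog it links to. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser and Get-LocalGroupMember, i.e. Windows 10 / Server 2016 or newer) and is run elevated; the function name is mine.

```powershell
# Added example, not from the original post: audit one machine's local-admin posture
# before (or after) a GPO disables the built-in Administrator account.
# Assumes PowerShell 5.1+ with the LocalAccounts module; run elevated.

function Get-LocalAdminPosture {
    # The built-in Administrator account is identified by RID 500, not by its name,
    # because the "Accounts: Rename administrator account" policy may have renamed it.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Members of the local Administrators group. PrincipalSource separates accounts
    # that exist only on this machine ('Local') from domain or cloud principals.
    $members       = Get-LocalGroupMember -Group 'Administrators'
    $localMembers  = $members | Where-Object { $_.PrincipalSource -eq 'Local' }
    $remoteMembers = $members | Where-Object { $_.PrincipalSource -ne 'Local' }

    # Any *enabled* local member of Administrators can still log on and administer the
    # box with zero domain connectivity. With none, offline administration depends on a
    # domain admin's cached logon already being present on the machine.
    $enabledLocal = foreach ($m in $localMembers) {
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled) { $u.Name }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        BuiltinAdminName     = $builtin.Name
        BuiltinAdminEnabled  = $builtin.Enabled
        LocalAdminMembers    = ($localMembers  | ForEach-Object Name) -join ', '
        DomainAdminMembers   = ($remoteMembers | ForEach-Object Name) -join ', '
        EnabledLocalAdmins   = @($enabledLocal) -join ', '
        OfflineAdminPossible = [bool]$enabledLocal
    }
}

Get-LocalAdminPosture | Format-List
```

Run it on a laptop after the GPO applies: if OfflineAdminPossible comes back False, that machine is exactly the "far from the mother ship" case above, and you want a deliberate answer (a managed, uniquely-named local break-glass account, for instance) rather than a surprise in the field.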
What do you think? How do you handle super users?
In case you haven’t noticed, http://www.microsoft.com/windows/virtualpc/default.mspx has a new little tidbit. Virtual PC 2004 is now free. We are also going to make Virtual PC 2007 free. So I’ll save you the trouble of following the links from the page. Go to http://www.microsoft.com/downloads/details.aspx?FamilyId=6D58729D-DFA8-40BF-AFAF-20BCB7F01CD1&displaylang=en and download Virtual PC 2004 SP1 right now.
Merry Christmas!!! Be sure to ask Santa for more memory.
[UPDATE] Blake Handler at http://bhandler.spaces.msn.com/ sent me some email and pointed me to the VMware website. Interesting, now I can get some free goodies from them, too. See http://www.vmware.com/news/releases/server.html. Think anybody would notice if I was using VMware Server to do my demos? Might be a fun test…
One of my favorite features of all time is RPC over HTTP. Most of you are familiar with it because it allows Outlook to encapsulate RPC calls inside an HTTP packet or frame. That frame must of course travel across the internet to your “Front-End” server or proxy. All of that voodoo just makes it trivial for users to check email without first having to deal with a RAS/VPN infrastructure. RPC over HTTP rocks and everyone knows it. But, if you’re like most of the geeks I know, you probably cracked the joke about wanting HTTP over HTTP (HoH).
Guess what? It’s coming. Well, sort of. It isn’t really HTTP over HTTP. Think of it more like fine-grained control of multi-factor authentication across HTTP.
This week I started testing our internal implementation of this new set of technologies using ISA Server 2006 and its ability to provide access to Microsoft internal LOB applications.
I was able to access my team’s SharePoint site, our expense reporting website, the security and email distribution list maintenance site, the bug reporting site, our timecard website and a few other pilot sites. SharePoint is of course pretty easy to publish with ISA Server 2004. However, until ISA 2006 and this pilot, access to many of the other sites required me to use a VPN connection. This also meant that the machine had to be part of the Microsoft corporate Active Directory (AD) Forest in order to allow the IPsec policies to work their magic. Several of my home machines are not part of the corporate forest, so access to the applications wasn’t an option. This is no longer true.
I recently purchased a new Dell Latitude D820. It’s my personal machine and I have no intention of adding it to the corporate forest and allowing SMS to control it. With this pilot however, I was able to simply pop my smartcard into the D820 built-in smartcard slot and go hit the portal website (see login screen shot). I modified the screenshot and removed our DNS name. Sorry.
The first time I went to this website, IE7 complained about the SSL certificate presented. Since my machine is not part of the corp forest, it doesn’t have the root CA certs already installed, so the certificate path wasn’t trusted. This is of course easily fixed by installing the root cert, which I did. One caveat worth stating: verify the root certificate’s thumbprint against the value your PKI team publishes before you trust it. A user who installs whatever root a site presents to make the warning go away has just trained themselves to accept a man-in-the-middle, which is the very thing the warning exists to catch.
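Here is what "install the cert" looks like when the thumbprint check is not optional. This is an added example, not code from the original post or from the ISA Server product; it assumes PowerShell 5.1 or later with the PKI module (Import-Certificate), an elevated session, and a hypothetical exported root certificate file and expected SHA-1 thumbprint supplied by the caller.

```powershell
# Added example, not from the original post: add a corporate root CA to the machine's
# Trusted Root store only after its thumbprint matches a value obtained out of band.
# Assumes PowerShell 5.1+ with the PKI module; run elevated. Paths/thumbprints are placeholders.

function Install-PinnedRootCert {
    param(
        [Parameter(Mandatory)] [string] $Path,               # exported .cer (DER or Base64)
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # SHA-1 hex as Windows displays it
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # A root must be self-issued. Refuse an intermediate or a leaf that someone handed
    # you "to fix the warning"; those do not belong in the Root store.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed root: subject '$($cert.Subject)', issuer '$($cert.Issuer)'"
    }

    # Normalize both thumbprints (drop spaces/colons, upper-case) before comparing, so a
    # value copied from a web page or e-mail compares correctly.
    $norm = { param($t) ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    if ((& $norm $cert.Thumbprint) -ne (& $norm $ExpectedThumbprint)) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint. Not installing."
    }

    # Only now place it in the machine-wide Trusted Root store.
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    "Installed '$($cert.Subject)' (valid until $($cert.NotAfter))"
}

# Usage (placeholder values; replace with your PKI team's published thumbprint):
# Install-PinnedRootCert -Path 'C:\temp\corp-root.cer' `
#     -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

The function deliberately throws rather than warns on a mismatch, so that a scripted rollout to several home or non-domain machines cannot silently trust the wrong root.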
I should also mention that before being presented this screen, you are prompted for the pin to the local smartcard cert. Ah, multi-factor is a good thing.
After logging in, we get a custom webpage with the listing of supported websites. It isn’t wide open so I am not able to access resources like the daily Windows Vista .iso’s or another personal SharePoint web I have.
I did submit my expense reports Thursday across the connection. It was very nice to not have to VPN. Ok, I’m lazee.
I’ll be really impressed if we can rethink access to our product servers. Today, most of the betas I download are via a VPN connection using the SMB protocol. I would jump up and down for joy if I could use HTTP to grab the Windows Vista DVD .iso file from our internal servers. I’m guessing I’d see a huge improvement in performance by doing that. Improvement equals time. Time is money.
So where do you get more information on how to work this magic?
You should definitely check out the small whitepaper on ISA Server 2006 Web Proxy. That’s the official name. Download the whitepaper at http://www.microsoft.com/isaserver/2006/prodinfo/Web_Proxywp.mspx. It’s about twenty pages and will give you some decent descriptions of the HTTP filtering process, SSL bridging, the event and alert models, proxy caching, etc.
Next, make sure to check the TechNet resources on your subscription or at the http://www.microsoft.com/technet/prodtechnol/isa/2006/beta.mspx location. This link will of course change when ISA Server 2006 ships and considering it’s already in release candidate status, that isn’t too far off.
By all means download the product and install it. See http://www.microsoft.com/isaserver/2006/beta.mspx for access to the release candidate bits. The Enterprise and Standard Editions are sitting there begging you to try them. Don’t forget you can test a wide variety of scenarios using our Virtual PC or Virtual Server 2005 R2 products. Virtual Server 2005 R2 is free so what’s your excuse?
That’s not all !!!
Don’t want to download and install? Don’t!!! Go to http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx and run the virtual labs to see how to do secure application publishing.
Hugh has some really funny cartoons and business cards. If you’ve looked at his blog, you’ll notice he’s got more talent than most companies. What would you ask him to draw for your card? Or better yet, what would people tell him to draw for you? Now that might be fun.
For the record, I had cats in college. I had a cat after college. I like some cats. Some cats are kewl.
However, dogs still rule. I’ve had little, medium and big dogs. Elvis is my current dog. Elvis is kewl. Elvis has a blog. He doesn’t write much, but he’s busy doing dog stuff. Elvis is famous for interrupting my webcasts with well timed rants. He really can’t help it. The darn UPS guy always wakes him out of his slumber with the front door package thump. He doesn’t like that much.
Small dogs rock. They don’t drool as much. They don’t take up the whole couch. They don’t poop as much. And they don’t drink as much beer.
[NOTE] No cats or dogs were harmed during the writing of this post.
I’m looking for a 100 or 120GB 7200rpm 2.5” SATA drive for my Dell Latitude D820. If you see such a drive here in the USA at a reasonable price, and it is in stock, will you please reply and let me know where? It would seem those drives are in short supply right when I’m ready to buy. Oh, and the price needs to be below $200. I’ve already got some back-in-stock watchers on zipzoomfly.com, buy.com and a few others.
[UPDATE] Ordered at Newegg.com today for $159. Now I can have some fun with Vista, SUSE, or whatever.
I meant to post this a couple of days ago but since I have time today, I'm getting around to it. Why do I have time? Well, because I am fixing the virtual machine from hell and some of those copies and installs take a long time.
So back to the topic... I was wondering if you are seeing excellent, good, ok, or bad service from the shipping companies you use? I started to notice over the course of the past year that every time I specified overnight shipping, I never got my goodies overnight. To be fair, I'm talking about overnight from the time the shipping company picks up the package to delivery at my door. The last time this occurred was a few weeks ago when I ordered some stuff through our internal procurement website.
That was the last time I'll ever use overnight shipping.
I talked to the shipper customer service and they are of course very sympathetic. I asked why the package didn't arrive on time, where it was, when to expect it, etc. I mentioned that none of the overnight packages for the past year arrived on time. I didn't ask for a refund, and guess what, one wasn't offered. It was almost as if they were treating this as business as usual.
Is it? Is this what you are seeing?
Last week, I ordered a new laptop SATA drive from newegg.com. I ordered it on Monday because the drive was finally in stock. It shipped the next day, although it shipped pretty late in the day. I specified 3 day shipping on the order. I still don't have the drive. If you look at the tracking there was a delay. It says, "A LATE TRAIN CAUSED THIS DELAY".
Well, at least they're starting to get creative. I called newegg on Friday and asked for a shipping refund. They obliged without issue. So when this occurs, who is penalized? I certainly don't want this to hurt newegg.
Does that refund end up coming from the shipping company? How are shipping service level agreements tracked and measured? Does someone have the skinny?
As you'll recall, back in March I did a fairly detailed post about storage management. In that post I demoed via a screencast the String Bean Software WinTarget software we acquired. Lots of questions are starting to surface about this technology. This is probably due to the fact that we are in the timeframe we said to expect a release. So here's an update on what's going on.
First, if you head over to the Microsoft Download Center, you'll notice in May we released Microsoft iSCSI Software Initiator Version 2.02 build 1895. This is the client side implementation of iSCSI and you'll see the list of supported operating systems. Pretty much every OS we still support is in the list with a notable exception. My favorite, Windows XP Media Center Edition 2005 isn't listed. I think it's probably an oversight. Or at least I hope so. Later this year I'll try it out and see. By then I'll be running Windows Vista Ultimate anyway and the initiator comes with it.
Second, please take the time to re-read our announcement on the acquisition of WinTarget. As you can see in the fourth paragraph, we will not be selling the iSCSI target technology per se. This technology is being integrated in the Windows Storage Server product line. After we get done with our part, we'll hand the operating system and technologies over to the storage partners we have. They'll need some time for final testing, integration and certification of their solutions. I fully expect to see those solutions early this fall, long before Santa Claus comes to my house. Hopefully he'll bring me a nice little SAN.
For more information, stay tuned to http://www.microsoft.com/storage.
I wanted to thank everyone who attended my webcast last week on Windows Vista Deployment (imaging). As you know, the content I received from our corporate group had some defects so I spent the time to create an environment that would hit the main points and then some. From the feedback I received, it appears I hit the mark. You can view the on-demand version at http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032301598. I did some testing during that webcast of streaming performance and I’ll be dialing things back a tad next time to improve the screen writes.
However, I am unsatisfied. Sixty minutes on that topic doesn’t do it justice. In fact, there are some key aspects of the imaging process we still did not cover. I promised the live audience I would do a comprehensive blog post to fill in ALL of the details and I will. But, I wanted to give you an idea of the schedule I have for the next few weeks to set some expectations.
First of all, in a few hours I’ll be flying to Seattle for the yearly pilgrimage to the motherland. It’s a training event we call TechReady. Normally I go there in January but we decided to go in the summer because we want to see the latest and greatest on Windows Vista, Office 2007, Office Servers, Groove, Exchange Server 2007, Longhorn server, etc.
Second, after I get back I’ll be wrapping up the final training associated with our next round of seminars. We start those seminars on 8/8. You can sign up for the US TechNet Events at http://www.technetevents.com/. We’ll be discussing Windows Vista, Exchange Server 2007 and Exchange Server 2003. The content is looking great so come on out. You’ll be able to see each of the twelve Windows Vista demos here by 8/9 so that should keep you occupied. Actually, I’ll probably throw back in the 2–3 demos I cut.
I’ll be in New York on 8/10 to watch Michael J Murphy strut his stuff with our new content. He might share the stage, but if not I’ll be working the audience. I love going to New York. I haven’t seen a show there in a couple of years so I’ll probably see one that evening.
Next, I head south to Florida and visit top presenter and wild man, Blain Barton. Blain, get the boat gassed up. I’m going to watch Blain amaze the crowd in Tampa on 8/15.
I get a break the week of 8/21 before I finish the month in Oklahoma delivering my own events in Tulsa on 8/29 and Oklahoma City on 8/31.
After I get done with the above, my focus will be on the creation of a world class blog post on Windows Vista imaging. It will include 5–7 detailed demos I’ll capture using Camtasia. I promise it will rock. That’s a big promise. Hold me to it. I will try to get it done by 8/28 but don’t hold me to it.
Now for the bad news. On 8/4, I was scheduled to deliver a webcast on Windows Vista Corporate Deployment. That material had some defects and isn’t using the Business Desktop Deployment 2007 tools so I asked for it to be placed on hold until it can be revised. It’s probably going to disappear from the http://www.microsoft.com/events website next week. Even if the content is fixed in a timely manner, I’ll do a kewl blog post on that subject, complete with streaming media demos.
He with the fastest device wins, right? Ok, maybe your device is getting smoked by your girlfriend’s. If you want to check how that little speed demon is doing, go to http://text.dslreports.com/mspeed?jisok=1 from the browser on your SmartPhone or PocketPC device and run some tests.
If you are a Sprint PCS EVDO customer, you currently rule the roost according to the results at http://text.dslreports.com/mspeed?domains=1. Verizon is in second place although it appears they have twice as many samples which of course brings their average down. Some of the other US carriers aren’t showing too well. This is of course because they are still rolling out HSDPA, UMTS and other competing technologies.
UPDATE: I tested last night and was getting 300–350kbps here on my couch. During the day in my home office, I was getting 450–550kbps speeds. Just a moment ago, I ran a couple of tests again from the couch and got 700 and 735kbps respectively. I guess I’m not in such a dead zone after all. It was rainy and humid yesterday. Maybe the air was soo thick it was cutting my speed in half. Yea, that’s it.
Ever since Doom3 made it to the store shelves, I’ve used it as a test platform. The opening sequence gives you some idea of how well the operating system, video driver, and video card handle a rather resource intensive game. I also test with Half Life 2. I tested the HP nc8000 when we got them. The Mobile Radeon 9600 does a decent enough job to play the game at a good screen resolution with full shading and such.
The Lenovo ThinkPad T60 and my Dell Latitude D820 also do a great job. However, installs are a pain in the rear. What is up with the DVD drives that come in laptops these days? I had problems with the Doom 3 Disk 2 in both the T60 and D820. Have the laptop makers cut corners and the drives aren’t up to spec or what? I ended up installing from my external Sony DRX-710UL.
Anyway, time to dig around on the Doom3 sites and see how to use wide screen formats for the game. If someone has a link to a FAQ on the subject, let me know. I’d love to save some time. Also, if you have any other recommended config file settings, let me know about those, too. It’s been so long since I tweaked my home gaming machine, I forgot which settings I tweaked for screen tearing and better fluid movement. Thanks.
http://support.microsoft.com/lifecycle/?p1=6513 Should we be happy, sad or mad?
Who do you know still running Windows 95 or Windows 98? Why?
During the July 4th celebrations, Dell quietly started a new blog at http://one2one.dell.com/. You should check it out. Strange that netcraft.com can’t tell me what they are running the blog on. If someone figures out that platform and blog software they are using, let me know.
Microsoft ActiveSync 4.2 is the latest sync software release for Windows Mobile-based devices. ActiveSync provides a great synchronization experience with Windows®-based PCs and Microsoft Outlook right out of the box. ActiveSync acts as the gateway between your Windows-based PC and Windows Mobile-based device, enabling the transfer of Outlook information, Office documents, pictures, music, videos and applications to and from your device. In addition to synchronizing with a desktop PC, ActiveSync can synchronize directly with Microsoft Exchange Server 2003 so that you can keep your e-mail, calendar data, tasks and contact information updated wirelessly when you’re away from your PC.
Changes in ActiveSync 4.2 help resolve connectivity related issues with Microsoft Outlook, proxies, partnerships, and connectivity.
ActiveSync 4.2 supports PC sync via USB cable, Bluetooth, or infrared connection.
But let’s face it, the Ferrari F430 isn’t. Therefore, I am going to side with Italy for the big game. Sorry France, but I have to pick someone and they make the Ferrari. Oh, and I am totally kidding about football boredom.
How would you like to be one of those security guys with the red shirts that stand between the field and the crowd? They’re only outnumbered 2000:1. What are they supposed to do anyway?
Go Italy!!! Win big!!!
[UPDATE] Congratulations to all of the teams with a special congrats to Italy. It’s a shame someone has to win.
Sadly, they have posted the June "Best Of" TechNet webcasts. I am sad because I am no longer the top of the list like I was in May. It would help if I had actually delivered a webcast in June.
Ha!!! Bad doggie. :)
Anyway, go see the June webcasts. As you're doing that, pay attention to the website that was setup and the style of delivery for the "Best Of" series. Dean Andrews would love some feedback on this project.
Have you ever looked at your Windows Mobile device and wondered what all of those little indicators mean? What? You mean you didn't read the fabulous manual (rtfm) and memorize the indicator section? Now you don't have to.
Mike Calligaro posted some great information on the subject to the Windows Mobile team blog about the indicators. Interesting stuff. I'd like some indicators to tell me when my connection is smoking fast or sucking wind.