The Sean Blog

2008 Certification Posters

I was playing around with Trika's skydrive (wait a minute, that sounded better in my head)... and see that she has uploaded three very nice looking posters showing the various courses, tests and certifications available for SQL Server 2008, Visual Studio 2008, and Windows Server 2008.  Apparently she was running short on green by the time she got to the Windows Server 2008 poster...

Download the PDFs here: http://cid-17971e0c952a3d0a.skydrive.live.com/browse.aspx/MSFT_Certification

Microsoft Baseline Security Analyzer update released. Now with 64-bits!

I see over on Matt's blog that MBSA 2.1 has been released, with the following new features:

• Windows Vista and Windows Server 2008 compatibility
• New revised user interface
• 64-bit support
• Improved Windows Embedded support
• Compatibility with Microsoft Update, Windows Server Update Services 2.0 and 3.0, the SMS Inventory Tool for Microsoft Update (ITMU), and SCCM 2007.

What is MBSA 2.1?

Microsoft Baseline Security Analyzer (MBSA) 2.1 is an easy to use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common administrative vulnerabilities and missing security updates on your computer systems.

What new features are included in MBSA 2.1?

MBSA 2.1 provides full support for the latest Windows Update Agent (WUA) clients installed by Microsoft Update and Windows Server Update Services (WSUS) servers. MBSA 2.1 also provides an updated graphical interface for Windows Vista and Windows Server 2008, full-64-bit installer, MBSA tool and vulnerability assessment (VA) check support, as well as revised and updated VA checks for SQL Server 2005 and Windows XP Embedded platforms.

Download here: Microsoft Baseline Security Analyzer 2.1

Read the FAQ here: MBSA 2.1 Frequently Asked Questions

Read more about MBSA here: Microsoft Baseline Security Analyzer Home

Why can I not compress AND encrypt a folder in Windows?

Just a random bit of knowledge to share here :)

If you open the Advanced Attributes of a folder (right-click on it, choose properties, then click Advanced...), you have the option at the bottom of the window to either compress the contents to save disk space, or encrypt the contents to secure data.

Judging by the check-box options instead of radio buttons, you might think that you can select both options, but you cannot.  Bad UI aside, why is this?

According to Wikipedia's article on File Compression (http://en.wikipedia.org/wiki/File_compression):

Lossless compression algorithms usually exploit statistical redundancy in such a way as to represent the sender's data more concisely with fewer errors. Lossless compression is possible because most real-world data has statistical redundancy. For example, in English text, the letter 'e' is much more common than the letter 'z', and the probability that the letter 'q' will be followed by the letter 'z' is very small.

<snip>

However, lossless data compression algorithms will always fail to compress some files; indeed, any compression algorithm will necessarily fail to compress any data containing no discernible patterns. Attempts to compress data that has been compressed already will therefore usually result in an expansion, as will attempts to compress encrypted data.

So... compression algorithms work their magic by finding redundant data, and replacing the redundancy with a smaller bit of data that can be expanded out to represent that redundant data (yes, the word "redundant" was quite redundant in the previous sentence).  However, data that has been encrypted by a good encryption algorithm should be indistinguishable from random data. 

If there are redundant patterns in the encrypted file, the encrypted data may be subject to cryptanalysis techniques such as Frequency Analysis.  The Encrypting File System (EFS) within Windows uses FIPS 140-evaluated Microsoft Cryptographic Service Providers,so your encrypted data is safe.  Attempts to compress this encrypted data would actually cause the file size to INCREASE.  Good times!

Read more about the Encrypting File System and associated best practices here and here.

SharePoint - Searchier!

It looks like we have posted nearly 17 hours of training videos for enterprise search on TechNet. The presentations provide details about key enterprise search capabilities in Microsoft Office SharePoint Server 2007.

• Module 1: Workshop Overview
• Module 2: Enterprise Search Overview
• Module 3: SharePoint Search 2007 Walkthrough
• Module 4: Search Architecture and Deployment Scenarios
• Module 5: Crawl and Query Processes
• Module 6: Relevance Ranking
• Module 7: Customizing the End-User Experience
• Module 8: Developing Search Solutions
• Module 9: Business Data Catalog Search
• Module 10: Extensibility and Integration for Search
• Module 11: Search Administration
• Module 12: Security for Search
• Module 13: Performance Scalability and Capacity Planning for Search
• Module 14: Search Operations

Microsoft Operations Framework (MOF) Job Aids released

As I mentioned in an earlier post, the recently released Microsoft Operations Framework (MOF) v.4 is extraordinarily helpful from a practical standpoint in running your IT organization.  I'm glad to see that they just released the job aids and templates that accompany the documentation available with MOF.  From the Microsoft Operations Framework Job Aids page:

Microsoft Operations Framework 4.0 is designed to help IT professionals quickly access useful, relevant content. It contains practical guidance—not just theory—and its streamlined approach makes it possible to use either the entire framework or one process from a particular service management function (SMF).
In a similar fashion, these job aids are intended to provide tools that IT professionals can put to immediate use. Job aids are most often in the form of templates and examples; these items can be tailored to meet the needs of specific organizations and activities.
The job aids are packaged by MOF phase, so IT pros can choose the tools that are likely to be most useful given the task at hand. Here is a list of what is available within each package:

• Manage
  • Change Management Forward Schedule Template
  • Request for Change Template
  • Risk Template Tool
• Plan
  • Operating Level Agreement Template
  • Operations Level Agreement
  • Privacy Policy Sample
  • Service Level Agreement Template
  • SIP Service Catalog Sample
• Deliver
  • Functional Specification
  • Migration Plan
  • Site Deployment Project Plan
  • Test Cases Workbook
  • Test Plan
  • Test Specification
  • Training Plan
  • Vision Scope
• Operate
  • Incident Management Ticket Template
  • Operations and Services Description Template

This collection of job aids will be expanded on an ongoing basis, supplying tools for IT professionals to use throughout the IT service lifecycle.
Send questions or feedback to us directly at mof@microsoft.com

Download the job aids here.

Group Policy Documentation Survival Guide

The latest version of the links below can be found here, or download a PDF version here.  Don't ask me where they got that US-Army-looking-font in the PDF... it probably wouldn't have been my first choice ;)

I did it! (also known as the June TechNet Magazine)

One of the best parts of working at Microsoft is the amazing discussions and debates that take place on our internal Discussion Lists.  A few months ago, the greatest security minds at Microsoft were undergoing a hot and heavy debate on Security by Obscurity.  Does it make sense to rename the Administrator account?  Change the listening port for well known services such as SQL?  In the midst of my debate, I courageously joined the discussion with my opinion...

"Hey!  This debate would make for a great story in TechNet Magazine!"

One thing led to another, their people talked to... someone else's people, and before you knew it... Voila!  Roger Grimes, Jesper Johansson, Steve Riley, and Aaron Margosis are duking it out in the cover story of the June TechNet.  Good times!

June 2008

Security: The Great Debate: Security by Obscurity

Security by obscurity involves taking measures that don't remove an attack vector but instead conceal it. Some argue that this is a bad practice while others claim that as part of a larger strategy, every bit counts. The debate is quite heated, and some of our finest security experts face off, explaining security by obscurity and presenting both sides of the debate. Jesper M. Johansson and Roger Grimes

Security: New Elevation PowerToys for Windows Vista

Michael Murgolo is back with an update to his Elevation PowerToys. You'll find enhanced Run as Administrator functionality that works with third-party scripting tools, a way to replace a handy Windows XP feature removed from Windows Vista, and many more useful tools. Michael Murgolo

Security: Advances in BitLocker Drive Encryption

Windows Vista SP1 and Windows Server 2008 introduce important changes to BitLocker, including support for data volumes and improved protection against cryptographic attacks. Byron Hynes explores the new features, demonstrates how to use BitLocker on a server, and discusses some of the recent media coverage affecting BitLocker. Byron Hynes

Security: Application Lockdown with Software Restriction Policies

When you want to reduce the total cost of ownership of the desktop machines in your organization, application lockdown can be a great help, letting you limit IT issues related to unsupported applications. See how you can use software restriction policies and Group Policy to control the applications being run throughout your IT infrastructure. Chris Corio and Durga Prasad Sayana

Security: Managing the Windows Vista Firewall

The recent update to the Windows Vista Firewall offers some impressive new features that make it a compelling choice for the corporate environment. Jesper Johansson gives a brief overview of the evolution of the Windows Firewall and delves into enhancements—such as new rules and profiles, domain isolation, and encryption—that will have administrators taking a closer look. Jesper M. Johansson

Security: Secure E-Mail Using Digital Certificates

Secure Multi-Purpose Internet Mail Extensions let you hide information in transit, validate senders, and authenticate messages. Learn how to secure e-mail using digital certificates and how to troubleshoot problems you may encounter on your S/MIME system. Matt Clapham and Blake Hutchinson

WorldWide Telescope Released

Wow.  Microsoft Research's WorldWide Telescope must be seen to be believed.  Make sure your kiddoes are handy, because they will love this.

Experience it here:

http://worldwidetelescope.org

Installing Ubuntu 8.04 Hardy Heron in Virtual PC 2007

A picture is worth a thousand words...

"An unrecoverable processor error has been encountered.  The virtual machine will reset now."

It looks like Ubuntu isn't the only one with this problem... Fedora 9 releases tomorrow and according to this post, it has the same error in Virtual PC.  Whatever happened to Linus' Law? (given enough eyeballs, all bugs are shallow).  I guess enough eyeballs writing kernel code are not doing so on Virtual PC.  ;)

Fortunately, the fix is covered in the comments (and summarized by Robert) from Arcane Code's excellent article, aptly named Installing Ubuntu 8.04 under Microsoft Virtual PC 2007.

Using guidance from a number of participants on this blog I’ve successfully managed to install Ubuntu 8.04 on two separate PC’s running VPC 2007 and I have it running at 1152 X 768 @ 55Hz with working sound.

The notes below are nothing original, they are just summarized from previous entries and maybe clarified.

To get the CD to load,
Press F4 to select an alternate starting mode. When it pops up, change to Safe graphics mode and press Enter.
Select F6 and add “noreplace-paravirt” to the end of the command line and press Enter.
Now pick “Try Ubuntu…” (should already be selected) and press enter. Do NOT pick the Install Ubuntu option,

Once Ubuntu is loaded from CD, select install from the desktop and it’ll build the system on the VPC disk.
After you press restart, it just kind of hangs there. I shut the VPC session down and told it to save state, then started it again and it booted fine.

Once it gets to GRUB, interupt the boot and add the “noreplace-paravirt” to the kernel boot line.

1. Press “esc” while grub is visible.
2. You should now see 3 entries to select from. Leave the first one “Ubuntu 8.04, kernel 2.6.24-16-generic” selected and press “e”.
3. On the next page, select the second entry that reads “kernel /boot/vmlinuz…” and press “e” again.
4. You will see a command line that ends with “xforcevesa”. Hit “space” and add “noreplace-paravirt” (without the quotes) to that line and press “enter”.
5. You are now back at the previous selection screen with the entry “kernel /boot/vmlinuz…” still selected. Now press “b” and it should boot correctly.

Once Ubuntu has loaded, open a terminal window (Applications. Accessories, Terminal) and on the command line enter “sudu nano /boot/grub/menu.lst”
Enter your password and page down to near the bottom and locate the “kernel /boot/vmlinuz… in the “Ubuntu 8.04, kernel 2.6.24-16-generic” section

Move the cursor to the end of the line after xforcevesa and add “noreplace-paravirt” (no quotes)
Ctrl + O to write out, enter to accept the name, Ctrl + X to close

While you’re editing, you might as well fix the sound while you’re at it.

sudo nano /etc/rc.local

At the end of the # lines, but before “exit 0″, type on a new line (again without quotes) “modprobe snd-sb16″
Ctrl + O to write out, enter to accept the name, Ctrl + X to close.

Reboot Ubuntu. The reboot should be clean, and the sound icon should come up without an error indication.

Screen size is a little tricky. Go to http://arcanecode.wordpress.com/2008/04/07/installing-ubuntu-804-beta-under-virtual-pc-2007

Find the entry from pb dated April 27 and cut the xorg.conf file from this entry and past it into the Ubuntu text editor. (Applications, Accessories, Text Editor). Save the file as xorg.conf in your user folder.

Open a terminal window.

Backup the old version of xorg.conf
sudo cp /etc/X11/xorg.conf /etc/X11/xorg.conf.backup

Copy the new one you created to the same location
sudo cp xorg.conf /etc/X11/xorg.conf

Reboot.

When Ubuntu reboots, your get a black screen with a X in the middle, then you’ll get a dialog message to saying “Ubuntu is running in low graphics mode, screen and graphics card coud not be detected”.

Take the option to configure graphics mode.
In the drop down where it says plug & play, select “Monitor 1280 X 1024″.
Select 1280 X 1024 @ 60Hz as your resolution.
Select Test
You should get a larger ‘gray’ window with option to keep the confguration. Select the option to keep it.

Ubuntu will start as normal and will be exactly the same size as before. Before you reboot, take alook at /etc/X11/xorg.conf …. it’s not the one you just created. Creating the new one appears to force Ubuntu to create a new one with more options.

Reboot again and you shold have a Ubuntu session runing at 1152 X 768 @ 55Hz.

Last couple of things…. in System, Preferences, Sound, set the playback options to ALSA. It’s pretty crappy but works better than OSS and certainly better than Auto detect which generates a stream error when you try to play MP3’s or movies.

Whew!  That's a lot of text.  I'll leave you with the new Ubuntu desktop background, which is pretty cool in a orange-brown-must-be-the-new-black kind of way.

Operate IT like a pro

I have been agonizing over this post for the last week and a half. I do my best in this blog to not post entries designed just to make me look smarter... I hope that you can use these posts to make your life easier, do your job better, and maybe have some more time to spend with the kiddoes.  This particular post is about the release of MOF (Microsoft Operations Framework), one of the best kept secrets at Microsoft. However, most of the announcements about its release that have come out in the last week have been (necessarily) acronym/buzzword-heavy.  From the release announcement on the MOF blog:

The practical guidance in MOF 4.0 features processes; governance, risk, and compliance activities; management reviews; and best practices from Microsoft Solutions Framework (MSF). Finally, to ensure industry alignment, MOF 4.0 supports the best practices found in frameworks such as ITIL, CoBIT, and ISO 20000.

Best Practices was used twice in two sentences there, so you know this must be something that piques my interest :)  I will try to ensure that I answer the question "Why do I care?" in the post below.  In short, as you/your company/your network progress in maturity from a few computers in a workgroup to a network with a helpdesk, change management policies, and alignment to the business; wouldn't it be helpful to have a guide with the best practices in establishing these functions?

Enter... MOF.  As you can see in the graphic below, MOF touches on quite a bit.  If you are the CIO/CTO of a company, it is possible that you will have experience with all of the areas below.  If you are Joe IT Pro, it is likely that you only work in one particular area.  Wouldn't it be helpful if there was a guide you could read in 20-30 minutes that would let you know the Roles, Responsibilities, and Deliverables of any particular function within a well-run IT organization?

Whereas the previous version (v.3) of MOF went into an AMAZING amount of detail about people and process, the Service Management Functions (SMFs) of MOF v.4 are designed to be read in a relatively short amount of time, and give you everything you need to start working in that area. You no longer need a PhD in Organization Psychology, or a Master's in Project Management to start working on a project or planning for risk.

Why do you care?  That entirely depends on your experience, what change initiatives are underway in your company, and where you may fit within those initiatives.  I'll tell you why I care... Recently, I have been working with a number of Junior Project Managers.  While they had worked on "projects" before, they did not have a knowledge of formal project management methodologies, such as those used by the Project Management Institute.  While different project management methodologies name their phases differently, the basic progression is the same.  For reference, the PMI and MOF phases are as below:

I decided to dive into the "Deliver" phase of MOF to level-set my PM on my expectations for project processes and deliverables.

Rather than have my new PM start by reading the Project Management Body of Knowledge (PMBOK) (which could cure the most severe case of insomnia), I had her read through the MOF documents for Envision, Plan, Build, Stabilize, and Deploy.  Each document introduced her to key terms used in a project.  For example:

At this point, we had a common language to discuss the progress of the project.  Next, the document provides useful reference diagrams walking her through the creation and approval of various deliverables.  We now have a good understanding of what documents (Vision/Scope, Functional Specification, Master Schedule, etc) I would expect at which phase of the project, along with who is responsible for each deliverable, and what approvals are needed at each milestone.

At each step of the way, activities and processes list Best Practices to follow.

Best practices:

· Establish fixed schedules. Internal time limits (time-boxing) keeps the project team focused on prioritizing features and activities.

· Use bottom-up scheduling. Estimates for IT projects should be made by those who will do the work. Bottom-up estimating provides better accuracy, accountability, and team empowerment. The result is a schedule that is fully supported by the entire project team.

· Prioritize by using risk-driven scheduling. Risk assessment by the team identifies which features are riskiest. Problems requiring major changes to the architecture can be handled earlier in the project, thereby minimizing the impact to schedule and budget.

Add buffer time to project schedules to permit the team to accommodate unexpected problems and changes. The amount of buffer to apply depends on the amount of risk. By assessing risks early in the project, the likeliest risks can be evaluated for their impact on the schedule and compensated for by adding buffer time to the project schedule.

Finally, we finish up with a review of the key questions that need to be answered, along with the inputs and outputs.  It does not get any simpler than this.

Best of all, MOF is free.  And Awesome.  You can read it online here: http://technet.microsoft.com/en-us/library/cc506049.aspx or download in Word format here: Get the Microsoft Operations Framework 4.0.  The MOF team has also setup an online forum here: http://forums.technet.microsoft.com/en/MOF4/threads/

MOF guidance is contained in 23 documents:

• The MOF 4.0 Overview describes all of the MOF content and its goals. It is the ideal starting place for someone new to the framework or an executive looking for the big picture.
• Four MOF phase overviews have been written primarily for IT managers and directors seeking a better grasp of IT service strategy. The overviews provide an introduction for the phase, describe the service management functions contained within, and detail the management reviews performed during the phase.
• Sixteen SMFs contain specific activities and workflows designed primarily for the IT professionals who will be implementing the activities.
• A glossary gives definitions of terms used frequently in MOF.
• A spreadsheet maps earlier versions of MOF to version 4.0.

I have only scratched the surface of what is included in MOF.  If there is any particular aspect of MOF that you would like me to dive into, please post in the comments and I will write a follow-up post. For other perspectives:

Techlog overview of the MOF announcement

System Center blog MOF announcement

To watch the on-demand Day 2 keynote webcast, click here:  mms://wm.microsoft.com/ms/msnse/0804/33036/MMS2008-Day2-Keynote-bradand.wmv

Installing OpenSUSE 11 in Virtual PC

It's that time again!  Wife's away, and I'm installing Linux distros for fun.  :)  Feel free to click on any of the images below to see them at full size.

Our friends at Novell recently released the second beta of OpenSuse 11 (although all the screenshots in this post are from Beta 1.  It took forever to download, and I am not going to re-download for a beta rev :)  As the installer reminds us, this is a beta.  Expect no support!

You can see what has changed since 10.3 here, although the highlights are:

• Linux 2.6.25, AppArmor 2.3, Xen 3.2.1 RC1
• Alsa 1.0.16
• glibc 2.8 branch
• binutils 2.18.50 SVN
• gcc 4.3 branch
• gdb 6.8
• Perl 5.10
• ConsoleKit 0.2.10
• CUPS 1.3.7
• D-Bus 1.2.1
• NetworkManager 0.7 SVN
• PackageKit 0.2.0
• PolicyKit 0.7
• PulseAudio 0.9.10
• Samba 3.2pre2
• X.org 7.3

• themed installation
• rpm payload switch to lzma (results in smaller rpm packages)
• DVD uses images for installation (speed-up)
• new installation work flow
• libzypp uses a new much faster solver
• German language support on CD media
• Sax2 and YaST Qt frontend are ported to Qt4

The themed installation is quite pretty, and you can't go wrong with Qt.  Suse is also the only distro I have found that JUST WORKS with Virtual PC.  No funky kernel arguments needed for the mouse to work and the graphics to display properly.  They are also not shy about using color in their installer.  Kudos!

For your desktop, OpenSUSE gives you the choice of GNOME, KDE 3 or 4, or XFCE (along with the naked look, if that is your ball of wax).  I have always been partial to KDE, and version 4 adds some neat new features (it has also been ported to QT, uses less memory, and is faster)

Flash, Java, and Acrobat are installed by default, which should probably help with the girlfriend Linux acceptance factor when Youtube comes into the equation.

I wonder where they got the icon for their music package installation screen?  It looks remarkably similar to the much-better-looking iTunes logo... 

I'm just saying...

After finishing the install, I ended up with a strange kernel initialization error of some sort.  Urrrggghhh.  I downloaded the CD (rather than the DVD) of beta 2 (as it did not require BitTorrent).  The rest of the screenshots are from the beta 2 CD.  Even after installing, the Desktop looks very similar to the LiveCD, which may be a side-effect of installing from the CD instead of the DVD.  In any case, KDE4 has some new widget thing.  I did not like widgets from Konfabulator, I did not like them from Apple, I did not like them in Vista, and I do not like them in OpenSuse.  The stupid fade effect in the "Add Widget" dialogue box is particularly egregious.  Bleh!

Shortly after closing the widgets, I got to see OpenSUSE's crash handling system.  I have to admit, I like the one in Vista much more.  It is less obtrusive, and keeps a log of old problems, so that if a fix is ever found in the future, you are notified.  As far as I can tell, this crash handler does not even have a "Send to KDE" button that will submit the dump to KDE. 

In a BIG UI step-up from other distributions such as Ubuntu, OpenSUSE labels its applications in plain English ("Web Browser", "Word Processor", etc).  In the land of Linux, where there are 59 versions of any given program (all cleverly named something like KMusiOggGimperor), your standard end-user has NO CLUE what the program does.  Awesome job here!

OpenOffice is pretty much the same as it ever was... a clone of Office XP.  I understand that Open Office.org 3 will solve cancer, cure world hunger, and make you sandwiches when you are hungry, but the version included with OpenSUSE 11 is pretty blah.

The music player (Amarok) shows the reason that Linux is not yet ready for my wife... how the heck should she know whether her music files are kept in /bin /etc /sbin or /mnt... 

The UI once you have finished the First-Run Wizard is not much better.  It looks like it has a ton of bells and whistles, but does not hold a candle to iTunes or Zune in terms of UI.

All-in all, a fairly good experience.  It is clearly a beta product, and many of the errors that I experienced should be fixed once the final version is released. The fact that I can install OpenSUSE without any tweaking of kernel parameters is always a good thing.  There are some great features (as mentioned above) that make OpenSUSE usable for newbies, but has some features such as Amarok that would drive anyone mad.  I look forward to revisiting this distro once it finally releases in June.

Currently Listening to: Hide and Seek by Imogen Heap

May TechNet magazine is out

...and awesome as always!  Check it out here.

Windows Administration: Active Directory Backup and Restore in Windows Server 2008

Windows Server 2008 and the new Windows Server Backup utility bring many changes and welcome enhancements to backing up. Here is an in-depth guide to backing up and restoring Active Directory in the new server OS. Gil Kirkpatrick

Windows Administration: Designing OU Structures that Work

Too many administrators underestimate the importance of having a well-designed Organizational Unit structure. Find out why having a sound OU strategy is important and determine the best OU structure for your organization. Ken St. Cyr

Windows Administration: Extending the Active Directory Schema

Many applications that rely on Active Directory define their own changes to the schema. But it's important that these changes don't impact other applications. Get an overview of extending the Active Directory through the classSchema and attributeSchema objects. Vikas Malhotra

System Center: Introducing System Center Mobile Device Manager

The new System Center Mobile Device Manager provides a complete set of tools for managing Windows Mobile devices through an MMC snap-in or via Windows PowerShell. Find out how this vital tool will allow you to manage mobile devices, increase security, and deliver mobile VPN capabilities. Matt Fontaine

System Center: What's New in System Center Essentials SP1

Service Pack 1 introduces significant enhancements for System Center Essentials 2007. Explore some of the key changes that will improve the user experience and streamline administration. Pete Zerger

Combining Smart Art Diagrams in Word 2007

One of the coolest features of Office 2007 is SmartArt.  It makes it incredibly easy to create great looking diagrams to show a process, cycle, hierarchy, or relationship.

During some business planning recently, however, I had the need to actually COMBINE two different diagrams to show a relationship between two related processes.  However, in Word, I found that I could not combine the two.  The "Segmented Cycle" was exactly what I needed on the inside of my chart, and the "Block Cycle" was exactly what I needed on the outside.  However, when I dragged one over the other, they would NOT overlap. Both diagrams would just swap places.

It turns out that this is expected behavior. Each diagram type knows what type of shapes belong there and how the shapes related to each other, so adding other arbitrary shapes or diagrams isn’t possible. 

Fortunately, there are two possible workarounds.  The first is to use PowerPoint, where you can overlap Smart Art all day long, and group/ungroup with no problems. 

The second is to position two Smart Art objects, or a Smart Art object and other shapes, in a way that they appear together on a page (just fine for my needs)which requires both objects to be floating. To make the Smart Art floating, right click it (its border, not an individual shape) and change the Text Wrapping to something other than Inline (e.g., Square or Tight).  Once the images are “floating”, you can size them and position them over each other. 

The limits of Active Directory

A few years ago, at my first IT job, my manager told me that there was a server at Microsoft, and all day long it created objects in a test Active Directory Domain.  "This server has been running since Windows Server 2000 was released" he said, "and it still has not hit a limit on the number of objects AD can hold".

I'm pretty sure he was talking out of his arse at the time, but we really do test the limits of our software at Microsoft (both upper and lower).  Some limits are hardware driven (such as the limits of the 32-bit address space), some are hardcoded limits, and some are practical limits (such as how long it would take to restore in the event of a hardware failure).  As noted at Tomek's blog, the Active Directory Maximum Limits article was recently updated, so check it out if you are curious how many Group Policy Objects can be applied to a user account, or why each Active Directory domain controller can only create 2,147,483,393 objects during its lifetime (and how to work around that limitation).

Active Directory Security Best Practices

Because why wouldn't you?

Best Practice Guide for Securing Windows Server Active Directory Installations

Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part 1

Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part 2

Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services

Windows Server 2003 Security Guide

Windows Server 2008 Security Guide

Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units

Active Directory Security Technical Implementation Guide (Non-Microsoft Guide)

http://iase.disa.mil/stigs/stig/active-directory-stig-v1r1.pdf