Thoughts on Windows 8 and user privileges

The Windows 8 developer preview has been shown and released (although I have yet to find time to get it installed), and if you haven’t seen it yet, go watch the keynote at the Build conference here: http://www.buildwindows.com.

 

I’m looking at this less as a home user, and more as a system administrator for an office-based company of 350 people. Overall I’m very excited by some of the things shown, and think that it will be an immediate upgrade from Windows 7 as we bring in new computers.

Built-in anti-virus is a great addition, and if the updates come via WSUS then it may finally be time to shrink our Symantec license count. The additional tools and functionality in Windows Explorer, including the ribbon and file copy changes, look really nice, and shouldn’t be too difficult to train users on.

I won’t repeat every feature that I’ve seen so far, but there are two things concerning me:

 

  • With the new hybrid sleep/hibernate power model, when will group policy computer settings be applied, and will putting the computer into this mode constitute a log off? We rely on our group policy objects for many things, including program installations and keeping various applications up to date. If one needs to wait until Windows Updates are done to force a real reboot (once a month based on Microsoft’s update schedule), that is an awfully long time to go before GPO processes new changes.
  • I was really hoping Microsoft would revamp the permissions model within Windows, to allow program installs without Administrator rights. As more and more of our workforce get familiar with Windows and its programs, or even have grown up their entire lives using it, those people expect more control over their computer due to that familiarity. While it has always been recommended to lock down users to standard accounts for security and to ensure unauthorized programs are not installed, we are quickly entering a world where this will no longer be acceptable, due to the large number of users who balk at the idea of control being taken away.

    Ideally what I would like to see is the Power Users local group brought back, but made better. Standard users would remain devoid of many privileges, and UAC would prompt for elevated credentials if required. Administrators would retain full control over all aspects of Windows, but these rights would only be granted to IT staff.
    Power Users would have the ability to install programs, and that’s about all. No ability to make permission changes, can’t change user accounts or rights, and are still prompted by UAC for elevated credentials when trying any of these things.

    This would give those who are comfortable with Windows the ability to install programs if necessary, as well as give IT the ability to assign programs through GPO and have it actually work without requiring Admin rights.

  • The last thing that would make my life (and our upcoming help desk staff) much easier would be the ability to unlock a user account as an Administrator, or even log into a different user’s profile with Administrator credentials. Let’s say John Doe is logged on, and submits a ticket to the help desk for a problem only experienced with his profile. IT goes to that user (or remotes in) and finds the computer locked, with John nowhere to be found. The solutions to this are to keep a list of John’s passwords, or wait until he returns, neither of which are good solutions.

    It would be better if that IT staff remotes in, sees the computer is locked by John, and unlocks it with their own account, getting into John’s profile. IT is already trusted with the keys to the organization, so it’s not like there is a security issue with this model.

 

I guess these last two things don’t really have much to do with Windows 8, but they were on my mind as I watched the keynote.

 

 

Create a discussion board for Mindtouch wiki

A recent comment on my Mindtouch intro page asked how I built the discussion board.

I originally got the code from the Mindtouch Developer site here, however I can’t seem to find the complete source code anymore. Either way, I’m pretty sure neilw, a valuable contributor to the Mindtouch community, is the author of this code and full credit goes to him.

The actual implementation is very simple. You just need to make a couple of templates.

First, create the discussion board page template, or topic list:

Template:/ForumTopicList


{{wiki.create("Create New Topic",homepath,(args.template ?? "ForumTopic"),true,"Put Your Title Here")}}

| Topic | Starter | Replies | Last Comment(C) or Edit(E) | Views |
| {{t.sticky}} {{web.link(t.page.uri, t.page.title)}} | {{ t.originator; }} | {{#t.page.comments}} | {{date.format(string.substr(t.date,1),'yyyy-M-d H:mm');' '; if (t.change != '(new)') { 'by '; t.author; ' '; } t.change; }} | {{t.page.viewcount}} |
(no topics yet)

 

Then call this template somewhere on your page, with this:

{{ template("ForumTopicList") }}

Now, you need to create the template for the actual new topic post:

Template:/ForumTopic

Created by {{ edit: web.link(user.uri, user.name) }} on {{ edit:"{{ save:date.now}}" }}
 
{{ if (page.tags.sticky != nil) { "STICKY"; } }} {{ web.link(page.feed, "Track this page") }}
 

  

 

Instructions:

  1. These instructions will only appear while you are editing.  No need to delete them!
  2. Please enter your Subject in the title above.
  3. Enter the content of your message in whatever form you like below.
  4. Adding comment: If you're not the original creator of this topic, please reply by using the "Add Comment" field at the bottom of the page. The comment added will be tabulated in the "Reply" field.
     

 

<enter your topic message/description here>

You can modify this template to include whatever instructions you like.

That’s it! To create a new topic, navigate to the page from which you call the ForumTopicList template, and click the “Create New Topic” button.

When others comment on the page that’s created, it will count as “replies” and show in the topic list.

Thoughts on my career path

A post by Ned Pyle was just released on the AskDS blog, which is excellent and should be read immediately:

http://blogs.technet.com/b/askds/archive/2011/09/02/accelerating-your-it-career.aspx

Reading through this got me thinking about my own career, my abilities and attributes. I consider myself good at my job, and invaluable to my company, but reading pretty much anything by Ned or other respected IT personalities (those at the top of the Serverfault reputation list come to mind) leaves me wishing I had more.

More knowledge, more skills, more time to study, play in a lab, read more books. More motivation to excel and be more creative for my company.

 

I find that it is difficult to really retain knowledge and gain expertise on technology with which you don’t have any real interaction, and I’m always afraid of spending time learning and mastering something, just to have that knowledge wither and die. When I graduated from SAIT in 2005, I had my CCNA, was trained for CCNP and would have passed the test easily but never took it because my first job was entry level system admin. Since then I haven’t touched a real routing protocol, or any Cisco device for that matter, and those skills have atrophied. I’m fearful that things I spend time on that have no relevance in my current position will be a waste of time.

Perhaps my perspective on all this is a little skewed, since at this medium sized company there are only two IT staff (myself included) and every area of IT falls under my responsibility. I’m directly responsible for (and have implemented myself) Exchange, Hyper-V, SQL, Windows Server and client OS, networking, backups, purchasing, policy making, documentation, monitoring, the list goes on. In addition, I’m beginning to learn C# and ASP.net for developing in-house tools at my company.

Just as Ned mentioned, it’s hard to be an expert in everything, but since I deal with everything, sometimes it’s hard to be an expert in anything. We’re hiring for a help-desk position in the near future so hopefully that will remove some lower end duties, giving me a bit of free time for some real learning and professional development.

 

All that being said, I start thinking about the things I am involved in at work, and can see many areas of improvement. Exchange and Hyper-V both come to mind, as those have both been my implementations, but I am in no way an expert for either. They’re also both critical to my company, and that in itself is a good motivator for improvement.

 

Either way, knowing there is room for improvement is powerful, and there are a lot of helpful links from Mr. Pyle that I’ll be following up on.

Shut down without installing updates – Windows 7


An annoying attribute of Windows 7 is that when updates are waiting to be installed, if you choose to shut down, you MUST install the updates at that time.

While there are workarounds to shut down without installing the update (Ctrl+Alt+Del and the shutdown option there), they’re not suitable for an entire organization.

I understand the point of this being a default, but when one of the updates is Office 2010 SP1, and you have laptop users waiting to pick up and go, it is not desired.

Fortunately there’s a Group Policy setting to give you the option to shut down without installing updates.

You can find this at:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Update

 

Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box.

If this option is enabled, you will get a regular shut down button, along with an extra option to “Install Updates and Shut Down” from the start menu shutdown arrow options:

 

Redirect HTTP to HTTPS with IIS

I’ve got an internal website that runs in IIS 6, for which I have enabled SSL. Due to the nature of this website, and the login credentials used, I want to make sure any access is always encrypted, but still allow my users to access it at http:// for ease of use.

 

Fortunately I found a pretty simple way of doing this with IIS 6 (I don’t know whether it’s still supported in IIS 7, but I imagine it would be).

First, create a file called sslredirect.htm, with the contents as:
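The original file contents did not survive on this page. The script below is an added example, not the author's file, of what such a page can contain: place it inside a script element in sslredirect.htm. It assumes the site has "Require secure channel (SSL)" enabled so that plain HTTP requests produce error 403.4; the function name buildHttpsUrl and the optional httpsPort parameter are hypothetical.

```javascript
// Added example: body of the <script> element in sslredirect.htm.
// IIS returns this page for error 403.4 (SSL required), so the browser's
// address bar still holds the original http:// URL when the script runs.

// Build the https:// equivalent of a Location-like object.
// Returns null when no redirect should happen (already HTTPS, or no host).
// httpsPort is a hypothetical optional argument for sites not on 443.
function buildHttpsUrl(loc, httpsPort) {
  if (!loc || !loc.hostname) return null;
  if (loc.protocol === 'https:') return null; // avoid a redirect loop

  // Only parts of the current request are reused. Nothing is read from a
  // query parameter, so the page cannot be used as an open redirect.
  // The HTTP port is dropped on purpose: :80 or :8080 must not carry over.
  var port = (httpsPort && httpsPort !== 443) ? ':' + httpsPort : '';

  return 'https://' + loc.hostname + port +
         (loc.pathname || '/') +   // keep the page the user asked for
         (loc.search || '') +      // keep the query string
         (loc.hash || '');         // keep the fragment
}

// Browser hook: skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined') {
  var target = buildHttpsUrl(window.location);
  // replace() keeps the http:// URL out of the back-button history.
  if (target) window.location.replace(target);
}
```

The redirect only happens after the browser has already sent one request in plaintext, so session cookies for the site should carry the Secure flag and login forms should post to the https:// address directly.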


 

Then, go into the properties of your IIS site, and on the Custom Errors tab, change error 403:4 to point to your sslredirect.htm file.

 

Now, if someone opens up http://www.website.com, it will automatically redirect them to https://www.website.com.