From the mailbag today comes a question from James regarding how much you can put on one SBS 2003 box.  Good question.  I'll check with my gurus.  I know that you can put CRM on SBS and infact the information is included in the CRM documentation.  In fact there's an excellent CRM community at the MS CRM listserve that's headed up by the guru of SBS on CRM, Scott Colson.  But I'm not sure about the combo of Great Plains and CRM.  I'll get back to you on that one.

One thing that I probably would recommend is that you think about doing a joint venture with a MS partner that already does Great Plains or any other of the Accounting applications or Customer Relationship Managment.  To set up a network is one thing.  To set up an accounting installation is something totally different and is a different mindset as you need to analyze document flow.  I'll ping up with Jeff Loucks who along with Chad and Scott areprobably our best “SBS *and* persons around.

Starting February 1 is a huge CRM+SBS partner push to expand the marketplace.  Hope Scott is ready for all the new community members :-)

Configure Password Policies

Using strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are required to change their passwords the next time they log on. The password policy options are as follows:

• Password must meet minimum length requirements. This option determines the least number of characters that a password can contain. Setting a minimum length protects your network by preventing users from having short or blank passwords. The default minimum length is 7 characters.  [my note... I think we'll all agree that we're kicking this one up past 14 in our own consultant recommendations]
• Password must meet complexity requirements. This option determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Numerals (0 through 9)
  • Nonalphanumeric characters (such as , !, $, #, and %)
• Password must be changed regularly. This option determines the period of time (in days) that a password can be used before the system requires the user to change it. The default maximum password age is 42 days.
• Policies go into effect. You can specify when the policies take effect. The default is three days, but the range is "immediately" to seven days.

  You can choose to configure the password policies immediately or after a specified period of time. If you choose to configure password policies immediately, you must use strong passwords to log on to each client computer. You can simplify the process of setting up client computers by choosing to delay configuring the password policies until your configuration is complete. You will be able to work on the client computers without the password policy restrictions. If you use this option, choose to enable the policies after you have set up the client computers but before the users log on for the first time.

  P.S.  remember though...stop thinking passwords...think passphrases!!

So I brute force cracked a password yesterday....It was a 6 character password with one capital letter, one number and the rest lowercase.  I password protected an Office document and then used an Elcomsoft.com program to see how long it would take to brute force crack it.  I came to the conclusion... two things....

• I need a faster computer - it took about a day and a 1/2 to brute force break the password
• And 19,770,609,664 different possible passwords still takes a while to go through.

Now normally I would have no idea whatsoever that a 6 character password like that would have that many passwords to try but I was swapping emails with the guru of passwords, Dr. Jesper Johansson as I was reviewing a chapter on passwords in his and Steve Riley's upcoming book called Protecting your Windows Network and the topic of brute force attacks on Office passwords came up and I was doing a bit of testing to see how long it would take.   

SuperG took a poll of how many of us truly renamed the Administrator account and I'll admit to not doing that.  But I do admit to changing the passwords every 90 days AND my password on that account and others is longer than 14 characters.  I'm the password “wrangler” in my office and the one in charge of saying to folks.. no it's time... not that's not good enough... no pick something else.  Six or seven characters for an Administrator password account is just not good enough these days.  Especially that Admin account, protect that one with a long password or passphrase.  You shouldn't be logging into that account that much anyway.

It's the human thing not a technical thing that I think keeps you the safest.  Letting people know that blank spaces are just fine in passwords.  A small phrase is fine.  Weird stuff like ! and & and other wacko things are great.  Technology will not protect you from weak passwords.  You must inform your small business clients of HOW important this is.

Think about your bank account ATM for a moment.. what protects that?  4 numbers.  I don't even want to think about the lack of password combinations in that one.

Kinda scary isn't it?

Excuse me while I go check my bank balance and change the password on my Amazon.com account which also has a sucky password.

Sometimes we feel the need to be extra paranoid in SBSland and that includes making sure the password on the Administrators account is EXTREMELY Dr. Jesper Johansson approved long and hard to crack.  There's also another step you can do BUT remember you may need to then change ALL third party software logins as well... so just be prepared.....

Securing Your Windows Small Business Server 2003 Network http://www.microsoft.com/technet/security/secnews/articles/sec_sbs2003_network.mspx
This document helps you to more securely configure your Microsoft Windows Small Business Server 2003 network. By completing the tasks in this document you can better protect the availability, integrity, and confidentiality of your network.

Inside this document are the instructions to change the Administrator's account.  BUT don't forget to also change the “description“ so it doesn't say “this is the build in administrator's account that the do do brain didn't take the time to change the description so I can still see that it IS the administrator's account“.  Remember too while I say in Harry's upcoming book that PSS have not gone on record in the past as supporting this, the guidance is out there:

"No Updates Were Installed" error message when you try to install an update from the Windows Update Web site on a computer that is running Windows Small Business Server 2003:
http://support.microsoft.com/?kbid=887425
Event 1030 and event 1058 may be logged, and you may not be able to start the Group Policy snap-in on your Windows Small Business Server 2003 computer:
http://support.microsoft.com/?kbid=888943

Your domain user name may not be accepted in Windows Server 2003 or in Windows XP:
http://support.microsoft.com/?kbid=887710

File upload in Internet Explorer 6 to a Web page may time out or take longer than expected to complete in Windows XP Service Pack 2:
http://support.microsoft.com/?kbid=889334
You may receive the "The local device name is already in use" error message when you try to restore a network mapping connection to a shared network folder on a Windows XP-based client:
http://support.microsoft.com/?kbid=890413

How to disable MSN Messenger 6.0 traffic in ISA Server 2000:
http://support.microsoft.com/?kbid=891598

While I think POP pulling into a workstation is silly as you should use the power of your server, if you absolutely positively MUST have your Outlook on your workstations individually POP AND do Exchange you'll want to make the POP be the “main honcho” of the mailbox.

A post in the newsgroup and a response from Les reminded me of this reg fix [originally posted by Ray-the Man Fong so I'm categorizing it under Ray-ism in honor of Ray Fong who graciously and patiently put up with a bunch of rowdy SBS MVPs in Charlotte, North Carolina]

At the client, create the following registry key:

Location: HKLM\Software\Microsoft\SmallBusinessServer\ClientSetup
Name: NoTransportOrder
Type: REG_DWORD
Data: 1

Remember I said how we add the domain/connectcomputer to the IE trusted zone to properly run it?  So exactly what does connect computer script do anyway you ask?

psst... yes it DOES do way more than manually connecting the computer to the network through the control panel:

Client Configuration
 The following section outlines the automatic configurations performed as
 part of client Setup for client computers running Windows XP
 Professional and Windows 2000 Professional, based on best practice
 implementations.
 
  Important: To connect client computers to the network, use DHCP to
 automatically assign IP addresses.
  
 Client Networking Configuration
 Once you have added users and computers using the To Do List, go to the
 client computer, open Internet Explorer, and type http:// ServerName
 /connectcomputer (where ServerName is the name of the computer running
 Windows Small Business Server). Click Connect to the network now, and
 follow the instructions in the Small Business Server Network
 Configuration Wizard to configure networking settings for your client
 computers. The wizard requires the following:
 
  • You must be logged on as a member of the Local Admins security group
 on the client computer.
 
  • Only one network adapter can be enabled and configured to connect to
 the local network.
  
 • TCP/IP, Client for Microsoft Networks, and File and Printer Sharing
 for Microsoft Networks must be installed and bound to the network
 adapter. TCP/IP is configured to automatically obtain an IP address and
 DNS server addresses.
  
 Client Application Configuration
 After the applications that have been deployed by the Set Up Computer
 Wizard are installed, they are configured for each user and for the
 local network. The following settings are configured:
 
 Microsoft Internet Explorer 6 Service Pack 1
  
 Internet Explorer 6 provides the Web browser for client computers.
 Client Setup Configuration configures Internet Explorer 6 as follows:
 
  • The Home Page is configured to point to “My Company” (http://companyweb).
 
  • The following internal Web site links are added to the Favorites list
 Web site:
  
 Web site Address
 Microsoft Windows Small Business Server Web site
 http://go.microsoft.com/fwlink/?LinkId=17117
 
 My Company
 http://companyweb
  
 My E-mail
 http://sbsserver/exchange
  
 Information and Answers
 http://sbsserver/clienthelp
 
 Small Business Server Administration
 http://servername/tsweb/Default.htm?AutoConnect=1
  
 Microsoft Office Outlook 2003
 
 Outlook 2003 provides a single location for organizing and managing
 daily information, from e-mail and calendars to contacts and task lists.
 Client Setup Configuration configures Outlook 2003 as follows:
  
 • A user profile is created and configured to use Exchange Server 2003.
 The profile specifies Exchange connections and defines account information.
  
 • If the client computer contains existing profiles, the option for
 using Exchange is added and a new profile is created as the default. The
 old profile is backed up.
  
 • If you specify that the client computer will be used remotely, Outlook
 2003 is configured to run in Cached Exchange Mode.
 
 Fax Client
 
 Fax Client enables users to send faxes directly from their desktops.
 Depending on the user permissions, users can view the status of faxes in
 the queue or cancel faxes. Client Setup Configuration configures Fax
 Client as follows:
  
 • Outlook is configured with faxing capability.

Adding Les's comments:

First, there's the whole server site setup that enables and configures
dependencies and configuration options that connectcomputer funcionality
uses. Not discussed here, except to say that you'd have a virtually
impossible task uncovering all of the pieces touched. And if you didn't use
the SBS setup wizard, then you may as well hang up right now and fdisk.

1. Checks Client OS and takes appropriate path (ATAP)
2. Causes an activex control to become available.
3. Determines whether the computer is or is not a member of the domain, and
is or is not a DC or SBS server, (ATAP)
4. Tests resolution to the SBS server (ATAP)
5. Checks for multiple non VPN network connections (ATAP)
6. Checks account permissions, allowed to join computer to domain?
7. Assigns users, and migrates local profile(s), if they exist, to domain
profile (SID mapping)
8. Assigns requered local permissions to domain user account.
9. Provides selection of computer name from list, automatically if there is
one-to-one mapping of user/computer on the SBS.
10. Joins the domain (creating a temp user account for autologon to ease the
process) - including getting the client computer in the correct AD OU so the
GP applies correctly.
11. Sets some runonce reg keys to clean up after the above process.
12. After required input is provided, steps through the above process,
including automatic restarts as required.
13. Now we are into Application Deployment (Susan shows some on her blog).
This is seen on the workstation as the Client Setup Wizard, which is
automatic on login after the above 12 main steps are complete.
14. The list of configurations made after Application deployment:
My network places
TAPI information
Connection Manager
Fax Printer
SSL Certificate
ActiveSync (special, just for SBS and mobility devices)
IE
Outlook
Additional global settings:
DNS Timeout Value
Deleted Item Recovey
Remote Desktop permissions
Network Printer(s)
Disable getting started screen (annoying XP thing)
Disable ICS
(used to turn off ICF, but now handled by GP (xp firewall settings))
Disables network bridging

Note also, we're talking client computers here, but connectcomputer also
knows what to do with member servers ;-) .

If you think you can or want to do all this manually, please be my guest.
This is not the most complex wizard on the box. The wizards are a brilliant
piece of engineering, IMHO you are nuts if you ignore them.

It's good that we're getting important enough for a known 
"google hacker" site to post about our uniqueness... 
 
It's bad that we're getting important enough for a known 
"google hacker" site to post about our uniqueness... 
 
Just a heads up ...they know our "google parts" How do you stop this?
 
First off... don't click the button in the connect to internet wizard to 
“expose the entire web site” Next... if you are stupid enough to do 
THAT one, I'm copying a post from Alan Billharz 
 
Some customers may wish to exclude their SBS 2003 installation
from the scope of Web search sites such as Google.com.  This
may be because you would prefer to restrict knowledge of your
installation only to those who can use it, or, you may want to 
keep some portions of your site (e.g. Business Website) 
searchable while keeping other portions under the radar 
of Web search sites. There is a way to do this using 
the Robots Exclusion Protocol.  
By placing simple text file at the root of your Web site,
you can tell Web search robots which parts of the 
Web site are open for search.I've attached 
two versions of robots.txt that I've whipped up 
for my SBS2003 server:  
 
1.. robots.txt - Allows search of your business Web site 
but hides SBS-specific  sites from search robots.  
2.. robots2.txt - (Must be renamed to robots.txt) 
Denies search of your entire Web site .
For more information, 
check out these sources: http://www.robotstxt.org/wc/robots.html
http://www.searchtools.com/robots/robots-txt.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
Many Web sites implement this functionality.  
For example, you can check out 
http://www.cnn.com/robots.txt .
Please respond to this post if you have any questions 
or comments - let us know how this works out for you!
Thanks,Alan Billharz
--------------------------------------------------------------------------------
# Place this file at the root of the Default Web Site (%system drive%\inetpub\wwwroot) 
# to allow search engines to catalog your Business Web site, but not catalog the other 
# SBS-specific Web sites. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 
 
 
User-agent: *
Disallow:   /_vti_bin/
Disallow:   /clienthelp/
Disallow:   /exchweb/
Disallow:   /remote/
Disallow:   /tsweb/
Disallow:   /aspnet_client/
Disallow:   /images/
Disallow:   /_private/
Disallow:   /_vti_cnf/
Disallow:   /_vti_log/
Disallow:   /_vti_pvt/
Disallow:   /_vti_script/
Disallow:   /_vti_txt/
--------------------------------------------------------------------------------
 
# Place this file at the root of the Default Web Site (%system drive%\inetpub\wwwroot) 
# to prevent all search engines from cataloging your Web site. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 
 
User-agent: *
Disallow: /
 
P.S.  This will be included in the SBS 2003 advanced 
book by Harry Brelsford

I was googling and stumbled across a KB article and thought I'd stick it up here

Codes for the audit logs:

Jut got an email in the mailbag and this is not the first time I've gotten this question:

How do we become members of your site?

Well see it's like this... it's not really a member site.  You see, that login box is just my username and password to post.....it's just a blog for a wacko SBSer who just kinda does this to relax at the end of the day [I told you I was weird].  But see there are other places where you can become a member of ...it's up to you the “kind” of participation you want.  But if you want to want to join in a peer sharing enviornment we have TONS of options for you:

Starting off with newsgroups, the SBS2003 newsgroup needs Outlook Express or Thunderbird to be read properly.

Want listserves?  We got those in different flavors:

• smallbizit - for sales and marketing
• sbs2k - for technical side of SBS [all versions]
• mssmallbiz - the Official Microsoft Small Business Community Listserve

Just click on each to join

Next we have websites with SBS forums

• http://www.smallbizserver.net with the Magical M&Ms
• Nick's place on the Minasi web site
• Handy Andy's forum

Chats?  We've got those too

• Handy Andy's web chat

And how about face to face meetings?

• We've got those too!
• And if you don't see one...attend a TS2 event and ask to make an announcement to start your own!

See SBSland is kinda like a country...we have lots of places to go and have community.

P.S.  Don't forget to check out the blogs linked on the side as well!

I make it a rule to merely add the web site of the SBS server I am going to either connect to internally or connect to externally in the trusted zone in Internet Explorer.  IE, Tools, Internet Options, Security, Trusted Sites, sites and then enter the web site like http://domain/connectcomputer or https://www.domain.com/remote  for the connect computer wizard or Remote Web Workplace respectively.

This ensures that the active X scripting occurs as it should and I can join computers to the domain with no issue.  If you don't, you might not spot the tiny “info bar” at the top that is jumping up and down yelling at you to download the Active X control.

Just stick it in the trusted zone and all is well.

From the mailbag today comes the question from Alex... is there a way to publish Companyweb without opening 444?  And the answer is.... No.  You must have 444 for external access to CompanyWeb [Sharepoint].

SBS bascially requires the following ports:

If you need access to Sharepoint .... you MUST go through port 444.  For RRAS, the Sharepoint is automagically enabled if you merely click the box, for ISA they thought we'd be a bit more paranoid so you have to manually publish it.

Looking for Troubleshooting tips for Small Business Server 2003?

There's an excellent resource on the SBS web site but I“ve put links here as well:

• Troubleshooting Server Setup
• Troubleshooting Users and Groups
• Troubleshooting Client Computers
• Troubleshooting Mobile Devices
• Troubleshooting E-mail
• Troubleshooting Monitoring
• Troubleshooting Backup and Restore
• Troubleshooting Internet Access
• Troubleshooting Your Intranet
• Troubleshooting Shared Network Resources
• Troubleshooting Remote Connections
• Troubleshooting Client Licensing

Back in May I posted of the three things I've done on my SBS servers.  But I'm here for an update because I only do two of them now:

• To ensure that file locking doesn't occur on databases and Quickbooks
  Disable oplocking http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264
• Lastly this turns off the annoyance of XPs and 2k's have of “falling“ off the LAN and then needing to be clicked to be reconnected.  In our little lans I turn this off.  Disable autodisconnect http://support.microsoft.com/default.aspx?scid=kb;EN-US;138365

Cal emailed today a “Geese as community” piece that I had to find a copy to share:

When you see geese flying in a "V" formation, you might be interested in knowing what facts scientists have discovered about why they fly that way. While you read this, keep in mind how adoptive families form a community--helping each other, often without the benefit of ever having met.

FACT: As each bird flaps its wings, it creates an uplift for the bird immediately following. By flying in a "V" formation, the whole flock adds at least 71% greater flying range than if each bird flew on its own.

TRUTH: People who share a common direction and sense of community can get where they are going quicker and easier because they are traveling on the trust of one another.

FACT: Whenever a goose falls out of formation, it suddenly feels the drag and resistance of trying to go it alone and quickly gets back into formation to take advantage of the lifting power of the bird immediately in front.

TRUTH: There is strength and power and safety in numbers when traveling in the same direction with those with whom we share a common goal.

FACT: When the lead goose gets tired, it rotates back in the wing and another goose flies point.

TRUTH: It pays to take turns doing hard jobs.

FACT: The geese honk from behind to encourage those up front to keep up their speed.

TRUTH: We all need to be remembered with active support and praise

FACT: When a goose gets sick or is wounded and falls out, two geese fall out of formation and follow it down to help and protect it. They stay with it until the crisis resolves, and then they launch out on their own or with another formation to catch up with their group.

TRUTH: We must stand by each other in times of need.

Okay grab the kleenix folks because not only does this remind me of the Anna Paquin Geese movie that makes me cry at the end even though I've seen it a thousand times, it reminds me of the world I live in.

So many of the people that flap flap around me and honk honk at me all the time I've never met... or if I have, it's only been once or twice and now we only share an online presence.  Between email and IM, there isn't a day that doesn't go by that I don't smile at an email or at a IM tag line that is funny. 

So whereever you are in your life, your career, your job, find a place where you can Flap and Honk.  I think you will find, like I have, that a few years go by and you realize that you've gone a long way on a long journey, and yet you are not one bit tired and enjoyed it the entire way.

To the Communities of SBS that constantly FLAP FLAP and HONK HONK, thank you very much for your consistent uplift.  To the Center for Internet Security where I started out a few years back as just being this little SBSer on the phone calls, thank you for letting me drink in all the information that you put out.  Honk Honk, Flap Flap to you as you have taught me so much.  And to all of you [and you know who you are] that Honk Honk and Flap Flap with me, thank you for this journey.

I'm sure people wonder what exactly is my job.  Sometimes that's a very good question.  Somedays it's just standing over the shoulder and telling someone in the office how to attach a file to an email.  Somedays it's trying to visualize what a client is looking at over the phone.  Sometimes it's trying to visualize what my partners are looking at on the screen. So many times I have to walk over and see what they are looking at and more often than not, I say “oh yeah, just click there”.  And they'll say...where?  “There, I say... right there”.  I can see the obvious “click“ but they can't.

It's funny that just right after yesterday's post about documentation that was prompted by a newbie SBSer in the newsgroups who came looking for real basic documentation as he was helping to set SBS up in his small firm... comes an article about “the basics”.  I chaired the Top Technology survey and helped “craft” the descriptions.  And in our survey of fellow “uber geeks”, the top issue was Security [gee that's a surprise].  But when the Ohio Society put it out for ALL of the membership to revote on their idea of the top ten...what was their top issue? 

Finding out where to click.

Learning technology was their biggest issue.

It's even obvious in my firm that there are those that are the “technology enablers” and those that ...well are still just dealing with the technology.  John Pocaro back on blogging again, has some great productivity tips about handling email overload that they do in Microsoft.  But they are a pretty darn consistenly agile firm. 

The “real” SBSers are still a bit lagging behind, I think.  What are my goals this year as compared to his daily tasks? 

• To get more people to use the shared calendaring.  I have a few but not all using it.  Some are still relying on paper calendars.  Lose the paper this year.
• We're doing pretty good on saving in file shares but my weekend loss of a desktop reminds me to put a better, stronger emphasis on redirection of the “my documents“ and remind folks to NOT store on local hardrives.  SeanDaniel.com talks about how the My document redirection is for “backup“ purposes.. I'd add how about for physical security purposes?  I can and do physically secure the server... I can't the desktops.
• If the item is of a personal [personnel] nature, I'll be setting up access controls for that location and deny everyone BUT the people that need to have the information
• Install Lookout on all the desktops
• Have more training sessions and do more “picture“ how to's.  People remember with pictures not words in my office.

So I think this year I need to concentrate on taking the concepts that I take for granted and making them more normal for everyone else.  So that folks will just know to click “there”.

You do know about the documentation resources for SBS right?

What?  You don't?

Start here for a Documentation by Task for Windows Small Business Server 2003

Then you do know about the SBS Documentation blog, right?

Huh?  You don't?!!

Dude, click here to see some of the cool stuff they have in store.  You remember how blogs work, right?  You get a newreader [I like newsgator.com] and you sign up inside of newsgator, inside of Outlook so that the information goes directly to you. 

Kewl, huh!!

Too many times I see people not understanding the difference between being a DOMAIN administrator and being a LOCAL administrator. 

Being a domain admin means that the user logging in has full right to anything on that domain and basically has the keys to the kingdom.

Local administrator means that you merely have keys to the local workstation.

So many of our stupid apps want LOCAL administrator rights but they do not NEED domain administrator rights. 

When you set up users and there are the pre-done SBS templates [which it's perfectly normal that they have red X's by them as they are “just” pre-done templates for you and not true users] just make sure that you only give rights that you minimally want to the users ON THAT SERVER.  In my opinion there is no need whatsoever to make a user a domain admin.  Pick Mobile user or user but never domain admin. You then change the user to be a “local” administrator on THEIR machine, but not on the domain.

Over time, both Microsoft will make it eaiser and Vendors will finally see the light and start coding security for running as “USER” on the local machine.  In the meantime, while you are stuck in giving local administrator rights, just don't hand our more rights than you intended. A couple of ways you can use group policy to add the users to the LOCAL group are discussed here, but you could always log in as the administrator on the workstation [and many times the admin account on an OEM box has a blank password which means it cannot be access remotely over the web] and then just flip that domain user to have administrator rights on JUST that workstation.

P.S.  you do know that running the domain/connectcomputer wizard will PUT that workstation in the local admin group, right?

SeanDaniel.com points out once again that we should WAIT [patience patience] for our OWN SBS SP1 which will include Windows 2003 sp1 and we should not run the Security Configuration Wizard on our SBS [see I was right] and also points to that kewl Exchange “tarpit” that YES you can do on a SBS box to slow down the bad guys.

Sean says that sometimes things slip through the cracks [oooh there's transparancy and credibility] and that's why this SCW tool isn't SBSized but I would argue that it's the SCW that's coming up to the SBS world.... certainly where auditing is concerned as ours are specifically tuned for us.

An often asked question is why the audit logs in SBS are so “noisy” as compared to SBS 2000 and a blog by “the” auditor of windows Eric Fitzgerald talks about what they are doing to “bring down the noise” in the future.

When we look at our SBS boxes, though, what do we audit in our SBS boxes?

• Account logon is audited for success - default domain group policy controls this
• Account management is audited for success - default domain group policy controls this
• Directory services is not audited [for a very good reason] - our SBS group policy kicks in
• Logon events is audited for success, failure - our SBS group policy kicks in
• Object access is not audited - default domain group policy controls this
• Policy change is audited for success - default domain group policy controls this
• Privilege use is not audited - default domain group policy controls this
• Process tracking is not audited - default domain group policy controls this
• System events is audited for success - default domain group policy controls this

And why do we do this?  Because if we are not “pulling a status” of normal, we won't have the data when something bad happens and we need to have auditing logs available.

Keep these audit logs just the way they are.  You will want them when something happens and you need to prove something.  I would argue that you should do similar settings in SBS 2000.  This is one area that turning on auditing really doesn't hurt a well done server at all.  We should all be auditing the processes on our boxes like this.

Then if you need it, it will be there.   If however, you shut them off, you'll not know what happened.

Vendor:  noun:  one that sells something

Customer:  noun:  One that buys goods or services.

Salesperson:  noun:  A person employed to sell merchandise 

VAR/VAP:  Value Added Reseller/Provider

Value:   noun:  quality considered worthwhile or desirable

Added:  verb:  To join or unite so as to increase in.... scope

I looked up the definitions of these tonight for a reason.  On a community listserve the topic came up regarding “should vendors be allowed on a peer resource list who's charter states that it's designed to discuss issues around the marketing, sales and development of small business IT consultants for those IT consultants servicing small to medium businesses“ and it just made me think a bit.  Especially when some of these “customers“ of vendors are obviously, vendors themselves.. I would think that people who are themselves vendors would want to try to bridge the gap between customers and vendors.  The concern was that the “vendors“ on the list would turn on the “sales and marketing“ mode and the real truth would get overwhelmed by the advertisements and offers. 

I too, am sometimes guilty of talking about “marketing” as the dark side.  But here 's the dumb thing... it's doesn't have to be.  Sometimes the best marketing is just being honest.    Jackie Huba today in the Church of the Customer [there's that word customer, again] talks about a disturbing trend in marketing. “Stealth Marketing” as they call it.  And included in the post is a very interesting discussion of “ethics in marketing”.  [Okay, I'll admit that I've never quite thought of that phrase quite like that before].

In an email thread that I was on today, someone wrote that they didn't trust a company to have their [the customer's] best interest at heart.  I find that statement a bit odd since it would seem to me that any company would want to have their customer's best interest at heart because without that customer, they wouldn't BE a viable company.

Jackie talks about that there's a “growing demand of transparency and credibility”. There is isn't there?  Too often I see it time and time again that when the “salesman” says “Oh we can do that” and totally overpromises what the item or software or technology can do and all that ends up happening in the long run is an unhappy customer.  If there is one thing that I could say to any company wanting to bridge the gap between vendor and customer is to just BE HONEST.  I don't expect a firm to say “oh we totally screwed up when we promised you the moon”, but I do expect more of an honest “we can't do that now, but we're working on it for the future”. 

In reality, even though over time I've turned into this hybrid of a wacko SBS customer that is turning into a Windows Software Patching ebook author and newsletter author, I still feel a lot like just a customer around here making sure that the SBS customer gets a fair deal.   I don't like it when a SBS customer doesn't get the installation experience he or she deserves.  I don't like it when consultants don't take the time or the energy to learn the SBS platfom and install it and support it the right way. 

It drives me crazy when people constantly hang onto the myths surrounding the platform.  I was on a security listserve where the topic of having Internet Information Services on a domain controller and here's little ol' wacko SBSer me piping up and saying that these days I wasn't worrying about my domain controller and IIS6 on there but rather freaking out about controlling my workstations.  In the ensuing back and forth threads it was very obvious that people still had stuck in their minds the steroetype of SBS.  “Limitations“ was definitely in their mindset.  Once again the myths of SBS surrounding the backup domain controller, the lack of expandability in their minds.... [hello?]  Don't people know that once you hit the 75 limit there is a transition pack that allows you to grow past 75 and split off the parts to separate boxes if that is truly your heart's desire?

Instead I don't see limits at all... I see possibilities.  Already a couple of folks at my office are thinkin' ...hey with this remote web workplace.... I don't have to come into the office all the time to do my work... I can do it from home!   That's right.  And my boss already asked about email on the cell phone that he saw some other Attorney receiving and responding to.  As I told him, you want it?  Say the word as we can set it up!  [He declined because he said the Attorney was constantly emailing on his phone].  But the point is that seeing technology truly in action, honestly, and credibly had done far more to “sell“ my boss on technology than any glossy ad had done.  He saw it working in real life and asked me about the technology.

The “Build your business“ ad campaign is my FAVORITE ad.  To me it so much showcases when the Vendors and the VARs and the VAPs and customers all come together and synergy is made what possibilities you can have.