[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] July 2007 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

July 2007 - Posts

So why did they move those file locations in Vista?  More granular control so that we can change permissions and tighten up program settings is my understanding (I can't find the page, and given that I read it outside with the crickets with a mini booklight last night, as we were without power until 6 a.m. the following morning, is it any wonder that I can't find in the book where it said that?)

\Documents and Settings is now \Users
\Documents and Settings\All Users is now \Users\Public
\ProgramData\Desktop is now \Users\Public\Desktop
\ProgramData\Documents\ is now \Users\Public\Documents
\ProgramData\Favorites is now \Users\Public\Favorites
\ProgramData\Start Menu is now \ProgramData\Microsoft\Windows\Start Menu
\ProgramData\Templates is now \ProgramData\Microsoft\Windows\Templates

Posted Tue, Jul 31 2007 20:11 by bradley | 3 comment(s)

Page 91 of this book lays out the facts....

\Documents and Settings is now \Users
\Documents and Settings\All Users is now \Users\Public
\ProgramData\Desktop is now \Users\Public\Desktop
\ProgramData\Documents\ is now \Users\Public\Documents
\ProgramData\Favorites is now \Users\Public\Favorites
\ProgramData\Start Menu is now \ProgramData\Microsoft\Windows\Start Menu
\ProgramData\Templates is now \ProgramData\Microsoft\Windows\Templates

Posted Tue, Jul 31 2007 19:59 by bradley | with no comments

I'm putting folks on notice... while I won't be too pleased that you do this... but I'd rather folks do an alternative setting in group policy controlling the User Account Control prompt than the alternative of shutting it off completely.

Okay step one you need to go buy this book:  And then as you read this you'll begin to understand why it's important that we understand in Vista that when people say "but I'm running as Administrator" they really are not THE ADMINISTRATOR.  They are not the BUILT IN ADMINISTRATOR and thusly things will be different.  And while it's nicer if you are running as a standard user, even if you are running as an administrator (small caps), you are not THE ADMINISTRATOR like you were in the XP era.

So if you are a geek and those UAC prompts are driving you nuts first I'm going to ask exactly what are you doing that makes you get them... like are you fiddling with network connections all the time or what?  and secondly I will say that I'm sorry they don't drive me nuts they REMIND me of when I'm up in the "nosebleed" rights area and I should be careful.  But IF and ONLY IF you want to be less annoyed, read page 150 of that book and set up a separate Organizational Unit/Group policy and put the geeks of the office that will annoy you in their complaining with Vista the first month or so into a special bucket so they won't see that secure desktop prompt.

What you need to do is build an OU and change the group policy setting to do this:

http://www.microsoft.com/technet/windowsvista/security/security_group_policy_settings.mspx#_User_Account_Control

Under this section:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

 User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Now keep in mind you won't see that up on your SBS box and you'll need to connect to the group policy from your Vista machine (I'll do screen shots later).  The default is to prompt for credentials... you can set it to "Elevate without prompting" and the elevation to the admin will be silent.  Now this is a bad thing because malware could be designed to hop on that elevation and get up to admin rights... but (and this is a huge but) it's WAY better than shutting off UAC completely.  Setting this setting leaves IE 7 in protected mode, which is an EXTREMELY good thing, while turning UAC off completely will turn off IE protected mode as well.

You might even consider setting this setting for a month or two after Vista machines are first installed so that your users will be able to install and do the things they think they want to do and then a month or so later, take it back to the defaults where it will prompt you.

I'll bet you that after this first install period of time you won't see those prompts nearly like you did before.

But I guarantee you I'll be less apt to beat you over the head with my 2x4 if you change this setting  to silently elevate and not use the secure darkened desktop (which is really a screen shot of what you were working on setting up the elevated session) than if you turn off UAC completely.

Give it a try.... and then turn that prompting back on after a while.  I'll betcha you won't see it much at all after the machine is set up.
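As an added example (not from the original post or the book it cites), the PowerShell below classifies a machine's UAC posture from the registry values behind these policy settings, so machines left on "Elevate without prompting" past the setup period, or with UAC off entirely, can be found and put back. It assumes PowerShell 3.0 or later; the function names, machine names and sample values are constructed for illustration.

```powershell
# Added example: classify UAC posture from the registry values behind the
# Group Policy settings discussed above. Helper names are hypothetical.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([Parameter(Mandatory)] [hashtable] $Values)

    # EnableLUA = 0 means UAC is off entirely ("Run all administrators in
    # Admin Approval Mode" disabled); per the post, IE protected mode goes too.
    if ($Values.EnableLUA -eq 0) {
        return [pscustomobject]@{ State = 'UacDisabled'; Action = 'Re-enable UAC' }
    }
    # A missing value means the policy was never written or the read failed.
    if ($null -eq $Values.EnableLUA -or $null -eq $Values.ConsentPromptBehaviorAdmin) {
        return [pscustomobject]@{ State = 'Unknown'; Action = 'Check the machine by hand' }
    }
    # ConsentPromptBehaviorAdmin = 0 is "Elevate without prompting".
    if ($Values.ConsentPromptBehaviorAdmin -eq 0) {
        return [pscustomobject]@{ State = 'SilentElevation'; Action = 'Restore the prompt once setup is done' }
    }
    # Any other value prompts; flag machines that skip the secure desktop.
    if ($Values.PromptOnSecureDesktop -eq 0) {
        return [pscustomobject]@{ State = 'PromptNoSecureDesktop'; Action = 'Consider re-enabling the secure desktop' }
    }
    return [pscustomobject]@{ State = 'Prompting'; Action = 'None' }
}

function Read-LocalUacValues {
    # Reads the live values on the machine this runs on (Windows only).
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    return @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

# Constructed sample inventory (made-up machine names and values).
$sample = @(
    @{ Name = 'VISTA-01'; EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    @{ Name = 'VISTA-02'; EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
    @{ Name = 'VISTA-03'; EnableLUA = 0; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    @{ Name = 'VISTA-04'; EnableLUA = 1 }
)

foreach ($m in $sample) {
    $r = Get-UacPosture -Values $m
    '{0,-9} {1,-22} {2}' -f $m.Name, $r.State, $r.Action
}
```

On a Windows machine, `Get-UacPosture -Values (Read-LocalUacValues)` reports the live state instead of the sample data.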

Posted Tue, Jul 31 2007 19:14 by bradley | 3 comment(s)

 

Where will you be this November?  I'll be upside down.  That's right... at www.smbfocus.com I'll be with Wayne Small who will be hosting and presenting the ITPro conference in Australia.  Along with me will be Jeff Middleton, Dana Epp, Amy Babinchak, Dean Calvert and Ryan Spillane and lots more.

So get ready to get upside down in November! (I've even put the logo for it on the side of the blog!)

Posted Tue, Jul 31 2007 18:22 by bradley | with no comments

My sister and I each have certain connections to the outside world we can't live without.  Mine is an internet connection, hers is the sound of a TV.  Which is why when the power is out AGAIN (it was off earlier today) I've got the laptop fired up and she's got 8 D batteries in a Sony TV watching Wheel of Fortune.  Not that she'd normally be watching that mind you, but just that it's "noise" to the outside world.

So for me my "fuzzy safety blanket" is a computer with an IM session going where even Dad can ping me when I'm on a trip and check that I'm safe in the hotel (yes.. Dad still checks in on me).  But it goes to show you how much both my sister and I are dependent so much on power.  Without power and energy there's not much that you can do. I'd argue that energy is a key element in any business. 

But we found tonight that we needed batteries as well, for the cell phone, for the TV, for the laptop, for the kitchen area.... yeah... I didn't get out of doing the dishes though...dang... the City of Fresno has generators for the water wells so our water still works.

http://en.wikipedia.org/wiki/Business_continuity_planning

<edit: http://www.fresnobee.com/updates/story/100035.html it was a bird's nest that started the power outage, and it didn't come back on until 6 a.m. Tuesday morning>

Posted Mon, Jul 30 2007 19:31 by bradley | with no comments

Today's SBS blog moment is brought to you by Wayne McIntyre 

The Official SBS Blog : Active Directory FTP User Isolation Mode (IIS 6.0):
http://blogs.technet.com/sbs/archive/2007/07/30/active-directory-ftp-user-isolation-mode-iis-6-0.aspx

On the inside of my LAN I have ftp enabled for two key business scanners.  Yes it's a risk, but to me an acceptable one.

Posted Mon, Jul 30 2007 17:22 by bradley | with no comments

http://msmvps.com/blogs/bradley/archive/2007/07/29/a-palm-750-in-the-house.aspx

Well that was easy.  I literally connected the Treo 750 to "my" computer, ran through the "connect to exchange activesync" wizard, stuck the two certs (I have ISA) on the device that I have parked on my computer and voila.

The easiest way to get a cert off your system and on to a device is to go into IE and find the two certificates, both in your trusted root certificate store in IE and export them anywhere.  Then put the cable with the device, go into explore .....

Once the device is attached, go into Explore and find a folder location that you can remember to find on the device.

Dump the cert files into this folder location

 

Now take the device and typically it's a matter of tapping enter on the cert to "install" it on the device.  The 750 didn't need any hacking or unlocking or anything to get it to accept the self signed cert.  Heck it didn't even mind being temporarily activesync'd to a totally different workstation.

Now to figure out if we can do Comcast email "and" hotmail email "and" Outlook Exchange all at the same time..... 

When you are installing software on Vista, you may have to right mouse click on the setup and "Run as Administrator".  Once it's installed, if it balks a bit at running under Vista, try right mouse clicking on the icon, and go into the compatibility tab and clicking on "Run as XP sp2".  If that doesn't work try all the way down to Win98.  As a last resort, click on "Run this program as administrator".  Now in a true locked down network you should use fast user switching in a domain and run the crappy apps in another profile to keep them away from the secure apps, but I'm going to guess that many firms don't or won't do that.

The other issue you might see is this -
http://msinfluentials.com/blogs/jesper/archive/2007/01/16/help-vista-won-t-let-me-write-to-my-external-hard-drive.aspx but I guess I'm the weird one as I don't find the UAC prompts annoying and in fact when they do pop up I keep track of the apps (including Microsoft ones) that are still needing UAC help.  Live Meeting does the yellow warning along with Live Messenger on this Vista (but then again I need to see if I'm running the right Live Messenger version on this Vista at home)

P.S. the thing that takes a while to get around your head is that even when logged in as administrator you aren't quite logged in as Administrator like you were in the XP era.  Admin isn't Admin and it takes a bit of getting your head around.

Posted Mon, Jul 30 2007 0:17 by bradley | 1 comment(s)

http://www.palm.com/us/support/downloads/versamail/certmodtool.html
http://discussion.treocentral.com/showthread.php?p=1202566
http://www.palm.com/us/products/smartphones/treo750/

I was just put on notice that a partner of the office is now the proud owner of a Palm 750 and the thing on my agenda tomorrow is to get the self signed cert (yes we still use self signed certs) put on the unit so that it can be sync'd with the server.  If you use like a godaddy cert you won't need the certmodtool, but if you don't, you will.

Posted Sun, Jul 29 2007 22:06 by bradley | 2 comment(s)

I was cleaning up the upstairs office and found that I'm a packrat.  I found what ended up being SBS 2003's first beta disks.  Way back in November 2001 was the first beta of SBS "Bobcat" what ultimately became SBS 2003.  That became a long beta due to the SQL slammer and security push.  (We even patched SQL during the beta with these "by hand" instructions that were pretty lengthy).

What was in that first beta was not what we ended up with in SBS 2003.  Bottom line... while being involved in betas lets you see the direction that various companies are heading towards, sometimes even as a beta tester you can be surprised about the changes that are made.

Posted Sun, Jul 29 2007 21:00 by bradley | with no comments

New laptop for a guy in the office....and look at all the stuff I'm pulling off.....

That HP help center/Yahoo search is now gone, along with the Vonage and the Norton antivirus.  In its place are the native search and NOD32 a/v for Vista that I've found to be responsive but not too "chatty" and has a very good footprint and works very well on Vista.

This is an HP Pavilion with 2 gigs of ram, running an AMD Turion 64x2 mobile technology running Vista Home Premium.

Value Driven: Turning our backs on tech - July 23, 2007:
http://money.cnn.com/magazines/fortune/fortune_archive/2007/07/23/100135598/index.htm?postversion=2007071606

The answer is "Yes, it's a problem," because most people don't understand the reality of today's infotech work. "A lot of IT jobs in the future will deal with face-to-face interaction," says Stephen Pickett, CIO of Penske Corp. and past president of SIM. "You can't do a process analysis over the phone. You can't understand the inner workings of a corporation over the phone. You have to understand how a user wants to use software. Those are face-to-face jobs, feeling the good times and bad times, knowing enough about the company."

It isn't coding in cubicles anymore. Those jobs really are going offshore, and they should be. The jobs that remain are more demanding, higher paying, and multiplying fast - if only there were people to fill them.



 

Posted Fri, Jul 27 2007 19:00 by bradley | with no comments

SBSC & MSP Buzz » Blog Archive » Response to Response Point:
http://sbsc.techcareteam.com/archives/29

I don't think it's enough to put the product in the hands of the var/vaps... because they don't have time to deal with the issues that new operating systems just natively have with them.  The problem with Vista deployment is that it's different.  It's new.  Installing hasn't been well documented.  I think there hasn't been enough "de-fud"ing of Vista.  I'm not trying to discount the issues, but are WE personally seeing deployment issues or are we hearing about them from someone else?  And then .. is it issues that we are causing on ourselves by deploying Vista on not suitable hardware and what not?

I'm just not convinced that Microsoft has given enough "how to get crappy application X installed on vista" hands on seminars to the consultant space.

The other day I said I hadn't met a piece of software yet that I hadn't been able to get working on Vista and someone said (forgive me for not finding the original posting) that I obviously hadn't tried to install Adobe Acrobat 5 on Vista.

http://secunia.com/product/49/?task=advisories

First off ...that's such an old piece of software to be installing on Vista in the first place that if I even wanted to install THAT OLD of an Adobe I'd rather find another third party pdf making software rather than that old and I honestly don't think it's supported anymore.

It's one thing if your line of business software doesn't support Vista (and note I didn't say it wouldn't run, just that it won't support), it's quite another when you aren't recommending that instead of that old software that is out of support that people don't look for supported alternatives.

Posted Fri, Jul 27 2007 18:38 by bradley | 4 comment(s)

"This is a chart you're not really designed to be able to read. This is a chart that actually lists at least most, not all, but many of the new products that we're hoping to ship in roughly the next 12 months. Not everything that's beyond, but some of these things may or may not make the 12-month period of time. But, for us to generate the kind of growth you expect, you want, that I think we can generate, does require an amazing flow of innovation and new products. And I just want you to feel very, very good about that, because I do."

http://www.microsoft.com/msft/speech/FY07/BallmerFAM2007.mspx

In case you can't read that I've pointed out where "Cougar" aka SBS "next" is on that powerpoint page.

Microsoft Financial Analyst Meeting 2007:
http://www.microsoft.com/msft/speech/FY07/AnalystMtg2007.mspx

Posted Fri, Jul 27 2007 17:48 by bradley | with no comments

Today's SBS blog moment is brought to you by Justin Crosby:

The Official SBS Blog : Why can't I access my web sites by both FQDN and IP after running the CEICW?:
http://blogs.technet.com/sbs/archive/2007/07/26/why-can-t-i-access-my-web-sites-by-both-fqdn-and-ip-after-running-the-ceicw.aspx




This is unique to ISA, as the Standard SBS will not do this.

Posted Fri, Jul 27 2007 12:26 by bradley | with no comments

I still remember the stories by Steve Riley about the deployment issues with Biometrics.  Everyone sees stuff like DigitalPersona as the panacea to password issues but they don't think about the deployment issues....if the fingers used to enter in the system have issues being read by the system, it's not an easy redeployment.

DigitalPersona - Biometric, Fingerprint, Authentication, Sensor, Reader, Security:
http://www.digitalpersona.com/

Traditional two factor with tokens is a much easier deployment and management solution. Not to mention there's not the Gummy bear issues.... http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ where you can defeat the biometrics with the equivalent of gelatin to pick up the fingerprint image.

May not be as tasty as Gummi Bears.... but a lot more effective that's for sure... 

Check out Charlie Russel's post on it:  http://msmvps.com/blogs/xperts64/archive/2007/07/27/two-factor-authentication.aspx

In the action pack this month.... is a Windows 2008 beta, System Center Essentials, Vista Business 64bit and a few other things that I can't remember off the top of my head. 

I will bring this up again ... Bill ... or should I say Ozzie?  You know what folks were "buzzing" about with Vista?  Bitlocker.  And what manner do Microsoft partners have to get their hands on Bitlocker?  They have to buy TechNet Plus and then not use it in production, just for testing.   Because when it comes to encryption you NEED to understand the recovery and disaster and business issues, not just the technical process of encryption.  We need to roll up our sleeves and pretend to have a disaster need to ensure we can get that box back with the data not orphaned and stuck on that dead drive.

If you want to get an OEM Vista up to Enterprise you can add SA within 90 days, but it is kinda dumb when Microsoft isn't seeing that the push in my financial space is indeed the need for encryption as we have this data on laptops that has a need for protection.

In the meantime the word from Atlanta was that WinMagic worked quite well, had no performance hit, and just needed the machine to be left overnight to encrypt.

http://www.winmagic.com/

http://msmvps.com/blogs/donpatterson/archive/2007/07/25/poisoned-web-sites-soar-six-fold-sophos-says.aspx

Exactly what "is" Internet facing anymore?  These days I think I'd argue that everything that connects to the Internet is "Internet facing" if all we are using to protect ourselves is antivirus that is behind in its detection, anti spyware that is reactionary and what not.

With our increasing emphasis on Web 2.0... can someone define for me what is Internet facing anymore?

Isn't the internet us?

Posted Wed, Jul 25 2007 23:27 by bradley | with no comments

Dear Microsoft Action Pack Subscriber:

We are pleased to confirm that your Microsoft Action Pack July Quarterly Update has been shipped. If you have not received your kit by July 31st, please send an e-mail message to MAPS-NA@microsoft.com.

The Action Pack Update kits are sent quarterly. To see a complete listing of the contents of the Update kit (in the US and Canada), please visit:

https://partner.microsoft.com/40013779

Thank you for continuing your subscription to the Microsoft Action Pack!

-The Worldwide Partner Programs Team

...and I'm pleased that at least I'm in the Pacific time zone now... waiting for the Vegas to Fresno flight to take off....

Posted Wed, Jul 25 2007 15:43 by bradley | 4 comment(s)

http://www.youtube.com/user/fslabs

If you want some nice informative videos to show your clients, the F-Secure YouTube channel is very nice and gives a great deal of informative videos you can use for your clients.

You can use a service like Vixy to make them portable - http://vixy.net/  (Chris Rue told me about that site) but if you want a higher resolution version you can get it from the excellent F-Secure blog site - http://www.f-secure.com/weblog/archives/archive-072007.html#00001232

It's a great resource to educate the end users as to why spam works.... and why this is big business these days.

 

Posted Wed, Jul 25 2007 11:31 by bradley | with no comments