The Blackbird Group is raffling off a 1,000 user license including a 1st year maintenance (total value 7,200 USD) for Blackbird Auditor for Active Directory. The deadline of this contest is May 31, 2012. If you want to take part, please send an email with the subject Blackbird to .

In Microsoft Windows Active Directory administration nomenclature, auditing refers to the capture and display of user- and/or system-generated activity.

Many systems administrators are required by governmental and/or industry regulations to track changes on our domain systems to a fine degree of granularity. Some of these regulatory laws include the following:

• FISMA
• HIPAA
• PCI
• SOX

As you know, Windows Server 2008 R2 includes a built-in auditing framework that can help to determine the so-called “4 W’s” of audit policy:

• What was the change?
• Where was the change made?
• When was the change effected?
• Who made the change?

Traditionally, we enable auditing in one or more Group Policy Objects (GPOs) that we deploy to our domain. We then use Event Viewer to analyze local and remote auditing events. We can even leverage event log forwarding and subscriptions to aggregate audit log data from multiple systems across the domain or forest.

The main downside to Windows Server 2008 R2 audit policy is that it is quite cumbersome to manage, especially when we aggregate data from multiple sources.

With respect to GPO reporting, Windows Server 2008 R2 provides us with the Resultant Set of Policy (RSoP) tools that are baked into the Group Policy Management Console. Again, though, the tools scale poorly and are relatively inflexible.

To attain a deeper appreciation of the limitations inherenet in traditional Windows auditing, I encourage you to read the white paper “The Tradeoffs and Risks of Traditional Windows Auditing” from the Blackbird Group’s Web site.

Speaking of the Blackbird Group, today’s blog post centers upon their Blackbird Auditor for Active Directory solution, which is software aimed squarely to replace the aforementioned auditing toolset.

In this article we will examine Blackbird Auditor for Active Directory from the following angles:

• Software Setup
• Using Built-in Audit Views
• Analyzing and Exporting Captured Audit Data
• Rolling Back Changes with RSAT Extensions

Let’s get started!

Setting up the Software

The Blackbird Management Suite is a Microsoft Management Console (MMC) snap-in that relies upon a SQL Server database for AD metadata storage. Therefore, a local or remote instance of SQL Server is a prerequisite to installing this software.

NOTE: You can use SQL Server Express if you want to; you are not required to have a full edition of SQL Server to run Blackbird Auditor for AD.

After you have SQL Server installed and ready to accept incoming remote connections, you can download the binaries and obtain your license code from the Blackbird Group’s Web site.

The order in which you install the software is significant. Here is the nutshell workflow:

1. Install the 32-bit or 64-bit Blackbird Management Suite Server
2. Install the Blackbird Management Suite Console on the Blackbird server
3. Install the Blackbird RSAT Extensions on your other domain controllers
4. Install the relevant extension packages on the Blackbird server

Heads-up: Blackbird says that only one Blackbird Management Suite server is allowed per forest. Each extension package (also called a module) enables Blackbird Management Suite to capture particular types of data from domain member computers. These modules are named as follows:

• Blackbird Auditor for AD
• Blackbird Auditor for File System
• Blackbird Event Vault
• Blackbird Privilege Explorer
• Blackbird Privilege Manager for AD
• Blackbird Recovery for AD

In this review, we are concerned only with the Blackbird Auditor for AD module.

Administrators can license as many or as few of these modules as their systems management needs dictate. Licensing is calculated per “heartbeat,” which means that you pay only for the number of human users (and not service accounts) that are embraced by the software’s functionality.

Using Data Handlers and Audit Views

In Blackbird Management Suite terminology, Data Handlers represent the rough equivalent of agent software. Specifically, Data Handlers allow the Blackbird Collector component to retrieve Active Directory data from each domain controller. Ideally, you should deploy the Data Handler to all of the domain controllers in your organization.

To deploy Data Handlers, we open the Blackbird Management Console, right-click the Domain Controllers node and select Deploy data handler from the shortcut menu.

In the Deploy Data Handler dialog box (shown in the next screenshot), we can install the agent bits on some or all domain controllers within the forest.

Deploying data handlers

NOTE: Blackbird Management Suite requires the use of several service accounts that need administrator-level access to your domain controllers as well as to SQL Server. During setup you’ll also be asked to specify a communications TCP port; keep this in mind as you plan your Blackbird implementation.

Our next task is to specify auditor accounts. These are Active Directory users who are allowed to configure Blackbird Auditor for AD and to view audit report data.

Now that we’ve deployed the Data Handlers and specified our auditor accounts, we can turn our attention to Audit Views. Audit Views are the (very) rough equivalent of the Custom Views that are found the Windows Server 2008 R2 Event Viewer.

Specifically, an Audit View filters the retrieved AD audit data according to pre-defined criteria. Blackbird Auditor for AD provides us with several pre-built Audit Views that cover the most common administration and regulatory compliance scenarios; these are shown in the following screenshot:

Built-in Audit Views

Of course, we can build our own Audit Views from scratch if we wish. As you can see in the following figure, we define an audit view by scoping data retrieval according to the “4 Ws” of audit policy.

Defining a new Audit View

In practice, these Audit Views give administrators quick insight into specific changes occurring in Active Directory over time. As we shall see a bit later in this article, Blackbird Auditor for AD allows for full previous/current value comparisons as well as selective or full rollback to previous states.

Analyzing and Exporting Audit Data

To view captured audit data, we can simply expose a predefined or custom-created Audit View in the Blackbird Management Console, right-click the appropriate view, and select Open from the shortcut menu.

This action launches the Audit Viewer tool, a standalone application that includes the “you either love it or you hate it” Ribbon UI introduced in Microsoft Office 2007.

The Audit Viewer displays each audit entry in three simultaneous views. The Summary pane gives you a simple list of all audit entries scoped in that Audit View. What’s cool about this view is that we can see both previous and current values for audit entries that involve a change.

In the following figure we see the results of the “All User Creation in the Last 30 Days” built-in Audit View on my test domain controller. If the Audit View contents included changes in addition to object creations, then we would see before and after data values as well.

Audit Viewer results

The Activity pane shows high-level audit statistics. For instance, in the following screenshot, we see a breakdown of the specific types of AD activity recorded by the tool over the past 24 hours. Be aware that these views are eminently customizable. For instance, we can edit this view on-the-fly to show account activity over the past month, and so on.

Activity view

Finally, the Details pane shows (a) a summary report of the entry; and (b) which specific Active Directory schema attributes were involved in the audited action.

Audit details view

Rolling Back Object Data with RSAT Extensions

As I mentioned earlier, the Blackbird Data Handler and Collector components work together to aggregate and store Active Directory metadata in the Blackbird Auditor SQL Server database.

What this means for us administrators is that:

• Blackbird Auditor for AD does not rely upon AD itself for the storage of schema information
• We can undo changes and perform restores directly from the Blackbird backup repository

For example, we can examine the Blackbird Management Suite Recycle Bin to enumerate and potentially recover deleted AD objects.

The Blackbird RSAT Extensions serve to integrate Blackbird auditing, analysis and recovery features into other core Windows AD management consoles. For instance, we can view the audit trail and/or roll back changes to an AD user object from Active Directory Users and Computers simply by right-clicking the object in question. This is shown in the following figure:

Blackbird RSAT extensions in action

You might have also noticed other Blackbird-related entries in previous screen capture. For instance, we can quickly generate a report of all of that particular user’s activity, and optionally roll back any changes made to the object’s schema properties.

We can also track the evolution of our GPOs by accessing the Rollback shortcut menu item in Group Policy management console (GPMC). As you can see in the following figure, Blackbird enables us to quickly compare the current state of a GPO with a previous incarnation that is stored in the Blackbird backup repository.

GPO change analysis

The Rollback functionality in Blackbird Auditor for AD is very impressive. With a few mouse clicks you can undo the most potentially damaging of AD object changes. For example, if a junior-level administrator inadvertently deleted an OU and is unable to regenerate the lost objects by using standard Windows tools, you can easily perform the restore from within the Blackbird Management Console.

Conclusion

In my opinion, Blackbird Auditor for AD is an extremely easy to use product. As busy systems administrators, we often don’t have time to spend performing elaborate setups and slogging through steep learning curves when implementing management software.

I think that those of you who are hit by compliance regulations can derive special benefit from this software. Please feel free to leave any questions in the comments portion of the post. If I cannot answer them directly, I will forward them to the Blackbird team.

If you want to take part in this raffle and have the chance to win a 1,000 user license (total value 7,200 USD) for Blackbird Auditor for Active Directory, please send an email with the subject Blackbird to contests@4sysops.com.

• FREE: ManageEngine Free Active Directory Tools (0)
• Microsoft Exam 70-640 – Operations Masters – Sample question (3)
• Microsoft Exam 70-640 – The Global Catalog – Sample question (0)
• Microsoft Exam 70-640 – The Global Catalog (3)
• Automatically fill the computer description field in Active Directory (9)

Before we start, we will need to make sure we have a few things ready:

1. USB (2.0) stick >16GB (>32GB USB 3.0 is recommended for seamless performance)
2. Windows 8 ISO (or at least the install.wim file from inside the ISO)
3. A system with the Windows Automated Installation Kit (WAIK) installed

The first thing we will need to do is make sure that the partitions on the disk are set up correctly. For this, we will need to run “diskpart” from a command prompt. When you see the diskpart command prompt, enter the following command:

list disk

This will show all the disks currently attached to the system. Identify your USB disk. (Make sure you do this correctly. We don’t want to trash the system disk!) Once identified, enter the following command, substituting X with the disk number of your USB disk:

sel disk X

Now that we have the correct disk selected, we can partition and format it with the following sequence of commands:

clean

create partition pri

format fs=ntfs quick

active

exit

Windows To Go – Format USB stick

At this stage, you should be able to see your empty USB drive in Windows Explorer. If you can’t, you may need to assign the disk a drive letter. You can do this by running computer management (compmgmt.msc) and then selecting the disk management node, right-clicking your partition on the USB drive, and selecting the “Assign drive letter” option.

Now we need to get our hands on the install.wim image file, which is located inside the Windows 8 ISO. If you are running Windows 8, you can just double-click the ISO file and access the files via Windows Explorer (similar to how ZIP files are handled). If you’re running a previous version of Windows, you may need a third-party tool to open the ISO, such as 7-Zip.

Once you’re able to access the files in the Windows 8 ISO, you will find install.wim in the “sources” folder. Now that we have the WIM file, we can apply it to our USB disk. Start the Deployment Tools command prompt. (This is just a regular command prompt, but it loads extra locations into the path when it starts.) Then, run the following command:

imagex.exe /apply c:\path\to\install.wim 1 X:\

You will need to replace the path to install.wim and also substitute X: with the letter assigned to your USB drive. This stage may take quite a while, but we’re almost there.

Once the image has applied, we just need to set up a boot record on our USB disk. To do this, issue the following command from a regular Windows 8 command prompt:

bcdboot.exe X:\windows /s X: /f ALL

Again, make sure you substitute X: with the letter assigned to your USB disk.

Windows To Go – Startup Options

Our basic Windows To Go workspace is now complete. Reboot your system and press F12 (or whatever key is required to get the boot menu), and then select the USB device. Windows should load from your USB drive!

• Windows To Go introduction (0)
• Windows 8 new features – The complete list (0)
• Windows 8 Hyper-V (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)
• Domain join behavior in Windows Server 8 (0)

This feature goes by the name of “Windows To Go.” Windows To Go is intended for systems administrators to build system images that are then loaded onto a USB disk. End users can then take the USB disk and boot any system from it.

We can build the images in the exact same way as we would do if we were deploying any other Windows 8 system. We can also preload the image with any specific business applications or resources that our users may require, and we can still manage it via our usual tools.

There are many scenarios where I can see a good use for Windows To Go.

• Staff can work from home on their own hardware. By using Windows To Go, we instantly turn their systems into a trusted/managed corporate system.
• A classroom could have a room full of diskless systems where each student is issued a Windows To Go USB drive.
• You can have a dual boot OS, without the risk of trashing your main OS installation!
• In a disaster recovery scenario, we could keep a box of 500 disks at our DR site and then hand them out to staff when disaster strikes.

To keep things simple and similar to the environment end users are used to, when we boot a system from a Windows To Go disk, any drives in the host system are automatically hidden; just a single drive (C:) for the Windows To Go system is shown. Things are similar the other way around too. If we insert the Windows To Go disk into a system that is already running Windows, the disk will not show because drive letters are not assigned by default.

While on the topic of keeping things simple for end users, I thought that showing people how to reconfigure your BIOS boot order across a huge array of varying hardware might be a bit of a mammoth task! For host computers that are running Windows 8, this seems to have been taken care of for us, as there is a new “change Windows To Go startup options” applet in Control Panel. By using this applet, we can essentially change our boot order to try USB devices first.

While running Windows To Go, removing the USB disk is essentially the same as pulling your hard drive out of a regular system (not a good idea!). If this does happen for any reason, the kernel will freeze the system for up to 60 seconds, allowing you to reinsert the USB drive and continue working without any loss of data. If it is not reinserted within this time, the system shuts down. This is a security measure in case you have left confidential information displayed on the screen.

Windows To Go looks at each system’s SMBIOS UUID when it starts. When it sees a new system that it has not booted on before, it detects devices and installs drivers as required, similar to when you boot the first time from a sysprepped image. Once it has finished this process, it will remember that system; therefore, when you return to a system you have previously booted from, the startup times should be much faster.

In my next article, I will explain how to install Windows To Go on a USB drive.

• How to install Windows To Go (0)
• Windows 8 new features – The complete list (0)
• Windows 8 Hyper-V (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)
• Domain join behavior in Windows Server 8 (0)

Let’s take a look at some of the ManageEngine Free Active Directory Tools.

ManageEngine Free Active Directory Tools

Password Policy Manager

Admins in a crunch can use the Password Policy manager tool to quickly view and edit a domain’s password policy. Rather than hunting down the effective GPO, you can quickly “login” to the manager using an administrative username and password and view/set enforced password history, minimum and maximum password age, minimum password length, complexity requirements, and whether or not to use reversible encryption to store passwords. You can also restore the default settings for a new domain.

Free ManageEngine Free Active Directory Tools – Password Policy Manager

Get Duplicates Tool

Even experienced Windows administrators sometimes have to deal with duplicate object creep in their domains, something that can cause unexpected issues and waste considerable time. Among the AD Tools is the Get Duplicates tool, which simplifies duplicate object identification (but does not allow you to clean it up). Using Get Duplicates you can verify that your domain does not contain any messy duplicate objects.

ManageEngine Free Active Directory Tools – Get Duplicates Tools

Empty Password Checker

If you inherited a domain that did not enforce a password policy or you do not employ such a policy, you may inadvertently end up with accounts that do not have passwords. This is an obvious security risk and all accounts should have passwords (with very specific exceptions). You can use the Empty Password Checker tool to check for empty passwords in a particular OU or in your entire domain.

ManageEngine Free Active Directory Tools – Empty Password Checker

AD Replication Manager Tool

Possibly the most useful tool of the suite, the AD Replication Manager Tool makes manual, “push-button” replication a breeze. Instead of using command line tools or navigating through the clunky Active Directory MMCs, you can use the manager to force replication across your domain, between two domain controllers, or to view information about previous replications.

It is a pretty nifty tool – if you create a user in your Branch Office domain controller and need that user to be authenticated in another site (such as one where Exchange is located) you would normally have to wait for replication to occur. Using AD Replication Manager you can force replication to happen immediately between the two sites, easing potential headaches and reducing wait time. The replication information is also very useful for troubleshooting replication issues, displaying any errors that may have occurred in previous replication attempts.

ManageEngine Free Active Directory Tools – AD Replication Manager Tool

Terminal Services Manager

This tool allows you to shut off Terminal Service (and Remote Desktop) sessions remotely, which is great if you have encountered “this terminal server has exceeded the maximum number of allowed connections” error and need to eliminate a stale session. If you work in an environment with users who frequently leave administrative sessions hanging (and this is most certainly not optimal) you can clean up the mess as needed with a few clicks.

ManageEngine Free Active Directory Tools – Terminal Services Manager

Conclusions

AD Tools are great for the time-crunched administrator who wants a cost-and-worry free “toolkit” for some of the most common and annoying Active Directory tasks. While none of the tools are groundbreaking individually, and some administrators undoubtedly already have scripts that perform some functions, they are collectively very useful in a pinch. Give AD Tools a try today!

ManageEngine Free Active Directory Tools

• Microsoft Exam 70-640 – Operations Masters – Sample question (3)
• Microsoft Exam 70-640 – The Global Catalog – Sample question (0)
• Microsoft Exam 70-640 – The Global Catalog (3)
• Automatically fill the computer description field in Active Directory (9)
• Microsoft Exam 70-640 – Active Directory replication – Sample Question (0)

At the time of this writing, the feature list is probably not yet complete. I will update this list whenever I stumble upon a new feature and post the update in the 4sysops news streams (Twitter, Facebook, RSS, newsletter).

If you know of a new Windows 8 feature that is not listed here, please leave a comment or send me an email. I will then update the list. It would be great if you add a short description of the feature and, if available, a reference where the feature has been described in more detail.

Please notice that this list not ordered. I will add new features I find at the top of the list.

Metro

There is no doubt that the new Metro UI, which some of us know already from Windows Phone, is the most prominent and controversial enhancement. The main point about Metro is that its user interface and the corresponding apps are optimized for touch screens. Cche

Windows 8 Metro

Designing for Metro style and the desktop

Designing the Start screen

Evolving the Start menu

Designing search for the Start screen

Reflecting on your comments on the Start screen

Microsoft account integration

You’ve probably heard that Microsoft gave up the Windows Live brand. Windows Live accounts are now called Microsoft accounts. You can either log on to Windows 8 with a local/domain account or with a Microsoft account. The latter allows you to store personal data and app settings in the cloud.

Windows 8 – Microsoft account

Signing in to Windows 8 with a Windows Live ID

Windows Explorer

Most visible is the new ribbon, which Microsoft introduced with Office 2007. What may be more interesting are the new file management features, such as improved duplicate file identification, multiple channel support in the Server Message Block (SMB) protocol, and better handling of confirmations and interrupts. IT pros in particular will love that they can now mount ISO and VHD files directly in Windows Explorer. There are many more new Windows Explorer features.

Windows 8 Explorer

Acting on file management feedback

Improvements in Windows Explorer

Windows to Go

Windows to Go allows you to boot up Windows 8 from a flash drive. This feature is more powerful than you might think. We will soon have a review on 4sysops that will cover this feature in detail.

Hyper-V Client

Thus far, Microsoft’s OS virtualization solution Hyper-V was only available for Windows Server. In the workstation edition of Windows 8, Hyper-V will replace XP Mode of Windows 7. Aaron Denton reviewed Windows 8 Hyper-V for 4sysops.

Bringing Hyper-V to “Windows 8”

Fast boot

Microsoft claims that Windows 8 boots up 30-70% faster than Windows 7. This is still not instant-on, but it is certainly a great improvement. I have been working with Windows 8 on a netbook for a few weeks and Microsoft’s claim appears to be true.

Delivering fast boot times in Windows 8

Performance

Reports indicate that Windows 8 is considerably faster than Windows 7. In the 4sysops Windows 8 feature request poll, more than 4000 people chose better performance as the most important new feature. Good that Microsoft listens to their customers.

Windows 8 preview beats Windows 7 in most performance tests

SkyDrive integration

I could have added this feature to the Windows Explorer or the Microsoft account sections. But I think the integration of Microsoft’s cloud storage service SkyDrive in Windows 8 is important enough to have its own heading. If you still think that “the cloud” is only a buzz word, think again. Or as Steve Ballmer would put it: “We will all be in.”

Connecting your apps, files, PCs and devices to the cloud with SkyDrive and Windows 8

Unified Extensible Firmware Interface (UEFI)

This feature caused a lot of stir in the Linux community because many Open Source guardians feared that Unified Extensible Firmware Interface (UEFI) would prevent people from installing Linux on computers that are delivered with Windows 8. These fears were unjustified. Essentially, UEFI uses public key cryptography to allow secure boot-ups by reducing the risk of boot loader attacks.

Protecting the pre-OS environment with UEFI

Malware protection

Hard times are to come for malware programmers (and third-party antivirus vendors). It appears that Microsoft Security Essentials won’t be integrated into Windows 8. However, Windows Defender will become full-blown antivirus software as it will not only protect Windows 8 from spyware, as in Windows 7, but also from viruses and worms. It will also feature real-time protection. SmartScreen, Microsoft’s reputation-based malware protection, will now protect not only Internet Explorer but also Windows 8. Windows 8 will also be hardened with an enhanced Address Space Layout Randomization (ASLR), kernel improvements, and a new Windows heap.

Windows 8 – Antivirus

Protecting you from malware

Large disk support

Windows 8 will support partitions larger than 2TB, which will be important for the next netbook and tablet generation. There are ways to use more than 2TB volumes in Windows 7, for instance with RAID, but I guess this wouldn’t be an option in tablets.

Enabling large disks and large sectors in Windows 8

Storage Spaces

Storages Spaces allow you to combine multiple disks into one storage pool. The new technology is comparable to RAID, but it is more flexible and easier to configure. Probably the coolest thing is that disks can be of different size and connected through USB, SATA, and SAS (Serial Attached SCSI). Storage pools support thin provisioning (physical space is only used when the capacity is needed) and resiliency (mirroring for fault tolerance).

Windows 8 Storage Spaces

Virtualizing storage for scale, resiliency, and efficiency

Setup experience

I already covered the main new features of the Windows 8 setup process. Certainly most interesting is the new web setup, which allows you to install Windows 8 through the Internet.

Improving the setup experience

Fewer restarts

If you ever lost data because of an automatic restart, you might be interested to know what Microsoft has to say about this kind of “user experience” (link below). The major improvement in Windows 8 is that security-related restarts will happen only once a month (on the second Tuesday). The only exceptions are critical security updates—for example, if a computer worm is spreading. Microsoft also introduces a few changes in the way users will be informed about updates and restarts.

Minimizing restarts after automatic updating in Windows Update

Power management

In every Windows version, Microsoft tries to improve power management. However, major advances in recent years were developed by the hardware industry—in particular, the battery makers. But Windows 8 comes with a promising new concept that is known from smartphones. Apps in the background are suspended, thereby consuming no more energy. This feature will only work for Metro apps and not for legacy Windows desktop applications.

Building a power-smart general-purpose Windows

Updating live tiles without draining your battery

Improving power efficiency for applications

New Task Manager

The new Task Manager in Windows 8 is nice, but I guess most IT pros will barely appreciate it considering that free tools like Process Explorer and Process Hacker have much more to offer. However, whenever you have to troubleshoot a Windows machine and you didn’t bring your tool box, you will like new features such as resource usage light-ups, process type grouping (applications, background processes, Windows processes), friendly names for background processes, and top-level grouping windows by app. Interesting for server admins is the new heat map of logical processors.

Windows 8 Task Manager

The Windows 8 Task Manager

Using Task Manager with 64+ logical processors

Windows Store

The new Windows Store for Metro apps is certainly a Windows 8 highlight. The fact that you won’t be able to buy and update legacy desktop applications through the Windows Store could be the major driving force for software vendors to focus on Metro and give up the old Windows application paradigm altogether.

Windows 8 Store

Previewing the Windows Store

Picture password

I hate it when people say they hate something, but I really do hate passwords. Secure passwords are hard to memorize. And, even if you use a password management tool, you need to at least be able to log on to your Windows machine before you can use it. With Windows 8, you can perform gestures on a picture of your choice to log in. Such a gesture is probably easier to memorize but still hard to crack with a brute force attack. The only problem I see is that gestures are easy to spot by someone at your back.

Windows 8 Picture Password

Signing in with a picture password^

PC Reset and PC Refresh

Many PC vendors have their own tool to reset a PC to the state it was delivered. It is good that Microsoft integrates this functionality now into Windows because it standardizes PC troubleshooting. However, more interesting is the PC Refresh feature of Windows 8, which allows you to keep specific settings such as user names and passwords, data, and installed apps. You can create a base image to which users can go back if they have messed up their PC.

Windows 8 Reset / Refresh

Refresh and reset your PC

Sensors

A better tablet user experience is certainly a key functionality in Windows 8. Support for sensors such as accelerometers is therefore a must.

Supporting sensors in Windows 8

Windows 8 on ARM / Windows RT

There has been lots of confusion since information leaked that Windows 8 will run on ARM devices. I am not sure if the term “Windows on ARM” still makes sense because ARM devices will only support Metro apps and no Windows desktop applications. I am afraid that the confusion will continue once the first Windows ARM tablets become available. Many will notice only when they unpack the device that it is not really a Windows machine since the vast majority of Windows applications won’t run on it. The awkward name “Windows RT” for the corresponding OS doesn’t make things better. For ISVs, this will be another reason to dump Windows desktop mode and concentrate on Metro.

Building Windows for the ARM processor architecture

Narrator

Windows 8 also has some enhancements to offer for people with disabilities: Narrator with improved performance, more languages and voices for the Narrator, and more Windows components and applications that can make use of the Narrator.

Windows 8 Narrator

Enabling accessibility

Internet Explorer 10

The most noteworthy Internet Explorer enhancement is the new Metro version. It is optimized for touch and comes with many of the features you know from the browser of your smartphone: double tap, default full screen mode, touch keyboard, and touch optimized tab bar. Of course, the old style desktop Internet Explorer is still available in Windows 8. This could be a role model for many software vendors. I think many ISVs will have to offer two versions of their applications. I wonder if it wouldn’t have been better if Microsoft introduced a new abstraction layer that allowed applications with two types of user interfaces.

Windows 8 – Internet Explorer 10

Metro style browsing: one engine, two experiences, no compromises

• How to install Windows To Go (0)
• Windows To Go introduction (0)
• Windows 8 Hyper-V (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)
• Domain join behavior in Windows Server 8 (0)

SmartDeploy is raffling off 50 end-point licenses with 1 year of basic support (value $1610 USD). The deadline for this contest is June 1, 2012. If you want a chance at winning this license, please fill out this form.

SmartDeploy Enterprise is a powerfully simple deployment suite. In fact, it is so simple that the entire process can be summed up in five steps, with steps 1 and 2 being covered in the previous post. In short, the steps are:

1. Building the image
2. Capturing the image
3. Packaging the drivers
4. Creating the PE media
5. Deploying the image

We have already built and captured our image. Now we face a humongous hurdle with driver management. In nearly every organization, model sprawl reigns. Even in organizations where machines are regularly replaced, some department will buy a make and model that wasn’t previously supported. This is the area where SmartDeploy Enterprise really shines.

In the past, most images stored drivers on the local drive in a manually arranged system. Enter the Platform Pack—a completely prepackaged set of drivers for deployment available through their website. To show how much time a Platform Pack will save, I tested our environment. We have 27 different models, including some old POS machines. SmartDeploy had Platform Packs for all of them! Even better, some models (like a Dell Latitude D610) only have Windows XP available for download from Dell’s Support page. SmartDeploy had the Windows 7 drivers already packaged along with the Windows XP drivers.

Platform Packs come in nearly every make and model.

Now that I have finished saturating my bandwidth with Platform Packs, let’s look into altering and merging the downloaded Platform Packs. This is done within the Platform Manager where, once opened, Platform Packs may be added as needed. A Platform Pack could be created for a universal image or as granular as needed. In my environment, the Platform Pack was organized based on make, model, operating system, and hardware type. To make driver updating easier, I left the default driver names that were created in the import process.

Platform Packs are scoped based on automatically configured WMI filters.

A very cool bonus feature is a WMI Filter Wizard, which is included in the Platform Manager. It allows for the quick scoping of drivers to specific make and models. It could also be quite useful when creating WMI filters for a GPO.

In this example, a WMI filter could be created to apply certain drivers when a machine’s memory exceeds a determined amount.

Now that the Platform Pack has been created, altered, and saved, we need to associate it with boot media. Our boot media of choice is a Windows PE image that is WDS compatible. This will allow us to network boot our machines to an imaging server. To do this, we will launch the Media Wizard and proceed through the steps. Because we will be using multicasting, the wizard will enable that option.

If physical media is desired, the Media Wizard can create a completely standalone boot image.

In the Media Wizard, two features stand out. The first is the ability to integrate a VNC service for remote imaging monitoring. This seems similar to DaRT Remote Connection integration in Microsoft Deployment Toolkit 2012. The second feature is the ability to deploy images over disconnected networks. Although I did not have a chance to test this feature, it seems very cool!

For remote or dispersed organizations, the Cloud Services add-on would be a life saver.

Now that we have created the SmartDeploy media, all that is left is to deploy the image to machines. For those familiar with the Out of Box Wizard, SmartDeploy is easy. After booting of deployment media, the machine image can be selected. Other settings, such as resolution or domain information, can also be entered.

If your organization already has a robust imaging solution, SmartDeploy Enterprise may not be a solution for you. For organizations with a smaller IT staff (or those one-man shops) looking for a very simple extendible imaging suite, SmartDeploy Enterprise becomes very appealing.

If you want a chance to win 50 end-point licenses with 1 year of basic support (value $1610 USD), please fill out this form.

• Raffle: SmartDeploy Enterprise – Easy OS deployment – Part 1 (0)
• Windows deployment preflight checks – Part 2: The script (0)
• Windows deployment preflight checks – Part 1: Introduction (2)
• MDT Workbench and Windows deployment (0)
• MDT (Microsoft Deployment Toolkit) prerequisites and add-ons (0)

Remember that first time you tried to fire up a virtual test machine in Windows 7 Virtual PC only to discover that 64-bit operating systems were not supported? How disappointing!

Enable Hyper-V in Windows 8

Fret no more. Windows 8 desktop includes Hyper-V 3.0. I’ve spent some time checking it out and I’m quite impressed. The reason I’m so impressed is that the new feature looks and feels just like the Hyper-V Manager we all grew accustomed to in Windows Server 2008 R1 and R2. It is in fact the exact same tool available in Windows Server 2012.

Please note that you will need Windows 8 Professional to run Client Hyper-V (see edition features). Windows 8 (standard edition) and Windows 8 RT (for ARM processors) won’t support Client Hyper-V. You can try Client Hyper-V by downloading the current Consumer Preview.

Client Hyper-V hardware requirements and Limitations

The added capability also includes new hardware requirements. The good thing is that your typical modern desktop system should support them.

• 4GB of RAM is a requirement. You will probably have at least 4GB if you’re going to be running virtual machines.
• A 64-bit Second Level Address Translation (SLAT) capable system is also required. Intel’s Desktop i-series (i3, i5, i7) supports SLAT. For AMD support see AMD Processors with Rapid Virtualization Indexing Required to Run Hyper-V in Windows 8. Also see Hyper-V: List of SLAT capable CPUs for Hosts for more information.

Although the Hyper-V Manager tool looks identical to what you see in Windows Server 2012, there are a handful of features that cannot be used in Client Hyper-V.

• Remote FX
• Live VM Migration
• Hyper-V Replica
• SR-IOV networking
• Synthetic Fibre Channel

For additional information please see Microsoft Technet Client Hyper-V Survival Guide.

Enable Hyper-V in Windows 8

Enabling Hyper-V is extremely easy in Windows 8.

1. If you are at the Start screen, begin by clicking Desktop.
2. Now move your mouse to the bottom left corner of the screen and right-click when you see the start icon pop up.
3. Click Programs and Features and then click Turn Windows features on or off.
4. From here you can just enable Hyper-V and all other Hyper-V components will be installed. Included are the GUI Management Tools, Module for Windows Powershell, and the Hyper-V Platform.
5. After clicking OK, you’ll have to restart. Once you get to the logon screen, the machine will restart again.

After logging back in, you may have to scroll in the Metro interface all the way to the right to see a new tile labeled Hyper-V Manager. Click the tile and Hyper-V Manager is opened at the Desktop.

Hyper-V in Windows 8 Metro

If you’ve been using Hyper-V Manager in Windows Server 2008, the GUI in Windows 8 will feel very familiar. What really impresses me is that it doesn’t appear that any features have been stripped out that would make the desktop version a “dumbed-down” version with limited usefulness. For example, an important difference is that Windows 8 Client Hyper-V is a bare metal hypervisor (type 1) as opposed to the Windows 7 Virtual PC hypervisor that is hosted (type 2). Thus you can expect better performance and more reliability with Hyper-V in Windows 8.

Two features that stood out to me were the expanded list of processor and virtual NIC options.

Processor settings

• NUMA – NUMA customizations can now be made for each virtual machine. Previously this could be done in the host settings but not per VM.

Hyper-V Windows 8 – Processor settings

Network adapter

• Bandwidth – Enable Bandwidth Management and control the minimum and maximum bandwidth for a virtual network adapter. The settings are in MBps.

Hyper-V Windows 8 – Network settings

Windows 8 Client Hyper-V is definitely a great improvement over Windows 7 Virtual PC.

• How to install Windows To Go (0)
• Windows To Go introduction (0)
• Windows 8 new features – The complete list (0)
• FREE: Veeam ONE Free Edition – Real-time Hyper-V and VMware monitoring (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)

After implementing this in several organizations, I’ve discovered several issues that may be of interest if you’re planning on implementing Folder Redirection.

Test, test, test

If you’ve read other Group Policy articles I’ve read, I harp on testing. Sorry, but way too many people make a change in a production environment before trying it out on test systems first.

Communicate to end users

If Folder Redirection is new for your users, make sure they know the change is coming. Most users will never notice until they accidentally delete a file or have a machine die and you become their hero.

Slow logons after implementation

One of the things you’ll need to communicate with users if you have pre-Windows 7 computers is that they may see slow logons the first time they log into their computers after Folder Redirection is implemented. Not only are everyone’s files being copied to the file server, but the server’s NIC and the network will probably be saturated with file transfer traffic. (Microsoft improved this in Windows 7 with Fast First Logon.

Broken shortcuts and Recent Documents

If users have created shortcuts to documents or folders inside of folders that you’re redirecting, they may end up with broken shortcuts. The same is true for the Recent Documents feature in applications like Word and Excel.

Which folders to redirect

Decide beforehand what you want to redirect vs. what you really need to redirect. Is it really important to redirect Downloads? How about Saved Games? Everything you redirect is going to have an impact on how much storage you need.

Planning storage

For your shared folder, you’ll want to make sure that the share is on a volume that is large enough to handle the amount of data that your users will be storing. There are a few ways to accomplish this, but most of them depend on your server environment. If your file server is a virtual machine, you can always expand your virtual disk and then expand the volume in Windows if you start to run low on disk space later. In the event you’re using a physical server connected to some kind of Fiber Channel or iSCSI SAN, you can do pretty much do the same thing: Expand the volume on the SAN and then expand the volume in Windows.

The amount of storage you’ll need can vary widely depending on the types of users you’re supporting. I’ve seen administrative users (accountants, HR, etc.) users use as little as a few hundred megabytes and engineers use hundreds of gigs. Plan accordingly!

File server configuration

File server configuration can have an impact on Folder Redirection. Just be aware that things like antivirus or an IDS application can impact your users. Also be aware of whether or not File Screening is being used to block files on your file server since this will impact Folder Redirection also.

Consider using DFS

If you’re already using DFS, seriously consider using DFS for your folder redirections. In the event you need to change servers or create a more redundant file server, everything you need is already built in to DFS.

Stopping Folder Redirection for labs and kiosks

If you have training facilities, kiosks, or other computers where you don’t want user folders being redirected, you’ll need to use loopback processing. In most cases, using Replace will be the easiest since it will just ignore all of the User Configuration. In the event you do decide to use Merge, make sure you set a User policy that redirects all of the folders to the local user profile.

Offline Files

In most circumstances, the default settings for Offline files will probably be adequate. In the event you need to change those settings, Offline Files can be configured for the entire computer in the GPMC at Computer Configuration > Policies > Administrative Templates > Network > Offline Files. On the user side, it is located in User Configuration > Policies > Administrative Templates > Network > Offline Files. By default, Redirected Folders will be made available offline. On both sides, you can disable Offline Files by setting “Prevent use of Offline Files” to Enabled.

Folder Redirection – Prevent use of Offline Files

Disabled Offline Files and server availability

In the event you need to disable Offline Files for security reason, you’ll want to make sure that your file server is as highly available as possible. In the event your file server does need to be offline or reboot, just be aware that any logged in users will immediately lose access to their files until the file server becomes available again.

Folder Redirection – Offline Files disabled and file server unavailable

• Folder Redirection – Part 4: Group Policy configuration (0)
• Folder Redirection – Part 3: Explanation of folder permissions (4)
• Folder Redirection – Part 2: Setting up your file server (0)
• Folder Redirection – Part 1: Introduction (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

Extending Orchestrator 2012

When the standard activities aren’t enough to accomplish the automation you need, the next step is to turn to Integration Packs (IP). Currently there are IPs available from Microsoft for the System Center 2012 suite as well as for earlier SC versions, there is also IPs for HP iLO hardware and HP Operations and Service Manager; IBM Tivoli and VMware vSphere. There are also community IPs available on TechNet Gallery and Codeplex for various tasks (see resources). Configuration management tools such as Remedy and CA are also slated to have integration packs. Today there are also community IPs for SharePoint and VMware’s vSphere but I would expect more IPs, from Microsoft, third parties and the community to be published as SC 2012 gains market share.

Extending Orchestrator with IPs involves several steps: download the IP(s), register them using the Deployment Manager and then deploy them to the relevant Runbook servers. Finally they need to be configured using the Runbook Designer.

Orchestrator 2012 – the glue in System Center 2012

Orchestrator is at the center of the System Center suite – bringing what are essentially separate islands of data and functionality together to work in unison. For proof you need to look no further than the recently added Unified Installer which is an Orchestrator Runbook that automates (to a degree) the installation of all the other components of the SC suite.

Another benefit Orchestrator has over Opalis is the introduction of monitor activities, Opalis used polling monitors that were constantly checking for activity to see if a runbook should be started, with the tighter integration in SC 2012; other parts of the SC suite (particularly SCSM) can notify Orchestrator and initiate runbooks.

The amount of control that Orchestrator runbooks can exert over the other SC 2012 suite programs is remarkable, on the right hand side you can see a few of the activities that are available for SCVMM 2012.

The new Web service – Orchestrator’s secret weapon?

The authoring experience and how you work with Orchestrator is virtually unchanged from Opalis; in contrast the new feature is the Orchestrator web service. This exposes the functionality of Orchestrator through an OData / REST based interface and lets other programs see and use runbooks which may eventually lead to Orchestrator fading into the background and being the engine that orchestrates behind the scenes whilst being controlled by other applications.

Conclusion

System Center 2012 is a major revamp of the whole suite, and whilst the components are still separate, Orchestrator and the SC 2012 IPs bring them closer than ever before. For this reason alone, adding Orchestrator to your list of must have skills for the future is a good idea but when you take into account the extensive reach of Orchestrator to automate across many other disparate systems my conclusion is that getting the hang of it is crucial for the future.

Playing with Orchestrator 2012 is a lot of fun, and I must say that the visual part of me is certainly picking up how to do things quicker than when struggling in the light blue sea of PowerShell.

Resources

• Overall list of Integration Packs available for Orchestrator 2012
• List of System Center (both earlier and 2012 versions) Integration Packs available for Orchestrator 2012
• Detailed Data Manipulation functions descriptions
• Orchestrator open source Integration Pack projects on Codeplex
• SC2012 Solution Runbook Examples on Codeplex
• Orchestrator Integration Pack projects on TechNet
• Orchestrator Jump Start by Pete Zerger – in five parts
• TechNet Virtual Lab: Opalis: Incorporating Advanced Logic into Your Policies
• TechNet Virtual Lab: Opalis: Building Advanced Policies

• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

SmartDeploy is raffling off 50 end-point licenses with 1 year of basic support (value $1610 USD). The deadline for this contest is June 1, 2012. If you want a chance at winning this license, please fill out this form.

SmartDeploy Enterprise Architecture

Let me start off by saying that I am a huge Microsoft Deployment Toolkit (MDT) fan! I love the granular control, the nifty wizards, and the extensive logging. But MDT is a pain to set up and a bear to learn. Between the barrage of terminology, layers of components, and simple confusion over when a deployment share needs to be updated, an overworked admin in an overstretched shop could not dedicate the time needed to master MDT. Simplicity is where SmartDeploy Enterprise succeeds.

The entire image creation and deployment process can be summed up in five steps.

1. Building the image
2. Capturing the image
3. Packaging the drivers
4. Creating the PE media
5. Deploying the image

As we progress through each of these steps, we will cover the actual process, best practices, and some time saving tips.

Step 1: Building the Image

When installing the SmartDeploy Enterprise suite, be sure to use a physical machine. The setup will only continue if the machine is not virtual. A well-known best practice of image creation is the use of virtual machines for the master image. This practice allows for changes, such as software installation or Windows updates, to be captured in snapshots. If problems are found in the image, the image can be reverted instantly to the clean state.

SmartDeploy wisely enforces this best practice in their deployment suite. To simplify the image building process, SmartDeploy Build Wizard allows for the selection of multiple virtualization products. The Build Wizard will even go so far as to automatically create the needed VM files. When building my image, I used VMware Workstation 8, but I selected Workstation 7 as my virtualization platform.

To simplify deployment, the Build Wizard supports a variety of virtualization products.

Step 2: Capturing the Image

After the image has been created, configured, and finalized, the image can now be captured. Unlike some image management tools, SmartDeploy will automatically scan your virtual hard disks (which were created in Step 1) for operating systems. If your virtual hard disk contains multiple partitions, be sure to uncheck all but the primary partition if WDS will be used.

Direct integration with Windows Deployment Services is provided in the Capture Wizard.

When manually managing an image, one would normally alter the Unattended.XML file to enter the product key or default local administrator password. The Capture Wizard provides the ability to directly inject this information.

The Capture Wizard simplifies the management of the Unattended.xml file.

A feature that sets SmartDeploy apart from the pack of deployment suites is the ability to deploy a standard image or a differencing image. A standard image is a normal captured image in a .WIM format. A differencing image is a captured image that only deploys the differences between the new captured image and a previously captured image. For example, an organization could create a differencing image on a quarterly basis that wraps up all updates published. This granular approach cuts down on wasted space by only capturing the changes to an image. It also safeguards the original clean image by adding distinct layers.

If capturing as a differencing image, you have to select an existing previous image.

After the image has been named and the save location selected, the Capture Wizard will generate the image file.

One of the most challenging portions of image creation is driver management. To ease the pain of driver management, SmartDeploy has an innovative solution using prepackaged platform packs.

In the next post, we will cover driver management (Platform Packs), deployment media, and deployment.

If you want a chance to win 50 end-point licenses with 1 year of basic support (value $1610 USD), please fill out this form.

• Raffle: SmartDeploy Enterprise – Easy OS deployment – Part 2 (1)
• Windows deployment preflight checks – Part 2: The script (0)
• Windows deployment preflight checks – Part 1: Introduction (2)
• MDT Workbench and Windows deployment (0)
• MDT (Microsoft Deployment Toolkit) prerequisites and add-ons (0)

Now that we have a server with a share configured, we’re ready to set up the Folder Redirection in Group Policy. Folder Redirection is User configuration. Because of that, you’ll need to either create a new Group Policy Object (GPO) or edit an existing GPO that is linked to an OU for your users. Go to User Configuration > Policies > Windows Settings > Folder Redirection.

GPMC in Windows 7 Showing Folder Redirection

Right-click on one of the folder names and click Properties. In my example, I’ll be using Documents. The first thing you’ll want to set in the Target tab is how you want to redirect folders: Basic or Advanced. If you’re planning on directing every user to your new User share, then Basic will probably do for you. If you have multiple shares for Folder Redirection (possibly for departments or geographical locations), you can choose Advanced and assign specific folders for groups.

Folder Redirection Properties

Next, you’ll need to determine where you want to redirect the user folders. In most circumstances, you’ll probably want to use “Create a folder for each user under the root path.” However, you can also use a user’s home directory (if you have that attribute configured in AD), a specific path (for labs or common area computers where every user should share certain folders), and the local user profile (useful if you don’t want users reconfiguring folder locations).

Target folder location

Type in the name of your server and the path to your Users share. If you used the option to create a folder for each user under the path, you’ll see that your folder structure should be in the format \\fileserver\Users\%username%\redirectefoldername for each Folder Redirection you configure.

Root Path setting

Go to the Settings tab. Uncheck the checkbox by “Grant the user exclusive rights to Documents.” If you don’t uncheck this setting, the permissions will be configured so that even Administrators won’t be able to access the files without changing the folder permissions.

Settings Tab

Choose the settings for the remaining options that work for your environment and click OK.

That’s it! All you need to do is go to your test system, refresh Group Policy, log off, and log back in. Just be aware that when you run gpupdate, you’ll get a reminder that you need to log out and back in for the changes to take place.

In the last post of this Folder Redirection series I will share some best practices tips.

• Folder Redirection – Part 5: Best practices (1)
• Folder Redirection – Part 3: Explanation of folder permissions (4)
• Folder Redirection – Part 2: Setting up your file server (0)
• Folder Redirection – Part 1: Introduction (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

Considerations for creating a good runbook include knowing when and how often it’s going to run, which steps to include, how it’s going to start, what data is passed along from activity to activity and what’s the end result as well as how you are going to report on the results? Good design includes handling failures and warnings of activities, clear naming conventions, using link colors wisely and splitting long and complex runbooks into parent and child tasks that pass data to each other. Establishing a good naming convention and an agreed upon folder structure will minimize confusion and exporting your runbooks regularly for backup purposes is prudent.

Permissions can be set at the individual runbook level or you can group runbooks together and control security at the folder level. Read permissions let a user run and view runbooks, write makes changing possible and with full control users can alter the permissions. Security can also be controlled at the IP level, for instance you could have three different configurations for connecting to a ticketing system to match permissions for level 1, 2 and 3 help desk staff. Orchestrator provides simple version control; once a particular user has checked out a runbook for editing, no one else can alter it until it’s checked in again.

To control what systems are targeted by a runbook you can use Computer Groups in Orchestrator and these in turn can be based on AD queries, ensuring that new Exchange servers end up in the right group for example.

An example Runbook that’s part of a set of SC 2012 runbooks recently published on Codeplex.

There are several types of logging to see how Runbooks and Orchestrator is doing, I find that turning on object level logging for a Runbook gives enough insight when I’m creating and testing Runbooks. There’s both a Real time log for currently executing runbooks as well as a historic log. For each runbook you can set logging to include the values of the Published Data; either Activity specific data and / or Common Published data. There are also the Audit Trail text log files that detail the interaction of Orchestrator with external systems; this is not enabled by default. Logging can add substantial amounts of information in your database, a scheduled job can either purge this data regularly or you can manually purge runbook logs.

You can set up a runbook to notify you when it takes longer to execute than a threshold you’ve specified as well as control how many instances of a specific runbook is allowed to run simultaneously. Be careful if your runbook has a modify counter activity not to run several instances at the same time. For robustness it’s also a good idea to have an activity early in a runbook that detects if there was an earlier instance of the runbook that was terminated (server crash or other mishap) so this can be handled smoothly.

A key consideration in automation is that when things “just happen by themselves” it’s crucial to keep an eye on the environment through monitoring and reporting; there’s an Orchestrator management pack for Operations Manager that’ll help in this regard.

In this part four of five we looked at best practices for runbook creation, in the next and final part we’ll look at extending Orchestrator with Integration Packs as well as how Orchestrator fits into the System Center 2012 suite.

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

At this point, you may have noticed that we didn’t give our users very many permissions on the Users folder. First and foremost, we made sure that one user can’t see inside of another user’s folder. It’s also pretty obvious that we don’t want to give users the ability to do things like take ownership, delete files/folders, or change permissions, but a few of the other missing permissions take a little more explanation.

First off, you don’t want users to have Create files/write data permissions or they can save files into the root of the shared folder. Since we’re redirecting folders, we only want the users to be able to create folders in the root Users folder, but not individual files. Once the user creates a folder named %username%, the CREATOR OWNER permission will take over (since it is a sub-folder of Users) and will give the account full control over the %username% folder and everything inside of it.

Second, List folder/read data is also missing because we don’t want users to be able to enumerate folders in the share. Here’s what it will look like to the end user if they try to go to \\fileserver\Users:

User can’t enumerate folders

However, if the user tries to go to \\fileserver\Users\%username%, he can see all of his folders:

User CAN see inside username folder

To the Administrator, you’ll still be able to see everything on the server:

Redirected folders on server

Why would you want to do it this way? The biggest reason is that we’re giving the user the ability to create folders in the Users share. That means that there is nothing to stop a user from creating a few hundred folders and then saving files into those folders inside of Users. By removing the ability to enumerate folders in the Users share, you eliminate the ability of the user to see what is in the folder. It doesn’t stop the user from being able to create other folders or copy data into them, but it makes is much more difficult to use should they decide to try.

The other big benefit you get is that users can’t see the other user account folders that are stored in the Users share. Can’t I do that with Access Based Enumeration? Yes… Access Based Enumeration will essentially hide any files/folders to a user that he/she doesn’t have permissions to see; but, it doesn’t solve the problem of the user being able to create new folders in your Users share. If you enable Access Based Enumeration and allow users to enumerate the contents of the share, they’ll just see their %username% folder and all of the other folders they’ve created there.

In the next post I will show you how to configure folder redirection in Group Policy.

• Folder Redirection – Part 5: Best practices (1)
• Folder Redirection – Part 4: Group Policy configuration (0)
• Folder Redirection – Part 2: Setting up your file server (0)
• Folder Redirection – Part 1: Introduction (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

I recently attended the Microsoft Management Summit in Last Vegas with 5,000 fellow admins and engineers who specialize in the System Center product line. In its 14th year, MMS is still a unique Microsoft conference for sysadmins in that it’s focused exclusively on systems management using a pure Microsoft stack.

Good News! If you missed MMS, nearly all the sessions and keynotes are free online at the Digital MMS site (over 150 hours worth!). If you want to take the videos offline, someone’s written a PowerShell script to download them. Common topics beyond System Center 2012 include Hyper-V, PowerShell, Windows 7 deployment, MDT, and many more.

When you see session ID’s like EC-B101 in this article, search that ID on the Digital MMS site to watch it.

System Center 2012 is now a suite of eight products, but licensed as one suite. Even though Microsoft would like you to think it’s one product, they are still deployed as separate server apps… that is, you don’t have to deploy all of System Center 2012 to use just one component:

• Configuration Manager (SCCM. getting started: CD-B207, what’s new: CD-B330)
• Operations Manager (SCOM, what’s new: FI-B317)
• Virtual Machine Manager (SCVMM, what’s new: SV-B206)
• Data Protection Manager (SCDPM, what’s new: FI-B405)
• App Controller (VMM self-service portal plus. intro session: AM-B305)
• Orchestrator (task/job automation)
• Service Manager (user service desk)
• Endpoint Protection (previously Forefront. what’s new: CD-B332)

The Private Cloud

Microsoft is claiming that if you implement most of these products, then you’ll be on your way to enabling the “Private Cloud” in your sever room. Checkout session SV-B308 where Young Chou details what the private cloud really entails, which I found enlightening. The key takeaway for me is that virtualization of your servers is just the first piece in making your own Cloud infrastructure. You also need:

• Self-Service (Limited number of clicks to deploy a new system, high level of OS and server app deployment automation)
• Resource Pooling (Standardization plus optimization plus systems management)
• Elasticity (Grow and shrink number of virtual machines based on demand)

If you’ve ever seen the 4 stages of the Infrastructure Optimization Model (Basic, Standardized, Rationalized, Dynamic) which is a way to rate the maturity of your systems and processes, then just know that Private Cloud likely starts in the Rationalized stage. If your shop spends most of your days controlled by support tickets (reactive), and it takes you a day or more to set up a new virtual machine, then you’re likely in Basic (hey we all start there). Implementing the System Center suite could be one of the steps you take to mature your IT org toward the more advanced and automated stages where system admin life gets easier.

A few popular sessions

Are you a SCCM guru? Then Configuration Manager “State of the Union” CD-B102 will catch you up, and they also pitted common scenarios in SCCM 2007 R3 against SCCM 2012 (spoiler: 2012 killed it). A little quirky and fun.

• For OS deployment, a good bet is to search sessions by Michael Niehaus and Johan “I write a script” Arwidmark.
• In the troubleshooting arena (a skill I am always trying to hone) you want to check out Laura Chappell’s SV-B407 “Top 10 Reasons the Network is Slow” for some Wireshark kung-fu, and CD-B347 Troubleshooting Windows 7 Deployments for a exhaustive list of MDT and SCCM log locations and tips by Ben Hunter.
• Vlad Joanvic and Matt McSpirit have a unique session “Understand How Hyper-V and System Center Stand Up against the Competition” AM-B323.

The key takeaway is that all these products are “better together” as Microsoft likes to say: Data Protection Manager uses Operations Manager as a Central Console for multiple DPM servers. Orchestrator makes heavy use of Service Manager and Operations Manager. Service Manager pulls data from Configuration Manager for support tickets and some automation. The list goes on and on.

Further learning

Microsoft has a Virtual Academy with a growing System Center syllabus of documents and videos.

“How do I evaluate System Center now?” you might ask. Microsoft has an Eval Center where you can download a trial of System Center 2012 and get a summary of all the pieces to this expanding puzzle. The bundled download includes a Unified Installer that lets you run the System Center suite installer on one server, and remotely installs the components on other servers. MS says the Unified Installer is only for simplifying test environment installs.

Each product requires its own Windows Server OS (or more) so you’re looking at a minimum of 9 (yep) lab virtual machines to test out the full suite. The User’s Guide and MMS Sessions FI-B330 “System Center 2012 Unified Installer” and FI-B328 “How to Build a Microsoft Private Cloud…” can help you out.

Have you been at the MMS 2012? Please share your impressions!

• Will Windows 8 be a mess or a success? Vista or Windows 95 successor? (14)
• The evolution of Microsoft certification (2)
• What does the ‘R2′ mean in Windows Server 2008 R2? (1)
• Windows 8: The PC is dead, long live the PC (5)
• Windows Server 2008 Certification – A quick guide (0)