Friday, August 31, 2007

Microsoft releases Group Policy Best Practices Analyzer tool

I happened to catch this news and started to check out what the tool does and how useful it is. I assumed my buddy Darren Mar-Elia would be all over it, and he was. In fact, you might want to check out his tool GPExpert™ Health Reporter 1.5.

Here's his post...

Microsoft has publicly released their Group Policy Best Practices Analyzer (BPA) tool. This tool is designed to collect GP-related data from remote nodes and provide you with some ideas of things to be concerned about as it relates to Group Policy. I encourage everyone to check out the tool. In some respects, it seeks to do some of the same things that SDM Software's GPExpert Health Reporter does. I looked at the GP BPA when it was still in beta, and I must confess that I am, not surprisingly, partial to the Health Reporter for doing this kind of analysis. The problem I had and still have with the BPA is that it presents the information, while useful, in an almost incomprehensible format. It also presents so much information so as to not be very actionable. Hopefully MS will improve the tool over time but I would have a hard time recommending its use to anyone, unless they are truly a GP guru and can understand exactly what they are seeing.

In addition, I did some initial tests in my test environment using the BPA and I have to say that it appears to lack some QA before its delivery. For example, in one test I did against an XP, SP2 workstation, I got a number of warnings with the following text:

"GP_LINK is for"

Clearly it was trying to tell me something about a gplink attribute on the domain level, but I couldn't figure out exactly what. It also warned me that GPrefresh was unsuccessful but returned with error code 0 (that usually means things worked ok) and then told me it took 60 seconds for the refresh. When I ran the same test from the Health Reporter tool against the same machine, it returned a red status and indicated that Folder Redirection had failed for the currently logged on user, something I did not get from the GP BPA. The GP BPA also presents some really confusing data--and I say that as someone who sorta gets what's going on under the covers in GP. For example, the screen shot below shows a report on that XP node, and frankly, I'm not sure what it's trying to tell me, esp. when it says "Any = true".

In any case, I'm happy that MS is putting *something* out there to help folks, and it's free! Check it out.

ILM 2007 article in Windows IT Pro mag

Brian Komar authored a good article on ILM 2007 in Windows IT Pro magazine. Check it out if you're interested in ILM.

Thursday, August 30, 2007

Windows Server 2008 RTM Slips

Probably not a surprise to most folks... Rather than RTM at the end of December 2007 it will now RTM in February 2008. Generally, after RTM there's a lag (2-3 months?) until it is actually "generally available".

Does your application support Active Directory?

When I was at Microsoft I would have frequent discussions with ISVs that went something like this:

J: So, what does your product do?
I: Our product does "x".

J: It's integrated with Active Directory?
I: Of course, we use LDAP!

J: OK, let's get clear about it. You use LDAP, right? Do you use ADSI?
I: No, just LDAP.

J: So, you're integrated with LDAP directories. You're not integrated with Active Directory.
I: Well, Active Directory supports LDAP.

J: Correct, it does. But I'm really interested in advanced integration with Active Directory like "serverless bind", Group Policy integration, the ability to modify permissions on resources...
I: Ah, well, you see, but, we...sometimes, ah, our customers, bzzzt, click, blue screen

These memories came back after I read a post over at JoeWare on this topic...

I am about sick to death of running into LDAP apps that need hardcoded host names. What the hell is wrong with you people? There is a perfectly good RFC out there for locating LDAP Services (as well as other services) that works quite well and you still refuse to use it. FYI, if you don’t know about it, it is RFC 2782 - A DNS RR for specifying the location of services (DNSSRV) -

All you are doing is making your apps susceptible to single server failure and requiring businesses to try to solve issues with failover for you. You look like a bunch of schmucks, stop that shit. I know it can be done, I saw people doing it on UNIX more than five years ago.

Right on, Joe!

Just by using a bit of ADSI (or, on non-Windows platforms, a plain SRV lookup, which is what ADSI's serverless bind does under the covers) an ISV could tout another great benefit to their customers and make it look like they did all the work themselves: "Mr. Customer, our widget provides automatic failover in an Active Directory environment without any additional hardware or software!!"

Wake up and smell the coffee ISVs! Active Directory is deployed in 85% of the enterprises in the US. Pay it some respect for crying out loud.
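Here's what that SRV-based failover looks like in practice. This is an added example written for this page, not code from the original post or from JoeWare: the records for the made-up domain corp.example and the connect callback are constructed stand-ins so it runs offline, and a real client would fetch the records with a DNS library (dnspython's dns.resolver.resolve(name, "SRV"), for instance) and open a real LDAP connection where fake_connect is.

```python
"""RFC 2782 SRV-based locator for Active Directory LDAP services.

Added example, not from the original post or from JoeWare.  The SRV records
and the connect callback are constructed stand-ins so the logic runs offline;
a real client would fetch the records from DNS (e.g. dnspython's
dns.resolver.resolve(name, "SRV")) and open a real LDAP socket.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred; exhaust one priority before the next
    weight: int     # load-balancing share within a priority level
    port: int
    target: str     # host name; a lone "." means the service is unavailable


def ad_ldap_srv_name(domain: str, site: Optional[str] = None) -> str:
    """Name a DC locator queries for the domain controllers of `domain`.

    Every DC registers _ldap._tcp.dc._msdcs.<domain>; DCs also register the
    site-scoped _ldap._tcp.<site>._sites.dc._msdcs.<domain> so clients can
    prefer a nearby DC.
    """
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def order_targets(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """Order SRV records the way RFC 2782's usage rules describe."""
    if len(records) == 1 and records[0].target == ".":
        return []  # "service decidedly not available at this domain"
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        # weight-0 entries go first so they keep a small chance of selection
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # uniform in [0, total]
            running = 0
            for i, record in enumerate(group):
                running += record.weight
                if running >= pick:               # first running sum >= pick
                    ordered.append(group.pop(i))
                    break
    return ordered


def connect_with_failover(records: List[SrvRecord],
                          try_connect: Callable[[str, int], object],
                          rng=random) -> Tuple[str, int, object]:
    """Walk the RFC-ordered list and return the first target that connects.

    `try_connect(host, port)` is the caller's LDAP open: it returns a truthy
    connection or raises OSError.  This loop is the failover an app gets for
    free instead of a hard-coded host name.
    """
    failures = []
    for record in order_targets(records, rng):
        try:
            conn = try_connect(record.target, record.port)
        except OSError as exc:
            failures.append((record.target, str(exc)))
            continue
        if conn:
            return record.target, record.port, conn
    raise ConnectionError(f"no domain controller reachable: {failures}")


# Constructed records for the fictitious domain corp.example; dc3 is a
# zero-weight backup in a less preferred priority band.
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.corp.example."),
    SrvRecord(0, 100, 389, "dc2.corp.example."),
    SrvRecord(10, 0, 389, "dc3.corp.example."),
]


def demo(down=("dc1.corp.example.",), seed: int = 1) -> str:
    """Simulate the hosts in `down` being unreachable; return the DC chosen."""
    def fake_connect(host: str, port: int):
        if host in down:
            raise OSError("connection refused")
        return f"ldap://{host}:{port}"   # stands in for a real LDAP connection
    host, _port, _conn = connect_with_failover(SAMPLE_RECORDS, fake_connect,
                                               random.Random(seed))
    return host


if __name__ == "__main__":
    print(ad_ldap_srv_name("corp.example"))
    print([r.target for r in order_targets(SAMPLE_RECORDS, random.Random(1))])
    print("connected to", demo())
```

With dc1 down the client lands on dc2 every time, and dc3 is only used once both priority-0 controllers are gone, which is exactly the behaviour a hard-coded host name can never give you.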

Wednesday, August 29, 2007

Computer security = A fence around your computer

There's an article in ComputerWorld that just surfaced an old memory for me:

Friend of mine takes a course on computer security. My first question is: "So, what did you learn?" His response: "I'm not sure what the big deal is. You just make sure you have a fence around your computer building, some good door locks and a few security guards and you're okay."

I should have known. My friend had recently been promoted to a senior role in the security guard company he worked for so, of course, his computer "security" course was all about the physical security of the building.

If you read the article by "C. J. Kelly" it could have been written by my old friend. Talk about that "security guard" mentality: Wireless is a security hole therefore I must crush/kill/disable all wireless. Her attitude on wireless: "Not on my watch, thanks" she says.

I say what a crock of do-do, Ms. Kelly! Get your head out of the sand and figure out how you can use 802.1X with certificate-based authentication to control who gets onto the wireless network and to secure the traffic, or tools that prevent the wireless adapter from being used on an unsecured network.

I love her next comment: "We allowed laptops until last year...Now, only systems administrators and a few chiefs trained in laptop security have laptops."

Oh, here's another nugget: "When I travel, my eyes never leave my laptop...I try not to leave it in a hotel room but if I must, I hang out a "Do Not Disturb" sign and put the laptop in the room safe. I refuse housekeeping services." You must be a barrel of laughs when you travel. Do you also handcuff the laptop to your wrist while you're out to dinner because you can't trust it tucked under your chair?

I think you could do better, Ms. Kelly. Order everyone back to paper and start installing "Cones of Silence" in meeting rooms, offices and employees' homes.

p.s. For those of you too young to have seen the Cone of Silence in operation, I'm hoping they'll reprise its role in the upcoming "Get Smart" movie starring Steve Carell. Check out the trailer.

Copper thefts and the birth of identity management

There's an interesting story in Network World titled: "Rewards grow to quash copper cable thefts." Basically, scrap copper is going for $4/pound and "bandits" are stealing copper communications cable.

This isn't a new activity by any means. When I worked for the International Development Research Center in Ottawa (1989-1993) we deployed a Banyan VINES network that spanned the globe - including Nairobi, Kenya. Our link to Nairobi went down one day and we couldn't contact the office by telephone. Eventually a telex (remember those?!) came in saying a few miles of copper telephone cable had been "stolen" and they'd be down for a few weeks while it was replaced.

So what's the connection to identity management? In those days we had a directory synchronization product built by ZOOMIT (who I joined in '94) that would sync Ottawa and all the regional offices around the world. So while Nairobi was down things just kept synchronizing across all the other offices, including with Ottawa.

The big problem came when Nairobi came back on line. There were a ton of synchronization events queued for Nairobi and, of course, events in Nairobi that were queued to go to Ottawa and the other offices. Some of the updates walked over each other - a new user provisioned for Nairobi prior to the copper theft was deleted on the Nairobi side, updates were made on the Ottawa side and when the connection was set back up the synchronization couldn't resolve the differences.

This was one of those moments where Kim Cameron and I both realized the world needed something more than just "directory synchronization". All because of the theft of some copper cable...

Tuesday, August 28, 2007

FTTP? FiOS? part #3

This is my third post about Verizon's "fiber to the premises" (FTTP) or their "fiber optic service" (FiOS). I first commented about it coming to my area and then about the actual install. Well, I've been checking the order page daily and today I was finally able to place an order.

I've requested Verizon's 15 Mbps (down) / 2 Mbps (up) Internet service and apparently the installer will be by on September 19th to light me up (summary of my order below). The monthly fee is basically $50 for this service, which is the same that I pay Comcast for a lower grade of service.

Anyway, more on how the install pans out and if the actual speeds measure up. I will take Verizon's advice which was on the order summary: "We recommend that you wait until after your FiOS service is installed before you cancel your current provider."

Funny, that's exactly what my wife said...Along with "Why do you want to be first?"

ILM "2" beta webcasts

I'm going to be watching these live meetings on ILM "2"!
Greetings ILM "2" beta customer,

To help you in evaluating ILM "2" beta 1 the Identity Management team will conduct a number of live meetings where we will cover different aspects of the product. Those will be held every Wednesday from now through September. The purpose of the calls is to provide product information and training for Beta participants. It is also an opportunity for you to be able to provide feedback on the product.

You will find information about the topics, live meeting URL and phone numbers on the Connect site

Questions regarding the calls can be sent to

The ILM "2" team.

Dmitry Sotnikov, MVP designate

My buddy Dmitry Sotnikov has been designated an MVP for PowerShell! I guess it isn't quite official yet but he's been told. It's super awesome because he has done a ton for PowerShell. I checked out yesterday and he has over 2,500 posts! Amazing! He has a great blog, too. If you have any interest in PowerShell you need to keep an eye on both sites (and Dmitry)!

I'm hoping that we (Quest) do even more around PowerShell in 2008! (Say Steve, have you made that call yet?)

Congrats, Dmitry.

Monday, August 27, 2007

Password management in Windows Server 2008 - part deux

In a previous post I commented on the fact that there was no GUI or easy way to expose the new password policies in Windows Server 2008. Obviously, someone from our PowerGUI team saw that and created a new power pack for our PowerGUI product...

This is a PowerGUI pack providing a user interface for fine-grained password policies in Windows 2008 domains.

The pack allows you to create new policies, associate them with groups and users, see the resultant policy for a selected user, etc.

The pack has the following system requirements:
* Windows Server 2008 domain,
* AD cmdlets installed on this computer.

If you don't have AD cmdlets installed please download them from

Feel free to download and try it out - oh, and free is the operative word here!

Sunday, August 26, 2007

Separating Good from Great

I really enjoyed this short movie. I thought it really was able to illustrate the difference between good and great.

Check it out as I am sure you'll get something out of it...

Tuesday, August 14, 2007

VMware Shares Surge With I.P.O.

Pretty amazing story! So who do you invest in? VMware or the parent EMC? Or both?

Shares in the software company VMware surged 75 percent in their first day of trading, closing at $51, or $22 above the initial offering price of $29.

VMware, which raised about $1.1 billion in the offering, hopes that the strong reception in the stock market will also have strategic and marketing benefits. A valuable stock will give VMware the currency to make acquisitions, Diane Greene, the chief executive, said in an interview.

The standout public offering — the largest technology company I.P.O. since Google in 2004 — is also an “über-marketing event,” Ms. Greene said, which should widen the audience for its software.

VMware makes so-called virtual software that allows a computer to run different operating systems, or several versions of the same operating system, at the same time. In corporate data centers this means that more chores can be juggled by fewer computers, reducing spending on hardware, electricity and maintenance.

At their height today, the shares reached $55.50, or 90 percent above the offering price.

The strong opening was encouraging not only for VMware’s 3,000 employees, nearly all of whom are shareholders, but for the company’s other investors as well. In the last couple of months, both Intel and Cisco have invested in VMware.

EMC, the big computer storage and software company, will continue to own 86 percent of VMware. It paid $635 million in cash for VMware in December 2003.

Today’s closing price values the company at $19.5 billion. “It’s been a great investment,” said David Goulden, chief financial officer of EMC.

VMware’s sales increased more than 70 percent last year, and are now running at a rate of about $1 billion a year. But the company’s customers are still mainly the largest companies.

“To be really mainstream, you need to move into the smaller companies as well,” Ms. Greene said. “And the higher profile of a separate listing, an attractive stock and being more widely known should help us in the marketplace. More companies will understand our products and how they can use them.”

Active Directory DC Virtualization?

OK, I believe that customers are testing and engineering with VMware or Microsoft Virtual Server-based Active Directory domain controllers. But, are customers actually, really deploying virtualized Active Directory domain controllers in production environments???

I have yet to find a customer who said "Yes, we are!" (or maybe they don't want to admit it?)

Are you or do you know someone who has deployed virtualized Active Directory domain controllers in production?? I'd sure like to know if folks are doing that because they've overcome some of the FUD that's out there (below).

Microsoft does not test or support Microsoft software running in conjunction with non-Microsoft hardware virtualization software. For Microsoft customers who do not have a Premier-level support agreement, Microsoft will require the issue to be reproduced independently from the non-Microsoft hardware virtualization software. Where the issue is confirmed to be unrelated to the non-Microsoft hardware virtualization software, Microsoft will support its software in a manner that is consistent with support provided when that software is not running in conjunction with non-Microsoft hardware virtualization software.

Plus one has to overcome specific statements Microsoft makes around backups (and other tools) as they relate to virtual machines... (not to mention the security worries!)

Domain controllers that are running in virtual machines must be backed up and restored only by using an Active Directory-compatible backup and restore application such as NTBackup.exe. Any other method of backing up and restoring .vhd files is not recommended. Specifically, you must absolutely ensure that no personnel make copies of .vhd files that represent deployed domain controllers for the purpose of deploying additional domain controllers or for restoring a failed domain controller by starting the .vhd copy.

The reason behind that last warning is USN rollback: a domain controller started from an old copy of its .vhd comes back with the same invocation ID but an update sequence number lower than the high-water mark its replication partners have already recorded for it, so they skip the changes it makes from then on and the directory quietly diverges. A supported restore (System State via an AD-aware backup tool) avoids that by giving the DC a new invocation ID, which a copied .vhd never does.

Monday, August 13, 2007

Wow, just noticed that was my 200th post...

And I thought I had nothing to talk about. Ha! (and it was about the I-5 construction in Seattle, very technical)

The I-5 Clog Blog

For Seattleites who are putting up with major traffic disruptions due to the closure of most/many lanes of I-5 that runs through the heart of Seattle (and to/from the airport!) there's a blog you can check out for the latest. It's aptly called "The Clog" and is run by the folks at the Seattle Times.

The Clog, a blog on all things I-5 construction, will be your one-stop shop during the closure. It offers the latest news and updates, tips on alternate routes and transit, maps and gives you a chance to share your tales from the road. Check back for updates and read what others are saying.

I have a 6AM flight tomorrow morning and my car service wanted to pick me up at 3:25AM and I am only 30 minutes from the airport - the horror!

Common Criteria

What is "Common Criteria" anyway? Let's get the definition from Wikipedia...
The Common Criteria (CC) is an international standard (ISO/IEC 15408) for computer security. Unlike standards such as FIPS 140, Common Criteria does not provide a list of product security requirements or features that products must contain. Instead, it describes a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

So basically it is a standard for computer security. Common Criteria certifications are being asked for more and more by customers these days. It's not uncommon in Europe to have a customer specify that a solution has to have been Common Criteria evaluated (and certified) and with many U.S. government entities - certain "three letter" agencies especially - it has become mandatory.

We've currently got Quest's Vintela Authentication Services undergoing an evaluation for certification at "evaluation assurance level" 4+ (EAL4+), the same level at which, for example, the Windows Server operating system, Trusted Solaris and VMware's ESX Server have been certified. One caveat worth knowing: the EAL describes how rigorously a product was evaluated against the security claims in its own Security Target, not how strong those claims are, so two EAL4+ products may have been evaluated against very different sets of claims and are only comparable once you read the targets. Why bother getting a product certified?

  • Customers can compare their specific requirements against the Common Criteria’s consistent standards to determine the level of security they require.

  • Because the Common Criteria require certification bodies to prepare detailed reports about the security features of successfully evaluated products, consumers can use those reports to judge the relative security of competing IT products.

  • Customers can depend on Common Criteria evaluations because they are not performed by the vendors, but by independent testing labs. The Common Criteria is increasingly used as a purchasing benchmark; for example, the U.S. Department of Defense has a policy of using only Common Criteria-evaluated information assurance products.

  • Because the Common Criteria is an international standard, it provides a common set of standards that customers with worldwide operations can use to help choose products that meet their local operations’ security needs.

So the end result is our customers will have more information about the security of our products. I also expect that this type of rigorous testing and evaluation will help Quest build more secure products.

Saturday, August 11, 2007

Non-Slip Camera Straps

I have a Canon EOS 30D which came with the colorful Canon camera strap which I grew to hate (the strap, not the camera!). Why? The darn thing kept slipping off my shoulder all the time. I have one zoom lens which is worth more than the camera itself and the thought of everything slipping off my shoulder and crashing onto the floor, ground, dock, table top or bar made me plenty nervous.

Well, while reading a magazine one day I came across something called the UPStrap, invented by Al Stegmeyer, a photographer who was "desperate to keep his cameras and bags from slipping off his shoulder". I found a great review of the UPStrap which convinced me to shell out the nearly $40 for it.

It was well worth it! Check out the UPStrap if you're interested in a high quality, non-slip camera strap.

Friday, August 10, 2007

Dear Miss MIIS

I recently had an e-mail exchange with Carol Wapshere, who has aptly coined herself "Miss MIIS" - kind of the Dear Abby of the Microsoft metadirectory world! She's got a running blog that details her "adventures in MIIS".

She has a blog entry about yours truly where she discusses my views on MIIS being too complicated and on the lack of management and monitoring tools for identity management products generally. It's worth a read if you use MIIS or if you missed my "Tenets of Identity Management" whitepaper.

Add Miss MIIS to your list of regularly read blogs folks! I know you'll benefit from her adventures in MIIS...

Monday, August 06, 2007

Password management in Windows Server 2008

John Fontana wrote up a story on password management in Longhorn (Windows Server 2008). Here's a quote from his article: (emphasis is mine)

“This [fine-grained policy control] is solving a user pain point,” said Ward Ralston, senior technical product manager for Microsoft. He said users no longer have to worry about maintaining password policies in many different locations and segmenting users based on password policy requirements. With the new Longhorn password policy feature, Ralston said administrators will use Active Directory Services Interface (ADSI) to create a new Active Directory password object. The object is then assigned to a user or group of users. The policy requires that the user create passwords that adhere to certain rules, including how often the password must be updated.

As always, the devil is in the details! How many administrators are proficient at using "ADSI to create a new Active Directory" anything? That translates to programming to create the object. Or, you could use LDP, which is practically a fate worse than death.

There is already a great tool for creating and applying policies across your Windows network - it's called Group Policy. That's what customers today already use for setting their Windows 2000 and Windows Server 2003 password policies (one policy per domain, set in the Default Domain Policy, which is exactly the limitation fine-grained policies are meant to remove). I wonder why Microsoft isn't using Group Policy???
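To make the "use ADSI to create a new Active Directory password object" step concrete (and to show what a tool like the PowerGUI pack mentioned earlier on this page is wrapping), here is an added example written for this page, not code from Microsoft, Quest or the PowerGUI pack. It builds the attribute set for an msDS-PasswordSettings object and resolves which PSO wins for a user; the domain corp.example, the PSO names and the group links are made up, and the directory write is left as a comment (ldap3's conn.add, as one option) so the script runs offline.

```python
"""Fine-grained password policy (PSO) helpers for Windows Server 2008 domains.

Added example, not from the original post, Microsoft, Quest or the PowerGUI
pack.  The domain DN, PSO names and GUIDs below are made up; the LDAP write
is shown only as a comment so everything runs offline.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional
import uuid

# AD stores every PSO duration as a negative count of 100-nanosecond ticks
# (LargeInteger / I8); the most negative I8 means "never" / "unlimited".
NEVER = -(2 ** 63)
PSO_CONTAINER = "CN=Password Settings Container,CN=System"


def to_ad_interval(span: Optional[timedelta]) -> int:
    """timedelta -> AD interval; None -> 'never' (e.g. passwords never expire)."""
    if span is None:
        return NEVER
    return -int(span.total_seconds() * 10_000_000)


def ad_bool(value: bool) -> str:
    return "TRUE" if value else "FALSE"       # AD Boolean attribute syntax


def pso_dn(name: str, domain_dn: str) -> str:
    return f"CN={name},{PSO_CONTAINER},{domain_dn}"


def pso_attributes(name: str, precedence: int, *, min_length: int = 12,
                   history: int = 24, complexity: bool = True,
                   reversible: bool = False,
                   min_age: timedelta = timedelta(days=1),
                   max_age: Optional[timedelta] = timedelta(days=90),
                   lockout_threshold: int = 10,
                   lockout_window: timedelta = timedelta(minutes=30),
                   lockout_duration: timedelta = timedelta(minutes=30),
                   applies_to: List[str] = ()) -> Dict[str, List[str]]:
    """Mandatory msDS-PasswordSettings attributes plus optional msDS-PSOAppliesTo
    links (DNs of users or global security groups)."""
    if precedence < 1:
        raise ValueError("msDS-PasswordSettingsPrecedence must be >= 1")
    if max_age is not None and min_age >= max_age:
        raise ValueError("minimum password age must be shorter than maximum")
    attrs = {
        "objectClass": ["msDS-PasswordSettings"],
        "cn": [name],
        "msDS-PasswordSettingsPrecedence": [str(precedence)],
        "msDS-PasswordReversibleEncryptionEnabled": [ad_bool(reversible)],
        "msDS-PasswordHistoryLength": [str(history)],
        "msDS-PasswordComplexityEnabled": [ad_bool(complexity)],
        "msDS-MinimumPasswordLength": [str(min_length)],
        "msDS-MinimumPasswordAge": [str(to_ad_interval(min_age))],
        "msDS-MaximumPasswordAge": [str(to_ad_interval(max_age))],
        "msDS-LockoutThreshold": [str(lockout_threshold)],
        "msDS-LockoutObservationWindow": [str(to_ad_interval(lockout_window))],
        "msDS-LockoutDuration": [str(to_ad_interval(lockout_duration))],
    }
    if applies_to:
        attrs["msDS-PSOAppliesTo"] = list(applies_to)
    return attrs


def to_ldif(dn: str, attrs: Dict[str, List[str]]) -> str:
    """Render the add as LDIF (what ldifde/ldp would send for you)."""
    lines = [f"dn: {dn}", "changetype: add"]
    for attr, values in attrs.items():
        lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n"


@dataclass(frozen=True)
class PsoLink:
    name: str
    precedence: int
    guid: uuid.UUID
    direct: bool   # True: linked to the user; False: via a global security group


def resultant_pso(links: List[PsoLink]) -> Optional[PsoLink]:
    """AD's resolution order: PSOs linked directly to the user beat group-linked
    ones; then the lowest precedence value wins; a tie goes to the smallest
    objectGUID (compared numerically here, an assumption about AD's byte order).
    None means no PSO applies and the domain default policy is in force."""
    if not links:
        return None
    pool = [l for l in links if l.direct] or list(links)
    return min(pool, key=lambda l: (l.precedence, l.guid.int))


DOMAIN_DN = "DC=corp,DC=example"   # made-up domain


def demo():
    attrs = pso_attributes("PSO-Admins", 10, min_length=16,
                           max_age=timedelta(days=60),
                           applies_to=[f"CN=Domain Admins,CN=Users,{DOMAIN_DN}"])
    # live write with ldap3: conn.add(pso_dn("PSO-Admins", DOMAIN_DN), attributes=attrs)
    links = [   # constructed: two group links and one direct exception
        PsoLink("PSO-Admins", 10, uuid.UUID(int=7), direct=False),
        PsoLink("PSO-Helpdesk", 20, uuid.UUID(int=3), direct=False),
        PsoLink("PSO-Exception", 50, uuid.UUID(int=9), direct=True),
    ]
    return attrs, resultant_pso(links)


if __name__ == "__main__":
    attrs, winner = demo()
    print(to_ldif(pso_dn("PSO-Admins", DOMAIN_DN), attrs))
    print("resultant PSO:", winner.name)
```

The two things people trip over are visible here: the durations have to go in as negative 100-nanosecond counts (a 60-day maximum age is -51840000000000, not "60"), and a PSO linked straight to a user wins even when its precedence number is worse than a group-linked one.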

Saturday, August 04, 2007

Thank you United Airlines

I have to say that since I moved to the Pacific Northwest in 1999 that I do not miss traveling on the east coast. Summer or winter - it doesn't matter - it always seems to be a goat rodeo.

Thunderstorms in the New York area delayed my departure on Friday by over two hours. I figured for sure I would miss my connecting flight in Chicago and that would mean an overnight at the airport. Fortunately, thunderstorms in Denver delayed the aircraft and we departed at 10:15PM local time to arrive back here in Seattle around 1:30AM. I was happy to get home as I am off to Detroit tomorrow to visit with EDS on Monday. I would have hated to get home late Saturday and then turn around to fly to Detroit in less than 12 hours!

So what does this have to do with United Airlines? Well, normally most of us like to carp and complain about the airlines but I've had two awesome experiences with United Airlines over the last few weeks that I wanted to share and give UAL props for their actions...

First, my son's flight to meet us for vacation actually took off and then was canceled in mid-air when they had a mechanical problem. I was already in Chicago and we were supposed to meet at the airport. Unfortunately, it was the only flight from Missoula, Montana to Chicago. No problem, I figured my son could fly the next day to Chicago and then on to Ottawa and we'd meet him at the airport. Problem was I had his passport and he had to have it to get on the plane to Ottawa. United not only put my son up - at their expense - and gave him some meal vouchers but they also re-booked me the next day on the same flight to Ottawa with him at no charge. In addition, they gave me a super discount to stay at the Chicago-O'Hare Hilton which is attached to the airport.

Second, imagine a planeload of people who are anxious to get home to Seattle and have been bounced around, delayed, re-routed or have been sitting around O'Hare for many hours. That was us yesterday. Lots of people were frustrated and temperatures were running high. As soon as I saw that the flight was delayed to 10:15PM my first thought was that the inbound aircraft wouldn't make it and we'd be out of luck. Well it did make it! My second thought was that the crew either wouldn't make it or would exceed their number of hours either of which would result in a canceled flight - neither happened! We boarded and took off. Now here's where the thanks come in: The captain got on to say that the flight attendants all waived their "legal limits" and instead of just going to the hotel in Chicago they went ahead to Seattle. It was awesome to come home and for them to work longer than they needed to.

Thanks United!

Friday, August 03, 2007

I heart New York

I love New York. Ever since I was a kid in Ottawa it was always my dream to visit New York. Little did I know how much I'd be visiting New York! This is my first post-vacation stop on the reality tour. In fact, I left Ottawa and headed right to Gotham City.

I'm visiting a bunch of companies while I'm here including Pfizer, JPMC, Viacom, Time, McGraw-Hill and, of course, Microsoft. More on those later.

When you get here I have a few recommendations for you:

- For an awesome deli sandwich check out the Carnegie Deli. The pastrami sandwich I had there last night was two meals in itself!

- Want a slice of New York pizza? Try out Famous Original Ray's New York Pizza. The wikipedia entry gives you a good run down on the long standing feud around the "Ray's" name, too.

It's going to be a scorcher here in Manhattan today - a "spare shirt" day.

Thursday, August 02, 2007

Owls, Loons and Beers

I'm back after some fine lake time in Ontario and Québec. I even avoided e-mail for five days which was actually pretty easy since there was no internet, wi-fi or broadband access at our cottage on Grippen Lake. After a week at Grippen we moved on to our place at Mont Ste. Marie in Québec. Had a grand time with friends there and spent a beautiful day on Lac Pemichangan to cap it all off.

I got to hear lots of loons, owls and even had a few beers. Who could ask for more?