Happy Halloween 2013!

My shoes and stockings for the evening.

Happy Halloween everyone (yes blogging while waiting for trick or treaters)

And that’s about as much of a selfie as you are going to get out of me.

Group policy basics for Essentials

Kudos to Kevin Weilbacher for noticing this….. if you want to set up exactly the same Group policy organizational unit structure on your Essentials boxes…. steal from this KB:


re-create the MyBusiness OU manually. To do this, follow these steps:

  1. Open Active Directory Users and Computers.
  2. Right-click the domain name object. In the shortcut menu, point to New…, and then click Organizational Unit. Type MyBusiness to name the new object.

    Note: Type MyBusiness as one word.

  3. In the MyBusiness OU that you created in step 2, create the following OUs:
    • Computers
    • Distribution Groups
    • Security Groups
    • Users
  4. In the Computers OU that you created in step 3, create the following OUs:
    • SBSComputers
    • SBSServers
  5. In the Users OU that you created in step 3, create the following OU:
    • SBSUsers

After you finish these steps, you should have a structure that resembles the following:

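The same OU tree, scripted, as an added example (not from the KB or from the blog post): it assumes the ActiveDirectory PowerShell module is available (installed with AD DS on the Essentials server, or via RSAT) and that you run it as a Domain Admin. The OU names are the ones the KB lists; nothing else is taken from the page.

```powershell
# Added example, not from the KB or the blog: build the SBS-style MyBusiness OU tree
# on an Essentials domain with the ActiveDirectory module. Run as a Domain Admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=local

# Parent/child layout exactly as the KB lists it. Order matters: a parent must
# exist before its children are created.
$tree = @(
    @{ Name = 'MyBusiness';          Parent = $domainDN },
    @{ Name = 'Computers';           Parent = "OU=MyBusiness,$domainDN" },
    @{ Name = 'Distribution Groups'; Parent = "OU=MyBusiness,$domainDN" },
    @{ Name = 'Security Groups';     Parent = "OU=MyBusiness,$domainDN" },
    @{ Name = 'Users';               Parent = "OU=MyBusiness,$domainDN" },
    @{ Name = 'SBSComputers';        Parent = "OU=Computers,OU=MyBusiness,$domainDN" },
    @{ Name = 'SBSServers';          Parent = "OU=Computers,OU=MyBusiness,$domainDN" },
    @{ Name = 'SBSUsers';            Parent = "OU=Users,OU=MyBusiness,$domainDN" }
)

foreach ($ou in $tree) {
    $dn = "OU=$($ou.Name),$($ou.Parent)"

    # Idempotent: skip OUs that already exist so a re-run after a partial failure is safe.
    if (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'") {
        Write-Host "exists  $dn"
        continue
    }

    # Keep accidental-deletion protection on: deleting MyBusiness by mistake would
    # orphan every GPO link you later hang off this tree.
    New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Parent -ProtectedFromAccidentalDeletion $true
    Write-Host "created $dn"
}

# Show the result so it can be compared against the KB's picture before GPOs are linked.
Get-ADOrganizationalUnit -SearchBase "OU=MyBusiness,$domainDN" -Filter * |
    Sort-Object DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName
```

The existence check is what makes this safe to run twice; New-ADOrganizationalUnit on its own errors out if the OU is already there. The final listing should show the eight OUs from the KB steps, MyBusiness included.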


Essentials has the same Group Policy and the same GPMC; it just doesn’t have the prebuilt OU structure.
Courtesy of Jeff Middleton of http://www.itproexperts.com/, some words of wisdom about setting up a Group Policy structure:

There is never a case where the default (flat) Active Directory (AD) tree makes great sense in terms of Group Policy or organizing anything as the AD tree is intended to be used. For a domain/forest where no attempt is going to be made to use Group Policies, the default tree can work as-is to apply the two built-in AD policies known as Default Domain Security Policy and Default Domain Controller Security Policy. Therefore, the default arrangement isn’t something broken that you must fix; rather, it’s just absent basic organizational design. Not using Group Policies means you are not taking advantage of some powerful management options.
For any organized use of Group Policies, a tree structure makes more sense than the default with nothing done, and if you are familiar with it, you could apply policy in the manner SBS Standard introduced. The first priority you are addressing is to collect the objects you are most focused upon managing into a single location in the AD tree, an Organizational Unit (OU) for your business/organization-specific objects. You should be aware that you should not attempt to rearrange any of the existing or default “tree” objects of OUs or containers; many of these are “hardwired” path locations critical to baseline operations of AD. Therefore, creating your own top-level OU to organize your own company assets also assures that you have the freedom to arrange your assets without harming the “hardwired” structure that the AD tree defines in a new AD Forest.
A common question is whether you should create a new AD tree, or remove an existing AD tree created by someone else or by a product design such as the SBS Standard platform design. In fact, for a domain that originated in the SBS Standard design, there’s nothing wrong with continuing to use the SBS-defined OU locations; it really has nothing specifically to do with SBS other than a couple of useful policies that SBS introduced. It’s more important to understand the Group Policies being used than to be concerned about the tree itself, but the relationship between tree design and the points where Group Policies apply is part of the design of Group Policies.
Here are some guidelines to be aware of in modifying the AD tree or using Group Policies.
Critically Important Requirements
  • DCs must be located in the Domain Controllers container, deviation from this causes problems in standard Directory Services processing.
  • Do not create OUs below Domain Controllers container, deviation from this causes problems in standard Directory Services processing for having anything other than DCs in this location.
  • Default user and security group objects created by Windows as the default accounts should remain in the default Users container. This makes sense not only because some applications require this to be true; it also makes sense not to move these objects into your “managed” company tree design. Your company-specific users and security groups will be easier to manage and identify if you don’t clutter up the handful you need and use by mixing in all the built-in and default accounts. It can make sense to locate “application specific” security groups or user accounts (think: SQL-related objects installed by the SQL application) either in a separate OU within your tree, or to let them flow into the default Users container if you don’t care to organize or track them.
Recommended Design Guidelines
  • Creating a company/organization-level OU at the root establishes a top-level single location for everything other than DCs. This is the most basic and common-sense thing to do.
  • Example of the structure being discussed here:
Domain Controllers
RDP Servers
The tree above is sufficiently flexible to use minimal or very sophisticated Group Policy management. Dividing a multi-site company by site, then with the other OUs below each site would be the next most common advance in a tree design.
  • Create a tree that organizes your users, computers and security groups. The location of Security Groups objects has no significance in Group Policy, therefore, you can create an OU for Security Groups, or separate them by type (Distribution Lists vs Security Groups), but you can choose whatever makes sense to you.
  • If you use multiple “sites”, it generally makes sense to organize the site location identity below the Company Org if you are managing users and computers that are homed to those locations on a semi-permanent basis. It’s not wrong to create a top level (immediately below Organization name) as Users OU and a Computers OU with the sites below each, but as you can see immediately, that causes these “site specific branches” to be split from one another and generally makes less sense to manage a site reference this way than by physical locations, then object type.
  • A simple organization plan would prefer a separate location for workstations (user desktops) vs member servers. Many policies you apply to desktop computers might not make sense for laptops in a well-managed organization.
  • If you use Terminal Servers (RDP), you generally would prefer to have an OU specific for these that separates them from any other types of servers. This helps with applying Loopback Policies, an extremely valuable policy processing concept for multi-session RDP servers.
  • User account and Computer account objects are the only Group Policy enabled objects, and a policy will by default apply to any object that exists in the OU where the policy is applied, or for all OU containers further below that branch (sub-tree) of the OU where the policy is applied.

(and if you need advice about migration, Jeff is your man)

Got home users that need extra protection?

Looking for a way to protect home users from CryptoLocker, including those on Home SKUs?

Check out http://www.foolishit.com/vb6-projects/cryptoprevent/ (yes the url is a tad… interesting… )

But I’ll give kudos for giving a solution for Home PCs.  It is WAY easier to do this in a domain I might add.


What rules would you like to be added?


Amy blogged about some updates to the CryptoLocker tool kit.  I’ll be adding some additional exemptions and rules as well based on some of the stuff I’ve seen posted on the web, but are there any specific items you’d like added to the list?

Up next in the SMBKitchen docs will be an article on application whitelisting as well as one on how to manage “updates” using Office 2013 click to run.

The push for Microsoft accounts

In the 8.1 release Microsoft makes it really clear that they want you to have Microsoft accounts.  Really clear.  So clear it’s really hard to keep them during the upgrade from 8 to 8.1.

You can also see the push to Microsoft accounts in other areas on the box as well.


Supporting Windows Mail 8.1 in your organization – Exchange Team Blog:

Microsoft Accounts

By default, users are required to have a Microsoft account, formerly known as Windows Live ID, to use the Windows Communications apps. This will usually be the Microsoft account that the user is signed into Windows with, but if they have not done so, they will be prompted to provide one before proceeding.

If the Microsoft account is…                   Mail will…
Outlook.com or Hotmail account                 Automatically sync email, Calendar and Contacts using Exchange ActiveSync
Not an Outlook.com or Hotmail account          Prompt the user to provide the password for their email account
(for example, dave@contoso.com)

Can my organization remove the requirement for a Microsoft account?

You can apply a Group Policy to a device to make a Microsoft Account optional for the Windows Communications apps.

Note, the Group Policy setting is configured in Computer Configuration node in the Group Policy and applies to all users of the computer/device to which it’s applied. The policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. Windows RT devices can use Local Group Policy.

To apply the Group Policy setting:

  1. Launch GPEdit by opening the “run” prompt (Windows key + r), and entering GPEdit.msc
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App runtime
  3. Select Allow Microsoft accounts to be optional to configure the policy

If the Group Policy is applied and a Microsoft account is not used, the Communications apps will:

  1. Prompt the user for a work account (i.e. an Exchange ActiveSync account) password
  2. If account credentials are provided, use Exchange ActiveSync to synchronize email, Contacts and Calendar from the work account

A user can add additional accounts if desired. You can use corporate firewalls or other mechanisms to block access to any consumer email services as needed.

The following functionality will be unavailable to a user without a Microsoft Account:

  • Windows Store Application Installs
  • Account Settings roaming to additional devices
  • Connectivity to additional 3rd party services (e.g. Social sites)
  • Email communication from Microsoft regarding any updates to Microsoft Services Agreement.
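A scripted version of the same setting, as an added example (not from the Exchange Team Blog post or from the blog author): it writes the registry value that the “Allow Microsoft accounts to be optional” policy is backed by (MSAOptional, a DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) on a stand-alone machine, reads it back, and for domain-joined machines puts the same value into a GPO with the GroupPolicy module. The GPO name 'Workstation Baseline' is a placeholder, and the GroupPolicy module (installed with GPMC) is assumed to be present.

```powershell
# Added example, not from the Exchange Team Blog post: set "Allow Microsoft accounts
# to be optional" from PowerShell and verify it. The policy is registry-backed; enabling
# it in GPEdit writes MSAOptional = 1 (DWORD) under the Policies\System key below.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'MSAOptional'

function Get-MsaOptionalState {
    # Mirrors what GPEdit displays for the setting: Enabled / Disabled / Not Configured.
    $v = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    switch ($v) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { 'NotConfigured' }
    }
}

# --- Stand-alone machine (home SKU, not domain-joined): same effect as Local Group Policy.
# Needs an elevated prompt. The Policies\System key normally exists; create it if it doesn't.
"Before: $(Get-MsaOptionalState)"
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name $valueName -Type DWord -Value 1
"After:  $(Get-MsaOptionalState)"

# --- Domain: set the value once in a GPO instead of touching every machine.
# 'Workstation Baseline' is a placeholder; use a GPO linked to the OU holding the 8.1 clients.
$gpoName = 'Workstation Baseline'
$gpoKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$gpo = $null
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { "GPO '$gpoName' not found; skipping the domain step" }

if ($gpo) {
    Set-GPRegistryValue -Name $gpoName -Key $gpoKey -ValueName $valueName -Type DWord -Value 1 | Out-Null

    # Confirm the GPO now carries the setting; clients pick it up at the next gpupdate /force.
    Get-GPRegistryValue -Name $gpoName -Key $gpoKey -ValueName $valueName |
        Format-Table ValueName, Type, Value -AutoSize
}
```

On a domain-joined box the GPO value wins over anything written locally at the next policy refresh, so the stand-alone half is only meaningful for machines outside the domain; the Before/After lines give you the same Enabled/Not Configured check GPEdit would, without opening the console.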

So is cryptolocker really that bad?

So I saw an interesting comment on a web site.  Someone said that the CryptoLocker virus wasn’t a big thing.  As long as you were able to stop the process on the machine you would have an easy clean up.  I think that this person got lucky and didn’t really get hit with the real CryptoLocker virus.  With the one out there, by the time you see evidence of it, it has already encrypted files on your computer and network drives, and it’s too late.  The virus may be “easy” to clean up – but it’s the damage done by CryptoLocker that is the real problem.


Did a few more updates the other day, probably will tweak it again.  But will also do a whitepaper on application whitelisting too.

Updating a Windows 8 laptop

I have a friend who gave me a Windows 8 laptop to look at.  Nothing I do to it will make it take updates. I can’t even delete the software distribution folder.  I’ve scanned it for malware.  I’ve refreshed the image.  Nothing works.

So I’m going to nuke and pave this little guy. 

How in the world can mere mortals handle this?

Not ready to give a thumbs up

We’re at the two week mark past Patch Tuesday and I’m not comfy giving a thumbs up to the following updates:

  • 2884256

    MS13-081: Description of the security update for USB drivers: October 8, 2013

  • 2883150

    MS13-081: Description of the security update for kernel-mode drivers: October 8, 2013

  • 2876284

    MS13-081: Description of the security update for kernel-mode drivers: October 8, 2013

  • 2868038

    MS13-081: Description of the security update for USB drivers: October 8, 2013

    Known issues in security update 2868038:

    • After you install security update 2868038, your audio playback device may be reset to use the system speaker. To configure the audio playback device, follow these steps:
      1. Click Start, type sound, and then click Sound.
      2. Click the Playback tab.
      3. Click the audio device that you want to use, click Set Default, and then click OK.

      Note You might have to restart your computer for the change to take effect.

  • 2864202

    MS13-081: Description of the security update for USB drivers: October 8, 2013

  • 2863725

    MS13-081: Description of the security update for USB drivers: October 8, 2013

  • 2862335

    MS13-081: Description of the security update for USB drivers: October 8, 2013

  • 2862330

    MS13-081: Description of the security update for USB drivers: October 8, 2013

    Known issues in security update 2862330:

    • After you install security update 2862330, your computer may restart two times. For more information about updates that require multiple restarts, click the following article number to view the article in the Microsoft Knowledge Base:

      Software updates that require multiple restarts may cause task sequence failure in Configuration Manager

  • 2855844

    MS13-081: Description of the security update for kernel-mode drivers: October 8, 2013

  • 2847311

    MS13-081: Description of the security update for kernel-mode drivers: October 8, 2013

  • All of these are part of the Windows kernel and USB driver updates released as MS13-081.

Gotta love the resolution…

You cannot complete some downloads on the MSDN Subscriptions website:

Love the resolution!

Creating Self Signed Cert for HyperV


Boon Tee just talked about his blog post about how to generate self-signed certs for Hyper-V replication.  That’s the URL he just referred to in his talk.