Category Archives: IT Pro

The Price of Quality

During the summer I was sitting with a student of mine having a drink after class.  For those of you who do not know me, let me reassure you that I have not in many years taught anyone who was not old enough to drink.

We were sitting in a bar in Portland, Maine and after reviewing their brief list of scotch whiskeys I ordered an eighteen year old Macallan.  He ordered a beer, and as we took our first sips he told me that he couldn’t justify paying $12 for a scotch when the $7 scotch was just as good.  For the record this was a very reasonable bar.

I told him that for my tastes they are nothing near the same.  He said ‘Okay, so let’s say the more expensive scotch is 10% better than the cheaper scotch, does that really justify the expense?’  I asked if he had ever tried the ‘good stuff’ and he admitted that he had not.  He did like scotch, and was happy to be proven wrong.

I called the bartender over and explained our disagreement.  I asked her to pour him a glass of the eighteen year old Macallan, and asked if she would mind giving him just a sip of the twelve year old Glenfiddich (no slouch, but definitely the inferior of the two) to compare it to.  He tasted the Glenfiddich, and then (after a sip of water) tasted the Macallan… and you could see in his eyes with that first sip that he knew I was right… the difference was definitely substantial!

Of course, there was a time when I did not appreciate the difference either.  When I was in the army I drank cheap scotch and smoked cheap cigars; my first car was a used Subaru Justy.  The truth is that in life you get what you pay for.

The day I took my first sip of single malt scotch was the day I stopped drinking blends.  The day I smoked my first Cuban cigar (yes, my American friends, it is legal in Canada… although I smoked it in Israel where it was also legal) was the day I stopped smoking the crappy ones.  As I have said many times I would rather have one good scotch than three mediocre ones, and I would rather have one good cigar than three crappy ones.

For the record I drove that Subaru Justy for 9 months until it started falling apart, and didn’t trade too far up.  There is a difference between relatively inexpensive consumables and transportation, and in the years after my release from the army I was in no financial shape to buy anything nicer.  However I had driven better cars and looked forward to the day when I would be able to buy one… and I did.

Quality costs money.  You can buy an inexpensive suit and it will last a few months before the signs start to show, or you can buy a better suit that will last longer (I am told… I haven’t bought a lot of good suits in my life).  You can buy a cheap suitcase and expect to replace it after a number of uses (been there, done that!) or you can buy high-end suitcases that will last.  When my wife told me what she paid for my Briggs and Riley luggage I nearly fainted; five years and hundreds of flights later I swear by those suitcases, and have since bought several of the matching bits to complete the collection.

It is no different when you buy a computer, or when you hire an IT Professional.  You (more often than not) get what you pay for.  Higher end systems last longer and work better, and higher end IT Professionals will save you money in the long run.

Unfortunately when it comes to IT Pros sometimes you do not get what you paid for.  I have heard horror stories from customers and community members about consultants who over-charge and under-deliver.  That is why, just like when you choose a tailor, price should not be the only factor.  You have to do your research… look them up on-line, ask people for recommendations, and when interviewing the IT Pro (yes, you can and should do that) you should ask for references.  While a list of certifications is important, it means nothing without a list of prior satisfied customers.  Let’s face it, people can cheat on exams… it is a lot harder to cheat on your clients.

It sounds like I am perpetuating the cycle that you can’t get experience without a job and you can’t get a job without experience.  That is absolutely not the case.  Inexperienced IT Pros should spend some time working for more seasoned IT Pros who can show them the ropes, guide them, and have them work on projects which will give them experience.

Of course this means that more often than not an IT Pro will not work for the same company for his entire career.  That was the case before anyway, even though it may not have been explained as such.  However as an IT Director it would be irresponsible of me to give a large architecting contract to an inexperienced IT Pro (IT Amateur?) who may have learned from books but has never been hands on.  In the same way, I would never let a new tailor who just bought his first sewing machine make my suits… although it would not bother me if that young tailor was assisting with or being supervised by a more seasoned tailor.

While I am not a supporter of unions, I believe the electricians have it right.  After school you take an apprenticeship, and that could have you sweeping floors on some days and doing work that some people today seem to feel is beneath them.  It is how you pay back the Master Electrician for whom you are working for taking you under his (her) wing and teaching you.  After the apprenticeship you get licensed, and soon enough (I do not know when or how) you too become a Master Electrician.

I would love to see the same sort of system in place for IT Professionals, but I know that it is just a dream.  However without that sort of system it is incumbent upon our new IT Pros to seek out the mentorship of experienced IT Pros, and if some of those were to take on that responsibility I believe that we would have a profession worthy of the respect that I hope we are generally afforded.

And now, as I close, I am going to put my laptop back into my Briggs and Riley laptop bag, and rest for the remainder of the flight which, I hope, is being flown by a very qualified and well-paid pilot.

This is getting interesting…

Last year I was asked to participate in the Canadian launch tour for Microsoft Office 365.  At first I was hesitant, but I am really glad that I did.  I got to meet and speak to a lot of interesting people across the country who do not usually come out to my sessions on Windows Server, Virtualization, and System Center 2012.

After my presentation and demos in Toronto my friend and local (well… Guelph) SMB-guru Sharon Bennett came to speak to me in the Microsoft booth, and told me that she was surprised by a lot of the features I was able to demonstrate with the new software and SAAS (Software As A Service) offerings from Microsoft.  We had a good discussion during which she confided that she had been a loyal GMail user for years, but based on my demos she was going to try out Office 365.

Like most of you, I get a lot of ‘interesting’ titles in my Inbox, although my spam filter does a great job of keeping most of them out of sight.  So when I saw one this morning with the title ‘50 Shades of Grey’ I was surprised.  When I saw that Sharon’s name was attached to it I decided to investigate… and sure enough, it was a legitimate article from my favorite SMB Blogger :)

E-Mail Affairs: My Version of “50 Shades of Grey” is a very interesting read about a relationship that many of us have – this almost sordid affair with our e-mail provider; how we are expected to be fiercely loyal, but how when we veer from that path it can be exciting and such.  As with real-life affairs it can even lead to an eventual break-up.

I am always happy to read Sharon’s writings, and hope one day to be able to attend one of her sessions.  If you are interested in SMB IT from a fresh and fun perspective I suggest you give her a read!

What not to Learn… Revisited for 2013!

In October, 2011 I posted an article called vPTA: What NOT to take away from my 1-day virtualization training!  It was only partly tongue-in-cheek on the environment that I have been using for several years to demonstrate server virtualization from a pair of laptops.  A few months later Damir Bersinic took that list and made some modifications, and published it on this blog as Things NOT To Take Away from the IT Virtualization Boot Camp.  Because we spend so much time in our IT Camps demonstrating similar environments, I decided it was a good time to rewrite that article.

Normally when I revisit an article I would simply republish it.  There are two reasons that I decided to rewrite this one from scratch:

  • The improvements in Windows Server 2012, and
  • My more official position at Microsoft Canada

Since writing that original article I have tried to revise my writing style so as to not offend some people… I am trying to be a resource to all IT Professionals in Canada, and to do that I want to eliminate a lot of the sarcasm that my older posts were replete with.  At the same time there are points that I want to reinforce because of the severity of the consequences.

Creating a lab environment equivalent to Microsoft Canada’s IT Camps, with simple modifications:

1. In our IT Camps we provide the attendees with hardware to use for their labs.  Depending on the camp attendees will work in teams on either one or two laptops.  While this is fine for the Windows 8 camps, please remember that in your environment – even in a lab where possible – you should be using actual server hardware.  With virtualization it is so simple to create a segregated lab environment on the same server as your production environment, using virtual switches and VLAN tagging.  In environments where System Center 2012 has already been deployed it is easy enough to provision private clouds for your test/dev environments, but even without that it is a good idea.  The laptops that we use for the IT Camps are great for the one- or two-day camps, but for longer than that you are going to risk running into a plethora of crashes that are easy enough to anticipate.

2. You should always have multiple domain controllers in any environment, production or otherwise.  Depending on who you speak to many professionals will tell you that at least one domain controller in your domain should be on a physical box (as opposed to a virtual machine).  I am still not convinced that this does not fall into the category of ‘Legacy Thinking’ but there is certainly an argument to be made for this.  Whether you are going to do this in physical or virtual, you should never rely on a single domain controller.  Likewise your domain controllers should be dedicated as such, and should not also be file or application servers.

3. I strongly recommend that shared storage for your virtualization hosts be implemented on Storage Area Networks (SANs).  SAN devices are a great method of sharing data between clustered nodes in a failover cluster.  In Windows Server 2012 we have included the iSCSI Software Target that was previously an optional download (The Microsoft iSCSI Software Target is now free).  While this is still not a good replacement for physical SANs, it is a fully supported solution for Windows Failover Cluster Services, including for Hyper-V virtual machine environments.  It is even now recognized as an option for System Center 2012 private clouds.  As well, the Storage Pools feature in the new Server is a compelling feature to consider.  However there are some caveats to consider:

A. Both iSCSI software targets and Storage Pools rely on virtual storage (VHDX files) for their LUNs and Pools.  While VHDX files are very stable, putting one VHDX file into another VHDX file is a bad idea… at least for long-term testing and especially for production environments.  If you are going to use a software target or Storage Pool (which are both fully supported by Microsoft for production environments) it is strongly recommended that you put them onto physical hardware.

B. While Storage Pools are supported on any available drive architecture (including USB, SATA, etc…) the only architectures that are supported for clustered environments are iSCSI and SAS (Serial Attached SCSI).  Do not try to build a production (or long-term test environment) cluster on inexpensive USB or SATA drives.

C. In our labs we use a lot of thin-provisioned (dynamically expanding, storage-on-demand) disks.  While these are fully supported, it is not necessarily a best practice.  Especially on drives where you may be storing multiple VHDX files you are simply asking for fragmentation issues.

4. If you are building a lab environment on a single host, you may run into troubles when trying to join your host to the domain.  I am not saying that it will not work – as long as you have properly configured your virtual network it likely will – but there are a couple of things to remember.  Make sure that your virtual domain controller is configured to Always Start rather than Always start if it was running when the service stopped.  As well it is a good idea to configure a static IP address for the host, just in case your virtual DHCP server fails to start properly, or in a timely fashion.

5. Servers are meant to run.  Shutting down your servers on a daily basis has not been a recommended practice for many years, and the way we do things – at the end of the camp we re-image our machines, pack them into a giant case and ship them to the next site – is a really bad idea.  If you are able I strongly recommend leaving your lab servers running at all times.

6. While it is great to be able to demo server technologies, when at all possible you should leave your servers connected (and turned on) in one place.  If you are able to bring your clients to you for demos that is ideal, but it is so easy these days to access servers remotely on even the most basic of Internet connections.  If your company does not have a static IP address I would recommend using a dynamic DNS service (such as dyndns.com) with proper port-forwarding configured in your gateway router to access them remotely.

7. I am asked all the time how many network adapters you need for a proper server environment.  I always answer ‘It depends.’  There are many factors to consider when building your hosts, and in a demo environment there are concessions you can make.  However unless you have absolutely no choice it should be more than one.  For a proper cluster configuration (excluding multi-pathing and redundancy) you should have a production network, a storage network, and a heartbeat network… and that is three just for the bare minimum.  Some of these can share networks and NICs by configuring VLANs, but again, preferably only in lab environments.  Before building your systems consider what you are willing to compromise on, and what is absolutely required.  Then build your architectural plan and determine what hardware is required before making your purchase.

7a. While on the subject of networks, in our demo environment the two laptop-servers are connected to each other by a single RJ-45 cable.  BUY SWITCHES… and the ones that are good enough for you to use at home are usually not good enough for your production environment!

8. Whenever it is at all possible your storage network should be physically segregated from your production network.  When physical segregation is not possible then at least separating the streams by using VLANs is strongly recommended.  The first offers security as well as bandwidth management; the second offers only security.

9. Your laptop and desktop hardware are not good-enough substitutes for server-grade hardware.  I know we mentioned this before, but I still feel it is important enough to state again.

10. In Windows Server 2008 R2 we were very adamant that snapshots, while handy in labs and testing, were a bad idea for your production environment.  With the improvements to Hyper-V in Windows Server 2012 we can be a little less adamant, but remember that you cannot take a snapshot and forget about it.  When you delete or apply a snapshot it will now merge the VHDX and AVHDX files live… but snapshots can still outgrow your volume so make sure that when you are finished with a snapshot you clean up after yourself.

11. Breaking any of these rules in a production environment is not just a bad idea, it would likely result in an RGE (Resume Generating Event).  In other words, some of these can be serious enough for you to lose your job, lose customers, and possibly even get you sued.  Follow the best practices though and you should be fine!
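The following PowerShell script is an added example, not part of the original post or of the IT Camp materials: it audits a Hyper-V host against items 2, 4, 8 and 10 of the list above (redundant domain controllers, Always Start on virtual DCs, a static host address, VLAN separation and stale snapshots). It assumes the Hyper-V module on Windows Server 2012 or later, an elevated session, and that VM names matching the `$DcPattern` wildcard are your domain controllers; both the pattern and the snapshot age limit are assumptions you can change.

```powershell
# Added example (not from the original post). Audits a Hyper-V host against
# several of the checklist items above. Assumptions: Hyper-V PowerShell
# module present, session running elevated, DC VMs named like $DcPattern.
param(
    [string]$DcPattern = 'DC*',          # assumed naming convention for DC VMs
    [int]$SnapshotMaxAgeDays = 7          # assumed limit before a snapshot is "forgotten"
)

function Invoke-LabHostAudit {
    param([string]$DcPattern, [int]$SnapshotMaxAgeDays)

    $findings = New-Object System.Collections.Generic.List[string]
    $allVMs   = @(Get-VM)

    # Item 2: never rely on a single domain controller.
    $dcs = @($allVMs | Where-Object { $_.Name -like $DcPattern })
    if ($dcs.Count -lt 2) {
        $findings.Add("Item 2: only $($dcs.Count) VM(s) match '$DcPattern'; deploy at least two domain controllers.")
    }

    # Item 4: a virtual DC must be 'Start' (Always Start), not 'StartIfRunning'.
    foreach ($dc in $dcs) {
        if ($dc.AutomaticStartAction -ne 'Start') {
            $findings.Add("Item 4: DC '$($dc.Name)' AutomaticStartAction is '$($dc.AutomaticStartAction)'; " +
                          "fix with: Set-VM -Name '$($dc.Name)' -AutomaticStartAction Start")
        }
    }

    # Item 4: the host should not depend on a DHCP server that may itself be a VM.
    $dhcpAddrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' -and $_.InterfaceAlias -notlike 'Loopback*' }
    foreach ($a in $dhcpAddrs) {
        $findings.Add("Item 4: host address $($a.IPAddress) on '$($a.InterfaceAlias)' is DHCP-assigned; use a static address.")
    }

    # Item 8: storage traffic should be separated from production, physically or by VLAN.
    # Heuristic: a single external switch with no VLAN-tagged VM adapters means everything shares one wire.
    $externalSwitches = @(Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' })
    $taggedAdapters   = @($allVMs | Get-VMNetworkAdapterVlan | Where-Object { $_.OperationMode -ne 'Untagged' })
    if ($externalSwitches.Count -le 1 -and $taggedAdapters.Count -eq 0) {
        $findings.Add("Item 8: one external switch and no VLAN tagging; storage and production traffic are not separated.")
    }

    # Item 10: snapshots are fine for labs, but must not be left to outgrow the volume.
    $cutoff = (Get-Date).AddDays(-$SnapshotMaxAgeDays)
    foreach ($snap in ($allVMs | Get-VMSnapshot)) {
        if ($snap.CreationTime -lt $cutoff) {
            $findings.Add("Item 10: snapshot '$($snap.Name)' on '$($snap.VMName)' is from $($snap.CreationTime.ToShortDateString()); " +
                          "merge it with: Remove-VMSnapshot -VMName '$($snap.VMName)' -Name '$($snap.Name)'")
        }
    }

    return $findings
}

$results = Invoke-LabHostAudit -DcPattern $DcPattern -SnapshotMaxAgeDays $SnapshotMaxAgeDays
if ($results.Count -eq 0) {
    Write-Host "No findings: host matches the checklist items audited."
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

The script only reports; each finding quotes the cmdlet that would fix it so you can review before changing a running lab.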

Microsoft Canada Partner Summit: CATCH IT!


Hey folks!  If you are a Microsoft Partner in Montreal, Toronto, or Vancouver then I’m happy to tell you that I am coming back to town!  Of course, I won’t be alone… I am coming with the whole Windows and Office Partner Summit!

Windows 8, the new Office and Windows Server 2012 are coming soon and if you are a Reseller Partner, we would like to invite you to the Partner Summits on Windows and Office. This is your opportunity to get the latest sales training and information on Windows 8, the new Office, and Windows Server 2012. Join us for this in-depth training event delivered by Microsoft subject matter experts and experience the simplicity, speed, beauty, and power of these exciting new products.

HP, Intel, Lenovo, Samsung, Sony, Toshiba and Microsoft Hardware will be showcasing their latest hardware for you to try out.

Register today as space is limited for an event in the city near you:

Montreal, QC – November 15, 2012

Toronto, ON – November 21, 2012

Vancouver, BC – November 28, 2012

Additionally, connect with representatives from Microsoft authorized distributors in Canada.

This training will take you through what’s new in Windows 8 and the new Office and how you can take advantage of the great opportunities these products offer you. The day will also cover a breadth of valuable information including:

  • Value for Business
  • Sales Opportunities
  • Devices
  • Partner Incentives
  • Product Demos
  • Licensing
  • …and more!

I will be speaking on two topics: Windows 8 Device Management and Windows Server 2012.  Additionally, I will be doing some of the demos to help a couple of the presenters.  I’d love to see you there, so come on out and say hi!

…and remember to download your evaluation copy of Windows Server 2012 today!

Windows 8: Why you should be excited!

This post was originally published on the Canadian IT Pros Connection

It is finally here. Microsoft’s most anticipated operating system in years is ready for prime time, and all around the world the enthusiasts are downloading bits, stores are putting out their new offerings with the new OS, and IT Pros around the world are asking the same question they have asked for years: do I need to upgrade my organization?

Of course, this is not a question that is going to be new to you as IT Pros. You evaluated Windows 7 and the answer was a resounding yes. For many organizations that transition has only recently completed or, in some cases, is still going on. For enthusiasts the question may be as simple as ‘what’s new and exciting?’ but for professional organizations you as IT Pros will have to make a business case that demonstrates a solid return on investments (ROI) and a lower total cost of ownership (TCO).  In this article I will demonstrate the value of win8 that will help make the decision to begin a transition plan for your organization easier.

The Application Compatibility Story

One of the biggest roadblocks that organizations had to consider when planning their migration to Windows 7 was application compatibility. It really didn’t matter how good the new OS was; if their business applications did not work then they had a problem. Fortunately there were several mitigations for incompatible applications, and most organizations were in the end able to deploy Windows 7. Nearly all of those mitigations will port over to Windows 8 (including the Application Compatibility Toolkit shims, Microsoft Enterprise Desktop Virtualization (MED-V), and Remote Desktop Applications (RD Apps)). In short, if your applications worked in Windows 7, they will work in Windows 8… period. The goal of the development team was a one hundred percent (100%) application compatibility story between Windows 7 and Windows 8, and it looks like they achieved it. Wow.

But what about Windows 8 (modern) apps?

Windows 8 apps are not backward compatible to earlier versions of the OS; but that is not what you are trying to achieve. All of your Windows 8 apps will work on Windows 8, as well as all of your Windows 7 apps – whether they be on the desktop, in an RD session, or in the modern interface.

I’ve already built this whole deployment infrastructure for Windows 7…

Whether you used the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager (ConfigMgr) as the engine to deploy Windows 7, you have already built the deployment infrastructure needed to deploy Windows 8. You may need to upgrade MDT (updating MDT is not a difficult process, and from there upgrading your MDT Deployment Points (DPs) is a right-click away) or apply a service pack for System Center, but once you have done that all you are going to have to do is import your Windows 8 into your DPs and then create a new Task Sequence (TS). That’s it… nothing more. Once your DPs are updated you are ready to deploy Windows 8, and since your application packages from Windows 7 are all compatible with Windows 8, you are golden!

But what about Windows 8 (modern) apps?

While your modern apps are going to install differently from your legacy apps, rest assured that they will still deploy from your MDT and ConfigMgr deployment points. Of course you have probably heard about the Windows Store, and as a one-off you will still be able to buy apps from there; however for your deployment scenarios you will be able to side-load your modern apps from your DPs.

Won’t I have to retrain my users?

When you start Windows 8 it is going to look different from Windows 7 – you guessed it, the Start button is gone. In its place is a full-screen Start Menu that is going to take most users 5 minutes to understand and not much longer to get used to. Beyond that, the OS goes out of its way to be more user friendly than its predecessor. The new interface is optimized for touch, but is just as easy for users working with the mouse and keyboard to navigate.

Now it is true, as the IT Pro you may need a little more training than your end-users; not much, but some. Chances are you will be able to read a few blog articles (such as those on the Canadian IT Pro Connection) to get up to speed, but if you do need more there is training already available for you in many forms – the Microsoft Virtual Academy will have lessons that you can go through in order to get up to speed quickly. Microsoft Learning currently has a number of courses in beta which you will be able to take at a Learning Partner; additionally there are several exams that you will be able to take to prove your competency in the new platform, both to yourself and to potential customers and employers. The Microsoft Certified Solutions Associate (MCSA) is a great way to prove that you are not only competent, but that you have taken the time to learn it right and to prove it.

Microsoft Learning has revamped their certifications in this, its twentieth year of operations. The Solutions in MCSA means that certs are no longer focused on individual products, but on the infrastructure as a whole, which means that you should not be surprised to see questions about some of the Solution Accelerators that Microsoft offers (such as the Microsoft Deployment Toolkit, and the extremely handy Microsoft Assessment and Planning Toolkit). They have been listening to you and understand that we are not deploying Windows in a vacuum, and understanding the different components of the ecosystem and how they work together is more important to you than knowing what button to press.

How do I know what SKU is right for me?

Once again Microsoft has listened to you; the Windows 8 SKU line-up is now simpler, with Windows 8, Windows 8 Pro, Windows 8 Enterprise, and Windows 8 RT (for ARM based devices).

For businesses large and small there are really only two editions: Pro builds on Windows 8 with key security, mobility, and virtualization features. The most notable feature improvement in Windows 8 Pro over Windows 7 is BitLocker, the drive encryption technology that was previously only available in the Enterprise SKU.

Windows 8 Enterprise brings key mobility benefits such as Windows to Go (WTG), Direct Access, and BranchCache, as well as even more virtualization benefits with Virtual Desktop Infrastructure (VDI).

Windows RT is a new member of the Windows family, and will come installed on devices with ARM processors. For users who have been asking for tablet devices that are light, easy to use, have a long battery life, and deliver a high quality and predictable experience, tablet devices running Windows RT are the obvious answer. They are the only tablets on the market that run the same applications as you do on your desktop. That means there is no need to convert your files, and you will not lose any formatting going from one device to the other. Additionally if you buy an app from the Windows Store for your desktop it will immediately work on your tablet as well.

Windows RT offers another distinct advantage over competitive devices – security. With on-device encryption you can rest assured that the data that is important to your business remains secure.

But what about my legacy apps?

It is true, Windows RT will not have a desktop mode that other editions will have. However it will have the same Remote Desktop application that all Windows 8 devices have, and will be a great platform for RemoteApps and Remote Desktops, and is the ideal platform for Bring Your Own Device (BYOD) scenarios.  Additionally it comes complete with several VPN clients built in, including Cisco, CheckPoint, and of course the Microsoft VPN client.

Some of my users love the Windows 8 features, but occasionally need Windows 7…

It is not uncommon to hear of situations like this, which is why Virtual PC was such a popular download in Windows 7. Client-Side Hyper-V is going to be very popular for those people who want the speed and security of Windows 8, but also need to support older platforms. Hyper-V on Windows 8 offers the same Type 1 hypervisor that you use in your datacenter servers, and allows you to run an operating system within your operating system – whether that is Windows 7, XP, Windows Server, or any supported flavor of Linux. In fact, as long as you can install it on x86 hardware, you can install it in a virtual machine.

If you are tight on RAM then dynamic memory in Hyper-V will be a godsend to you, allowing you to set Startup RAM, Minimum RAM, and Maximum RAM per virtual machine so that it only uses what it needs at any given point. For advanced users running multiple VMs on your client, the Memory weight and Memory buffer settings make it easier to allocate contended resources where they are most crucial.

Almost all of the features of Hyper-V in Windows Server 2012 are available on the client, with a few obvious exceptions that nobody is really going to miss. Knowing that, many IT Pros will seize this opportunity to get to know Hyper-V before they set out to deploy it in their datacenter servers!

I feel the need… for speed!

Windows 7 was the fastest OS that Microsoft had released in many years; once it was booted, it was faster than Windows XP (on hardware that supported both systems), not to mention Windows Vista. Windows 8 has only improved on this, with a much faster boot time, as well as improvements to memory management that prevent memory clogs where applications that are loaded but not in use cause your system to slow down. The development team was very conscious of the fact that modern users do not want to be kept waiting by their PCs, laptops, and tablets; you need devices that move at the speed of life, and Windows 8 will do just that.

Microsoft has made the hardware certification process much stricter on Windows 8 than it has been, ensuring higher quality devices and minimizing compatibility issues. However if you have not recently gone through a hardware refresh, never fear… Windows 8 runs amazingly well on legacy hardware as well!

Where do I start?

The best way to get to know any operating system is to start using it. Download your free trial today, and if you do not have hardware to dedicate to it, there are several ways you can try it out without having to go out and spend the money – there are a number of articles on the best ways to do that, and we recommend you try out one of them on your existing laptop today.

Of course, if you are a real enthusiast, then you may want to head down to the nearest retail outlet (such as the Microsoft Store) and purchase a new Designed for Windows 8 device on October 26th, and if you are like me, you will want to get a touch-enabled device!

Windows Server IT Camps: Server 2012!

Although our events are usually quite well attended, few have ever been as well received as the IT Camps that we’ve been holding across the country since last January. To date we’ve held Windows Server 2008 R2 SP1 Virtualization Camps, Windows Server 2012 Install Camps, Private Cloud Camps with Windows Server 2008 R2 SP1 and System Center 2012, and we’re currently making our way to a city near you with Windows Server 2012 IT Camps.

An IT Camp is a fun and collaborative event where you will get hands-on experience with the tools and products while completing a series of team challenges. Our Windows Server 2012 Camps are complimentary, full day sessions where we cover the basics of Windows Server 2012, Hyper-V 3.0, virtual machine migrations and then dive in to scalability, capacity, storage and high availability. We go through an overview of System Centre 2012 and look at Virtual Machine Manager. We take our lab environment through its paces as we enable the Hyper-V role, complete Shared-Nothing Live Migrations, configure Storage Spaces, create a cluster and make one of our virtual machines highly available on a private cloud. It’s quite a jam-packed day and you certainly can’t beat the price!

Find out more about Windows Server 2012 IT Camps.

Can’t join us in person? Don’t despair — there are plenty of online resources to help you out. Here are a few of my favourites:

- Download an evaluation copy of Windows Server 2012 for your own lab
- Download the PowerPoint deck for the Windows Server 2012 IT camps
- Get free, online, modular training with Microsoft Virtual Academy
- Download and read the free eBook, Introducing Windows Server 2012
- Try the Windows Server 2012 and System Center 2012 Online Virtual Labs
- Study for your Private Cloud Certification
- Read the IT Pro Connection blog

The Shoemaker is No Longer Barefoot!

This post was originally written for the Canadian IT Pro Connection blog, and can be seen there at http://blogs.technet.com/b/canitpro/archive/2012/09/13/the-shoemaker-is-no-longer-barefoot.aspx.

For years I have been espousing the need to and value of locking down client workstations in a corporate environment.  Part of the SWMI Story – the secure, well-managed IT infrastructure for which I named my company – is that every user in the organization should have the rights and permissions to do their job… and nothing more.

Most corporate users are issued a computer that they use in the office (and at home or on the road) that is domain-joined, and because of all of the security threats out there the SWMI Story is very clear that it should be locked down.  If they want a computer to surf websites that are not business-related, play games, watch movies or anything else then they should invest in a home computer (or laptop).  I know that it is not fun to travel with multiple laptops (I know this better than most!) but the bottom line is that unsecure client workstations are a stepping stone on the path to compromised server infrastructures… and that is bad news for everyone but the hackers.

One of the reasons that client machines have to be locked down is because most people do not think about IT security during the course of regular computer use.  Because I am always thinking about security, coupled with the fact that if something goes wrong I am pretty good at fixing it, I have been quite lax with my own laptops over the years.  After all, I own them and the servers; I built and maintain the infrastructure, and of course I am in charge of IT security.  So for the last few years, as I have been advocating otherwise, I have been logging on as the Domain Administrator on every laptop I have carried.

Last week I joined Microsoft Canada’s DPE Team as a Virtual Technical Evangelist.  Although it wasn’t actually a requirement, there were real advantages to reimaging my primary laptop (an HP EliteBook 2740p) with the Microsoft corporate image.  I was all happy once it was done… until I went to perform a simple operation and got a UAC window asking me for administrative credentials.  I entered my corporate credentials… and had a sinking feeling in my stomach when it came back with a DENIED message.

Fortunately the internal image allows you to install Windows with a local Administrator account; I was able to add my corporate account to the Local Administrators group so I don’t have to keep going into that account to make changes.

For the first time in many years I am not an exception to the rule… and rather than trying to find a way around it, I accept that while I need to be a local administrator, there is no way that anyone is going to make me a domain admin.  However this means that I am exactly in line with the statement I made in the opening paragraph… I have the permissions to do my job, and nothing else.  In order to do my job I need to be a local administrator… and nothing more!