Posts by Paul S. Gazo

In reality, there's almost no such thing as software that requires admin rights.

Oh, sure, there's hunk-of-crap software that puts some critical .INI file in c:\windows\system32 and there's plenty of trashware that expects to write to c:\progra~1\trashware because that's where it put its database. There's also more than enough badly-written code that wants to modify registry keys it put in HKLM when it should've been HKCU. Granted.

Spend a half-hour with something like Process Monitor and identify those oddball dependencies and grant the user(s) perms on those specific files and/or keys.

But wait... how about those pesky programs that just fire up a UAC prompt when you run them Just Because? Almost all of those you can make an application shim for that turns on the RunAsInvoker compatibility flag. Just because the horrible developer turned on the "you need admin rights" checkmark when compiling their code doesn't mean it's actually required. It very, very rarely is.

Learn these two things and earn your pay as an IT professional. In nearly three decades of doing corporate IT as an MSP before MSP was a thing, I've encountered maybe one program that couldn't be handled by scoped permissions.

It CAN'T be harder on Linux.

Re: How do I opt users out of this "upgrade" ?

Nice anecdote. I've got one too.

All of the businesses I consult for run MS-something. From insurance brokerages to tool & mold shops to non-profits that teach... they've all got something that requires Windows. Sure, some of what they do has FOSS equivalents. But with my customer base there's always that one thing that interfaces with a milling machine, or tracks donations, or does EDI to the national secure network for their industry.

Can some industries do without Windows? Absolutely. Content-production being a huge category of them. Advertising firms, video production firms, billboard designers, music studios, newspapers. Sure. But the other guys? The smaller but more numerous guys? No. Because the software the auto-makers provide body-shop repair companies to look up panel parts and paint codes and industry-standard billing estimates... Windows first.

Understand... I absolutely do not guide my customers' purchases. I don't push Windows. They tell me what milling machine they just ordered from Germany and what the installer wants for a controller PC. They tell me what heating & cooling system they bought for their new gallery and what the manufacturer's software requires. They tell me what cargo truck scheduling and routing software their customers demand them to use. They tell me what the performance tracking software for the treadmills they bought for their gym uses for their patrons. Windows, Windows, and more Windows.

Sorry, but in the small & medium business segment there are plenty of markets that are mandatory Windows ones. The folks suggesting "just install Linux and LibreOffice" are missing the point that it's all the other stuff that integrates with Office that invalidates that idea.

Re: meh

The command you're looking for is TASKKILL, which is absolutely included with Windows.

I'm afraid not. Microsoft keeps putting crap in there, so you can't get it.

Have Apple users e-mailing your Windows users HEIC files? No worries, Windows 10 has a filter for that... only it's distributed via the Microsoft Store.

Want to deploy Windows PCs en-mass via new Azure inTune deployment? No worries. Windows 10 has an app (Windows Configuration Designer) to make a glorified XML file for you... only it's distributed via the Microsoft Store.

Calculator stopped working? No worries. Windows 10 will let you just download it from the Microsoft Store.

That's acceptable, I guess. When it works. But I seem to find about one in ten computers just don't work right. One of my two work computers just doesn't have Microsoft Store visible at all. No worries. There are PowerShell commands that will reinstall modern apps. Lots of them. Take your pick. I got bored before I found one that worked on my particular machine.

Remember when you could just download an EXE and it just worked? Yeah, Microsoft's not interested in that reliability anymore. The freaking Start Menu is a modern app that can be broken now, as opposed to just a few library functions Explorer.exe can call on demand.

So yeah, the MS Store still exists. Wish it didn't.

Re: Yet another Windows 10 annoyance

"it does what _I_ want. And I could type in 'cmd' and rapidly create a desktop icon for it, or run it from the start (what used to be) menu EASILY. So what do you type in for 'power-hell' now?"

Relax. Per the article, you type in "CMD". I know, I know, change is bad, but you'll get used to it.

"It's just like MICROSHAFT to JAM A CHANGE FOR THE SAKE OF CHANGE into our orifices, just because they *FEEL*."

I doubt this has anything to do with *FEELING* anything. I expect it's that PowerShell has a (massive) superset of capability. I too have been lazy and spent most of my time in CMD (well, actually, like so many others here I've been using TCC), but this isn't for change's sake. Changing Outlook's icon from orange to blue was change for change's sake. Changing the default shell from a less capable one to a more capable one is a net increase in capability. Which strikes me as a pretty good justification for the change.

"The reason they're jamming POWER-HELL up our collective backsides is because it SUPPORTS ALL OF THAT '.NUT' CRAP. They've got ".NUT" on the brain, and it's made them ".NUTTY"."

You know, when you start playing derogatory word-games, it undermines the impact of your argument, right? Throw some "Micros$oft" and "Windoze" into the mix and maybe your point will be conveyed better, right?

PowerShell and .NET don't have a direct relationship. .NET is a runtime that various programs can rely on. PowerShell is a command interpreter which was designed to be able to call far, far more APIs than CMD can. It's about having syntax to create, start, stop, or live-migrate a Hyper-V virtual machine. It's about having syntax to administer Exchange mailboxes. It's about having syntax to manipulate ActiveDirectory data, or Storage Spaces disk volumes, or system devices. It's pretty much got nothing to do with .NET

So... relax. As far as changes go, this is actually a good one. This, coming from someone whose shell of choice hasn't been PowerShell. Maybe now I'll get off my lazy butt and learn more of it, and be a better IT guy because of it.

Actually, that brings up an excellent point.

"In fact the LHC is more likely to blow up the earth before somebody finds proof that God exists."

I'd think that if God exists, He's massively more likely to blow up the Earth on a whim than is a hypothetical particle reacting in a way that doesn't fit any non-discredited theories. Thus, God is the clear and present danger and we should perhaps divert more of our funds from less-urgent tasks such as killing ourselves, towards the location and neutralization of God.

Perhaps investing more strenuously in particle physics might be a reasonable start.

Friend, BE2012 isn't usable for anyone INSIDE Enterprise level IT. In fact, the loss of multi-server selection-lists impacts larger companies the most. While there were some really neat improvements in things like DeDupe, the fundamental functionality of the product is seriously degraded.

Good news: Symantec has a Beta out for the next release of BE.

Bad news: the beta is a refresh to include Server 2012 and Exchange 2013. It explicitly won't return Job Monitor or multi-server selection lists. For that... we continue to wait.

This, after the debacle that was SEP11's gold release. SEP is pretty decent now, but after the elegance of SAV, the 11.0 release was horrendous.

My advise to Symantec: stop worrying about "solutions" and "channels" and such. Just make your products better than everyone else does and you'll rake in money.

Re: RDP in the open

A few points for you.

You're placing faith that there will never be an exploit discovered in whatever VPN client/server/protocol you've decided to use. That's exactly as reasonable as placing faith in RDP - which is an encrypted protocol - only moving the vulnerability to some other software stack.

Second, RDP has been available since Windows Server 2000, released February 2000. Twelve years for this vulnerability to be discovered. Yes, it's been there the whole time, but again... there could be an undiscovered issue that's been lurking in whatever VPN solution you've been advocating for the last decade.

Third, RDP is used for Terminal Servers which have the most utility when exposed to the Internet for access. Doing so is no more unreasonable than exposing a web server or mail server. Yes, a Terminal Server will generally have access to internal resources and yes there are ways to have public-facing web servers in a DMZ but ultimately we're still talking about software that is most useful if not behind a VPN.

Am I supposed to keep my IIS sites with Outlook Web Access behind a VPN? That'll be great... all my users with phones relying on that site for ActiveSync just... can't get e-mail. Anyone who wants to check their e-mail via OWA at a kiosk in a hotel just... can't because they can't install the VPN client I force them to use.

There's a difference between best-practices and practical-for-this-application.

Finally let's not forget the Small & Medium Business market. There's a whole whack of real-life reasons in that market that make it impractical sometimes to add layers of complexity. Sometimes Good Enough is the difference between losing a client and keeping one. And I point out again... twelve years we've had no meaningful discoveries in this technology.

As for internal LANs, there's another great point. Someone brings an infected laptop into the network where we DO have exposed RDP for maintenance purposes and wham... the entire building starts executing arbitrary code. Including the domain controllers. Yay.

So hopefully you understand that there are reasons to expose protocols other than SSH to the Internet from time to time, and that regardless... everyone* needs to patch NOW.

*Everyone = those who have RDP enabled.

You named the group incorrectly.

They're not the moral majority. Amongst the developed world, they're the hypocritical majority and the moral minority. Most people like porn. Most people like sex. Most people just aren't willing to publicly admit it for fear of being ostracized as perverts.

Behind closed doors when nobody's looking, the guys proposing strict anti-porn regulation are busy taking a strap-on up the arse from a dominatrix in leather.

Don't be fooled. It's just about appearances. It's trendy to seem prudish, at least amongst the U.S.

Paris because at least she wasn't afraid of doing something that felt good.