Monday 29 November 2010

Access denied to OWA for new user

The takeaway: Uncheck "user must change password on first login" to access Outlook Web Access.

A customer of ours had a very typical request. They would need "a user called info" to handle mails to info-at-their-domain. They would also be hiring an external person to handle the surge of Info activity they were planning for, using Outlook Web Access. Their infrastructure is Microsoft Small Business Server 2008 with the bundled Exchange 2007.

Step one in any such project-let is not to mistake customers' wants from customers' needs. What they needed was an info mailbox which given users on the inside could read from their own accounts, and a separate account for the external person, who'd have no mailbox of her own but would be allowed to access that same info box.

First things second, create the user. Usually externals would go to a separate Organizational Unit in Active Directory, but since this is a Small Business Server, things just tend to work better (or at all) if mucked about the wrong way. Thus, no extra OU. Just create a user x-username (to at least visually mark that the user is an external) and then peel off extra rights like interactive login or access to shared files.

To create a shared mailbox, you need to use the PowerShell Exchange management console. This process is described elsewhere and i need to google it each time too. The same document will tell you the next two steps needed to allow x-username to read mail from the box and to send mail in the name of the box. I tried doing this using groups, but at least one of the steps failed. It wasn't very clear either which of the options are for the user and which for the mailbox, but in the end i got it to work. Or so i thought.

I sent the external user her credentials and URL to access the shared mailbox directly (which was news to me - will take you there). And soon got a reply that there was a problem.

A few back-and-forths later and it turned out that she was unable to log in to OWA. I reset her password, but the problems prevailed.

After some debugging, i tried to uncheck the option in Active Directory Users and Computers where it says that the user must change her password upon first login. This is on by default, and it is a good default. Hey, presto! The account was good, i could log on with the external's credentials and was taken directly to the info mailbox.
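The same provisioning from the Exchange Management Shell, as an added example that is not part of the original post. It creates the shared mailbox, grants the external account Full Access and Send As (the two steps the post does through the management console), and then checks the Active Directory flag that produced the OWA "access denied": ADUC's "User must change password at next logon" is stored as pwdLastSet = 0. The domain example.local, the user x-jane, the mailbox database name and the user's DN are assumptions for the example.

```powershell
# Added example, not the original post's code. Runs in the Exchange 2007
# Management Shell on the SBS 2008 box. Names below are assumed:
# domain example.local, external user x-jane, shared mailbox "info".

# 1. The shared mailbox nobody logs on to directly (-Shared creates a disabled
#    AD account behind it).
New-Mailbox -Name "Info" -Alias "info" -Shared `
    -UserPrincipalName "info@example.local" `
    -Database "Mailbox Database"            # assumed database name

# 2. Let the external account read the box and send mail in its name.
Add-MailboxPermission -Identity "info" -User "x-jane" -AccessRights FullAccess
Add-ADPermission      -Identity "Info" -User "x-jane" -ExtendedRights "Send As"

# 3. The flag behind the OWA failure. pwdLastSet = 0 is exactly the ticked
#    "User must change password at next logon" box in ADUC; OWA 2007 cannot
#    satisfy it, so check it before handing the URL to the external.
function Test-MustChangePassword {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User $SamAccountName not found" }
    # pwdLastSet is a large integer (FILETIME); 0 means "must change".
    return ([int64]$result.Properties["pwdlastset"][0] -eq 0)
}

if (Test-MustChangePassword -SamAccountName "x-jane") {
    # Same effect as unticking the box: -1 sets pwdLastSet to "now".
    # Note that resetting the password in ADUC re-ticks the box by default.
    $user = [ADSI]"LDAP://CN=x-jane,OU=Users,DC=example,DC=local"   # assumed DN
    $user.Put("pwdLastSet", -1)
    $user.SetInfo()
    "Cleared must-change-password flag for x-jane; OWA logon should now work."
}
```

The check is worth keeping in any provisioning script for OWA-only accounts: the flag is the correct default for people who log on to a Windows session, and it is precisely the accounts that never will (externals, kiosk and shared-mailbox readers) that trip over it.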

What failage. OWA could allow the user to change the initial password. Or could inform that the password needs to be changed first on a proper Windows session. But not like this.

Well, at least i have the user on line now, doing her work, and myself another blog posting.

Posterous mail interface sanity check

Test. This posting should not appear at

Tuesday 23 November 2010

Hip to be square

After hearing Foursquare's co-founder [0] Dennis Crowley enthuse about his co-creation (on speed) in a podcast episode, i decided to join.

Since first hearing of Foursquare a year back, i've wondered about two things:

a) isn't this awfully bad for privacy, and

2) what's the point.

I'm still not a 100% convinced about the privacy bit (or lack thereof) but i think i've got a vague shade-of-grok about what the idea is. On a hi-fly note, Foursquare bridges places in the physical world with the 'net. On more concrete terms, it is a way for people to exchange tips about places. And on the silly side, it makes being somewhere a game. Not being much of a gamer, i appreciate the exchanging-of-tips bit most. It's kind of a like a less fleeting Twitter of places.

My initial use case was cafés and lunch spots, so i did my first check-in at Café Regatta and my second from the only lunch joint i could fit into, Yes for food. The former is everything the second one is not. But hey, a guy's gotta eat. Only i'll do so somewhere else next time (and i'll order something else than the Auraleike with fries next time there is nowhere else to go). Both places got my tips. Then i tap (past tense for "tip") the coffee shop Caffi, the candy outlet close to a customer and even the electronics megastore where i actually got some good service!

The nice thing about tips is that you can read tips that are relevant to "this vicinity". You don't have to be in a restaurant, museum or market to read about it; rather you can ask "what interesting tips are there to this 'hood". And you can put that on your to-do (or to-done) list.

Now i just wished that mobile data were affordable when abroad, because this thing would be really nifty Somewhere Else. 


[0] if i ever am to co-create some 2.0 craze, i want to be co-flounder. In fact, i shall call it Flounder while thinking of what it might be. Or Floundr.



Tuesday 12 October 2010

More power to the right-click

Well, ain't that something. In Windows Explorer, hold down the Shift key and right-click a folder. The context menu now gets a few extra options: Open Command Window Here and Copy As Path.

The first one does what one of my favourite XP Power Toys did, which is to open a command prompt at that location. This will probably go joyfully astray if you try opening the command prompt on a network folder (Powershell can do that for you).

The second one is something Really Useful. When i want to send a mail to a colleague about a file on the server, i can copy the full UNC path name to said file. The previous alternative would have been to surf to the containing folder, copy the file name from the address bar, then select the file, press F2 to enter Rename File mode, select ^All of the file name (Windows 7 and Server 2008 will select all but the file extension, which usually is a Good Thing), ^Copy the file name, and paste that into the mail i was sending.

This is what is known as Good Laziness.

Thanks to Petri.

Monday 11 October 2010

The do's and dohs of File and Settings Transfer Wizard

Your job: Install a new computer for a client and transfer all the documents. The old box is a Windows XP, the new one runs Windows 7.

The tool: Windows File and Settings Transfer Wizard.

The caveats: Many.

It's a well known story. Your client has a new computer to install. She's used the old one for quite a while and it's full of documents (in weird places), although you've suggested storing them on the server, "just in case". But old habits die hard.

Thankfully, Microsoft has a pretty good tool for this case, namely the Files and Settings Transfer Wizard. This baby does most of what you'd expect it to, and it's been bundled with Windows since the XP times.

Step one: get an external hard disk or a fairly large USB flash fob (thumb drive, "minnepinne"). While you could do this over the net, it's probably faster over the USB. Nothing will be deleted from the external device so don't worry about that bit. 

Step two: Start the process from the new computer. Plug in the external memory device and fire up the F&STW. While the old one probably has the equivalent software installed, the file format has most likely changed between your brand spanking Win7 and the old XP box. This was learned The Traditional Way.

You do not need to be logged in as the user whose data is to be transferred but you will need admin rights on both the source and the target box.

Now tell the Wiz that you are on your new computer and that you haven't done the transferring bit just yet. FSTW will create an installer on the external disk, after which it'll close (given a button-push or two). 

Step three: Eject the external disk and plug it into the old computer. Run the installer created above. Start it and press the appropriate Next buttons. The transfer will commence. Have tea, this'll take a while.

Step four: Again, eject the external hard disk, plug it into the new computer. Navigate to where you created the transfer files (which probably is where you left the installer a few steps back) and open up the .MIG file there. This will awaken the FSTW anew, to let you drop the files and settings on the target computer.

Let it churn. Have more tea.

Step five: Check through the transfer logs. Save the log for transferred files. Resist the urge to check through the list of applications missing, and even more so, resist the urge to install the missing programs on the target machine. This, too, was learned The Traditional Way.

Reboot the target computer. This will not be evident until you continue stepping through the logs. This, also, was learned The Traditional Way.

Step six: Surprise surprise, FSTW has not transferred the Outlook .PST Data Files from the source computer. Eject the external disk from the new computer, plug it into the old. Open the Control Panel from the old computer, open the Mail applet, check which Data Files are in use, click each one and the button to show the actual folder in which the .pst file is in. Outlook must not be running while doing this. Exit it, completely. Old Outlooks will leave a thread hanging to check for new mail.

Manually copy the .pst files to the external medium. Eject disk. Plug it into new computer. Create a directory c:\Users\%username%\Outlook and manually copy the .pst files from the external disk into it.

Only now, start Outlook on the new computer.

At this stage, i have no idea if Outlook will have its settings transferred or incorporate the .pst files on the previous computer, as this too was learned The Traditional Way (or more so, Obscured in The Traditional Way) so you're on your own here. The only thing to add is that you can use the Mail applet from the Control Panel to add the .pst files to the new account if they aren't there from before.
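Step six scripted, as an added example that is not part of the original post. Run on the old computer it hunts down every .pst under the profile (they live in odd places, as the post says) and copies it to the external disk; run with -Restore on the new computer it drops them into the Outlook folder the post creates. It refuses to run while Outlook is still around, since an old Outlook leaves a thread holding the files. The staging folder E:\pst-transfer is an assumed drive letter and path, and the old XP box needs PowerShell installed for this to work at all.

```powershell
# Added example, not the original post's code. Stage 1 on the OLD computer:
#   .\Move-Pst.ps1
# Stage 2 on the NEW computer, same external disk plugged in:
#   .\Move-Pst.ps1 -Restore
param(
    [string]$Stage = "E:\pst-transfer",   # assumed folder on the external disk
    [switch]$Restore
)

# Outlook must be completely gone first; the post's "old Outlooks leave a
# thread hanging" is what keeps the .pst files locked.
if (Get-Process -Name outlook -ErrorAction SilentlyContinue) {
    throw "Outlook is still running; exit it completely before copying .pst files"
}

if (-not $Restore) {
    # Old computer: collect the data files. $env:USERPROFILE works on XP
    # (Documents and Settings) and on 7 (Users) alike.
    New-Item -ItemType Directory -Path $Stage -Force | Out-Null
    $found = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter *.pst `
                 -ErrorAction SilentlyContinue
    if (-not $found) { throw "No .pst files found under $env:USERPROFILE" }
    foreach ($pst in $found) {
        Copy-Item -Path $pst.FullName -Destination $Stage
        # Keep a list of what left the old box; compare it against the new one.
        "{0,12:N0} KB  {1}" -f ($pst.Length / 1KB), $pst.FullName
    }
} else {
    # New computer: the folder the post has you create by hand.
    $target = Join-Path $env:USERPROFILE "Outlook"
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path (Join-Path $Stage "*.pst") -Destination $target
    # Sizes must match the list printed on the old computer before Outlook
    # is started; a truncated .pst is worse than a missing one.
    Get-ChildItem -Path $target -Filter *.pst |
        ForEach-Object { "{0,12:N0} KB  {1}" -f ($_.Length / 1KB), $_.FullName }
}
```

Only after the sizes on both sides agree do you start Outlook on the new computer, and then attach the files through the Control Panel Mail applet if they are not picked up on their own.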

Apart from that, Good Luck. You're a sysadmin, and you need it.

Thursday 9 September 2010

Application deployment The Proper Way

After my yesterday's post on application deployment the ghetto way, i realized that i'd written this post on application deployment the proper way on my other blog. This posting has been sitting as a draft for ever and ever amen, mostly because i hadn't checked it out if it really worked. So with that warning in mind - this might (not) work - here's my posting:

One Windows Server feature i've actually never seen deployed in the wild is programs installable over the network. Seeing how painless it is to publish software on Active Directory, and how useful this thing can be, it's quite a surprise.

Here's how to do it.

  • For starters, you'll need an MSI file and a file share on a UNC path (\\server\share). Some installation packs come as .exe files, but this is not the solution for them. See my Ghetto file deployment posting for that. Some exe installers however have the option to emit msi packages. Check your friendly documentation.
  • Start the Group Policy Management from Start –> Administrative tools (or press the Windows key and type policy if you're lazy)
  • Create and link a new GPO under a relevant OU folder. This is going to be one for Users, so you might as well put it under an OU that handles users instead of putting it too high up in the tree.
  • Call your GPO Published Software and leave the Source Starter GPO to (none).
  • The Group Policy Management Editor pops up. Navigate to User Configuration –> Policies –> Software Settings –> Software Installation.
  • Right-click and go New –> Package. This will pop up a File Open dialog. Find and choose the installable MSI file using the UNC path.
  • Choose Deployment method: Published.
  • Click OK.

Distributing (“pushing”) software is just as easy. There are two ways. You can either assign software to a user or to a computer. If you assign it to a user, the software will be installed when the user logs in and it’ll be available to that user only. If you assign it to a computer, the software will be installed when the computer boots on a network and will be available to all users.

To assign (push) software to users, just change the Deployment Method above to Assigned. To assign software to a computer (and all its users), do as above but edit Computer Configuration –> Policies –> Software installation instead of User Configuration –> etc. Also, you should link to that policy from an OU that is relevant to Computers.

One particularly useful use case comes to mind. On most typical networks, you'll want to have Adobe Flash and Reader installed. But especially Adobe Reader has been so shot full of security holes lately that you really don't want anybody on your network to be sitting around with an old Reader. And here's the twist. Application deployment this way also supports updates. If your software becomes updated, you can tell the deploying thing that this here is an update of the already installed software. Then you can force-feed the update to your users et voilà, you have just blasted out a Reader with new bugs to replace the one with old ones :). To emphasise, this paragraph sits firmly in the This Might (not) Work section. Oh, and Reader requires a boatload of switches to actually deploy silently. But the idea is there to catch.

Finally, be a little careful when assigning software. If you go on an assigning spree, you might end up with workstation software like on the servers. Having Office or F-Secure Client Security on a server will just make things go weird.

More info in the Microsoft KB.

Heck, i should have named my blog This Might (not) Work.

Wednesday 8 September 2010

Ghetto application deployment with Zap files

I discovered a painfully simple (and only slightly inelegant) way of deploying software in a Windows Active Directory environment, namely Zap files. While you'd usually want to deploy an .msi file, you use Zap files when you want to deploy an .exe file.

Big fat caveat -- The installation will run on the user's rights, so s/he must have software installation privileges on the computer s/he's running, or the installer must have admin credentials baked in somehow. On a secure network, you don't let your users install stuff on their computers.

And with that said, here's how to do it. Windows Server 2008 recommended.

1. Create a file share if you don't already have one. Use Share and Storage Management from Administrative tools or Server management to do it The Right Way [0]. To be Really Swanky, use DFS to publish the share on a domain scope instead of on server scope. In this example, i'll be more ghetto and shall call the share \\fileserver\Install and i shall call the fictional package to install agent.exe

2. Put your agent.exe file somewhere within the share created above; for the sake of this example, in \\fileserver\Install\agent.exe

3. Create a text file agent.zap (you can create it as agent.txt and rename it to dot-zap later) and place it in another share, or the same if you don't believe in security by obscurity, or don't have a compulsive manner in keeping things in neat little boxes. Here's what you'll put in the agent.zap file

[Application]
FriendlyName = "The Agent"
SetupCommand = "\\Fileserver\Install\agent.exe /any /switches"

Wikipedia tells me there are loads of other commands, but this will do for the Ghetto Installation we're doing now. Anyway, the [Application] row must be written like that, verbatim. The next row is what's going to be shown to the users when they want to install the file. And the SetupCommand shall point to the UNC path where the installer resides. Any command switches can be put after the executable name within.

4. Open Group Policy editor. Browse to your users' folder (or where-ever you want to apply the deployment). As i'm on Small Business Server, that would be around ...\My Business\Users. YMMV. Right-click to Create a GPO in this domain and link it here. Call it Published Software (since eventually you'll put more published software here).

5. Under User Configuration / Policies / Software Settings / Software Installation, right-click New / Package. Navigate to where your .zap file is, make sure the file type selector is .ZAP (and learn that .zap stands for ZAW down-level Application Package) and select it. Click OK. Select Published to force the installer down your users' throats (generally a bad call) or Advanced to modify the settings and, under the Advanced tab on the next dialog box, unselect Auto-install this application so as not to force-feed the app.

6. Showtime. Log on as a user on a workstation. Open Control Panel. If you're on Win7, find the option "Get Software". If you're on an earlier incarnation of the ubiquitous desktop operating environment, go Add/Remove Programs or the like and choose Install published software. You should now see The Agent listed there! Yay presto!

And that's about the size of it on a space like this. Experiment and write about your experiences in the comments below!

[0] Also known as The One Microsoft Way :)

Monday 23 August 2010

Victory by damage control

Yesterday, i had an abysmal user experience trying to get a book on usability in front of me. Since the write-up really was of most interest to the book store and the author of the book, i also informed them of what i'd gone through. In retrospect, i should also have included Adobe in the loop.

It didn't take long before i had a reply from Books-a-million's customer service saying they're sorry and they'd notified the ebook department and that i should be hearing from them soon.

[Update] The response was that yeah, they know these problems and they've written about them, and how to work around them, in their FAQ. What about just fixing the problem? And since much of the problems stem from Adobe's Digital Editions software, why not just scrap it and sell the book as an unprotected PDF and ePub bundle? It's not like the customer automatically is a thief that you need to protect yourself from. [/Update]

The real honker was receiving a message from Mica Endsley himself (yup!), saying that they will take it up with the book store and that he would make sure i'd be getting a copy of the second edition, out this spring. Kudos to you, sir! While i'm still stuck with a fairly scruffy looking ebook, i feel that everything wrong is right again.


Sunday 22 August 2010

Abysmal eBook UX fail

I bought an eBook today. It didn't go well. 

Ever since hearing a presentation mentioning a usability field i hadn't thought about, Situation Awareness, i've thunk about purchasing the book cited in the presentation: Designing for Situation Awareness by SA guru Mica Endsley. Turns out it is out of print, waiting for the second edition, and available at anything between US$50 + transport and the sky. The book is, however, available as an electronic book for the fairly decent price of seventeen bucks.

The page said it was a PDF, so technically i would be able to download the contents of the book and have it printed locally. Fair deal.

So i purchased my copy. The system said thanks, but was i sent a PDF? No. To access the book, i had to check my account in the bookstore and access the download link. While i appreciate the possibility to download a fresh copy in case i destroy mine, i would have liked to get something for my money. But OK, i got something, it was just hidden behind the bend.

I click the link, but is it for a PDF? No. The file is called URLLink.acsm and even Windows' file type "ask the web" magic wouldn't figure it out.

Turns out i need Adobe's ebook reader, Digital Editions. So i go to the download page. But do i find a download link there? No. But a flash application which warns me that downloading and installing stuff from the Internet can be bad for you. Still, i'm out to get myself the software so i ignore Adobe's warnings about its own software and press the OK-GO button. Twice.


But does that install the software? No. It downloads the installer. OK, fair enough. Let's have the installer. Launch it. Accept another responsibility so that Windows won't take the blame for irresponsible software installations. A Nullsoft based installer launches.

But does the installer install the software? No. It croaks it can't find some resource, don't know which, and the only way out is the Cancel button. After which Windows installer says that "This program might not have installed correctly" and offers to Reinstall using recommended settings. Which does not help.

So i head for the command line to have a look at the mysterious .acsm file. Turns out it is an XML file with metadata about the ebook. And indeed there is a <src> tag in the file which points to a PDF file. Victory!

I open up Adobe reader and ask it to open the URL. Since the URL contains a fairly long GUID, it spans two lines, so i need to paste it into the File/Open dialog box in two rounds. After carefully checking out that i pasted the right URL, i click OK and Adobe Reader freezes.

I download GNU Wget to get the file locally; just the binary. It won't run on my box. I guess it wasn't compiled for Win7/x64 or i should take the full installer instead (18 megs of installer for a 187 kB utility?!).

So i ssh to a Linux box that does have wget, paste the URL again and download the file. Phew. I actually have the file even if it isn't on my computer. The file name includes the {fairly-long-GUID-string} so i rename it to Endsley.pdf and move it to that computer's ~/public_html and enter the URL from my web browser. 

Almost there.  


But does that get me the book? No. The browser considers the download for an unusually long time and finally greets me with information that i'm missing some security bit somewhere.

Next i tried with two PDF unlocking programs, GuaPDF and Parallel pdf password recovery, to be able to actually read the file i've paid for. If i were in the States, i'd be violating the DMCA. Over here, i'm violating "Lex Nokia" which forbids me to transform the file from one format to another if i'm not supposed to. The first program told me that the PDF file uses 128 bit encryption so i should look at the latter. The latter is specifically a password crac... circumventing program and wouldn't even work without a password dictionary file. Not that it mattered, the file wasn't password protected. It was view-protected.


[Update - Whose victory?] In the end, i finally got Digital Editions installed. At the bottom of the Digital editions download page, there's a link suggesting that if installation fails, one should go and have a look. From there, there's actually an honest-to-Bob download link to the installer. I managed to fetch the installer. I ran it, as an Administrator. It installed. And instantly demanded to know my Adobe ID. To safeguard my library, i need to bless all the computers i intend to read Adobe-protected PDFs with or i can kiss my ebooks goodbye in case my computer blows up. Supposedly that means Adobe will kindly store a backup of the book on their servers. Or some signature allowing me to open up my own backups after the manure has hit the AC.

So i go and register for an Adobe ID which also fails because i've already got one. It used to be called Adobe Membership when i registered it a year and a half ago which explains why "adobe id" didn't turn up anything in my mailbox. It's not that Adobe told me that immediately either, it just said that the (optional) screen name "was taken" while registering. Would have been better just to check whether my registered email address was in their cold fusion database.

But i did get my Editions registered. And i looked very hard for a File -> Open feature to open my ebook. If you click on the menu button which really looks like a text label Library, a menu literally drops down with the option "Add Item to Library    Ctrl+O". So i do. 

But does that open my ebook? No.

There's an IO Error #2038 on local file open. Whatever that means.

I go back to the .acsm file that started it all. I click it. Nothing happens.

It is so hard to win.

[another update] Finally, after closing everything and clicking on the .acsm link, take a turn for the better. I do indeed get another error message, but after that, Digital Editions begin downloading the document. I still get error messages about some manifest XML and another Error that it cannot create a backup file (informs the dialog box, rounding it with an OK button. I ask what is it that is OK with the situation). Yet lo and behold i can in fact read the book! Only took me this many hours, this many fails and this many attempts.

What utter failage. I suppose i could count the fails here but it wouldn't make me any happier.

As long as the user experience for acquiring and reading a book is so abysmally miserable i just can't imagine paperless books ever taking over the world. I just hope the Kindle guys are doing this any better.

I should add that i bought another book from No Starch Press a few months back. It was also in PDF. And it opened without a hitch. And i even have a hardcopy version i had printed myself. I asked the guys at Nostarch first whether that was kosher and they said of course it was. I wholeheartedly recommend both No Starch and the book. I bought a "pure pdf" ebook on Cisco ASA configuration another while back. It opened and it printed and the author Harris Andrea even emailed me a month ago that he had an updated edition which i could download for free. So you can do this right. Or you can fail.


So down with formats that don't work. Down with copy protection that don't allow me to even read my book. And special reader software needed to read the file, software that doesn't even install. Come ePub and save the world. Come anyone and save us from this fail.


Wednesday 18 August 2010

Envisioning project management with Outlook

A tool i spend a lot of time with at work is Microsoft Outlook, as i guess it is with many of you as well. Often, i get mails that translate to initiating tasks. For that, Outlook can be used to create a Task, based on that mail, or set a follow-up flag on the mail, denoting that it's something to do. The vital difference here is that the flagged mail is the task, whereas a Task created from a mail is a copy of that mail. Finishing the Task will not have any input on the mail that was the source of the Task (before you get all weirded up, a Task is the Outlook-specific representation/implementation of a task, a Contact is a contact entity in Outlook. And so on).

Often, however, a single mail does not constitute the full communication and involvement of a task. The GTD school of thought calls any task with more than one action a project, which is fine by me. A project will usually include a minimum of two persons -- the requestor and i -- but more often have other stakeholders included. These stakeholders can be represented as Contacts in Outlook.

What i would really appreciate is to quickly and painlessly whip up a Project, which, if created from a mail, is tightly bound to the mail that the Project came from. A Project can have many tasks (or Tasks, if you will) and many Contacts. All communication, mail mostly, but could be IM as well, would be part of that Project.

I'm sure this could be done with existing tools -- OneNote or Groove perhaps -- but i don't know how. Do you? How do you manage your projects.. eh, Projects?

Monday 16 August 2010

Group policy preferences discovered

How do you map a network drive using Group Policy? You use Group Policy Preferences. No script required.

I got a pretty typical request from a client today. He'd hired a new employee, for whom i'd installed a computer a few days ago. One thing i hadn't done was to map to a network drive. Typical task, typical setting. I don't know why she (the new hire) didn't have the drive mapped but i promised him (my client) i'd fix it tonight. Which i did.

There are two ways to map a network drive:

  1. the Stupid way, which is to log in on a computer as the user and map the network drive and set it to re-map between sessions (/persistent:yes)
  2. the Ordinary way, which is to have a logon script run from the logon server, mandated by group policy.

There is also a New way offered on Windows Server 2008: Group Policy Preferences. Unlike Group Policy Settings, preferences are something that are suggested rather than mandated to the user, who may change the suggested preferences if so wanted. Another thing is that there are a bunch more preferences available than i'd found in GP Settings, and the one i was looking for was indeed the preference for drive maps.

For magic to happen, open the Group policy manager and create a new Group policy object (GPO) where the users you want to target are. Call it Drive mappings. Go to User configuration -> Preferences -> Windows settings -> Drive maps. Right-click it and New -> Mapped drive. Set Action as Update (or Replace; see help file for info), fill in the UNC path (ie. \\server\sharename), give it a nifty Label and a Drive letter. And you're there. Repeat for other drive letters as necessary, creating other GPOs for other groups who have their own network drives. There's even variable substitution so you could probably map a drive for a group or a site or something equally local.

Given all this, drive letters are hopelessly outdated; it's just the fact that people are so used to them that it'll take a while for them to die out. And the same goes for home directories on the net. The Correct Way would be to have the venerable [My] Documents folder silently residing on the server and replicated for offline use (hint: use Folder Redirection), and any shared or common folders under the Libraries meta-folder-thingy on the new and improved Windows 7 file explorer.

But that's for another time, when i've updated all their workstations to Windows 7.

Wednesday 28 July 2010

Not my network

I know there's a balance between security and usability and that balance is called Usable Security (or hcisec for the acronym geeks). If done wrong, a product can be usable or secure, if done right, it can be both.

One good way to make a product more secure is to offer the user only secure choices, or at least make the less secure ones hard to choose. A stupid way to execute this guideline is to "dumb down" the product enough so that the user can't go wrong. I found such a lack-of-features today, with Windows 7.

I work as a "sysadmin on wheels", which is to say i travel between customers -- either physically or over the wire -- and take care of their computing infrastructure. I often need to connect my computer to the customers' networks. Windows 7 (and Vista) has realized this with their Network Locations "Work", "Home" and "Public". When Windows connects to a hitherto unknown network, a dialog box pops up, prompting me to set the appropriate Location for that network, with some help text. This is, of course, an improvement from the "one rule set to rule them all" mindset, and a considerable improvement from the old days of XP when Windows came with no firewall at all.

But here i am on a customer network. It is a work network, but it is not my work's network. This means that i need to be able to discover "professional" windows infrastructure services and computers, but it doesn't mean that i trust the network enough that i'd want it to find me. Or put in a more mild scenario, i would not want my customers' network to believe they have an unknown computer on their net. I for one would be freaked out if it did, and in all effect, i am the netadmin of that network, who should get freaked out.

So thus, i am hoping to find an extension to Windows 7's firewall profiles, the Customer location. And it may be that Windows has thought of this already.

Windows has something called "Windows Firewall with Advanced Security" and i know it talks about the Profiles "domain", "private" and "public". According to an article on 4sysops, these do not map 1:1 to the network Locations work, home and public which you can set from the for-mortals interface i mentioned earlier. Whereas the public profile is equivalent to the public location, the private profile maps to both the home and work locations, and the domain profile is "when a domain-joined workstation detects a domain controller". Which is nice. Now the Work location really may mean a work network and Windows will automagically realize whether it's my work network. But shouldn't there be some difference between a customer network and a home network.
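A quick way to see which firewall profile Windows 7 actually applied to the connection you are sitting on, as an added example that is not part of the original post. It asks netsh (the command-line face of "Windows Firewall with Advanced Security") for the current profile and flags the case the post worries about: the Private profile, meaning home-or-work rules, in force on a network that is somebody else's. The line layout parsed here ("<Name> Profile Settings:", "State", "Firewall Policy") is assumed from typical netsh advfirewall output.

```powershell
# Added example, not the original post's code. Parses
#   netsh advfirewall show currentprofile
# into one object per active profile. The header and field names matched
# below are an assumption about netsh's output layout.
function Get-ActiveFirewallProfile {
    $lines = netsh advfirewall show currentprofile
    $profiles = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            # e.g. "Private Profile Settings:" starts a new block
            $current = New-Object PSObject -Property @{
                Profile = $Matches[1]; State = $null; Policy = $null
            }
            $profiles += $current
        } elseif ($current -and $line -match '^State\s+(\S+)') {
            $current.State = $Matches[1]             # ON / OFF
        } elseif ($current -and $line -match '^Firewall Policy\s+(\S+)') {
            $current.Policy = $Matches[1]            # e.g. BlockInbound,AllowOutbound
        }
    }
    return $profiles
}

# On a customer's network the thing to notice is a Private (home/work) or
# Domain profile being active: discovery and inbound rules written for a
# trusted network are then in force on a network that is not yours.
Get-ActiveFirewallProfile | ForEach-Object {
    $note = ""
    if ($_.Profile -ne "Public" -and $_.State -eq "ON") {
        $note = "  <- non-public rules active on this network"
    }
    "{0,-8} state={1,-4} policy={2}{3}" -f $_.Profile, $_.State, $_.Policy, $note
}
```

If the output shows the Private profile on a network you only visit, the fix within what Windows 7 offers is to set that network's Location to Public when the prompt appears, and accept that you lose the convenience of discovering the customer's machines by name.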

I guess i need to think about that.

Now back to work.

Thursday 15 July 2010

Greetings from the big blue room

These last five weeks i've been mostly outside, and while i've been connected to the Internet, i haven't really been connected with it. And i could write more about it but as i'm still on vacation until the end of this week, i won't :)

No, wait, that's not right (except for the vacation bit, that one's true). It's true that i have not checked work email or been connected to the work network more than once, and i haven't spent vacation time tied to a desk. But i have used the 'net and in fact rather frequently. I've checked the weather on the road. I watched a classic sci-fi flick from my TVkaista account in a hotel. I've spat out irrelevancies on Facebook and on Twitter. And i've observed that i've received mail and ignored most of it. I've played music with Spotify for my kids, watched some Manu Chao clips with my son on YouTube...

So yes, i have been connected with the Internet, even though it's been mostly as a consumer. But it's been good to have it around.


Wednesday 16 June 2010

Music for self-pity (Anathema at Tavastia @ Mon 2010-09-27)

This coming autumn, Anathema drops in to play their hearty suicide-prog (or goth-prog?) for us.

More fun than Riverside! More cheerful than Sylvan! More positive than Porcupine Tree! But not by much! F... er, more straight-ahead than Frost*! Latest album produced by Steve Wilson! (with a guest appearance by Ville Valo -- just like Fem Femton!) Whoop-de-doo! Out with the asparagus! Let's get peppy!

Tickets go on sale at Tiketti tomorrow (Thursday). Spread the word.

Friday 4 June 2010

On deep water

When i was little, BP was known as British Petroleum. When i first read about the Gulf of Mexico (<Crisis|Response>, depending on the spin), it was referred to as the Deepwater Horizon oil spill, after the oil rig that sank.
Particularities are generalized and in time, forgotten about. We'll remember Blackwater but forget Xe. We'll remember Watergate (even if we're too young to even know what it all was about) but we'll forget... well, a lot of political scandals that... just didn't get a name. One that stuck.
I'm sure it's just what the spin doctors had in mind.

Monday 24 May 2010

Acceptable use policy

I wrote a generally applicable acceptable use policy for a computer environment for customers or companies that do not have one in place. What do you think of it? What should be added, removed, changed, fixed?

Version 0.1 DRAFT
This work is licensed under a Creative Commons Attribution-ShareAlike 1.0 Finland License.

Written herein is some common sense on how you should be handling your computer and the environment in which it lives. Computers are fairly delicate tools and should be handled accordingly. Think of a lab, or a restaurant kitchen. You need to wash your hands, wear certain clothes and jump certain hoops to be allowed there, otherwise you're thrown out. But while this can seem obvious in environments like kitchens and labs, the corresponding may not hold true when it comes to computers and how to use them.

The most fundamental thing to have in mind is this: you at work is not you off-duty. When you can separate the work-you from the freetime-you, you've come a long way. If you want another parallel, think of your computer as a gun, or a fairly expensive car. Use it accordingly.

Your work computer is a tool for your work. Use it for work, only. Purchase a computer for you to toy with. It's fun and you can do whatever you want with it. So can your spouse and your children, who all should be kept at arm's length from your work computer. Keep it clean. A contaminated computer can cause serious problems with business, which can be very expensive.

Use a hard-to-guess password. If your laptop gets stolen (yeah, it can happen, and not just to somebody else) make sure the bad guy only gets a chunk of fancy metal, not your company's trade secrets or a key to the back door of your office.

Your friendly IT support will worry about the well-being of your work computer. If you destroy it, contaminate it or do something foolish with it on purpose, negligence or stupidity, you will probably be frowned upon (if you wear a suit, you will be frowned upon after you leave), but you and your work computer will be taken care of. Your personal computer is off the IT support's radar and should be treated accordingly. Play with it to your heart's delight but don't call on your job's IT support to have it fixed.

Your work email address is for your work, only. Use a private email address for off-duty communications, when you don't represent your job. And should you change jobs, you'll still have your private email address. Do not forward "funny mails" from your job address within your organization (if you must, forward a link) and especially not out of it. It will make us look stupid and unprofessional.

Related to this, don't register to web sites or similar services with your work email address. Your work persona is not your off-duty persona and we have no intention of making them one. And it's okay to surf porn, just don't do it on your work computer (piracy, on the other hand, is illegal). If you get a disease, at least you're not taking the whole company with you. Which, again, can be very, very expensive.

Your work's laptops, desktop computers, printers, servers (which you rarely see, but they do exist) and other things with blinking lights are connected together in a network. Simply put, what can be used on one computer on the network can be used on another computer, which is why not everybody needs a printer of their own, or an Internet connection. Since the network is a fairly intimate connection between computers, only work computers are allowed to connect to it. If the company's IT department can't carry the responsibility of its well-being, it shouldn't share the network with business critical data and applications. You wouldn't take a dog from the street into that lab or restaurant kitchen, right?

The same goes the other way. While you can VPN into the office, do that only with your work computer, never with an "unblessed" one. You can read your mail using webmail on any computer, though (remember to log off when you're done!).

All computers fail. It's not a question of if, but when. Laptops fail more frequently than servers. Thus, store all the important stuff you have on the server. Your computer may be set up so that your "Documents" folder really resides on the server and a copy of it is invisibly kept on your laptop. In that case, you're safe, as long as you save your documents into the "Documents" folder. If your computer gets driven over or falls from a high building (or a table), arrange things so that you can get a new computer and have normality restored onto it.

That said, store only work documents on the server. Vacation pictures can be wonderful, but their place is not on company resources. Put them on a photo service on the web (Flickr, Picasa web, Photobucket), share and enjoy. Same goes for music files and, heaven forbid, videos. Your friendly IT support can open any file on the network (but won't -- they have ethics, and work to do).

As we share storage space on the server, we also share the Internet connection. If somebody has a gargantuan download running or watches high definition video at work, others at work (who may want to do billable work) will have "a slower Internet".

If you blog or tweet, don't reveal your cards from work unless that is your job. Mentioning your work is okay, mentioning your work's particulars probably isn't. Mentioning your colleagues or your customers in bad light is definitely off the charts. If you feel iffy or unsure, it's probably in the not-okay-zone. The Internet has the memory of a herd of elephants.

And that's about the size of it. The Acceptable Use Policy can really be boiled down to "use common sense" and if you don't have enough of it, ask. "Stupid questions" are always better than ignorant behaviour.

Monday 17 May 2010

I backed the Diaspora project

Project Diaspora* aims to put each node of the social network in the hands of each user and create the infrastructure to tie all these nodes together. You own your node, so you own your data. It's a little geeky since folks tend to favour ease of use (Facebook owns you) to privacy, portability and interop (bring your own server), but i very much appreciate the effort. You owning the data is, i believe, the way it should be. And if you want to, you may host your social presence elsewhere -- like on Facebook -- or just echo them elsewhere -- like onto Facebook -- but it's up to you. You own the content of your social network. You own the connections. It's yours.

The Diaspora* project team consists of four geeks, two almost graduated and two freshmen. They consider doing this as their summer project and had the mighty idea to ask for crowdsourced funding using the Kickstarter service. They asked for ten thousand and with two weeks to go, they've already received nearly two hundred grand in pledges. But even though they already are funded, i chose to back them anyway, for their effort and for their full-ahead enthusiasm. I hope they find good use for my money too.

Thanks to Vesa for pointing out the project to me.

Tuesday 30 March 2010

In the future, all my blog post headers work as tweets and status updates

My previous post just made me realize a fundamental flaw in automatic crossposting (ie., what i write on my blog gets tweeted on Twitter which in turn is echoed on Facebook). A tweet/status update of "Comment ground" makes Absolutely No Sense At All when seen in that context. It might have been another cute wordplay when it was a blog post header but when migrated, all alone, to another platform -- it just looks stupid.

So what to do? Give all my postings tweet-friendly titles or continue confusing people with lyrical/musical/cultural references and not get a discussion? A human-centered approach -- taking YOU into account, before me -- would probably be the right one, but what will i be losing in the process?

Comment ground

I have a system in place where my tweets are echoed as Facebook wall posts. What is a bit surprising to me is that i get a fair amount of comments to Facebook on these used-to-be-tweets, a lot more than i get responses as tweets.

While an analysis of the reasons is way beyond the scope of this article, two things emerge: the phenomenon itself, and the redundancy of data. I think it's great that my words of wyrd echo out to where me mates are, but the fact that the possibly ensuing discussion forks into two unconnected branches sucks. In fact, there is even little evidence that an update on Facebook originates from somewhere else. You may be reading this very posting through Twitter or Facebook but it originates from Posterous.

What i'm missing is the facility to recombine the responses into one comment stream. I don't really care where this happens, as long as there only is one stream.

Tear down the garden walls. Interoperability is playing nice.

Tuesday 23 March 2010

Quick zoom tip in Windows

Here's a tip i've used and forgotten. If you want to zoom the Outlook reading pane text, point your mouse at the text, hold down the CTRL key and roll your mouse wheel up or down.
The same works if you want to resize in Internet Explorer (page content will reflow), Microsoft Word (page will zoom) and other programs (action depends on software and context -- just try it out!)

Sunday 21 March 2010

Another two Kiva loans

Some of you may know that i lend money to people in (mainly) developing countries, through an organization called Kiva. I've written about Kiva in my actual blog a few times before so i won't repeat most of it. Basically the idea is that you finance microloans for folks that need microloans to get out of a rut or build their capacity in doing their thing.
Today, i helped fund a loan to two women in South America.
If you want to do some good with just US$25, i urge you to also become a Kiva loaner. And if you know me && want to help me gain some more Kiva karma, contact me for an invite.

Thursday 18 March 2010

The call for full screen web applications for netbook and slate consumption

Related to my previous post, i just realized what's missing from my world. Web applications which play nice on nettops and slates and iPads.
And here's my hypothesis. I think the right solution is to create full screen web apps that run on a modest-size screen (the one i'm looking at is an 11" 1024x600 px) and that do not require scrolling of the application itself. People are used to scrolling content but the application should not require scrolling to be useful.
GMail for instance resizes the edit box to fill my web browser screen, which is nice when i'm using GMail on a desktop web browser. But the model fails when i'm GMailing on my small laptop. I use Google Reader for iPhone when i'm using the small laptop. It's fairly okay for modest-screen usage but it could take my keyboard into consideration.
So there we have that. Now to actual, billable work :)

Jolicloud will be nice


I came across a new system the other day, Jolicloud (yeah okay, it's a Linux distribution, based on Ubuntu -- now i've said it). Jolicloud is built with "netbooks", those small and fairly inexpensive laptops built for surfing, in mind. So after trying out the live version, i installed it on my wife's laptop.

The "pre-beta" Jolicloud shows promise. I can't say that the currently running version is ready for deployment and production usage for my dear lady, but it will be after a few iterations.

First the good.

Jolicloud looks very nice. That's always a good one if you're going to push it to the masses,

Jolicloud was Really Painless to install. You can download an installer that runs on Windows and everything is pretty automagic from there ("Go have a coffee, we'll take care of the rest"). After less than half an hour, and that includes downloading Jolicloud over the 'Net and optimizing it for its target platform, the system is ready to boot. Unlike other linucen i've installed, this uses Windows' own boot manager to give you the choice between starting Windows or Jolicloud.

There are two kinds of applications on Jolicloud; locally installed ones like Firefox, Spotify (under Wine) or F-Stop for photo management, and "cloud-based" ones like Google Documents, xkcd and so forth. The "cloud apps" run under Prism, which is a Firefox without the chrome. In this respect, it's very much like the Google Chrome OS, and a worthy alternative while waiting for Chrome OS to be released.

And then the bad.

From a user's standpoint, the two really bad things are that the system feels unresponsive at times and that it still is a bit too "techy". A very natural reason why it (in fact) is unresponsive is that many of the applications do live on the other side of the Internet, and for them to get there takes a bit of time. Some proper caching technologies should be applied. And the sluggy bits have become less prominent now that the system has done its initial updating bits. Or then i've just become used to them.

And then the techy bit. Jolicloud's main menu mixes user-centric bits like Internet or Sound & Video with system-centric stuff like Accessories, Preferences and disk folders. While i understand the historic reasons why these are where they are, they really should be separated so that there are parts which are for the user's benefit and other parts which are for pampering the machine and the operating system. But i guess these things will be ironed out before actual release.

Another thing which should be addressed is all this logging in. The user needs to log in separately to the machine (which is okay, but why ask for a username if this is primarily for a one-user setup), into the Jolicloud itself (only once, but you do need to create an account, which is a bit weird for your typical user), to Google Mail, Google Docs, Google Calendar and if there's anything else on the Googlesphere i use, then that bit too. The user would probably appreciate a bit more magic behind the scenes. Also, many of those so called web applications are just web pages, which for instance means one scroll bar for the text field i'm writing into just now and another scroll bar to scroll the whole page. GMail should create a more application like interface if this thing is to take off.

Some surprising additions came from hardware support. While i couldn't get wired Ethernet working on the computer, wireless worked perfectly well on any network i connected to. Most pleasing however was the fact that connecting to the 'Net using my cell phone was a plug and play affair. That was nice. And my daughter got to play Tractor Beams while we waited for our son to have his music club.

So there we have it. Using Jolicloud really has a promise of a silver lining out there. I'll be eagerly awaiting it.

Wednesday 17 March 2010

If a tape backup system requires two hours of specialist time just to change the tapes, something is wrong

I just came back from a customer[0][1], having spent the AM there changing their backup tapes. The good: ArcServe support tweeted me back even before i had the chance to write this (good work @arentejaswi!). The bad: everything else.
The manoeuvre required to change the backup tapes includes copious amounts of arbitrary-length waiting time and split-second reaction times to when one waiting has ended. It requires living with a tape drive and its controlling software that both seem to have individual minds of their own, sometimes with conflicting goals. To perform this seemingly mundane task, i need to "move a tape" (from the drive to the magazine, but only if the tape is in the drive). I need to run inventories on the tapes which take 20 minutes or more a pop. Sometimes the backup software informs me that the "Unit is busy" (which unit?), and i'll have to wait for another 20 minutes. I manually need to inform which tapes are in the "save set" and which are in the "scratch set", which probably is backup-lingo for which tapes can be saved onto (that's the scratch set, mind you) and which tapes should be left untouched (the save set, which incidentally consists of tapes that even aren't in the bloody tape drive).
All in all, using the system requires that i have a system-level understanding of it. And i don't. To operate it, i don't even know if i should; a properly trained monkey should be able to change tapes.
One problem i had today was that the backup software claimed tape 11 was in slot number five when i knew it was tape 20 in there. Tape 11 was in fact in the tape box. It took an hour of convincing the system and i'm still not sure it approved.
Still, all of that is technicalia. A system should not be so complicated to maintain that it requires hours of specialist time to do the seemingly mundane task of changing the tapes. The system should take care of doing inventories. It should understand which tapes were removed and which were replaced. It could even suggest to me which tapes i should insert next. Or it should accept whatever tapes i feed it and be able to take it from there.
At the same time, it feels unethical to the customer that they're going to see a bill from us for that changing-the-tapes time. It's not like it's their fault that changing tapes on a backup copy system sucks. But i know that something in all of this must be wrong.
[0] A real one this time
[1] Taking a therapeutic detour through my favorite curry joint

Tuesday 16 March 2010

How not to destroy your workstation

Dear client,
Once again i will have to bill your company for removing viruses/spyware/some-other-ware from one of your workers' machines. The job took me seven hours of which i only have the heart to bill you for four. After all, i want to keep you as a client in the future too. But for the price i should be billing you, you could get your employee a new computer.
Here's what you should do.
In short terms, educate your users that their workstations are for work only. That it will cost you the equivalent of one new computer each time i have to make it work again after the fun software they installed onto it brings it to a screeching halt. This money could be put into much more fun and/or productive use. Ask them to be very, very careful with the tool you've provided them with. A craftsman will take care of his or her tools even if they belong to their company and not themselves.
Ask them to get a personal computer for personal work. If you can, sponsor them into getting a personal computer. We can even work out something that is so easy to re-install that if it's broken again, it will be painless to get it back to wor... to play.
Or we could put all the work stuff on a terminal server. The users can bang their computers to bits for all i care, but the work is behind a remote connection.
Here's my favorite one, and it's not even expensive. We'll install a second environment for your people to play with. If they're at work, they boot into "work mode" and if they're at home, they boot into "play mode". I have the perfect suggestion for you.
So please, let's sit down and talk. This will only take a while and you'll save lots of extra money for it.
(fictional message to a customer)

Friday 12 February 2010

Look, it's a wormhole!

I've just created a two-way connection between Posterous and Facebook. Not only will this post echo from Posterous to my page on Facebook, but if anybody comments on it, comments should be echoed back to my Posterous site. Which is kind of nifty.

For this magic to happen, i needed to create a custom domain (for reasons i don't know -- i would happily have used my regular Posterous URL) and a Facebook app. As a Learning Experience, that was okay, but i do fear that you'll need to accept yet another stupid Facebook application to be able to comment.

Anyway, first commenter from Facebook gets grand kudos and ten brownie points!

How to figure out who runs your IIS process

I was asked the following, totally normal sysadmin question; will the Internet Information Service at a given server be allowed to write to a network-mapped folder. Whoa.

Had this been Linux, it would have been an easy one, but since it was Windows, it instead turned into a Valuable Learning Experience.

Through some creative googling and a wee bit of experimentation, here’s how, on a Windows 2003 or XP, using IIS 6.

First we need the Internet Information Services (or is it Server?) management interface.

  • Open Start menu » Administrative tools » IIS Manager

Then we need to know which Application Pool runs a given Web Site, marked relevant web site below:

  • Click your way: IIS Manager » server name » Web Sites » relevant web site [right-click] » Properties
  • Relevant Web Site Properties » Home Directory » Application Settings » Application Pool » Which Application Pool

On a one-site server, this may turn out to be default application pool DefaultAppPool. Oh if things were more exciting :)

Now we’ll figure out who runs That Application Pool:

  • IIS Manager » server name » Application Pools » That Application Pool [right-click] » Properties.
  • ThatAppPool Properties » Identity » The Service Account You Are Looking For

Again, on a one-site server, it just might be Network Service. There is something in me that rings a small alert bell that this may not be the most secure of options. If some security guru knows better, please do leave a comment!

Alright, now we’ll need to check whether That Service Account has proper rights.

  • Open Windows Explorer on My Computer and right-click the folder you want to examine » Properties
  • From the Security Tab, click Advanced, and on the popped up dialog box, choose Effective Permissions
  • Press the Select button, fill in That Service Account and press Enter

The Effective Permissions will now be displayed.

Phew. Easy as algebra.
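The same three lookups, scripted, as an added example that is not part of the original post: it assumes the IIS 6 WMI provider (namespace root\MicrosoftIISv2) that ships with Windows Server 2003, PowerShell installed on the server, a domain-joined server whose domain is the one you are logged on to, and a hypothetical site name and folder path given as parameters. It also spells out the caveat behind the "small alert bell" above: on a network-mapped folder, Network Service (and LocalSystem) do not show up on the file server as themselves but as the web server's computer account, so that is the principal whose rights on the share decide whether the write succeeds.

```powershell
# Added example (not code from the original post). Resolves web site -> application
# pool -> identity, then lists what that identity is granted on a folder.
# Assumes: IIS 6 WMI provider in root\MicrosoftIISv2 (Windows Server 2003),
# PowerShell on the box, and a hypothetical site name and folder as parameters.
param(
    [string]$SiteComment = 'Default Web Site',           # the "relevant web site"
    [string]$Folder      = '\\fileserver\share\uploads'  # hypothetical target folder
)

$ns = 'root\MicrosoftIISv2'

# Web site -> application pool. The site's root virtual directory (W3SVC/<id>/ROOT)
# carries the AppPoolId metabase property.
$site = Get-WmiObject -Namespace $ns -Class IIsWebServerSetting |
        Where-Object { $_.ServerComment -eq $SiteComment }
if (-not $site) { throw "No web site with comment '$SiteComment'" }
$root = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting |
        Where-Object { $_.Name -eq "$($site.Name)/ROOT" }
$poolName = $root.AppPoolId

# Application pool -> identity. AppPoolIdentityType: 0 LocalSystem, 1 LocalService,
# 2 NetworkService, 3 a specific configured user (WAMUserName).
$pool = Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting |
        Where-Object { $_.Name -eq "W3SVC/AppPools/$poolName" }
$identity = switch ($pool.AppPoolIdentityType) {
    0 { 'NT AUTHORITY\SYSTEM' }
    1 { 'NT AUTHORITY\LOCAL SERVICE' }
    2 { 'NT AUTHORITY\NETWORK SERVICE' }
    3 { $pool.WAMUserName }
}
"Site '$SiteComment' runs in pool '$poolName' as $identity"

# Identity -> what the folder grants it. On a remote share the built-in SYSTEM and
# NETWORK SERVICE accounts authenticate as the computer account (DOMAIN\HOST$), so
# that is the principal to look for there; LOCAL SERVICE goes out as anonymous.
# Assumption: $env:USERDOMAIN is also the server's domain.
$lookFor = $identity
if ($Folder -like '\\*') {
    switch ($pool.AppPoolIdentityType) {
        0 { $lookFor = "$env:USERDOMAIN\$env:COMPUTERNAME`$" }
        2 { $lookFor = "$env:USERDOMAIN\$env:COMPUTERNAME`$" }
        1 { Write-Warning 'LOCAL SERVICE reaches network shares as ANONYMOUS LOGON' }
    }
    "Checking ACL on $Folder for $lookFor"
}

$acl = Get-Acl -Path $Folder
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $lookFor } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Get-Acl lists the entries as written on the folder; it does not expand group membership the way the Effective Permissions tab does, so if the identity only gets access through a group, look that group up too. For a share you also need the share-level permissions, which are separate from the NTFS ones shown here.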

Friday 5 February 2010

Recovering from a bad Windows profile

Sometimes, Windows XP loses the user's profile and goes with a temporary profile instead which is just that, temporary. Any changes made to that profile -- like Outlook settings -- are lost with the next logout.

Here is a simple ten step process to get the profile back.

0. Reboot the computer. You'll see why in a minute.

1. Log in with Administrative privileges (domain or local). If you're trying to recover your own profile and your own logon has admin privileges, you need to take the longer route. You need to log in as somebody else than you're trying to restore. [0]

2. With Windows Explorer, navigate to C:\Documents and Settings. From View » Options » Advanced [1], set the appropriate option to show hidden files and folders.

3. Make a backup copy of the Problematic user's directory under Documents and Settings -- for this discussion, we shall call it C:\Documents and Settings\Problematic or Problematic for short -- just in case. This is why you needed to reboot; if the user has been logged in since the last boot, there will be some files locked inside the Problematic directory.

4. Tricky time. Rename the hidden (and now made-visible) directory Default User into Default User Original. Rename the Problematic directory to Default User. [2]

5. Log out Administrator and ask Problematic to log in. Since Problematic does not have a profile, a new one is created using the data from Default User. This is not just magical, but doubly so, as the bad data isn't copied verbatim but used as profile fodder to create a new and altogether less Problematic user profile!

6. Log out Problematic (who now, for the purposes of this discussion, really should be called something else :) and log in as an administrator.

7. Delete the "Problematic" Default User directory. Rename the Default User Original into Default User.

8. Log out. Feel smug.

OK, that was only nine steps so keep one in store for your next sysadmin magick. We both know you will both use and need it.

[0] In short, the longer route involves creating a new user and granting that user admin privs.
[1] OK, that isn't the exact path, but you'll find it. It's the second rightmost menu. I don't have an XP handy at the moment.
[2] You could probably achieve the same thing right clicking My computer > Properties > ... > User profiles and removing the offending profile, but this method includes recovering the b0rken profile itself. Do this for extra karma.
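The rename dance from steps 3, 4 and 7 as two PowerShell functions, added here as an example and not part of the original post. It assumes PowerShell is installed on the XP machine (it is not there by default), the standard C:\Documents and Settings layout, and that you run it from an administrator account other than the one being recovered, after the reboot in step 0 so no file in the profile is locked. The logouts and logins in steps 5 and 6 still happen by hand, which is why it is split into a "start" and a "complete" half.

```powershell
# Added example (not code from the original post): steps 3-4 and 7 of the
# profile recovery as two functions. Assumes the XP profile layout below and
# that the caller is an administrator who is NOT the user being recovered.
$ProfilesRoot = 'C:\Documents and Settings'

function Start-ProfileRecovery {
    param([string]$UserName)   # the "Problematic" user
    $problem  = Join-Path $ProfilesRoot $UserName
    $default  = Join-Path $ProfilesRoot 'Default User'
    $backup   = Join-Path $ProfilesRoot "$UserName.bak"
    $original = Join-Path $ProfilesRoot 'Default User Original'

    if (-not (Test-Path $problem)) { throw "No profile directory at $problem" }
    if (Test-Path $original) {
        throw "$original already exists; finish the previous recovery first"
    }

    # Step 3: keep a backup copy just in case. Copy-Item stops on a locked file,
    # which is exactly the situation the reboot in step 0 avoids.
    Copy-Item -Path $problem -Destination $backup -Recurse -Force -ErrorAction Stop

    # Step 4: park the real Default User and put the broken profile in its place.
    Rename-Item -Path $default -NewName 'Default User Original' -ErrorAction Stop
    Rename-Item -Path $problem -NewName 'Default User' -ErrorAction Stop
    "Now log out and log in as $UserName; Windows builds a fresh profile from the parked data."
}

function Complete-ProfileRecovery {
    $default  = Join-Path $ProfilesRoot 'Default User'
    $original = Join-Path $ProfilesRoot 'Default User Original'
    if (-not (Test-Path $original)) { throw "Nothing to complete: $original not found" }

    # Step 7: remove the borrowed Default User and restore the original one.
    Remove-Item -Path $default -Recurse -Force -ErrorAction Stop
    Rename-Item -Path $original -NewName 'Default User' -ErrorAction Stop
    'Default User restored.'
}

# Usage, run as an administrator in two sessions with the user's login in between:
#   Start-ProfileRecovery -UserName 'Problematic'
#   ... log out, log in as Problematic, log out, log back in as the administrator ...
#   Complete-ProfileRecovery
```

The guard on "Default User Original" matters: if the first half is run twice, the second run would park the already-borrowed directory and there would be no clean Default User left to restore. The .bak copy from step 3 is left in place on purpose; delete it yourself once the user confirms the new profile works.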

Wednesday 3 February 2010

S60 Profile Scheduler by Dr. Jukka

The Profile Scheduler by Dr. Jukka is such an insanely useful application that it's amazing the
feature of timed profiles isn't built into the S60 platform per
default. Profile Scheduler has become such a natural part of my normal
phone functionality that i can only vaguely remember the times when i
had to switch the phone on normal profile manually after having it
quiet over the night. Or remembering to switch it on night mode so i
don't have to hear the beeps when it starts or stops charging, or when
some id..ndividual decides to call or text me in the middle of the
night. Be noted: you are ignored.

The Profile Scheduler user interface may be a little confusing at
first contact, but it's really just simple: choose which profile to
switch to, which days and at what time. Press save. Repeat as
necessary. There are no separate "entry" and "exit" times, just a
single time when to switch and what to switch to. The other confusing
bit is that the application has an Exit button. Pressing it will only
exit the profile scheduling configuration interface; the profile
switching will still take place as scheduled.

A more complex scheduler might react to calendar events or cell towers
- and perhaps future Nokia phones will. Until then, i'll happily
support Dr Jukka with a buck for Profile Scheduler, even if there is
the no-cost unsigned version you can download, sign and install
yourself. I did that twice. This time i think both Jukka and i are
worth the paid version.

Tags: automation nokia s60 mobile profile scheduler

Thursday 28 January 2010

Symantec regards Spotify a trojan



I don’t know if it’s a Symantec update or a Spotify update but one of them thinks the other is b0rken.

Thursday 21 January 2010

Thermonuclear telephone resettage

My phone is getting increasingly unreliable (from all the abuse i've given it, i'm sure -- but it's been mutual abuse so i call it justified). I have now come to the point where i'm ready either to factory reset the machine using conventional means or with a mallet.

I have now learned that the way to positively wipe a Nokia Series 60 telephone so that nothing remains goes like this

  • Shut down phone
  • Remove memory card (just in case)
  • Press and hold Green + 3 + * (star) + Power
Keep holding the four finger salute until your phone asks in which country it is. Voila, your phone is reset.

Before doing that, there are a couple of recommended measures.

  • Stop Mail for Exchange synchronizing your mail box. MfE stores some email related stuff on your memory card which you want gone when the system is reset
  • You can send yourself your podcast subscriptions by marking them in the Podcasting application then sending them to an email address using MMS
  • Use Opera synch to get your Opera bookmarks to the cloud
  • Use paper and pen to get your Web Browser bookmarks saved (or use the Nokia backup app on PC Suite)
  • Use your favorite listing tool, write down what apps you have on your phone and where you got them
  • Run PC Suite backup and synch your stuff with Mail for Exchange. In the state your phone is, it'll probably fail, but you can try nonetheless.
  • Think, twice.
  • Reset your phone.
And that's it. See you on the other side.



Test. This happened a long time ago.

How not to receive mail

I just had a very Douglas Adamsy moment. There's a passage i love in one of his books where there's a big hole in the space ship but the hole in question also knocked out the sensor that would have told the monitor computer that there's a piece of the space ship missing. Which causes the maintenance robot to fall through the hole in the space ship because it does not know it exists.

The moral of the story? Monitor your monitors.

The case in question? Email. I have two email accounts that i use, one with the gmail domain name and one on my vanity domain. I actively use the Gmail account because i got it first, but i use the vanity email address for all outgoing mail regardless from which email address i send it. This means that when i send mail from Gmail, the replies get sent to the vanity domain which are automagically forwarded back to my Gmail account. It's a bit of a hack, but it has worked so far.

But oh.

At some stage in December apparently, i managed to mistype the forwarding settings so that all my email to the vanity domain got forwarded to another user at Gmail. Of course, i was not aware of this. I just stopped receiving some of my email. I just never attributed that to my own stupidity. But i should have.

When i today checked my vanity domain, i had a bunch of non delivery reports from that other account. Not very cool. I suppose i could go and send an apology mail to that other user but i fear that too is going to be bounced.

So if you haven't received a response from me to a mail you sent to my vanity domain, i am sorry (this, unfortunately also goes for billing statements sent from my ISP). My fault. Mails should be delivered now. And i shall cluebat myself just to improve my memory.