April 2008 - Posts
Q: (from Gregory)
I am working with a variety of non-profits to help them collect and analyze various kinds of data. In some cases, it would be desirable to have a system whereby different permissions could be assigned to different users of these databases regarding which tables the user could access, which forms they could open, etc. Also, some users need read/write access where others should only have read access. Up through Access 2003 MS had the User level security wizard in Access which created a system for exactly this need. Now that system has apparently been discontinued and no longer supported by Access 2007, but I have not been able to find out if there is a replacement. What is the new best practice for setting user permissions on objects in an Access database?
A:
Regarding permissions in Access: what I’ve found from the Access online help (I searched on “permissions”; perhaps this is where you’ve already looked)
The new Access file format does not support user level security; so as I understand your choices (as documented by the online help)
- Adopt the new Access file format and utilize SharePoint to manage user security
- Stick with the old Access file format and apparently Access 2007 will re-expose the user permissions controls under the Database Tools tab
- Adopt a more robust back-end data solution like SQL or SQL Express
I don’t feel any of these are great solutions for you; but I have nothing else to offer. The impression I have is that since Access is categorized as a “user level” database solution; to continue to support a robust security model did not make sense. Access is targeted at straight-forward solutions and that stepping up to a solution like SQL or SharePoint (which shares SQL on the back end) provides our robust secure data solution.
Response: (from Gregory)
Thanks for the reply, Steve. I had come to the same conclusion as you regarding my options. I don’t really like the choices. I have a SharePoint site, but using that for security for an Access database, from what I have read, will involve many changes to the database which are not really acceptable to me. In short, there are many features of Access which will not be supported when it’s accessed through SharePoint. I don’t want to stick with the 2003 file format. That would leave me stuck in the past and unable to ever upgrade. Not something I want to do. And I’m not really anxious to learn SQL right now, as I’m just a lowly IT director and have about a million other hats. I can’t devote the time to becoming a real database admin.
I wonder if the folks in the Access division realize how many of us are using Access for some pretty sophisticated solutions involving many users. It’s their fault if they’ve built Access into a product which does a very nice job in a wide range of scenarios and is, while not easy to learn, still much easier than something like SQL. Maybe you could pass along my feedback to them that many of us in the small to medium business category would really like to see some help with user level security in Access, without involving SharePoint.
I would be very happy to provide more detail on what kinds of things I’m doing with Access, if anyone would find that helpful.
A:
I’ve forward your feedback though our internal channels, but I would recommend you (and any associates) send your feedback to the Access team directly. You can do this at:
http://office.microsoft.com/en-us/access/default.aspx
On the left side of the screen, you will see a link titled: “Send us your comments”
Q: (from Prasad)
Through our action pack subscription, we have access to several MS software products, that we can install and demo to prospective clients when we talk about features and benefits to clients. These demos are very helpful in making the sale. I like the Response Point phone system and would love to sell the system. What would be very useful is if we can demo the response point phone system to prospective clients like we are able to do, for MS software products. Can MS help partners with discounts or 0% interest rate financing for a demo unit (just for the demo unit), that the partners can purchase from Response Point vendors (Quanta or D-Link)? This will be a tremendous help for partners. Since this is a new product with speech technology, if people can see it in action they are more likely to buy it. Demo units would be an investment for partners… therefore a discounted price or 0% financing for demo units, similar to action pack subscription which is a tremendous value for partners, will go a long way to increase the RP sales.
A:
Because the Response Point systems are actually built by our hardware partners, Microsoft does not have the ability to include the technology in any of our technology subscription programs like Action Pack or MSDN.
However, each of our hardware partners do have partner programs which can provides systems at a discounted rate:
D-Link VoiceCenter specialist information
Quanta Syspine Discounted Demo Units Available for VARs
- Sypine is offering discounted prices for demo kit to Microsoft partners for a limited time.
- This is a great opportunity for our partners to purchase a demo unit - savings of up to 40% - that is ideal for you to quickly set up and use for your sales training, or use for live demonstrations in-house or at your customer's location.
- For under $1,000, the demo kit has everything you need to get started and see for yourself the advantages of adding this award winning new communications system for small businesses to your product line.
- To order your demo kit please visit our website at http://www.syspine.com/wheretobuy.html to locate a Syspine distributor.
- If you have further questions please email Syspine @ sales@syspine.com. When placing your order with our distributor please reference promotional code SYSDEMO.
We don't have information on the Aastra reseller's program yet.
Q: (from John)
Steve,Good to see you again. It really helps to have a consistent face from Microsoft. And one that isn't all marketing spin.We first started running into each other when ASCII was a co-sponsor.As to feedback about Vista, I server professional services people: Architects Engineers, lawyers. People who use their computers a lot every day in intensive file and calculation applications.It's slow. We want snappy a operating system. Vista is less responsive in basic file opens than XP Pro.It's hard to find things. Some simple things in XP which were 1-2 clicks are 4-6 clicks. For example checking IP status. XP: Right click on Network Neighborhood, Properties, Right click LAN, Status. In Vista, you have to drill down through many more layers.Hiding data. People really hate Windows hiding information. We want the Details view to always be the default, not icons. Folders should always open in Explorer mode. We always want to see ALL file extensions and never hide OS files.We would really like a GPO that controls all of these settings, XP Pro doesn't have one and haven't tried Vista GPO. We use third party such as Scriptlogic to control. (Hmm wonder if we can do it with Powershell?)Early Vista adoption was slow because you changed the TCPIP stack. We have lots of clients using Netware for file servers, the lack of a Netware client slowed everything.Vista Wireless fails to connect to many SECURE access points like Sonicwall. XP Pro has no trouble, Vista sees, but can't connect.Out of about 1,000 desktops under my control, we have maybe 3 Vista. AutoCAD runs slower under Vista. So lots of people have licenses, but we deploy XP Pro (SA on all of these new Vista only machines).On Powershell, I was one of the earlier adapters of Exchange 2007. I find the lack of documentation of what's done in GUI and what's in Powershell very frustrating. You know how you did it in 2003 Exchange Manager, but they don't even leave a cookie trail in 2007 Manager. There needs to be a matrix of "This way in 2003, then do this in 2007 or PowerShell."The Powershell Exchange scripts often don't have very good examples. A lot of trial and error to get the syntax right.So as usual I learned a few ne tricks.
A:
Again, thanks for the frank feedback. Remember, you can provide this feedback directly to Microsoft at:
http://connect.microsoft.com
Regarding performance, I would be interested in knowing if you have explored SP1. I realize my sole example is just antidotal, but I've have seen a distinct improvement in Windows Explorer performance since I installed SP1 (and I came in being skeptical)
Hard to find things: I use the desktop search and the control panel search ALL of the time to find applications and files on my system. If you aren’t finding something that you know is there, have to reviewed the scope of the search tool?
PowerShell only helps with applications that have been extended to support the PowerShell API (applications that have exposed their controls to the PowerShell programming environment). The ability to control what is visible in Windows Explorer can be controlled through the registry, which can be managed through a custom Group Policy.
Q: (from John)
Steve:
Perhaps you remember me asking you a question after your presentation in the Philadelphia “Heroes Happen” partner meeting. You asked that I send you this email so you can find out what you can about my concern for a possible limitation affecting the forthcoming SBS 2008.
My company, Trilon, provides outsourced IT support to small businesses in Eastern Pennsylvania and North/Central New Jersey. Many of our clients use Microsoft SBS 2003 as their only server in the main office. All such offices use SBS 2003’s two-network-interface configuration, which allows the SBS to share a single static IP address to the Internet on one interface with all the office workstations connected through a network switch to the other SBS network interface.
The two-network-interface SBS 2003 configuration uses the built-in RRAS-based NAT and Basic Firewall to share the single Internet connection. I have heard rumors that the new SBS 2008 will only support a single network configuration. Thus, we’ll need another server (like a Microsoft ISA server), or some network-sharing appliance, or hey—why not some sort of Unix-based box? And then, guess what? We can also run a mail server, DNS, DHCP, and file & printer sharing all from a single server again! And it doesn’t even cost as much as one SBS server! At least, that’s the observation I’m afraid my clients are going to make. I’m going to have to justify the additional cost for buying (and monthly cost to maintain) another thing (server or network appliance) after they upgrade to SBS 2008. They’ll ask why the upgrade to SBS 2008 can’t do what SBS 2003 did.
I really hate those cheesy NAT boxes that cost under $100 that everyone is throwing into their home offices because they always crash and need to be power cycled every week or so to restore service. My clients are all used to the rock-solid network sharing services provided by SBS 2003. And we have never had a problem remotely accessing SBS 2003 servers, even when their configuration needed adjusting. My experience with network-sharing appliances tells me that if they aren’t crashed, they’re certainly not going to respond to remote management! To achieve the same level of reliable network-sharing we had with SBS 2003, we’ll need to recommend some pricey box from Cisco, or a second machine running Microsoft ISA server—both of which are much more powerful than they really need. But we’ll still have to recommend them, since I don’t know of a cheaper, yet still reliable, solution.
I can understand the decision not to allow ISA server to run on SBS 2008; heck, we already don’t use it for any of our clients. But to take away the basic network sharing and firewall services of SBS 2003 is going to pose a real opportunity for my clients to rethink their server choice.
One final word regarding your presentation in Philadelphia: I find it very distressing that functions and features being taken away by SBS 2008 are not highlighted in the slides and addressed by your talk. Microsoft doesn’t have to sell us on the virtues of SBS—we already know it’s a good product, and we want to see it deployed to our clients’ sites. However, we’re supposed to be on the same team, so we need to know the good news along with the bad news. That way, we can begin to make plans and prepare proposals that will succeed. As it stands now, if I’m right that SBS 2008 will only support a single network interface configuration, I guess I’m expected to find that out when I try to install it the first time! Why not tell me now what’s changing so we can all be prepared! Hey, even better—shouldn’t Microsoft tell us that it’s thinking about removing such a key component, and ask us for feedback before just silently removing the feature?
A: (from Peter Gallagher)
For the dual nic scenario, SBS2k3 STANDARD fully supported 2 nics and used RRAS (component of Win2k3) as the firewall. In SBS2k8, the wizards will support a single nic install. If you have a partner that wants/needs 2 nics, make sure the customer understands the “80/20” rule where SBS out of the box fits (and was designed for) most customer’s networks. When the network starts falling into the “20” category, they need to look long and hard at why they are in the “20” category and be mindful of the “gotchas” when they start falling out of the design parameters.
Back to the original question about 2 nics: Will it support 2 NICs? YES but you gotta know what you are doing! Will the wizards support it? NO, manual config is required. Will it support NAT, the short answer is NO.
A more detailed posting about the "why" can be found here:
http://sbs.seandaniel.com/2008/05/preparing-your-network-for-small.html
Q: (from John)
Peter says "When the network starts falling into the “20” category, they need to look long and hard at why they are in the “20” category and be mindful of the “gotchas” when they start falling out of the design parameters."
The reason my clients would "be in the '20' category" and "start falling out of the design parameters" is because Microsoft pushed them, causing them to "fall out" and land "in the '20' category". 100% of my small business clients use SBS 2003’s two-NIC scenario to connect, share, and guard against the Internet. Since the two-NIC was included as one of the three scenarios supported by the SBS 2003 wizard, I would think my clients were in the 80%. What changed?
When customers who were in the "80" category wake up one morning and find themselves in the "20" category, Microsoft needs to look long and hard at why "improvements" to their products have the effect of marginalizing their customers. Remember, my clients didn’t change, it’s Microsoft who’s changing SBS 2008. Some of my clients use five year old server hardware and wish they could have a little more disk space and/or perhaps a little quicker response from their existing server. We all expect that buying new hardware for SBS 2008 would naturally include new faster/larger disks and processors. It’s hard to explain to my clients that when they get SBS 2008 and five year newer, faster hardware, they’ll need yet more equipment to connect their LAN and server to the Internet because Microsoft has declared them unfit for full support.
Steve, here’s the real test: did Microsoft decide that it would be best to take out support for two-NIC setups because very few sites wanted the feature, or did Server 2008 (which SBS 2008 is based on) drop support for components needed by SBS for two-NIC functions? If it’s the later, the argument put forth by Peter is just an attempt to justify the change, rather than an explanation for the decision. That is, the SBS team didn’t decide to take out support for a two-NIC scenario even though it would take effort to remove the feature; instead, they decided not to do the work necessary to put it back in when Server 2008 failed to include the necessary components to do it the same way it was provided with SBS 2003.
A: (from Steve)
As you pointed out in your last email Windows Server without RRAS looses the ability to provide NAT services and that’s where your “rant” comes in. The choice to remove the RRAS capability by the Windows Server team impacts what is available to the base SBS product. The SBS team then had to decide if they were going to replace that functionality separately. Since they were already on the track of removing SBS from the firewall role, the decision was to not replace the NAT functionality. I apologize for pushing your customers from the 80% to the 20% (really to the 0% since it can’t be done) but I also appreciate the internal consistency of the new approach; if we have been harangued about SBS (Active Directory, file & print, Exchange, Windows SharePoint Services, etc) not being robust enough to also play the role of a firewall with ISA; why would we let the box play a similar role with a less robust security technology (RRAS)? This is why we are recommending that you transition your customers to using an external firewall/NAT device either based on ISA or a 3rd party technology.
Q: (from John)
Follow-up from Philadelphia Heroes presentation.
Well, Server 2008 is almost as frustrating as Vista, but not entirely. Basic maintenance tasks are hidden away. Servers are meant to be easier to IT managers not more difficult.
We really need a task converter. You enter the clicks or menu items in 2003 or XP and it tells you where the same task is in Vista or 2008. THAT should be part of the standard install, not IE Enhanced Security or password policy set for complex passwords.
For example that irritating IE Enhanced Security Configuration goes in by default. But Add/Remove Programs no longer even gives a hint as to where you remove Windows components. It should at least give you a hint. And it's not under IE options. Why is it in the Server Manager in an obscure security setting?
Windows 2008 and Vista needs to give you a choice on first login to show everything in Explorer. I don't know how many thousands of times I've had to change Explorer features to not hide extensions, show everything, show Details and don't Arrange in Groups and always give me the Explore view for folders.
Explore mode for Folders is also hidden. IT managers want information, not pretty icons.
Users want SPEED. I still feel that Vista is a great leap backwards in usability. Server 2008 is nearly as bad.
Why in the world do you have an icon on the Start bar to close all programs and SHUTDOWN computer. It's a server for crying out loud. It never gets turned off. Same with Install Updates and SHUTDOWN. On a server it should always be RESTART.
Entire Network or Search for Computer is missing (or hidden) I do a lot of cross VPN connections and I usualy search fora computer based on IP since local DNS nows nothing of the remote private domains.
Also trying to login to an FTP site is well hidden, even if you say Open In Explorer, there is no dialog to login, nor a menu item to "Login As.."
A:
I'm sorry to hear that you are frustrated with both the new changes to Windows Server 2008 and some of the "features" that remain un-modified after several versions. I can confirm that some of your points ring true to me as well.
Microsoft now has a feedback site for you to express your opinions/requests/frustrations direct:
http://connect.microsoft.com/WindowsServerFeedback
In addition, if you don't mind, I will forward this internally as well.
Thanks your partnership and your continued persistence in making our products better.
Q: (from Kevin)
This may be a fairly rudimentary question; but I wanted clarification: If I have Windows 2008 with Hyper-V, must I have SCVMM in order to administer my guest Oss?
What is the relationship between the two; and if it’s VMM is not necessary, what more would I get from it?
A:
No, the Hyper-V management tools provide a basic level of resource allocation, image loading, monitoring, etc.
SCVMM provides more advanced functionality like letting you enable end user VM provisioning, VM placement across multiple VM hosts, load balancing, VM to Physical conversion and back. SCVMM works with both Hyper-V and our traditional machine virtualization
http://www.microsoft.com/systemcenter/scvmm/default.mspx
Q: (from Richard)
I was wondering if you could help me, as your name is the only one I have from Microsoft... We have a trade show coming up in May... I was looking for some giveaway items and or banners from Microsoft. There will be approx. 3500 people at this event mostly business owners. It is a great networking event for us and sets us up with business for the summer into the fall. I don’t seem to have any info available to contact anyone else, so maybe if you can just point me into the right direction that would be of great help. Thanks in advance.
A:
Thanks for reaching out to me. Of course I really want to find a way that you can promote yourself as well as your relationship with Microsoft. Just to warn you, however, Microsoft is very particular how our brand is used and by whom, so I did some quick research regarding your partnership level on our Solution Finder site (http://www.microsoft.com/smallbusiness/partner/results.aspx):
<<details removed to protect identity>>
Based on your Registered Partner status, here are some of the options available to you:
1) You could look into becoming an SBSC – that would give you access to the SBSC Blue Badge logo to use on your own marketing material, table cloth, etc – you would then become the only SBSC partner within 20+ miles
2) You could look into becoming a Certified Partner – a greater investment than SBSC, but more Microsoft logo rights
3) You could engage a Microsoft presenter at the event – if one of us is there, the logo can be there as well
Regarding collateral, I don’t have a budget to support an event this size, but you could engage with your local Partner Community Manager (http://www.mssmallbiz.com/pcms) to see if they do.
Q: (from Josh)
Well my Response Point training from this weekend was put to use today! I am prepare a quote for my first Response Point system.
My question is which SIP/VoIP companies work with Response Point? Is there a list of providers somewhere? I use callcentric.com (with great success) internally and had e-mailed them over the weekend….their response was We haven’t test Response Point with our system but from what we can tell it should work.
A:
From Joe Schurman (the Response Point presenter): NGT and CBeyond
But there is not a “preferred vendors” list yet. This information does appear in various Response Point blog (http://blogs.technet.com/rp) activity as well.