
Group Policy

You are currently browsing the articles from MS Windows Vista Compatible Software matching the category Group Policy.

Annoying file format warning when exporting CRM records to Excel

Pointless error message dialog box

When you export from CRM to Excel the data is derived as XML, saved with an XLS file extension and Excel is invoked to open the temporary file. Unfortunately Excel checks to see if the file being opened is actually of a type which matches the file extension and tries to be helpful. Normally this is to help overcome problems such as a comma-separated variable (CSV) file being saved as an XLS file extension, which ought to mean Excel tries to read the XLS file, fails because the contents are nothing like a real Excel binary file and gives up. Instead, Excel actually looks at the content, spots that it looks very much like a CSV and allows you to open it just as if the file extension was correct in the first place. However, this cleverness is tempered somewhat by the fact that the default setting for this is to ask the user every single time what they want to do.

As always, this is probably intended to be a helpful warning and prevent people opening files which might have insecure content, but it fails to do so because most users do not understand the implications and the longwinded message is probably not even read properly anyway. Certainly the 50th time someone sees a dialog like the one below, they just click “yes” without reading and it no longer provides any benefit whatsoever (by the way, I have done nothing to this, it displays in this ridiculously wide, un-resizable window on my machine).


Whenever I have managed people in IT support roles I try to eliminate fixes which involve things like “ignore that error message, just hit OK and it will work fine”. This not only numbs people to the meaning of that particular error message but to these sorts of warnings in general. Too often I have heard users explain why they did not report a problem until it was too late, saying “well, I got an error every day saying something about faulty disk or something but I just clicked OK, like John said we should with that other one…”. Find the root cause, eliminate the error, or suppress the error somehow, don’t teach people that errors don’t matter or they just ignore them. If you went to your doctor and said “it hurts my neck when I lift my arm up” you would not be impressed if she replied “then don’t lift your arms up!”, would you?

Stop Excel asking unhelpful questions when you export records from CRM

Luckily there is a really easy way to control this behaviour across your whole network using Group Policy. You will need to download the appropriate admin files for Office 2007 or Office 2010 and add them to your Group Policy in the usual way* (either to a new policy or an existing one you might already have for applying other Office policy settings). Go to:

User configuration\Administrative templates\Microsoft Excel 2007 (or 2010)\Excel options\Security

Look for the policy setting for “Force file extension to match file type”, enable it and choose one of the three options:

  • Allow different (this is the one you need to stop the warning when exporting from CRM)
  • Allow different, but warn (this is the default behaviour)
  • Always match file type (this stops the warning but prevents mismatched files from being opened)

This is the full explanation text which you can see in that policy setting, or in the spreadsheet of available Group Policy settings for Office:

This policy setting controls how Excel 2007 loads file types that do not match their extension. Excel 2007 can load files with extensions that do not match the files’ type. For example, if a comma-separated values (CSV) file named example.csv is renamed example.xls, Excel can properly load it as a CSV file.

If you enable this policy setting, you can choose from three options for working with files that have non-matching extensions:

  • Allow different – Excel 2007 opens the files properly without warning users that the files have non-matching extensions. If users subsequently edit and save the files, Excel preserves both the true, underlying file format and the incorrect file extension.
  • Allow different, but warn – Excel opens the files properly, but warns users about the file type mismatch. This option is the default configuration in Excel.
  • Always match file type – Excel does not open any files that have non-matching extensions.

If you disable or do not configure this policy setting, if users attempt to open files with the wrong extension, Excel opens the file and displays a warning that the file type is not what Excel expected.
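To confirm on a client which of the three options is actually in force after the GPO has applied, the following added example (not part of the original article) reads the setting back for the current user. It assumes the policy is stored as a DWORD named ExtensionHardening under the Office 12.0 / 14.0 Excel\Security keys, with 0, 1 and 2 corresponding to the three options in the order listed; the article itself does not give the registry location.

```powershell
# Added example: report "Force file extension to match file type" for the current user.
# Assumption: the setting is the DWORD ExtensionHardening under Excel\Security.
$meaning = @{
    0 = 'Allow different (no warning)'
    1 = 'Allow different, but warn (default)'
    2 = 'Always match file type (mismatched files are not opened)'
}
$versions = @{ '12.0' = 'Excel 2007'; '14.0' = 'Excel 2010' }

function Get-ExtensionHardening {
    foreach ($ver in $versions.Keys) {
        # Policy hive first: a value set by Group Policy wins over the user's own setting.
        $keys = @(
            "HKCU:\Software\Policies\Microsoft\Office\$ver\Excel\Security",
            "HKCU:\Software\Microsoft\Office\$ver\Excel\Security"
        )
        $value  = 1                    # not configured means Excel warns
        $source = 'not configured'
        foreach ($key in $keys) {
            $prop = Get-ItemProperty -Path $key -Name ExtensionHardening -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $value  = [int]$prop.ExtensionHardening
                $source = $key
                break
            }
        }
        New-Object psobject -Property @{
            Product = $versions[$ver]
            Value   = $value
            Meaning = $meaning[$value]
            Source  = $source
        }
    }
}

Get-ExtensionHardening | Format-Table Product, Value, Meaning, Source -AutoSize
```

A value of 0 means the extension check is switched off for every file that user opens in Excel, not only for CRM exports, so it is worth scoping the GPO to the users who actually need it.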

*Adding group policy ADM files to GPMC

Just in case you don’t know how to do this, here’s the quick version:

Download and unzip the ADM files you need to use, and remember where they are. Open Group Policy Management Console (GPMC), find the policy you want to change, right click > Edit.

Navigate to Computer or User Configuration as necessary, then right click “Administrative templates” and choose “Add/remove templates”. Click the Add button and navigate to where you saved them. Select the policy template you need (Excel12.adm or Excel14.adm in this case) and click Open – you can use Ctrl-click to select multiple template files before clicking Open, or just double click a file if you only need one. Click Close.

Double click Administrative Templates to expand that branch, and look for your new template as a “folder” – Microsoft Excel 2007 or 2010 as appropriate.



Written by Adam Vero on July 1st, 2010 with no comments.

Start > Run > "gpedit.msc":

Computer Configuration > Administrative Template > Windows Component > Windows Installer

"Disable Windows Installer": Enable

Written by Myhouse on June 17th, 2010 with no comments.

Office 2010 Group Policy setting reference

There’s a useful Office 2010 Group Policy settings reference which details 428 settings which are new versus Office 2007, 125 deprecated or removed since 2007, and 98 which write to registry locations which are not version specific (and therefore might be policies which affect older and newer versions equally). This is a useful additional companion to the main settings reference (downloaded as part of the Office 2010 admin templates as discussed in an earlier post about managing Office 2010), especially to quickly identify where you may need to make new decisions rather than just replicating your original Office 2007 group policies setting by setting.



Written by Adam Vero on May 6th, 2010 with no comments.

Unique passwords on local user accounts using VBS and Group Policy

The purpose of the script (SetLocalPassword.v2.txt - just rename to “SetLocalPassword.vbs”) is to ensure that a unique and complex password is assigned to a specific local user account (typically the local administrator account) on a Windows client in an Active Directory (AD) domain environment.

The script can be used if you (for one reason or another) want a specified local user account (e.g. administrator) to be active, but you still want to ensure that the password used is unique for each computer, that the password is changed regularly (after a given period of time) and that you are able to log on using the password at any time. Usually I would recommend customers to just deactivate the local administrator account, or set the password using Group Policy Preferences (preferably different passwords on different security areas), but if these solutions aren’t usable in the environment, “ChangeLocalPassword.vbs” could be the right solution.

The intention is to execute the script as a “Startup Script” within a Group Policy Object (GPO), which is aimed at the relevant computer accounts in AD (as you probably know, GPOs can be filtered by AD security groups, WMI filters, Organizational Units (OU), domain and/or site). This way we ensure that the script is executed in “SYSTEM” context, in which we can pretty much do anything on the local computer(s). Furthermore, SYSTEM can access network resources on behalf of the computer, as long as the resource in question (a file share in this case) allows “Domain Computers”, the specific AD computer account or “Authenticated Users” to gain access.

It is crucial that the group ”Authenticated Users” is NOT given access to the network share – in that case all users within the domain will be able to read which passwords are used on all computers hit by the GPO. Share permissions (could be a hidden share$) can of course be set to Everyone Full Control, but NTFS must be set to allow only members of the group “Domain Computers” to read and write - domain administrators, and other relevant groups (e.g. helpdesk, supporters, backup account etc.) should also have read access. If you have a Distributed File System (DFS) up and running it could be used as the network share.

This illustrates the script’s cycle:

1. The SYSTEM account is used by the computer during the boot process
2. DNS and AD are contacted, and Group Policies are processed (machine policies)
3. The GPO with the Startup Script is loaded
4. The VBS script is executed (also in SYSTEM context)
5. All activity is logged to a local log file (strLocalLog)
6. Some preliminary checks are performed, this includes last modification of strLocalStamp and network access (strNetShare)
7. A password (strNewPassword) is generated from 4 different criteria (intPasswordLength, intWantNumbers, intWantLcase and intWantUcase)
8. The username and password (clear text) are logged in a central log file (strNetFile)
9. The chosen local user account (strLocalUser) is assigned the newly generated password (only if 8 was completed without any errors)
10. A local timestamp file is created or modified if 9 was successfully completed

Some important notes…

First and foremost one must ensure, that the script file the GPO is pointing to cannot be modified by others than the relevant administrators. If a user gets write access to that file, he or she can do anything (locally) on all machines executing the code. This is of course true for any GPO Startup Script used.

Another important thing to note is that if your users have local admin rights (I hope not), they will be able to “hack” the solution in a couple of ways. First of all they will of course be able to reset passwords for all local user accounts, but if they are a bit clever, they will also be able to take over the SYSTEM account (hint: AT command or PSEXEC) and access the network share we are using – and thus read or modify the log files with all the clear text passwords. But who in the world would allow users to be local administrators in the first place, right?

A Startup Script will time out if the script takes too long to execute, but we should not have such a problem with this script (normally executed in less than a second). Startup Scripts react differently depending on whether the “Always wait for the network at computer startup and logon” setting is set or not - the script should work in both cases though.
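Both warnings above (no “Authenticated Users” on the password share, and no write access to the startup script for anyone but administrators) can be checked mechanically. The following is an added example, not part of the original script; the script location in $ScriptPath is a hypothetical placeholder, and the share path is the article's sample value.

```powershell
# Added example: flag broad groups on the password share and on the startup script.
$NetShare   = '\\SERVER\SHARE\'                          # strNetShare in the script
$ScriptPath = '\\SERVER\NETLOGON\SetLocalPassword.vbs'   # hypothetical script location

# Well-known SIDs, so the check also works on non-English systems.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Find-BroadAccess {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    # Note: inherit-only ACEs that carry generic rights are not decoded here.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable account
        # RID 513 is the Domain Users group of any domain.
        $isBroad = $broadSids.ContainsKey($sid) -or ($sid -match '^S-1-5-21-.+-513$')
        if ($isBroad -and (([int]$ace.FileSystemRights -band [int]$Rights) -ne 0)) {
            New-Object psobject -Property @{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

$read  = [System.Security.AccessControl.FileSystemRights]'ReadData'
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

$findings = @(
    # Nobody outside Domain Computers and the support groups should read the logs.
    Find-BroadAccess -Path $NetShare -Rights $read
    Get-ChildItem -LiteralPath $NetShare -Filter *.log |
        ForEach-Object { Find-BroadAccess -Path $_.FullName -Rights $read }
    # Only administrators should be able to change the startup script.
    Find-BroadAccess -Path $ScriptPath -Rights $write
)

if ($findings.Count) { $findings | Format-Table Path, Identity, Rights -AutoSize }
else { 'No broad read access to the share and no broad write access to the script.' }
```

Any row in the output is a finding: either every domain user can read the clear text passwords, or a non-administrator can change code that runs as SYSTEM on every targeted machine.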

Let’s take a look at the customizable variables.

intDays = 60
- default: 60 days between password changes

strNetShare = "\\SERVER\SHARE\"
- define as a share with the correct NTFS permissions set
- it could be a hidden share, perhaps on a DFS
- remember a trailing backslash (\) or the script will fail!

strLocalLog = "C:\admpwd.log"
- placement of the local log file of all activity (except for the password itself)

strLocalStamp = "C:\admpwd.stp"
- placement of the file used as a timestamp

strLocalUser = "test-user"
- name the user account to control (e.g. "administrator")

intPasswordLength = 12
- the number of characters the password should have (exactly)
- must be at least the same as the domain's minimum password length

intWantNumbers = 1
- set whether or not the password should contain numbers (complexity requirement)

intWantLcase = 1
- set whether or not the password should contain lowercase letters (complexity requirement)

intWantUcase = 1
- set whether or not the password should contain UPPERCASE letters (complexity requirement)
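How the VBS script turns these four settings into a password is not shown on this page. As an added example (not the script's own code), here is one way to honour the same settings with a cryptographic random source, guaranteeing at least one character from each requested class; the function name New-LocalPassword and its parameter names are hypothetical.

```powershell
# Added example: password generation driven by the same four settings.
function New-LocalPassword {
    param(
        [int]$Length      = 12,   # intPasswordLength
        [int]$WantNumbers = 1,    # intWantNumbers
        [int]$WantLcase   = 1,    # intWantLcase
        [int]$WantUcase   = 1     # intWantUcase
    )
    $classes = @()
    if ($WantNumbers) { $classes += '0123456789' }
    if ($WantLcase)   { $classes += 'abcdefghijklmnopqrstuvwxyz' }
    if ($WantUcase)   { $classes += 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' }
    if ($classes.Count -eq 0)       { throw 'Enable at least one character class.' }
    if ($Length -lt $classes.Count) { throw 'Length is too short for the requested classes.' }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Uniform index in [0, n) by rejection sampling, which avoids modulo bias.
    $pick = {
        param([int]$n)
        $limit = 256 - (256 % $n)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        return $buf[0] % $n
    }

    $all   = -join $classes
    $chars = New-Object 'System.Collections.Generic.List[char]'
    # One character from every requested class, so complexity rules are always met.
    foreach ($c in $classes) { $chars.Add($c[(& $pick $c.Length)]) }
    # Fill the rest from the combined alphabet.
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $pick $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $pick ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars.ToArray()
}

New-LocalPassword -Length 12
```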

An example of the strLocalLog (default “c:\admpwd.log”) local log file:

2009-05-22 13:20:26 [STARTED]
2009-05-22 13:20:26 [VARIABLES - A]
2009-05-22 13:20:26 - intDays : 1
2009-05-22 13:20:26 - strNetShare : ‘\\SERVER\SHARE\’
2009-05-22 13:20:26 - strLocalLog : ‘C:\admpwd.log’
2009-05-22 13:20:26 - strLocalStamp : ‘C:\admpwd.stp’
2009-05-22 13:20:26 - strLocalUser : ‘test-user’
2009-05-22 13:20:26 - strComputer : ‘COMPUTER1’
2009-05-22 13:20:26 - strNetFile : ‘\\SERVER\SHARE\COMPUTER1.log’
2009-05-22 13:20:26 STATUS - No local stamp file, probably first run
2009-05-22 13:20:26 SUCCESS - ALIVE:\\SERVER\SHARE\
2009-05-22 13:20:26 [VARIABLES - B]
2009-05-22 13:20:26 - intPasswordLength: 12
2009-05-22 13:20:26 - intWantNumbers : 1
2009-05-22 13:20:26 - intWantLcase : 1
2009-05-22 13:20:26 - intWantUcase : 1
2009-05-22 13:20:26 SUCCESS - PWD SET for: ‘test-user’
2009-05-22 13:20:26 SUCCESS - PWD written to: ‘\\SERVER\SHARE\COMPUTER1.log’
2009-05-22 13:20:26 SUCCESS - TIME written to: ‘C:\admpwd.stp’
2009-05-22 13:20:26 [COMPLETED]

2009-05-22 13:27:45 [STARTED]
2009-05-22 13:27:45 [VARIABLES - A]
2009-05-22 13:27:45 - intDays : 1
2009-05-22 13:27:45 - strNetShare : ‘\\SERVER\SHARE\’
2009-05-22 13:27:45 - strLocalLog : ‘C:\admpwd.log’
2009-05-22 13:27:45 - strLocalStamp : ‘C:\admpwd.stp’
2009-05-22 13:27:45 - strLocalUser : ‘test-user’
2009-05-22 13:27:45 - strComputer : ‘COMPUTER1’
2009-05-22 13:27:45 - strNetFile : ‘\\SERVER\SHARE\COMPUTER1.log’
2009-05-22 13:27:45 STATUS - STAMP last modified: 22-05-2009 13:20:26
2009-05-22 13:27:45 STATUS - STAMP younger than: 1 days!
2009-05-22 13:27:45 [COMPLETED]

An example of the strNetFile (named [computername].log) network log file:

2009-05-20 13:20:26 test-user : ‘W57Ja6c5Xcus’
2009-05-22 08:10:39 test-user : ‘sdEc7s9Gbba8’

Final note:

The code could most definitely be more optimized (and prettier), but it works like a charm (and pretty fast too) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows 7.

I hope it will turn out to be useful to someone out there - enjoy!


Written by Jakob H. Heidelberg on May 24th, 2009 with no comments.

Windows 7 AppLocker

Windows 7 RC has been out for a few weeks now, and the TLA team has been busy learning and testing all the great new features. Your tip for today is on Windows 7 AppLocker. Many of you know about Software Restriction Policies. They allow you to block the execution of a program by file name or hash calculation. Many of you probably also know how it was a race to block applications in our network with these methods. Users could change the name of the file, or applications updated so frequently that you would constantly need to generate new hash files.

Windows 7 introduces a great new feature called AppLocker. AppLocker works under the premise that it’s easier to allow the applications you want and block the rest. If you’re running a Windows 7 machine you can see AppLocker by typing gpedit.msc into your search bar and pressing Enter.

You can define policies based on Executables, Windows Installers, and Scripts. Creating a new policy is really simple. Right click on any of the 3 categories and click New.

You can create a policy to allow or deny an executable. You can also select which groups the rule will apply to.

You can choose to create a rule based on a publisher (the program needs to be signed), a program path, or a file hash (usually a good choice if the program isn’t signed).

For this example I chose publisher. The rule wizard uses the information stored in the application’s signing certificate to learn about the application. You can adjust what level of information you’ll allow for an application.

In the above example I set the level to allow any version of Internet Explorer (regardless of the file name used or the version).

You can use the same steps to create exceptions for specific applications. One of the best features is the ability to automatically generate rules.


This scans your applications in the program files directory and creates permissions for those programs to run. Perfect for quickly creating a baseline set of rules for a gold image.
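The same baseline can be generated and dry-run tested from PowerShell with the AppLocker module's cmdlets. This is an added example, not part of the original post; the output file name and the choice of the Downloads folder as a test set are assumptions.

```powershell
# Added example; run elevated on the reference (gold image) machine.
Import-Module AppLocker

$policyFile = Join-Path $env:TEMP 'applocker-baseline.xml'   # hypothetical output path

# Publisher and hash details for every executable under Program Files.
$files = @(Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe)

# Unsigned binaries cannot get a publisher rule, so they fall back to hash rules
# that have to be regenerated whenever the file is updated.
$unsigned = @($files | Where-Object { -not $_.Publisher })
'{0} of {1} executables are unsigned and will get hash rules' -f $unsigned.Count, $files.Count

# Publisher rules where possible, hash rules otherwise; no path rules are created.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyFile

# Dry run: how would the baseline treat executables in a user-writable folder?
$downloads  = Join-Path $env:USERPROFILE 'Downloads'
$candidates = @(Get-ChildItem -Path $downloads -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })
if ($candidates.Count) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}
```

Reviewing the dry-run output before importing the policy into a GPO shows which files would be allowed only because they share a publisher with something in Program Files.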

Written by daniel.nerenberg on May 21st, 2009 with no comments.

Windows Server 2008 R2 - What’s New in Group Policy?

PowerShell integration, new functionality in Directory Services, Auditing, Direct Access, UI enhancements and...


Written by magakos on May 13th, 2009 with no comments.
