Mac Does Stuff

Month: November 2014

  • Enabling PIN Login on Windows 8/8.1

    A lot of people I know have started using Windows tablets of one sort or another – and a question that keeps cropping is why when their machines are members of the domain can they not use the PIN login method?

    By default on the domain this feature is turned off.

    As a side note, it’s interesting the resistance you can run in to enabling the PIN login method….It’s INSECURE shout/rant etc. It may be insecure – but it’s interesting that the same people who shout & moan about this don’t moan about 4 pin locks for people’s phones & iPads, and they arguably can contain very similar data-sets?

    Anyways, where is the Group Policy setting? Under the Computer Policy, go to Administrative Templates\System\Logon.

    Under there you should see the option for ‘Turn on PIN Sign-In’.

    If you open the local group policy editor you can see it here:

    2014-11-21 GPO

    You can also set it directly in the registry at this path (for example if your edition of Windows doesn’t have the Group Policy editor in it):

    HKML\SOFTWARE\Policies\Microsoft\Windows\System AllowDomainPINLogon REG_DWORD

    Set it to 1 to enable, 0 to disable.

  • Managing your Presence – It’s a tool!

    What feels like a long, long time ago I wrote an entry about how people can and should manage their presence – you can see it here:

    The Etiquette of Presence Long gone, sorry!

    Presence isn’t that unusual any more – people are use to it…. that’s not to say people are always using it in the best way however.

    I still see people who the first thing they do when they get in or online is put their Status on busy. So much so you ignore the busy – you IM anyway, are you really busy or just on busy? Hello?

    Of course their response or lack of it tells me whether the busy is real or not…but that’s not very good is it? I may as well just ignore their presence and call whenever I want. What’s the point of that?

    In addition to that it’s obvious to me that some people bang up the times on their inactive and away settings:

    2014-11-03Presence

    They set them so that even when they wander off from the their PC for ages they’re still showing as available. Again, what is the point of that? Trying to IM someone when available only to see them rock in from the sandwich/coffee shop chatting away can be a little frustrating.

    Why do people do that? Why want to appear to be available when you’re not? My guess is it’s down the fear of the ‘Big Brother’ as in oh my, if I’m away for ages people will assume I’m lounging around watching Homes under Hammer.

    The reality of course is that few people do view this in such a way.

    You can also do custom presence states with Lync too – for example I have a few extra on my presence options:

    2014-11-03Presence

    You can see I’ve got a few extra states at the bottom – all designed to help people understand the best way to contact me.

    Mobile clients are also now massively on the rise. Personally for example I tend to leave my Lync client on my phone running all the time – I may logout at the weekends totally, but that’s only if I remember. I’m OK with that – I would get why a lot of people wouldn’t be of course.

    Presence is a great tool if managed and used properly. Constantly on busy – people will ignore it. Constantly available but not, people will ignore it – and get frustrated with you in the process.

  • Disabled in Active Directory, Enabled in Lync

    One common workflow that is often missed in the Lync world is what happens when you disable a user in Active Directory? For example, if a user has left? Well, the user will remain enabled for Microsoft Lync, and in some situations will still be able to logon to Lync as well:

    Disabled AD User Account can still login to Lync

    In reality you need to work in disabling a user for Lync when disabling their Active Directory account as well. Now, fortunately it’s fairly easy to find out who those disabled users are, and to disable them – so let’s have a look at that here.

    How Many Are There?
    Firstly, you may want to know exactly how many Disabled AD Users that are enabled for Lync – it’s pretty easy to find out using this command:

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match “AccountDisabled” -and $_.Enabled} | Measure-Object

    Note the above may be wrapped on your browser – it should be entered as a single command. The output of this will show you how many disabled accounts you have – like this:

    2014-11-03DisabledAccounts

    So in the system I’m looking at there’s 461 accounts – quite a few.

    Who are they?
    Next, you’ll want to know who those accounts are? Well, again that’s pretty easy to do with PowerShell – like this:

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match “AccountDisabled” -and $_.Enabled -eq $true} | Format-Table Name

    This will give a text output of the disabled accounts – if you want, you can push to a text file by putting >Output.TXT or similar on the end.

    How can I disable them for Lync?
    Again this is very easy with PowerShell – you can use this command. Bear in mind this will disable all of those identified users for Lync. All of them! Consider this for example if you have some AD disabled accounts you use for Synthetic Tests and the like. Anyway, the command is this:

    Get-CsAdUser -ResultSize Unlimited | Where-Object {$_.UserAccountControl -match “AccountDisabled” -and $_.Enabled} | Disable-CsUser

    Summary
    All of the above commands are built in the same way and should be fairly obvious. PowerShell is a fantastic tool for the scaled systems Adminstrator – how people managed without it I don’t know. Well, VBScript I guess? Still a big fan of that for down & dirty quick stuff.