Microsoft's blind implementations end up breaking its own systems
Microsoft is so huge that it often implements new features in isolation, without consulting teams from other sections, and often ends up breaking its own systems as a result. Recently, I have encountered two such cases:
1. Microsoft has implemented an enhanced security feature called Remote Desktop with Network Level Authentication (NLA), which is supposed to improve security for Remote Desktop users, but it ends up being so secure that even validated users are prevented from logging in!
What happened is that Microsoft has unknowingly created a perfect Catch-22: when the option [User must change password at next logon] is selected (or when the password has expired), users have to change their password before they are allowed to log in. However, because of the enhanced NLA security, they now have to log in first before they can reach the Windows logon screen to change their password.
Because they can neither log in first and then change the password, nor change the password first and then log in, the only solution is to disable NLA on the server side and hack the Remote Desktop Connection client (there is no option to disable this on the client side, due to an oversight by Microsoft). The step-by-step solution can be found here: https://mssec.wordpress.com/2015/12/26/forced-password-change-at-next-logon-and-rdp/
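Disabling NLA removes the pre-authentication that protects the RDP listener, so an administrator will want to know which servers have it off and which accounts are about to hit this lock-out. The following is an added audit script, not part of the original post or the linked article; it assumes WinRM access to the servers, the ActiveDirectory RSAT module, and placeholder server names.

```powershell
# Added example (not from the original post). Two defensive checks around the
# NLA / forced-password-change lock-out described above:
#   1. report RDP hosts where NLA has been switched off (the risky workaround)
#   2. list enabled AD users flagged "must change password at next logon", so an
#      admin can reset them through another path instead of disabling NLA.
# Assumptions: WinRM reachable, ActiveDirectory module installed, server names
# below are placeholders.

function Get-RdpNlaState {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # UserAuthentication = 1 means NLA is required (the secure default);
        # 0 means the server accepts connections before the user is authenticated.
        $value = Invoke-Command -ComputerName $c -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
        }
        [pscustomobject]@{
            Computer    = $c
            NlaRequired = ($value -eq 1)
        }
    }
}

function Get-ForcedPasswordChangeUsers {
    # Active Directory stores "User must change password at next logon" as
    # pwdLastSet = 0. PasswordExpired covers the other way into the same trap.
    Get-ADUser -Filter { pwdLastSet -eq 0 -and Enabled -eq $true } `
               -Properties pwdLastSet, PasswordExpired |
        Select-Object SamAccountName, PasswordExpired
}

# Servers that have had NLA disabled (placeholder names)
Get-RdpNlaState -ComputerName 'RDS01', 'RDS02' | Where-Object { -not $_.NlaRequired }

# Accounts that cannot currently complete an NLA-protected RDP logon
Get-ForcedPasswordChangeUsers
```

Accounts returned by the second check can have their password reset by an administrator with the change-at-next-logon flag cleared, which avoids weakening the server configuration for everyone else.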
2. Microsoft has implemented a Live account for Windows and Office. The idea is that it allows end users' personalization to follow them regardless of the device they use.
What happened is that Microsoft has unknowingly created another near Catch-22, as the majority of its licenses are device-based. But because Live ID is user-based licensing, Microsoft ended up creating a double restriction by combining two conflicting licensing models!
A Windows computer supports multiple user profiles, where every Windows account gets its own personalization in both Windows and the Office applications. But because Microsoft insists that all OEM and retail Office licenses must be registered under a Live ID, these per-device licenses end up attached and restricted to that particular Live ID.
Company-purchased retail licenses now have to be registered with individual employees' Live accounts. What happens when these employees leave the company?
My workaround is to create a generic company Live account and register all of them to this single account. However, I ran into two further problems with this approach.
- There is no way to tell the licenses apart. I ended up activating some licenses too many times and leaving others totally unused. Even when you choose to activate by product key instead of Live ID, it will still lead you to log in to your Live ID and force you to select the product key again from your Live ID account. Can you tell these licenses apart?
When you select the wrong license, Microsoft refuses to let you activate the product, and there is no option to correct the product key either. What makes it even trickier is that the product key you enter is NOT the product key used to register the Office license: Live ID actually generates another product key from your product key, making this needlessly complex. (The only way to change the product key is to log in to your Live ID, select [Install from a disc] to retrieve the real product key, and use the ospp.vbs script to update it.)
- When our users amend any documents, the username used to be their Windows login. Now it's all the same company Live account, so there is no way we can tell who has edited what.
I hope someone at Microsoft is reading this. Please help spread the word!