New features in Active Directory Domain Services in Windows Server 2012, Part 9: Connected Accounts
Windows 8 and Windows Server 2012 are cloud-optimized Operating Systems. One of the areas where this is visible is the ability to connect domain accounts to Microsoft accounts (formerly known as Windows Live IDs).
In this blog post I’ll show you how this functionality works and how you can disable it altogether or granularly with Group Policy.
Windows 8 offers Microsoft account logins. This allows users to log on to a Windows 8 box with their Microsoft Account (formerly known as a Windows Live ID). This is a neat functionality for home-based Windows 8 installations and organizations subscribed to Office 365, since it allows the synchronization of settings between computers where you log on with the same Microsoft account.
Microsoft accounts can also be connected to Active Directory domain accounts. This allows users to build a bridge between their Microsoft Account and their Domain Account.
You could ask yourself why colleagues would want to connect their Microsoft accounts with their domain accounts. They’ll probably tell you something like:
- I want to use the Windows Store.
- I want to seamlessly have access to the data in my new apps.
- I want to synchronize my settings between my Windows 8 and Windows RT devices.
- I want to synchronize my documents and photos with SkyDrive without hassle.
On the other hand, you’ve spent time securing the Windows 8 platform, configuring password, lockout and auditing policies and want your colleagues to continue to access the corporate resources without hassle.
Connected accounts offer this capability. They build a bridge between the Microsoft accounts of your colleagues and their Domain Accounts. PCs will still be members of the Active Directory domain, your colleagues will still be subject to Group Policies and they will still need to use the logon methods you configured.
Connecting a Microsoft account
Connecting a Microsoft account to a Domain account is really easy. When a colleague wants to connect the two, simply explain the steps involved:
Open the PC Settings by either:
- Pressing Win+C, clicking on the cog icon to access the Settings, then clicking at the bottom of the panel on Change PC Settings
- Pressing Win+I and clicking at the bottom of the panel on Change PC Settings
- When the device is equipped with a touchscreen, sliding in from the right side of the screen, touching the cog icon to access the Settings, then touching Change PC Settings at the bottom of the panel
In the PC Settings screen, click on Users in the left pane. On the right an area will appear where you will see something like this:
Now, this looks like an invitation to connect the two accounts together. When you press the Connect your Microsoft account button, a ribbon appears, presenting you the following questions:
Here the benefits of connecting the two accounts are presented on a silver platter. By default, all synchronization options are enabled.
The wizard will next ask you for your Microsoft account information. Walk through the steps and click the Finish button when done.
You will return to the Users section of PC Settings. Here, you can now see that the two accounts are connected:
Managing Connected Accounts
Your organization might not have a need for the Connected Accounts feature, might not want anything to do with Microsoft in the cloud or might simply want to control the settings people in the organization can sync to the domain-joined computers. Luckily, for these organizations, new Group Policy settings have been introduced to fit these needs.
No, Microsoft is not force-feeding the cloud. Microsoft offers organizations cloud services on their terms.
Disabling connected accounts
If you want to disable the Connected Accounts feature in the Windows 8 installations within your Active Directory environment, make sure to set the Block Microsoft accounts Group Policy.
This Group Policy can be used to prevent users from connecting their domain accounts to a Microsoft account and, if needed, to prevent them from creating user accounts based on Microsoft accounts. This latter setting is useful in environments where colleagues might still have administrative privileges on their domain-joined computers.
The Group Policy is located in Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options and is called Accounts: Block Microsoft accounts.
Possible settings are:
- This policy is disabled
- Users can't add Microsoft accounts
- Users can't add or log on with Microsoft accounts
Managing synchronization settings
Allowing people to synchronize settings, files and folders might interfere with the defaults you have set to make the desktops of your Windows installations look uniform, or with the nature of your business data.
Synchronization can be managed with the Group Policies found in Computer Configuration, Administrative Templates, Windows Components, Sync your settings. There is a Group Policy available to disable all synchronization, but there's a whole list of fine-grained synchronization Group Policy settings:
If you're worried about the uniform look on the desktops of your colleagues, I suggest you enable both the Do not personalize and Do not sync desktop personalization settings Group Policies. As you select Synchronization options to be disabled, these options will also be greyed out in the Connect your Microsoft account wizard:
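To verify that both policy areas above (Accounts: Block Microsoft accounts, and the Sync your settings templates) actually landed on a domain-joined Windows 8 client, here is an added audit script that is not part of the original post. It assumes the Block Microsoft accounts policy is written to the NoConnectedUser value under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (0, 1 and 3 matching the three options listed above), and that the Sync your settings policies write DisableSettingSync, DisablePersonalizationSettingSync and DisableDesktopThemeSettingSync (value 2 = sync disabled) under HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync; check those value names against your ADMX files before relying on the report.

```powershell
# Added example, not from the original post. Reads the registry values that the
# Group Policies discussed above are assumed to write, and reports their state.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-BlockMicrosoftAccountsState {
    # Assumed location of "Accounts: Block Microsoft accounts" (Security Options).
    $value = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'NoConnectedUser'
    if ($null -eq $value) { return 'Not configured (connected accounts allowed)' }
    switch ($value) {
        0       { "This policy is disabled" }
        1       { "Users can't add Microsoft accounts" }
        3       { "Users can't add or log on with Microsoft accounts" }
        default { "Unexpected value $value" }
    }
}

function Get-SyncPolicyState {
    # Assumed location of the "Sync your settings" Administrative Templates.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
    $checks = [ordered]@{
        'Do not sync (all settings)'          = 'DisableSettingSync'
        'Do not personalize'                  = 'DisablePersonalizationSettingSync'
        'Do not sync desktop personalization' = 'DisableDesktopThemeSettingSync'
    }
    foreach ($entry in $checks.GetEnumerator()) {
        $v = Get-PolicyValue $key $entry.Value
        [pscustomobject]@{
            Policy      = $entry.Key
            Registry    = $entry.Value
            SyncBlocked = ($v -eq 2)   # 2 is assumed to mean "Enabled" for these policies
        }
    }
}

function Get-ConnectedAccountsReport {
    [pscustomobject]@{
        BlockMicrosoftAccounts = Get-BlockMicrosoftAccountsState
        SyncPolicies           = @(Get-SyncPolicyState)
    }
}

$report = Get-ConnectedAccountsReport
"Accounts: Block Microsoft accounts -> $($report.BlockMicrosoftAccounts)"
$report.SyncPolicies | Format-Table -AutoSize
```

Run it after `gpupdate /force` on a test client; a row with SyncBlocked = False for a policy you enabled means the GPO did not apply to that machine.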
Connected accounts are useful to unlock the social potential of your organization to the cloud, but fortunately Group Policy settings are available when your organization is not quite ready for that.
Five must-have Group Policy settings to create an uniform look for your Windows 8 clients
All about Connected Accounts in Windows 8
What’s the difference between a Microsoft account vs. local account in Windows 8
BUILD: Windows 8 and the future of Windows Live
Windows 8 Group Policy Settings: Blocking Connected Accounts