
The things that are better left unspoken

a blog by Sander Berkouwer


New features in Active Directory Domain Services in Windows Server 2012, Part 9: Connected Accounts

Windows 8 and Windows Server 2012 are cloud-optimized Operating Systems. One of the areas where this is visible is the ability to connect domain accounts to Microsoft accounts (formerly known as Windows Live IDs).

In this blogpost I’ll show you how this functionality works and how you can disable this functionality altogether or granularly with Group Policy.

  

What’s New

Windows 8 offers Microsoft account logins. This allows users to log on to a Windows 8 box with their Microsoft Account (formerly known as a Windows Live ID). This is a neat functionality for home-based Windows 8 installations and organizations subscribed to Office 365, since it allows the synchronization of settings between computers where you log on with the same Microsoft account.

Microsoft accounts can also be connected to Active Directory domain accounts. This allows users to build a bridge between their Microsoft Account and their Domain Account.

The benefits

You could ask yourself why colleagues would want to connect their Microsoft accounts with their domain accounts. They’ll tell you (in other words, probably):

  • I want to use the Windows Store.
  • I want to seamlessly have access to the data in my new apps.
  • I want to synchronize my settings between my Windows 8 and Windows RT devices.
  • I want to synchronize my documents and photos with SkyDrive without hassle.

On the other hand, you’ve spent time securing the Windows 8 platform, configuring password, lockout and auditing policies and want your colleagues to continue to access the corporate resources without hassle.

Connected accounts offer this capability. It builds a bridge between the Microsoft accounts of your colleagues and their Domain Accounts. PCs will still be members of the Active Directory domain, your colleagues will still be subject to Group Policies and they will still need to use the logon methods you configured.

      

Connecting a Microsoft account

Connecting a Microsoft account to a Domain account is really easy. When a colleague wants to connect the two, simply explain the steps involved:

Open the PC Settings by either:

  • Pressing Win+C, clicking on the cog icon to access the Settings, then clicking at the bottom of the panel on Change PC Settings
  • Pressing Win+I and clicking at the bottom of the panel on Change PC Settings 
  • When the device is equipped with a touchscreen, sliding in from the right side of the screen, touching the cog icon to access the Settings, then touching Change PC Settings at the bottom of the panel

In the PC Settings screen, click on Users in the left pane. On the right an area will appear where you will see something like this:

Your account in PC Settings

Now, this looks like an invitation to connect the two accounts together. When you press the Connect your Microsoft account button, a ribbon appears, presenting you the following questions:

Connect your Microsoft account questions on synchronization

Here we see the benefits listed of connecting the two accounts together on a silver platter. By default, all synchronization options are enabled.

The wizard will next ask you for your Microsoft account information. Walk through the steps and click the Finish button when done.

You will return to the Users section of PC Settings. Here, you can now see that the two accounts are connected:

Connected Accounts

Managing Connected Accounts

Your organization might not have a need for the Connected Accounts feature, might not want anything to do with Microsoft in the cloud or might simply want to control the settings people in the organization can sync to the domain-joined computers. Luckily, for these organizations, new Group Policy settings have been introduced to fit these needs.

Note:
No, Microsoft is not force-feeding the cloud. Microsoft offers organizations cloud services on their terms.

Disabling connected accounts

If you want to disable the Connected Accounts feature in the Windows 8 installations within your Active Directory environment, make sure to set the Block Microsoft accounts Group Policy.

This Group Policy can be used to prevent users from connecting their domain accounts to a Microsoft account and, if needed, to prevent them from creating user accounts based on Microsoft accounts. The latter setting is useful in environments where colleagues might still have administrative privileges on their domain-joined computers.

The Group Policy is located in Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options and is called Accounts: Block Microsoft accounts.

Possible settings are:

  • This policy is disabled
  • Users can't add Microsoft accounts
  • Users can't add or log on with Microsoft accounts

Managing synchronization settings

Allowing people to synchronize settings, files and folders might interfere with the defaults you might have set to make the desktops of your Windows installations look nice or with the nature of your business data.

Synchronization can be managed with the Group Policies found in Computer Configuration, Administrative Templates, Windows Components, Sync your settings. There is a Group Policy available to disable all synchronization, but there's a whole list of fine-grained synchronization Group Policy settings:

Sync Your Settings-related Group Policies

If you're worried about the uniform look on the desktops of your colleagues, I suggest you enable both the Do not personalize and Do not sync desktop personalization settings Group Policies. As you select Synchronization options to be disabled, these options will also be greyed out in the Connect your Microsoft account wizard:

The Connect your Microsoft account wizard controlled with Group Policies
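To confirm on a domain-joined client that the Block Microsoft accounts and Sync your settings policies described above have actually been applied, the following PowerShell audit reads the registry values behind them. It is an added example, not part of the original post. NoConnectedUser with data 0, 1 or 3 is the documented backing value for Accounts: Block Microsoft accounts; the SettingSync value names and the data 2 are assumptions to confirm against SettingSync.admx in your own policy store.

```powershell
# Added audit example (not from the original post). Run on the client after gpupdate.
$checks = @(
    @{ Name  = 'Accounts: Block Microsoft accounts'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'NoConnectedUser'
       Map   = @{ 0 = 'This policy is disabled'
                  1 = "Users can't add Microsoft accounts"
                  3 = "Users can't add or log on with Microsoft accounts" } },
    # Assumption: value names and data below follow SettingSync.admx; verify locally.
    @{ Name  = 'Do not sync'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
       Value = 'DisableSettingSync'
       Map   = @{ 2 = 'Enabled (all synchronization disabled)' } },
    @{ Name  = 'Do not sync desktop personalization settings'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
       Value = 'DisablePersonalizationSettingSync'
       Map   = @{ 2 = 'Enabled (personalization sync disabled)' } }
)

function Get-PolicyState {
    param([hashtable]$Check)
    # A missing key or value means the policy was never written: "Not configured".
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw   = $null
        $state = 'Not configured'
    } else {
        $raw   = [int]$item.($Check.Value)
        # Anything outside the known data set is reported rather than guessed at.
        $state = if ($Check.Map.ContainsKey($raw)) { $Check.Map[$raw] }
                 else { "Unexpected value $raw" }
    }
    [pscustomobject]@{ Policy = $Check.Name; RawValue = $raw; State = $state }
}

$report = $checks | ForEach-Object { Get-PolicyState -Check $_ }
$report | Format-Table -AutoSize

# Flag the case where nothing stops a user from connecting a Microsoft account.
$block = $report | Where-Object { $_.Policy -eq 'Accounts: Block Microsoft accounts' }
if ($block.RawValue -notin 1, 3) {
    Write-Warning 'Connected Accounts are not blocked on this computer.'
}
```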

       

Concluding

Connected accounts are useful to unlock the social potential of your organization to the cloud, but fortunately Group Policy settings are available when your organization is not quite ready for that.

Posted: Tuesday, September 04, 2012 6:45 PM by Sander Berkouwer
