wsspectacular

I just got interviewed by Microsoft!

On Wednesday I was at the Visio 2010 booth and I guess I impressed them enough that they wanted to interview me, on camera, talking about what I’ve done with the product. I told them about when I designed a Visual Basic solution for Visio 2000 that would capture the connection event (when two shapes are connected by a line) on a drawing, where it would track the connections between objects in a back end SQL database. And I told them about the Systems Documentation “Data Viz” solution I did, where Visio is connected to a set of SharePoint lists that track servers, SQL instances, and databases, so you can map out your entire SQL farm with data-connected images. They liked that. They said they were going to put it on their Visio page.

Wow! I was so NOT ready to be on camera!

One of the new things rolling out with Office 2010 is called PowerPivot, which can be best explained as “building an OLAP Cube in memory.”  If the preceding sentence sounds like gibberish to you, let me smile and say IT DOESN’T MATTER.  PowerPivot for Excel allows the user to casually pull in data from lots of different sources and build interactive Chart/Table solutions. 

You can, for example, show a table with product sales, then stick a chart next to it, then put a “vertical slice” above it (populated with buttons you can multi-select to show only certain categories) then put a “horizontal slice” next to it (again populated with buttons you can multi-select to show certain countries).

The Microsoft guy at the Excel PowerPivot booth demonstrated this for me on a spreadsheet that had over 4 million rows of data.  Each change, whether sorting or filtering or transforming data, was applied almost instantly.  The longest it took was when he added a calculated column to the 4 million-row spreadsheet, took about 5 seconds.  He had a 64-bit machine with 6GB, but he said that was because it was also running SQL, SharePoint, and Exchange.  On his 2GB laptop, it also screams.

Excel can now pull data in from a variety of sources, including “feeds”.  He said in SQL 2008 R2 Reporting Services, there is a small button you can click to “enable ATOM feed”.  Then this report’s data source can be exposed and consumed elsewhere.  Excel will read the data source and pull in a live resultset.

The cool part comes when you publish this to SharePoint.  The Excel spreadsheet itself can be referenced as an OLAP cube. 

BAM!  A user has just become a BI designer.

I was going to write about how Microsoft Office 2010 and SharePoint 2010 are a fabulously awesome mix of pixie dust and candy stars, but John Anderson’s blog over at Bamboo Solutions beat me to it.  The guy might have been sitting next to me.  You should go read it now.  G’head, I’ll wait. 

So what I’ll talk about instead is the coolness that is Project Server, in particular, the upgrade path.  What I learned is:

• Project Server 2010 is VERY worthwhile.  You can do lots of new and valuable things.  It is worth an upgrade.  I won’t go into detail here because frankly it’s overwhelming and I need to reread it.
• Project Server 2010 ONLY runs on SharePoint 2010 Enterprise.  But if you have a current Project Server 2007 deployment (on WSS 3.0) and have Software Assurance, this will cover the upgrade.  So you’ll end up with SharePoint 2010 Enterprise along with Project Server 2010 Enterprise.
• Project 2003, 2007, 2010 can connect to PS 2010 when it is in Backward Compatibility Mode.  BCM is a compromise, because some (but not all) new features are disabled.
  • The experience is that:
    • Project Pro 2007 will ignore new features.
    • Project Pro 2010 will light up to reveal the new features that are available.  The unavailable features will be grayed out, and mousing over them displays a message that the product is connected in Compatiblity Mode.
  • To enable all functionality, you can move from BCM to native mode but this is one-way only.  Once you’ve disabled BCM, you can’t go back.
• Project Pro 2010 cannot connect to Project Server 2007
• Project Pro 2007 and 2010 can be installed on the same machine, but cannot run at the same time.  This is likely to be a common scenario while users are moving between versions of MS Project.

Here are some observations about the animal behaviors of Geeks.

 Geeks are a peculiar breed of human being.  Predominantly male, these creatures find that their preoccupation with abstract concepts places them far outside the social mores of commonly accepted behavior. 

 Geeks have a marvelously short attention span.  Geeks standing in line will, within 3-25 seconds, whip out any mobile or electronic device and begin (playing/texting/speaking/staring off into space).  Studies have found that it doesn’t matter how long the line is, and in fact they may even be in the front.  Any stationary Geek will need to preoccupy himself with something.  (Note: Geeks who do not have mobile devices are outcasts even in their own outcast subculture.)

 Geeks do not feel embarrassed about sitting on the floor if it means they can use their laptops.  They may even reject an available chair if it is not close to an electrical outlet.

Geeks with “bling” will proudly display it.  Logos, name badges, wristbands, hats, and all other types of adornment are seen as status symbols, even if 99.999% of the public has no idea what the slogans or logos mean.  Geeks seek status within their own outcast subculture.

Even for Geeks, sex sells.  If a vendor is advertising a relatively boring product, they may seek to employ a non-geek “hottie” who will do her best to dress scantily, wink, and flirt with Geeks passing by, to get them to stop and listen.  To wit: a “SharePoint Fairy” dressed in a costume with wings and wand can stop a Geek at a hundred paces.  A “SharePoint businesswoman” with a southern drawl and an easy wink can gather a throng of Geeks in minutes.  Geeks even be aware of this manipulation, but don’t care.  They are, after all, predominantly male.

Geeks don’t dance.  Ever.  A large sampling of 7500 Geeks at a recent Huey Lewis and the News concert shows that Geeks won’t do more than nod their heads to the beat even at the most catchy of tunes.  During this time it was observed that one Geekette was dancing, but she may have only been marginally Geeky.

First, a couple of links to items of interest:

• Windows 7 preorders even topped Harry Potter 7?  Inconceivable!!
• SharePoint 2010: Developer and IT Professional Learning Plan
• Now that SharePoint 2010 has been announced, it’s interesting to take a look at the different flavors of it.  I was going to write this up, but fortunately it’s already done for me.

At the end of his keynote on Monday at Sharepoint 2009, an interviewer asked Steve Ballmer about social computing. Ballmer recounted a story about a friend of his, a CEO for a Fortune 50 company. He said the guy is adamant in his opposition to social computing in his company. But if he had assurances that corporate data would be safe, then it might be a different story.

It was an interesting end to Ballmer’s keynote. It was all Ballmer, practically yelling at the crowd to make his point about the ways the social web will make it into the enterprise. 

http://www.youtube.com/watch?v=KI90RTD6kOw 

Ballmer sounded like a guy rallying his troops. He kissed his fingertips as if he were talking about a masterpiece. He then told the audience that after the conference they would be equipped to tell the Sharepoint story. And they will be the ones who bring social computing into the enterprise. 

This may seem like arrogance to some, but we are further convinced that Ballmer’s remarks do reflect the monumental fears that top management has about social services like Twitter and Facebook. But it is also important to look at what Ballmer says and temper it with the reality of the market.

What’s so damn special about SharePoint 2010? 

If you read the tech news, this sounds like a minor upgrade, adding a “handful of new features“.  (I guess when you’re a journalist for a tech magazine it takes a lot to impress you).  But from what I’ve seen, the new features are nothing compared to what happens under the hood.

Performance 

For one thing, it performs a lot better.  Old SharePoint (Versions 2003 and 2007) were classic ASP.NET applications, which meant that when you load a page for the first time, you have to wait for it to compile and then successive page loads are much faster because they’re cached.  In all the demos I saw yesterday, SharePoint was lightning fast.  These were undoubtedly premium machines, overloaded with RAM and processing power, but nonetheless impressive, as it shows the possibilities of SharePoint in production.  Every page load and search result was returned nearly instantly.  It was refreshing to see, I can tell you, because SharePoint’s performance is usually the first thing people complain about.

In that vein, at a later session I learned about some of the IT features for SharePoint administrators.  There is an entire database devoted to logging and performance monitoring, and some of the metrics you can collect are what a user is doing, which pages are popular, etc.  but the one that caught my eye was the “slowest pages” report.  You can identify which pages or items are performing the slowest, and (if you’re an administrator) each page in SharePoint can be loaded in “diagnostic mode”, which reveals a panel at the bottom of the page with all kinds of information about what the page is doing.  So in the case of the demo, we had a very large graphic that someone had scaled down instead of resizing, and it was adding 5 seconds to the load time.  Once we swapped it out with a resized image, the load time went to zero.

Scale

SharePoint 2010 can now handle a much larger scale of data than it used to.  In MOSS 2007, they strongly advise you to limit document libraries to under 2000 items (because then they take a very long time to load in the web browser).  But the new SharePoint boasts of the capability to host millions, if not hundreds of millions, of documents in a single library.  SharePoint is now positioned to challenge file shares as an effective document storage solution.  Although storing data in SharePoint is still more expensive, there is a greater degree of control over the disposition and metadata of a document. 

Disaster Recovery

Backup, restore, and disaster recovery in general has been revamped, addressing another (some would say unforgivable) weakness in SharePoint.  Now you can perform any level of backup and restore, from a multiserver farm to an item level restore. 

Search

They spent a long time showing off the new search features.  With the current version of SharePoint, you have a rather dumbed-down experience that might return unpredictable results, and performs rather slowly.  Microsoft purchased a company named FAST, which has a very nice search technology, and this has been grafted in to SharePoint.  What this now means is that you can very quickly search or drill down via keywords until you have a small resultset of relevant items.  If you’ve seen the Bing! Search engine, it is very similar (except SharePoint doesn’t automatically assume you want to go shopping).  This search dialog, which appears as a sidebar in most places, also works on very large lists and libraries: in the example, one document library had over a million items, and the search dialog was able to narrow the results down, refreshing the resultset with each new filter, until we had just what we were looking for.  What impressed me, again, was the speed.  The demonstrators often channeled Emeril, shouting “BAM!” to emphasize how quickly the search worked. 

PowerShell

SharePoint, along with all the next generation of servers being released in 2010, is heavily integrated with PowerShell.  There are over 500 new cmdlets you can use to administer and manipulate SharePoint.  Better face it guys, PowerShell isn’t going away.  Think of it as the return to the DOS prompt.

Project Server 2010

 I attended a couple of sessions on Project 2010 and Project Server 2010.  While the first one almost put me to sleep, the second one was very interesting.  Project 2003 and 2007 make extensive use of legacy code and ActiveX controls, so you could only use Internet Explorer to browse the Project Web Access sites.  But it’s now been rewritten in Javascript, which means you can use any browser.  And the functionality of the interface is so good, I could not tell right away if we were working in Project Professional or Project Server.  They have simplified Project Server a great deal, so a once-daunting Project Server solution becomes a lot more straightforward and powerful. 

Hands-On Labs

Maybe the best thing I did all day was take the time to sit through a couple of Hands-On Labs.  Here I got to work directly with Office 2010 and SharePoint, and it was very cool.

So… What’s so damn special about SharePoint 2010? 

Let me make a comparison here.  One of my complaints about SharePoint 2007, for all its awesomeness, is that users do not feel compelled to use it.  They load the site, poke around, then go do something else.  They don’t feel inspired to play around.  They don’t think it’s “okay” to change anything.  It looks like your standard, boring, webmaster-controlled website.  Sorry Microsoft, but that’s the truth.

When I got my new iPhone, I felt the exact opposite.  Here was something that just naturally flowed, form following function, inviting me to learn more and do it all.  I think the new SharePoint is a step in this direction.  It’s still not as simple as a finger drag, but it doesn’t suck either.  I’m not comparing interfaces here, I am talking about the “invitiveness” of the interface.  When I see the new SharePoint site I immediately start thinking about how I would like to customize it.  It’s like handing a blank notepad and a box of crayons to a little kid.  It’s exciting.  That’s what I’m talking about.

I have written a PowerShell script to “walk” the security structure of each SQL instance to find:   

• Each Login (Windows or SQL)
  
  • Its Server Roles
  • Every database to which the login is mapped
  • The associated “Database User” for this login
    
    • Its Database roles
    • Any explicitly assigned permissions 

This is not an “all encompassing” look at every piece of security, but it does give a pretty comprehensive look at who has access to what.  I wrote a script because gathering this information manually would be very, very time consuming.  As far as I know, there is no function in SQL Server to collect all this information into one place.  I guess I could have used a series of TSQL scripts to pull the info out by other means, but I am on a PowerShell kick, and I wanted to do it this way.

 Besides, using my method, you can automate the process and audit multiple instances at once. Sound like fun?

 I wrote this quick-and-dirty so there is no error handling. There is, of course, no warranty expressed or implied and you should use caution when running this (or any other script you find on the Internet). That said, all of my calls to SQL are read-only, so I don’t think you’ll have any problems.  

I’ll go ahead and paste the script and then explain it below:

# =================================================================================
#
# NAME: InventorySQLUserSecurity.ps1
#
# Comment: This script is designed to “walk” the security structure of each SQL instance to find:
#
#    · Each Login (Windows or SQL)
#          o Its Server Roles
#          o Every database to which the login is mapped
#               § The associated “Database User” for this login
#                    · Its Database roles
#                    · Any explicitly assigned permissions
#
# The script is hard-coded to locate a text file with a list of instance names (Hostname\instancename format).
# The text file should contain one instance per line.
# All output is dumped to console.
# About the only error checking included is to check whether a database is online before analyzing it.
#  =================================================================================

#  =================================================================================
#
# Declare Functions
#
#  =================================================================================

Function GetDatabaseUser($Dbase)
{
 if ($dbase.status -eq “Normal”)
   {$users = $Dbase.users | where {$_.login -eq $SQLLogin.name}
       foreach ($u in $users)
        {
           if ($u)
               {
                 write-host $spc5 “===== Database: ” $Dbase.Name
                 write-host $spc5 “Login’s Database Mappings: ”
                 #$u | select-object name, login, parent, createdate, datelastmodified, DefaultSchema, HasDBAccess
                    Write-host $spc10   “Name             : ” $u.Name
                    Write-host $spc10   “Login            : ” $u.Login
                    Write-host $spc10   “CreateDate       : ” $u.createdate
                    Write-host $spc10   “DateLastModified : ” $u.datelastmodified
                    Write-host $spc10   “DefaultSchema    : ” $u.DefaultSchema
                    Write-host $spc10   “HasDBAccess      : ” $u.HasDBAccess

                 write-host $spc5  “Database Roles for this DBUser:”
                 $DBRoles = $u.enumroles()
                 if ($DBRoles)
                    {$spc10 + $DBRoles}
                 Else
                {Write-host $spc10 “None.”}
                write-host $spc5  “Explicit Database Permissions for this DBUser:”
                $DBExplict = $Dbase.EnumObjectPermissions($u.Name) | select-object objectname, permissiontype, permissionstate
                if ($DBExplict)
                    {$spc10 + $DBExplict}
                Else
                    {Write-host $spc10  “None.”}
           }
 # This is commented out to make the output less wordy.
        #else
        #{Write-host $spc10 “None.”}

     } # Next user in database

    }

 # This is commented out to make the output less wordy.
    #else
    #{write-host $spc10 “InventoryUserSecurity.PS1: Error connecting to database ” $db.name “.  Skipping to next database.”}

}

#  =================================================================================
#
# Main Program Starts Here
#
#  =================================================================================

[reflection.assembly]::LoadWithPartialName(“Microsoft.SqlServer.Smo”) | out-null
[string] $spc5 = “     ”
[string] $spc10 = “          ”

foreach ($SQLsvr in get-content “C:\SomePath\Instances.txt”)
{
    $svr = new-object (“Microsoft.SqlServer.Management.Smo.Server”) $SQLsvr
    write-host “=================================================================================”
    write-host “—–”
    write-host “—–         SQL Instance: ” $svr.name
    write-host “—–”
    write-host “=================================================================================”
    Write-host “SQL Version:” $svr.VersionString
    Write-host “Edition:” $svr.Edition
    Write-host “Login Mode:” $svr.LoginMode

    $SQLLogins = $svr.logins
    foreach ($SQLLogin in $SQLLogins)
    {
        write-host “———————————————————————————”
        write-host “—– Login: ” $SQLLogin.name
        write-host “———————————————————————————”
        write-host $spc5  “Login Type: ” $SQLLogin.LoginType
        write-host $spc5  “Created: ” $SQLLogin.CreateDate
        write-host $spc5  “Default Database: ” $SQLLogin.DefaultDatabase
        write-host $spc5  “Has Access to this instance: ” $SQLLogin.HasAccess
        write-host “     —————————————————————————-”

        write-host $spc5  “Server Roles for:” $SQLLogin.name
        $SQLRoles = $SQLLogin.ListMembers()
        if ($SQLRoles)
            {$spc10 + $SQLRoles}
        else
            {Write-host $spc10 “None.”}

        Write-host $spc5  “This login maps to database users in the following databases:”

 # $SQLLogin.EnumDatabaseMappings(): this line of code first checks to see if the login is mapped to any databases. 
 # If not, it won’t bother running through all the different databases.  This results in a cleaner output,
 # but it does slow things down a bit. 

        if ($SQLLogin.EnumDatabaseMappings())

            {Write-host ” ”
            foreach ( $DB in $svr.Databases)
                {
                GetDatabaseUser($DB)
                } # Next Database
           }
        Else
            {Write-host $spc10 “None.”}
    } # Next Login
} # Next Server

The basic flow of the script is:

• Open the Instances.txt file, which is a simple text file with one instance per line.
  • The script will loop through each of the instances and prepare a report for each of them.
• Provide some basic information about the instance.
• For each Instance:
  • Connect to the instance’s “Logins” collection.
    • For each Login:
      • Provide basic information about the login:
        • Whether it is SQL or Windows security
        • When the login was created
        • What the login’s default database is
        • Whether or not the login currently has database access (i.e. disabled or not)
        • List any server roles
        • Find if the Login is associated with any database users.
          • If the Login has any database users (i.e. the $SQLLogin.EnumDatabaseMappings() is not null) then:
            • For Each Database:
              • If the database is online (i.e. its status is “Normal”) then:
                • Show the SQL Login and its associated Database Username
                • When it was created/modified
                • What its default schema is
                • Whether or not it has access to the database (i.e. denied or granted)
                • The Database user’s DB roles
                • Any explicitly granted permissions (e.g. to tables or stored procedures)
            • Next Database
    • Next Login
• Next SQL instance

The output of this is a somewhat-formatted and fairly detailed look at what each person has access to. I’m sure I could have done this a myriad of other ways, but I was in a hurry.

Note that, depending on the number of logins and databases, this could chug for quite a while and output a lot of information (one instance I audited gave a 374-page report). The output is dumped to the console, which in PowerShell ISE is not a problem because it has a very large buffer. The next version of this will have the option to write to a text file, which isn’t much more difficult; I just didn’t have the reference in front of me on how to do that. So what I’ve been doing is copy/pasting the text into Word and finessing it from there.

My next version of this will probably be database-connected. I have been working on a PowerShell-based solution to inventory all SQL Servers on a network, including information on Hosts, SQL instances, Databases, Filegroups, and files; the end result is to have a comprehensive look at who owns what data and what resources the Business Units are consuming (e.g. Do the HR division’s databases take up more disk space than the Administration division’s databases?) This security audit data will be grafted into the database. If anyone’s interested I can write about that, too.