Thursday 20 June 2013

Windows 8 family safety - I wish someone had told me


Or the story of how I finally got to the bottom of why parental controls were not working!

Ok, here's the deal. I have two wonderful sons. Son 1 has been running quite happily on a Windows 7 laptop ever since he started senior school 3 years ago. We bought him the laptop to do his homework, though I think it's used more for Facebook and YouTube if truth be told.

Anyway, now Son 2 is about to go to senior school in September, and knowing that his big brother received a new laptop is eagerly awaiting the arrival of his. He knows I'm using it right now, and is busting a gut to get at it - but I won't let him have it until I'm sure it's working OK and (above all) that Family Safety is switched on!

The new laptop is an Acer Aspire V5-572P - a basic 6GB Core i3 system with the big plus point of a touch screen - which is a real boon given the great difficulty you can have trying to get a system running Windows 7 these days.

As a relative newcomer to Windows 8, I've spent a good few hours trying to work out how everything works. Even closing apps is an absolute nightmare - everything seems a lot more difficult than it needs to be! Anyway, I digress. The one thing I thought would be a simple thing to achieve was to configure the family safety features, and prevent (or at least delay) my youngest from an untimely education of an entirely different kind than the type the laptop is intended to assist with. Things were not as simple as I expected.

Firstly, I set up the accounts - the 'user' account (first Windows 8 account) for me and a standard account for him - both linked to Windows Live so that we could take advantage of all the cloud storage functionality that Windows 8 touts. I then went into the Control Panel (which took some finding) and into the Family Safety settings.

I happily set up the hours he was allowed to use the system (though not the total hours he was allowed to use it because that would be unfair when we can't do the same for his big bro -- you really need to backport that functionality Microsoft!) And I also enabled website filtering and activity reporting (because no blacklist is 100%!). I set him at 'online communication' level to block out the real nasties but still allow him to do all the social networking normally associated with teenagers.

Then I logged onto his account, deleted all the ubiquitous 'bloatware' that was clogging the start screen, and went into IE to test it was working. Selecting something not too controversial (after all, the wife IS lying on the bed next to me) I went to www.playboy.com.

BANG! - straight into the site. No blocking, no warning, no checking of any kind. Of course, I must have made some sort of error. I went back to the Family Safety configuration Control Panel app... Nope. Everything looked OK. Took the detour onto the Family Safety configuration website - nope, everything looks OK there too! - although I did note that because I'd used his Live ID, it had set him up a new account completely separate from the Windows Live Family Safety configuration he already had for our family computer.

So, here was the proof. I really am an old fuddy-duddy - playboy.com is obviously too mild a site these days to be considered 'porn' and isn't getting blocked. I went back into my son's new account, opened up Google and typed in the most obvious word, 'porn', and selected one of the first few entries on the screen - that ought to do it.

BANG! - and that's a big bang if ever there was one - straight into the home page of a full-on porn site with video clips and everything! Fortunately the wife is currently in the kitchen making tea, so I quickly close the site and move on.

What's going on? Have Microsoft released a family safety package that just doesn't work? I can't see that happening without it hitting prime-time news, so something fundamental is obviously wrong.

Google searches found a few people having similar problems, and no really satisfactory answers. Somebody suggested it was a clash with AVG - interesting. I haven't installed AVG - but I DO have more bloatware: a fully fledged 60-day trial of McAfee installed by my hardware vendor for my 'convenience' - in the hope that I'll renew it when it expires.

It transpires that McAfee has its own family safety package. Because of this, it seems, it stops the default Windows 8 "Family Safety" service and sets it to manual. For some strange reason, the Family Safety app does not catch this tiny config flaw and warn you about it - leading you into a false sense of security that everything is set up and working.

My resolution for now was to configure the parental controls within the McAfee package - which seem to work quite well tbh. At least, when I did my Google search for 'porn' again I got no results. Requests for www.playboy.com were similarly restricted!


Of course, in a few weeks I'll be removing the McAfee package for one of my choosing - at which time I will set the Microsoft 'Family Safety' service to automatic, start it, and check it's running correctly.
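As an added example (not part of the original post), here is the check I would run before handing the laptop over: it reports whether the filtering service is actually running and set to start automatically, and can put it back the way it should be. It assumes the service's display name is "Family Safety", as the post calls it; that name and the function name are my assumptions, not taken from the post.

```powershell
# Added example: confirm the Windows 8 "Family Safety" service is really enforcing
# the settings the Control Panel shows. Assumption: display name is 'Family Safety'.
function Test-FamilySafetyService {
    [CmdletBinding()]
    param(
        [string]$DisplayName = 'Family Safety',
        [switch]$Repair          # set the service to Automatic and start it
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) {
        return [pscustomobject]@{ Found = $false; Healthy = $false
                                  Note  = "No service with display name '$DisplayName'" }
    }

    # Healthy means running AND starting automatically. A third-party suite that
    # stops the service and flips it to Manual leaves the Control Panel looking
    # fully configured while nothing is actually being filtered.
    $healthy = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')

    if (-not $healthy -and $Repair) {
        Set-Service  -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
        $healthy = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
    }

    $note = if ($healthy) { 'Filtering service is running and set to start automatically' }
            else          { 'Settings may look configured but are NOT being enforced' }

    [pscustomobject]@{
        Found     = $true
        Name      = $svc.Name
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
        Healthy   = $healthy
        Note      = $note
    }
}

# Report only; add -Repair from an elevated prompt to fix it.
Test-FamilySafetyService
```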

The problems here are multiple:

1) The Microsoft tools don't warn (as far as I can see) that the family safety settings you have set up are inoperative because the service is not started - this could lead you to assume that everything is OK and your children are safe from a premature education when the truth is very far from this.

2) The McAfee tools do not block access to the Microsoft Control Panel app, or provide any form of warning to the user of the pre-configured laptop that the settings you are trying to configure have been disabled.

3) From the Google searching I did, I'm not the only one to have stumbled across this problem - though there's nothing comprehensive to fix it. A support article from either Microsoft or McAfee (or better yet both) should be first page on a Google search - allowing those who HAVE been careful enough to test that their family safety settings are working to quickly find out why they aren't!

I hope this article stops others having to spend multiple hours troubleshooting an issue that really should not be an issue.


PS: If you're interested in family safety, I recently became aware that if you use the OpenDNS name servers and set yourself up an account with them (free) you can have another layer of blocking. This would make a good backstop to whatever other family safety package you're using. It seems to work quite well - and ALSO covers all those other devices that family safety packages often miss - iPods/iPads, friends' computers, games consoles, tablets, mobile phones (when configured for wifi)... Check them out at opendns.com - full instructions there on how to set up your wifi router to enable this functionality.

Wednesday 25 July 2012

70-417 What to expect

As you may be aware, at the time of posting Microsoft have announced the upgrade paths from Windows 2008 MCITPs to Windows 2012, but have not yet announced the set of knowledge domains that will be tested on exam 70-417 (Upgrading Your Skills to MCSA Windows Server 2012). So what if you want to get a head start on studying for that exam - maybe even take it as one of the new (paid-for) pre-release beta exams?

Well, what they HAVE released is the structure of course 20417A (which is in development for release next month) - including a module breakdown. They specifically state that this course DIRECTLY MAPS to exam 70-417. More details are here: http://www.microsoft.com/learning/en/us/course.aspx?id=20417a&locale=en-us

Taking the information from the module breakdown, my best guess is that the knowledge domains for 70-417 will be as follows:


Installing and Configuring Servers Based on Windows Server 2012
        -Install Windows Server 2012 Including Core
        -Configure Windows Server 2012 Including Core
        -Configure Remote Management for Windows Server 2012 Servers Including Core

Monitoring and Maintaining Windows Server 2012 Servers
        -Monitor Windows Server 2012
        -Implement a backup plan using Windows Server Backup
        -Implement a backup plan using Microsoft Online backup
        -Implement Server and Data Recovery

Managing Windows Server 2012 with Windows PowerShell 3.0
        -Understand and describe Windows PowerShell 3.0
        -Use PowerShell 3.0 to Manage AD DS
        -Manage Servers with PowerShell 3.0

Managing Storage for Windows Server 2012
        -Understand and utilize new storage features and functionality in Windows Server 2012 Storage
        -Configure iSCSI Storage
        -Configure Storage Spaces in Windows Server 2012
        -Configure BranchCache in Windows Server 2012

Implementing Network Services
        -Implement DHCP and DNS Enhancements
        -Implement IP Address Management (IPAM)
        -Give an overview of Network Access Protection (NAP)
        -Implement Network Access Protection (NAP)

Implementing DirectAccess
        -Understand and describe DirectAccess in Windows Server 2012
        -Implement and Configure DirectAccess

Implementing Failover Clustering
        -Understand and describe Failover Clustering
        -Implement a Failover Cluster
        -Configure Highly-Available Applications and Services on a Failover Cluster
        -Maintain a Failover Cluster
        -Implement a Multi-Site Failover Cluster

Implementing Hyper-V
        -Configure Hyper-V Servers
        -Configure Hyper-V Storage
        -Configure Hyper-V Networking
        -Configure Hyper-V Virtual Machines

Implementing Failover Clustering with Hyper-V
        -Give an overview of the Integration of Hyper-V with Failover Clustering
        -Implement Hyper-V Virtual Machines on Failover Clusters
        -Implement Hyper-V Virtual Machine Movement
        -Manage Hyper-V Virtual Environments by Using System Center Virtual Machine Manager (SCVMM) 2012

Implementing Dynamic Access Control
        -Understand and describe Dynamic Access Control core concepts
        -Plan for a Dynamic Access Control Implementation
        -Implement and Configure Dynamic Access Control

Implementing Active Directory Domain Services
        -Deploy AD DS Domain Controllers
        -Configure AD DS Domain Controllers
        -Implement Service Accounts
        -Implement Group Policy in AD DS
        -Maintain AD DS

Implementing AD FS
        -Understand and describe Active Directory Federation Services
        -Deploy Active Directory Federation Services
        -Implement AD FS for Internal SSO in an organization
        -Deploy AD FS in a business to business Federation scenario


Enjoy :)

Tuesday 24 January 2012

a little problem with DSquery & DSget

Just came across a knotty little issue with one of our domains, and it went something like this:

2nd line support engineer: Can you write me a script to give me a list of all the users whose accounts have expiry dates and whether those accounts are disabled or not

Me: no need. Just use

dsquery user -limit 0 | dsget user -samid -acctexpires -disabled

2nd line support engineer: that's only showing me users that don't have expiry dates - and I know for a fact that some of them do.

Me: (assuming that the items wanted were simply being swamped by the vast number of accounts that didn't have an expiry date)

ok, then try this:
dsquery user -limit 0 | dsget user -samid -acctexpires -disabled | grep -v "never"


I supplied a copy of grep.exe from the GNU unix utils port, as I couldn't make find work after two pipes for some reason:
http://sourceforge.net/projects/unxutils/

2nd line support engineer: now I'm getting nothing at all

Me:
It's at this point I decide it's probably worth shadowing the engineer's TS session and having a look for myself at what is going on.

After deconstructing the pipe and using text files:

dsquery user -limit 0 > users.txt (worked fine)
type users.txt | dsget user -samid (produced some results and then failed with the error:

dsget failed: Directory object not found.
type dsget /? for help.

followed by a PARTIAL list of user samids, causing the error to scroll off-screen and making it difficult to find)

Looking at the last samid on the list, I searched for that user in users.txt - then looked at the next user in the list. Gotcha!!!!

The next user in the list had an apostrophe in his name! - very strange... I'd have expected Microsoft to sort that one out fairly quickly.

Did a Google search - found http://www.rlmueller.net/CharactersEscaped.htm which (although suggesting that ' is a valid character) also suggested deconstructing the command using text files and manually editing the user DNs - not my favorite solution.

With a little bit of poking around in the help for the ds commands, I found a couple of highly interesting switches:

-uco output unicode
-uci input unicode
-uc both of the above

And so, with a few judicious switches added to the initial syntax, the command ran through without errors:

dsquery user -uc -limit 0 | dsget user -uci -samid -acctexpires -disabled | grep -v "never"

Problem solved.

Hope this can help someone else out there with a similar problem!
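For anyone reading this with the ActiveDirectory PowerShell module (RSAT) to hand, here is the same report done without dsquery/dsget at all, as an added example that is not part of the original post. Objects rather than text flow between the cmdlets, so a name containing an apostrophe or any other awkward character cannot break the lookup the way it did above; the function name and the LDAP bounds are my own construction.

```powershell
# Added example: list every user that HAS an account expiry date, with the date
# and whether the account is disabled, via Get-ADUser instead of dsquery | dsget.
Import-Module ActiveDirectory

function Get-ExpiringUserReport {
    [CmdletBinding()]
    param(
        [string]$SearchBase   # optional OU distinguished name; defaults to the whole domain
    )

    # accountExpires is a FILETIME (100ns ticks since 1601). Both 0 and
    # 0x7FFFFFFFFFFFFFFF (9223372036854775807) mean "never expires" - that is what
    # dsget prints as "never" and what the post filtered out with grep -v.
    # Asking the directory for 1..max-1 excludes both sentinels server-side.
    $ldap = '(&(objectCategory=person)(objectClass=user)' +
            '(accountExpires>=1)(accountExpires<=9223372036854775806))'

    $params = @{
        LDAPFilter = $ldap
        Properties = 'accountExpires', 'AccountExpirationDate', 'Enabled'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        Sort-Object AccountExpirationDate |
        Select-Object SamAccountName,
                      @{ n = 'AcctExpires'; e = { $_.AccountExpirationDate } },
                      @{ n = 'Disabled';    e = { -not $_.Enabled } }
}

# Whole domain; pass -SearchBase 'OU=Users,DC=example,DC=com' to narrow it.
Get-ExpiringUserReport | Format-Table -AutoSize
```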

Thursday 24 February 2011

TFS: restricting administrators to the admin console

Now, let's start with a caveat. I detest the way Microsoft have coded TFS. Because of some fundamentally flawed design decisions, the system is next to impossible to run securely.

The service account requires writeable access to the master database, plus the serveradmin and securityadmin roles - I think most people just give it sysadmin and live with it, but at my place of work the auditors deem this a serious issue.

Full access is required to the data sources on the Analysis Services database.

The system requires a dedicated instance of Reporting Services.

And finally, to run the administration tool, you require local admin rights on the application server!

Whilst I can't help with most of the above, I did figure out a way to reduce the impact of giving end users access to the admin tool.

1) Create local accounts on the server for each user - due to the number of rights allocated, this should be kept to a minimum. The name should match their domain username. These users should be placed in a local group called something like TFS_Admins, which we will use later.

2) For each local account, set the following script as the start-up application (the Environment tab of the user object):

(Example) "C:\Program Files\Microsoft Team Foundation Server 2010\Tools\runit.bat"

The script file should read as follows:

@echo off
REM %username% is the local account, which was named to match the domain username (step 1)
REM runas prompts for the DOMAIN password, then launches the console as the domain account
runas /user:((DOMAIN))\%username% "c:\Program Files\Microsoft Team Foundation Server 2010\Tools\tfsmgmt.exe"

((DOMAIN)) is your domain name. If you installed TFS to a drive and folder other than C:\Program Files, alter the above accordingly.

You're now in a position where, if the user logs on to the server via RDP using their local server account, they will be prompted for their domain password, and (assuming they're configured as TFS admins, and their domain accounts have local admin rights) they will be thrown into the admin tool without any Explorer start bar being run - result. The RDP window will close within 0-60 seconds.

The next problem to tackle is that, since the users are domain admins, they can just RDP directly to the server and use their domain account.

3) Create a domain group containing the domain accounts of your TFS admins (DO NOT include those who are normal server admins!). Create a DENY ACCESS security entry for that group on the file C:\Windows\explorer.exe.

This does two things. Firstly it stops the users from logging on remotely (which could also admittedly be done by adding them to the security policy "Deny log on through Terminal Services"), but it ALSO prevents them from running explorer.exe via a back door, like the "open logs folder" link on the logs page of the administration console - two birds, one stone. I'm sure you can see the reason for not adding server admins to this domain group!


One final issue to resolve: the locally logged-on user can still bring up the security dialog by pressing CTRL-ALT-END in the RDP session. This allows them to shut down and restart the system, and to run Task Manager, from which all sorts of nefarious applications could be started - including explorer.exe, since we didn't block the local users from running it.

4) DENY the TFS_Admins group created earlier access to C:\Windows\System32\taskmgr.exe - again, this group should not contain normal local administrators.

5) In the local security policy (or better still using a GPO) remove Local Administrators from the "Shut down the system" and "Force shutdown from a remote system" rights. Replace them with Domain Admins, or potentially another local group to which your regular server operators can be added.

6) Turn off default shares!

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0

Idiot-proof note: if you can't find the value in the registry under the exact location (i.e. it does not exist), right-click in the right pane of the window and create it.

(Thanks Dan Petri)
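Steps 3, 4 and 6 above are also scriptable, which makes them repeatable across more than one TFS box; the following is an added example of mine, not part of the original post. The group names CONTOSO\TFS-Console-Admins and TFS_Admins and the function names are placeholders/assumptions; run it from an elevated prompt on the application server.

```powershell
# Added example: apply the Explorer/Task Manager denies and the AutoShareServer
# setting from the post with PowerShell rather than the GUI.
function Add-DenyExecute {
    param(
        [Parameter(Mandatory)][string]$Path,      # binary to protect
        [Parameter(Mandatory)][string]$Identity   # group to deny, e.g. 'CONTOSO\TFS-Console-Admins'
    )
    $acl = Get-Acl -Path $Path
    # A Deny on Read & Execute is enough to stop the binary being launched, and a
    # Deny ACE always wins over the Allow the group inherits via Users/Administrators.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    # explorer.exe / taskmgr.exe are owned by TrustedInstaller. If Set-Acl reports
    # "access denied", take ownership first (takeown /A /F $Path) and re-run.
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting ACEs for this identity so the change can be eyeballed.
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -eq $Identity }
}

function Disable-AdminShares {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    # -Force creates the value when it does not exist (the "idiot-proof note" case)
    # and overwrites it when it does.
    New-ItemProperty -Path $key -Name AutoShareServer -PropertyType DWord -Value 0 -Force |
        Out-Null
    # Takes effect after the Server (LanmanServer) service restarts or the box reboots;
    # existing C$ / ADMIN$ shares stay up until then.
    Get-ItemProperty -Path $key -Name AutoShareServer
}

# Step 3: the DOMAIN group of TFS console admins (never ordinary server admins) may not run Explorer.
Add-DenyExecute -Path "$env:windir\explorer.exe" -Identity 'CONTOSO\TFS-Console-Admins'

# Step 4: the LOCAL TFS_Admins group may not run Task Manager.
Add-DenyExecute -Path "$env:windir\System32\taskmgr.exe" -Identity "$env:COMPUTERNAME\TFS_Admins"

# Step 6: no automatic administrative shares.
Disable-AdminShares
```

Keep a second, unaffected admin account to hand before applying the denies: a mistake in the group membership locks out exactly the people who would fix it.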


And now you have a way to lock down the administration rights that need to be granted to TFS administrators, to prevent your users mucking about with the server config.



I'm sure it's not completely bulletproof, and someone somewhere will find a way in - for a start, I haven't looked at disabling remote WMI, disabling remote registry editing, etc. However, it is a **** lot better than how it looks out of the box.

Enjoy.

Thursday 20 August 2009

Excel evaluated functions

Yay, finally, something else obscure to blog about - evaluated functions in Excel.


What's that you say? Use real English? - well, if you insist. I'm talking about the ability to treat a text string in an Excel cell as if it were a formula, and to evaluate it (work out what the answer would be - happy?)


Suppose, for example, you had a spreadsheet set out as follows:





The boxes in yellow are those you have highlighted for user input. The aim of the spreadsheet is to allow the user to select a range of dates and add together the values for that range.


The value in E4 is the result of a formula which reads:

=CONCATENATE("=sum(",E2,":",G2,")")


This creates a nice formula, as seen in cell E4, but it's no use to us at present, because Excel sees it as text and doesn't treat it as a formula. (Typically, you might put an intermediate result like this into a hidden column or row somewhere so as not to confuse the user.)


The typical (but problematic) answer given to this conundrum on the net is as follows:

1) Right-click on E4 and select "Name a range"
2) Modify the "Refers to" field as shown below and press OK




3) In your target (answer) cell enter =Name (in our case the cell will read =Mysum). You end up with a spreadsheet that looks something like this...


Which is exactly what you wanted, right? - errm, it might look that way, but watch what happens if you change one of the source values - let's say we change A6 to 999.



Oops - the data value has changed, but the calculated total has not. Why not? Well, that's because when Excel decides whether a cell needs recalculating, it works out whether any of the cells that the formula depends upon have changed.

In this case E5 depends upon E4, and E4 depends upon E2 and G2. However, E2 and G2 are plain text; they don't depend on anything - they're not cell references (at least as far as Excel knows). Because none of the prerequisites have changed, there's no need to recalculate.

There are two easy workarounds for this. You can change either of the values in E2 or G2, or force a complete recalculation using Ctrl-Shift-F9.

But is there a more elegant solution that doesn't require user input? - use your noggin - I wouldn't have asked the question if there weren't :)

Unfortunately, it requires the use of a (very small) macro, which means you need to use a macro-enabled workbook, but you can't have everything.

So the new way to implement it is like this:

1) Press ALT-F11 to bring up the VBA interface

2) Add a module to your spreadsheet as follows:






In the module we're going to create a very small UDF (user-defined function).


Presented here for easy cut and paste:

Public Function MyEval(s) As Variant
    Application.Volatile True   ' mark the UDF volatile: forced recalc on every worksheet change
    MyEval = Evaluate(s)        ' treat the text in s as a formula and return its result
End Function


3) Save and close the VBA interface.

4) The results cell (E5 in our example) should now read =MyEval(CONCATENATE("=",E4)).

5) We also need to modify cell E4 to remove the "=" in front of the sum:

=CONCATENATE("sum(",E2,":",G2,")")



Once you've set this up, you will find that the result updates automatically every time a data value changes.



Job done



So how does this little piece of magic work?



The key is in the line


Application.Volatile True



This tells Excel that the function's value cannot be depended upon, and that it should be recalculated on every worksheet change. Without this line, the macro would function in exactly the same way as the earlier method using cell names. It's the same method Excel uses internally to ensure that functions like NOW() get updated regularly.

Enjoy

Wednesday 28 January 2009

Skippy's List

If you've never seen it then "Skippy's list" is a laugh a minute.

http://skippyslist.com/list/

213 things Skippy is no longer allowed to do in the U.S. Army.

Technical resources

Having had only one technical post in this blog so far, it was with surprise that I was able to use it to assist with a technical query for someone on the activedir.org mailing list.

If you don't know this list, it's an amazing resource for those involved in implementing and maintaining AD, run by a published author on AD and populated with the highest density of AD professionals I've ever encountered. If you work with AD, subscribe.