Managing Outlook 2007 through Group Policies

[patris1]

کد:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-outlook-2007-through-group-policies-part1.html

PART-1

Introduction

In this article series we are going to use Group Policies to help exchange administrators to manage some Outlook 2007 features. There are a lot of questions about Outlook 2007 configuration in Microsoft Technet forums, and most of those questions can be addressed through Group Policy. I can not remember all of them, but here are some topics that we will cover in this article that may be useful in your environment: outlook automatic configuration, outlook attachments, PST, calendar and how to allow/deny configuration of POP3/IMAP4 accounts.
Deploying Office 2007 System Administrative Template files...

First things first, let us download the Office 2007 System Administrative Template files from Microsoft Download Center. Double click on the downloaded file and a license agreement page will be displayed, read the agreement and if you are okay with that, click on Accept the terms and click on Continue. The process will create three folders and an xls file in the folder specified during the extract process, as shown in the Figure 1.

Figure 1
The file Office2007GroupPolicyAndOCTSettings.xls has three worksheets, the first one basicly says which are the files responsible for each Office program, in our case we are going to use Outlook12.* files. The second worksheet has all ADM settings that can be configured in this template file and the last worksheet has all configurations that can be used by Office Customization Tool. In our article we are going to use just the second worksheet of that file where we can find in detail all registry keys, possible values, explanation, default settings and possible settings that we can use for each item.
Now that we know how to use the excel file which comes with the Office 2007 Administrative templates, we can move forward and add those template files in our current environment. A good practice when playing with group policies is to create a test Organization Unit and move some test users and/or computers to that test OU, create a Group Policy and link to that test OU, and then validate the results on the objects. Finally, document the entire process and create a strategy to roll back the situation if required and then you will be good to use the new Outlook Policies in a production environment.
The procedures to add the templates may vary depending on your environment. We extracted two different formats (ADM or ADMX) where ADM files are used by Windows Server 2003 and previous versions and ADMX is the new format adopted by Windows Server 2008 and future versions. In the next section we are going over the process to add this template pack on both scenarios.
Windows Server 2008

In Windows Vista and Windows Server 2008 operating systems, the ADM files are replaced by ADMX files, which use an XML-based file format to display registry-based policy settings. The new format is not stored in each GPO, and we can use a central store location for the templates and these store locations will be replicated among all Domain Controllers of the domain.
If you have not set up the central store location we can start from this point, following these steps:

1. Log on as administrator on a domain controller
2. Click on Start, Run and type in \\<Domain-Controller-Name> and click on OK
3. Double click on SYSVOL
4. Double click on <Your Domain FQDN>
5. Click on Policies
6. Click on File, New and Folder
7. Type in PolicyDefinitions (Figure 2)

Figure 2

1. Open the new PolicyDefinitions folder
2. Create a folder for each language supported by your organization using the format En-US.

Note:
The following document can help you to validate your correct locate identifier.
Okay, we already have a Central Location configured. Let us populate our central location using the Outlook 2007 templates that we extracted at the beginning of this article. Basically we need to move the admx extensions to the root of PolicyDefinitions folder and adml extensions to the folder with your language locale, as shown in Figures 3 and 4.

Figure 3

Figure 4
Because we are using Windows Server 2008, let us click on Start, All Programs, Administrative Tools and click on Group Policy Management Editor. Select the OU created for this test and right-click on it and click New GPO, and fill out the new GPO Name and click on OK. Right click on the GPO that was just created and click on Edit.
Expand User Configuration, expand Policies, and expand Administrative Templates: Policy definitions (ADMX files) retrieved from the central store, expand Microsoft Office Outlook 2007, and we will see all components that can be configured through this policy, as shown in Figure 5.

Figure 5
Windows Server 2003

The process to add a template on a Windows 2003 Group Policy is pretty straight forward. We can edit a Group Policy directly from object properties and then Group Policy tab or using Group Policy Management Console that can be downloaded from Microsoft downloads.
Both methods are valid, as soon as we have the Group Policy opened, let us expand User Configuration, right-click on Administrative Templates, click Add/Remove Templates…, in the new window click on Add.., and locate the file outlk12.adm from the extracted files of the Office 2007 Administrative Template package, the result is going to be similar to the Figure 6.

Figure 6
The result will be all Group Policies related to Outlook 2007 will be listed and we can start playing with them.
Conclusion

In this first article we saw how to add Outlook 2007 templates on both operating system (Windows Server 2003 and Windows Server 2008) using ADM or ADMX formats. In the next article we are going to play with existent Templates to block PST, attachment filtering, and how to block users to add POP3/IMAP4 account profiles in Outlook.

---

موضوعات مشابه:

• Managing Hardware Restrictions via Group Policy
• SolutionBase: Outlook 2007's new features and how they work with Exchange Server 2007
• ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example
• Managing Printers Using Group Policy

---

[patris1]

کد:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-outlook-2007-through-group-policies-part2.html

PART-2

Introduction

In the last article we saw the process involved in downloading and adding templates on both operating System Windows Server 2003 and Windows Server 2008 to add Outlook 2007 extensions to a Group Policy. In this article we are going to play with some features that are usually required for most of the administrators such as PST management, management attachment security and etc…
PST files

PST can be a nightmare for some Exchange Administrators, and they may become difficult to manage and to create a protection strategy in a medium/large organization. PSTs can be fully managed through Group Policies and through this section we will learn how to eradicate PST usage from a network or at least change some default settings.
There are some archive products that play with PST files where the archive solution can search the network and move PST files to the archive repository. In this kind of scenario, the usage of PST can be banned from the network.
Note:
All PST settings can be found on the following path in the Group Policy: User Configuration / Administrative Templates / Microsoft Office Outlook 2007 / Miscellaneous / PST Settings.
By default, PSTs can be added to an Outlook profile. In order to prevent new PSTs to be added, we can enable the setting Prevent users from adding PSTs to Outlook profiles and/or prevent users using Sharing-Exclusive PSTs, and then click on Enabled and select No PSTs can be added (Figure 1).

Figure 1
The result will be that an end-user will not be able to pick up any option if it tries to add a PST, as shown in Figure 2.

Figure 2
Now that we have blocked end-users from adding PST files, we can also configure the current PSTs to be just a read only file which the end-user would not be able to create or delete content from. The setting that controls this behavior is Prevent users from adding new content to existent PST files, shown in Figure 3.

Figure 3
Using the previous setting the result will be an error message when a user tries to add any new content to an existent PST (Figure 04).

Figure 4
Okay, let us say that we have an internal policy where PSTs are allowed locally and we want to keep all of them in a standard path to facilitate the process to protect them changing the default location for PST and also OST files. To configure this setting, double click on Default location for PST and OST filesand type in the new path (environment variables can be used), as shown in Figure 5.
Note:
The new path will be used by all PST or OST created after the policy has been applied.

Figure 5
Besides of the configuration that we have just seen, we can also change other settings related to PST, such as PST maximum size, file format and etc.
Managing Attachments

Outlook 2007 handles attachments using security level. Outlook uses 3 (three) different groups: Level 1 (unsafe attachments), Level 2 (they must be saved on the disk before opened) and others attachments where the end-user is able to open an attachment directly from Outlook.
We can use Group Policies to add and remove extensions from level 1 and level 2 groups. Just to keep us on the same page, these are the default extensions included in the Level 1 of Outlook 2007: .ade, .adp, .app, .asp, .bas, .bat, .cer, .chm, .cmd, .com, .cpl, .crt, .csh, .der,, .exe, .fxp, .gadget, .hlp, .hta, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .ops, .pcd, .pif, .plg, .prf, .prg, .pst, .reg, .scf , .scr, .sct, .shb, .shs, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .tmp , .url, .vb, .vbe, .vbs, .vsmacros, .vsw, .ws, .wsc, .wsf, .wsh, .xnk.
If you do not get the picture about attachments yet, we can look at Figure 6 where the attachment with .xxx extension has a Level 1 assigned to it. If you look at that figure you will see that there is no way for the user to play with that file and Outlook displays Outlook block access to the following potentially unsafe attachments: <attachment name>.

Figure 6
However, if we have the same .XXX extension is configured as Level 2, the end user will be able to see the file on the message (Figure 7), but, the message in Figure 8 will be displayed which will force the end user to save the file on the disk and does not allow it to run directly from Outlook 2007.

Figure 7

Figure 8
In order to manage the file extensions for Level 1 and Level 2 we need to change the Outlook Security Mode setting. Expand Security, and click on Security Forms Settings. Let’s select Enabled and select Use Outlook Security Group Policy, and click on OK, as shown in Figure 9.

Figure 9
Now that we defined the Outlook Security Mode in the previous step, we can expand the Attachment Security and on this location we can either Add, Remove or Disable Level 1 and Level 2 as well. In Figure 10 we are adding the extension XXX to the level 1, as soon as the client receives the Group Policy definitions and Outlook is restarted the extension XXX will be considerate level 1 which does not allow an end-user to play with the file.

Figure 10
We can also add/remove Level 1 and Level 2 extension, allow Level 1 to be displayed in Outlook and so on.
Blocking account types

Outlook 2007 supports a variety of account types to be configured through Outlook profile creation process. Using group policies we can control which protocols will be available to the end user during the profile creation. We can prevent these following protocols to be configured: HTTP, Exchange, POP3, IMAP4 and any other type.
To block specific protocols, the option Prevent users from adding e-mail account types has to be configured for that. Click on Enable and tick all services that you want to prevent to the final users (Figure 11).

Figure 11
The result of the previous configurations is that the service configured in the Group Policy will not show up during the profile creation.
Conclusion

In this article we went over the process of configuring some Outlook 2007 settings using Group Policy. You can use this article series as a base to create your own policies based on your company requirements.

[patris1]

کد:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-outlook-2007-through-group-policies-part3.html

PART-3


Automatic Profile Configuration

Exchange Server 2007 with Outlook 2007 drastically increases the user experience when creating a profile through the Autodiscover feature. When a company has the proper certificates and web-services in place, a new user just needs to click on the Outlook 2007 icon and her/his data (Name and e-mail) will be filled out automatically. All the user needs to do is click on Next and Finish to start using Outlook. The entire process is shown in Figure 1 and Figure 2 below.

Figure 1

Figure 2
What if we can improve the user experience a little bit more? If instead of clicking on the Outlook icon, Next and Finish we can change the process to just a click on Outlook and start using it right way, it would be cool, right? So, when using Group Policies these steps should be followed:

1. Expand Microsoft Office Outlook 2007
2. Expand Tools | Account Settings
3. Click on Exchange
4. Double click on Automatically configure profile based on Active Directory Primary SMTP Address item
5. The possible values are Not Configured, Enabled and Disabled. Let’s click on Enabled as shown in Figure 3

Figure 3
Now, in a workstation where the user has received the Group Policy, we can log on as a new user and make sure that the user has a mailbox enabled on Exchange Server. Then, double click on the Outlook 2007 icon, and that’s basically it. The user will now be able to access his/her mailbox without any special requirement.
By default, Outlook validates if the Windows Desktop Search 3.0 (or later) is installed. If it is not prompted, it will be automatically displayed. If your organization does not intend to install it at this point (or at least you want to avoid giving the end-user this decision during the first running of Outlook) we can use Group Policies. The following steps can be done to avoid that initial prompt:

1. Expand Microsoft Office Outlook 2007
2. Expand Tools | Options
3. Expand Preferences
4. Click on Search Options
5. Double-Click on Prevent installation prompts when Windows Desktop Search component is not present item and click on Enabled

Outlook Auto Archive settings

After having installed Outlook for the first time, the end-user will receive an automatic message about AutoArchive. The AutoArchive settings are configured, by default, to run every 14 days and to inform the user when it runs. To configure the default AutoArchive settings, click on Tools, Options, Other tab, and click on the AutoArchive button. Figure 04 shows what will appear next.

Note:
The end-user is able to right click on any folder, click on Properties and a tab called AutoArchive will be displayed. A different Autoarchive configuration can then be done at folder level.

Figure 4
In order to manage those aspects related to the previous AutoArchive settings (such as Archive or delete old items settings Show archive folder in folder list setting and so forth) we can use the AutoArchive Settings item, which can be found in the following Group Policy path: Expand Tools / Options, expand Other item, click on AutoArchive and double click on the AutoArchive Settings item as shown in Figure 5. We can use the same spot to disable AutoArchive by clicking on Disable.

Figure 5
If you are using another Archiving solution, you should disable AutoArchive to avoid any conflicts and missing information which could affect your current solution. To disable the end-user from using AutoArchive manually, we can double click on Disable File|Archive and the users will not be able to archive items from the File menu, as shown in Figure 6.

Figure 6
If we disable the AutoArchive feature, the option will disappear from Other tab that can be found on Outlook options, as shown in Figure 7.

Figure 7
Managing user’s abilities to manage permissions on Outlook folders...

By default in Outlook 2007, any user can right-click on any folder of its Mailbox and define permissions for users on the Global Address List. We can however change this default behavior using Group Policies, the option can be found by following this next path:

1. Expand Microsoft Office Outlook 2007
2. Expand Tools | Account Settings
3. Click on Exchange
4. Double click on Do not allow users to change permissions on folders item
5. The possible options are Not Configured, Enabled or Disabled.
6. Click on Enabled which will disable the end-user to change permissions

After applying group policy on the client computer, the end-user can click on the Properties of any folder and go on the Permissions tab. Here, they will receive an error message and the Permissions tab will appear like before but without a chance to change any value, as show in Figure 8.

Figure 8
Note:
This group policy does not change the current permissions.
Outlook balloons and Desktop Alert configuration

This is not common, but, I have seen some companies that want to define some default behavior for Outlook balloons and also the Desktop Alert configuration.
Outlook balloons will indicate certain messages to the end-user when a connection is lost with the Exchange Server or if the client is having RPC delays when communicating with the exchange server. This may indicate connection issues. Some companies have remote offices and poor bandwidth between those locations and Exchange Servers. These kind of balloons may create some unnecessary help desk calls from remote users. By using group policy we can manage the balloons to increase the time when that information will be displayed. The following are the two options that we have to manage in order to set up an Outlook balloon for a client:

• Time before notifying of pending RPC via balloon
• Time before notifying of pending RPC via notifications tray icon

The path for this configuration is Microsoft Outlook 2007 followed by the Outlook System Tray Icon.
Note:
Changes should be well documented and also remembered when you are troubleshooting an Outlook performance issue in machines that are affected by this Group Policy.
The second component of this section is the desktop Alert, which is the component that shows up every time a new message arrives on a user’s mailbox. We can manage many aspects of the desktop alert, such as the duration of Desktop Alert in several scenarios (before fade, on mouse over, fade out), opacity (if we want it enabled or disabled). In order to change these settings, the following steps can be used. In this example we are going to disable the Desktop Alert in the current group policy, as follows:

1. Expand Microsoft Office Outlook 2007
2. Expand Tools | Options …
3. Expand Preferences
4. Expand E-mail Options
5. Expand Advanced E-mail options
6. Click on Desktop Alert
7. Double click on Do not display New Mail alert for users and tick the Disable radio button

Using the previous setting, any new message which arrives in the user mailbox affected by the Group Policy will not be displayed through Desktop Alert feature.
Conclusion

In this final article of our series about Group Policy and Outlook 2007 we have seen how to configure automatic profile configuration for Outlook, Auto Archive settings, how to disable permissions on Outlook and Desktop Alert settings.