The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.

 

Subject: RE: [gptalk] Force Outlook to prompt for credentials
Martin_Hugo

12/16/2009 3:01 PM  
You can achieve this by forcing Outlook to use HTTP to connect to the Exchange server and set the proxy settings for this connection to your CAS server. This can be done through the Outlook Options in the Office install MSP. You can also prepend the usernames with the netbios logon domain by setting the registry key

[HKEY_CURRENT_USER\Software\Microsoft\Exchange]
"LogonDomain"="domainname"

so that users need only type their SAMID in the username field.

Post install, the user would need to go to Account Properties, Connection tab, check the "Connect to Exchange using HTTP" box under Outlook Anywhere and click Exchange proxy settings. Then enter the URL of your CAS server, check the box that says "Only connect to proxy servers that have this principal name in their certificate" and enter "msstd:casserverfqdn" in the box (no quotes of course). Check both the fast and slow network options and OK back out.

User experience will be this: On machines where a user has never used Outlook, Outlook Anywhere will set up the profile and the user will see a login box to the CAS server with "domainname\" already in the username box (from the registry setting above); they just add the SAMID. A second login will then appear to the mailbox server with their entire login name filled in; they just add the password and log in. On machines where a user has previously used Outlook, there will only be one login box to the mailbox and the username will be filled in; the user adds the password and voila!

The above presupposes your CAS server and mailbox server are different boxes.

If you did not want to teach users to do this, you could create a new install point for Office, set up the MSP to just reinstall Outlook and put the options in there, then assign a batch file to run the install in a startup script and remotely reboot all the machines at night.

Hope this helps.


Martin T. Hugo
Network Administrator
Hilliard City Schools
614-921-7102 (Ph)
614-771-7243 (Fax)

From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Tony Murray
Sent: Thursday, December 03, 2009 2:55 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Force Outlook to prompt for credentials

Thanks Darren

Yes, it looks like the GUID is always the same, but the profile name (Outlook in the example below) may be different.

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a]

I guess that makes it tricky unless we can standardise on the profile names?

The customer doesn't have the GP Preferences installed in the environment yet, but they might be open to it.

Tony

From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, 4 December 2009 8:31 a.m.
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Force Outlook to prompt for credentials

Hey Tony-
This looks like a perfect job for GP Preferences Registry extension. As long as that GUID is always the same, it can handle populating REG_BINARY values just fine. Does your customer have GP Preferences installed in their environment?

Darren

****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com<http://www.sdmsoftware.com/>
Founder- www.gpoguy.com<http://www.gpoguy.com/> - The Group Policy Resource Site
Blog: www.sdmsoftware.com/blog<http://www.sdmsoftware.com/blog>
Twitter: www.twitter.com/grouppolicyguy<http://www.twitter.com/grouppolicyguy>

Group Policy Automation Engine<http://www.sdmsoftware.com/group_policy_scripting> - 2009 Windows IT Pro Magazine Editors Choice Winner for Best Active Directory and Group Policy Product

From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Tony Murray
Sent: Thursday, December 03, 2009 11:23 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Force Outlook to prompt for credentials

Hi all

Not sure if this one has a solution, but you guys will probably know either way.

One of my customers has the (somewhat bizarre) requirement for Outlook to prompt for credentials upon opening. Because this is a security requirement they want to be able to control the setting centrally, preferably via Group Policy.

The setting that controls whether a user is prompted for credentials upon launching Outlook forms part of the Outlook profile. These settings are stored in the registry under the HKEY_CURRENT_USER hive. Each profile on the workstation has a corresponding entry within the registry that is represented by a GUID, e.g.

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a]

Below the profile GUID, a subkey named 00036601 has a REG_BINARY value that determines whether the user is prompted or not.
A value of 04 10 00 00 indicates that the user will not be prompted for credentials.
A value of 0C 10 00 00 indicates that the user will be prompted for credentials.

A number of Outlook 2007 settings can be controlled via Group Policy using the 2007 Office System Administrative Templates. Unfortunately the prompt for credentials doesn't seem to be one of the available settings.

Any ideas on whether this can be achieved some other way? Workarounds?

Tony
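
The following PowerShell script is an added example, not code posted by anyone in this thread. It checks the credential-prompt value described in the original question in every Outlook profile of the logged-on user, so it does not depend on the profile being named "Outlook". It assumes 00036601 is a REG_BINARY value directly under the GUID key, and it only rewrites a value that exactly matches the 04 10 00 00 pattern quoted above.

```powershell
# Added example, not from the thread. Run in the user's own context (HKCU),
# for instance from a logon script.
param([switch]$Enforce)   # without -Enforce the script only reports

$profilesRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
$sectionGuid  = '13dbb0c8aa05101a9bb000aa002fc45a'   # same in every profile, per the thread
$valueName    = '00036601'                           # assumption: REG_BINARY value under that key
$noPromptHex  = '04-10-00-00'                        # thread: user is not prompted
$promptHex    = '0C-10-00-00'                        # thread: user is prompted
$promptBytes  = [byte[]](0x0C, 0x10, 0x00, 0x00)

if (-not (Test-Path -LiteralPath $profilesRoot)) {
    Write-Warning "No Outlook profiles found for $env:USERNAME"
    return
}

# Enumerate every profile instead of assuming it is called "Outlook".
foreach ($p in Get-ChildItem -LiteralPath $profilesRoot) {
    $keyPath = "$($p.PSPath)\$sectionGuid"
    $state   = 'MissingValue'
    $hex     = $null

    if (Test-Path -LiteralPath $keyPath) {
        $item  = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
        $bytes = $item.$valueName
        if ($bytes) {
            $hex   = [BitConverter]::ToString([byte[]]$bytes)
            $state = switch ($hex) {
                $promptHex   { 'Prompt' }
                $noPromptHex { 'NoPrompt' }
                default      { 'Unrecognized' }   # not described in the thread: left untouched
            }
        }
    }

    # Only rewrite the one pattern the thread documents; never overwrite unknown data.
    if ($Enforce -and $state -eq 'NoPrompt') {
        Set-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $promptBytes -Type Binary
        $state = 'Prompt (changed)'
    }

    [pscustomobject]@{ Profile = $p.PSChildName; Value = $hex; State = $state }
}
```

Running it without `-Enforce` first gives a per-profile report that shows how many profile names and unrecognized values exist before anything is changed.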
