The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy. The Archives for this list can be found on this page.

List Posts

Unanswered Active Topics

Forums Search

Forums >GPTalk >GPTalk Mailing List

Subject: RE: [gptalk] Force Outlook to prompt for credentials

Prev Next

You are not authorized to post a reply.

Author

Messages

omar

Posts:97

12/16/2009 3:01 PM
Yes work around- Prompt out of the box- No. Here is the issue- If you are using Outlook in Cached Mode- the OST file cannot be password protected- this is where the problem lies. Otherwise prompt for credentials and restricting pst creation (also disable auto archive) can do the trick. Workaround: Option1- restrict email client access to Front End and CAS servers and restrict Outlook Settings 1. Block direct client to mailbox server access and use proxy, CAS or Front End Exchange servers. 2. Restrict e-mail access to Outlook Web Access or Outlook over the Internet for Outlook 32bit clients. 3. Configure Outlook to not allow Cached mode or PST file creation using Outlook Administrative templates or custom installation 4. Configure Outlook to force Outlook over the Internet settings to use basic authentication and always prompt for password. (this is done in part on outlook client with group policy and is also configure/restricted on the Exchange CAS or FE server) I would have to review the admin template to verify the restrict PST creation but I think I may have seem that at some point. Option 2-Remove Outlook from the Desktops and use the Deploy Apps functionality of Windows 2008 or 2008 R2 to provide Outlook Centrally. You can deploy Outlook on a Remote Desktop Session Host server system (aka terminal server). Deploy the app shortcut and configure the server security to always prompt for password. Then you also get the bonus of centralized security of email. Hope that helps some omar From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Tony Murray Sent: Thursday, December 03, 2009 11:23 AM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Force Outlook to prompt for credentials Hi all Not sure if this one has a solution, but you guys will probably know either way. One of my customers has the (somewhat bizarre) requirement for Outlook to prompt for credentials upon opening. Because this is a security requirement they want to be able to control the setting centrally, preferably via Group Policy. The setting that controls whether a user is prompted for credentials upon launching Outlook forms part of the Outlook profile. These settings are stored in the registry under the HKEY_CURRENT_USER hive. Each profile on the workstation has a corresponding entry within the registry that is represented by a GUID, e.g. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a] Below the profile GUID, a subkey named 00036601 has a REG_BINARY value that determines whether the user is prompted or not. A value of 04 10 00 00 indicates that the user will not be prompted for credentials. A value of 0C 10 00 00 indicates that the user will be prompted for credentials. A number of Outlook 2007 settings can be controlled via Group Policy using the 2007 Office System Administrative Templates. Unfortunately the prompt for credentials doesn't seem to be one of the available settings. Any ideas on whether this can be achieved some other way? Workarounds? Tony

You are not authorized to post a reply.

Forums >GPTalk >GPTalk Mailing List > RE: [gptalk] Force Outlook to prompt for credentials

ActiveForums 3.7

Ads

The GPTalk Mailing List

List Posts

Members

Ads