Boswell's Q&A

Neither Rain Nor Snow Nor Security Popups

A baffled administrator finds a solution in the Office Resource Kit for an Outlook application accessing error. Plus: XP SP2 installation stories from the trenches.

Question: Our company has overseas customers who won't pay until they get an invoice. Naturally, our company wants payment as soon as possible. FedEx costs $45. So we decided to send a .PDF file of the invoice in an e-mail attachment. Our office runs Windows 2003 and Exchange 2003. The Outlook clients are Outlook 2000.

MAPI was giving us some issues, so we decided to try VBA on Outlook. We got it to run, but we receive a Windows message from Outlook requesting our permission to allow the application to access Outlook. A nice security feature to be sure, but it's driving the ladies in production control nuts. Any suggestions?
— Tim

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

Answer: The Office Resource Kit has a security management tool, the Outlook E-mail Security Administrator Package, that's designed to handle problems like the one you're having. The tool has an overview discussion in KB 290499, "INF: How to Configure SQL Mail" http://support.microsoft.com/view/tn.asp?kb=263556.

You can download the Office Resource Kit from http://www.microsoft.com/office/ork/xp/default.htm (Office XP) or http://www.microsoft.com/office/ork/2000/appndx/toolbox.htm (Office 2000).

To extract the Security Administrator Package, first install ORK on a desktop or server. In the files it installs, find the admpack.exe file. It should be in C:\Program Files\ORKTOOLS\ORK11\TOOLS\Outlook Administrator Pack (ORK10 for Outlook 2000).

When you run admpack.exe, it deposits four files in the folder of your choice. They are:

  • comdlg32.ocx
  • hashctl.dll
  • Outlook
  • Security.oft
  • readme.doc

The readme.doc will tell you to copy hashctl.dll to the %windir%\system32 directory then register it: regsvr32 hashctl.dll

The readme.doc also tells you to do the same for comdlg32.ocx. Hold on, though. If you're running XP on the desktop, don't copy comdlg32.ocx to the %windir%\system32 directory. The version of comdlg32.ocx in XP works just fine.

Now, on the machine where you installed the ORK, take a look at the %windir%\inf folder. You should see a new set of ADM template files that represent Group Policy settings for Office. The Outlook ADM file, OUTLK10.ADM, contains a policy setting called "Outlook Virus Security Settings." This policy setting results in a Registry entry that the Readme.doc for the security management tool discusses:

HKCU\Software\Policies\Microsoft\Security\CheckAdminSettings

By using a GPO to apply this setting, you won't have to push out any Registry hacks. To use the ADM template:

  1. Create a new Group Policy Object called ORK (you can call it anything you like) and link the GPO to the OU that contains your Outlook users.
  2. Right-click the Administrative Templates object under User Configuration and select Load Templates from the flyout menu.
  3. Double-click the OUTLK10.ADM file to load the template settings.
  4. In the main Group Policy Editor window, drill down to the Outlook Virus Security Settings icon under User Configuration | Administrative Templates | Microsoft Outlook 2002 | Tools|Options... | Security.
  5. Enable this policy and check the option to Apply Individual Settings for Outlook Virus Security.

To make this setting take effect immediately on an XP desktop, use this command: gpupdate /force (The /force switch isn't strictly required, but I like the sound of it.) On a Windows 2000 desktop, use this command:

secedit /refreshpolicy user_policy /enforce

Okay, so now you're ready to apply the security setting:

  1. Create a public folder in the Exchange public folder tree and call it Outlook Security Settings. This is the required name.
  2. At a client desktop that has Outlook installed, log in using an account with Exchange administrator privileges.
  3. Launch Outlook then double-click the OutlookSecurity.oft file.
  4. Before the form (defined by the oft file) launches, you'll be prompted to select a folder. Use the tree control to select the Outlook Security Settings folder in the public folder tree.

The Outlook Security form is fairly complex because it deals with programmatic forms and things like that. If you only want to send a message without getting the popup warning, do this:

  1. Select the Programmatic Settings tab.
  2. On the line that starts, When Sending Items Via Outlook Object Model, click the radio button under Automatically Approve.
  3. Click Post to post the settings to the Outlook Security Settings public folder.
  4. Close Outlook.

Now, log on as an average user at the desktop where you will be running your script to send the .PDF files. Run your script and see if it works without prompting the user.

Hope this helps!

XP SP2 Deployments: What You've Said

I got a few replies to my request for feedback on XP SP2 deployments in my column from last week. Here's one from Kathel:

My company has elected to hold off installing XP SP2. I wish my relatives had, as well. I've had three relatives call me in a panic asking for help because of various issues with the service pack. The first relative called after he installed the service pack and found he was no longer able to uninstall programs through add/remove programs. The change/remove buttons disappeared.

The second called after her computer began spontaneously rebooting within seconds of logging in. This one was difficult because, as we all know, relatives rarely give you a complete picture of what that they do to their computers. It took several torture sessions before she 'fessed up to allowing the XP SP2 update to run. Relative three had intermittent loss of video, mouse, and keyboard functionality.

All three were back in business after I removed XP SP2, but I wonder how other, non-computer-literate home users are faring who don't have the luxury of free support. The removal process can be complex for the uninitiated.

Dewayne contributed this information:

I struggled with disabling the Domain profile of Windows Firewall by default when installing SP2 for the first time. I found some TechNet articles on it, but they all indicated I needed to deploy SP2 with a RunOnce reg entry and auto-logon by an admin after install to make the run-once settings take effect. What a pain.

Instead, I installed SP2 in batch mode, then copied in our custom netfw.inf file, overwriting the one SP2 delivered. Then, just before the reboot, the batch script runs NETSH FIREWALL RESET to apply the settings in the custom netfw.inf. I wasn't sure if applying the settings before the reboot would carry the settings through, since the system is still, in reality, SP1 until the reboot happens — but it does work! So, now we can deploy SP2 in our enterprise without worrying about Windows Firewall breaking apps by being enabled by default for the domain profile.

Also, regarding firewall profiles, this is really slick! The domain profile is set to disable the firewall, but as soon as you plug into a private network (i.e. take your laptop home) the firewall is enabled. Or, if you join a workgroup it is enabled, then when joining the domain again, it's disabled. MS was really thinking on that one. Here's the Firewall guide that has instructions for building a custom .INF file for the firewall settings:

http://download.microsoft.com/download/6/e/f/6efdbda6-ca9e-4122-9787-3fd7ca7d7f33/WFINF_Guide.doc

And finally, Greg had this to say about convincing small business owners to pay for deploying SP2 in their networks:

We have been proactively managing LANs — and that includes deploying software upgrades and SP's via group policy — since 2001. We know that takes 2.5 hours to download, extract, create the policy and test the SP install on 3-4 workstations. If you contrast that with the standard the cost of individually getting your mitts on a keyboard for the same amount of time times each PC, then no problem. If you are a good field engineer/tech and do the " justification " (Mr. Customer, I can do this via Group Policy in about 2.5 hours + say 2 hours for follow up once or, I can hit each PC for three-fourth of an hour of billable time per PC times number of PCs), then it is a no-brainier.

If you know your customer, then you should be able to say something akin to: "If we do not do this, then please consider this Mr. CFO/CIO/CEO; Joe Sales guy and his laptop goes into the world, misses an update or virus update, gets a worm, comes back and floods the LAN and you are down for three hours. Since you have 25 employees and your billable productivity = $2,300 per hour (for all billable productivity use this: (billable actions) - (cost actions) = (billable productivity rate)) then missing the update equals $6,900 in lost income plus our time to fix it."

But that's just business 101 right?

Do you have good information to help other admins through the SP2 deployment? Be sure to write me at mailto:[email protected].

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

comments powered by Disqus
Most   Popular