Monthly Archives: July 2011
Solution: How to disable PSTs creation in Microsoft Outlook 2010 | Disable Outlook PST Creation | Prevent Users from adding contents inside Outlook PSTs |
Updated on 8/9/2011
Author: Zahir Hussain Shah
Preventing PST Creation in your environment after implementing Archiving Solution
Tags: How to prevent Outlook PST Creation | How to prevent PSTs in Outlook 2003 / 2007 / 2010 | Disable PST creation in Outlook
Introduction:
Once you have an email archiving infrastructure ready to support your Exchange 2010 messaging infrastructure, you will want to stop end users from growing their PSTs. To some extent you may still want to let them use their existing PSTs, but at the same time restrict them as follows:
· Cannot create more PSTs
· Cannot add more data into their existing PSTs
Solution:
Let me show you how you can achieve this using Group Policy for Microsoft Office GPO Administrative Templates…
You have to download the Microsoft Office Administrative Template for each Microsoft Office version; you can easily find it by searching for it.
The one I'm going to use here is Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool
http://technet.microsoft.com/en-us/library/cc178992.aspx (Download it)
· Once you have downloaded it, open the Group Policy Management Console, create a new GPO and, in the User section, import the template under Administrative Templates as follows:
Open the “ADM” folder and the appropriate language subfolder (en-us for English), select the file named “outlk12.adm” and click “Open”.
· Once you have imported it, set up the PST policies according to your requirements:
Once you are done with the changes, close it and have the user log off and log back in.
With this configuration users can still create new PSTs, but when they try to put anything inside a PST they will get an “ACCESS DENIED” error.
You can also enable a setting in the GPO that completely disables the creation of PSTs as well.
Before you apply this to production users, I recommend testing it with some test users first.
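To confirm on a test workstation that the GPO actually reached the user, the following added example (not part of the original post) reads the policy values and lists the PSTs already in the profile. It assumes Outlook 2010 (Office key 14.0) and the value names DisablePST and PSTDisableGrow from Microsoft's Outlook policy documentation; the post itself does not list them.

```powershell
# Added example: report the PST policy applied to the logged-on user and list
# the PST files already present in the profile.
# Assumptions: Outlook 2010 (Office key 14.0); value names DisablePST and
# PSTDisableGrow are taken from Microsoft's Outlook policy documentation.
$officeVersion = '14.0'    # 12.0 = Outlook 2007, 11.0 = Outlook 2003
$base = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Outlook"

$checks = @(
    @{ Path = $base;       Name = 'DisablePST';     Effect = 'users cannot add new PSTs' },
    @{ Path = "$base\PST"; Name = 'PSTDisableGrow'; Effect = 'existing PSTs cannot grow' }
)

foreach ($check in $checks) {
    # A missing key or value means the GPO has not reached this user yet.
    $item  = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($check.Name) } else { $null }

    if ($null -eq $value) { $state = 'NOT SET (run gpupdate /force, then log off and on)' }
    elseif ($value -ge 1) { $state = "ENFORCED ($($check.Effect))" }
    else                  { $state = 'present but disabled (0)' }

    '{0,-15} {1}' -f $check.Name, $state
}

# Inventory of the PSTs that the policy now freezes for this user.
Get-ChildItem -Path $env:USERPROFILE -Filter *.pst -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
```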
Update:
After writing this article, I was informed about a scenario where Microsoft Outlook treats the Enterprise Vault (EV) cache the same as a PST. In that case Outlook does not allow the EV policies to move data from the Exchange mailbox to the EV Vault, which breaks the EV client-side policies. I was asked to find a solution that keeps the DisabledPSTGrow restriction in place while letting the EV Vault Cache work normally. For this case there is another registry entry you have to create, which instructs Outlook to allow authenticated entities such as the EV Vault to receive emails moved from the mailbox.
- Enterprise Vault 2007 Service Pack 3 or higher
- Microsoft Outlook 2007 hotfix
- The following registry keys:
Outlook 2003
- Enterprise Vault 2007 Service Pack 3 or higher
- Microsoft Office Outlook 2003 SP3
- Microsoft Outlook 2003 Hotfix
- The following registry keys:
For more information, please see this link
Cheers!
Zahir Hussain Shah
Infrastructure Practice Consultant – Messaging Solutions
MCSE, MCTS, MCTIP Enterprise Administrator, ITIL
Blog: http://zahirshahblog.com | LinkedIn | Twitter
Solution: Exchange 2010 SP1 OWA Integration issues for Symantec Enterprise Vault 2010 (EV) | Juniper SSL VPN SA 2500 Configuration Issues for Exchange 2010 OWA SSL OFFLOADING
Author: Zahir Hussain Shah
Symantec Enterprise Vault (EV) 2010 issues for Exchange 2010 SP1 OWA while securely published (SSL OFFLOAD) using Juniper SSL VPN SA 2500
Tags: After archiving emails in Exchange 2010 OWA email icons are not getting change | EV Archive explorer is not opening in Exchange 2010 OWA | Enterprise Vault integration problems with Exchange 2010 OWA | Enterprise Vault 2010 extension problems for Exchange 2010 OWA | How to configure Juniper SSL VPN SA 2500 for securely publish Exchange 2010 OWA / Enterprise Vault 2010
Introduction:
We all love Exchange 2010 for its features and functionality. It provides email archiving as a native feature, one of its most exciting, which lets users archive their historical email data into a secondary Online Archive mailbox. With the release of Exchange 2010 SP1, Microsoft introduced more features that extend the Online Archive, such as keeping a user's archive mailbox in a different mailbox database from the one where the primary mailbox is located.
Even with this short example of Exchange 2010 native archiving functionality, we know that Exchange is not an email archiving solution. If we look at the current market for email archiving solutions, we find Symantec Enterprise Vault to be one of the best; it also provides file-level and other types of extensive archiving functionality.
Scenario:
Recently we implemented Enterprise Vault 2010 in our messaging environment, which runs Exchange 2010 SP1. After we integrated our Exchange 2010 messaging infrastructure with EV 2010, we saw some issues with Exchange 2010 OWA, which are as follows:
Note:
This article mainly focuses on identifying the issues for Juniper SSL VPN SA 2500, System Version 7.0R4 (build 17289), which acts as the reverse proxy here to securely publish Exchange 2010 OWA and EV 2010.
Problem:
· When users tried to archive an item from OWA (externally), the item's icon did not change to notify the user that the item had been archived successfully.
· When users tried to open Archive Explorer within OWA (externally), it did not open, and opening the inbox failed as well.
· While debugging and enabling logs in the EV configuration file on the Exchange 2010 CAS servers, we found the error entries below in the log files:
ARCHIVE ITEMS VIA OWA EXTERNAL
| # | Result | Protocol | Host | URL | Body | Caching | Content-Type | Process | Comments | Custom |
| 80 | 404 | HTTPS | mail.abc.com | /owa/14.1.289.8/themes/base/,DanaInfo=.a11B545F98IB.,SSL+clear.gif | 2,146 | | text/html | iexplore:3720 | | |
| 81 | 404 | HTTPS | mail.abc.com | /owa/14.1.289.8/themes/base/,DanaInfo=.a11B545F98IB.,SSL+tbdv.gif | 2,146 | | text/html | iexplore:3720 | | |
| 87 | 404 | HTTPS | mail.abc.com | /owa/14.1.289.8/themes/base/,DanaInfo=.a11B545F98IB.,SSL+clear.gif | 2,146 | | text/html | iexplore:3720 | | |
| 88 | 404 | HTTPS | mail.abc.com | /owa/14.1.289.8/themes/base/,DanaInfo=.a11B545F98IB.,SSL+tbdv.gif | 2,146 | | text/html | iexplore:3720 | | |
Solution:
To fix this problem, configure your Juniper SSL box to publish Exchange 2010 OWA and EV with the following URLs (resources):
Resource:
http://*/exchange/*
https://*/exchange/*
http://*/OWA/*
https://*/OWA/*
http://mail.domain.com/OWA/* (external URL of OWA)
https://mail.domain.com/OWA/* (external URL of OWA)
http://mail.domain.com/EnterpriseVault/* (external URL of OWA)
https://mail.domain.com/EnterpriseVault/* (external URL of OWA)
For more information, please refer to this KB from Symantec
Cheers!
Zahir Hussain Shah
Solution: Allow Users to change passwords via Exchange 2010 OWA
Author: Zahir Hussain Shah
Password Policies V/S Exchange 2010 Outlook Web Application (OWA)
Tags: Allow users to change their passwords from Exchange 2010 OWA | Exchange 2010 OWA Password change issues
Problem:
If you set an Exchange mailbox user to change his password at next logon, and that user is remote, sitting at an Internet PC and trying to open his mailbox over OWA, he will not be able to open it. In AD his account is set to change the password at next logon, and OWA does not prompt him to change the password while logging in.
So how do we fix this problem?
Exchange 2010 SP1 introduced a new feature, “Users to Change Expired Passwords”, which lets users reset their passwords on the OWA website. It is a very nifty feature for users who need to change their password on the OWA site.
Now let me tell you how you enable this.
Note:
If you don't have forms-based authentication enabled on your Exchange 2010 OWA, this solution will not work for you. Integrated Windows Authentication takes you straight into OWA, where you will not be able to authenticate yourself, and it does not provide any area where you can change your password, so you need to use forms-based authentication to use this solution.
Solution:
You have to add a registry entry on your Exchange 2010 CAS Servers to enable this feature.
Note:
Please take a backup of your registry before modifying or adding any entry; neither Microsoft nor I will be responsible for any problem caused by modifying the registry incorrectly.
Enable Users to Change Expired Passwords
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Outlook Web App Registry Editor” entry in the Client Access Permissions topic.
1. Log on to the Client Access server.
2. Start Registry Editor (regedit).
3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
4. Create the following DWORD value if it doesn’t already exist: ChangeExpiredPasswordEnabled. The value type will be REG_DWORD.
5. Set the value of ChangeExpiredPasswordEnabled to 1.
6. Exit Registry Editor.
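The same change scripted for the Exchange Management Shell, as an added example that is not part of the original post or the TechNet procedure. It also checks the forms-based authentication prerequisite from the note above; the backup file location is an arbitrary choice, and the IIS restart reminder is an assumption.

```powershell
# Added example: run in an elevated Exchange Management Shell on each CAS server.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$name    = 'ChangeExpiredPasswordEnabled'
$backup  = Join-Path $env:TEMP 'MSExchangeOWA-backup.reg'    # arbitrary location

# Prerequisite from the note above: OWA must use forms-based authentication.
$withoutFba = @(Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Where-Object { -not $_.FormsAuthentication })

if ($withoutFba.Count -gt 0) {
    Write-Warning ('Forms-based authentication is off on: ' +
        (($withoutFba | ForEach-Object { $_.Identity }) -join ', '))
}
elseif (-not (Test-Path $regPath)) {
    Write-Warning "Key not found: $regPath. Is the Client Access role installed here?"
}
else {
    $current = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        "$name is already 1 on $env:COMPUTERNAME; nothing to do."
    }
    else {
        # Back up the key first, as the post advises.
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA' $backup /y | Out-Null
        # -Force creates the DWORD or overwrites an existing value.
        New-ItemProperty -Path $regPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        "$name set to 1 (backup: $backup)."
        'Assumption: OWA may need an IIS restart (iisreset /noforce) to pick up the value.'
    }
}
```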
For more information, you can see the below TechNet KB:
http://technet.microsoft.com/en-us/library/bb684904.aspx
Cheers!
Zahir Hussain Shah
News: “Microsoft Exchange 2010 – PST Capture Tool” – Coming Soon!
Discover, Analyze and Inject (Upload) PSTs directly into Exchange using “Microsoft Exchange 2010 – PST Capture Tool” – Coming Soon!
It’s like “Christmas in July”!
The Microsoft Exchange Team blog recently announced that later this year they are going to release the “PST Capture” tool as part of Microsoft Exchange 2010. With it an administrator can discover PSTs on the users' network and then, based on the analysis, insert the PSTs directly into the Exchange mailbox stores. It will be a free release, and it will not replace New-MailboxImportRequest but will run in parallel with it.
For more information, see the below URL:
http://blogs.technet.com/b/exchange/archive/2011/07/05/coming-soon-pst-capture-tool.aspx
Cheers!
Zahir Hussain Shah
Deleting specific email (sender / subject / date) from all Users Mailboxes in Exchange 2010 Organization
Author: Zahir Hussain Shah
Tags: Delete one email from all users mailboxes on Exchange 2010 SP1, Remove emails from Exchange 2010 SP1 Users using Exchange Management Shell
Compared with Exchange 2007, removing a particular email from all users' mailboxes has changed a lot in Exchange 2010. We can no longer use the Exchange 2003 ExMerge tool to forcefully remove the email from the Exchange 2010 Information Store; instead we need to use the Exchange Management Shell to remove the desired email from users' mailboxes. Interestingly, the syntax for this task is quite different between Exchange 2010 RTM and SP1: Exchange 2010 SP1 uses the Search-Mailbox cmdlet to find the email first, and deletes it when the -DeleteContent parameter is added.
Note:
For Exchange 2010 (RTM) version, please read my earlier post: http://zahirshahblog.com/2010/10/31/removing-specific-messages-from-your-exchange-messaging-infrastructure/
In this article, I will show you how to remove a particular email with a specific sender or a specific subject. We will use the Exchange 2010 logging feature to log the results of the commands for a bulk of users to another mailbox for future reference.
First of all, you need to give the “Discovery Management” group rights to the mailbox from which you will be running this command. To do this, do the following:
You can't use Search-Mailbox without granting the user permission to do so.
Now we will delete the specific email as per the below scenarios:
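# Copy matching messages to "export-folder" in the mailadmin mailbox with a full log, then delete them from every mailbox
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"Weekend Party Invitation" AND From:"zahir@domain.com" AND Sent:05/09/2012' -DeleteContent -TargetMailbox "mailadmin@domain.com" -TargetFolder "export-folder" -LogLevel Full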
Scenario 2): Where the following elements of the message are known:
Subject: N/A
Sender: (ayniee@domain.com – Sender Email Address)
Date: (05/09/2012)
# Same operation, matching on sender and sent date only
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'From:"ayniee@domain.com" AND Sent:05/10/2012' -DeleteContent -TargetMailbox "mailadmin@domain.com" -TargetFolder "export-folder" -LogLevel Full
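Because these commands delete from every mailbox in a single pass, a preview run is worth doing first. The following is an added example, not from the original post: it counts hits with -EstimateResultOnly and then deletes only in the mailboxes that matched. The address, query and folder reuse the post's sample values; the Mailbox Import Export role requirement comes from Microsoft's Search-Mailbox documentation, not from the post.

```powershell
# Added example for the Exchange 2010 SP1 Management Shell.
$admin = 'mailadmin@domain.com'      # sample value from the post
$query = 'Subject:"Weekend Party Invitation" AND From:"zahir@domain.com" AND Sent:05/09/2012'

# RBAC only loads the cmdlets and parameters the account may use, so check
# before starting. Searching needs Discovery Management; -DeleteContent also
# needs the Mailbox Import Export role. Grant both once, then open a new shell:
#   Add-RoleGroupMember -Identity 'Discovery Management' -Member $admin
#   New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $admin
$cmd = Get-Command Search-Mailbox -ErrorAction SilentlyContinue
if (-not $cmd) {
    throw 'Search-Mailbox is not available: Discovery Management membership missing.'
}
if (-not $cmd.Parameters.ContainsKey('DeleteContent')) {
    throw '-DeleteContent is not available: Mailbox Import Export role missing.'
}

# Pass 1: count matches per mailbox; nothing is copied or deleted.
$hits = @(Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 })

$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize
'{0} mailbox(es) contain the message.' -f $hits.Count

# Pass 2: copy to the admin mailbox with a full log, then delete, only in the
# mailboxes that matched. Each mailbox prompts for confirmation.
foreach ($hit in $hits) {
    Search-Mailbox -Identity $hit.Identity.ToString() -SearchQuery $query -DeleteContent `
        -TargetMailbox $admin -TargetFolder 'export-folder' -LogLevel Full
}
```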
Zahir Hussain Shah
MVP Exchange Server
Infrastructure Consultant
Information: Hyper-V joined Citrix and VMWare as leader in Server Virtualization
To virtualize Exchange on Hyper-V, see my earlier posts on my blog.




