Microsoft Reduce Customer Effort Center

Our team drives product feedback based on solid data, drives proactive issue prevention, and ultimately drives product improvements based on customer feedback.

April, 2007

  • Deploy Junk E-mail Lists Throughout Your Organization

    As we know, we can set Outlook's "Safe Senders list", "Blocked Senders list" and "Safe Recipients list" to help protect people against spam. However, having every user maintain their own lists is time-consuming and inconvenient. We can use the following steps to deploy such lists throughout your organization (we will use the "Safe Senders list" as the example).

     

    1. Create a shared folder on the server, say Junk E-mail, and give everyone read permission. Create a text file named SafeSender.txt. Enter e-mail addresses into the file (one address per line).

    2. Install "Microsoft Office 2003 Resource Kit" on the Domain Controller.

    3. Start Active Directory Users and Computers (ADUC), right-click the OU that contains the user accounts, go to "Properties", and click the "Group Policy" tab.

    4. Select the Policy in effect, click on "Edit". It will open "Group Policy Object Editor". Right click on "Administrative Templates" under "User Configuration" -> All Tasks -> "Add/Remove Templates" -> Click on "Add" -> Select "Outlk11.ADM" and click "Open" -> Click "Close".

    5. Expand "Microsoft Office Outlook 2003" under "Administrative Templates" -> Expand "Tools | Options" -> Expand "Preferences" -> Click on "Junk E-mail".

    6. In the right pane double click on "Specify path to Safe Senders list".

    7. Click on "Enabled" and under "Specify full path and filename to Safe Senders list" type the UNC path of the SafeSender.txt file (e.g. \\Server\JunkE-mail\SafeSenders.txt).

    8. Double-click "Overwrite/Append Junk Email Import List" to configure whether each user's own list is kept.

    9. Click on OK. Close "Group Policy Object Editor". Click OK again. Close Active Directory Users and Computers.

    10. Log on to client machine and edit the following registry entry:

     

    HKey_Current_User\Software\Microsoft\Office\11.0\Outlook\Options\Mail

    DWORD = JunkMailImportLists

    Value = 1

     

    Note: This registry key should be deployed to the client machines for successfully deploying the Safe Senders List. We can use Group policy again to deploy this key. The value of this registry key will turn back to zero after Outlook applies the safe sender list from group policy. So if you need to modify the list, please change the value to 1 again.

     

    11. Log off from the client machine and log on again.

    12. Launch Outlook. Now you can see the email addresses in the Safe Sender list.

     

    NOTE: The same procedure described above can be used to specify "Safe Recipients" and "Blocked Senders" list.

     

    We can also use the Custom Installation Wizard or the Custom Maintenance Wizard to deploy such lists. Please refer to the following article for more information.

     

    How to use the Custom Installation Wizard or the Custom Maintenance Wizard to customize user profiles to load default junk e-mail filter lists in Outlook 2003

    http://support.microsoft.com/?id=927470

     

    This article also applies to Outlook 2007. We can replace Outlk11.ADM with the Outlk12.ADM file from the "Microsoft Office 2007 Resource Kit".

  • EFS File Recovery

    Windows XP and Windows Server 2003 provide many enhancements in the area of data protection, especially Encrypting File System (EFS). This article covers some common issues and file recovery practices that help prevent encrypted files from becoming inaccessible.

    We often encounter problems when accessing encrypted files, for example being unable to access the data and getting permission-denied errors. To prevent EFS-related issues, it is necessary to be aware of some common problems before you make any changes to an EFS environment.

    Here we first list some common issues when trying to access an encrypted file:

    a.     Cannot access files after disjoining or joining a domain

    When joining a computer that has EFS encrypted files to a domain, move the keys from the local account profile to the new domain account profile for EFS access.

    b.    Cannot decrypt EFS files after resetting a password

    Change the user’s password back to what it was before the reset.

    c.     Cannot access remote EFS encrypted files from Windows 9x or Windows NT 4.0 clients

    By design, the server blocks pre-Windows 2000 machines from opening a remote encrypted file.

    d.    Access Denied error attempting to access EFS encrypted files

        Locate the private key for the appropriate certificate and import it onto this computer using the Certificates snap-in.  We recommend that you back up the recovery certificate (*.CER) and the private key files (*.PFX) to a safe location.

    In addition, before we implement EFS, it is necessary to designate other users or recovery agents in case there are problems with the original user who encrypted the file. The following users can access the encrypted file.

    1. The original user who encrypts the file

    2. Users being added to give cryptographic access to that file.

    Cryptographic access means the users are able to decrypt and encrypt the file, as well as add and remove other users. To add users to a file and give them cryptographic access to it:

    e.     Right click on the folder or file, click Properties

    f.     Click Advanced. Click to check “Encrypt contents to secure data”

    g.    Click the Details button to bring up the Encryption Details dialog.

    h.     Add users to transparently access the file

    3. Recovery Agents.

    The Recovery Agent is optional on Windows XP Professional and Windows Server 2003 in order to provide organizations with greater flexibility in implementing data recovery strategies. The domain Administrator is the default recovery agent. To assign a Data Recovery Agent:

    i.      Log on to a computer with the account that you are going to use as the EFS recovery agent.

    j.      Run MMC.exe and load Certificates for the current User.

    k.     Right click on the Personal Store. Click All Tasks, click Request New Certificate…

    l.      Choose the Recovery Agent certificate

    m.   Once you have the Recovery Agent certificate, export it to a .CER file (without the private key)

    n.     Copy the Cert to a DC

    o.    Open Active Directory Users and Computers. Edit your Default Domain Policy

    p.    Go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies

    q.    Right Click on Encrypting File System and click on Add a recovery agent

    r.      Choose Folders. Browse to the .CER file and finish the wizard.

    s.     This will add the Recovery agent to all machines once Group Policy processing is done

    The next time a new file is encrypted it will add the recovery agent to that file.

    To recover an encrypted file or folder if you are a designated recovery agent:

    a.     Use Backup or another backup tool to restore a user's backup version of the encrypted file or folder to the computer where your file recovery certificate and recovery key are located.

    b.    Open Windows Explorer.

    c.     Right-click the file or folder and then click Properties.

    d.    On the General tab, click Advanced.

    e.     Clear the Encrypt contents to secure data check box.

    f.     Make a backup version of the decrypted file or folder and return the backup version to the user.

  • Access Denied, or Other Access Failure to SMB Shares from Vista Clients

    Some of the fun we have in product support is that, once a new product is released nowadays, we get to navigate the uncharted waters of new security settings interoperating with our customers’ real world environments.

     

    With Windows XP and Server 2003 we saw that there were challenges brought about by the SMB signing and LMCompatibility level security settings. SMB signing is a way of guaranteeing the originator of the traffic, since it is signed by that node. LMCompatibility, put simply, is a way of telling your computer not to use less than a certain version of NTLM authentication, since older versions are less secure.

     

    Both of these are good things from a security perspective.  Frankly, if they are disabled or lessened, then your systems are less secure.

     

    But in the real world there are plenty of people who have old computers (Windows 9x, NT) that may not be compliant with enhanced security. These types of things may not always be disseminated well at a product's release, and we are forced to play catch-up. If you saw my post regarding TCP Auto-Tuning a few months ago then you've heard this tune before.

     

    LM Compatibility level is a way of setting your Windows computer to use only a specified level of LanMan authentication (NTLM).  This is done via a registry value which is noticed by the LSA at boot:

     

    hklm\system\currentcontrolset\control\lsa

     

    Why am I bothering to post about this “old hat” stuff? Well, Vista defaults to LmCompatibilityLevel = 3. This is more secure, but can cause problems with other products that do not interoperate smoothly with some of the more secure mechanisms, such as some Unix-based network file sharing devices. In fact, if you have an account lockout policy specified, you could end up locking out your user account if you ran into this when trying to connect to a file share on such a device.

     

    Based on our support experience, check whether the following symptoms apply:

    - Your problem occurs only when connecting to the resource from a Vista client, but may not occur from other operating systems

    - You do not specify a custom LmCompatibilityLevel setting in any of your group policies

    - The back end doesn't necessarily have to be a network file sharing device, but it is more likely to be

    - Network traffic will appear similar to that below (SMB negotiation details omitted for brevity):

     

         No.     Time                       Source                Destination           Protocol Info

        152 07:48:17.447552 34.52.40.213          34.224.36.2           SMB      Negotiate Protocol Request

        153 07:48:17.449232 34.224.36.2           34.52.40.213          SMB      Negotiate Protocol Response

        164 07:48:17.458380 34.52.40.213          34.224.36.2           SMB      Session Setup AndX Request, User: DOMAIN\user1; Tree Connect AndX, Path: \\LOCALFILESVR\IPC$

        182 07:48:20.410098 34.224.36.2           34.52.40.213          SMB      Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
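
The symptoms above can be checked mechanically against an exported packet summary. The following is an added example, not part of the original post: it pairs each Session Setup request with its response, counts STATUS_LOGON_FAILURE per account, and flags accounts close to an assumed lockout threshold. The sample trace, its addresses and names, the function name and the `lockout_threshold` parameter are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the column layout of the trace above (frame, time,
# source, destination, protocol, info). Addresses, names and frame numbers
# are placeholders, not values from the original capture.
SAMPLE_TRACE = r"""
101 07:48:17.447552 192.0.2.10 198.51.100.2 SMB Negotiate Protocol Request
102 07:48:17.449232 198.51.100.2 192.0.2.10 SMB Negotiate Protocol Response
103 07:48:17.458380 192.0.2.10 198.51.100.2 SMB Session Setup AndX Request, User: DOMAIN\user1; Tree Connect AndX, Path: \\FILESVR\IPC$
104 07:48:20.410098 198.51.100.2 192.0.2.10 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
105 07:48:21.100000 192.0.2.10 198.51.100.2 SMB Session Setup AndX Request, User: DOMAIN\user1; Tree Connect AndX, Path: \\FILESVR\IPC$
106 07:48:24.100000 198.51.100.2 192.0.2.10 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
107 07:48:25.100000 192.0.2.10 198.51.100.2 SMB Session Setup AndX Request, User: DOMAIN\user1; Tree Connect AndX, Path: \\FILESVR\IPC$
108 07:48:28.100000 198.51.100.2 192.0.2.10 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
109 07:48:29.100000 192.0.2.10 198.51.100.2 SMB Session Setup AndX Request, User: DOMAIN\user1; Tree Connect AndX, Path: \\FILESVR\IPC$
110 07:48:32.100000 198.51.100.2 192.0.2.10 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
201 07:50:01.000000 192.0.2.20 198.51.100.2 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
202 07:50:01.010000 198.51.100.2 192.0.2.20 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
203 07:50:01.020000 192.0.2.20 198.51.100.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: DOMAIN\user2
204 07:50:01.030000 198.51.100.2 192.0.2.20 SMB Session Setup AndX Response
"""

LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+SMB\s+(?P<info>.*)$"
)
USER = re.compile(r"User:\s*([^;]+)")


def find_logon_failures(trace, lockout_threshold=5):
    """Summarise SMB logon failures per (user, client, server).

    lockout_threshold is an assumed account lockout policy value; set it to
    the threshold configured in your own domain.
    """
    pending = {}                    # (client, server) -> user in last request
    failures = Counter()            # (user, client, server) -> failure count
    ok_clients = defaultdict(set)   # server -> clients that logged on

    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        src, dst, info = m["src"], m["dst"], m["info"]
        if info.startswith("Session Setup AndX Request"):
            u = USER.search(info)
            pending[(src, dst)] = u.group(1).strip() if u else "<unknown>"
        elif info.startswith("Session Setup AndX Response"):
            # The response travels server -> client, so swap the key order.
            user = pending.pop((dst, src), None)
            if user is None:
                continue
            if "STATUS_LOGON_FAILURE" in info:
                failures[(user, dst, src)] += 1
            elif "Error:" not in info:
                ok_clients[src].add(dst)
            # Other statuses (e.g. STATUS_MORE_PROCESSING_REQUIRED) are
            # intermediate legs of the exchange and are ignored.

    findings = []
    for (user, client, server), count in sorted(failures.items()):
        others_ok = ok_clients[server] - {client}
        findings.append({
            "user": user,
            "client": client,
            "server": server,
            "failures": count,
            # Matches the first symptom: this client fails, others do not.
            "only_this_client_fails": bool(others_ok)
            and client not in ok_clients[server],
            # One more failure would reach the assumed threshold.
            "lockout_risk": count >= lockout_threshold - 1,
        })
    return findings


if __name__ == "__main__":
    for finding in find_logon_failures(SAMPLE_TRACE):
        print(finding)
```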

     

    How can you work around this behavior?  Well, the best way would be to bring the same minimum level of security to all devices involved.  This can be a difficult thing to do when you are stuck with inherited infrastructure and a limited budget.

     

    If you can’t have all devices meet that minimum security then you will be forced to allow less secure authentication in order to get your business flowing. To do that, lower the LmCompatibilityLevel to a number that the other device can handle. Then reboot for that to take effect.

     

    Here’s a link to an article that goes into good detail about NTLM authentication and what the LmCompatibilityLevel setting does:

     

    http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/?related=/technet/technetmag/issues/2006/08/SecurityWatch

  • Stop 0x0000007F error on Windows XP or Windows 2000 that have security update 925902 installed

    Customers may experience a blue screen after they install security update 925902.

     

        You receive the following Stop error message on a blue screen:

    *** Stop 0x0000007f (0x00000000, 0x00000000, 0x00000000, 0x00000000)

    UNEXPECTED_KERNEL_MODE_TRAP

     

    This problem occurs when a printer driver makes a call that has invalid parameters to the Win32K.sys component. Microsoft has confirmed that this problem affects the following printer drivers:

          Ricoh LAN Fax Driver 

          Gestetner P7026n PCL 

          Ricoh Laser AP2600N PCL 

          HP LaserJet 9050 

          HP LaserJet 4200 

          HP 4050 PCL6 

    This problem has also been reported in relation to printing from SQL Reporting Services to a Printer Command Language (PCL) printer.

     

    For more details and the resolution of this issue, please refer to the article below:

     

    935843  Stop 0x0000007F error when you try to print from computers that are running Windows XP or Windows 2000 and that have GDI security update 925902 installed.

     

    http://support.microsoft.com/kb/935843/en-us

  • Installing Office 2007 Using Group Policy Software Installation

    The Office team published a great “how to” on installing Office 2007 using Group Policy. The Office 2007 Resource Kit includes this documentation. You can view it online at the Microsoft TechNet site. Here’s a direct link:

    http://technet2.microsoft.com/Office/en-us/library/efd0ee45-9605-42d3-9798-3b698fff3e081033.mspx?mfr=true

  • Outlook 2007 update - performance improvement on large PST/OST files

    The Office team has released an update for Outlook 2007 that addresses the performance problems customers have reported to us, especially when working with large .PST and .OST files. We highly recommend applying this patch on all systems with Outlook 2007 installed.

     

    Refer to the following KB article for more details about the problem that has been fixed in this update:

     

    932086 You may experience performance problems when you are working with items in a large .pst file or in a large .ost file in Outlook 2007

    http://support.microsoft.com/kb/932086/

     

    As this update is not available in Microsoft Update or Office Update, you may need to download it directly from the Microsoft Download Center at:

     

    Update for Outlook 2007 (KB933493)

    http://www.microsoft.com/downloads/details.aspx?FamilyID=c262bcfd-1e09-49b6-9003-c4c47539df66&DisplayLang=en

     

    Please note: If you are using Microsoft Outlook Business Contact Manager (BCM), there is a known issue. Refer to the following KB article for more information:

     

    935569 Error message when you start a 2007 Office program on a computer that is running Outlook 2007 with Business Contact Manager: "Office application version does not match"

    http://support.microsoft.com/kb/935569

     

    For more information about this update, refer to:

     

    933493 Description of the update for Outlook 2007: April 13, 2007

    http://support.microsoft.com/?kbid=933493

  • Windows Server 2003 SP 2 not installing due to corrupt catalogs

    Recently, we have been seeing a number of issues with Windows Server 2003 SP 2 not installing due to corrupt catalogs in the catroot. The installation may fail with the following popup error:

     

    Service Pack 2 Setup Error

    Failed to install catalog files.

    Select OK to undo the changes that have been made.

     

    Additionally, Windows Server 2003 SP2 may fail to install if there are too many hotfixes being installed.

     

    Actually, this problem is not SP2 specific. It’s not a new issue to us either. We have several resolutions documented in the following KB articles:

     

    822798 You cannot install some updates or programs

    http://support.microsoft.com/kb/822798

     

    925931 You may be unable to apply more updates at a certain point on a Windows Server 2003-based computer

    http://support.microsoft.com/kb/925931

  • How to Export and Import mailboxes to PST files in Exchange 2007 SP1

    Do you know how to export a mailbox that is larger than 2 gigabytes (GB) to a PST file? Do you know how to do that by using the new features in Exchange 2007 SP1? Check out this blog post for more details:

     

    How to Export and Import mailboxes to PST files in Exchange 2007 SP1

    http://msexchangeteam.com/archive/2007/04/13/437745.aspx

  • Improving Virtual server performance

    More and more customers are consolidating their servers through virtualization, and some of them raise performance issues with their virtual servers. This article covers the following topics.

     

    Improving virtual hard disk performance

    You can improve throughput for virtual hard disks by using the following techniques:

    Use a hard disk solution that allows fast access, such as a SCSI hard disk, a redundant array of independent disks (RAID), or storage area network (SAN).

    Put each virtual hard disk on a dedicated volume, SCSI hard disk, RAID, or SAN. It is easiest to put virtual hard disks together with their associated virtual machine configuration files on a RAID or SAN because this keeps everything in one place.

    Put virtual hard disks on a different physical disk than the host operating system. In particular, you want to put virtual hard disks on a different physical disk than the host page file.

    Compact virtual hard disks to free more physical disk space.

    For more information about improving virtual hard disk performance, see Optimizing virtual hard disks.

    Improving network performance

    You can improve network performance by using the following techniques:

    Distribute the networking load. If you are running multiple instances of Virtual Server, you can distribute the networking load between them in the same manner as you would with physical servers. To do this, run a mix of network-intensive and non-network-intensive applications on a single instance of Virtual Server.

    Add physical network adapters. For best performance, dedicate at least one physical network adapter to each virtual machine.

     

    Improving processor performance

    You can improve processor performance by using the following techniques:

    Adjust the CPU allocation for virtual machines according to their CPU requirements. You can use monitoring software, such as Microsoft Operations Manager (MOM), to ascertain CPU utilization for each virtual machine. For more information about adjusting CPU allocation, see Configuring CPU resources for virtual machines.

    Improving Virtual Server performance

    You can improve the performance of Virtual Server by making the following configuration changes on the host operating system:

    Increase the acceleration of your graphics hardware to full, as follows. On the Display control panel, click the Settings tab, and then click Advanced. Click the Troubleshoot tab, and then move the Hardware acceleration slider to Full.

    Disable all unnecessary pointer options, such as pointer trails and shadow cursors, as follows. On the Mouse control panel, click the Pointer Options tab, and clear the check boxes of any options that you do not need.

    Optimize system settings for performance, as follows. On the System control panel, click the Advanced tab. Under Performance, click Settings, and then click Adjust for best performance. Click the Advanced tab, select Background services, and then click OK twice.

    You can improve the speed with which the Administration Website Master Status page displays and refreshes by hiding the virtual machine thumbnails that appear under Remote View. You can do this by clearing the Remote View check box on the Administration Website Properties page.

     

    For more information, including the Virtual Server operations guide, please visit the Virtual Server 2005 Technical Library.

  • Using the Exchange Management Shell for Bulk Recipient Management

    There has been a big change in recipient management from Exchange 2003 to Exchange Server 2007. Recipient management is the second biggest administration component of Exchange 2007 and ranks as a top Exchange component in incident volume and supporting labor.

     

    In Exchange Server 2007, you can do most of your recipient management tasks in both the Exchange Management Shell and the Exchange Management Console. For tasks that involve single recipients, it is usually simpler to use the Exchange Management Console (unless you are immune to typos). However, when you are trying to configure multiple recipients, there simply is no alternative to the power and ease of using the Exchange Management Shell. A new article was recently released that aims to help customers deal with bulk exchange recipient management more efficiently. Please click the link below to view this article at TechNet for details:

     

    Using the Exchange Management Shell for Bulk Recipient Management

    http://technet.microsoft.com/en-us/library/bb310752.aspx

  • Customizing the Look of Outlook Web Access

    In some instances, organizations may want to put their logo and logon page on Outlook Web Access.  Now it is easy to customize Microsoft Outlook Web Access by using your organization's logo and colors. Customizing Outlook Web Access is a great way to help build an identity for your organization into a tool on which many users rely and to impress your users and management.

     

    The following article shows you how to customize the logon, language selection, and logoff pages, and how to create a theme by using a custom header.

     

    Customizing the Look of Outlook Web Access

    http://technet.microsoft.com/en-us/library/bb310750.aspx

  • Latest Hotfix Adds Two New Features to Cluster

    File Share Witness

    The file share witness feature is an improvement to the current Majority Node Set (MNS) quorum model. This feature lets you use a file share that is external to the cluster as an additional "vote" to determine the status of the cluster in a two-node MNS quorum cluster deployment.

    Consider a two-node MNS quorum cluster. Because an MNS quorum cluster can run only when a majority of the cluster nodes are available, a two-node MNS quorum cluster is unable to sustain the failure of any cluster node. This is because the majority of a two-node cluster is two. To sustain the failure of any one node in an MNS quorum cluster, you must have at least three devices that can be considered as available. The file share witness feature enables you to use an external file share as a witness. This witness acts as the third available device in a two-node MNS quorum cluster. Therefore, with this feature enabled, a two-node MNS quorum cluster can sustain the failure of a single cluster node.

     

    Configurable Cluster Heartbeats

    The configurable cluster heartbeats feature enables you to configure cluster heartbeat parameters. This may help you avoid unnecessary cluster failovers. These failovers occur because of a temporary network problem that may cause packets to be dropped or delayed. The configurable cluster heartbeats feature may help in an environment where cluster nodes are geographically dispersed.

     

    For details, please refer to the KB article listed below:

     

    http://support.microsoft.com/kb/921181

    An update is available that adds a file share witness feature and a configurable cluster heartbeats feature to Windows Server 2003 Service Pack 1-based server clusters

     

  • Set the service account of Live Communications Server as “Password Never Expires”

    After Live Communications Server is deployed in Active Directory, the LCS service may stop working once the password of the service account has expired. When this happens, users may find that they are unable to log in to Live Communications Server. Also, when the administrator tries to restart the LCS service, the service does not start.

     

    A similar problem can also occur for the Communicator Web Access service when the service account password has expired.

     

    We can set the service accounts as “Password Never Expires” as a prevention method. This way, we can avoid the symptoms mentioned above.

  • Connectivity issue after Windows Server 2003 Service Pack 2

    You cannot host Transmission Control Protocol (TCP) connections when Receive Side Scaling is enabled in Microsoft Windows Server 2003 with Service Pack 2 (SP2). The TCP connections are reset.

     

    This problem occurs if you use Network Address Translation (NAT) and if the host computer is configured to be an Internet Connection Sharing host server computer, for example Microsoft Internet Security and Acceleration Server running on Windows 2003 Service Pack 2.

     

    This problem may also occur when you use Windows Server 2003 Service Pack 1 (SP1) together with the Windows Server 2003 Scalable Networking Pack.

     

    To work around this problem, disable Receive Side Scaling when the computer is configured as an Internet Connection Sharing gateway, for example Microsoft Internet Security and Acceleration Server running on Windows 2003 Service Pack 2.

     

    For more detailed information on how Receive Side Scaling works and how to disable it, please refer to this knowledge base article:

    http://support.microsoft.com/?id=927695
  • Support Lifecycle

    Support for the following products ends on 10-Apr-2007

    - Windows Server 2003 Service Pack 0 (RTM)

    - Windows XP Embedded Service Pack 1

    - Internet Security and Acceleration Server 2004 Service Pack 1

  • Missing NTUSER.DAT in default user folder causes Windows Update Error

    Symptom

    ========

    You may receive 0x80070003 errors when installing Windows updates.

    In the Windows Update.log file, you can find error information like the following:


    2007-03-17 12:14:47:639 6128 a54 Handler Post-reboot status for package
    Package_for_KB932246~31bf3856ad364e35~x86~~6.0.1.2: 0x80070003.
    2007-03-17 12:14:47:639 6128 a54 Handler WARNING: Got extended error:
    "POQ Operation LoadDefaultUserHive"

     

    Cause:

    =======

    This error can happen if the ntuser.dat file is missing from the \user\default folder. Some users have deleted it, or it is missing for some other reason.

     

    Solution:

    =======

    The solution is very simple: create that folder if it is missing and copy an ntuser.dat file into the default user folder from another machine.
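
The log signature described above can be searched for across many machines' logs. The following is an added example, not part of the original newsletter: it rejoins wrapped log entries, pairs each post-reboot package status with the extended error that follows it, and reports packages that failed with 0x80070003 and "LoadDefaultUserHive". The first two entries of the sample are the lines quoted above; the last two, and the function names, are constructed for illustration.

```python
import re

# First two entries: the log lines quoted on this page.
# Last two entries: constructed, with a placeholder KB number.
SAMPLE_LOG = """\
2007-03-17 12:14:47:639 6128 a54 Handler Post-reboot status for package
Package_for_KB932246~31bf3856ad364e35~x86~~6.0.1.2: 0x80070003.
2007-03-17 12:14:47:639 6128 a54 Handler WARNING: Got extended error:
"POQ Operation LoadDefaultUserHive"
2007-03-17 12:14:48:102 6128 a54 Handler Post-reboot status for package
Package_for_KB0000000~31bf3856ad364e35~x86~~6.0.1.0: 0x00000000.
2007-03-17 12:14:48:110 6128 a54 Handler WARNING: Got extended error:
"Constructed unrelated message"
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}:\d{3}\s")
STATUS = re.compile(
    r"Post-reboot status for package\s+(?P<pkg>\S+):\s*(?P<hr>0x[0-9A-Fa-f]{8})"
)
EXTENDED = re.compile(r'Got extended error:\s*"(?P<msg>[^"]*)"')
KB = re.compile(r"KB\d+")


def join_wrapped(text):
    """Merge continuation lines (no leading timestamp) into their entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def find_default_hive_failures(text):
    """Return packages that failed with 0x80070003 + LoadDefaultUserHive."""
    records, last = [], None
    for entry in join_wrapped(text):
        status = STATUS.search(entry)
        if status:
            kb = KB.search(status["pkg"])
            last = {
                "package": status["pkg"],
                "kb": kb.group(0) if kb else None,
                "hresult": status["hr"].lower(),
                "extended": None,
            }
            records.append(last)
            continue
        extended = EXTENDED.search(entry)
        # Attach the extended error only to the status line just before it.
        if extended and last is not None and last["extended"] is None:
            last["extended"] = extended["msg"]
    return [
        r for r in records
        if r["hresult"] == "0x80070003"
        and r["extended"] is not None
        and "LoadDefaultUserHive" in r["extended"]
    ]


if __name__ == "__main__":
    for hit in find_default_hive_failures(SAMPLE_LOG):
        print(hit["kb"], hit["hresult"], hit["extended"])
```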

  • ITMU version lower than v3 will not detect latest software updates

    As mentioned before in the newsletter, ITMU (SMS 2003 Inventory Tool for Microsoft Updates) should be upgraded to version 3 now, as lower versions will not detect new software updates from March 2007. This has recently become a hot issue, and some customers may still not be aware of it, so it is necessary to notify them again.

     

    Why should ITMU upgrade to v3? Please refer to ITMU v3 General FAQ

    For more ITMU v3 and upgrade information, go to ITMU Overview, What’s New in ITMU Revision 3

  • Systems Center Operations Manager 2007 Resource on Website

    With the release of Systems Center Operations Manager 2007, some related resources are becoming available on the website.

     

    Systems Center Operations Manager 2007 documentation:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=d826b836-59e5-4628-939e-2b852ed79859&DisplayLang=en

     

    System Center Operations Manager 2007 Instructional Videos:

    These three to four minute demos offer helpful screenshots and narrations to address product FAQ’s from a how-to perspective. 

    http://www.microsoft.com/technet/prodtechnol/mom/opsmgr/webcasts.mspx