With a baseline understanding of how Group Policy functions in a Windows Active Directory Domain environment, Microsoft Exchange 2003 administrators can look at how Group Policy, GPOs, and templates can be leveraged to enhance the ability to manage applications like Microsoft Outlook 2003 in the enterprise. Working with predefined Group Policy templates available from Microsoft, administrators can now manage areas and control access and changes, ranging from restrictions and preventing configuration modifications to controlling the look and feel that affects the overall user experience when working with application software. In this section, we will review the tools and options for managing an application such as the Microsoft Outlook 2003 client software, specifically using Group Policy and predefined templates. We will also explore the options available with Group Policy when deploying and working with the Outlook client, Outlook Group Policy templates, and the steps for configuring administration privileges for managing the Exchange client through Group Policy. Outlook Client Policy OptionsTo further enhance the management functionality when working with an application like the Outlook 2003 software, the Office Resource Kit (ORK) provides a predefined template for managing Outlook clients using the Group Policy functionality of Windows domains. Called Outlk11.adm, this template enables administrators to centrally manage and configure many of the preferences and security functions normally required to be configured at each individual Outlook client. Using Outlk11.adm, administrators can fully manage and configure the following areas:
Adding the Outlook Administrative TemplateBecause the additional administrative templates are not installed by default when Windows Server 2003 is installed, administrators must download or install the Outlook administrative template manually. Available on the ORK, Outlk11.adm is placed on the local drive of the systems where the ORK is installed. To begin setting up the Outlook administrative template, start by installing the GPMC on the domain controller where the policy will be administered. Next, install the Microsoft ORK on a system where the template can be accessed from a domain controller for import into the Domain Group Policy. Tip The Office 2003 Resource Kit can be downloaded from the Microsoft Office Web site at http://www.microsoft.com/downloads. After the ORK is installed, the Outlk11.adm file is automatically extracted and placed in the C:\Windows\Inf directory (where C: represents the drive where the Windows installation resides) on the local system drive where the ORK was installed. To import the Outlook security template Outlk11.adm into the Domain Group Policy using the Group Policy Management Tool, use the following steps: Tip When importing the Outlk11.adm security template, it is best to import the template to the Default Domain Group Policy.
You should now see the Microsoft Outlook 2003 template under the Administrative Templates folder in the Group Policy Editor. Assigning Group Policy DelegatesAlthough Group Policy has traditionally been the management task of Windows domain administrators, with delegation, permissions can be assigned to additional resources and accounts to manage Microsoft Outlook clients. Using the Delegation Wizard of the GPMC, accounts can assign and delegate rights to add, modify, and delete Group Policy Objects. It is important to delegate the proper rights for administrators to manipulate Outlook 2003 group policies. Using the delegation option of the GPMC, administrators can assign a very small group of users permission to edit Outlook policies at the domain level. To enhance this functionality, it is also possible to allow diverse groups of administrators to configure group policies at lower levels of the Active Directory domain tree. When assigning permissions, administrators can delegate the following rights:
How to Delegate Rights over GPOsTo understand the steps required to assign rights over GPOs, let's look at the following scenario to assign one Active Directory account permission at the domain level. The rights that will be assigned to the account will be the Edit Group Policy Objects Only permissions. To begin, open the GPMC by selecting Start, All Programs, Administrative Tool, Group Policy Management. Then follow these steps:
The account has now been assigned rights to edit the domain-level GPO. Review the information and test settings to ensure that the permissions have been applied correctly. Managing Group Policy ConfigurationsThrough Group Policy, Outlook configuration settings can be configured and applied differently depending on how the GPO is applied. Exchange administrators can not only centrally manage one group of Outlook clients, but they can configure and apply a completely different set of options enforced on a different group or OU in the domain by following these steps:
Tip When linking the GPOs, access to the GPMC can be obtained through the Active Directory Users and Computers (ADUC) snap-in. Select the properties of the domain you are working with and select the Group Policy tab. Defining Baseline Outlook PreferencesOne option that group policies enable organizations to accomplish when managing an application like the Outlook client is the ability to design, develop, and implement a baseline configuration for every client configuration in use. Often, this was not an option because of the exhaustive amount of administration involved, along with the inability to secure configurations from modification. With the option of standardizing configuration for all Outlook client systems, administrators must wonder which options can be configured to improve the productivity and functionality of the network client for every user. Using the Group Policy Object settings to define simple Outlook configuration settingssuch as Saving Sent Items, Spell Checking Messages Before Sending, and Auto Archive Settingscan not only improve the functionality of the Outlook client, but can also reduce administrative management overhead when supporting workstations and users. Email OptionsSome of the most useful email options available when configuring settings using Group Policy include the following:
Calendar OptionsIn addition to the email options available, the following calendar options can be defined to establish a base functionality for all Domain Outlook users:
Contact OptionsOne interesting setting is the option in the Outlook security template for contacts. Administrators can define how each contact will be filed and displayed. For example, the Display Name can be set as First, [Middle], Last Name, and the File As option for the contact as Last, First. There are many options available when configuring the Outlook client. Review the options and descriptions for each before applying settings and changes to the Outlook Group Policy Objects. Managing the Look and Feel of the Outlook ClientAnother powerful function of using group policies is the ability for an administrator to define the look and feel of the Outlook client. Administrators can now configure options to create a specific look and feel when using Outlook. Group Policy preferences can be defined to customize the look of the Outlook client. Options can be set to allow users access to information Web sites and SharePoint Portal Server sites, providing an enhanced user's experience and data access option not previously available. Web Options OverviewUsing the Preferences options of the GPO, settings can be defined to integrate and redirect Outlook users to valuable Web data using technologies such as Microsoft SharePoint Portal and Internet Information Services:
Configuring and Applying Outlook Group Policy SettingsWith all the information gathered in the previous sections, administrators can now apply settings and configuration options using the GPMC and Outlook 2003 security template. To better understand the settings for applying a group policy, review the following mock installation scenario. In this scenario, you create and apply a standard set of preferences to create an Outlook client baseline configuration for one OU in the Active Directory domain. As described earlier, one additional setting is applied to redirect the client's Outlook Today setting and direct users to a company Internet home page. To begin, open the GPMC by selecting Start, All Programs, Administrative Tools, Group Policy Management and then follow these steps:
From this point, you can begin to enable options and apply preferences to the GPO. After options are enabled, they appear in the GPMC to be tested through RSoP and applied to the OU. In this scenario, you apply the HTML/Microsoft Word Email Editor options and redirect the Outlook Today page to point to a Web page called www.CompanyABC.com. To apply these settings, complete these steps:
When the configuration is completed, it is good practice to back up the configuration and ensure that all the settings are enabled on the GPO by selecting Action/GPO Status. Customizing Administrative Group Policy TemplatesBeyond using the custom and default templates, it is possible for you to create your own customized Administrative template to enforce a Registry change. The changes appear in the Group Policy GUI format and can be configured through the GPMC or ADUC the way normal Group Policy would be configured. Customized templates can be very useful in a highly customized environment or one where the default choices are not sufficient. To best determine how to write a custom template, you must first consider what you are trying to control or change. You must also discover whether the Registry change is in the User or Computer hive area and then also note the actual Registry path and Registry value. After you have determined these items, coding a new basic administrative template is not too complex. Administrative templates vary from the very basic to the extremely complex (look at the common.adm that is installed with Windows 2003). However, they can be extremely useful tools with which to customize any environment using Group Policy. |