Restrict Outlook Access Only To Domain Joined PCs?

We have contractors that use their employers' laptops to access various LAN resources on our network such as access to shared network drives, printers, Remote Desktop and access to our Intranet sites.  They have mailboxes on our Exchange servers and we would like their mailbox access to be restricted to EAS and OWA, not Outlook unless they are using one of our domain-joined computers.
The main reason for this is to restrict these users from downloading their mailbox contents into a personal folder.  We can create PST restrictions on our domain-joined PCs via group policy, but these policies would not apply to computers not joined to our domain.
Of course we would also like to prevent Outlook access to their mail from their home PCs that they may have installed Outlook on, but we still need seamless remote access to Outlook on domain-joined laptops used remotely.
How can this be done?

PS -- Andy are you going to MEC ?
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog:
http://blogs.technet.com/rmilne 
I will be there with bells on!

Similar Messages

  • Create a certificate for non domain-joined PCs

    We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined PCs look to the CA to get their trusted certificate from.
    This is the issue I am encountering:
    Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
    However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
    "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
    "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!

    It sounds like the question you are really asking is: how do I designate the internal root CA as a trusted root CA?
    Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt)
    This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
    Run Certutil -addstore CA IssuingCA.crt 
    Brian
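
    The certutil import above places permanent machine-wide trust in whatever file it is given, so the following added example (not part of the original thread) checks the file first and only then performs the same import. It assumes an AD CS root that carries a Basic Constraints extension, and the expected thumbprint is a value you obtain from the CA administrator out-of-band; the parameter names are this example's own.

    ```powershell
    # Added example: verify a root CA file before trusting it machine-wide.
    # Run from an elevated PowerShell prompt on the non-domain-joined client.
    param(
        [string]$Path = '.\RootCert.crt',     # file name used in the answer above
        [Parameter(Mandatory)]
        [string]$ExpectedThumbprint           # assumption: supplied out-of-band by the CA administrator
    )

    $ErrorActionPreference = 'Stop'
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    $problems = @()

    # 1. The file must be the certificate the CA administrator published.
    #    Strip spaces and stray characters that come along when copying from the certificate dialog.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        $problems += "Thumbprint mismatch: file has $($cert.Thumbprint)"
    }

    # 2. A root is self-signed; an issuing CA certificate belongs in the CA store instead.
    if ($cert.Subject -ne $cert.Issuer) {
        $problems += "Not self-signed (issuer: $($cert.Issuer)); import it with -addstore CA, not root"
    }

    # 3. Basic Constraints must mark it as a CA.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $problems += 'Basic Constraints does not mark this certificate as a CA'
    }

    # 4. It must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        throw "Refusing to import $fullPath into the Trusted Root store."
    }

    # Same effect as: certutil -addstore root RootCert.crt
    Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Confirm the store now holds exactly the certificate that was checked.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $expected } |
        Select-Object Subject, Thumbprint, NotAfter
    ```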

  • Restrict program access ( only three user at a time)

    Hi
    I want to restrict the program to only two users at a time (without using authorization object).
    Thanks & Regards,
    K.Gunasekar.

    Just an idea:
    Create a table with one column to store the userid. Each time the program is started, you execute a SELECT COUNT( * ) on that table and EXIT from your program as soon as the table contains more than 2 entries. In case the table does not contain more than two entries, you can proceed after adding the SY-UNAME to that table. At the end of the program you have to delete SY-UNAME from that table.

  • Restricted/View Access Only - User

    Hi,
    I have a need to create a user account on our ASA (8.x code) device but only allow them read access; particularly, view the overall config and interface statistics.
    I have tested with an account, but my attempts at setting the privilege level seem to be ineffective at restricting access. How might I accomplish this task?
    thanks,
    Jim

    Jim, you should get it working after referencing this thread.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB?cmd=display_location&location=.2cc2c575/4
    If you still have issues, let us know.
    B.regards

  • Do SCCM clients need to be domain joined for Windows Patch Deployments

    Hi,
    We have SCCM 2012 R2 deployed in an environment with both workgroup and domain joined machines. Currently only the domain joined machines have the SCCM client installed. We were thinking of bringing patching into SCCM rather than WSUS but were wondering if we install the SCCM client on workgroup machines do they need to be domain members to work or do they just need to be able to resolve the SCCM server? Basically, I'm looking for confirmation that we can patch non-domain joined machines via SCCM.
    Thanks,
    Simon

    Here's a nice blog post that adds some gotchas and additional detail:
    http://blogs.technet.com/b/configurationmgr/archive/2014/07/01/managing-workgroup-clients-in-system-center-2012-configuration-manager.aspx
    Ultimately, ConfigMgr doesn't care if systems are domain joined or not but there are some nuances and caveats that must be accounted for. 
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Domain Joining Related

    Hi Dear,
    I would like to know, whenever I am joining a new PC to the existing domain, do I need to enable the remote settings (allowed) on that PC or not.
    Please assist.
    Regards, Ravi Kumar

    Hi
    You need to manually allow RDP access on each domain joined PC or you can Create a Group Policy to enable it.

  • Problems connecting a non-domain joined outlook to exchange

    Hello,
    I'm having issues configuring Outlook (be it 2007, 2010 or 2013, all fail the same) on non-domain joined computers in the LAN to an Exchange 2013 server.
    I select manual config, in server we put "mail.domain.local" and user "domain\user" and it bounces with "cannot complete action, the connection to exchange is not available, outlook must be online".
    We tried with external full email address, nothing.
    Tried setting the Outlook Anywhere proxy, same; tried using IP address, same.
    It simply refuses to configure.
    Any ideas?

    Hi,
    Generally, the external non-domain joined computers can connect to Exchange 2013 by using Outlook Anywhere and the Autodiscover service to auto-setup the Exchange account.
    If the auto-setup for Exchange account fails, please check the Autodiscover service and Outlook Anywhere configuration by the following command:
    Get-OutlookAnywhere | FL
    Directly access the following URL in IE respectively, and check whether an Error 600 returns:
    Https://autodiscover.domain.com/autodiscover/autodiscover.xml
    Https://mail.domain.com/autodiscover/autodiscover.xml
    Please make sure the ExternalHostName parameter for Outlook Anywhere is configured to your external namespace for Exchange 2013 (for example: mail.domain.com).
    In Exchange certificate, please make sure the namespace mail.domain.com is included in your trusted certificate which is assigned with IIS service.
    For manual Exchange account setup, please run the following command to get the mailbox GUID for server name configuration:
    Get-Mailbox UserA | FL Identity,ExchangeGuid
    Then go to Control Panel > Mail to configure the Outlook profile. In Server Settings, import the [email protected] into the Server box and click Check Name to have a try.
    Regards,
    Winnie Liang
    TechNet Community Support

  • How to restrict AS02 access to certain fields only

    How to restrict AS02 (Asset Master Record) access to certain fields only. Currently when you assign AS02 to a certain user, this will enable the user to change all the fields in the asset master record. Suppose I want to restrict the user's access to a certain field only, e.g. NDJAR (Life in Yrs).
    Thanks for your inputs.
    Regards,
    Robert

    hello,
    basis has to assign the proper activity with object A_S_ANLKL. in this case they have to allow activity 03 only with combination of Cocode,asset class. see some more details below.
    This authorization object is the first part of the object "asset master record."
    The definition at this level determines whether the user is authorized to process data in a given company code. The activity type for the transaction is also defined here. This authorization object is used for master data transactions, for the display of value fields, and for reporting.
    Defined Fields
    The following fields are assigned to the authorization object
    Asset class (specified by entering a value in the pop-up window)
    Company code (specified by entering a value in the pop-up window)
    Activity type - there are three different activity types:
    01 = Create
    02 = Change (including blocking and deleting)
    03 = Display

  • Restricting the user to access only one view in our database

    A user wants to create a database link , so that he can view one of our views. We want to restrict permission, so that he can access only that view, and not any of our tables. What is the best way to proceed?
    Thanks in advance,
    Gayatri

    Pl do not post duplicate threads - Restricting the user to access only one view in our database

  • ISE - Restrict Full WiFi Access only to Authorized Devices

    Hi All,
    We have a WLC HA (Code 8.0.100.0) setup with an ISE pair (version 1.2) , and all that works fine.
    Currently ISE is configured to authenticate users from AD. Our corporate SSID is setup with WPA2+AES with 802.1x PEAP authentication, so users can connect Wifi from their devices after they put in their AD credentials.
    We would now want to Restrict our Internal network Access through WiFi only to Authorized Devices like company issued Laptops/Tablets etc. For all the other devices like Personal Smartphones/Tablets/Laptops users can only have Internet Access only if they are Authenticated/Authorized to do so.
    For the Rest of the devices like Printers, Apple TV's etc we already have a separate SSID running on which we are doing Mac Filtering through WLC, so none of the browser less devices would be connecting to the Corporate SSID.
    Assuming We have the Mac Addresses of all the company issued devices Laptops/Tablets (Most of which are Apple Devices), what is the best approach to go about this utilizing ISE.

    Yes, I am evaluating MDM solutions too, but budget being a constraint I am not sure if that would be approved or not.
    There is a lack of free MDM solutions which can be integrated with ISE. I did find Meraki's Systems Manager worth a shot, but I guess the free version does not integrate with ISE, unless you go for the Enterprise Version. There were a few rumors that ISE 1.4 is coming up with inbuilt MDM.
    For now I will go ahead and import the mac address database to ISE in an Identity Group called Corporate-Devices and will edit the auth profile to check for the Identity Group Along with AD.

  • How to restrict a User to access only 2-3 views in MM01/MM02 ???

    Hi,
    Can anyone tell me how can I restrict a User to access only 2-3 views in MM01/MM02 and also the User should not be allowed to change the View selection by clicking on the Select Views button ?.
    Regards,
    Lucky

    Hi Prashant,
    Can this only be done through changes in Authorization Objects ? Is not there any setting which can be done in SPRO for this ?
    Hi Sheshagiri,
    I could not exactly understand how the access to MM Views can be restricted to User through TCode OMT3B i.e. in SSeq. 01 and Screen 07 ? Subscreen 2154 is for Mat. Groups ? Please explain your answer in detail.
    Regards,
    Lucky

  • Windows 2012 R2 ADRMS domain controller version and Non-domain-joined Mac Client with outlook 2011

    Hi,
    What is the AD version for Windows 2012R2 ADRMS?  Is it possible to have Windows 2003 R2 DC with Windows 2012R2 ADRMS?
    Any installation guide Non-domain-joined Mac Client with outlook 2011?
    What is the SQL version for Windows 2012R2 ADRMS?
    Please advise.  Thanks.
    Kelvin Teang

    Hi Kelvin -
    There is no RMS Client for Macs.  That functionality is actually provided through the Office for Mac application (this is different compared to the PC).  Domain-joined clients will autodiscover the RMS server and should be able to create and consume protected content.  Non-domain-joined clients cannot automatically discover their RMS server.  In this scenario, prepare a protected document or email from a domain-joined machine and send it to your non-domain-joined users.  They will open the document or email up and the URLs contained in the publishing license of the document will direct them to the correct RMS server.
    I hope that helps!
    Micah LaNasa
    Synergy Advisors
    synergyadvisors.biz

  • Restricting Access only for APPS account using SQLNET

    Dear Friends,
    Recently we have an incident that a functional consultant has cracked the Apps password. I don't know how.
    Now what we are planning is to restrict the database access to only the dba team using sqlnet.ora file and its tcp.validnode_checking parameter.
    However, the problem is that we want to continue the APPSRO(which is an Apps Read Only Account) access to them.
    Is there any way possible to restrict access only for a particular database user account using sqlnet.ora
    please help.
    Thanks.

    No (and even if it exists, I believe this does not fix the main issue with the apps password which could be cracked again).
    The proper way would be changing the apps password and meet the security requirements in these docs.
    Secure Configuration Guide for Oracle E-Business Suite 11i [ID 189367.1]
    Secure Configuration Guide for Oracle E-Business Suite Release 12 [ID 403537.1]
    FNDCPASS Utility New Feature: Enhance Security With Non-Reversible Hash Password [ID 457166.1]
    Thanks,
    Hussein

  • FAGLB03 - Restrict user access to view only two GL accounts.

    We want certain users to access only two GL accounts using transaction FAGLB03. Any help will be highly appreciated.

    Hi
    I do not think we have any authorization object based on GL Account value for T Code FAGLB03. However, you could probably write an FI validation rule based on GL Account No and user id. You can maintain the user id in a set
    Prerequisite
    Company Code = XXXX and System T Code = FAGLB03 and GL Account = XXXXXX
    Check User ID = ABCD
    If the check fails, system should throw an error message
    Regards
    Sanil Bhandari

  • Is there a way to restrict Outlook Anywhere by IP Address

    We are currently able to restrict OWA to certain Public IP's so workers in remote offices can login.  Is there a way to do that for Outlook Anywhere as well?  
    OptfinITy Support Staff

    Hi,
    You can block Outlook for external users by setting IIS IP Domain restrictions on the Server by allowing only internal IP ranges and denying All on the RPC Website.
    More details:
    HOW TO: Restrict Site Access by IP Address or Domain Name
    http://support.microsoft.com/kb/324066/en-us
    We can also use following command to define whether clients can connect to Outlook by using Outlook Anywhere.
    Set-CASMailbox -Identity Alias -MAPIBlockOutlookRpcHttp $True
    More details:
    http://technet.microsoft.com/en-us/library/bb125264(v=exchg.141).aspx
    Thanks
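
    The Set-CASMailbox setting from the answer above is per mailbox, so for a set of contractor accounts it has to be applied and audited across the whole group. The following added example (not part of the original thread) does that from the Exchange Management Shell; the group name Contractors and the script's parameters are assumptions of this example.

    ```powershell
    # Added example: apply the Outlook Anywhere block to every mailbox in a group
    # and report the resulting client-access state.
    # Run in the Exchange Management Shell.
    param(
        [string]$Group = 'Contractors',   # hypothetical distribution group holding contractor mailboxes
        [switch]$Apply                    # without -Apply the script only shows what it would change
    )

    $ErrorActionPreference = 'Stop'

    # Only user mailboxes are relevant; contacts and nested groups are skipped.
    $mailboxes = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' })

    foreach ($mbx in $mailboxes) {
        $cas = Get-CASMailbox -Identity $mbx.DistinguishedName
        if (-not $cas.MAPIBlockOutlookRpcHttp) {
            # Same setting as the one-liner in the answer, applied only where it is missing.
            Set-CASMailbox -Identity $mbx.DistinguishedName `
                -MAPIBlockOutlookRpcHttp $true -WhatIf:(-not $Apply)
        }
    }

    # Audit: Outlook Anywhere should be blocked while OWA and EAS stay enabled.
    $mailboxes |
        ForEach-Object { Get-CASMailbox -Identity $_.DistinguishedName } |
        Sort-Object Name |
        Select-Object Name, MAPIBlockOutlookRpcHttp, OWAEnabled, ActiveSyncEnabled |
        Format-Table -AutoSize
    ```

    Because the flag is set on the mailbox and not on the device, it blocks Outlook Anywhere for that user from every computer, domain-joined or not.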
