Steven JW Kennedy

My Blog

Archive for February, 2011

YLSNED: You Learn Something New Every Day

Posted by Steven Kennedy on February 28, 2011


Seems that this is a known acronym. I’ve decided to use it because I already have two posts whose titles are You learn something new every day and You Learn Something New Every Day. This could get confusing, so I’m going to prefix each one with YLSNED: and then a unique title. Hopefully this will make it easier to identify each of the entries.

Posted in General

YLSNED: Kindle ‘Share’ button

Posted by Steven Kennedy on February 24, 2011


I was reading a book on Cloud Security and Privacy on my Kindle today and there was a section that I wanted to make a note about, but I didn’t have my laptop with me, or a note pad. I thought about using my ‘droid to take the note but I remembered that the Kindle allows you to highlight sections, so that’s what I did.

In doing so I saw that there was a button to Share the highlight and the note associated with it. When I clicked on the Share button I was given the option of sharing via Twitter or Facebook. I chose Twitter. I then had to link my Kindle to my Twitter account.

Once I’d completed the link I went back to the eBook I was reading and went through the sharing process again, only to run into an issue. It wouldn’t let me! Turns out you can only make use of this feature for books that you’ve purchased via Amazon. The one I was reading I’d loaded on to my Kindle myself; it’s an eBook from O’Reilly that I converted to Kindle format.

So the good news is you can ‘Share’ comments and notes from the Kindle via Twitter. The bad news is you can only use it for books obtained from Amazon.

You can see an example of the Tweet below, followed by a screen shot of where the tweet link takes you.

Tweet

Kindle - Sharing via Twitter

Posted in Kindle

Aaargh!

Posted by Steven Kennedy on February 24, 2011


I’ve a Microsoft Rights Management Service server set up on my home network. I have it working with Office 2010 and Exchange 2010. Then I found a reference on-line to the fact that RMS could be made to work with Office for the Mac 2011. So I followed the instructions and I can open and read RMS protected Office documents, but the icon to set permissions is grayed out. That’s when I found the following reference in the Word:Mac Product Guide:

Creating IRM-protected documents with Office for Mac 2011 requires the volume license edition of Office 2011, as well as a Rights Management server running Windows Server 2008 R2 SP1. Opening IRM-protected content to which you have been given access can be done from any edition of Office for Mac 2011 or from Office 2003 for Windows or later.

The version I have is the ordinary retail version of Office for Mac 2011. So I can open and read protected documents but I cannot create them. I have a TechNet account and I checked the version available there and it’s Office for Mac 2011 Home and Business, the same version as I already have. Guess I’m not going to be testing RMS with the Mac anytime soon.

Crying face

Posted in AD RMS, Apple Macintosh

Using the Exchange Simple Display Name

Posted by Steven Kennedy on February 23, 2011


A couple of years ago I found that it was possible in an Exchange Server 2003 environment to change the display name that external users see on your email to the Simple Display Name, rather than the Display Name that appears in the GAL. Unfortunately this ‘feature’ went away in Exchange 2007, at least initially; it came back in a Service Pack update, SP 1 RU4 or later I believe, but you should check to make sure.

When I was working on my home setup, which uses Exchange 2010, I came across the Simple Display Name field again and it occurred to me to check to see if Exchange 2010 supported this capability. I did an Internet search and lo and behold I found the steps required to turn this capability on, only they didn’t work!

Not only did the steps not work, but as I dug in to it I found the Microsoft documentation indicated it should work. My problem, it seems, is that while the Microsoft documentation said that the Set-RemoteDomain command supported the -UseSimpleDisplayName parameter, my setup didn’t. Issuing a Get-Help Set-RemoteDomain didn’t show the UseSimpleDisplayName parameter. What’s going on? Then the light bulb went off. I checked my version of Exchange against the latest and yes, mine was Exchange Server 2010 while the latest available was Exchange Server 2010 SP1.

Unfortunately I didn’t take any screen shots of the PowerShell error that I got when I tried to implement the Set-RemoteDomain command, but if you do a simple check to find out what Exchange build you have you can then determine if the command will work.

You can issue a Get-ExchangeServer -Identity <server> | FL command to identify the build. You can see the build number under AdminDisplayVersion, as shown in the screen shot below. Microsoft have a list of Exchange Server versions and associated build numbers. These can be viewed at: Build numbers and release dates for Exchange Server. For Exchange Server 2010 the build was 14.00.0639.021. For Exchange Server 2010 SP1 the build was 14.01.0218.015. These show up under AdminDisplayVersion as 14.0 (Build 639.21) and 14.1 (Build 218.15) respectively.

Identify_Exchange_Server_Version - Annotated

You could also use the Get-Help Set-RemoteDomain command and see if the help shows the UseSimpleDisplayName parameter or not. The screen shot below shows the result of the Get-Help Set-RemoteDomain command for Exchange 2010 SP1.

Get-Help_Set-RemoteDomain - Annotated

Once I’d determined that I didn’t have Exchange 2010 SP1 I went and downloaded it and went through the update process. Once I completed the update I was able to use the Set-RemoteDomain command with the -UseSimpleDisplayName parameter.

Reminder! To enable the use of Simple Display names for external email you have to be running Exchange 2010 SP1 or better.

The command to enable Simple Display Names for external email domains is:

Get-RemoteDomain | Set-RemoteDomain -UseSimpleDisplayName $true

The Get-RemoteDomain pipes all remote domains to the Set-RemoteDomain command so that all outbound messages will use the Simple Display name. You could explicitly define which external domains will see the Simple Display name and which will see the Display Name. It’s probably a lot easier to implement and manage if you just go ahead and apply the change to all external emails.
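An added example, not part of the original post: a PowerShell check that combines the two tests described above (build number and presence of the parameter) before applying the setting. The function name Test-SimpleDisplayNameBuild and the server name EX01 are placeholders chosen for this example.

```powershell
# Added example; Test-SimpleDisplayNameBuild and 'EX01' are hypothetical names.
function Test-SimpleDisplayNameBuild {
    param([Parameter(Mandatory = $true)][string]$AdminDisplayVersion)

    # Accepts the form shown under AdminDisplayVersion, e.g. "14.1 (Build 218.15)".
    if (-not ($AdminDisplayVersion -match '(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)')) {
        throw "Unrecognised AdminDisplayVersion: $AdminDisplayVersion"
    }
    $found    = [version]("$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])")
    $required = [version]'14.1.218.15'   # Exchange Server 2010 SP1, per the post
    return ($found -ge $required)
}

if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    # Inside the Exchange Management Shell: test the real server.
    $server   = Get-ExchangeServer -Identity 'EX01'
    $buildOk  = Test-SimpleDisplayNameBuild "$($server.AdminDisplayVersion)"
    # Second check from the post: does this shell expose the parameter at all?
    $hasParam = (Get-Command Set-RemoteDomain).Parameters.ContainsKey('UseSimpleDisplayName')

    if ($buildOk -and $hasParam) {
        Get-RemoteDomain | Set-RemoteDomain -UseSimpleDisplayName $true
        # Confirm the result on every remote domain entry.
        Get-RemoteDomain | Format-Table Name, DomainName, UseSimpleDisplayName -AutoSize
    } else {
        Write-Warning "Update to Exchange 2010 SP1 or later before using -UseSimpleDisplayName."
    }
} else {
    # Outside Exchange: exercise the check with the two version strings from the post.
    foreach ($v in '14.0 (Build 639.21)', '14.1 (Build 218.15)') {
        '{0} -> supported: {1}' -f $v, (Test-SimpleDisplayNameBuild $v)
    }
}
```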

Set-RemoteDomain_-UseSimpeDisplayName_command

To test that it’s working I updated the properties on my mail box to define a Simple Display name of Kennedy, Steven, with my Display Name being set to Kennedy, Steven (SJWK). As you can see from the following screen shots it works fine. The first screen shot is of the email as seen by an internal recipient. As indicated by the red arrows, the internal user sees the Display Name, in this case with a (SJWK) appended to the display name.

Internal_email_sample - Annotated

The second screen shot shows the same email but as seen by an external recipient, my Gmail account. In this case it’s had a disclaimer notice prepended to it but as indicated the Internal users show up with their Simple Display name showing.

External_email_sample - Annotated

Some things to note.

Adding a Simple Display name on my home system was pretty easy. I only have a few accounts and it was pretty easy to update. In a business however you’ll need a process, or preferably an automated way, to generate the Simple Display name. You’ll also need some sort of governance model around it. You probably don’t want users pestering IT to set either or both of the display names to what they want.

You should also be aware that if an internal user forwards or replies to an email (Reply or Reply All) then the message body will show the internal Display Names. The point being that you cannot depend on the use of the Simple Display name to ‘hide’ whatever you’re using for a Display Name. However, external recipients will only see various address fields of the email: From, To, CC, Bcc etc.

Some possible scenarios for using this capability would be to have a Display name that included an indicator of the user’s office or perhaps country, as in Kennedy, Steven (Los Angeles) or Kennedy, Steven (USA), with perhaps the Simple Display name being set to the company name: Kennedy, Steven (Acme).

Posted in Exchange 2010

AD RMS: Client side

Posted by Steven Kennedy on February 22, 2011


Both Windows Vista and Windows 7 come with the AD RMS client built-in. For Windows XP you’ll need to download a client from Microsoft and install it. In my case I’m using Windows 7 Enterprise 32-bit.

Even with the client built-in there’s some configuration that has to take place before you can start using AD RMS templates.

In order to update the templates on a user’s local PC, a scheduled job runs that copies the templates from the previously defined location, in my case \\RMS\Users\Public, to the user’s PC. Where these templates are located is defined in the registry. This is where I started to have some issues. For me at home it’s not a big deal. I can just use Regedit to set up the key and value. In a business environment that’s not so practical. So you’ll have to resort to defining the registry settings via Group Policy, which is where I ran into an issue. I’ll address this a bit later on in this post.

First off you need to enable the scheduled tasks that’ll update the policy templates on the client PC. You do this by opening up the task scheduler, via the Control Panel.System and Security.Scheduled tasks (this is for Windows 7). You’ll then expand the Task Scheduler Library and expand down through Microsoft.Windows and then select Active Directory Rights Management Services Client. See the screen shot below.

AD_RMS_Task_Scheduler - Annotated

As you can see from the screen shot the Status for the task is Disabled. You’ll need to enable both tasks by selecting each one in turn and clicking on Enable. In my case I had to do this using an administrator account because my normal user account doesn’t have local privileges and a privileged account is required to make these changes. You can also make these changes via Microsoft’s Systems Management Server or using Group Policy using the following command: schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE (from Microsoft TechNet posting here). I haven’t tried this yet. This same posting on TechNet tells you how to enter the registry key to point to the location on the local machine where the templates will go. It’s when I tried to use a GPO to do this that I ran into an issue.

I decided to try using a GPO to make the relevant registry settings. So I downloaded the Office 2010 Administrative templates and applied them. I then went in to Group Policy Manager and activated the template specific for AD RMS clients and entered in the path: %LocalAppData%\Microsoft\DRM\Templates

Specifiy_Permissons_Policy_Path

Specifiy_Permissons_Policy_Path_Dialog_box

I then logged off and back on on my client PC, to get the GPO applied. Yes, I know I could do it via GPUPDATE /Force but I also wanted to force the scheduled task to run. Turns out I had to do that manually or wait up to an hour for it to run.

Anyway, once I was logged back in, imagine my surprise that the policy propagation wasn’t working. After a bit of digging I found that the Office 2010 Administrative templates defined the key value for AdminTemplatePath as REG_SZ, where it needed to be REG_EXPAND_SZ. As there seemed to be no way to change the administrative template (I didn’t look or try that hard), I ended up using the Preference setting capability that’s now available within AD 2008. In the same GPO editor select User Configuration.Preferences.Registry and define a key, as shown in the screen shot below, by right clicking on Registry and selecting New.Registry Item.

admintemplatepath_-_preferences

(Note! the key path is: Software\Policies\Microsoft\office\14.0\common\drm)
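An added example, not part of the original post: a PowerShell audit of the AdminTemplatePath value type on a client, which shows the REG_SZ versus REG_EXPAND_SZ problem described above. It assumes the value lives under HKEY_CURRENT_USER (the post configures it under User Configuration); the function names are made up for this example.

```powershell
# Added example; function names are hypothetical. Key path and template path are from the post.
$subKey = 'Software\Policies\Microsoft\office\14.0\common\drm'
$name   = 'AdminTemplatePath'
$wanted = '%LocalAppData%\Microsoft\DRM\Templates'

function Get-AdminTemplatePathState {
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($subKey)
    if ($null -eq $key -or ($key.GetValueNames() -notcontains $name)) {
        return New-Object PSObject -Property @{ Present = $false; Kind = $null; Raw = $null; Usable = $false }
    }
    try {
        $kind = $key.GetValueKind($name)
        # Read the stored string without letting .NET expand %variables%.
        $raw  = $key.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    } finally {
        $key.Close()
    }
    # Assumption: a plain REG_SZ is fine only if it holds no %variable% to expand.
    # REG_SZ containing %LocalAppData% is the failure the post ran into.
    $usable = ($kind -eq [Microsoft.Win32.RegistryValueKind]::ExpandString) -or
              ($raw -notmatch '%[^%]+%')
    New-Object PSObject -Property @{ Present = $true; Kind = $kind; Raw = $raw; Usable = $usable }
}

function Set-AdminTemplatePathExpandable {
    # Writes the value as REG_EXPAND_SZ. Keys under Software\Policies normally
    # need elevated rights; in a domain, use the GPO Preferences item instead.
    $path = "HKCU:\$subKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -Value $wanted `
        -PropertyType ExpandString -Force | Out-Null
}

# Report only; call Set-AdminTemplatePathExpandable yourself if Usable is False.
$state = Get-AdminTemplatePathState
$state | Format-List Present, Kind, Raw, Usable
if ($state.Present -and -not $state.Usable) {
    Write-Warning "$name is $($state.Kind) but contains an environment variable; it must be ExpandString."
}
```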

More posts to follow on Exchange and SharePoint and AD RMS and also what the client side sees and can do, specifically with Office 2010.

Posted in AD RMS