Controlling OWA 2003 Users' Logon Options

We want to control which options users have when they log on to Outlook Web Access (OWA) 2003. What's the best way to do this?

The answer depends on exactly what you're trying to accomplish by limiting users' options. When users connect to OWA 2003 via Microsoft Internet Explorer (IE) for Windows, the OWA logon screen gives users two options: whether to use the Premium or Basic client interface and whether to log on from a public or private computer.

If you want to control whether users can pick their client type, you have a couple of choices. First, be aware that OWA automatically detects the browser with which a user connects. If that browser is anything other than IE 5.01 or later for Windows, users don't get the option to choose a client type. For example, Mac OS X users running Apple Safari never see the Premium and Basic radio buttons. If you're trying to let non-IE users choose a client type, there's no way to do so. Second, you can use OWA segmentation to control which client types are available to users. By setting the appropriate flag value, you can force all users to get the Basic client experience. Segmentation also gives you finer-grained control over other features. For example, you can turn off all access to individual folder types (e.g., Calendar), disable individual features (e.g., Secure MIME—S/MIME—support, spell checking), and otherwise control what users can do once they log on. For more information about segmentation, see the Microsoft article "How to modify the appearance and the functionality of Outlook Web Access by using the segmentation feature in Exchange 2003" (http://support.microsoft.com/?kbid=833340).

If you want to control access from public or private computers, you can set timeout values that control how long sessions from each type of computer will remain active. To do this, set the PublicClientTimeout and TrustedClientTimeout values (under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWA registry subkey) to the number of minutes you want to apply to each timeout.

In both cases, you can also modify the logon.asp form to restrict users' options. This is the most flexible route; by changing what appears on the logon page, you get ultimate control over which options users can choose (and over what the logon screen looks like—an important issue at some companies). The Microsoft white paper "Customizing the Outlook Web Access Logon Page" (http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/owalogon.mspx) will guide you through the process of using JavaScript to customize the logon page. Remember that any customizations you make will be overwritten when you install Exchange Server service packs.