custom forms security notification problem

[Radost]

Dear All,

At my company we've been using several customized outlook forms. They are
published in the "Organizational Forms Library".
To check the name of the logged-on user, the following code is used:
sCurrentUser = Application.GetNameSpace("MAPI").CurrentUser.Name

The client computers are installed with Outlook 2000.

After some of the latest Outlook Security updates, the following strange
behaviour of the forms appeared: When we try to open a form, an warning msg
appears, saying:
"A program is trying to access e-mail addresses you have stored in Outlook.
Do you want to allow this?
If this is unexpected, it may be a virus and you should choose "No".
Allow access for ... minutes"

Is there a work around to prevent this msg from appearing?
It is very annoying for all the users to get this msg all the time when
opening the forms.
Is there a way to define the organizational forms like "secure" and prevent
the appearance of this msg. Anyway, quite high level of privileges are
needed for organizational forms publishing, so why would they be treated as
unsecured ...?

Or, if the problem is only in reading the name of the current user
(Application.GetNameSpace("MAPI").CurrentUser.Name), then is there another
way to get the name of the user, avoiding the security notifications?

We really need these forms working, and working properly, so, please, help!

Uninstallation of the security updates is not on option in our case.

Thank you very much for you help in advance!

Best Regards, Radost

 

[Sue Mosher [MVP]]

The security dialogs that pop up when an application tries to access certain Outlook properties and methods are designed to inhibit the spread of viruses via Outlook; see http://www.slipstick.com/outlook/esecup.htm#autosec. They cannot be simply turned on or off with a user option or registry setting.

However, Outlook 2003 does not show security prompts on three specific types of applications:

-- VBScript code in published, non-oneoff Outlook forms

-- Outlook VBA code that uses the intrinsic Application object

-- Outlook COM add-ins properly constructed to derive all objects from the Application object passed by the OnConnection event

In earlier versions of Outlook, standalone users can use a free tool called Express ClickYes (http://www.express-soft.com/mailmate/clickyes.html) to click the security dialog buttons automatically. Beware that this means if a virus tries to send mail using Outlook or gain access to your address book, it will succeed.

If you're the administrator in an Exchange Server environment, you can reduce the impact of the security prompts with administrative tools. See http://www.slipstick.com/outlook/esecup/admin.htm

If it's an application you wrote yourself and either your application needs to support versions besides Outlook 2003 or your application runs extenal to Outlook, you have these options for modifying your program to avoid the security prompts (roughly in order of preference):

-- Use Extended MAPI (see http://www.slipstick.com/dev/mapi.htm) and C++ or Delphi; this is the most secure method and the only one that Microsoft recommends. However, it applies only to COM add-ins and external programs; you cannot use Extended MAPI in Outlook forms or VBA.

-- Use Redemption (http://www.dimastr.com/redemption/), a third-party COM library that wraps around Extended MAPI but parallels the Outlook Object Model, providing many methods that the Outlook model does not support

-- Use SendKeys to "click" the buttons on the security dialogs that your application may trigger. See http://www.slipstick.com/outlook/esecup.htm#autosec for a link to sample code.

-- Program the free Express ClickYes (http://www.express-soft.com/mailmate/clickyes.html) tool to start suspended and turn it on only when your program needs to have the buttons clicked automatically.

--
Sue Mosher, Outlook MVP
Outlook and Exchange solutions at http://www.slipstick.com
Author of
Microsoft Outlook Programming: Jumpstart
for Administrators, Power Users, and Developers

 

[Radost]

Dear Sue,

Thank you very much for your fast and comprehensive answer!!!

Yes, this is an application, we developed ourselves. It consists of several
Outlook 2000 custom forms and public folders.
Before we consider applying big environment changes, I have the following
question. In our forms we only need the name of the currently logged-on user
(not their address-books, or what ever). We retrieve this information
through
Application.GetNameSpace("MAPI").CurrentUser.Name
and this seems to cause the security warnings.

Is there another way to get the name of the Current User, avoiding the
security problems?

Thank you very much once again!

Best Regards, Radost



The security dialogs that pop up when an application tries to access certain
Outlook properties and methods are designed to inhibit the spread of viruses
via Outlook; see http://www.slipstick.com/outlook/esecup.htm#autosec. They
cannot be simply turned on or off with a user option or registry setting.

However, Outlook 2003 does not show security prompts on three specific types
of applications:

-- VBScript code in published, non-oneoff Outlook forms

-- Outlook VBA code that uses the intrinsic Application object

-- Outlook COM add-ins properly constructed to derive all objects from
the Application object passed by the OnConnection event

In earlier versions of Outlook, standalone users can use a free tool called
Express ClickYes (http://www.express-soft.com/mailmate/clickyes.html) to
click the security dialog buttons automatically. Beware that this means if a
virus tries to send mail using Outlook or gain access to your address book,
it will succeed.

If you're the administrator in an Exchange Server environment, you can
reduce the impact of the security prompts with administrative tools. See
http://www.slipstick.com/outlook/esecup/admin.htm

If it's an application you wrote yourself and either your application needs
to support versions besides Outlook 2003 or your application runs extenal to
Outlook, you have these options for modifying your program to avoid the
security prompts (roughly in order of preference):

-- Use Extended MAPI (see http://www.slipstick.com/dev/mapi.htm) and C++
or Delphi; this is the most secure method and the only one that Microsoft
recommends. However, it applies only to COM add-ins and external programs;
you cannot use Extended MAPI in Outlook forms or VBA.

-- Use Redemption (http://www.dimastr.com/redemption/), a third-party
COM library that wraps around Extended MAPI but parallels the Outlook Object
Model, providing many methods that the Outlook model does not support

-- Use SendKeys to "click" the buttons on the security dialogs that your
application may trigger. See
http://www.slipstick.com/outlook/esecup.htm#autosec for a link to sample
code.

-- Program the free Express ClickYes
(http://www.express-soft.com/mailmate/clickyes.html) tool to start suspended
and turn it on only when your program needs to have the buttons clicked
automatically.

--
Sue Mosher, Outlook MVP
Outlook and Exchange solutions at http://www.slipstick.com
Author of
Microsoft Outlook Programming: Jumpstart
for Administrators, Power Users, and Developers

 

[Anita Gupta]

You can use this VBA code to get the name of the currently logged on user
without the security prompt:

Set NS = Application.GetNamespace("MAPI")
Set TopFolders = NS.GetDefaultFolder(olFolderInbox) 'Or use:
NS.GetDefaultFolder(0) for vbscript environment
strUser = CStr(TopFolders.Parent)
myUser = Split(strUser, " - ", -1, vbTextCompare) 'Or use:
Split(strUser, " - ", -1, 1) for vbscript environment
strCurrentUser = myUser(1)

Anita