password protection in onenote

[Franz12]

Hi! I plan to use onenote as an electronic notebook for our group in our
company. Therefore it is essentiell that the users are not able to protect
parts or chapters of the notebook by password. It is possible to deactivate
this feature in onenote? Otherwise I see no chance to use onenote in those
environments?
thanks! F

 

[Ilya Koulchin]

Hi! I plan to use onenote as an electronic notebook for our group in our
company. Therefore it is essentiell that the users are not able to protect
parts or chapters of the notebook by password. It is possible to deactivate
this feature in onenote? Otherwise I see no chance to use onenote in those
environments?

Are you trying to prevent users from password protecting sections in all
notebooks, or just the specific shared notebook?
If you want users to not be able to create password protected sections
ever, there is a registry option to do so. Set
HKCU\Software\Microsoft\Office\12.0\OneNote\General\PasswordProtectionDisabled
= 1 (there's also a group policy option to set this option somewhere).
Users then will not be able to create password protected sections, even
in their local notebooks.
There is no option to control this on a per-notebook basis, other than
pointing out to users that the notebook is shared with other people on
the team and that if they password protect it, others who don't know the
password won't be able to read it. That should be sufficient, assuming
you don't have users who are actively trying to sabotage the shared
notebook.
Note though, that even if you set the registry key noted above, there
are still ways to get password protected sections into the shared
notebook (such as copying from somewhere else), as well as multiple
other ways to make the content inaccessible (such as deleting all the
pages).

Ilya

 

[Franz12]

hi! Thanks! Yes, it would be great to disable the password protection feature
for all notebooks. However, if I understand you right, there is no way, to
disable this feature on the server side, i.e., any property of the notebook
which can disable this. The changes in registry or group policies refer to
changes on each local notebook, isn't it? Would be hard or impossible to
configure each local computer in this way....
Thus, I see a problem to use onenote in company networks... Please remember
the story, where microsoft removed a small utility which could password
protect users files in a company network within a few days, because the
company clients didn't want to see this feature, of course.... I hoped that
there would be server side way to protect our notebooks from having password
protected content, which is hard to figure our or track by the admin and
which is against the law for those purposes....
Thanks again! Franz

 

[Erik Sojka (MVP)]

OneNote is a client-side program. It has features which work well when
ON data is stored on a server, but it is essentially 100% client side
application.

If you use AD/GPO to set the reg key Ilya mentions, that should prevent
all users subject to that GPO from being able to set any passwords. I
don't want to speak for Ilya, but I think the comment was mostly to show
that it's not foolproof - even if 100% of your users have the reg key
set, and one person uploads to a server a *.ONE file that s/he downloaded
from the Internet or created at home, etc. and that file has a password,
ON will still use that password.

In other words, preventing ON from *setting* a password is different than
preventing ON from *using* a password.

Hope that clears this up

 

[Franz12]

HI, thanks! I understand that it was not intended to add such a
functionality, because ON is a client side software. However, I could imagine
that many users will have those problems and - maybe more important- such a
functionality as a suggestion to the developers might improve the acceptance
of ON at least in Europe. To get out of this: for us, it would be a
sufficient workaround to have a macro which checks routinely if any of the
chapters in an ON notebook are password protected. Is it possible to write
such as VB macro? Is an ON SDK available or what are the functions to call to
check programmatically if there is any password protection in a ON notebook?
Thanks again! Franz

 

[Olya Veselova (Microsoft, OneNote team)]

Hello Franz,

Using OneNote Extensibility, you should be able to create a script that
checks for password protected sections and removes them, or moves them to
some other notebook. When our extensibility is fully document, we will
publish the details on all the capabilities.

I am curious why you would like to disable password protection. Is this
something to do with regulations for keeping all content visible to the
company? What are some harmful consequnces of password protecting the
sections that you forsee?

Thank you,
Olya

 

[Franz12]

Hi Olya,
thank you for this info. I would appreciate it very much if you keep me
informed when this documentation about ON scripting becomes available.
Why it is so important for us? Please consider that in a company network it
is from our point of view in general not a good pratice, if the employees are
able to password protect some contents. It makes sense to protect some
regions between different groups, but always, our rules is that an admin (or
anyone) can overrule this password protection i.e. have always the right to
look into it. In our case, we have additionally some federal regulations
which says we have to document everything over years. If one of the employees
protects those data and e.g. leaves the company in between, nobody would be
able to go into these notebooks. Thus, password protection would be ok and
necessary (but can be done by NTFS rights), IF (and this is an really
important IF) there is always a "superior" right of e.g. an admin to look
into those regions...
Best regards Franz

 

[Olya Veselova (Microsoft, OneNote team)]

Hi Franz,

Thank you very much for the clarification. We had a similar reasoning when
we decided to provide admins an ability to turn off password protection by
policy. However, since we are a client app, this has to be done on each
client.
If you are deploying onenote to your organization, there is a way to
customize the setup to set this policy. That way the policy will be set on
each user's computer at the time OneNote is installed and you don't have to
go from computer to computer to set it.
Customizing setup is usually documented centrally for all of Office, so when
Office 2007 comes out, you will be able to find this documentation in the
Office deployment kit on http://office.microsoft.com.

 

[Rainald Taesler]

Olya Veselova (Microsoft, OneNote team) shared these words of wisdom:

Thank you very much for the clarification. We had a similar
reasoning
when we decided to provide admins an ability to turn off password
protection by policy. However, since we are a client app, this has
to
be done on each client.

Although ON is a client-side app, couldn't there be a way to introduce
a scheme of protection working for the file on the server?
AFAICS ON not really is a true client-side application when the data
are stored on a server. The situation to me seems not be too much
different from using database files stored on a server with an
application running locally.

Protecting a notebook (not necessarily sections as one could keep
protected materiel in separate notebooks) and removing protection IMHO
are really important and therefore an additional feature for locking
and unlocking access by an Admin would be needed.

Customized install to me seems not to be solution.

Rainald

 

[Patrick Schmid]

NTFS right provide protection on a server level.

Patrick Schmid

 

[Rainald Taesler]

NTFS right provide protection on a server level.

I know.
But this will work on a per file/directory basis.
And this IMO would not be a solution for notebboks - at least not when they
shall be used "read only" (i.e. to show the content but no changes allowed).
How would this work together with the ON system of synchronisation??

Rainald

 

[Patrick Schmid]

You protect the folder that contain .one files. Works pretty well
actually.

Patrick Schmid

 

[Rainald Taesler]

Patrick Schmid shared these words of wisdom:

You protect the folder that contain .one files. Works pretty well
actually.

Yes, protection of the folder works.

But my question on how it might work when a folder is read-only and
it's opened remotely is unanswered :-( :-(

Rainald

 

[Patrick Schmid]

It'll be editable locally, but no changes will be synced back.
So you can make your own notes on whatever you get from the server, but
will always have a correct copy of what is on the server.

Patrick Schmid

 

[Rainald Taesler]

Patrick Schmid shared these words of wisdom:

It'll be editable locally, but no changes will be synced back.
So you can make your own notes on whatever you get from the server,
but will always have a correct copy of what is on the server.

Thanks for confirming what I feared.
IMHO this does not make too much sense.
No use to let someone make comments just in vain ...

And IMO it means breaking the basic concept of ON's philiosophy of
keeping thing in sync if it's possible to have different versions of
the very same notebook on different machines.

And I'm wondering what will happen when synchronising:
a) Will there be an error message that synching was not possible if
things were edited locally?

b) Will the changes made locally stay untouched?

Rainald

 

[Patrick Schmid]

When I tested this a while ago, I remember ON syncing without any errors
and retaining the local notes. In addition it indicted the sections as
(read-only) in the title bar of the window.

Patrick Schmid

 

[Rainald Taesler]

Thanks for sharing your experience.
Sounds interesting.

Rainald

 

[Franz12]

HI again,
after discussion in our group:
thank you for your suggestion to use a policy to disable the password
feature in ON during installation. However, this will not work for us,
because some users will have to access there notebooks from outside using
their own computers (without having any access to their policies...)
So, what we really would need is a script or short VB code, which scans
through the ON files or a directory of ON files on the server and detects
(and move into another folder) those ON files which are password protected
and then, we are able to get back to those users which password protect
sections etc.
Is it possible to do this? What would be the syntax inside such a script to
detect password protection in ON files?
THANKS again! Franz

 

[Franz12]

HI again,
after discussion in our group:
thank you for your suggestion to use a policy to disable the password
feature in ON during installation. However, this will not work for us,
because some users will have to access there notebooks from outside using
their own computers (without having any access to their policies...)
So, what we really would need is a script or short VB code, which scans
through the ON files or a directory of ON files on the server and detects
(and move into another folder) those ON files which are password protected
and then, we are able to get back to those users which password protect
sections etc.
Is it possible to do this? What would be the syntax inside such a script to
detect password protection in ON files?
THANKS again! Franz

 

[Ilya Koulchin]

So, what we really would need is a script or short VB code, which scans
through the ON files or a directory of ON files on the server and detects
(and move into another folder) those ON files which are password protected
and then, we are able to get back to those users which password protect
sections etc.
Is it possible to do this? What would be the syntax inside such a script to
detect password protection in ON files?

One option, as has already been pointed out, is to use the extensibility
model. What you'd need to do is have a server running OneNote and
syncing the notebooks you're interested in (this is necessary due to the
caching behavior, and due to the fact that extensibility operates on the
cached data). Then you can have your script periodically export the
hierarchy and look to see if any section has the encrypted attribute set.
Another option is to use the IFilter interface. To make this approach
work you'd need a script that'd iterate through all the files in the
notebook and for each file instantiate the IFilter. You can then attempt
to filter the file contents - if you encounter FILTER_E_PASSWORD then
you know that the file is password protected. Depending on your
situation, this may be more code but you would not need to have OneNote
running on your server.

Ilya