
MONDAY, MARCH 1, 2010

How to use Group Policy to disable .PST files in Outlook 2010


First, let's forget about the reasons why you want to disable .PST files on your network. Let's forget about technologies to help you import your .PST files. Let's forget about everything except how to use Group Policy to disable the ability to use .PST files in Outlook 2010. I'll also provide information on Outlook 2007.

1. Download the Office 2010 (Beta) Administrative Template files: http://www.microsoft.com/downloads/details.aspx?FamilyID=C3436A99-5C80-48CE83E8-481F9C3D2288&displaylang=en&displaylang=en

If you are working with Outlook 2007, download the Office 2007 SP2 Administrative Template files. Officially, the download page refers to them as the "2007 Office system (SP2) Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool": http://www.microsoft.com/downloads/details.aspx?FamilyID=73D955C0-DA87-4BC2BBF6-260E700519A8&displaylang=en

2. Double-click the downloaded file (AdminTemplates.exe) to extract the contents to a folder. The contents are ADM, Admin, and ADMX files (along with a nice spreadsheet with all of the settings available).

3. Launch Group Policy Management and create a new Group Policy Object (GPO). Call it "PST Disable" (or a name that matches your naming convention).

4. Edit the GPO. Expand User Configuration, expand Policies, then click to highlight Administrative Templates: Policy definitions. Right-click Administrative Templates: Policy definitions and choose Add/Remove Templates. A pop-up box will show you the current policy templates. Click Add, then browse to the location where you extracted AdminTemplates.exe.

Now, let's make a quick assumption here. You are editing the GPO from Windows Server 2008 or 2008 R2 and you do not have a central store. Double-click the ADM folder, then the en-us (or your language) folder. Finally, select the OUTLK12.ADM (Outlook 2007) or OUTLK14.ADM (Outlook 2010) file. If you do have a central store, you'd want to copy your ADMX file to the central store first (and then wouldn't have to do what we are doing right this moment). But that's too much detail for this post.

Click Open and you should be back at the Add/Remove Templates pop-up box, and the OUTLK14 (or OUTLK12) template should be listed. Click Close.

5. You've probably noticed that you have a new folder under Administrative Templates: Policy definitions. It is called Classic Administrative Templates (ADM) and underneath, you should see a folder named Microsoft Office Outlook 2007 or Microsoft Outlook 2010. Expand it, then expand the Miscellaneous folder. Click to highlight the PST Settings folder. In the right pane, you'll see the available options. I won't talk about all of the options, but I'll list them and discuss the ones needed for disabling .PST usage.

The screen shot above shows what the completed settings might typically look like. I'll disable unused settings and configure settings handled in other GPOs as Not Configured. The only two settings we need to manipulate to disable .PST use completely are the first two.

6. In the right pane, double-click the first setting, "Prevent users from adding PSTs to Outlook profiles and/or prevent using Sharing-Exclusive PSTs". Select the Enabled radio button. In the corresponding dropdown box below, choose "No PSTs can be added". Click OK. Optionally, if you utilize SharePoint lists via Outlook, you should consider opting for the "Only Sharing-Exclusive PSTs can be added" setting.

7. In the right pane, double-click the second setting, "Prevent users from adding new content to existing PST files". Click the Enabled radio button. Then click OK.

Keep in mind, if you prevent users from adding PST files in Outlook, it is pretty tough to add new content. So this second setting is really used when you want to allow users to read their old PST files but not add new content into them (and if you wanted to do that, you wouldn't prevent users from adding PST files to Outlook profiles as mentioned in the above step). I prefer to enable this additional protection as a first step sometimes. Then, as a second step, lock down use of PST files altogether. Requirements vary, so you'll want to familiarize yourself with the options.

So now we have the GPO. Now what? Let's deploy it!

I recommend creating a group in Active Directory to contain all users that will have PST use disabled, even if it is the entire company. This gives you some flexibility to enable PST use under certain circumstances such as testing or e-discovery. Once you have your group created, update the security filtering on the GPO so that the new group is the only group that is listed in the security filtering of the GPO. Link the GPO to the top-level OU where your users are contained (and if you have multiple top-level OUs where users are contained, you may have to link to the domain level instead). Don't forget about disabling the Computer Configuration settings (since this is just a user setting). Lastly, if you are testing by adding your own account to the security filtering, wait or force replication, then log off and log back on.

Want to see what it looks like? Here are some screen shots and info:

This is what Outlook 2010 looks like by default (PST use enabled). You can go to File, Open, and you have an option to open a .PST file.

This is the Account Settings menu from Outlook 2010 while PST use is still enabled.

This is the Account Settings menu from Outlook 2010 while PST use is still enabled after clicking on the Add button (as if adding a PST for mail storage).

After disabling the use of PST files, this is what Outlook 2010 looks like from the File, Open menu. Notice that the option of opening a PST file is gone?

This is the Account Settings menu in Outlook 2010 after PST use has been disabled. The popup is the box that comes up when you try to add a new Outlook data file. By default, you'd be able to select Office Outlook Personal Folders File (.PST). However, once PST use has been disabled, you cannot select a data file and the only option is to click Cancel.

This is a shot of the left menu/folder area in Outlook 2010. This is after PST use has been disabled. Note that I still have "My Outlook Data File(1)" open? The contents of it are still available as well. As you may know, Outlook automatically opens PST files that were open when Outlook was last closed. Even if PST use has been disabled! After I right-click the data file and close it, I don't have a way to open it back up. This has ramifications when disabling PST use across an enterprise. Information like this makes its way around and users won't close their PST files (thus being able to still read info from them). So this has to be addressed. I may dive deeper into this aspect at a later time.

So, as noted above, the PST is still open although PST use is disabled. The above screen shot shows what happened when I tried to add new content to the PST. That error popped up and it didn't let me add new content. Thereafter, I right-clicked and closed the data file and couldn't open it.

What happens if you try to circumvent the restrictions in the GUI by double-clicking the PST file?

This is the error that pops up when you try to double-click a PST file after PST use has been disabled. And since you can't open a PST from within Outlook, you are out of luck!

The registry is where the configuration changes actually take place. The GPO is merely setting a couple of values in the registry based on the configuration of the GPO.

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\12.0\outlook (Outlook 2007)
HKEY_CURRENT_USER\Software\Policies\Microsoft\office\14.0\outlook (Outlook 2010)

A new entry is created. Type is REG_DWORD. Name is DisablePST.

Value: 0x00000001 (1) is equivalent to No PSTs can be added
Value: 0x00000002 (2) is equivalent to Only Sharing-Exclusive PSTs can be added
Value: 0x00000000 (0) is equivalent to (default) PSTs can be added

Keep in mind that the default setting in the GPO (disabled) doesn't add the DisablePST entry. So by default, there isn't anything in the registry (until you create a GPO and configure it).
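One way to confirm the result on a workstation, as an added example that is not part of the original post: the script reads DisablePST from the two policy keys listed above, treats a missing value as "not configured", and lists PST stores that are still attached to the profile, since Outlook keeps reopening those after the policy applies. The function names Get-DisablePstState and Get-AttachedPst are hypothetical, and the second function assumes Outlook is installed and the script runs in the user's own session.

```powershell
# Added example: audit the DisablePST policy value for the current user.
# Key paths and value meanings are the ones listed in the post above.
$meaning = @{
    0 = 'PSTs can be added (default)'
    1 = 'No PSTs can be added'
    2 = 'Only Sharing-Exclusive PSTs can be added'
}
$versions = [ordered]@{ '12.0' = 'Outlook 2007'; '14.0' = 'Outlook 2010' }

function Get-DisablePstState {
    foreach ($ver in $versions.Keys) {
        $key = "HKCU:\Software\Policies\Microsoft\office\$ver\outlook"
        # The value does not exist until a GPO configures it, so a missing
        # key or value is reported as its own state rather than as 0.
        $prop = Get-ItemProperty -Path $key -Name DisablePST -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $raw   = $null
            $state = 'DisablePST not present (policy not configured)'
        } else {
            $raw   = [int]$prop.DisablePST
            $state = if ($meaning.ContainsKey($raw)) { $meaning[$raw] }
                     else { "Unexpected value $raw" }
        }
        [pscustomobject]@{
            Product    = $versions[$ver]
            Key        = $key
            DisablePST = $raw
            State      = $state
        }
    }
}

function Get-AttachedPst {
    # Assumption: Outlook is installed; this uses the Outlook object model
    # (Namespace.Stores, available from Outlook 2007 onward).
    $outlook = New-Object -ComObject Outlook.Application
    $outlook.Session.Stores |
        Where-Object { $_.FilePath -like '*.pst' } |
        Select-Object DisplayName, FilePath
}

Get-DisablePstState | Format-Table Product, DisablePST, State -AutoSize
Get-AttachedPst     | Format-Table -AutoSize
```

A user who shows "No PSTs can be added" together with one or more rows from Get-AttachedPst is in the situation described above: the policy is in place, but a previously opened PST is still readable until it is closed.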
AN INTRODUCTION TO DWORD VALUES

Other articles on this website have explained the basic structure of the Windows Registry, from the five main Root Keys (Hives) of HKCR / HKCU / HKLM / HKU / HKCC, through to their various Keys and SubKeys. In this article we will look at a common Registry key/subkey "value" called the DWORD.

VALUES

When we define a Registry key, all we have done is describe a "path" that leads us to the actual information that the Windows computer needs. The Registry stores all its information in what are called Value Entries. Each Value is made up of three parts: Name, Data and Type - see Fig 1.0 below. In the Windows Registry Editor (Regedit.exe) there are two panes. The left pane contains the keys/subkeys, and the right-hand pane contains the values and is known as the value pane.

Fig 1.0 - The Registry Editor Value Pane

A key and subkey can have more than one value associated with them, and in fact it is normal to find many values present. Every key needs a value and the first is always called the DEFAULT. The Value Name has to be unique to each key or subkey; however, it can be used again in another key or subkey without problems. The Value Data depends on the Value Type, but it is worth noting that it can be empty, null or contain data. Value Data can be a string of text, hexadecimal notation or decimal notation.

TYPES

Every Value has what is called a Value Type. This is used to describe the kind of data that it contains. As an example, if you open up My Documents on your computer you will probably see text documents, Word documents, PDF documents, Excel documents and many others. These ALL have a document extension so that your computer can recognise them and know how to treat them, e.g. .txt, .doc, .pdf and .xls. This is very similar with Value Entries in the Registry. There are different types of data used in the Registry that the computer can understand and take action on. There are around 15 different Value Types, of which only 5 are actually seen very often.

The DWORD Value

REG_DWORD, or just plain DWORD as it is often known, is the most common Value Type found in the Registry. The DWORD value entry can consist of 32-bit numbers expressed in decimal or hexadecimal notation, for example: 622675 or 0x00098053

The DWORD value entry can also consist of an entry into the Registry that is measured in time. It will always be expressed as milliseconds and be in decimal, so a DWORD value entry of 4 hours is shown as 14400000 - see Fig 1.1.

Fig 1.1 - A REG_DWORD Showing 4 Hours As Milliseconds

The DWORD value entry is commonly used when you want to create a Value Type that is a True or False entry (called a Boolean flag). For example: where 0 = Enable (True) and 1 = Disable (False). See Fig 1.2.

Fig 1.2 - A REG_DWORD Showing a True or False entry

The term DWORD simply stands for "double word." A word is the natural unit of computing. When Windows was originally developed, the system word size on Intel x86 processors was 16 bits. Consequently, WORD was defined as being 16 bits and DWORD as 32. Today, however, we have 64-bit processors and so 64-bit word sizes, but the term DWORD remains in use.
