Monday, March 1, 2010

How to use Group Policy to disable .PST files in Outlook 2010

First, let's forget about the reasons why you want to disable .PST files on your network. Let's forget about technologies to help you import your .PST files. Let's forget about everything except how to use Group Policy to disable the ability to use .PST files in Outlook 2010. I'll also provide information on Outlook 2007.

1. Download the Office 2010 (Beta) Administrative Template files:

If you are working with Outlook 2007, download the Office 2007 SP2 Administrative Template files. Officially, the download page refers to them as the "2007 Office system (SP2) Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool":

2. Double click the downloaded file (AdminTemplates.exe) to extract the contents to a folder. The contents are ADM, Admin, and ADMX files (along with a nice spreadsheet with all of the settings available).

3. Launch Group Policy Management and create a new Group Policy Object (GPO). Call it "PST Disable" (or a name that matches your naming convention).

4. Edit the GPO. Expand User Configuration, expand Policies, then click to highlight Administrative Templates:Policy definitions. Right-click Administrative Templates:Policy definitions and choose Add/Remove Templates. A pop-up box will show you the current policy templates. Click Add then browse to the location where you extracted AdminTemplates.exe. Now, let's make a quick assumption here. You are editing the GPO from Windows Server 2008 or 2008 R2 and you do not have a central store. Double-click the ADM folder, then the en-us (or your language) folder. Finally, select the OUTLK12.ADM (Outlook 2007) or OUTLK14.ADM (Outlook 2010) file. If you do have a central store, you'd want to copy your ADMX file to the central store first (and then wouldn't have to do what we are doing right this moment). But that's too much detail for this post. Click Open and you should be back at the Add/Remove Templates pop-up box and the OUTLK14 (or OUTLK12) template should be listed. Click Close.

5. You've probably noticed that you have a new folder under Administrative Templates: Policy definitions. It is called Classic Administrative Templates (ADM) and underneath, you should see a folder named Microsoft Office Outlook 2007 or Microsoft Outlook 2010. Expand it. then expand the Miscellaneous folder. Click to highlight the PST Settings folder. In the right pane, you'll see the available options. I won't talk about all of the options but I'll list them and discuss the ones needed for disabling .PST usage.

The screen shot above shows what the completed settings might typically look like. I'll disable unused settings and configure settings handled in other GPOs as Not Configured. The only two settings we need to manipulate to disable .PST use completely are the first two.

6. In the right pane, double-click the first setting Prevent users from adding PSTs to Outlook prifiles and/or prevent using Sharing-Exclusive PSTs. Select the Enabled radio button. In the corresponding dropdown box below, choose No PSTs can be added. Click OK. Optionally, if you utilize SharePoint lists via Outlook, you should consider opting for the Only Sharing-Exclusive PSTs can be added setting.

7. In the right pane, double-click the second setting Prevent users from adding new content to existing PST files. Click the Enabled radio button. Then click OK. Keep in mind, if you prevent users from adding PST files in Outlook, it is pretty tough to add new content. So this second setting is really used when you want to allow users to read their old PST files but not add new content into them (and if you wanted to do that, you wouldn't prevent users from adding PST files to Outlook profiles as mentioned in the above step). I prefer to enable this additional protection as a first step sometimes. Then, as a second step, lock down use of PST files altogether. Requirements vary so you'll want to familiarize yourself with the options.
So now we have the GPO. Now what? Let's deploy it! I recommend creating a group in Active Directory to contain all users that will have PST use disabled. Even if it is the entire company. This gives you some flexibility to enable PST use under certain circumstances such as testing or e-discovery. Once you have your group created, update the security filtering on the GPO so that the new group is the only group that is listed in the security filtering of the GPO. Link the GPO to the top level OU where your users are contained (and if you have multiple top level OUs where users are contained, you may have to link to the domain level instead). Don't forget about disabling the Computer Configuration settings (since this is just a user setting). Lastly, if you are testing by adding your own account to the security filtering, wait or force replication, then log off and log back on.

Want to see what it looks like? Here are some screen shots and info:

This is what Outlook 2010 looks like by default (PST use enabled). You can go to File, Open, and you have an option to open a .PST file.

This is the Account Settings menu from Outlook 2010 while PST use is still enabled.

This is the Account Settings menu from Outlook 2010 while PST use is still enabled after clicking on the Add button (as if adding a PST for mail storage).

After disabling the use of PST files, this is what Outlook 2010 looks like from the File, Open menu. Notice that the option of opening a PST file is gone?

This is the Account Settings menu in Outlook 2010 after PST use has been disabled. The popup is the box that comes up when you try to add a new Outlook data file. By default, you'd be able to select Office Outlook Personal Folders File (.PST). However, once PST use has been disabled, you cannot select a data file and the only option is to click Cancel.

This is a shot of the left menu/folder area in Outlook 2010. This is after PST use has been disabled. Note that I still have "My Outlook Data File(1)" open? The contents of it are still available as well. As you may know, Outlook automatically opens PST files that were open when Outlook was last closed. Even if PST use has been disabled! After I right-click the data file and close it, I don't have a way to open it back up. This has ramifications when disabling PST use across an enterprise. Information like this makes its way around and users won't close their PST files (thus being able to still read info from them). So this has to be addressed. I may dive deeper into this aspect at a later time.

So, noted above, the PST is still open although PST use is disabled. The above screen shot shows what happened when I tried to add new content to the PST. That error popped up and it didn't let me add new content. Thereafter, I right-clicked and closed the data file and couldn't open it.
What happens if you try to circumvent the restrictions in the GUI by double-clicking the PST file?

This is the error that pops up when you try to double-click a PST file after PST use has been disabled. And since you can't open a PST from within Outlook, you are out of luck!

The registry is where the configuration changes actually take place. The GPO is merely setting a couple of values in the registry based on the configuration of the GPO.
HKEY_CURRENT_USER\Software\Policies\Microsoft\office\12.0\outlook (Outlook 2007)
HKEY_CURRENT_USER\Software\Policies\Microsoft\office\14.0\outlook (Outlook 2010)

A new entry is created. Type is REG_DWORD. Name is DisablePST.
Value: 0x00000001 (1) is equivalent to No PSTs can be added
Value: 0x00000002 (2) is equivalent to Only Sharing-Exclusive PSTs can be added
Value: 0x00000000 (0) is equivalent to (default) PSTs can be added
Keep in mind that the default setting in the GPO (disabled) doesn't add the DisablePST entry. So by default, there isn't anything in the registry (until you create a GPO and configure it).