Monday, March 1, 2010

How to use Group Policy to disable .PST files in Outlook 2010

First, let's forget about the reasons why you want to disable .PST files on your network. Let's forget about technologies to help you import your .PST files. Let's forget about everything except how to use Group Policy to disable the ability to use .PST files in Outlook 2010. I'll also provide information on Outlook 2007.

1. Download the Office 2010 (Beta) Administrative Template files:

http://www.microsoft.com/downloads/details.aspx?FamilyID=C3436A99-5C80-48CE-83E8-481F9C3D2288&displaylang=en&displaylang=en

If you are working with Outlook 2007, download the Office 2007 SP2 Administrative Template files. Officially, the download page refers to them as the "2007 Office system (SP2) Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool":

http://www.microsoft.com/downloads/details.aspx?FamilyID=73D955C0-DA87-4BC2-BBF6-260E700519A8&displaylang=en

2. Double-click the downloaded file (AdminTemplates.exe) to extract the contents to a folder. You get an ADM folder, an ADMX folder (with the ADML language files), and an Admin folder holding the Office Customization Tool files, along with a nice spreadsheet listing every setting the templates expose.

3. Launch Group Policy Management and create a new Group Policy Object (GPO). Call it "PST Disable" (or a name that matches your naming convention).

4. Edit the GPO. Expand User Configuration, expand Policies, then click to highlight Administrative Templates: Policy definitions. Right-click Administrative Templates: Policy definitions and choose Add/Remove Templates. A pop-up box shows the policy templates currently loaded. Click Add, then browse to the location where you extracted AdminTemplates.exe. A quick assumption here: you are editing the GPO from Windows Server 2008 or 2008 R2 and you do not have a central store. Double-click the ADM folder, then the en-us (or your language) folder, and select OUTLK12.ADM (Outlook 2007) or OUTLK14.ADM (Outlook 2010). If you do have a central store, copy the ADMX (and ADML) files there first; the Outlook settings then show up under Administrative Templates on their own and the Add/Remove Templates step isn't needed. But that's too much detail for this post. Click Open and you should be back at the Add/Remove Templates pop-up box with the OUTLK14 (or OUTLK12) template listed. Click Close.

5. You've probably noticed that you now have a new folder under Administrative Templates: Policy definitions. It is called Classic Administrative Templates (ADM), and underneath it you should see a folder named Microsoft Office Outlook 2007 or Microsoft Outlook 2010. Expand it, then expand the Miscellaneous folder. Click to highlight the PST Settings folder. In the right pane you'll see the available options. I won't talk about all of them, but I'll list them and discuss the ones needed for disabling .PST usage.




The screen shot above shows what the completed settings might typically look like. I'll disable unused settings and configure settings handled in other GPOs as Not Configured. The only two settings we need to manipulate to disable .PST use completely are the first two.

6. In the right pane, double-click the first setting, Prevent users from adding PSTs to Outlook profiles and/or prevent using Sharing-Exclusive PSTs. Select the Enabled radio button. In the corresponding dropdown box below, choose No PSTs can be added. Click OK. Optionally, if you use SharePoint lists via Outlook (they are stored in a Sharing-Exclusive PST), consider choosing Only Sharing-Exclusive PSTs can be added instead.

7. In the right pane, double-click the second setting, Prevent users from adding new content to existing PST files. Click the Enabled radio button, then click OK. Keep in mind that if you prevent users from adding PST files to Outlook, it is already pretty tough to add new content. So this second setting is really for when you want users to be able to read their old PST files but not add new content to them (and in that case you wouldn't prevent users from adding PST files to Outlook profiles as in the step above). I sometimes prefer to enable this additional protection as a first step, and then, as a second step, lock down PST use altogether. Requirements vary, so familiarize yourself with the options.

So now we have the GPO. Now what? Let's deploy it!

I recommend creating a group in Active Directory to contain all users who will have PST use disabled, even if that is the entire company. This gives you flexibility to re-enable PST use under certain circumstances, such as testing or e-discovery, simply by managing group membership. Once the group exists, update the security filtering on the GPO so that the new group is the only group listed there (remove Authenticated Users from the Apply list). Link the GPO to the top-level OU that contains your users (if you have multiple top-level OUs containing users, you may have to link at the domain level instead). Don't forget to disable the Computer Configuration settings, since this GPO carries only user settings.

Lastly, if you are testing by adding your own account to the group, wait for or force AD replication, then log off and log back on. Group membership is evaluated at logon, so gpupdate alone won't pick up a group change.
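The same build and deployment, scripted. This is an added example and not code from the original post; it uses the GroupPolicy module (GPMC on Windows Server 2008 R2, or RSAT) to do steps 3 through 7 plus the security filtering and link described above. The group name and OU distinguished name are placeholders, and the PstDisableGrow subkey and value name for the second setting come from Microsoft's Outlook policy documentation rather than from this post, so confirm them against the settings spreadsheet in the template download. One caveat the 2010 post predates: since MS16-072 (June 2016) user policy is retrieved in the computer's security context, so Authenticated Users must keep Read on a security-filtered GPO or it silently stops applying.

```powershell
# Added example; not code from the original post. Builds the "PST Disable" GPO
# from steps 3-7 and deploys it as described above, using the GroupPolicy
# module (GPMC on Windows Server 2008 R2 or RSAT). Run with rights to create
# and link GPOs. Placeholders (not from the post): group name and OU DN.
Import-Module GroupPolicy

$GpoName   = 'PST Disable'
$GroupName = 'PST-Disabled-Users'                # assumed AD security group
$TargetOu  = 'OU=Users,DC=corp,DC=example'       # assumed top-level user OU
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Office\14.0\Outlook'   # Outlook 2010
# Outlook 2007 clients read the same values under ...\Office\12.0\Outlook;
# repeat the two Set-GPRegistryValue calls with that key for a mixed estate.

# Step 3: create the GPO (reuse it if it already exists).
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment 'Disables PST use in Outlook' }

# Step 6: "Prevent users from adding PSTs to Outlook profiles..." = Enabled,
# "No PSTs can be added". This writes exactly the value the ADM template
# writes (see the registry section): 1 = no PSTs, 2 = Sharing-Exclusive only.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'DisablePST' -Type DWord -Value 1 | Out-Null

# Step 7: "Prevent users from adding new content to existing PST files" = Enabled.
# ASSUMPTION: subkey and value name are from Microsoft's Outlook policy
# documentation, not from this post; confirm them in the template spreadsheet.
Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\PST" `
    -ValueName 'PstDisableGrow' -Type DWord -Value 1 | Out-Null

# User-only GPO: switch off the Computer Configuration half.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Security filtering: only the group applies the GPO. Authenticated Users is
# downgraded from Apply to Read rather than removed: since MS16-072 (June 2016)
# user policy is fetched in the computer's security context, and a GPO the
# computer account cannot read silently stops applying to users.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link to the OU holding the users (or the domain if users span several OUs).
try   { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction Stop | Out-Null }
catch { Write-Warning "New-GPLink: $_" }

# Review what was built.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Format-Table ValueName, Type, Value -AutoSize
Get-GPPermission -Name $GpoName -All |
    Select-Object @{Name='Trustee'; Expression={$_.Trustee.Name}}, Permission

# On a test client (after replication and a fresh logon, since the filter is a
# group membership): gpupdate /target:user /force, then restart Outlook.
```

The script is idempotent: re-running it finds the existing GPO, rewrites the same two values, and leaves the filtering and link as they were.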

Want to see what it looks like? Here are some screen shots and info:

This is what Outlook 2010 looks like by default (PST use enabled). You can go to File, Open, and you have an option to open a .PST file.



This is the Account Settings menu from Outlook 2010 while PST use is still enabled.



This is the Account Settings menu from Outlook 2010, still with PST use enabled, after clicking the Add button (as if adding a PST for mail storage).



After disabling the use of PST files, this is what Outlook 2010 looks like from the File, Open menu. Notice that the option of opening a PST file is gone?


This is the Account Settings menu in Outlook 2010 after PST use has been disabled. The popup is the box that comes up when you try to add a new Outlook data file. By default you'd be able to select Office Outlook Personal Folders File (.pst); once PST use has been disabled, no data file type can be selected and the only option is to click Cancel.


This is a shot of the left menu/folder area in Outlook 2010 after PST use has been disabled. Note that I still have "My Outlook Data File(1)" open, and its contents are still available. As you may know, Outlook automatically reopens PST files that were open when it was last closed, even if PST use has since been disabled! Once I right-click the data file and close it, I have no way to open it back up. This has ramifications when disabling PST use across an enterprise: information like this gets around, and users simply won't close their PST files (so they can keep reading from them). So this has to be addressed. I may dive deeper into this aspect at a later time.



So, as noted above, the PST is still open even though PST use is disabled. The screen shot above shows what happened when I tried to add new content to the PST: that error popped up and it didn't let me add anything. Thereafter, I right-clicked and closed the data file and couldn't open it again.

What happens if you try to circumvent the restrictions in the GUI by double-clicking the PST file?


This is the error that pops up when you try to double-click a PST file after PST use has been disabled. And since you can't open a PST from within Outlook, you are out of luck!

The registry is where the configuration changes actually take place. The GPO merely sets a couple of values under the per-user Policies hive, based on how the GPO is configured:

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\12.0\outlook (Outlook 2007)
HKEY_CURRENT_USER\Software\Policies\Microsoft\office\14.0\outlook (Outlook 2010)

A new REG_DWORD value named DisablePST is created there:
Value 0x00000001 (1) is equivalent to No PSTs can be added
Value 0x00000002 (2) is equivalent to Only Sharing-Exclusive PSTs can be added
Value 0x00000000 (0) is equivalent to the default, PSTs can be added

Keep in mind that a setting left at its default of Not Configured doesn't write the DisablePST entry at all. So by default there isn't anything in the registry until you create and configure a GPO. And because the value lives under HKCU\Software\Policies, where standard users have only Read access, a user can't simply delete it to get PSTs back.
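A client-side check to go with the registry notes above. This is an added example, not code from the original post: run it as the end user on a workstation to see what the GPO actually wrote, decoded with the meanings listed above, and which non-Exchange data files Outlook still has open (the already-open-PST situation described with the screen shots). The PstDisableGrow lookup is an assumption taken from Microsoft's Outlook policy documentation, not from this post. The script is read-only.

```powershell
# Added example; not code from the original post. Run as the end user on a
# client to see what the GPO wrote and which data files Outlook still has
# open (the post notes that a PST open at last shutdown stays readable after
# the policy lands). Read-only: it changes nothing. The COM part starts
# Outlook if it is not already running.
$Meaning = @{
    0 = 'PSTs can be added (default)'
    1 = 'No PSTs can be added'
    2 = 'Only Sharing-Exclusive PSTs can be added'
}

foreach ($ver in @{ '12.0' = 'Outlook 2007'; '14.0' = 'Outlook 2010' }.GetEnumerator()) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$($ver.Key)\Outlook"

    $v = Get-ItemProperty -Path $key -Name DisablePST -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        "$($ver.Value): DisablePST absent -> setting Not Configured, or policy not applied yet (try gpupdate /target:user /force and check gpresult /r)"
    } else {
        $m = $Meaning[[int]$v.DisablePST]
        if (-not $m) { $m = 'unexpected value' }
        "$($ver.Value): DisablePST = $($v.DisablePST) -> $m"
    }

    # ASSUMPTION (from Microsoft's documentation, not from this post): the
    # "no new content" setting is PstDisableGrow under the PST subkey.
    $g = Get-ItemProperty -Path "$key\PST" -Name PstDisableGrow -ErrorAction SilentlyContinue
    if ($g) { "$($ver.Value): PstDisableGrow = $($g.PstDisableGrow) -> adding to existing PSTs blocked" }
}

# The Policies hive is what makes this a policy rather than a preference:
# standard users hold only Read on it, so the value can't simply be deleted.
(Get-Acl 'HKCU:\Software\Policies' -ErrorAction SilentlyContinue).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType

# Which non-Exchange stores are still open? ExchangeStoreType 3 = olNotExchange
# (a PST, or an IMAP account, which also keeps its cache in a PST).
$ol = New-Object -ComObject Outlook.Application
foreach ($store in $ol.Session.Stores) {
    if ($store.ExchangeStoreType -eq 3) {
        "Open data file: $($store.DisplayName) -> $($store.FilePath)"
    }
}
```

If DisablePST reads 1 but a data file still shows up in the last section, that is the reopened-PST case from the screen shots: the user can read it until it is closed, and the file itself is still on disk at the path printed, which is what a PST centralization effort needs to collect.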

25 comments:

  1. Great info! Thanks for the detailed write up. This has helped me a ton.

  2. Do you know if mixed Outlook 2007 / 2010 environments will require separate policies or if the 2010 template is backward compatible with 2007 clients?

  3. In the GPO there are areas for both 2007 and 2010; you don't need to create different GPOs.

  4. Did you ever work out how to remove references to the PST files in the user email profile?

  5. Sorry for the delayed response - email notification wasn't working!

    I didn't come up with a method to remove the PST files in the profile but would love to hear about what others have come up with.

  6. My administrator has added a GPO, which prevents me from creating, saving or moving email .msg to a pst file. Can I change this? I have admin rights.

  7. Sahrens - you can look at adjusting the registry permissions so that only you have more than Read access to the HKEY_CURRENT_USER\Software\Policies\Microsoft\office\14.0\outlook key (for Outlook 2010). Remove all of the entries that were put there by the GPO and then adjust permissions so that only your user account has Full Control. Reboot and see how it goes. Let us know!

  8. Has anyone found a way to remove PST files from every outlook profile in a domain?

    Replies
    1. I wonder if the DELPST.exe would work....

      http://support.microsoft.com/kb/2000021

  9. To remove all PST files from outlook but not delete.
    Run this vbscript as a login script

    ' Closes (removes from the profile) every non-Exchange store in the running
    ' Outlook session. The .pst files themselves stay on disk untouched.
    Option Explicit
    Const olNotExchange = 3   ' Store.ExchangeStoreType for PST-backed stores

    Dim objOutlook  ' Outlook.Application
    Dim Session     ' Outlook.NameSpace
    Dim Stores      ' Outlook.Stores
    Dim Store       ' Outlook.Store
    Dim i

    Set objOutlook = CreateObject("Outlook.Application")
    Set Session = objOutlook.Session
    Set Stores = Session.Stores

    ' Walk the collection backwards: removing a store while iterating it
    ' forwards with For Each can skip the store that followed the removed one.
    For i = Stores.Count To 1 Step -1
        Set Store = Stores.Item(i)
        If Store.ExchangeStoreType = olNotExchange Then
            Session.RemoveStore Store.GetRootFolder
        End If
    Next

  10. Is there a way to allow users to view pst files but restrict users from creating pst files?

    Replies
    1. Hi Thomas - if you restrict users from adding content to PSTs, that is going to drastically reduce the value of creating PST files. There is a GPO setting specifically to prevent users from adding new content to PSTs (but they can view existing content in PSTs).

  11. Thanks for the response Brian. We are a law firm and receive pst files from external sources such as clients. We still want to be able to view those files sent from clients but restrict users from creating new pst files. Is that possible?

    When you say existing content, does that mean we can view files sent to us from external sources? Just not add to them?

    Thank you for your help!

    Replies
    1. Hi Thomas - yes, you can view existing content in PSTs (whether you have them or receive them from others - the source of the PSTs doesn't come into play).

  12. This comment has been removed by the author.

  13. Could I then create a group to allow admins to create pst files if needed?

    Thanks!

    Replies
    1. Hi Thomas - yes. You can have one GPO for non-admins that doesn't allow the creation of PST files. Then have a different GPO for admins that does allow the creation of PST files.

  14. Thanks!

    What is the setting in PST settings called to ALLOW the GPO to create pst files?

    Replies
    1. Hi Thomas - assuming that you don't have any other settings that you want to push to admins, you can just make sure that they aren't getting the GPO you use to not allow PST creation. So if you create a GPO named NO-PST-CREATION, link it only to the non-admins. You could do this by having admins in an OU which the GPO isn't linked to or you can do it with GPO security filtering.

  15. Hi there! So let me see if I got it right... once the GPO is applied, I cannot create a new PST, but the other ones I already had, and that were open in Outlook, can still be accessed. Can I move that info into whatever server archive system I have? Or do I have just read access to the data within the PST?

    Replies
    1. Hi Marco - correct. Once the GPO is applied, you cannot create a new PST. The PSTs that you already had (but are NOT currently open in Outlook) cannot be opened. The PSTs that you had and were open in Outlook become read-only. You can move the data to an archive system or anywhere else, or you can continue to use them as read-only. I advise moving the data because it is highly likely that PSTs will be closed (by accident or not) by users and then never be able to be opened again (thus, don't rely on the fact that Outlook can still read the PST if it was already opened, because that is likely to not last all that long).

      Brian

    2. Brian thanks for the insight!
      Haha, never trust PSTs indeed!! IT law Nº1.
      My concern then is: now let's say that there is one guy that had like 5 PSTs with really old data, and he kept open just the most recent one, and only opened the others to check old info and closed them again. From what I understand, I will not be able to touch the registry key again because the GPO will overwrite the change; therefore, information could be lost forever. (Of course in that case the applying GPO would be removed, but I'm thinking as an end user.) I'm concerned about that since I work in a company that has probably more than 70k accounts. I think it would be better to implement it site by site, one at a time.

    3. Hi Marco - if you decide to take on a PST archive or PST centralization project, you will need to account for grabbing all PST files from all computers as part of that. There are some third-party products to assist with such an effort. Generally, the typical order is - centralize all PST files (or import all PST data into archive servers), THEN implement a GPO to disallow the use of PSTs thereafter. Remember, even if a guy has 5 PSTs (and only one open in Outlook) - the actual PST files reside on his computer (or sometimes - but hopefully not - a file server) - so the data won't be lost as long as you have a plan to grab it.

      Brian

  16. Hello Brian.. There is a flaw in the GPO to prevent the growth of PST. I can create a new email and drag and drop email from my server inbox as an attachment, save it to Drafts and then from Drafts can move it to the PST without it getting blocked. Hope Microsoft can fix this issue.

    Replies
    1. Interesting situation you describe. I'm not aware of it. You should consider posting it in the TechNet forums - social.technet.microsoft.com to see if others can reproduce it. Microsoft peruses those forums as well.

      Brian
