Best Practices Guide

Lock down Microsoft Outlook 2007 to prevent .PST file access

After migrating users' data from .PST files to Exchange Server 2007 mailboxes, you must lock down Microsoft Outlook to prevent further access to remaining .PST files. Previously, we implemented a group policy setting that let users open existing .PST files, but prevented them from placing any additional data into those files. This tip explains how to completely deny users the ability to open .PST files in Exchange Server environments.


To completely deny users the ability to open .PST files, you must lock down Microsoft Outlook's AutoArchive and Outlook Data File options. Disabling the AutoArchive option supposedly can be accomplished through a group policy setting, but I wasn't able to locate any specific instructions on how to do this.

I did, however, find some registry settings that you can use to disable Microsoft Outlook 2007's AutoArchive menu completely, and remove the AutoArchive option from the Other tab in the Options properties sheet. Access the Options properties sheet by choosing the Options command in Outlook 2007's Tools menu.

Note: Because you will be editing the registry, I recommend embedding these commands in a script and testing that script on a lab machine before attempting these modifications on a production machine.

Next, set the value of each of the following registry keys to 0:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\ArchiveDelete
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\ArchiveMount
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\ArchiveOld
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\DeleteExpired
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\DoAging
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\PromptForAging

Now we're going to disable the use of .PST files on users' workstations. To do so, the administrative template for Microsoft Outlook must be installed.

Open the Group Policy Object Editor and navigate through the group policy tree to: User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Miscellaneous -> PST Settings.

I recommend verifying that the group policy setting Prevent Users From Adding New Content to Existing .PST Files is still enabled. Next, enable the setting Prevent Users From Adding .PSTs to Outlook Profiles and/or Prevent Using Sharing-Exclusive PSTs.


When you enable this setting, you need to decide which of its options to use. The default option lets users continue to add .PST files, so simply enabling the policy setting doesn't help reach our goal.

The next option is to disallow the addition of .PST files. While this may seem like the best option, it does have some nasty side effects. If you block all .PST files, then some Microsoft Outlook features, such as SharePoint lists and Internet calendars, will cease to function.

The final option is to add only sharing-exclusive .PSTs. This is usually your best option because it prevents users from copying mail items to and from .PST files. It also won't prevent certain Outlook features from working.

I prefer to use the Group Policy Object Editor to lock down .PST files. However, some Exchange administrators prefer to use a registry setting that removes the Outlook Data File option from the menu when a user selects the New command from Outlook's File menu. If you want to try this approach, go to the following registry key and set its value to 5575:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\DisableCmdBarItemsList\TCID1
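
As an added example (not the author's script), the PowerShell below applies the registry values listed in this tip, reads each one back, and reports any that do not match, which suits the lab testing recommended above. The value types (DWord for the Preferences entries, String for TCID1), the parameter names and the use of PowerShell 3.0 or later are assumptions; the tip gives only the value names and data.

```powershell
# Added example, not the author's script. Save as a .ps1 and run as the target user.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Policy path exactly as printed in the tip; confirm it on a lab machine.
    [string]$Base = 'HKCU:\Software\Policies\Microsoft\Office\12\Outlook',
    [switch]$AuditOnly   # report current state without writing anything
)

# Desired state from the tip. Value types are assumptions (the tip gives only the data).
$desired = @(
    'ArchiveDelete', 'ArchiveMount', 'ArchiveOld',
    'DeleteExpired', 'DoAging', 'PromptForAging' | ForEach-Object {
        @{ Key = "$Base\Preferences"; Name = $_; Data = 0; Type = 'DWord' }
    }
)
$desired += @{ Key = "$Base\DisableCmdBarItemsList"; Name = 'TCID1'; Data = '5575'; Type = 'String' }

function Get-PolicyValue($Key, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = foreach ($item in $desired) {
    $actual = Get-PolicyValue $item.Key $item.Name
    if ($actual -ne $item.Data -and -not $AuditOnly -and
        $PSCmdlet.ShouldProcess("$($item.Key)\$($item.Name)", "Set to $($item.Data)")) {
        if (-not (Test-Path $item.Key)) { New-Item -Path $item.Key -Force | Out-Null }
        New-ItemProperty -Path $item.Key -Name $item.Name -Value $item.Data `
            -PropertyType $item.Type -Force | Out-Null
        $actual = Get-PolicyValue $item.Key $item.Name   # read back to confirm the write
    }
    [pscustomobject]@{
        Name      = $item.Name
        Expected  = $item.Data
        Actual    = $actual
        Compliant = ($actual -eq $item.Data)
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a logon script or management tool flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

Run it with -WhatIf to preview the writes, or with -AuditOnly to use it purely as a compliance check on machines that should already be locked down.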

About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Microsoft Exchange, Windows Server and Internet Information Server (IIS). He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.


This was first published in September 2008
