Lock down Microsoft Outlook 2007 to prevent .PST file access

Lock down Microsoft Outlook 2007 to prevent .PST file access

After migrating users' data from .PST files to Exchange Server 2007 mailboxes, you must to lock down Microsoft Outlook to prevent further access to remaining .PST files. Previously, we implemented a group policy setting that let users open existing .PST files, but prevented them from placing any additional data into those files. This tip explains how to completely deny users the ability to open .PST files in Exchange Server environments.

To completely deny users the ability to open .PST files, you must lock down Microsoft Outlook's

    Requires Free Membership to View

    Login

    When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by Exchange professionals today working with Exchange, Outlook and other related technologies.

    Margie Semilof, Editorial Director

    By submitting your registration information to SearchExchange.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchExchange.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

AutoArchive and Outlook Data File options. Disabling the AutoArchive option supposedly can be accomplished through a group policy setting, but I wasn't able to locate any specific instructions on how to do this.

I did, however, find some registry settings that you can use to disable Microsoft Outlook 2007's AutoArchive menu completely, and remove the AutoArchive option from the Other tab in the Options properties sheet. Access the Options properties sheet by choosing the Options command in Outlook 2007's Tools menu.

Note: Because you will be editing the registry, I recommend embedding these commands in a script and testing that script on a lab machine before attempting these modifications on a production machine.

Next, set the value of each of the following registry keys to 0:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\ArchiveDelete
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\ArchiveMount
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\ArchiveOld
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\DeleteExpired
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\DoAging
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\Preferences\PromptForAging

Now we're going to disable the use of .PST files on users' workstations. To do so, the administrative template for Microsoft Outlook must be installed.

Open the Group Policy Object Editor and navigate through the group policy tree to: User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Miscellaneous -> PST Settings.

I recommend verifying that the group policy setting Prevent Users From Adding New Content to Existing .PST Files is still enabled. Next, enable the Prevent Users From Adding .PSTs to Outlook Profiles and/or Prevent Using Sharing-Exclusive PSTs.

More on Microsoft Outlook .PST files and group policies:
Control Microsoft Outlook .PST file size and usage via the registry

Microsoft Outlook .PST file FAQs

Troubleshooting a Microsoft Outlook group policy

When you enable this setting, you need to decide which setting you want to use. The default setting lets users continue to add .PST files. Therefore, simply enabling the policy setting doesn't help reach our goal.

The next option is to disallow the addition of .PST files. While this may seem like the best option, it does have some nasty side effects. If you block all .PST files, then some Microsoft Outlook features, such as SharePoint lists and Internet calendars, will cease to function.

The final option is to add only sharing-exclusive .PSTs. This is usually your best option because it prevents users from copying mail items to and from .PST files. It also won't prevent certain Outlook features from working.

I prefer to use the Group Policy Object Editor to lock down .PST files. However, some Exchange administrators prefer to use a registry setting that removes the Outlook Data File option from the menu when a user selects the New command from Outlook's File menu. If you want to try this approach, go to the following registry key and set its value to 5575:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12\Outlook\DisableCmdBarItemsList\TCID1

About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Microsoft Exchange, Windows Server and Internet Information Server (IIS). He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

This was first published in September 2008

Back to top