SolutionBase: Customize Outlook security using the Outlook Administrator Pack

Microsoft Outlook has many customizable security settings, but they're not always easy to get to. Here's how the Outlook Administrator Pack can help.

Microsoft's Office 2003 Resource Kit provides a set of tools that help you administer and fine tune its signature Office suite. Here's a look at the Outlook Administrator Pack, a utility that allows you to customize server-side security settings.

What it does

The Outlook Administrator Pack gives you a centralized way to customize server-side security settings for users of Outlook 98, 2000, XP, and 2003. Using the Pack, you have access to Outlook settings that are normally locked down. This allows you to tailor settings such as allowed attachments and warning levels to your organization as a whole or to groups of users.

Why you need it

The Outlook Administrator Pack simplifies administration of Outlook security, provided your enterprise uses a server on which global security settings can be applied (such as Exchange Server). Using this utility you can adjust your settings as needed.


The Outlook Administrator Pack will not apply to enterprises where users run Outlook with PST mailboxes. Rather, it is intended for organizations running Outlook with Microsoft Exchange Server and either Mailbox (MDB) or Offline folders (OST). In addition, the administration machine must use Microsoft Windows 2000 or later.

Download and installation

The Outlook Administrator Pack (OAP) is one of many tools that come with Microsoft's Office 2003 Resource Kit (ORK). Other utilities include the

  • Custom Installation Wizard
  • Custom Maintenance Wizard
  • MST File Viewer
  • Profile Wizard

A custom installation will allow you to specify which utilities to install. Run the Setup file any time after that to add or remove components. For more information on the ORK's tools, see Microsoft's Office 2003 Editions Resource Kit Web page. Download the resource kit (7.3 MB) from Microsoft's Web site.

Oddly, the Outlook Administrator Pack is not installed with the rest of the ORK, even if you do a custom installation. Instead, Setup copies the self-extracting installation file for the Outlook utility to your hard drive. Installing the OAP is an additional step.

Installing the Office 2003 ORK

To install the Microsoft Office 2003 Resource Kit, double-click the file Ork.exe. Accept the license agreement. Choose the type of installation you want: Install Now (this choice contains the default installation), Complete Installation, or Custom Installation.

Accept the default installation directory, or type in your own. If you chose a Custom Installation, the Advanced Customization screen will appear. Otherwise, the ORK will be installed at this time. For a Custom Installation, drill down into each tool and select either Run From My Computer, Run All From My Computer, or Not Available. Click Next to confirm your choices.

Once installation is complete, the ORK tools will be available in the Start Menu. Choose Start | All Programs | Microsoft Office | Microsoft Office Tools | Microsoft Office 2003 Office Resource Kit.

Installing the Outlook Administrator Pack

After installing the Office 2003 Resource Kit, use My Computer to navigate to Program Files | ORKTOOLS | ORK11 | TOOLS | Outlook Administrator Pack. Double-click the self-extracting file ADMPACK.EXE. Accept the license agreement. Next, indicate where you want the installation program to place the extracted files, such as C:\OAP. If the folder doesn't exist, the installation program will create it for you. Four files are created in the location you specify:

  • Comdlg32.ocx and Hashctl.dll enable Trusted Code controls and set up this COM add-in as a Trusted Code.
  • OutlookSecurity.oft is the Outlook template you'll use for customizing server-side Outlook security settings.
  • Readme.doc contains detailed instructions for configuring and using the Outlook template.

Installing and registering the Trusted Code controls on an administrative computer allows users to execute COM add-ins that bypass built-in security blocks. In other words, the COM add-ins are registered as "trusted" by the application. The control only needs to be set up on the administrative machine(s), not on the systems of each user.

To install the Trusted Code control:

On your administrative computer(s), place a copy of Hashctl.dll and Comdlg32.ocx in your Windows operating system's System32 directory. It's possible you may need to replace a previous version of Comdlg32.ocx.

Register these files by choosing Start | Run and typing the commands regsvr32 hashctl.dll, and then regsvr32 hashctl.dll.

Creating a Public Folder for security settings

In order for your modified security settings to apply to all users, you need to create a Public Folder on Exchange Server called either Outlook Security Settings or Outlook 10 Security Settings (make sure to spell it exactly as indicated). Place this new folder in the root of the Public Folders tree. Next, set the Security Settings folder's Access Control List (ACL) to give read-access to all users.

If you plan to share administration, at this time you should also specify which additional users have the authority to create, edit, and delete files in this folder. For convenience, you may wish to set up a security group with owner permissions.

Publishing the new security form

Once you have installed the Outlook Administrator Pack, registered the Trusted Code control, and set up the Outlook Security Settings Public Folder, you are ready to set up the security template. Double-click the file Comdlg32.ocx in the directory in which you installed the Outlook Administrator Pack. Next, point the template to the Outlook Security Settings folder you created on the Exchange Server. The template will open.

From the template menu, select Tools | Forms | Publish Form. Name the form Outlook Security Form unless you have a previous security form you are overriding. In that case, use the same name as the previous form. Click Publish. When the form is saved, close the template. Do not save changes when asked.

Configuring the Outlook Security Form

To configure security settings for your users, open Microsoft Outlook on your administrative machine. Select Tools | Forms | Choose Forms. Navigate to your new template and select it. Click Open.

You will see a form with three tabs:

  • Outlook Security Settings
  • Programmatic Settings
  • Trusted Code

Outlook Security Settings

In the Outlook Security Settings tab, create the customizations for Default Security Settings for All Users by selecting that radio button and making the desired changes (Figure A). Alternatively, you can set security settings for specific groups. The procedure is the same, except that in the Security Group Name box, you name the group for which you are customizing settings and add the member names in the box below. Note: For Exchange Server 2000 and later versions, you can use distribution lists in place of member names.

Figure A

Use the Outlook Security Settings tab to customize the behavior of attachments, scripts, and controls.

Here is a rundown of changes to attachment file types you can make:

  • Level 1: File attachments in this category can't be opened, saved, or printed. By default, Level 1 attachments include .bas, .bat, .chm, .cmd, .com, .cpl, .exe, .hlp, .inf, .js, .mdb, .msi, .mst, .pif, .reg, .scr, .url, .vbs, .wsh, and others. You can add new file types or remove attachments form this list. Removing them puts them in a Level 2 category. For a complete list of restricted file types, see the Readme.doc file that installs with the OAP.
  • Level 2: File attachments in this category have to be saved to disk before viewing or editing. By default, there are no Level 2 file attachments. You can add new file types or remove attachments from this list. When you add extensions that are on the Level 1 list, they are also demoted from Level 1 to Level 2 status.

On this tab, you can also specify how Outlook scripts and controls are handled: Prompt User, Automatically Approve, and Automatically Deny. Finally, you can change the way end users manage their own Outlook security by checking any of the Miscellaneous Attachment Settings.

Programmatic settings

The Programmatic Settings tab contains various actions Outlook takes in response to program conditions, such as sending items or responding to meeting requests. You will probably want to leave the values in this tab set to Prompt User. But if you wish, you can change these responses to Automatically Approve or Automatically Deny.

Trusted Code settings

In the Trusted Code tab, add or remove DLL files for COM add-ins. Each COM add-in placed in this tab will run on client computers, bypassing Outlook's security, provided the DLL file exists on the client machine.

When you've finished adjusting settings, choose File | Close.

Enabling new security settings for users

Once you have configured customized security settings, you may need to take an additional step to set up client computers to use them. If you installed Microsoft Office with system polices, no further action is necessary. Otherwise, create the following registry DWORD key on client computers:


The values of the key are as follows:

  • 0 - Use Outlook's default administrative settings.
  • 1 - Use the custom administrative settings in the folder called Outlook Security Settings.
  • 2 - Use the custom administrative settings in the folder called Outlook 10 Security Settings.
  • Any other value or no key present - Use Outlook's default administrative settings.

Highlight the new registry key and export it using the Selected Branch option. Install the key on client machines. Some installation options include using remote administration, adding the installation to a login script, e-mailing users a shortcut to the file (files with .reg extensions can't be run as Outlook attachments), or giving users the location of the .reg file on a shared directory and instructing them to install it.

Additional notes and cautions

Remember that when you change file types from Level 1 to Level 2 status, or allow users to customize Outlook file extensions and add files to Trusted Code status, you introduce security risks. To reduce the danger to your network, use these settings with care.

The first time your users run Outlook after you change security settings, the program will still use the default settings. Users will need to close Outlook and reopen it again to incorporate the new security policy.

Even if you allow users to manipulate some security settings, the values you set for Level 1 as an administrator will override values set by users. And if you haven't explicitly checked Allow Users To Lower Attachments To Level 2, any user settings will be ignored.

The Outlook Administrator Pack is a useful form-based tool for setting customized global security settings. By creating several of these forms in the Public Folders' Outlook Security Settings folder, you can specify different security options for different groups of users. The main problems to watch out for are getting the required client-side registry entry set up if you are not running Office with policies, keeping up with new security requirements and user groups, and getting users to start Outlook twice to incorporate new changes.