SolutionBase: Exercise control over Outlook using Group Policy

Microsoft designed Outlook to be a flexible tool for end users. The problem is Outlook can be a little too flexible, allowing users to get into trouble if they're not careful. Here's how you can use Group Policy with Outlook to exercise some control over what users can do.

One of the things that I have always liked about Microsoft Outlook is that you can completely fine tune it to fit your own tastes. You can turn various features on and off, you can control the screen layout, and just about anything else that you can imagine. Any time that you can customize an application to suit your own tastes it's nice, but being that I spend so much time working in Outlook, I've found the customization features especially helpful.

Unfortunately, having the ability to completely customize Outlook is a double-edged sword. Customizations can be very helpful, but they can also be a support nightmare. Imagine what your help desk staff would go through when trying to help users with Outlook problems if every single user's copy of Outlook were configured differently.

Don't worry though. You don't have to give your users complete control over their Outlook settings. By using group policy, you can exert control over what users can and can't do with Outlook.

Tread lightly

I'm not saying that I think that you should lock down Outlook to the point that users can't change anything though. I know that this won't be a popular statement in this time of overzealous security and rampant paranoia, but I think that the users should be able to maintain at least some control over the look and feel of Outlook. Having said that though, there are some things that the users definitely should not be touching. For example, you don't want the users to try to reconfigure Outlook's connection to the mail server.

Another example of a feature that you may not want users messing with is the preview pane. In my own organization, I keep the preview pane turned off because the preview pane will display the contents of any message that is selected, even if the user hasn't actually opened the message. If a message happens to contain malicious HTML code, previewing the message could theoretically cause the code to execute.

Whatever your philosophy regarding what users should and should not be allowed to do in Outlook, it hasn't really mattered much until recently. That's because Outlook was designed for the end user, not for the administrator. It lacks the basic tools that an administrator needs in order to maintain control over Outlook's various settings. When you deploy Outlook, you have for the most part been at the mercy of your users not to mess with the settings.

Microsoft to the rescue

All of this has recently changed though. Microsoft has released a new utility that allows you to manage Outlook 2003 through a group policy. The utility allows you to gain very tight, granular control over even the most obscure of Outlook's settings.

Before I show you how to download, install, and use this utility, there are a couple of things that you need to know. For starters, the group policy settings that I am about to show you are only effective against computers that are running Outlook 2003. Older versions of Outlook do not respond to group policies.

Another thing that you need to know is that many of the group policy settings that I will be showing you are only effective against newly created Outlook profiles. They have no effect on existing profiles. You may therefore find yourself in a situation in which you have to start out by gaining control over new user accounts, and then gradually start replacing existing Outlook profiles.

Acquiring the utility

Since Windows does not include Outlook related group policy objects by default, you will have to download an administrative template and import it into your effective group policy. You can download the necessary administrative templates from Microsoft's Web site.

The file that you are downloading is a self-extracting executable that contains administrative templates for most of the Microsoft Office applications (Word, Excel, Outlook, PowerPoint, etc.). I have chosen to focus this article on Outlook though, because it usually doesn't create any major headaches if a user changes a few settings in Microsoft Word, but that isn't the case with Outlook.

Installing the Outlook administrative template

To import the Outlook template, open the Group Policy Editor for your effective group policy and navigate to User Configuration | Administrative Templates. Now, right-click on the Administrative Templates container and select the Add / Remove Templates command from the resulting shortcut menu. When you do, you will see the Add / Remove Templates dialog box appear.

Click the Add button and you will be prompted for the template that you wish to import. Select the OUTLK11.ADM file from the folder where you extracted the various Microsoft Office administrative templates, and click Open followed by Close. The template is now imported into the Group Policy Editor.

Locking down Outlook

Now that you've gotten the administrative template installed, let's talk about how you can go about locking down Outlook. If you open the Group Policy Editor, you can find all of the Outlook related group policy objects located at User Configuration | Administrative Templates | Microsoft Office Outlook. Unfortunately, the administrative template for Outlook contains several dozen individual group policy objects.

There is no way that I can possibly talk about all of them within the amount of space that I have to work with. That being the case, I'm going to talk about some of the settings that I have found to be the most useful, rather than just presenting you with a long list of group policy objects.

Blocking e-mail attachments

Different companies have different needs when it comes to E-mail attachments. Some companies despise E-mail attachments because they are the most commonly used mechanism for spreading viruses. Other companies depend on being able to use E-mail attachments. For example, when I finish writing this article, I will send it to my Editor as an E-mail attachment.

Whichever philosophy you buy into, the administrative template for Outlook can help. You can use the template to either forbid E-mail attachments or to make sure that E-mail attachments aren't prohibited.

To do so, navigate through the Group Policy Editor to User Configuration | Administrative Templates | Microsoft Office Outlook 2003 | Security. The Security container contains two group policy objects that relate to E-mail attachments, but you must only enable one of these policies because they contradict each other. If you want to prevent users from being able to open E-mail attachments, then you will want to enable the Disallow Access to E-Mail Attachments policy.

If on the other hand, you want to allow users to receive E-mail attachments, you don't actually have to do anything, because users can receive E-mail attachments by default. You can however configure the group policy so that access to E-mail attachments can't be accidentally blocked. To do so, you would enable the Allow Access to E-Mail Attachments policy.

Plain text

Earlier, I mentioned that I don't like to use the preview pane because of the possibility of messages containing malicious HTML code. To get around this problem, you could prevent users from using the preview pane, but if users have gotten used to being able to preview messages, then you might have a riot on your hands if you block that capability.

An alternative is that you can require users to read E-mail messages as plain text rather than viewing messages in HTML format. You can access the plain text related policy objects at: User Configuration | Administrative Templates | Microsoft Office Outlook 2003 | Tools | Options | Preferences | E-Mail Options.

When you select the E-Mail Options container, the pane on the right side of the console will display two different options related to plain text E-mail. The options are: Read E-Mail As Plain Text, and Read Signed E-Mail As Plain Text. The reason for the two different options is that if an E-Mail message contains a valid digital signature, Outlook assumes that the message is from a trustworthy source and displays the message as the sender intended. This is usually safe to do, but you can prevent digitally signed messages from being displayed in anything other than plain text if you choose.

PST files

One of the trickiest administrative tasks related to Outlook is managing PST files. PST files are files that can be used to store messages, calendar entries, and any other type of Outlook data. The problem with PST files is that they have a size limit. Older PST files were limited to storing a maximum of 2 GB worth of data. The size limit itself wasn't so much of a problem; it was the way that Microsoft chose to deal with the size limit.

Outlook doesn't contain any safeguards to prevent users from exceeding a PST file's maximum size. When a PST file gets to be too large, it stops working. There is a really messy repair process that you have to go through to return the file to a functional state, and the process almost always results in at least some data loss.

Fortunately, you can use the administrative template for Outlook to regulate PST file sizes. You can set policies that set the point at which Outlook will no longer allow you to add data to a PST file, and you can set an absolute maximum size for PST files. Best of all, the administrative template is smart enough to know the difference between a legacy PST file (with a 2 GB limit) and a large PST file (large PST files, also known as Unicode PST files, have a 20 GB limit by default).

You can set PST thresholds at User Configuration | Administrative Templates | Microsoft Office Outlook 2003 | Miscellaneous | PST Settings.
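Because these policies only stop future growth, it helps to know which existing PST files are already close to the limits described above. The following script is an added example, not part of the original article or Microsoft's template: it tells legacy from Unicode PST files by reading the header (magic `!BDN`, format version `wVer` at offset 10: 14 or 15 for legacy, 23 or higher for Unicode) and flags files near the article's 2 GB and 20 GB limits. The function names, the 90% warning ratio and the `sample_header` helper are assumptions made for illustration.

```python
import struct
from pathlib import Path

PST_MAGIC = b"!BDN"  # dwMagic: first 4 bytes of a PST header
GB = 1024 ** 3
# Limits as stated in the article: 2 GB legacy, 20 GB default for Unicode.
LIMITS = {"legacy": 2 * GB, "unicode": 20 * GB}


def sample_header(w_ver):
    """Constructed 12-byte header for testing: magic, zeroed CRC, 'SM', wVer."""
    return PST_MAGIC + b"\0" * 4 + b"SM" + struct.pack("<H", w_ver)


def pst_format(header):
    """Classify a PST from its first 12 bytes via wVer (uint16 LE, offset 10)."""
    if len(header) < 12 or header[:4] != PST_MAGIC:
        raise ValueError("not a PST file")
    (w_ver,) = struct.unpack_from("<H", header, 10)
    if w_ver in (14, 15):
        return "legacy"
    if w_ver >= 23:
        return "unicode"
    raise ValueError(f"unrecognised wVer {w_ver}")


def assess(fmt, size, warn_ratio=0.9):
    """Compare size in bytes with the limit; warn_ratio is an assumed threshold."""
    limit = LIMITS[fmt]
    if size >= limit:
        return "over-limit"
    if size >= warn_ratio * limit:
        return "warning"
    return "ok"


def audit(root):
    """Return (path, format, size, status) for every *.pst file under root."""
    results = []
    for path in sorted(Path(root).rglob("*.pst")):
        size = path.stat().st_size
        with path.open("rb") as fh:
            header = fh.read(12)
        try:
            fmt = pst_format(header)
            results.append((str(path), fmt, size, assess(fmt, size)))
        except ValueError:
            results.append((str(path), "invalid", size, "skipped"))
    return results
```

Call `audit()` on a user profile or file-share root and review any entries whose status is `warning` or `over-limit` before choosing policy thresholds.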

Menu options

One of the areas that you probably want to make sure to lock down is the menu bar. I'm not saying that you should disable the entire Outlook menu bar, but there are some menu choices that you probably don't want curious users tampering with. A classic example of this is the Tools menu. If a user chooses the E-Mail Accounts option from the Tools menu, they could potentially disconnect from the Exchange Server or connect Outlook to their personal (not corporate) mailbox.

As you have probably already guessed, the administrative template for Outlook allows you to lock down Outlook's menu bar. What might surprise you though is that you don't have to lock users out of entire menus. You can instead choose to disable individual menu options.

For example, let's pretend that you wanted to disable the E-Mail Accounts option on the Tools menu, but nothing else. To do so, you could go to User Configuration | Administrative Templates | Microsoft Office Outlook 2003 | Disable Items in User Interface | Predefined. When you select the Predefined container, you will see a couple of options appear in the console's Details pane. Right-click on the Disable Command Bar Buttons and Menu Items option and select the Properties command from the shortcut menu. When you do, you will see a dialog box appear that allows you to disable individual menu commands.

The options on this menu are a little bit confusing at first glance. In our example, we were going to disable the E-Mail Accounts option on the Tools menu. That option is listed on the dialog box as Inbox: Tools | E-Mail Accounts. The reason why the console words things this way is because Outlook presents different menu options based on what the user is doing.

For example, if the user is working in their Inbox, they will have a different set of menu items than they would if they were looking at their calendar. Therefore, each item on this dialog box starts out by displaying which section of Outlook the user is working in (in this case, Inbox).

After the mode, there is a colon, the menu name, and the option name. Therefore the Inbox: Tools | E-Mail Accounts option refers to the E-Mail Accounts choice on the Tools menu that is presented when the user is working in their Inbox.


So far in this article, I have talked mostly about settings that affect your organization's security. I couldn't live with myself if I concluded this article without talking about the spelling option though. It's probably because I am an author, but I have a serious pet peeve regarding E-mail messages containing misspelled words. I hate having to read E-mail messages in which the sender butchers the English language.

For now, the administrative template for Outlook does not contain an option for cleaning up the spelling and grammar on inbound messages, but you can mandate a spell check for the users on your network. OK, I know that most of you probably don't really care whether E-mail messages from your co-workers are grammatically correct or not. Even so, a mandatory spell check isn't a bad idea. The spell check only takes a second, and if you have employees who send E-mail messages to clients or partners, then the spell check will help to keep your clients and partners from perceiving your employees as illiterate.

You can find the spell check options at User Configuration | Administrative Templates | Microsoft Office Outlook 2003 | Preferences | Spelling. There is only one group policy object in the Spelling container. It is named General. If you right-click on the General object and select the Properties command from the shortcut menu though, you will see a dialog box that allows you to enable or disable a number of spelling related policies.

Gaining a little control

Although I believe in allowing users to customize some aspects of Microsoft Outlook, there are some settings that can pose security risks or that can result in help desk calls if modified by users. By downloading, installing, and configuring an administrative template, you can gain administrative control over Outlook and keep your users from getting themselves into trouble.