Using Group Policy to Restrict the use of PST Files

Comments 0

Share to social media

Outlook Personal Folder Files (PST files) are a data store that can be used by all versions of Outlook to store e-mail data.  PST files have long been seen as a way to archive mail out of an Exchange mailbox, often to get the mailbox under a quota limit.  However, the use of PST files causes Exchange administrators some serious pain when it comes to managing e-mail.

Briefly, these are some of the problems with PST files:

  • Microsoft does not support using PST files over a LAN or WAN network (KB267019). Using PST files located on network shares can slow down Outlook and can cause corruption of the PST file.
  • Anti-virus countermeasures cannot be implemented on PST files as easily as Exchange Server mailbox databases.
  • It is difficult to accurately report on PST file use, making reporting on organisational mail storage and planning for future growth difficult.
  • Managing content of PST files is difficult.  Exchange Server provides tools to manage the content of mailboxes (such as Messaging Records Management) and to export or remove data from mailboxes (such as the Export-Mailbox cmdlet) but there are no such tools to manage the content of PST files.
  • Local PST files are difficult to back up, making them vulnerable to data loss.

Fortunately for the Exchange administrator, it is possible to restrict the ability to use PST files.  There are two settings available, and both can be applied using Group Policy registry changes – PSTDisableGrow and DisablePST. PSTDisableGrow prevents new data being added to existing PST files, and DisablePST prevents users creating or opening PST files altogether.

Description

Registry Path

Registry Value

Disable PST files

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook

DisablePST

Prevent PST file

growth

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\PST

PstDisableGrow

Table – PST Restriction Registry Values

Note: The registry paths are specific to Outlook versions “12.0” refers to Outlook 2007, the registry path for Outlook 2003 would be “…\Office\11.0\Outlook” and so on.

In an environment where PST files already exist, these settings can be applied separately or together to phase out their use.  The first step could be to implement restrictions on the growth of PST files using PSTDisableGrow which would allow users to access existing data but not allow it to be added to.  Subsequently, all PST file use could be disabled by implementing DisablePST.

In a new Exchange environment, or one where PST files are not used (and the Exchange administrator wants to keep it that way), the DisablePST setting can be applied on its own to stop users being able to add PST files to Outlook.

In any Exchange environment it is probably worth considering implementing a server-side archiving solution before disabling PST files.  Server-side archiving has many benefits compared to PST files, and as many users are determined to keep large quantities of historic e-mail it is better to have a managed solution than unmanaged ad-hoc PST file use – a scenario often know as “PST hell”.

If you are ready to disable PST file use the settings can be applied to Outlook 2007 with Group Policy using the Office 2007 Group Policy Administrative Templates.

Applying PST Group Policy for Outlook 2007

  1. Download the Office 2007 ADM Templates and extract the files

    http://www.microsoft.com/downloads/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7&displaylang=en

  2. Launch the Group Policy Management Console, click Start -> Administrative Tools -> Group Policy Management
  3. Expand the Forest, Domains, and domain containers then select “Group Policy Objects”

    836-BenLye2.jpg 

  4. Right-click “Group Policy Objects” and select “New”.  Give the new GPO a name, for example “PST Policy”, and click OK.  (Skip this step if you want to add these settings to an existing GPO.)
  5. Right-click “PST Policy” (or the existing policy you wish to edit)and choose “Edit”
  6. Expand “User Configuration”, right-click “Administrative Templates” and choose “Add/Remove Templates”
  7. Click the “Add” button and browse to the location of the files extracted in step 2.  Open the “ADM” folder and the appropriate language subfolder (en-us for English), select the file named “outlk12.adm” and click “Open”
  8. Click “Close” to close the “Add/Remove Templates” dialogue box
  9. Expand “User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\PST Settings”

    836-BenLye3.jpg 

  10. To implement the DisablePST restriction enable the “Prevent users from adding PSTs to Outlook profiles…” setting and set the option to “Only Sharing-Exclusive PSTs can be added”.  This will allow PST files for application such as SharePoint lists, but will prevent user-created PST files from being added.

    836-BenLye4.jpg

  11. To implement the PSTDisableGrow restriction enable the “Prevent users from adding new content to existing PST files.” setting.

If the PSTDisableGrow setting is implemented users will still be able to create and open PST files, but they will not be able to add any data to any PST files. If they try they will receive this error message:

836-BenLye5.jpg

If the DisablePST setting is implemented the user will see changes in the Outlook user interface.  While any PST files which were already loaded will remain part of the profile, the options to create new PST files or to open any other existing PST files will no longer be in the menu.  Archive options will also be removed.

836-BenLye6.jpg

DisablePST not implemented                                                       Disable PST implemented

PST files can be a headache for Exchange administrators, but they don’t have to be.  With easily-applied Group Policy settings the use of PST files can be limited, and the problems they cause can be eradicated. 

Load comments

About the author

Ben Lye is a senior systems administrator at a multi-national software company. He has over 10 years experience supporting and administering Windows and Exchange, and has been MCSE and MCP certified since 1999. Ben is passionate about automating and streamlining routine tasks, and enjoys creating and using tools which make day-to-day administration easier.