Prevent users from using PST

This article, I think, it’s pretty interesting as I’ll show you how to set up a new GPO to prevent users from using PST files in Microsoft Outlook without the need to install any Office ADM Templates.

All the GPO will do is create/modify a few registry keys (one for each version of Microsoft Office). There are two ways, depending on your environment you can choose either one or the other. The first one it’s the cleanest way to do it but it’s only supported from Windows 7 and above (and from Windows Server 2008). The second one it’s a bit more “rusty” as it basically launches a batch file and that’ll do the work. Both worked for me but at the end I chose to use option number 1 as the few XP/Vista machines we have, are about to go.

Note that I want to prevent users from growing their current PST files, this GPO will still allow them to access their existing PST files. I think this is very important. Also, they’ll be allowed to create new PST files and to attach existing ones at a later stage but they won’t be able to modify them (only create subfolders which is kind of useless).

Before showing you the configuration of both the GPOs, I will show you the core of how to prevent users from using PST files in Outlook by creating a new registry key for each Office version. For instance, if you want to deny Outlook 2016 users to add new items to their PST files, all you need to do is create this new registry Key:

And then create a REG_DWORD (value set to 1) named PstDisableGrow. You can do the same with any Office version, I went down to 11.0.

Important: This only works on the HKEY_CURRENT_USER Registry! So you must run it with the end-user account.

You can add these keys with a batch file with just a line for each version [Notice how I used echo Y | – This will skip the confirmation as it’s going to “press” it for you].

Or remove them once you want to allow the users to fully utilised PST files.

For both the GPOs, I am creating a group in Active Directory that will contain all users I want to allow PSTs for. Also, both the GPOs have been set to run only on workstations, avoiding Servers:

GPO - WMI Filtering Workstation - WMI Filter

Option #1 – Using only the standard GPO Editor (From Windows Server 2008+) for Windows 7+ clients.

  • Create a new GPO and Edit it – I called it Disable PST Grow.
  • Navigate to User Configuration\Prefernces\Windows Settings\Registry.
    • Disable PST Grow GPO Registry
  • Right click on Registry and select New > Registry Item.
  • Under Action, select Update. Fill in the rest as per the below screenshot.
    • Disable PST Grow GPO Registry - Update - General

If you also want to have an exception group, keep on reading the extra few steps.

  • Click on Common tab.
  • Select Item-level targeting.
    • Disable PST Grow GPO - Registry - Item-level targeting
  • Click on Targeting.
  • Click on New Item and select Security Group.
  • Under Item Options, select Is Not.
  • Select the group under Group. See below screenshot.
    • Disable PST Grow GPO - Registry - Targeting - Not a member - Common

Almost done!
Imagine that Nick Roberts got this GPO applied and then 2 weeks later he gets approval to get this policy disabled and you add his account to the PST Disable Grow Exception group. Nothing will happen, his client will keep prevent him from adding new items to his PST files.

In order to avoid that, we’re going to add a new Registry Item, this time you will configure it as per the two screenshots below.

  • The action is Delete. The key is the same (example below is for Office 15.0).
    • Disable PST Grow GPO - Registry - Delete - General
  • Under Common\Targeting, you will create a New Item > Security Group as before but you will select Is as you want to delete this registry key for all members of such group.
    • Disable PST Grow GPO - Registry - Targeting - Is a member - Common

That’s it! Now you want to create the same two keys for each Office version you want to cover:

Disable PST Grow GPO - Registry - ALL

Now Nick Roberts, after the GPO gets applied, will be able to add new items to his PST files.

Option #2 – Using a GPO to run a batch file (this will work on Windows XP too).

Also for this option, you will be able to Add/Delete the keys which is very useful when you want to revert the change by changing just the user’s group membership and re-applying the GPO (log off/log in).

  • Create a new GPO.
  • Navigate to User Configuration\Windows Settings\Scripts.
  • Double click on Logon.
  • Click Add.
  • Under Browse, copy and paste the script.bat that we will see shortly, select it and click Open.
    • No need to specify any Script Parameter.
  • Save and you’re done.

Let’s see the batch file. I called it PST_Disable_Grow.bat and this is its content:

I’ll go through it real quickly just to explain you the steps.
Firstly, I ping my domain (in the example it’s itdroplets.com). That’s very useful to avoid loads of errors when a laptop user is at home for instance. If the domain isn’t reachable, the script will go to end and finish.
If it’s reachable instead, it’ll check what’s the client OS, this is needed to determine what command to run to check the user’s groups membership. If it’s XP it’ll run

If it’s not XP, then it’ll run

In both cases, if the errorlevel equals 1, it’ll add the registry keys, if it equals 0, it will remove them.

Leave a Reply

Your email address will not be published. Required fields are marked *