GP-Oh…

One of the many joys of working in a corporate environment is the security needed to keep enterprising employees from doing things they shouldn’t. Where I work we don’t like people using PSTs for various legal reasons that don’t concern me. What does is that we use SharePoint. And SharePoint calendar integration.
 
Many administrators use the wonderful DisablePST registry value that keeps users from adding PST files to their mail profile. Unfortunately, not many people fully maximize the benefits of GPOs in their organization. The geeky among us have been using registry "hacks", for lack of a better term, to configure user desktops since the birth of the registry itself. This is great and I had been one of those geeks until the advent of Group Policy Objects. The problem with deploying registry changes outside of GPO? What happens if you need to change a setting? It’s time to bang out a script that you need to run on thousands of PCs. Not a problem you say? You’re the VBScript master? Well, I’m not so bad myself. But compared to opening the Policy Editor and changing a drop down or radio button selection, I’d say it’s a waste of time.
 
So how do I configure GPOs for Office? Here are links to the Office 2003 and Office 2007 administrative template downloads. Extract the files to a directory on your PC. When you open Active Directory Users and Computers or the Group Policy Management Console and create a new policy object, you can right click on Administrative Templates, choose Add/Remove Templates, click the Add button, and then browse for the ADM file you’d like to import. When you expand Administrative Templates you should see a new folder depending on what you added: Microsoft Office 2007 or Microsoft Outlook 2007, for instance.
 
Outlook 2007 comes with a brand new option "Only Sharing-exclusive PSTs can be added". Now you can restrict access to PST files used to auto-archive or offload email to a hard disk and still allow users to participate in the SharePoint experience!
 
Uh-oh, you use Outlook 2003? And you’ve added the administrative template and there is no such option? Hmmm, you’d be correct. So we have to get creative and write our own ADM file! This is a little complex, but if you are a scripter I think you’ll be able to identify what we are doing pretty easily. First, let me post the code:
 
CLASS MACHINE
CATEGORY "Custom Policy Settings"
 CATEGORY "Outlook 2003"
  KEYNAME "Software\Microsoft\Office\11.0\Outlook"
  POLICY "Disable PST Files"
   EXPLAIN "Disables PST use in Outlook 2003.  To reverse this setting you must leave the policy enabled and change the setting to Enabled."
   PART "PST usage in Outlook 2003"
    DROPDOWNLIST REQUIRED
    VALUENAME "DisablePST"
    ITEMLIST
     NAME "Disabled" VALUE NUMERIC 1 DEFAULT
     NAME "Enabled" VALUE NUMERIC 0
    END ITEMLIST
   END PART
  END POLICY
  POLICY "Enable Sharepoint PST Files"
   EXPLAIN "Enables Sharepoint PST use in Outlook 2003.  To reverse this setting you must leave the policy enabled and change the setting to Disabled."
   PART "Sharepoint PST usage in Outlook 2003"
    DROPDOWNLIST REQUIRED
    VALUENAME "AlwaysAllowSharePointPST"
    ITEMLIST
     NAME "Disabled" VALUE NUMERIC 0
     NAME "Enabled" VALUE NUMERIC 1 DEFAULT
    END ITEMLIST
   END PART
  END POLICY
 END CATEGORY
END CATEGORY
 
Try copying this code into a text file and adding it to your PC by using gpedit.msc. If you don’t have Outlook 2003 you can still play with it and check the registry to see the changes. NOTE: Because this is not a proper policy, in order to see the settings in the group policy editor you will need to go to View, Filtering and unselect the box for "Only show policy settings that can be fully managed".
 
So let’s start at the beginning with "CLASS MACHINE". This tells us this is a computer configuration policy and not a user configuration policy. This is important because a little later you’ll notice we are modifying a key in the HKEY_LOCAL_MACHINE hive, so having the class set right is crucial.
 
Next we choose a category. I like to keep all my custom settings under "Custom Policy Settings" and then make sub categories underneath. In this case that sub category is "Outlook 2003". Next we supply the key name. As I mentioned earlier, the class sets the hive, so these settings will go under HKLM. You can also set the key farther down if individual policies will affect different keys. Until you end this category the supplied keyname is in effect.
 
Now we get down to the fun part, policies! These are the items actually listed in the right hand pane of the group policy editor. First we supply the name you will see in the policy pane with POLICY "Disable PST Files". Next we supply the info that will appear in the details pane and on the explanation tab – EXPLAIN "Disables PST use in Outlook 2003.  To reverse this setting you must leave the policy enabled and change the setting to Enabled." If you read the explanation here it brings up an important point. What we are doing is modifying registry keys, not implementing policy. The difference is that when I change the policy to "Not Configured" or "Disabled" the value remains tattooed; it does not go away. I must remember to include a normalization value with my policy.
 
Next we specify the options you have after the policy is Enabled. PART "PST usage in Outlook 2003" shows the text and then DROPDOWNLIST REQUIRED sets up a drop down menu. Then we have the VALUENAME. This is the actual name of the registry value we will be modifying, like "DisablePST". Next we have the item list:
 ITEMLIST
  NAME "Disabled" VALUE NUMERIC 1 DEFAULT
  NAME "Enabled" VALUE NUMERIC 0
 END ITEMLIST
The NAME is what shows on the drop down and the VALUE is what will go in the registry.
 
This ADM file handles two registry entries under HKLM\Software\Microsoft\Office\11.0\Outlook, DisablePST and AlwaysAllowSharePointPST. Setting DisablePST to a value of 1 prevents users from adding PSTs, period! But using AlwaysAllowSharePointPST with a value of 1 allows the SharePoint application to add a special PST that is only used by the application to store calendar and other information.
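
The scoping rules walked through above (CLASS picks the hive, a KEYNAME stays in effect until its scope ends, and values written outside the policy keys are tattooed), as an added Python example that is not part of the original post: a small parser that lists the registry value each policy writes and flags the ones that will tattoo. The sample input is constructed from the template above, the second policy in it is hypothetical, and the parser ignores ACTIONLIST blocks and comments.

```python
import re
# Constructed input: first policy of the template above, plus one hypothetical
# policy under Software\Policies for contrast (its names are made up).
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "Outlook 2003"
 KEYNAME "Software\Microsoft\Office\11.0\Outlook"
 POLICY "Disable PST Files"
  PART "PST usage in Outlook 2003" DROPDOWNLIST REQUIRED
   VALUENAME "DisablePST"
   ITEMLIST
    NAME "Disabled" VALUE NUMERIC 1 DEFAULT
    NAME "Enabled" VALUE NUMERIC 0
   END ITEMLIST
  END PART
 END POLICY
 POLICY "Hypothetical managed setting"
  KEYNAME "Software\Policies\Example"
  VALUENAME "ExampleValue"
 END POLICY
END CATEGORY
'''
SCOPES = ("CATEGORY", "POLICY", "PART")
TAKES_ARG = SCOPES + ("CLASS", "KEYNAME", "VALUENAME", "END")
# Keys Group Policy cleans up itself; values written anywhere else are tattooed.
MANAGED = ("software\\policies\\",
           "software\\microsoft\\windows\\currentversion\\policies\\")

def adm_settings(text):
    """Return each VALUENAME with its policy, registry path and tattoo flag."""
    toks = re.findall(r'"[^"]*"|\S+', text)  # quoted strings keep their quotes
    hive, keys, policy, found, i = "HKLM", [], None, [], 0
    while i < len(toks):
        kw = toks[i].upper()  # a quoted token never equals a bare keyword
        arg = toks[i + 1].strip('"') if kw in TAKES_ARG else None
        if kw == "CLASS":
            hive = "HKLM" if arg.upper() == "MACHINE" else "HKCU"
        elif kw in SCOPES:  # a new scope inherits the KEYNAME in effect
            keys.append(keys[-1] if keys else None)
            policy = arg if kw == "POLICY" else policy
        elif kw == "KEYNAME":
            keys[-1] = arg
        elif kw == "VALUENAME":
            found.append({"policy": policy, "path": f"{hive}\\{keys[-1]}\\{arg}",
                          "tattoos": not (keys[-1].lower() + "\\").startswith(MANAGED)})
        elif kw == "END" and arg.upper() in SCOPES:
            keys.pop()
        i += 2 if kw in TAKES_ARG else 1
    return found
```

Any entry with `tattoos` set is one the Group Policy editor hides under "Only show policy settings that can be fully managed" and one that needs an explicit value to reverse it.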
 
So that’s a little bit about how to use Group Policy Objects to manage your computers and how you can create your own ADM files to manage registry settings that are not part of an existing policy.  Please feel free to post if you have questions or would like some extra detail!