SOLVED: GPO To Prevent Users From Exporting to PST

Why Block PSTs?

If you work in a corporate environment, your legal department may have a requirement to stop users from exporting email to PST. At first this might seem silly or overcontrolling, but there may be a good reason for it.

REDUCE INTELLECTUAL PROPERTY THEFT

Management may want to block export to PST to make it much more difficult for staff who are exiting the company to take their emails, contacts, and calendar with them. Because users can forward individual emails or even groups of emails to their personal email addresses, this is hardly foolproof, but it is part of good due diligence.

LEGAL DISCOVERY

We recently had a client who was fined by a judge because during legal discovery they told the court that they didn’t have more information on a given topic. The company was quite sure that was correct because they had a seven-year retention policy and most of the emails were from a decade ago. They were able to supply the court with a few hundred messages from recent conversations but little else. It then came to light that some regular staff and some IT staff had copies of older mail stored in backed-up PST files. The court was none too happy.

As a result of that mistake, the company searched all computers and all data stores on their servers for PST files, then deleted them. They also brought in a policy forbidding staff from printing emails, for the same reason.

GPO to Block Creation of PSTs

GPO TO DISABLE THE IMPORT / EXPORT BUTTON IN OUTLOOK

The easiest way to stop people from importing or exporting email to / from PSTs is to disable the IMPORT/EXPORT button in Outlook. This is easy to do.

  1. Download the latest admin templates for Microsoft 365 from Microsoft HERE
  2. Launch the Group Policy Management Console and either create a new GPO or edit an existing one
  3. Expand USER CONFIGURATION > ADMINISTRATIVE TEMPLATES > MICROSOFT OUTLOOK 2016 > CUSTOM
  4. Double click on DISABLE COMMAND BAR BUTTONS AND MENU ITEMS
  5. Select ENABLED
  6. Click the SHOW button
  7. Enter the number 2577
  8. Make sure you apply that GPO to the group you want to restrict Outlook PST importation and exportation to

GPO TO DISABLE THE CREATION OF NEW PSTs

  1. Download the latest admin templates for Microsoft 365 from Microsoft HERE
  2. Launch the Group Policy Management Console and either create a new GPO or edit an existing one
  3. Expand USER CONFIGURATION > ADMINISTRATIVE TEMPLATES > MICROSOFT OUTLOOK 2016 > MISCELLANEOUS
  4. Double click on PREVENT USERS FROM ADDING NEW CONTENT TO EXISTING PST FILES
  5. Select ENABLED
  6. Double click on PREVENT USERS FROM ADDING PSTs TO OUTLOOK PROFILES
  7. Select ENABLED
  8. Make sure you apply that GPO to the group you want to restrict Outlook PST importation and exportation to

If you want more details on this process click HERE for a Microsoft article on how to control PSTs.
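To confirm that both GPOs above actually landed on a workstation, you can read back the per-user policy values they write. The script below is an added example, not part of the original article or Microsoft's templates; the registry locations (Office version key 16.0, the value names DisablePST and PSTDisableGrow, and the TCID entries) are assumptions based on the standard Outlook policy layout and are not given on this page.

```powershell
# Added example: audit the Outlook policy values the two GPOs above are expected to set.
# Assumption: Outlook 2016 or later, so policies live under the Office 16.0 key in HKCU.
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing (policy not applied to this user).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Import/Export button: each disabled command ID is stored as TCID1, TCID2, ...
$cmdKey = Join-Path $base 'DisabledCmdBarItemsList'
$disabledIds = @()
if (Test-Path $cmdKey) {
    $disabledIds = @((Get-ItemProperty -Path $cmdKey).PSObject.Properties |
        Where-Object { $_.Name -like 'TCID*' } |
        ForEach-Object { [string]$_.Value })
}

# Assumed meaning: 1 = no PSTs can be added to the profile.
$disablePst = Get-PolicyValue -Path $base -Name 'DisablePST'
# Assumed meaning: 1 = no new content can be added to existing PSTs.
$disableGrow = Get-PolicyValue -Path (Join-Path $base 'PST') -Name 'PSTDisableGrow'

$results = @(
    [pscustomobject]@{
        Setting   = 'Import/Export button disabled (ID 2577)'
        Found     = ($disabledIds -join ',')
        Compliant = ($disabledIds -contains '2577')
    }
    [pscustomobject]@{
        Setting   = 'Prevent users from adding PSTs to Outlook profiles'
        Found     = $disablePst
        Compliant = ($disablePst -eq 1)
    }
    [pscustomobject]@{
        Setting   = 'Prevent users from adding new content to existing PST files'
        Found     = $disableGrow
        Compliant = ($disableGrow -eq 1)
    }
)

$results | Format-Table -AutoSize

# A non-zero exit code lets a management or monitoring tool flag the machine.
if (@($results | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 }
```

Run it in the restricted user's own session, since these are user-configuration policies; `gpresult /r` in the same session shows whether the GPO itself was applied.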

How To Circumvent Export To PST Restrictions

Both of the export-to-PST restrictions described above act on Outlook, so the assumption is that you control the user's Outlook. You could easily get around these restrictions by simply installing Outlook on a computer that is not managed by the company, and then you would have free rein to export to PST.

We also have not tested exporting to PST from the command line, but we suspect you could connect to your Exchange mailbox using PowerShell and then run a simple export command.


Published by
Ian Matthews
