How to prevent users from delegating their own mailboxes

Delegation is a useful Outlook feature that lets users share their mailbox contents with colleagues on their team. It also spares Exchange administrators and the helpdesk from granting full mailbox permissions at the server level.

Helpful as this feature is in many scenarios, it becomes a concern when users share mailbox folders, calendars or contacts that hold confidential information with people who are not supposed to see it. For other reasons too, such as server performance, the IT department may not want users to be able to share mailbox contents with others (though delegation may not cause a heavy performance impact on servers compared to other things).

Now the question is how to disable this for users in bulk. Delegation is an Outlook feature, and Exchange supports it with a few attributes on the AD user accounts of both the delegating user and the delegate, plus rules in both mailboxes. The Outlook deployment within your network is the only place where you can control this. The trouble is that the Group Policy administrative templates for Outlook and other Office products have no provision for it. Here are a few steps to make it possible:

1. According to KB 948894, for a single user you can edit a few registry keys to make it happen:

Before proceeding, note that if you have Outlook 2003 you must have hotfix package 948893 installed. This hotfix provides new policies in the form of new registry settings, which you will then need to create and modify.

Once the hotfix is installed on an Outlook 2003 client, you can create and enable the registry settings it introduces. The settings that need to be modified are below:

Locate and then click the following registry subkey:

  • HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Folders
  • On the Edit menu, point to New, and then click DWORD Value.
  • Type DisableEditPermissions, and then press ENTER.
  • Right-click DisableEditPermissions, and then click Modify.
  • In the Value data box, type 1, and then click OK.

The same method applies to Outlook 2007 as well. The only change in the procedure is that you create the Folders key under the path HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Options.

Restart Outlook and you are good to go.

2. For multiple users:

The above configuration is feasible for a single user or up to 10 users, but it becomes a pain if it has to be done organization-wide, and keeping track of users is not easy. So what you can do is deploy these registry settings through a GPO.

To avoid duplicating information, I will not run through the whole process here, since it is already available on the Microsoft DS team’s blog. Please refer to the article below to deploy the registry changes.

Deploying Custom Registry Changes through Group Policy

Before you deploy this setting using a GPO, you need to understand that users whose Outlook is not configured on a domain-joined machine and who use RPC/HTTP(S) to access their mailboxes will not be affected by this GPO.

Finally, I would like to highlight that when you open the registry editor you may not find the Folders key already present; in that case you will have to create it manually.
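The manual registry steps above, scripted in PowerShell as an added example (not code from the original post or from KB 948894). It assumes the script runs in the affected user's own session, for instance as a logon script; the function name Set-DisableEditPermissions and the status strings are illustrative.

```powershell
# Added example: apply DisableEditPermissions = 1 for the current user (HKCU)
# for Outlook 2003 (11.0) and Outlook 2007 (12.0), then read the value back.
# Per the article, Outlook 2003 honours the value only with hotfix 948893 installed.

$ValueName = 'DisableEditPermissions'
$Versions  = [ordered]@{ '11.0' = 'Outlook 2003'; '12.0' = 'Outlook 2007' }

function Set-DisableEditPermissions {
    param([Parameter(Mandatory)][string]$OfficeVersion)

    $outlookKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook"
    $foldersKey = Join-Path $outlookKey 'Options\Folders'

    # No Outlook key for this version means there is no profile to configure.
    if (-not (Test-Path $outlookKey)) { return 'NoOutlookKey' }

    # The Folders key is not created automatically, so create it when missing.
    # Guarded by Test-Path so an existing key and its values are left untouched.
    if (-not (Test-Path $foldersKey)) {
        New-Item -Path $foldersKey -Force | Out-Null
    }

    # Create the DWORD, or overwrite it if it already exists with another value.
    New-ItemProperty -Path $foldersKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so the report reflects what is actually in the registry.
    $current = (Get-ItemProperty -Path $foldersKey -Name $ValueName `
        -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq 1) { 'Set' } else { 'Failed' }
}

# One result row per Outlook version, suitable for logging or export.
foreach ($version in $Versions.Keys) {
    [pscustomobject]@{
        Outlook = $Versions[$version]
        Version = $version
        Status  = Set-DisableEditPermissions -OfficeVersion $version
    }
}
```

As with the manual procedure, Outlook has to be restarted before the setting takes effect.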

  • 2 thoughts on “How to prevent users from delegating their own mailboxes”

    1. Kelly,
      Thanks for your feedback. I was not aware this is available on the internet in some other form. My content comes from a discussion in a public group. I will make sure to have uniqueness among all future posts.