Disable Outlook Programmatic Access Via Group Policy
This procedure can be used to remove the prompts that appear when trying to send an email from a program other than Outlook (through Outlook). The key scenario for this is when emailing invoices through MYOB. At this stage this procedure only applies to, and had been tested on, Office 2010 (Office 14).
NOTE: this explicitly disables a security feature designed to prevent the spread and effectiveness of certain types of malicious software and as such the application of this work-around should be limited to as few users as possible.
To disable Programmatic Access in Outlook follow these steps;
Preparation:
1. Download the appropriate Office 2010 Administrative Template Files for the version of Office you have installed (32 or 64 bit) from here; http://www.microsoft.com/en-us/download/details.aspx?id=18968
a. Install this on the server running Active Directory – Follow the onscreen prompts to complete this. Make sure you extract to a location you can remember.
2. Download the following ADM package; http://download.microsoft.com/download/6/D/1/6D113C3D-4651-4DE3-A501-7B602B0E0DEC/Outlk14-simplemapi.adm
a. Save this file in a memorable location on the Active Directory Server.
Setup:
1. Open Group Policy Management on the Active Directory Server.
2. Right Click Group Policy Objects and select New. Give the Policy a descriptive name and click OK.(leave Source Starter Policy set to (none))
3. Right Click your newly created GPO and click Edit. A new window will appear
4. Expand Policies and right click Adminstrative Templates and select Add/Remove Templates…
5. Click Add and browse to the location of the folder you extracted/downloaded the files to during the Preparation steps and add them. You will need the Outlk14.adm file from the location you downloaded the Office 2010 Administrative Template files to. You will then need the Outlk14-simplemapi.adm file you downloaded in Preparation step 2.
6. Once this has been done your Add/Remove Templates window should look like below;
7. Click Close and you should now have Classic Administrative Templates (ADM) under Adminstrative Templates. Expand this and go to Microsoft Outlook 2010\Security\Security Form Settings
8. Double click Outlook Security Mode to edit this policy. Set to Enabled and then set the Outlook Security Policy to Use Outlook Security Group Policy then click OK.
9. Go to Programmatic Security and you should see the following list settings;
10. Edit Configure Simple MAPI sending prompt and set it to Enabled and the Guard Behavior to Automatically Approve then click OK.
11. Repeat this for Configure Simple MAPI name resolution prompt, Configure Simple MAPI message opening prompt and Configure Outlook object model prompt when sending mail.
12. You should now have 4 policies enabled. Close the Group Policy Management Editor window.
13. Go back to the Group Policy Management window and select your new Policy.
14. Make sure the Scope tab is selected and then click Add… under Security Filtering.
15. Add the security group/users you which to apply this policy to. Remember to confine this policy only to the users that absolutely need it due the security issue this policy poses.
Once these steps have been done you can close all open Group Policy windows and log off the server. To test log in as a User with membership to the group you applied the GPO to and try to send an invoice as an email from MYOB. If all is done correctly the email will send immediately with no further prompting required from the user.
*UPDATE* Please be aware that if the test user was already logged in at the time the GPO was applied, you will need to log out and back in for the settings to take affect. Gpupdate /force can be run from the cmd prompt before logging out in order to speed up the process.
Awesome, thanks very much for that!
I also found that users had to reboot for the new setting to be properly applied – a gpupdate /force alone didn’t help.
I have made an update to make it a bit clearer that the user must be logged out and back in for the GPO can take affect.
A full restart should not be required as the GPO only makes changes to the current user and not the local machine.
Thanks for your feedback.
Yeah, I thought that logging off and on would be sufficient, but it doesn’t take a whole lot more time to just reboot these days.
This seems to be a big, annoying GPO trap – even though you’d think a gpupdate would make these sorts of application-level settings take effect straight away, sometimes you really do need to log off or reboot!
Anyway, thanks again – you’ve made an office full of MYOB users very happy 🙂
If the problem persists, despite having tried the solution given, then try my solution:
You will need to add 3 new reg in the following REGEDIT path:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\(Your outlook version)\Outlook\Security
Inside Security folder you must add or modify :
o PromptSimpleMAPISend
o PromptSimpleMAPINameResolve
o PromptSimpleMAPIOpenMessage
All of them must be DWORD and have value 2 hex.
After this you must check the following path :
HKEY_LOCAL_MACHINE/SOFTWARE /Microsoft/Office/(here you choose your outlook version)/Outlook/Security
If the path doesn’t exist, then create it.
Inside security folder must be a DWORD named “ObjectModelGuard” with value 2 hex.
Then restart and try again.
I have tried this on W.XP & W7.
Best Regards,
Eduardo Fernández
Thanks Eduardo, This is basically the manual work through of what the group policy does for you. Anyone having issues getting the group policy to work (or those not in a domain) can apply the above to disable this.
Its amazing that after all this time and so many people struggling with this that MYOB still refuse to play ball with Microsoft in getting certified.