Recently, an Exchange administrator I know asked how to partially disable the Recover Deleted Items functionality in Outlook. He wanted the "dumpster" to operate as usual, retaining deleted items for a specified number of days for each mailbox store, but he wanted to grant only administrators the ability to recover deleted items. His company needed to be able to recover deleted items for litigation purposes but didn't want the rank and file to be able to intentionally or accidentally destroy evidence.

I suggested that he use Group Policy to disable the Recover Deleted Items command on the Tools menu for everyone but administrators. In fact, you can use Group Policy to disable any toolbar or menu command, but the catch is that you must obtain unique IDs for each command you want to disable. Let's walk through the process.

The first step is to obtain the policy template files from the Microsoft Office resource kit. You can use the version of the resource kit from the Office XP or Outlook 2002 enterprise CD-ROM, or you can download orktools.exe from http://www.microsoft.com/office/ork/xp/appndx/appa18.htm and run the file to install the tools. The policy templates are .adm files that are installed automatically in your winnt\inf or windows\inf folder. If you install the resource kit tools on a user workstation, you can copy the office10.adm (for general Office XP settings) and outlk10.adm (for Outlook 2002) files to the same winnt\inf (or windows\inf) folder on your domain controller (DC).

Next, you create the Group Policy. Windows applies Group Policies at the domain or organizational unit (OU) level in Active Directory (AD). You can apply more than one policy for each domain or OU, setting an order of precedence. I recommend creating a separate policy that applies to Outlook settings instead of appending the Outlook settings to an existing policy. If you create a separate policy for Outlook settings, you can delegate management of that policy to an administrator who is familiar with Outlook.

To create a new policy, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the OU to which you want to apply the policy, then choose Properties. In the Properties dialog box, click the Group Policy tab, which Figure 1 shows, then click New. Next, change the name from New Group Policy Object, the default, to something more descriptive.

After you create the new Group Policy, you can return to the Group Policy tab and click Edit to edit the policy. The policy contains two hierarchies: Computer Configuration and User Configuration. Because you'll typically apply Outlook settings on a per-user basis, you'll work with User Configuration settings most often.

To add the Outlook 2002 policy template from the Outlook resource kit, expand the User Configuration hierarchy, right-click Administrative Templates, then choose Add/Remove Templates. In the Add/Remove Templates dialog box, click Add, then select and open the outlk10.adm template that you copied to the winnt\inf folder. Do the same for the office10.adm template. Then, close the Add/Remove Templates dialog box.

The policy templates represent virtually all the Outlook and general Office options that appear in the UI, plus a few extras. For example, if you want to prevent users from using Visual Basic for Applications (VBA) to customize their Office applications, look under Microsoft Office XP, Security Settings to find a policy that lets you Disable VBA for Office applications. Many of these options are also available in the Custom Installation Wizard. The advantage of using a policy is that you control the setting centrally, enforcing it whenever users that the policy applies to start Outlook.

Because you want to disable a toolbar command, you would typically look in the Microsoft Outlook 2002 policy list under Disable items in the user interface. Unfortunately, the Recover Deleted Items command doesn't appear on the list of predefined commands that the policy template supports. However, under Custom is a Disable command bar buttons and menu items policy, which is exactly what you need.

The next step is to locate the ID for the Recover Deleted Items command. The Microsoft article "OL97: How to Use Command Bars in Outlook Solutions" (http://support.microsoft.com/?kbid=173604) explains how to use VBA code to generate a list of toolbar and menu command IDs. However, I find it easier to use Dmitry Streblechenko's OutlookSpy developer tool (http://www.dimastr.com) to look up the ID. The ID for the Recover Deleted Items command is 5654.
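The VBA approach mentioned above, as an added example (not code from the Microsoft article or from the author): it walks Outlook's main menu, prints each command's ID, and looks up ID 5654 by number. It assumes an open Outlook window showing an Exchange mailbox folder; the procedure names are hypothetical, and reading a policy-disabled command as Enabled = False is an assumption.

```vba
' Added example. Paste into a module in Outlook's VBA editor (Alt+F11).
' Output goes to the Immediate window (Ctrl+G).
Option Explicit

' ID given in the article for Tools > Recover Deleted Items.
Private Const RECOVER_DELETED_ITEMS_ID As Long = 5654

' Print ID, enabled state and menu path for every command on the main menu.
Public Sub ListMenuCommandIDs()
    If Application.ActiveExplorer Is Nothing Then
        Debug.Print "No Outlook window is open."
        Exit Sub
    End If
    ' "Menu Bar" is the built-in name of the main menu command bar.
    WalkControls Application.ActiveExplorer.CommandBars("Menu Bar").Controls, "Menu Bar"
End Sub

' Recurse into submenus (popup controls) so nested commands are listed too.
Private Sub WalkControls(ByVal ctls As Office.CommandBarControls, ByVal path As String)
    Dim ctl As Office.CommandBarControl
    Dim popup As Office.CommandBarPopup
    Dim label As String
    For Each ctl In ctls
        label = path & " > " & Replace(ctl.Caption, "&", "")
        Debug.Print ctl.ID, IIf(ctl.Enabled, "enabled", "disabled"), label
        If ctl.Type = msoControlPopup Then
            Set popup = ctl
            WalkControls popup.Controls, label
        End If
    Next ctl
End Sub

' Look the command up by ID and report its state, e.g. after the policy applies.
Public Sub CheckRecoverDeletedItems()
    Dim ctl As Office.CommandBarControl
    If Application.ActiveExplorer Is Nothing Then Exit Sub
    Set ctl = Application.ActiveExplorer.CommandBars("Menu Bar") _
        .FindControl(ID:=RECOVER_DELETED_ITEMS_ID, Recursive:=True)
    If ctl Is Nothing Then
        ' The command is only present for some folder types.
        Debug.Print "ID " & RECOVER_DELETED_ITEMS_ID & " not found in this view."
    Else
        ' Assumption: a command disabled by policy reports Enabled = False.
        Debug.Print ctl.Caption & " (ID " & ctl.ID & ") enabled: " & ctl.Enabled
    End If
End Sub
```

Run CheckRecoverDeletedItems under an administrator account and under an account the policy targets to compare the reported state.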

To use Group Policy to disable one or more commands, open the Disable command bar buttons and menu items policy, as Figure 2 shows, select Enabled to make that policy active, then click Show. Click Add, then enter the IDs for the commands you want to disable. When you finish adding IDs, click OK, then click OK again to save the changes to the policy.

Next, you can use one of the Office policies to add an explanation in the form of a tooltip to your disabled toolbar and menu commands. From the Microsoft Office XP policies, under Disable items in user interface, open the Tooltip for disabled toolbar buttons and menu items policy. Select Enabled to turn on the policy, then type your tooltip text into the box provided. Click OK to save the policy change.

The finishing touch is to set the permissions for the Group Policy. Right-click the Group Policy, choose Properties, then select the Security tab, which Figure 3 shows. By default, any new Group Policy applies to all authenticated users. You can choose to remove the Authenticated Users group and add another security group that includes the users you want the policy to apply to, and you can add an administrator or security group of administrators that you want to administer the policy.

After you configure this Group Policy, the Recover Deleted Items command will be disabled for users to whom the policy applies the next time they log on to Windows and start Outlook. If these users hold the mouse pointer over the Recover Deleted Items command, they'll see the tooltip you added. You can use this technique to disable any toolbar or menu command in Outlook or in other Office programs if you add the appropriate .adm file to the Group Policy.