Customizing Security Settings by Using the Outlook Security Template

You can modify default security settings for the Microsoft® Office Outlook® 2003 client by using the Outlook Security template, which you install as a form in Outlook. The template contains three tabs:

  • Outlook Security Settings
  • Programmatic Settings
  • Trusted Code

The settings on each of these tabs are described in Outlook Security Template Settings.

 Note   If you are a user who wants to learn more about why some Outlook attachments are blocked, see Blocked attachments: The Outlook feature you love to hate. In addition, you can find methods for sharing files that are blocked by Outlook by reading About unblocking attachments.

When you first load the template, the settings are configured to enforce default security settings on the client.

Outlook Security Settings tab in the Default Security Settings dialog box

Creating a public folder for the security settings

Before modifying the security settings, you must create a public folder named Outlook Security Settings or Outlook 10 Security Settings on the Microsoft Exchange server on which you keep public folders. You create this folder by using one of those names exactly, in the root folder of the Public Folder tree. You must set the folder access control lists (ACLs) so that all users can read all items in the folder. However, only those users for whom you want to create or change security settings should have permission to create, edit, or delete items in the folder.

If you want multiple users to be able to edit or create items, and if the list of users can change at any time, you must create a security group that includes all users for whom you want to give permission to create or change security settings. This security group should have Owner permissions on the security folder.

After you create the folder, you can install the Outlook Security template and then make the changes you need.

Installing the Outlook Security template

Before you can modify security settings by using the Outlook Security template, you must publish the template as a form in the special public folder you created.

To install the Outlook Security template

  1. On a computer running Outlook, open OutlookSecurity.oft from the working directory where you installed the Outlook security tools.
  2. When prompted to select a folder, select the Outlook Security Settings or Outlook 10 Security Settings public folder that you created on the Exchange server, and then click the Open button.

The template opens in Compose mode.

  1. On the Tools menu of the template, point to Forms, and then click Publish Form.

The folder selected should be your current folder: Outlook Security Settings or Outlook 10 Security Settings.

  1. In the Form Name box, type Outlook Security Form.

If you are using the security form from Outlook 2000, and if you are updating the form by publishing the newer form to the Outlook Security Settings folder, then in the Form Name box, type the same name as the previous security form (that is, you overwrite the previous security form). For more information about publishing a new security form over a previous one, see the next section.

  1. Click the Publish button to publish the security template in the Security Settings folder.

You can now close the Outlook Security template. Do not save when prompted to save while closing the template.

Publishing a new security form over a previous version

There are two versions of the Outlook security form. The first version was released with the Outlook 2000 SR-1 security patch. The second version was released with later versions of Outlook, starting with Outlook 2002.

If you installed the security update for Outlook 2000, you may have an earlier version of the security form already published to the security folder. In this scenario, you should overwrite the previous form with the new copy, using the same name and message class. This installs the new form in place of the old one in the security folder.

If there are other forms in the security folder, you must open these forms and close them by using the Close button to correctly register any changes.

Modifying the default security settings

Use one of the following procedures to modify the default security settings in Outlook and store the new settings configuration in the special public folder you created for saving the settings. You can create a configuration for all Outlook users, or you can set up a configuration for a specific set of users.

To specify a default Outlook security setting for all users by using the Outlook Security template

  1. In Outlook, click the drop-down arrow next to New on the toolbar, and select Choose Form.
  2. Navigate to the template you created earlier (in the "Installing the Outlook Security Form" section), select the template by name, and then click Open.
  3. Click Default Security Settings for All Users, and specify the security settings you want.
  4. Scroll to the bottom of the template, and then click Close.

Alternatively, you may choose to create a group of customized security settings for a specific set of Outlook users.

To specify a group of custom security settings for a set of Outlook users by using the Outlook Security template

  1. In Microsoft Outlook, click the drop-down arrow next to New on the toolbar, and select Choose Form from the list.
  2. Navigate to the template you created earlier (in the "Installing the Outlook Security Template" section), select the template by name, and then click Open.
  3. Click Security Settings for Exception Group, and then type a name in the Security Group Name box that describes the group.
  4. In the Members box , type the name of each user who must have custom security settings.

If the Exchange server you are running is an Exchange 2000 or later server, you can use distribution lists (only server-created security groups, not Outlook Contacts distribution lists) in the Members box. Otherwise, you cannot use distribution lists, and adding users from the Contacts Address Book is not supported.

  1. Specify the settings you need, and then click Close.

 Note    For a security setting to apply to a user who is an administrator of the security settings public folder, the user (administrator) must be added to the member list of the security setting. It is not sufficient to have the administrator be a member of a distribution list that is listed in the member's box of the setting. You must add each administrator's name to the security setting. If you are using only a single default security group, you do not need to add the administrators' names.


The method that Outlook uses to determine which security settings to apply depends on the version of the Exchange server. Note that in all versions, however, Outlook finds custom security settings items based on the time the item was created, not the time it was last modified. If a user's name is entered as a member of more than one security group, the settings of the most recently created group apply.

If you are using Microsoft Exchange 5.5, item-level permissions are not applied to the custom security settings, so every user sees all of the custom security settings in the folder. When Outlook determines which item to use, it selects the most recently created item that applies for that user. Note that if the Default Security Settings item is the last item created, it is applied to the user even if the user is a member of an exception item. So that this problem does not occur, make sure that the Default Security Settings item is always the first item created in the folder. Any exception items—created later— take precedence over the Default Security Settings item.

If you are using Microsoft Exchange 2000 or later, item-level permissions are applied to the custom security settings, so users only see those items that apply to them. Unlike with Exchange 5.5, Outlook used with Exchange 2000 and later finds the correct custom security settings item, regardless of when the Default Security Settings item was created.

Details on all fields, values, and settings for the template can be found in the topic Outlook Security Template Settings.

Ensuring that security settings are properly created

In previous versions of Outlook, every time a setting was created you were prompted twice for credentials. This is no longer the case. In Outlook 2003, you are prompted for credentials only the first time you save a setting. You are not prompted for credentials on subsequent saves until you shut down and restart Outlook. Also, Outlook must be running in classic online mode, not cached mode or offline mode, in order to save security settings.

If no credentials are entered or if the wrong credentials are entered, an Operation Failed error message appears. At this point, the security setting has been created but does not work correctly because item-level permissions have not been applied. You must delete the security item and re-create it. If the item created is not deleted, the item is applied to everybody, including users to whom you did not intend to apply the item.

Editing security settings

If you add a user to the Members field of an existing security form, make sure that all aliases already present in the form are current and active.


 Note    If you add the alias of a new member to an existing security form, the change may not be correctly registered unless you make other changes to the form as well. For example, you might toggle another setting on and off, or otherwise activate the form through some interaction. After you have added the new alias and activated the form, you can select Save from the File menu of the form to save your changes.