How can I prevent users from using Microsoft Office Outlook’s delegation feature?

Executive Summary:

Q: How can I prevent users from using Microsoft Office Outlook’s delegation feature?

A: In a standard Exchange Server organization, users can grant other employees delegate access to their mailbox or folders. This practice typically occurs when a manager grants access to an assistant, or when an employee goes on vacation and delegates mailbox access to a co-worker. However, delegation is often performed incorrectly—and sometimes even inadvertently—which can unintentionally expose information to the wrong personnel. Although I don’t know of a method for completely preventing Outlook delegation in an Exchange environment, you can prevent users from using delegation by removing access to this feature in the UI.

After an Exchange account is configured, you can add delegation functionality in Outlook as an Exchange Client Extension. To access the delegation feature, select Options from the Tools menu. Select the Delegates tab, as Figure 1 shows. The Exchange extension for this tab is called dlgsetp.dll. The file dlgsetp.ecf, which describes dlgsetp.dll, tells Outlook how to load the .dll file for Exchange Client Extensions. You can configure the UI to tell Outlook not to load this add-in. In Microsoft Office Outlook 2007, select Trust Center from the Tools menu, and click Add-ins on the left-hand menu. At the bottom of the window, select the add-ins you want to manage (i.e., Exchange Client Extensions), as Figure 2 shows, and click Go. In the Add-In Manager window that opens, which Figure 3 shows, you can clear the Delegate Access check box to remove the Delegates tab from Outlook’s UI. However, users can simply navigate back to this option and reenable it.

A solution is to delete or rename the file dlgsetp.ecf to prevent the extension from loading into Outlook. I typically rename the file from dlgsetp.ecf to dlgsetp.ecf.bak. In Outlook 2007, this file is located in \Program Files\Microsoft Office\Office12\ADDINS. The location is similar in previous versions of Outlook; for example, in Microsoft Office Outlook 2003, the path is \Program Files\Microsoft Office\Office11\ADDINS. Renaming this file doesn’t cause Outlook to fail and doesn’t even generate an error message; the action simply prevents the Delegates tab from loading. The Delegates tab isn’t visible because the Exchange Client Extension isn’t able to load into Outlook. You might need to restart Outlook for the change to take effect.

From an enterprise perspective, you might want to use a logon script or another centrally managed solution with access to the file system to rename the file dlgsetp.ecf. Keep in mind that installing patches or service packs might apply a new dlgsetp.ecf file, thereby restoring the Delegates tab. You’d then need to rename the file again.

Although this solution is a bit of a hack, it might be worthwhile in your organization. Preventing users from using Outlook’s delegation feature is often easier than dealing with the ramifications of incorrect or inappropriate delegation.