Removing "Reply All" Functionality for Outlook Users Who Participate in Reply-All Storms, via Group Policy: what to do


Just recently I was speaking to a Microsoft Premier Field Engineer (PFE) who had just returned home from a rather arduous onsite dispatch. While onsite he was tasked with unwinding a phenomenon commonly referred to as a “Reply-All” storm (defined below). This task had been so tedious that he half-jokingly mentioned that he was thinking about submitting a formal Design Change Request to the Exchange/Outlook Product Groups with a proposal to remove Reply-All functionality from within Outlook. Well this got me thinking… “could the removal of Reply-All functionality actually be done with the tools at an Administrator’s immediate disposal today”? Eventually curiosity got the best of me and I started performing some basic research on the issue. Throughout the course of this research I found a jumbled set of different articles and blog posts that appeared rather half baked in scope to me. That being said, what did become abundantly clear was that there were a significant number of administrators (as well as standard users) who have expressed interest in this functionality and have actually been looking for it for some time.

Presto: Blog idea.

To be clear there are a number of different approaches for achieving the goal of disabling Reply-All in Outlook. The most common technique would appear to be the creation and deployment of custom Outlook toolbars. Far more infrequent are macros in Outlook as well as custom Group Policy Objects (the primary topic of this post). Additionally, while future versions of Exchange will include features to deal with this problem much better (read about Exchange 2010 Conversation View here) – I wanted something that people can use now, with versions of software they currently have.

As previously noted, this post is going to focus on the use and deployment of a custom Group Policy to disable the Reply-All functionality in Outlook. This post will not focus on disabling Reply-All in OWA (which would require modifications to the ASP Pages) and will also not cover disabling this functionality in Windows/Outlook Mobile.

My hope is that you will find this post interesting; that it helps clear up some of the confusion on the subject; and that you learn some new skills along the way. Should and when you choose to deploy a scenario like this, I hope this document serves to aid you in increasing the stability of your messaging environments and networks as a whole.

As you will soon see, this post has a little bit of everything, Exchange, Active Directory, Group Policies, Outlook and even some “old/new school” VBA.

I hope you enjoy it and learn something new in the process!

Back Story:

Nearly every user within a corporate messaging environment has at one time or another been the unfortunate chance victim of a “Reply-All Storm”.

It starts out innocently enough:

  • Typically a formal communication it sent out to a large internal distribution list.
  • A member of the distribution list strays off course or asks to be “taken off the distribution list”.
  • A series of people start replying “ME TOO” via a Reply-All.
  • Another member of the list, “Replies All” to the request, and asks everyone to “PLEASE DO NOT REPLY ALL !!!!@!!@!!!”.
  • Cycle perpetuates itself over and over.
  • Users come into the office and notice literally hundreds of emails all with the same subject sitting in their inbox.
  • They read the most recent thread, whisper to themselves (geez…not this again), then proceed to delete the entire thread and possibly miss the actual intention of why the original mail was sent out in the first place.

Not only is this extremely annoying, but obviously has larger corporate and financial implications as well:

  • Loss of productivity for client base.
  • Potential service interruptions for a variety of different reasons.
  • Storage implications on the Exchange Back-End.
  • Puts unnecessary strain on Exchange, Active Directory and network links.
  • A host of Administrative implications ranging from increased backup times, etc.
  • Loss of credibility (if say an external contact was a member of the list or even your immediate manager or “higher ups”, etc.)

Upon first read this may seem funny but it is actually a very serious problem. For a blow by blow of the infamous “BEDLAM DL3” issue that occurred internally here at Microsoft several years ago I suggest a review of the following post: http://msexchangeteam.com/archive/2004/04/08/109626.aspx. The issue is definitely real and varying degrees of the problem are most likely occurring somewhere in the world at this very second.

Before Getting Started:

I want to stress that the steps outlined below are not going to resolve an immediate Reply-All storm. However, it is very possible that they may help reduce or mitigate a future problem from occurring once your user base learns (either by word of mouth or “the hard way”) that there are potential consequences for perpetuating one. Again, I’m talking about helping to bring about positive educational change in your user base over time.

The steps outlined below will effectively remove a user’s ability to use the Reply-All functionality in Outlook via creation and deployment of a custom Group Policy Object (GPO). The examples presented below will target a dedicated Active Directory Organizational Unit. This OU will ultimately become the target for the deployment of the GPO as well as the container where user objects that have Reply-All removed will be homed in the Active Directory. That being said, the techniques presented here could be adapted to a broader environmental context based upon the discretion/desire of the administrator.

Thus to perform the steps here you will need at your immediate disposal:

  • Access to the Active Directory.
  • The ability to create a dedicated Organizational Unit.
  • The rights to move members of your user base to said Organizational Unit.
  • The ability to modify and/or create a new custom GPO.
  • The ability to link/deploy said GPO.

Hypothetical Scenario and Steps:

You come into the office and your immediate manager mentions that the messaging group has been tasked with removing Reply-All ability for all users who participated in a recent Reply-All storm that impacted a large internal distribution list. Upper management has made a decision to not implement bulk message restrictions to the Distribution List itself (e.g. limiting who can send or reply to messages on the DL), but to simply remove Reply-All ability for all users who played a part in perpetuating the storm. The removal of this functionality will be accomplished via deployment of a GPO as opposed to leveraging other potential options.

Step-1:

Obtain and review the most recent thread in the Reply-All storm and build a list of all individual user accounts that either caused or played a part in perpetuating the storm. Build a master list of these users and denote the current location of their user objects within the Active Directory. Once done, receive “buy-off” from management that these users can and will eventually be moved into a dedicated Organizational Unit that will have a GPO applied that prevents the Reply-All button from being active within Outlook.

Step-2:

Once you have obtained buy-off, build a new Organizational Unit with an obvious clear name. To do so, go into Active Directory Users and Computers, right-click a user container, then select New, Organizational Unit, then provide it with a clear name.

In the examples to follow my OU will be titled: “Users who have Reply All Removed”

Step-3:

Move the users into the new” Users who have Reply All Removed” organizational unit via Active Directory Users and Computers (or your favorite LDAP tool) created in Step-2.

Step-4:

If not already available proceed to download the appropriate Office Administrative Template files. In my scenario all my users can be assumed to be using Outlook 2007 Service Pack 2. The template files can be downloaded here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=73d955c0-da87-4bc2-bbf6-260e700519a8&displaylang=en

Legacy Office Administrative Template Files can be downloaded from Office Online. So if your client base is running Outlook 2003, go here: http://www.microsoft.com/office/orkarchive/2003ddl.htm

Step-5:

Extract the Administrative Template files by running AdminTemplates.exe. Once extracted you should have 3 folders created (ADM, ADMIN, and ADMX):

Step-6:

Build a new Group Policy that links users of the “Users who have Reply All Removed” organizational unit. To do so:

  • In Active Directory Users and Computers get Properties of the “Users who have Reply All Removed” organizational unit.
  • Select the Group Policy Tab.
  • On the Group Policy Tab, select New and give the policy a clear and applicable name such as “Remove Reply-All Ability”
  • Once named, select Edit.
  • The Group Policy Editor (GPE) opens.

Step-7:

Add the Office/Outlook Administrative Templates

In Group Policy Editor:

  • Navigate to User Configuration\Administrative Templates.
  • Right-Click Administrative Templates and select Add/Remove Templates.

  • On the Add/Remove Templates page select: Add
  • Browse to the Outlook Administrative Template and Select Open (in my case I uncompressed the file to my desktop so the path was: c:\Documents and Settings\ericnor\Desktop\OLK2K7 Admin Templates\ADM\en-us\outlk12.adm):

If performed successfully you should now see that the Microsoft Office Outlook 2007 Administrative Template files have been added in Group Policy Editor:

Step-8:

Once you have successfully added the Outlook Administrative Template, you need to properly define and enable the necessary policies. To successfully block “Reply All” functionality we need to enable and define two specific policies in the Administrative Template:

  • A policy to disable the actual command button as well as the menu option.
  • A policy to disable the keyboard shortcut.

To accomplish:

  • In Group Policy Editor navigate to the following path: User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Disable Items in User Interface\Custom.
  • Once here you will notice 2 policies that will currently show as “Not Configured”:
    • Disable Command Bar Buttons and Menu Items.
    • Disable ShortCut Keys.
  • To disable the Command Bar Reply-All button we need to select the Disable Command Bar Buttons and Menu Items Policy.
    • Once the policy is open set the State of the policy to Enabled then select the “Show…” button.
    • Any and all Outlook Command Bar Buttons that are currently disabled will be present here in a numerical context (although presumably this would be the first time working with the template so you would not see any numerical values present). Click Add, and in the “Enter the Item to Be Added” field, type 355. Once done click OK. You will be returned to the Show Contents page which should now resemble the following. Click OK:

(It’s worth making a note here: All command buttons and menu options are referenced by their numerical Command IDs. I will show you how to determine these values in a follow-up post, so that you can apply what you have learned to other command buttons and short-cuts should you desire).

    • Back on the Disable Command Bar Buttons and Menu Items policy page, select Apply and OK.
    • The “state” of the policy should now show as Enabled.
  • Now we need to disable the keyboard shortcut for Reply All. To do so, we need to open the Disable Shortcut Keys policy, configure our settings and enable it. To do so:
    • Select and open the”Disable Shortcut Keys” policy.
    • Select Enable, and then click the “Show…” button.
    • This will bring up the Show Contents page.
    • Select Add.
    • In the Add Item Window type the following: 82,12
    • Click OK which will shift the focus back to the Show Contents pane. Your value should look like this:

(Short-cut keys are always distinguished via the decimal representation of their ASCII character value. In addition the keyboard modifier (e.g. the keyboard combination used to activate the short-cut) needs to be converted to decimal notation and referenced here. As previously noted, I will detail how these values are calculated and converted in a follow-up post).

    • Back on the Disable Shortcut Keys property pages, select Apply and OK.
    • Back in Group Policy Editor, both policies should now show as Enabled:

  • At this point both of your policies are enabled and configured.
  • Close Group Policy Editor.
  • You will be returned to the Group Policy tab for the “Users who have Reply All Removed” Organizational Unit. Click Apply then Close.

Step-9:

Provide “The List” to Help Desk.

You should inform the Help Desk that there is a very high probability that users on “the list” will be calling in to complain that their Reply-All functionality no longer works. Your Help-Desk personnel should know why.

Step-10:

Create a Distribution List then and add all members of “the List”. Send an informational to all users informing them that their “Reply-All” functionality has been removed due to misuse and for “x” amount of time. Once the GPO has been applied to the user workstation, these users will notice that the “Reply to All” button is disabled. If one of these users were to hover their mouse over the disabled button they will be presented with the following information:

They will also notice that the menu option for Reply-All is now disabled:

If the user attempts to issue the keyboard shortcut for Reply-All (CTRL + SHIFT + R), nothing will happen.

I will cover additional related “Techy stuff” on this process in a follow-up post!

Happy Trails!

Eric Norberg

Comments (13)
  1. Roady [MVP-Outlook] says:

    Sadly, this will disable also the use of Reply to All for proper purposes such as when working in a team and informing each other about the follow up is crucial. You have that indeed covered in your guide by only blocking people who has abused the Reply to All button.

    Note that they still can go nuts by using the "Resend this message" action in Outlook as it would leave the addressing fields intact.

    You could also put sending restrictions on the people who "advertize" the use of the Reply to All button. People who need to send out messages to large groups should train themselves to use the Bcc field instead. If it is absolutely needed to expose the other senders as well but it is not the intention that the receivers should reply to everyone, then the sender can copy and paste the Bcc field address into the message body as an FYI.

    This is what I train my users to do and it is quite effective and saves you from implementing a technical limiting environment.

  2. Johan J. says:

    I agree with Roady, and the disabling reply-to-all is a key im communicating in teams. If you want to restrict specific users, update the user settings, or go for acl’s on separate smtp-servers, seprating trusted users with high recipient count, and bad behaving users with low recipient count.

    You can change the individual usersettings on:

    ADUC -> recipient -> properties | Exchange General tab | Delivery Options | Recipient Limits.

  3. Eric Norberg says:

    Roady, thanks for taking the time to read the article and provide some feedback.

    I wanted to take some time to respond directly to some of the points you have raised here.

    First and foremost, I’m not specifically saying that this approach should be used carte blanche in each and every enviornment that is being tasked with such a problem. It is up to the discretion of the company, management, and administrators.  The point here is really to show one aspect or approach to potentially dealing with such a problem.  Chances are the approach will be multi-faceted (technical, user education, etc.).

    I fully agree that there is no decision tree (e.g. its enabled here, not enabled here) when removing “Reply All”.  It is all or nothing. Thus, I completely agree this could potentially limit a user’s ability to efficiently perform some aspects of their job responsibilities.  Again a decision to implement or not implement is best left up to the company/management chain.

    While I do agree that the user may still have the ability to “Resend the Message” to the complete contents of the DL or other large lists that may still reside within Sent Items, I think that each additional instance of the behavior would need to be looked at individually if it constitutes a problem.  If he/she was doing it in a malicious way (e.g. to cause more intentional mail flooding), I would probably disable his/her mailbox until that user situation could be dealt with appropriately.

    Lastly, as far as adding large DLs to the BCC line, I share the sentiment that it is a best practice.   However, that really boils down to user education.    The good users do it, “sometimes” the bad ones don’t.  A company, could for example, make that type of best practice training mandatory for having a user’s Reply All ability restored…or perhaps it would just be part of Company 101 training.  It really boils down to the policies in place at a company and each one is going to be a bit different.

    My 2 cents.

    E.

  4. Sham says:

    I tried to apply this policy for Windows Server 2008 and Clint Windows 7 with Outlook 2010, but it couldn’t work.

  5. Matt says:

    Would the use of message delivery restrictions on distro groups help the situation? – ie, only allow your execs to send email to the "all users" distro group.

  6. Eric Norberg says:

    Matt and Johan,

    I completely agree that user restrictions are an effective way to block a user’s ability to send to a DL.  That technique should also be used as a best practice to prevent accidental storms to large DLs, etc. That being said, the point of the post is more to show that there are some additional options available post-storm, that could assist with helping mitigate a future storm.  Moreover, once Part II is posted (presumably this week), you can take what has been layed out here and apply it to other menu options and short-cuts.  The second post will cover how the Command ID, and shortcut modifiers can be ascertained.  This is actually a more common request than you might  immediately imagine.  

    Again take from the excerpt above:

    "Upper management has made a decision to not implement bulk message restrictions to the Distribution List itself"

    E.

  7. Steve Smith says:

    Eric…this is really cool.  I had absolutely no idea that you could disable items in the Outlook UI like this.  Adding this to my favorities!!!!

  8. Joseph Durnal says:

    I’ve done this a few times, but not all of it.  I tend to lean toward if your employees are that insubordinate, you need some new employees, but hey, the customer is always right, and if they want me to remove reply to all, I’ll remove reply to all.  I have never removed the shortcut key though.  Generally the folks that would use the reply to all button inappropriately, aren’t going to use the shortcut keys anyway.

  9. You generally are keeping a loophole open with OWA doing this. Why not just adjust the transport settings to have a max number of recipients of 100 or 200 and lock down the big distribution groups? That works a lot better.

  10. Ilantz says:

    Well,

    Limiting the possible Recipients and controlling a better security on DL will accomplish the better in the long run no ?

  11. Chris Lehr says:

    Two comments/suggestions.

    1) Wouldnt a security filtered GPO make more sense genercially for AD planning (I presume the poster was trying to show the easiest way, but planning wise, it’s not very convenient.

    2)  This *seems* to only hide the shortcut.  Does it really eliminate reply all?  Can I still Ctrl-Shift-R to avoid this GPO?

    Chris

  12. Eric Raff says:

    In our org, we have halted these reply to all storms by simply setting up a Transport rule that looks for the specific subject of the email thread. We actually leave a transport rule ready to enable for this purpose, so to enact once a storm has started, just edit existing transport rule, modify the subject string, and then enable it. Let it run for a day or two, and then disable it again. If you are worried about blocking mail that you should not, just set the action to discard and BC a temp mailbox so you can review all the messages that you prevented from getting to the recipients. Also allows you a quick count of how many messages you stopped by dropping them all into a new mailbox.

    Only down side is you have to be in a storm and know about it to get it shut down with the rule.

    Thanks

    E.R.

  13. Mike Sperry says:

    Hi Eric,

     Great article!  

     It seems to me that over the years its becoming more clear that it is mostly a training/education issue.  That said, I agree with Roady and the others that a drastic action like shutting off the functionality altogether is a bit extreme because it is necessary to keep co-workers in the loop in the normal course of business.

     We find here at Sperry Software that a simple reminder to people – usually a prompt like "Are you SURE you want reply to everyone?" – is enough to make their training kick into gear and we created our Reply To All Monitor Outlook add-in based on this.  

     In my opinion, the Mailtips feature coming out in Outlook 2010 (whereby you get warnings about restricted recipients or a large number of recipients) will be enough to prevent many "BEDLAM DL3" events because it closely mirrors the concepts in our add-in…to just give the senders a chance to _think_ before they hit send.  In fact, the Mailtips feature might be enough to drop the concerns about taking the Reply To All functionality out of Outlook altogether!

     Mike Sperry

     President

     Sperry Software

Comments are closed.