Saving Opened attachments in a secure environment (no local drive access)

We are evaluating Windows 7 and Office 2010 in a secure environment and have a strange issue when saving opened Office attachments from Outlook 2010.

If an Office (Word, Excel or Powerpoint) file is opened from a received email within Outlook 2010 and a user then attempts to save, they are presented with a restriction error message as below:

This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

Upon clicking OK, they are then presented with a Save As dialogue box in the correct location (i.e. their redirected Home Drive location on a network share).

 

We block any access to the C:\ drive (or any local drives other than the optical drive) and the users have a roaming non-cached profile.

The OutlookSecureTempFolder value in the registry is C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RANDOMSTRING\

 

I tried altering this to a network location which I knew the user would have write access over, but Outlook just overwrote my custom value with a new one of its own.

I ran ProcMon and determined that the machine is getting ACCESS_DENIED when trying to create files in that location.

 

Any ideas?

November 30th, 2010 2:58pm

Hi Ed,

What was the location you changed the securetempfolder setting in the registry to? The reason I ask is sometimes when setting this item, if the path can't be found, it will default to the temporary internet files location. I have mine currently set to "U:\\" and this seems to work. The only real issue I have is that in the "U" drive, it still puts it into an OLKXXX folder, but at least I know where the attachments are and that the user will have access.

 

Hope that helps,

ivanmor

November 30th, 2010 4:49pm

Hi Ivanmor,

I altered it to a UNC path to my user's home drive (in my case \\Fileserver\HomeShare$\%username%\My Documents\OutlookTemp)

H:\\ would work (universal home drive letter for all staff) so I'll give that a go, cheers! :)

November 30th, 2010 5:17pm

Hi Ed,

Another option, one that I have yet to implement, but initial testing looks good.

RESOLUTION:

=============

1. Renamed the old reg key and recreated OutlookSecureTempFolder to be a **REG_EXPAND_SZ** value instead of just REG_SZ and gave it the value of “%userprofile%\my documents”

   a. No OLKxxxx folder created and when you click File >> Save As, Office 2003/2007 always opens in My Documents; the same behavior as in Office 2010

 

Cheers,

ivanmor

November 30th, 2010 5:25pm

The Reg_Expand_SZ doesn't seem to work for me. I've tried %userprofile%\My Documents along with %userprofile%\\My Documents and a few other variations, none had the desired effect.

What I've found is that pointing the path to H:\\ redirects successfully without the error message, but doesn't create an OLKxxxx folder. When saving a document, two versions of it appear as if they've already been saved in that location.

The concern is that this isn't so user-friendly, as they appear as DocumentName and DocumentName(2), which gives the illusion of having already saved the file to that location.

November 30th, 2010 7:21pm

An additional update; as well as having the two files already in the save location, trying to save with the provided filename (i.e. the files that are already there) gives an error about the file being read only.
December 1st, 2010 6:10pm

Hi Ed,

I am not seeing the issue you have, but I'm on a box where I am Local Admin and have full access.

From HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security; I modify the value for "OutlookSecureTempFolder" from the default <root drive>:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RANDOMSTRING\ to a shared folder on another machine. -- \\testServer\TempFolder

I then restarted Outlook 2010, selected a mail with an XLSX attachment and opened the file. The file was successfully added to the folder share and the XLSX file was displayed without error.

To back up a bit and speak about the OutlookSecureTempFolder's directory being recreated, when Outlook checks the value of OutlookSecureTempFolder the following occurs.

If the registry value does not exist, or if the value points to an invalid location, Outlook 2010, Outlook 2007, or Outlook 2003 creates a new subdirectory under the Temporary Internet Files directory and then puts the temporary file in the new subdirectory. The name of the new subdirectory is unknown and is randomly generated, depending on your version of Outlook.

Since you're logging ACCESS DENIED trying to write files to your alternate location, this would cause Outlook to overwrite the value you've set and populate it with <root drive>:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RANDOMSTRING\

One suggestion I would make is to browse out to that location from the user's machine and see if you can create a new text file in that directory. Are you able to do that? If you can do that, are you able to save another file with the same name into the folder to create New Text Document(2).txt? Are you able to open the txt and make a change and save it?

Hope that helps to get things started.

Jahawk MSFT

December 3rd, 2010 11:32pm
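
The checks described in the post above (is the value set, does it point to a reachable folder, can the user create and modify files there), as an added PowerShell sketch that is not part of the original thread. The registry key and value name are the ones quoted in the post; the test file names are constructed.

```powershell
# Added diagnostic sketch (not from the thread). Run as the affected user,
# because the value lives under HKEY_CURRENT_USER.
$keyPath   = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\Security'  # key quoted in the post
$valueName = 'OutlookSecureTempFolder'

$key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
if (-not $key -or $null -eq $key.GetValue($valueName)) {
    Write-Output "$valueName is not set"
    return
}

# Read the raw string and its type (String = REG_SZ, ExpandString = REG_EXPAND_SZ).
$raw  = $key.GetValue($valueName, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$kind = $key.GetValueKind($valueName)
$path = [Environment]::ExpandEnvironmentVariables($raw)
Write-Output "Type: $kind  Raw: $raw  Expanded: $path"

if (-not (Test-Path -LiteralPath $path -PathType Container)) {
    Write-Output "Folder does not exist or is not reachable for this user"
    return
}

# Repeat the manual checks: create a file, create a second one, modify the first.
$first  = Join-Path $path ("olk-test-{0}.txt" -f [guid]::NewGuid())  # constructed names
$second = Join-Path $path ("olk-test-{0}.txt" -f [guid]::NewGuid())
try {
    Set-Content -LiteralPath $first  -Value 'create' -ErrorAction Stop
    Set-Content -LiteralPath $second -Value 'create' -ErrorAction Stop
    Add-Content -LiteralPath $first  -Value 'modify' -ErrorAction Stop
    Write-Output "Create, second create and modify all succeeded"
}
catch [System.UnauthorizedAccessException] {
    Write-Output "ACCESS DENIED: $($_.Exception.Message)"
}
catch {
    Write-Output "Write test failed: $($_.Exception.Message)"
}
finally {
    # Clean up so no stray files are left in the user's folder.
    Remove-Item -LiteralPath $first, $second -ErrorAction SilentlyContinue
}
```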

Hi Jawhawk,

Thanks for the information, though I think I may have been unclear as to the problem.

 

I'm logging ACCESS DENIED when trying to save when the "OutlookSecureTempFolder" value is <root drive>:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RANDOMSTRING\ which is, of course, the default.

The file DOES save to Documents, but gives an error message beforehand which is undesirable.

I altered this value to another (following your message, I set up a test folder on a file server and tried that) \\fileserver\shareroot$\OLK2010TempTest .

This does away with the error message and ACCESS DENIED logs, and the registry value does not change, so OLK is seeing this as a valid location.
I would expect OLK to create a random string under this location, and default the user's Save As dialogue box to Documents as per the original value. However it does not.

Instead, the user sees a Save As dialogue with the OLK test folder as the active folder, and the file they are about to save is already there (as a temporary file).
So the user cannot save directly to that folder without renaming their file (or else they'll get an error), or they have to manually navigate back to Documents.
January 7th, 2011 3:04pm

I'll also note that I can't gain access to the Temporary Internet Files folder at all.

As a standard user, I'm prevented from seeing the C:\ drive at all.

As an administrative user, I can get as far as Microsoft\Windows, but then Temporary Internet Files does not appear to me at all, and I can't navigate into it manually either.

January 10th, 2011 6:48pm

I stumbled across a Microsoft KB which suggests adding C:\temp0\ to the local drive and then pointing the TempFolder at that location.

When trying to save, a temp file is successfully created in that location, the Save As ... dialog box opens with Documents ... but I still get the error message. This is frustrating!

January 12th, 2011 6:07pm

Did you find a solution for this? I'm having the same problem on my new Windows Server 2008 R2 (RDS) server, with Office 2010 installed. The end users get an error when trying to save the document they've been working on, because it was originally an attachment in Outlook. So the UNC doesn't work when redirecting the key to \\fileserver\users\%username%\Documents\OutlookTemp??
March 9th, 2011 8:43pm

Hi Jon,

Unfortunately not, I've been pulled off on other things but still no fix :(

March 22nd, 2011 1:33pm

I am having the same issue. Did you happen to find a resolution?
December 15th, 2011 7:21am

I have exactly the same issue. I have managed to point the location to a network drive, but as previously stated this is unusable from a user's point of view. The two copies are created as temp files, so you can't save in the current location.

Has anyone found a fix for this issue as yet?

April 2nd, 2012 11:47am

I'm seeing the same issue.  Would love if someone had a solution to share that works.
June 26th, 2012 12:15am

Sadly I left the company some time ago and haven't come across a similar setup or the issue since, don't know if they ever solved it.
July 12th, 2012 3:51pm

I have managed to get around this issue for MS Office attachments in Outlook 2010 (i.e. Word, Excel, PowerPoint etc.) by configuring the following GPO settings for Office 2010.

With these GPO settings in place there is no need to set the "OutlookSecureTempFolder" registry entry as the temp files are still created in the Local drive location, but the error does not appear when you attempt to save the document.

Group Policy Settings:

User Configuration/Administrative Templates/Microsoft Office 2010/File Open/Save dialog box/Restricted Browsing

Activate Restricted Browsing: Enabled

Microsoft Access Enabled
Microsoft Excel Enabled
Microsoft SharePoint Designer Enabled
Microsoft InfoPath Enabled
Microsoft OneNote Enabled
Microsoft Outlook Enabled
Microsoft PowerPoint Enabled
Microsoft Project Enabled
Microsoft Publisher Enabled
Microsoft Visio Enabled
Microsoft Word Enabled

Approve Locations: Enabled

List of Approved Locations:
%HOMEDRIVE%\, H:\ and any other you may need etc....

This setting is also great for preventing users saving Office Docs to UNC paths and DFS namespace if you are using folder redirection.

Good luck...


September 5th, 2012 6:40am


I've enabled this and added the following as my default locations but when I click on File>Save, only the first one is displayed.

Home Folder %homedrive%\my documents

Shared Folder \\servername\share name

Please advise,

Thanks

September 13th, 2012 3:26pm

Has anyone seen a fix for this problem at all?

In our circumstance, by redirecting the secure temp folder to a temporary location the user doesn't get the warning message, but then the default Save As location is the temporary folder rather than their My Docs (although GPO is configured to set to their My Documents)??

June 21st, 2013 5:55pm

I've the same problem too.

To have more than one approved location displayed, you have to enable this policy too:

Places Bar Locations in the Office 2010 GPO.

Specify the same locations you have approved in the other GPO.

Click User Configuration, click Administrative Templates, click Microsoft Office 2010, double-click File Open/Save dialog box, and then click Places Bar Locations.

Problem solved for me.

Thanks to all of you. I've spent a lot of time on this problem.

July 5th, 2013 10:48am
