Environment
- Microsoft Windows Active Directory
- Windows Server 2003
- Terminal Server (Remote Desktop) environment
- All users use read only mandatory profile
- Outlook 2010 installed only for purpose of opening .msg files
- Outlook 2010 configured with fake user account so new account wizard does not run when users try to open .msg files
Issue
When opening a .msg file on the terminal server, users get the following error message:
Microsoft Outlook – Cannot start Microsoft Outlook
When trying to open Control Panel > Mail, users get the following error:
Your System needs more memory or system resources. Close some windows and try again
This does not affect users with domain or local administrator rights.
Cause
The issue was caused by restrictive permissions on the registry key and sub-keys located under:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
When a new Outlook profile is created, the user who created the profile is assigned Full Access permissions. Other domain users (apart from administrators) don’t have any rights to these registry keys. Normally this is not an issue. In a terminal server environment with mandatory profiles, however, it meant that only administrators and the user whose profile was used to initially set up the mandatory profile had access to this part of the registry.
Solution
- Change the mandatory profile to a normal roaming profile
  (rename ntuser.man to ntuser.dat)
- Log in as a user with administrator rights
- Open Registry (regedit.exe) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem
- Right click on Windows Messaging Subsystem and click on Permissions > Advanced
- Make sure the Domain Users group is listed with Full Control permissions. If not, add it
- Select Replace permissions entries on all child objects … and press Apply
  (this will propagate permissions to all child registry sub-keys)
- Log off and change the profile back to mandatory
  (rename ntuser.dat to ntuser.man)
Note: Every time Outlook is opened, the permissions on these registry sub-keys get changed again. Don’t open Outlook (or any .msg files) after the registry permissions change until you log off and change the profile back to read-only (mandatory). After that it will not cause any issues, as changes will not be saved to the mandatory profile.
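To confirm that the permission change reached every sub-key before the profile is switched back to mandatory, the ACLs can be checked from PowerShell in the same administrator session. This is an added example, not part of the original procedure; it assumes PowerShell is installed on the server and that the group name 'Domain Users' resolves as written (otherwise use the DOMAIN\Domain Users form).

```powershell
# Added example: list every key under "Windows Messaging Subsystem" that does
# NOT carry an Allow / Full Control entry for Domain Users.
# Run while the profile is still ntuser.dat, before logging off.
$root  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem'
$group = 'Domain Users'   # assumption: resolvable as written on this server

# Resolve the group to a SID so the comparison does not depend on display names.
$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
        [System.Security.Principal.SecurityIdentifier])

$full = [int][System.Security.AccessControl.RegistryRights]::FullControl

# The key itself plus all of its sub-keys (Profiles and everything below it).
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)

$missing = @(foreach ($key in $keys) {
    # Read explicit and inherited access rules, with identities returned as SIDs.
    $rules = $key.GetAccessControl().GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])

    $granted = $rules | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $full) -eq $full
    }
    if (-not $granted) { $key.Name }
})

if ($missing.Count -gt 0) {
    Write-Output "Keys without Allow/FullControl for ${group}:"
    $missing
} else {
    Write-Output "All $($keys.Count) keys grant FullControl to $group."
}
```

If Outlook or a .msg file was opened after the permissions were applied, the script will list the sub-keys whose permissions were reset, and the Replace permissions step has to be repeated before logging off.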