“How to disable vault cache on a per machine basis”
Background
When setting a machine to be used in kiosk mode, Terminal Services, or Vmware View, it is usually best practice to optimize the operating system for multiple user logins. That means disabling unnecessary features and caching to increase speed, reduce disk space and I/O. Most of you are probably aware of the big ones like Outlook Cached Exchange Mode and Offline Files, but I have found Symantec Enterprise Vault (SEV) cache to be just as resource intensive. SEV is an email archive utility which helps to keep users within their mailbox quotas for Exchange Mail Servers.
Problem
The problem I encountered is that most of the users that have SEV are laptop users who would require access to their offline vaults when they are out of the office. But when those same users log in to a multi-user computer (in this particular case, Vmware View desktops) SEV would automatically begin synchronizing their archived mail. In this situation, it would be best to somehow enable vault cache for dedicated computers like laptops and desktops, but disable it for multi-user machines like Vmware View desktops. Unfortunately, according to this forum post and the conversation that I had with support, it seems as though SEV’s interface only allows for the disablement of vault cache per mailbox and not per machine. But fear not, we can script our way out of this one fairly easily.
Solution
In this soltution, I will attempt to explain a way to disable vault cache for all users logging in to a particular machine. The answer to this problem lies in the registry. When you install SEV on a computer, you can configure a registry value called OVEnabled, which enables or disables: <0\1> vault cache. OVEnabled can exist in two *possible* locations:
HKEY_CURRENT_USER\Software\KVS\Enterprise Vault\Client\<StoreID Key>
and/or
HKEY_CURRENT_USER\Software\KVS\Enterprise Vault\Client
The differentiating factor between the two locations above is the Store ID key which is a unique, 32 character registry key, specifying the user’s mailbox.
If the SEV outlook add-in has not yet been initialized, you probably won’t find a store ID key under the Client key. In this case, you can create the OVEnabled value under the Client key. This will copy the OVEnabled value to all newly created Store ID keys, ultimately disabling vault cache for any mailbox initialized thereafter.
If one (or possibly more) Store ID’s are already there, they each have to be addressed on an individual basis. This is done by creating the OVEnabled value under each of the Store ID keys and setting it to 0. In conjunction with this, you may also set OVEnabled under the Client key in order to disable vault cache for all future mailboxes.
These unique Store IDs are the reason why I said that we could use a “script” to solve this problem. A registry group policy setting would only work for newly created vault caches, it would not disable any preexisting caches because of the unique registry paths. And because of the fact that OVEnabled only works under the HKCU key, we would have to decide on a way to run the script for all users that log in to a particular computer, but more on that later.
In short, we will need a script that will perform the following functions:
- Set OVEnabled to 0 under the Client key.
- Find all preexisting Store ID keys under the Client key.
- Set OVEnabled to 0 for all Store ID keys.
- Find the actual disk path of all preexisting vault caches and delete those vault caches from disk.
I’ve made such a script, and it can be found here.
Conclusion
This script has worked well for me, but keep in mind there are a few caveats:
First, we still need to “decide on a way to run the script”. You are going to want to run this for all users that log in to a particular computer, but you do not want the script to run at logon when the user is on their dedicated workstation. I’ve found that enabling loop-back processing: (merge) on the multi-user computer and applying this log on script to the target computer OU is generally the best route. Just be sure to carefully review the user settings that may already exist in GPOs applied to the target computer OU.
Secondly, if you have roaming profiles enabled in your environment, be sure to either use a different profile or disable them for the multi-user computers. For View desktops, I use Personas. Otherwise, when the users log in to their regular workstations, the registry changes may follow them.
Script(s) Used in This Post:
Disable Vault Cache (https://adameyob.com/scripts/disable-enterprise-vault-cache/)