As part of a mail migration project from one Exchange organization to another, we need to be able to prevent users from moving/copying messages between their accounts in each organization. (Yes, users will think this is evil; no, it's not my decision; yes, users will hate us.)
Luckily, we thought, Outlook 2010 provides the DisableCrossAccountCopy registry value/policy (cf. http://technet.microsoft.com/en-us/library/ff800883.aspx). (Because you can't do multiple Exchange organizations in a single profile before Outlook 2010, this only matters on Outlook 2010. Yes, I'm ignoring for the sake of this question copy/move to/from the filesystem.)
In our test lab, in a test forest with a test Exchange organization, with a second Exchange account added to the profile in either of the "real" Exchange organizations, with the value set to "*", everything works as expected.
On a workstation in one of the production domains, however, the setting does not seem to work. We have tried it under HKCU, HKLM, HKCU\Software\Policies, and HKLM\Software\Policies. It simply seems to be ignored.
The value was set in the OCT on a test machine, but the OCT (and the ADM/ADMX file) have the wrong type for the value. We have located the value in the registry and removed it everywhere it is found, we think, and put it back in HKCU, but it still isn't taking. At the moment, a clean Outlook install is not an option - even if it was, we at this point would need to know what to do to fix the pushed copy (I didn't push the copy out to thousands of machines, I've just been asked to help clean up the current mess).
Thoughts?
So we found the answer to this after a lot of experimenting.
Essentially, Outlook 2010, by design, looks at the SMTP domain names of all of the proxy addresses on each Exchange account in the profile. If there is an SMTP domain name match between any of the proxy addresses on one account and any of the proxy addresses on the other account, then move/copy between accounts is allowed. The basic idea appears to be that this is considered intra-organization and therefore acceptable. In the test cases outlined above, there was an address match in the production environment, but not in the test environment.
Things that don't matter: which address is the primary SMTP address; the value of the mail attribute in AD.
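The matching rule described in this answer can be checked ahead of time against each account's `proxyAddresses` values. The following is an added example, not part of the original post: the function names and all sample addresses are constructed, and it assumes DisableCrossAccountCopy is set to "*" and that addresses use the AD `proxyAddresses` form (`SMTP:` primary, `smtp:` secondary, other prefixes such as `X500:` ignored).

```powershell
# Added example (hypothetical helper names; not from the original post).
# Returns the distinct SMTP domains found in a list of proxyAddresses values.
function Get-SmtpDomain {
    param([string[]]$ProxyAddresses)
    $ProxyAddresses |
        # -match is case-insensitive, so primary (SMTP:) and secondary (smtp:)
        # entries are both included; X500:, SIP: and similar are skipped.
        Where-Object { $_ -match '^smtp:[^@\s]+@[^@\s]+$' } |
        ForEach-Object { ($_ -split '@')[-1].ToLowerInvariant() } |
        Sort-Object -Unique
}

# Compares two accounts the way the answer describes: any SMTP domain shared
# between any proxy address on either side means move/copy is still allowed.
function Test-CrossAccountCopy {
    param([string[]]$AccountA, [string[]]$AccountB)
    $a = @(Get-SmtpDomain $AccountA)
    $b = @(Get-SmtpDomain $AccountB)
    $shared = @($a | Where-Object { $b -contains $_ })
    [pscustomobject]@{
        SharedDomains    = $shared
        PolicyBlocksCopy = ($shared.Count -eq 0)
    }
}

# Constructed sample data. Real values could come from, for example,
# (Get-ADUser <user> -Properties proxyAddresses).proxyAddresses in each forest.
$labAccount   = @('SMTP:jdoe@lab.example')
$prodAccountA = @('SMTP:jdoe@orga.example',
                  'smtp:jdoe@shared.example',
                  'X500:/o=OrgA/ou=Recipients/cn=jdoe')
$prodAccountB = @('SMTP:john.doe@orgb.example',
                  'smtp:jdoe@SHARED.example')

# Lab case: no common domain, so the setting takes effect.
Test-CrossAccountCopy -AccountA $labAccount -AccountB $prodAccountA

# Production case: a secondary address on each side shares a domain,
# so Outlook treats the accounts as the same organization.
Test-CrossAccountCopy -AccountA $prodAccountA -AccountB $prodAccountB
```

Running the check across all migrating users before rollout shows which account pairs would still be able to move or copy items despite the policy.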