Updated: 2007-02-08
In a Microsoft Windows-based network, administrators can use Group Policy settings to help control how users work with the 2007 Microsoft Office system. Administrators can use Group Policy settings to define and maintain an Office configuration on users' computers. Unlike other customizations—for example, default settings distributed in a Setup customization file—policy settings are enforced and can be used to create highly managed or lightly managed configurations.
You can use the 2007 Office system policy settings to:
-
Control entry points to the Internet from the 2007 Office system applications.
-
Manage security settings in the 2007 Office system applications.
-
Hide settings and options that are unnecessary for users to perform their jobs and that might distract users or result in unnecessary calls for support.
-
Create a highly managed standard configuration on users' computers.
You can set policy settings that apply to the local computer and every user of that computer, or that apply only to individual users. Per-computer policy settings are set under the Computer Configuration node of the Group Policy Object Editor Microsoft Management Console (MMC) snap-in and are applied the first time any user logs on to the network from that computer. Per-user policy settings are set under the User Configuration node and are applied when the specified user logs on to the network from any computer. Group Policy is also applied periodically in the background after it is initially processed at startup and logon.
For detailed information about Group Policy infrastructure, see Group Policy Technical Reference on the Microsoft TechNet site.
.gif) Important: |
|---|
| Before you implement Group Policy, you must have a good understanding of Active Directory infrastructure and Group Policy concepts. You must carefully plan and design your Group Policy solution based on your organization's business and security requirements, and you must fully test your solution in a non-production environment before you deploy the solution to users and computers. |
If you have not already deployed Active Directory and Group Policy in your organization, the following resources provide information about deployment of these technologies:
For detailed information about Group Policy deployment, see Designing a Group Policy Infrastructure and Staging Group Policy Deployments in the Designing a Managed Environment book of the Windows Server 2003 Deployment Kit on the Microsoft TechNet Web site.
For information about Active Directory deployment, see Designing and Deploying Directory and Security Services on the Microsoft TechNet Web site.
Active Directory and Group Policy
Active Directory directory service is the distributed directory service that is included with Microsoft® Windows Server 2003 and Microsoft Windows 2000 Server operating systems. Active Directory stores information about objects on a network and makes this information available to users and network administrators.
Group Policy is an infrastructure that enables administrators to implement specific computing configurations for groups of users and computers. Policy settings can also be applied to member servers and domain controllers within the scope of an Active Directory forest.
Group Policy settings are contained in Group Policy objects (GPOs), which are linked to selected Active Directory containers: sites, domains, or organizational units (OUs). The settings within GPOs are evaluated by the affected targets, using the hierarchical nature of Active Directory.
To configure Group Policy settings in GPOs, administrators use the Group Policy Object Editor Microsoft Management Console (MMC) snap-in from the Group Policy Management Console snap-in. Administrators can use Group Policy to specify configurations for a wide range of areas, such as Administrative Templates (registry-based policies), security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance.
The 2007 Office system policy settings are contained in Administrative Template files (.adm and ADMX files). For more information about Administrative Templates, see the 2007 Office System Administrative Template Files section.
Group Policy settings for the 2007 Office System
Administrators can use policy settings for the 2007 Office system applications to manage most options that configure the Office user interface, including:
The 2007 Office system Administrative Template files (.adm files) also include policy settings that help you control the way in which Windows Installer functions.
Each Office policy setting represents an option or feature in a 2007 Office system application. Each policy setting also corresponds to one or more value entries in the Windows registry. All policy setting information is stored in the same area of the registry.
For example, all user-specific policy settings are stored in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0 sub-key, which mirrors most of the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 sub-keys. Computer-specific policies are stored in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0 sub-key. By default, both policy sub-keys are locked to prevent users from accessing them.
Group Policy settings can have one of three states:
-
Not configured—The policy setting is not enforced.
-
Enabled—The policy setting is activated. Additional settings appear in the dialog box for some policy settings. These settings determine what happens when the policy setting is enforced.
-
Disabled—For most policy settings, Disabled enforces the opposite behavior as the Enabled state. For example, if Enabled forces a feature's state to Off, Disabled forces the feature's state to On.
2007 Office System Administrative Template files
To set policy settings for the 2007 Office system applications, you use the Group Policy Object Editor snap-in and load the 2007 Office system Administrative Template files into the GPO you want to deploy. You then configure the policy settings you want to manage. You can add several .adm files and set the entire configuration of a computer at one time.
You can download the Administrative Template files for the 2007 Office system from 2007 Office System Administrative Templates (ADM) in the Microsoft Download Center. You can also download the 2007 Microsoft Office System Open XML Format converters Administrative Template (ADM) file from the Microsoft Download Center. Administrators can use this template to modify the default behavior for the Microsoft Office Word, Excel, and PowerPoint 2007 Open XML Format converters.
For information about modifying Microsoft Office 2003 and Microsoft Office XP Administrative Template files to set default File Save As options to include the new OpenXML file formats of the 2007 Microsoft Office programs, refer to KB article 932127, How to modify an existing Office policy file (ADM file) for Office 2003 and for Office XP to set the Save As default file format to include the new OpenXML file formats of the 2007 Microsoft Office programs on the Microsoft Support Knowledge Base (KB) Web site.
The following Administrative Template files are available for the 2007 Office system:
|
ADM file
|
Application
|
| office12.adm | shared Office components |
| access12.adm | Microsoft Office Access 2007 |
| cpao12.adm | Calendar Printing Assistant for Microsoft Office Outlook 2007 |
| excel12.adm | Microsoft Office Excel 2007 |
| groove12.adm | Microsoft Office Groove 2007 |
| ic12.adm | Microsoft Office InterConnect 2007 |
| inf12.adm | Microsoft Office InfoPath 2007 |
| onent12.adm | Microsoft Office OneNote 2007 |
| outlk12.adm | Microsoft Office Outlook 2007 |
| ppt12.adm | Microsoft Office PowerPoint 2007 |
| proj12.adm | Microsoft Office Project 2007 |
| pub12.adm | Microsoft Office Publisher 2007 |
| spd12.adm | Microsoft Office SharePoint Designer 2007 |
| visio12.adm | Microsoft Office Visio 2007 |
| word12.adm | Microsoft Office Word 2007 |
The policy settings in the Administrative Template files are organized in a hierarchy that, in general, follows the user interface. Application-specific settings appear in the individual templates. The policy settings for some settings that appear in multiple applications are consolidated in the Office12.adm template. For example, customizations to the Office File Open dialog box are made in the Office12.adm template.
.gif) Note: |
|---|
| Because policy settings are stored in a different area of the registry for each release of Office, you cannot use the Administrative Template files from a previous version. You must use the Administrative Template files for the 2007 Office system to configure policy settings for the 2007 Office system. |
Group Policy Management tools
Administrators use the following tools to manage Group Policy:
-
Group Policy Management Console (GPMC) MMC snap-in is used for most Group Policy management tasks.
-
Group Policy Object Editor MMC snap-in for configuring and editing policy settings in GPOs. In a domain environment, administrators can edit GPOs from GPMC, which invokes Group Policy Object Editor.
Group Policy Management Console
GPMC is an MMC snap-in that is used for managing most aspects of Group Policy: scoping, delegating, filtering, and manipulating inheritance of GPOs; and backing up (export), restoring, importing, and copying GPOs. GPMC also invokes Group Policy Object Editor to edit policy settings in GPOs in domain-based environments.
GPMC is the preferred tool for Group Policy management in a domain environment.
Resultant Set of Policy (RSoP) is a feature of Group Policy that makes implementation, troubleshooting, and planning of Group Policy easier. GPMC includes two RSoP capabilities that are provided by Windows:
-
Group Policy Results: Represents the actual policy data that is applied to a computer and user. Data is obtained by querying the target computer and retrieving the RSoP data that was applied to that computer. The Group Policy Results capability is provided by the client operating system and requires Windows XP, Windows Server 2003, or later versions of the operating system.
-
Group Policy Modeling: Simulates what policy settings are applied under circumstances specified by an administrator. Administrators can use Group Policy Modeling to simulate the RSoP data that would be applied for an existing configuration, or they can analyze the effects of simulated, hypothetical changes to their directory environment. Group Policy Modeling requires that you have at least one domain controller running Windows Server 2003, because this simulation is performed by a service running on a domain controller that is running Windows Server 2003.
| Note: |
|---|
| GPMC was provided as a separate download component for Microsoft Windows® Server 2003 and Windows XP. To download GPMC, see Download Group Policy Management Console (GPMC). In Windows Vista and Windows Server 2008, GPMC is integrated into the operating system. |
Group Policy Object Editor
Group Policy Object Editor is an MMC snap-in that is used to configure policy settings within a GPO. On computers running Windows 2000, Windows XP with the Windows Server 2003 Administration Tools Pack installed, and Windows Server 2003, the Group Policy Object Editor can be accessed from the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. Group Policy Object Editor operates as an extension to these Active Directory management tools.
If administrators edit a GPO from within GPMC, Group Policy Object Editor displays and shows the settings for that specific GPO.
To configure Group Policy settings for a local computer that is not a member of a domain, use Group Policy Object Editor to manage local GPOs.
Group Policy object permissions in Group Policy Management Console
GPMC manages GPO permissions as a single unit and displays the security filtering for the GPO on the GPO Scope tab. Administrators can use GPMC to add and remove groups, users, and computers to be used as security filters for each GPO. The security principals used for security filtering are listed on the Delegation tab for a GPO as having Read (from Security Filtering) permission, because they have read access to the GPO.
There are five permission options on GPOs in the GPMC user interface. Each option corresponds to a set of individual Windows NT permissions in Access Control List (ACL) Editor. The ACL Editor sets access control policy for Active Directory and Windows objects. The following table summarizes the correspondence.
|
GPMC user interface option
|
Corresponding permission in ACL Editor
|
| Read | Allow Read access on the GPO |
| Edit settings | Allow Read, Write, Create Child Objects, and Delete Child Objects |
| Edit, delete, and modify security | Allow Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner. This grants full control on the GPO, except that the Apply Group Policy permission is not set. |
| Read (from Security Filtering) | This setting cannot be set directly, but appears on the delegation tab if the user has Read and Apply Group Policy permissions to the GPO. |
| Custom | Any other combination of permissions, including the use of Deny, displays as Custom. GPMC can only set custom permission sets by clicking the Advanced button and opening the ACL Editor. |
GPO creation privileges are required to create a GPO. By default, only domain administrators, enterprise administrators, and members of the Group Policy creator owners group can create GPOs.
Edit permissions for the GPO that you want to edit are required to edit a GPO.
Edit, delete, and modify security permissions for the GPO are required to delete a GPO.
Permissions on a GPO are managed from the Delegation tab of that GPO. For step-by-step instructions, see Delegate Group Policy tasks on the Microsoft TechNet Web site.
Using Group Policy Management Console and Group Policy Object Editor
GPMC is used for managing Group Policy tasks in a domain environment. GPMC invokes Group Policy Editor, which is used to configure policy settings within GPOs.
After you set up an Active Directory and Group Policy infrastructure in your organization, you use Group Policy Object Editor from GPMC to set Office policy settings from the Office .adm files. After you set policy settings for a GPO and link that GPO to a site, domain, or organizational unit, the operating system enforces the policy settings.
Use the following procedures to start GPMC and link GPOs in GPMC. Use Group Policy Object Editor from GPMC to create GPOs, edit GPOs, and load Administrative Template files.
| Note: |
|---|
| The following procedures assume you have already installed GPMC. You can download GPMC from the Microsoft Download Center site. See Download Group Policy Management Console (GPMC) for more information. If you are using Windows Vista, GPMC is integrated into the operating system. |
To start Group Policy Management Console
To create a Group Policy Object
-
Open GPMC.
-
In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a GPO. For example, navigate to Forest name, Domains, Domain name, Group Policy Objects.
-
Click New.
-
In the New GPO dialog box, specify a name for the new GPO and click OK.
To edit a Group Policy object
-
Open GPMC.
-
In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit. This is located in Forest name, Domains, Domain name, Group Policy Objects.
-
Right-click the GPO you want to modify and click Edit. This opens Group Policy Object Editor. Edit settings as appropriate in the Group Policy Object Editor console.
| Important: |
|---|
| Administrative Templates policy settings provide Explain text, which you can view by clicking the Extended tab in the details pane (right side) of the Group Policy Object Editor console. You can also see this text by double-clicking a policy setting and clicking the Explain tab in the Properties dialog box for the policy setting. Explain text provides information about the policy setting. Avoid editing the default domain policy. If you want to apply Group Policy settings to the entire domain, create a new GPO, link the GPO to the domain, and create the settings in that GPO. The default domain policy and default domain controllers policy are critical to the health of any domain. Do not edit the Default Domain Controller Policy or the Default Domain Policy GPOs, except in the following cases: It is recommended that you set account policy in the Default Domain Policy. If you install applications on domain controllers that require modifications to User Rights or Audit Policies, the modifications must be made in the Default Domain Controllers Policy. To edit the local GPO: open Group Policy Object Editor by clicking Start, then click Run, type gpedit.msc, and click OK. |
To load Administrative Template files and set Office policy settings
-
In Group Policy Object Editor, right-click Administrative Templates in the Computer Configuration or User Configuration node and select Add/Remove Templates. A list of the .adm files that are already added to the GPO is displayed.
-
To add another adm file, click Add.
A list of the .adm files in the %SystemRoot%\Inf folder of the local computer is displayed. You can also select an .adm file from another location.
-
In the Policy Templates dialog box, browse to the 2007 Office system templates that you want to add. Click Open and click Close in the Add/Remove Templates dialog box.
-
Double-click Computer Configuration or User Configuration and expand the tree under Administrative Templates to find the Office policy settings.
-
In the details pane (in the right pane), double-click the folders and double-click a policy setting to open the Properties dialog box. Configure the Office policy settings you want to use and click OK.
| Note: |
|---|
| The Explain tab on the Properties page for the policy setting provides information about the setting. |
-
Save the GPO.
To link a Group Policy object
-
Open Group Policy Management.
-
In the console tree, locate the site, domain, or organizational unit to which you want to link a GPO. These are located under Forest name, Domains or Sites, or Site name, Domain name or organizational unit name.
-
To link an existing GPO, right-click the domain or organizational unit within the domain and click Link an Existing GPO. In the Select GPO dialog box, click the GPO which you want to link and click OK.
-or-
To link a new GPO, right-click the domain or organizational unit within a domain and click Create and Link a GPO Here. In the Name box, type a name for the new GPO and click OK.
| Note: |
|---|
| To link an existing GPO to a site, domain, or organization unit, requires Link GPOs permission on that site, domain, or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this privilege for domains and organizational units, and only Enterprise Administrators and Domain Administrators of the forest root domain have this privilege for sites. To create and link a GPO requires Link GPOs permissions on the domain or organizational unit to which you want to link, and you must have permission to create GPOs in that domain. By default, only Domain Administrators, Enterprise Administrators, and Group Policy Creator owners have permission to create GPOs. The Create and Link a GPO Here option is not available for sites, because it is unclear in which domain to create the GPO. The user must first create a GPO in any domain in the forest, and then use the Link an Existing GPO option to link the GPO to the site. |
For more detailed information about using GPMC, see Step-by-Step Guide to Using Group Policy Management Console and the online Help for Group Policy Management on the Microsoft TechNet Web site.
If you want to set the 2007 Office system policy settings for a local, non-domain joined computer, you can use gpedit.msc console to open Group Policy Object Editor as an MMC snap-in from the command line to edit the local GPO.
To open Group Policy Object Editor from the command line
For more information about setting Group Policy, see Step-by-Step Guide to Understanding the Group Policy Feature Set.
Download this book
This topic is included in the following downloadable book for easier reading and printing:
See the full list of available books at Office Resource Kit information.
See Also