Managing Office-Related Policy

Each GPO to which you’ve deployed Office-related policy is updated to include the Administrative Templates you selected for installation. The Office 2003 Administrative Templates contain over 2500 policy settings.

Note

Appendix D highlights some of the more commonly used settings in each template file. The updated Administrative Templates for Office 2003 Service Pack 1 also include an Excel spreadsheet called "Office 2003 Group Policies.xls." This spreadsheet describes all of the settings available.

Working with Office-Related Policy

Most Office-related policies are configured under User Configuration\Administrative Templates, as shown in Figure 10-3. Only a select few are configured under Computer Configuration\Administrative Templates.

Figure 10-3. Viewing the Office-related policies

Each policy represents an option or feature of an Office application. When working with these policies, keep the following in mind:

  • The Office-related policies configured under User Configuration are used to set per-user policies. Per-user policies affect individual users, typically users within a particular OU.

  • The Office-related policies configured under Computer Configuration are used to set per-computer policies. Per-computer policies affect all users of computers to which a GPO applies.

Because there are so few per-computer policy settings for Office, you’ll primarily work with per-user policy settings.

Examining Global and Application-Specific Settings

The Office-related policies in both configuration areas are divided into two broad categories:

  • Global settings for all Office applications, configured under Microsoft Office 2003.

  • Application-specific settings, configured through a policy folder named after the application to which the policy settings apply.

For general management of Office and its configuration, the global settings should be the first you examine and modify. Global settings are used to configure the standard options, toolbars and menus, language settings, messaging and collaboration features, and security settings that will be used in all Office applications. For example, you can use the User Templates Path policy under User Configuration\Administrative Templates\Microsoft Office 2003\Shared Paths to set a standard folder location for template files. If you specify a network share as the folder location, all users to which the current GPO applies would use this location as the default path for template files.

When you want to fine-tune the configuration of a specific application, you’ll use the application-specific settings. Every Office application has a separate policy folder. Most also have a Disable Items In User Interface policy, which you can use to disable specific command bar buttons and menu items.

Tip

Don’t overlook the power of Disable Items In User Interface to help you optimize your Office configurations and restrict use of features that might compromise security or cause problems in your environment. You can use Disable Items In User Interface policy to disable a predefined set of options and create your own custom sets of disabled options as well. For details, see "Preventing Users from Changing Office Configurations."

Configuring Office-Related Policy Settings

Unlike other administrative template files that you might encounter, the Office-related policy templates have a feature that can be confusing at first. Specifically, some policy items require you to select the state of the policy (Not Configured, Enabled, or Disabled) and then select an additional check box to enable the policy. Figure 10-4 shows one such policy.

Figure 10-4. Viewing an Office policy that requires confirmation to be enabled

To enable this policy, you need to select the Enabled state and the "Check To Enforce Setting On; Uncheck To Enforce Setting Off" check box. If you do not select this check box, the policy will revert to a Disabled state when you apply it. Keep this in mind when you configure Office policies because this is different behavior than what you will find for normal Windows administrative templates.

When working with Office policy settings, keep the following in mind as well:

  • Clearing an Enabled policy setting doesn’t reverse the policy. It only changes the behavior set through the policy. To reverse the policy, you should set it to Not Configured.

  • Setting a previously enforced policy to Not Configured removes enforcement and restores the setting or option to either the standard default or the last setting specified by a user.

  • Setting a policy to Disabled is generally the same as setting the policy to Not Configured. That is to say, in most cases, the policy settings return to their default behavior, and users will be able to manage the related settings as they could before a restriction or change was applied.

Note

This behavior is specific to Office-related policy. For other policy settings, the behavior for the Enabled, Disabled, and Not Configured states is as described elsewhere in this book. See "Understanding Group Policy Settings and Options" in Chapter 1 for an overview.

Preventing Users from Changing Office Configurations

If you deploy Office-related policies, you might notice that the policy settings you’ve specified are delivered as expected but it appears that the user can still change the settings to some other value. In other areas of policy, an option is usually dimmed when the user can’t change it. This is not the case with Office-related policies.

Understanding How to Prevent Office Configuration Changes

With Office-related policy, restricted options are not dimmed. Any changes users make to restricted options are temporary. When a user exits and restarts the application, the application uses the value from policy.

It is possible, however, to completely prevent users from accessing a given menu option within an Office application. Every Office administrative template, with the exception of those for OneNote, Project, and Publisher, includes Disable Items In The User Interface policy. You can use this policy to control what menu options a user actually sees.

For example, say that we want to disable the Startup Task Pane in Word 2003. This option is set under Tools, Options, View. However, we don’t want users to even be able to see this option. What we can do is use the Word 2003 policies to disable parts of the Word 2003 user interface to prevent the Options command from appearing on the Tools menu.

Now, when users open the Tools menu, Options is dimmed and unavailable. This approach allows you to tightly control what your users can and can’t do with their Office configurations. This, in turn, can reduce unwanted help desk calls when users accidentally change a setting that they shouldn’t have touched and, if used correctly, can also help increase the security of your environment.

If you want to inform your users why certain options are grayed out (to prevent them from having to call the help desk to determine the reason), you can attach a custom ToolTip to disabled menu items. The custom message will appear to the user when her mouse hovers over any menu item that has been disabled by policy. See "Configuring Notification for Disabled Menu Items and Options" for details.

Disabling Office Menu Items and Options Using Predefined Options

Disable Items In The User Interface policy controls what menu options a user actually sees. You can use this policy to prevent configuration changes in all Office applications, except OneNote, Project, and Publisher. To do so, complete the following steps:

  1. Access User Configuration\Administrative Templates and then expand the node for the Office application for which you want to disable menu options.

  2. Double-click Disable Command Bar Buttons And Menu Items under Disable Items In User Interface\Predefined.

  3. In the Properties dialog box, select Enabled. As shown in Figure 10-5, you will then see a list of menu options you can disable.

    Figure 10-5. Disabling menu options through policy

  4. Select the checkboxes for the menu options you want to disable.

    Note

    The menu items and options listed are only the ones that you might commonly want to disable. If you don’t see the menu option you want to disable, it doesn’t mean you can’t disable that option. See "Disabling Office Menu Items and Options Using Custom Options."

  5. Click OK.

Disabling Office Menu Items and Options Using Custom Options

The previous section discussed how to disable menu items using a predefined set of options. As you might have already seen, these predefined options are rather limited. To extend this list, you can create a custom option, which lets you disable menu items and options that aren’t included in the predefined list. Doing so is a multipart process.

Step 1: Determining the Menu Item ID

The custom policy expects a unique ID for the menu item you want to disable. Every menu item and button bar in Office applications has a unique ID. To determine that unique ID, you need to run some VBA code within the Office application you’re trying to control. Follow these steps:

  1. Start the Office application for which you are trying to determine a menu ID. Press Alt+F11 or select Tools, Macro, Visual Basic Editor to start the Visual Basic Editor.

  2. In the Visual Basic Editor, select View, Immediate Window. When the immediate window appears in the bottom portion of the screen, paste the following command into it:

    ? CommandBars("menu bar").controls("MenuName").controls("MenuItem").id

    where controls("MenuName") and controls("MenuItem") represent the menu item whose ID you want to return. For example, if you wanted the control ID for Tools | Options you would use the following command:

    ? CommandBars("menu bar").controls("Tools").controls("Options...").id

  3. Press Enter and the value is returned just below the command in the Immediate window. In this case, the value returned is 522.

If you are familiar with Visual Basic, you can extend this approach by running a macro that enumerates the top-level options on a toolbar. Example 10-1 provides the code you would use to do this. In this example, you examine the Tools menu, but you can easily change the name of the menu you are enumerating by modifying the Controls value assigned.

Example 10-1. Sample Code to Enumerate Items on a Menu

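Sub EnumerateControls()
 ' Show the caption and control ID of each top-level item on the Tools menu.
 Dim icbc As Integer
 Dim cbcs As CommandBarControls
 ' Change "Tools" to enumerate a different menu.
 Set cbcs = Application.CommandBars("Menu Bar").Controls("Tools").Controls
 For icbc = 1 To cbcs.Count
  MsgBox cbcs(icbc).Caption & " = " & cbcs(icbc).ID
 Next icbc
End Sub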
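
Example 10-1 covers only the top-level items of one menu and shows each in a message box. The macro below is an added example, not code from the book: it generalizes that approach by walking every menu and nested submenu on the active menu bar and writing each item's path and ID to a text file, so the IDs you enter in a custom disable policy can be reviewed in one place. The procedure names and the output file name are assumptions made for illustration, and it assumes an application that exposes Application.CommandBars (in Outlook, use ActiveExplorer.CommandBars instead).

```vba
' Added example: export the path and control ID of every menu item.
' Procedure names and the output file name are illustrative assumptions.
Option Explicit

Sub ExportMenuControlIds()
    Dim ctl As CommandBarControl
    Dim fileNum As Integer
    Dim outPath As String

    ' Write to a file because the Immediate window keeps only a limited
    ' number of lines and a full menu bar can exceed it.
    outPath = Environ$("TEMP") & "\MenuControlIds.txt"
    fileNum = FreeFile
    Open outPath For Output As #fileNum

    ' ActiveMenuBar avoids hard-coding the bar name, which differs by
    ' application (Excel, for example, uses "Worksheet Menu Bar").
    For Each ctl In Application.CommandBars.ActiveMenuBar.Controls
        WalkControl ctl, "", fileNum
    Next ctl

    Close #fileNum
    MsgBox "Menu control IDs written to " & outPath
End Sub

Private Sub WalkControl(ByVal ctl As CommandBarControl, _
                        ByVal parentPath As String, _
                        ByVal fileNum As Integer)
    Dim path As String
    Dim child As CommandBarControl
    Dim popup As CommandBarPopup

    ' Strip the "&" accelerator marker so "&Tools" is written as "Tools".
    path = Replace(ctl.Caption, "&", "")
    If Len(parentPath) > 0 Then path = parentPath & " | " & path

    ' One line per control: full menu path, a tab, then the control ID.
    Print #fileNum, path & vbTab & ctl.ID

    ' Only popup controls (menus and submenus) contain child controls.
    If ctl.Type = msoControlPopup Then
        Set popup = ctl
        For Each child In popup.Controls
            WalkControl child, path, fileNum
        Next child
    End If
End Sub
```

Run ExportMenuControlIds from the Visual Basic Editor in the application you are restricting; menu items that are added dynamically or by add-ins appear only if they are loaded when the macro runs.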

Step 2: Using a Custom Disable Policy

Once you get the menu bar ID, you can use it to configure a custom disable policy. When the policy is deployed, the designated menu item will be grayed out for the user.

To create or modify a custom disable policy, follow these steps:

  1. Access User Configuration\Administrative Templates and then expand the node for the Office application for which you want to disable menu options.

  2. Double-click Disable Command Bar Buttons And Menu Items under Disable Items In User Interface\Custom.

  3. In the Properties dialog box, select Enabled and then click Show.

  4. The Show Contents dialog box provides a list of any menu IDs that are currently disabled as shown in Figure 10-6.

    Figure 10-6. Using a custom menu ID to disable menu items

  5. To disable an additional menu item for the selected application, click Add. In the Add Item dialog box, enter the menu item ID and then click OK.

  6. To enable a menu item that was previously disabled, select the menu item in the Command Bar ID list and then click Remove.

Configuring Notification for Disabled Menu Items and Options

When you disable menu items and options through policy, you might also want to notify users about this. One way to do this is to set a global ToolTip, which is displayed when users try to access a disabled menu item or option. While the ToolTip can be something as simple as "This feature has been restricted due to security or compatibility concerns," it can help to ease users’ frustration over not being able to select a menu item or option.

To configure a global ToolTip for disabled menu items and options:

  1. Access User Configuration\Administrative Templates\Microsoft Office 2003\Disable Items In User Interface.

  2. Double-click ToolTip For Disabled Toolbar Buttons And Menu Items under Predefined.

    Note

    ToolTip For Disabled Toolbar Buttons And Menu Items is provided in the Administrative Templates update for Office 2003 Service Pack 1.

  3. In the Properties dialog box, select Enabled and then enter the descriptive text for the ToolTip as shown in Figure 10-7. This text can be up to 69 characters in length.

    Figure 10-7. Setting ToolTip text for disabled menu items and options

  4. Click OK.

Controlling Default File and Folder Locations

You’ll often want to control where users open and save Office documents. For example, in Terminal Server environments where Office is installed, you might not want users to store files on the Terminal Server itself. While this scenario is ultimately controlled using NTFS file system and share permissions, you can use Office Administrative Template policy to steer the user in the right direction. Each Office 2003 policy template includes options for specifying the default document location.

Say you want to ensure Excel 2003 workbooks are always opened and saved from a shared Excel folder on your network that is backed up nightly. You can configure the default file open and save location for Excel 2003 and then specify a path to the location where you want files to be stored. The default path is the user’s My Documents folder. You can also specify a drive letter mapped to a server share or a UNC path. The paths you provide can use environment variables as well. For example, if you have defined home directories for your Active Directory user objects and you want to ensure that Excel files are always stored in a subfolder of the user’s home directory called Excel, you can enter a path such as this:

%homeshare%\excel

The %homeshare% variable is resolved to the UNC path where the user’s home directory resides when you open or save a file in Excel. If you want to prevent users from changing that path, such as might be the case in Terminal Server environments, you might want to disable the related option in policy. In this case, you would disable the Tools, Options, General option in Excel, as described in the "Preventing Users from Changing Office Configurations" section in this chapter.

Setting the Default Database Folder Location for Access 2003

To set the default database folder location for Access 2003, follow these steps:

  1. Double-click Default Database Folder under User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools | Options...\General.

  2. As shown in Figure 10-8, select Enabled and then enter the default path to use in the Default Database Folder field.

    Figure 10-8. Setting the default database folder location for Access 2003

  3. Click OK.

Setting the Default File Location for Excel 2003

To set the default file location for Excel 2003, follow these steps:

  1. Double-click Default File Location policy under User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools | Options...\General.

  2. Select Enabled and then enter the default path to use in the Default File Location field.

  3. Click OK.

Setting Default Folder Locations for OneNote 2003

To set the default My Notebook folder location for OneNote 2003, follow these steps:

  1. Double-click Location Of The My Notebook Folder under User Configuration\Administrative Templates\Microsoft Office OneNote 2003\Tools | Options\Open And Save.

  2. Select Enabled and then enter the default path to use in the Location Of The My Notebook Folder field.

  3. Click OK.

Note

You can also set default locations for e-mailed Notes, side notes, and backup folders. The related policies are in the User Configuration\Administrative Templates\Microsoft Office OneNote 2003\Tools | Options\Open And Save policy folder.

Setting Default Folder Locations for Publisher 2003

To set the default publication or picture location for Publisher 2003, follow these steps:

  1. Double-click Publication Location or Picture Location under User Configuration\Administrative Templates\Microsoft Office Publisher 2003\Default File Locations.

  2. Select Enabled and then enter the default publication path in the Publication Location field.

  3. Click OK.

Setting Default Folder Locations for Word 2003

To set the default document location for Word 2003, follow these steps:

  1. Double-click Documents under User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools | Options...\File Locations.

  2. Select Enabled and then enter the default publication path in the Documents field.

  3. Click OK.

Note

You can also set default locations for clipart and AutoRecover file saves. The related policies are in the User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools | Options...\File Locations policy folder.

Configuring Outlook Security Options

Because e-mail is prone to containing content that might be harmful to your environment, it’s important that the e-mail applications your users run are secured from the most common types of problems. The first and most important step you can take is to prevent your users from modifying Outlook attachment security, which controls which attachment types are visible. You can enforce this setting by enabling Prevent Users From Customizing Attachment Security Settings under User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools | Options\Security. In addition, you can prevent users from creating exceptions to the list of extensions that are covered by Outlook attachment security by disabling Allow Access To E-mail Attachments under User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools | Options...\Security.

You might also want to disable access to Tools, Options, Security in the Outlook interface. To do this, you will need to create a custom disable policy as shown here:

  1. Access User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Disable Items In User Interface\Custom.

  2. Double-click Disable Command Bar Buttons And Menu Items. In the Properties dialog box, select Enabled and then click Show.

  3. Click Add. In the Add Item dialog box, enter the menu item ID for the Tools, Options menu, which is 522.

  4. Click OK twice.

Controlling Office Language Settings

If you support a worldwide environment with users running many different language versions of Windows and Office, it might be useful to be able to control which language Office applications start in, depending on where the user is located. For example, you could create a site-linked GPO that sets one language when the user is in the United States and another when she is visiting France. Assuming the user has the appropriate language packs for Office installed on her computer, she will get the appropriate language version as she moves around.

You can set global language settings for Office by completing the following steps:

  1. In the site-linked GPO, access User Configuration\Administrative Templates\Microsoft Office 2003\Language Settings\User Interface.

  2. Double-click Display Menus And Dialog Boxes In. In the Properties dialog box, select Enabled, use the list provided to choose the language to use, and then click OK. The default (same as the system) is to use whatever language Windows is currently running.

  3. Double-click Display Help In. In the Properties dialog box, select Enabled, use the list provided to choose the language to use, and then click OK.

Troubleshooting Office Administrative Template Policy

In most cases, if you’ve configured Office-related policy in a GPO and linked the GPO appropriately, the settings are delivered to and processed by clients as expected. If you find that Office isn’t configured as expected, you can troubleshoot to try to determine where the breakdown is occurring.

Follow these general troubleshooting steps:

  1. Start by running the Group Policy Results Wizard against the user and computer that is having problems. See "Determine the Effective Group Policy Settings and Last Refresh" in Chapter 3 for details.

  2. As shown in Figure 10-9, under User Configuration\Administrative Templates, you’ll see results that tell you whether Office policy is being applied.

    Figure 10-9. Using the Group Policy Results Wizard to determine whether Office Policy is being delivered

  3. If you discover that the policy is not being applied, check the following:

    • Make sure the GPO is properly linked

    • Make sure the GPO doesn’t have security or WMI filtering that is preventing the user or computer from processing it

    • Make sure the GPO isn’t being blocked by a conflicting policy setting with higher precedence

  4. If the wizard shows that the policy is being applied, but Office isn’t configured as expected, there might be a problem with how the application is reading the related policy. Check to ensure the policy is set as expected for the specific version of Office being used. For example, you might have configured a policy for Office XP but not for Office 2003, which is being used.

Note

Certain policy options that appear in the Office 2003 Administrative Template files don’t always work as expected. This is primarily due to changes in the way features are implemented in Office applications from version to version and the Administrative Template files not keeping up with those changes. For example, there is an Outlook policy to prevent a user’s signature from being included in new messages as well as replies and forwards. This policy is found under User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools | Options...\Mail Format\Signature. However, in Office 2003 signatures are stored per e-mail account, and if you set this policy, Outlook simply ignores it because the value is now stored in a different location in the registry. These kinds of issues are often found in the Microsoft Knowledge Base (http://support.microsoft.com). You can save yourself a lot of time by searching there first if you discover a situation like this.

Tip

If everything seems to be configured correctly, you can check the registry to confirm that the related registry value is set as expected. If it’s a per-user policy, changes are made to the HKEY_CURRENT_USER hive of the registry; otherwise, changes for computer policies are made to HKEY_LOCAL_MACHINE. One way you can find out which key and value a particular policy is setting is by looking at the Office 2003 Group Policies spreadsheet included in the Office 2003 Resource Kit Service Pack 1. If a value is not being set, there might be problems with registry permissions. Or if it’s in a user’s profile (HKEY_CURRENT_USER), corruption issues might be preventing proper writing of those values. In this case, creating a new temporary profile for the user can confirm whether this is the problem.
