Updated: 2008-10-02

In this article:

In a Windows-based network, administrators can use Group Policy settings to help control how users work with the 2007 Microsoft Office system. Administrators can use Group Policy settings to define and maintain an Office configuration on users' computers. Unlike other customizations — for example, default settings distributed in a Setup customization file — policy settings are enforced and can be used to create highly managed or lightly managed configurations.

You can use the 2007 Office system policy settings to:

You can set policy settings that apply to the local computer and every user of that computer, or that apply only to individual users. Per-computer policy settings are set under the Computer Configuration node of the Group Policy Object Editor Microsoft Management Console (MMC) snap-in and are applied the first time any user logs on to the network from that computer. Per-user policy settings are set under the User Configuration node and are applied when the specified user logs on to the network from any computer. Group Policy is also applied periodically in the background after it is initially processed at startup and logon.

For detailed information about Group Policy infrastructure, see Group Policy Technical Reference on the Microsoft TechNet site.

ImportantImportant:

Before you implement Group Policy, you must have a good understanding of Active Directory infrastructure and Group Policy concepts. You must carefully plan and design your Group Policy solution based on your organization's business and security requirements, and you must fully test your solution in a non-production environment before you deploy the solution to users and computers.

If you have not already deployed Active Directory and Group Policy in your organization, the following resources provide information about deployment of these technologies:

For detailed information about Group Policy deployment, see Designing a Group Policy Infrastructure and Staging Group Policy Deployments in the Designing a Managed Environment book of the Windows Server 2003 Deployment Kit on the Microsoft TechNet Web site.

For information about Active Directory deployment, see Designing and Deploying Directory and Security Services on the Microsoft TechNet Web site.

Active Directory and Group Policy

Active Directory directory service is the distributed directory service that is included with Microsoft® Windows Server 2003 and Microsoft Windows 2000 Server operating systems. Active Directory stores information about objects on a network and makes this information available to users and network administrators.

Group Policy is an infrastructure that enables administrators to implement specific computing configurations for groups of users and computers. Policy settings can also be applied to member servers and domain controllers within the scope of an Active Directory forest.

Group Policy settings are contained in Group Policy objects (GPOs), which are linked to selected Active Directory containers: sites, domains, or organizational units (OUs). The settings within GPOs are evaluated by the affected targets, using the hierarchical nature of Active Directory.

To configure Group Policy settings in GPOs, administrators use the Group Policy Object Editor Microsoft Management Console (MMC) snap-in from the Group Policy Management Console snap-in. Administrators can use Group Policy to specify configurations for a wide range of areas, such as Administrative Templates (registry-based policies), security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance.

The 2007 Office system policy settings are contained in Administrative Template files (.adm and ADMX files). For more information about Administrative Templates, see the 2007 Office system Administrative Template Files section.

Group Policy settings for the 2007 Office system

Administrators can use policy settings for the 2007 Office system applications to manage most options that configure the Office user interface, including:

  • Menu commands and their corresponding toolbar buttons

  • Shortcut keys

  • Most options in the Options dialog box

The 2007 Office system Administrative Template files (.adm files) also include policy settings that help you control the way in which Windows Installer functions.

Each Office policy setting represents an option or feature in a 2007 Office system application. Each policy setting also corresponds to one or more value entries in the Windows registry. All policy setting information is stored in the same area of the registry.

For example, all user-specific policy settings are stored in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0 sub-key, which mirrors most of the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 sub-keys. Computer-specific policies are stored in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0 sub-key. By default, both policy sub-keys are locked to prevent users from accessing them.

Group Policy settings can have one of three states:

  • Not configured—The policy setting is not enforced.

  • Enabled—The policy setting is activated. Additional settings appear in the dialog box for some policy settings. These settings determine what happens when the policy setting is enforced.

  • Disabled—For most policy settings, Disabled enforces the opposite behavior as the Enabled state. For example, if Enabled forces a feature's state to Off, Disabled forces the feature's state to On.

2007 Office system Administrative Template files

To set policy settings for the 2007 Office system applications, you use the Group Policy Object Editor snap-in and load the 2007 Office system Administrative Template files into the GPO you want to deploy. You then configure the policy settings you want to manage. You can add several .adm files and set the entire configuration of a computer at one time.

You can download the Administrative Template files for the 2007 Office system from 2007 Office system Administrative Templates (ADM) in the Microsoft Download Center. You can also download the 2007 Microsoft Office system Open XML Format converters Administrative Template (ADM) file from the Microsoft Download Center. Administrators can use this template to modify the default behavior for the Microsoft Office Word, Excel, and PowerPoint 2007 Open XML Format converters.

For information about modifying Microsoft Office 2003 and Microsoft Office XP Administrative Template files to set default File Save As options to include the Open XML Formats of the 2007 Microsoft Office programs, refer to KB article 932127, How to modify an existing Office policy file (ADM file) for Office 2003 and for Office XP to set the Save As default file format to include the new OpenXML file formats of the 2007 Microsoft Office programs on the Microsoft Support Knowledge Base (KB) Web site.

NoteNote:

In Windows Vista and Windows Server 2008 operating systems, .adm files are replaced by ADMX files, which use an XML-based file format to display registry-based policy settings. For more information about ADMX files in Windows Vista and Windows Server 2008, see Managing Group Policy ADMX Files Step-by-Step Guide, Requirements for Editing Group Policy Objects Using ADMX Files, and Scenario 2: Editing Domain-Based GPOs Using ADMX Files on the Microsoft TechNet Web site.

The policy settings contained in the Office 2007 ADM and ADMX files are the same.

The following Administrative Template files are available for the 2007 Office system:

ADM file Application

office12.adm

shared Office components

access12.adm

Microsoft Office Access 2007

cpao12.adm

Calendar Printing Assistant for Microsoft Office Outlook 2007

excel12.adm

Microsoft Office Excel 2007

groove12.adm

Microsoft Office Groove 2007

ic12.adm

Microsoft Office InterConnect 2007

inf12.adm

Microsoft Office InfoPath 2007

onent12.adm

Microsoft Office OneNote 2007

outlk12.adm

Microsoft Office Outlook 2007

ppt12.adm

Microsoft Office PowerPoint 2007

proj12.adm

Microsoft Office Project 2007

pub12.adm

Microsoft Office Publisher 2007

spd12.adm

Microsoft Office SharePoint Designer 2007

visio12.adm

Microsoft Office Visio 2007

word12.adm

Microsoft Office Word 2007

The policy settings in the Administrative Template files are organized in a hierarchy that, in general, follows the user interface. Application-specific settings appear in the individual templates. The policy settings for some settings that appear in multiple applications are consolidated in the Office12.adm template. For example, customizations to the Office File Open dialog box are made in the Office12.adm template.

NoteNote:

Because policy settings are stored in a different area of the registry for each release of Office, you cannot use the Administrative Template files from a previous version. You must use the Administrative Template files for the 2007 Office system to configure policy settings for the 2007 Office system.

Preventing policy setting conflicts between Office 2003 and the 2007 Office system

Policy setting information for Office 2003 and for the 2007 Office system is stored in separate locations in the Windows registry.

Policy settings for Office 2003 are in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0 subkey for user-specific policy settings, and in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\11.0 subkey for computer-specific policy settings.

Policy settings for the 2007 Office system are in HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0 subkey for user-specific policy settings, and in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0 subkey for computer-specific policy settings.

However, there are a few policy settings for Office 2003 and Office 2007 that have the same name and function for which the policy setting information is stored in the identical registry subkey, regardless of Office version. For these policy settings, if you had previously configured the Office 2003 versions, you must set those policy settings to their Not Configured state before you remove the previous Office 2003 ADM files and load the 2007 Office system ADM files. This removes the registry key information for the policy setting from the registry. The reason for this is that if an .adm file is removed, the settings that correspond to the .adm file do not appear in Group Policy Object Editor; however, the policy settings that are configured from the .adm file remain in the Registry.pol file and continue to apply to the appropriate target client or user.

These policy settings are listed in the following table.

Application Policy setting name Location in Group Policy Object Editor console tree Registry key location

Office Excel

Connection File Locations

Microsoft Office Excel <version>\Data Access Security

Software\Policies\Microsoft\Office\Common\Server Links\Published

Office Groove

Groove Account Configuration Code Required

Microsoft Office Groove <version>

Software\Policies\Microsoft\Office\Groove

Office Groove

Groove Manager Server Name

Microsoft Office Groove <version>\Groove Manager

Software\Policies\Microsoft\Office\Groove\Manager

Office System

Graphics filter import

Microsoft Office <version> system <computer_name>\Security Settings

Software\Policies\Microsoft\Office\Common\Security\AllowLists\GraphicsFilterImport

Office System

Restrict ActiveX Install

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL

Office System

Restrict File Download

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD

Office System

Add-on Management

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT

Office System

Local Machine Zone Lockdown Security

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

Office System

Consistent Mime Handling

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

Office System

Mime Sniffing Safety Feature

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING

Office System

Object Caching Protection

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING

Office System

Scripted Window Security Restrictions

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS

Office System

Protection From Zone Elevation

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION

Office System

Information Bar

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND

Office System

Disable user name and password

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Office System

Bind to object

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

Office System

Saved from URL

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

Office System

Navigate URL

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

Office System

Block popups

Microsoft Office <version> system <computer_name>\Security Settings\IE Security

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

Office System

Graphic filter legacy mode

Microsoft Office <version> system <computer_name>\Miscellaneous

Software\Policies\Microsoft\Shared Tools\Graphics Filters

Office System

More Smart Tags URL

Microsoft Office <version> system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint, Access)\Smart Tags

Software\Policies\Microsoft\Office\Common\Smart Tag

Office System

Check for new actions URL

Microsoft Office <version> system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint, Access)\Smart Tags

Software\Policies\Microsoft\Office\Common\Smart Tag

Office System

Flag Repeated Words

Microsoft Office <version> system\ Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office System

Ignore words in UPPERCASE

Microsoft Office <version> system\ Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office System

Ignore words with numbers

Microsoft Office <version> system\ Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office System

Ignore Internet and file addresses

Microsoft Office <version> system\ Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office System

Suggest from main dictionary only

Microsoft Office <version> system\ Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office System

German: Use post-reform rules

Microsoft Office <version> system\ Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\Spelling

Office System

Allow accented uppercase in French

Microsoft Office <version> system\Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office System

French Language Options

Microsoft Office <version> system\Tools | Options | Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office System

ActiveX Control Initialization

Microsoft Office <version> system\Security Settings

Software\Policies\Microsoft\Office\Common\Security

Office System

Load Controls in Forms 3

Microsoft Office <version> system\Security Settings

Software\Policies\Microsoft\VBA\Security

Office System

Automation Security

Microsoft Office <version> system\Security Settings

Software\Policies\Microsoft\Office\Common\Security

Office System

Prevent Word and Excel from loading managed code extensions

Microsoft Office <version> system\Security Settings

Software\Policies\Microsoft\Office\Common\Smart Tag

Office System

Disable All ActiveX

Microsoft Office <version> system\Security Settings

Software\Policies\Microsoft\Office\Common\Security

Office System

Disable Smart Document's use of manifests

Microsoft Office <version> system\ Smart Documents (Word, Excel)

Software\Policies\Microsoft\Office\Common\Smart Tag

Office System

Completely disable the Smart Documents feature in Word and Excel

Microsoft Office <version> system\ Smart Documents (Word, Excel)

Software\Policies\Microsoft\Office\Common\Smart Tag

Office System

Disable Office Diagnostics

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Check For Solutions

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Compatibility Diagnostic

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Disk Diagnostic

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Memory Diagnostic

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Setup Diagnostic

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Update Diagnostic

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Help Desk Web Address

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Office Sessions Logging

Microsoft Office <version> system\Office Diagnostics

Software\Policies\Microsoft\Office\Common\OffDiag

Office System

Disable Japanese IME Misconversion Logging

Microsoft Office <version> system\IME (Japanese)

Software\Policies\Microsoft\TipShared\4.0\CustomerFeedback\1041

Office System

Workflow Cache 1

Microsoft Office <version> system\Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow1

Office System

Workflow Cache 2

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow2

Office System

Workflow Cache 3

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow3

Office System

Workflow Cache 4

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow4

Office System

Workflow Cache 5

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow5

Office System

Workflow Cache 6

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow6

Office System

Workflow Cache 7

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow7

Office System

Workflow Cache 8

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow8

Office System

Workflow Cache 9

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow9

Office System

Workflow Cache 10

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow10

Office System

Workflow Cache 11

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow11

Office System

Workflow Cache 12

Microsoft Office <version> system \Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow12

Office System

Workflow Cache 13

Microsoft Office <version> system\Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow13

Office System

Workflow Cache 14

Microsoft Office <version> system\Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow14

Office System

Workflow Cache 15

Microsoft Office <version> system\Miscellaneous\Workflow Cache

Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow15

Office System

Control Blogging

Microsoft Office <version> system\Miscellaneous

Software\Policies\Microsoft\Office\Common\Blog

Office System

Enable Workflows on My Site

Microsoft Office <version> system\Miscellaneous

Software\Policies\Microsoft\Office\Common\Workflow\Home

Office System

Home Workflow Library

Microsoft Office <version> system\Miscellaneous

Software\Policies\Microsoft\Office\Common\Workflow\Home

Office System

Web Folders: Managing pairs of Web pages and folders

Microsoft Office <version> system\Miscellaneous

Software\Policies\Microsoft\Windows\CurrentVersion\Explorer

Office System

Block updates from the Office Update Site from applying

Microsoft Office <version> system\Miscellaneous

Software\Policies\Microsoft\Office\Common\OfficeUpdate

Office OneNote

OneNote Spelling Options

Microsoft Office OneNote <version>\Tools | Options…\Spelling

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office Outlook

Do not record listed Outlook items in Journal

Microsoft Office Outlook <version>\Tools | Options…\Preferences

Software\Policies\Microsoft\Shared Tools\Outlook\Journaling

Office Outlook

Automatically journal these items

Microsoft Office Outlook <version>\Tools | Options…\Preferences

Software\Policies\Microsoft\Shared Tools\Outlook\Journaling

Office Outlook

S/MIME password settings

Microsoft Office Outlook <version>\Security\Cryptography

Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0

Office Outlook

Display option for downloading OAB changes since last Send/Receive

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Offline Address Book: Limit number of full OAB downloads

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Offline Address Book: Limit number of incremental OAB downloads

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Offline Address Book: Limit manual OAB downloads

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Offline Address Book: Prompt before Downloading Full OAB

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Use only OABv4

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Return e-mail alias if it exactly matches the provided e-mail address when searching OAB

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Maximum wait time for Offline Address Book downloads

Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book

Software\Policies\Microsoft\Exchange\Exchange Provider

Office Outlook

Define custom label for SharePoint store

Microsoft Office Outlook <version>\Tools | Account Settings\SharePoint Lists

Software\Policies\Microsoft\Office\Common\Offline\Options

Office PowerPoint

Use contextual spelling

Microsoft Office PowerPoint <version>\PowerPoint Options\Proofing

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office Word

Enable Context Sensitive Spelling for Word

Microsoft Office Word <version>\Word Options\Proofing

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office Word

Check spelling as you type

Microsoft Office Word <version>\Word Options\Proofing

Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office

Office Word

Mark grammar errors as you type\Color for marking grammatical errors

Microsoft Office Word <version>\Word Options\Proofing

Software\Policies\Microsoft\Shared Tools\Proofing Tools

Office Word

Mark formatting inconsistencies\Color for marking inconsistencies

Microsoft Office Word <version>\Word Options\Advanced\Smart Cut and Paste

Software\Policies\Microsoft\Shared Tools\Proofing Tools

Office Word

Translation direction

Microsoft Office Word <version>\Tools | Language\Chinese Translation…

Software\Policies\Microsoft\Shared Tools\Proofing Tools\TCSC Translator

Office Word

Use Taiwan, Hong Kong SAR and Macao SAR character variants

Microsoft Office Word <version>\Tools | Language\Chinese Translation…

Software\Policies\Microsoft\Shared Tools\Proofing Tools\TCSC Translator

Office Word

Translate common terms

Microsoft Office Word <version>\Tools | Language\Chinese Translation…

Software\Policies\Microsoft\Shared Tools\Proofing Tools\TCSC Translator

Group Policy management tools

Administrators use the following tools to manage Group Policy:

  • Group Policy Management Console (GPMC) MMC snap-in is used for most Group Policy management tasks.

  • Group Policy Object Editor MMC snap-in for configuring and editing policy settings in GPOs. In a domain environment, administrators can edit GPOs from GPMC, which invokes Group Policy Object Editor.

Group Policy Management Console

GPMC is an MMC snap-in that is used for managing most aspects of Group Policy: scoping, delegating, filtering, and manipulating inheritance of GPOs; and backing up (export), restoring, importing, and copying GPOs. GPMC also invokes Group Policy Object Editor to edit policy settings in GPOs in domain-based environments.

GPMC is the preferred tool for Group Policy management in a domain environment.

Resultant Set of Policy (RSoP) is a feature of Group Policy that makes implementation, troubleshooting, and planning of Group Policy easier. GPMC includes two RSoP capabilities that are provided by Windows:

  • Group Policy Results: Represents the actual policy data that is applied to a computer and user. Data is obtained by querying the target computer and retrieving the RSoP data that was applied to that computer. The Group Policy Results capability is provided by the client operating system and requires Windows XP, Windows Server 2003, or later versions of the operating system.

  • Group Policy Modeling: Simulates what policy settings are applied under circumstances specified by an administrator. Administrators can use Group Policy Modeling to simulate the RSoP data that would be applied for an existing configuration, or they can analyze the effects of simulated, hypothetical changes to their directory environment. Group Policy Modeling requires that you have at least one domain controller running Windows Server 2003, because this simulation is performed by a service running on a domain controller that is running Windows Server 2003.

NoteNote:

GPMC was provided as a separate download component for Microsoft Windows® Server 2003 and Windows XP. To download GPMC, see Download Group Policy Management Console (GPMC). In Windows Vista and Windows Server 2008, GPMC is integrated into the operating system.

Group Policy Object Editor

Group Policy Object Editor is an MMC snap-in that is used to configure policy settings within a GPO. On computers running Windows 2000, Windows XP with the Windows Server 2003 Administration Tools Pack installed, and Windows Server 2003, the Group Policy Object Editor can be accessed from the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. Group Policy Object Editor operates as an extension to these Active Directory management tools.

If administrators edit a GPO from within GPMC, Group Policy Object Editor displays and shows the settings for that specific GPO.

To configure Group Policy settings for a local computer that is not a member of a domain, use Group Policy Object Editor to manage local GPOs.

Group Policy object permissions in Group Policy Management Console

GPMC manages GPO permissions as a single unit and displays the security filtering for the GPO on the GPO Scope tab. Administrators can use GPMC to add and remove groups, users, and computers to be used as security filters for each GPO. The security principals used for security filtering are listed on the Delegation tab for a GPO as having Read (from Security Filtering) permission, because they have read access to the GPO.

There are five permission options on GPOs in the GPMC user interface. Each option corresponds to a set of individual Windows NT permissions in Access Control List (ACL) Editor. The ACL Editor sets access control policy for Active Directory and Windows objects. The following table summarizes the correspondence.

GPMC user interface option Corresponding permission in ACL Editor

Read

Allow Read access on the GPO

Edit settings

Allow Read, Write, Create Child Objects, and Delete Child Objects

Edit, delete, and modify security

Allow Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner. This grants full control on the GPO, except that the Apply Group Policy permission is not set.

Read (from Security Filtering)

This setting cannot be set directly, but appears on the delegation tab if the user has Read and Apply Group Policy permissions to the GPO.

Custom

Any other combination of permissions, including the use of Deny, displays as Custom. GPMC can only set custom permission sets by clicking the Advanced button and opening the ACL Editor.

GPO creation privileges are required to create a GPO. By default, only domain administrators, enterprise administrators, and members of the Group Policy creator owners group can create GPOs.

Edit permissions for the GPO that you want to edit are required to edit a GPO.

Edit, delete, and modify security permissions for the GPO are required to delete a GPO.

Permissions on a GPO are managed from the Delegation tab of that GPO. For step-by-step instructions, see Delegate Group Policy tasks on the Microsoft TechNet Web site.

Using Group Policy Management Console and Group Policy Object Editor

GPMC is used for managing Group Policy tasks in a domain environment. GPMC invokes Group Policy Editor, which is used to configure policy settings within GPOs.

After you set up an Active Directory and Group Policy infrastructure in your organization, you use Group Policy Object Editor from GPMC to set Office policy settings from the Office .adm files. After you set policy settings for a GPO and link that GPO to a site, domain, or organizational unit, the operating system enforces the policy settings.

Use the following procedures to start GPMC and link GPOs in GPMC. Use Group Policy Object Editor from GPMC to create GPOs, edit GPOs, and load Administrative Template files.

NoteNote:

The following procedures assume you have already installed GPMC. You can download GPMC from the Microsoft Download Center site. See Download Group Policy Management Console (GPMC) for more information. If you are using Windows Vista, GPMC is integrated into the operating system.

Start Group Policy Management Console

  • Click Start, click Control Panel, click Administrative Tools, and click Group Policy Management.

Create a Group Policy object

  1. Open GPMC.

  2. In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a GPO. For example, navigate to Forest name, Domains, Domain name, Group Policy Objects.

  3. Click New.

  4. In the New GPO dialog box, specify a name for the new GPO and click OK.

Edit a Group Policy object

  1. Open GPMC.

  2. In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit. This is located in Forest name, Domains, Domain name, Group Policy Objects.

  3. Right-click the GPO you want to modify and click Edit. This opens Group Policy Object Editor. Edit settings as appropriate in the Group Policy Object Editor console.

    ImportantImportant:

    Administrative Templates policy settings provide Explain text, which you can view by clicking the Extended tab in the details pane (right side) of the Group Policy Object Editor console. You can also see this text by double-clicking a policy setting and clicking the Explain tab in the Properties dialog box for the policy setting. Explain text provides information about the policy setting.

    Avoid editing the default domain policy. If you want to apply Group Policy settings to the entire domain, create a new GPO, link the GPO to the domain, and create the settings in that GPO.

    The default domain policy and default domain controllers policy are critical to the health of any domain. Do not edit the Default Domain Controller Policy or the Default Domain Policy GPOs, except in the following cases:

    We recommend that you set account policy in the Default Domain Policy.

    If you install applications on domain controllers that require modifications to User Rights or Audit Policies, the modifications must be made in the Default Domain Controllers Policy.

    To edit the local GPO: open Group Policy Object Editor by clicking Start, then click Run, type gpedit.msc, and click OK.

Load Administrative Template files and set Office policy settings

  1. In Group Policy Object Editor, right-click Administrative Templates in the Computer Configuration or User Configuration node and select Add/Remove Templates. A list of the .adm files that are already added to the GPO is displayed.

  2. To add another adm file, click Add.

    A list of the .adm files in the %SystemRoot%\Inf folder of the local computer is displayed. You can also select an .adm file from another location.

  3. In the Policy Templates dialog box, browse to the 2007 Office system templates that you want to add. Click Open and click Close in the Add/Remove Templates dialog box.

  4. Double-click Computer Configuration or User Configuration and expand the tree under Administrative Templates to find the Office policy settings.

  5. In the details pane (in the right pane), double-click the folders and double-click a policy setting to open the Properties dialog box. Configure the Office policy settings you want to use and click OK.

    NoteNote:

    The Explain tab on the Properties page for the policy setting provides information about the setting.

  6. Save the GPO.

Link a Group Policy object

  1. Open Group Policy Management.

  2. In the console tree, locate the site, domain, or organizational unit to which you want to link a GPO. These are located under Forest name, Domains or Sites, or Site name, Domain name or organizational unit name.

  3. To link an existing GPO, right-click the domain or organizational unit within the domain and click Link an Existing GPO. In the Select GPO dialog box, click the GPO which you want to link and click OK.

    -or-

    To link a new GPO, right-click the domain or organizational unit within a domain and click Create and Link a GPO Here. In the Name box, type a name for the new GPO and click OK.

    NoteNote:

    To link an existing GPO to a site, domain, or organization unit, requires Link GPOs permission on that site, domain, or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this privilege for domains and organizational units, and only Enterprise Administrators and Domain Administrators of the forest root domain have this privilege for sites.

    To create and link a GPO requires Link GPOs permissions on the domain or organizational unit to which you want to link, and you must have permission to create GPOs in that domain. By default, only Domain Administrators, Enterprise Administrators, and Group Policy Creator owners have permission to create GPOs.

    The Create and Link a GPO Here option is not available for sites, because it is unclear in which domain to create the GPO. The user must first create a GPO in any domain in the forest, and then use the Link an Existing GPO option to link the GPO to the site.

For more detailed information about using GPMC, see Step-by-Step Guide to Using Group Policy Management Console and the online Help for Group Policy Management on the Microsoft TechNet Web site.

If you want to set the 2007 Office system policy settings for a local, non-domain joined computer, you can use gpedit.msc console to open Group Policy Object Editor as an MMC snap-in from the command line to edit the local GPO.

Open Group Policy Object Editor from the command line

  • Click Start, click Run, type gpedit.msc and click OK.

    NoteNote:

    To edit the local GPO on another computer (Computer1 in this example), type the following at the command prompt: gpedit.msc /gpcomputer:"Computer1"

For more information about setting Group Policy, see Step-by-Step Guide to Understanding the Group Policy Feature Set.

Download this book

This article is included in the following downloadable book for easier reading and printing:

See the full list of available books at Office Resource Kit information.

See Also