Updated: 2008-10-02
In this article:
-
Group Policy object permissions in Group Policy Management Console
-
Using Group Policy Management Console and Group Policy Object Editor
In a Windows-based network, administrators can use Group Policy settings to help control how users work with the 2007 Microsoft Office system. Administrators can use Group Policy settings to define and maintain an Office configuration on users' computers. Unlike other customizations — for example, default settings distributed in a Setup customization file — policy settings are enforced and can be used to create highly managed or lightly managed configurations.
You can use the 2007 Office system policy settings to:
-
Control entry points to the Internet from the 2007 Office system applications.
-
Manage security settings in the 2007 Office system applications.
-
Hide settings and options that are unnecessary for users to perform their jobs and that might distract users or result in unnecessary calls for support.
-
Create a highly managed standard configuration on users' computers.
You can set policy settings that apply to the local computer and every user of that computer, or that apply only to individual users. Per-computer policy settings are set under the Computer Configuration node of the Group Policy Object Editor Microsoft Management Console (MMC) snap-in and are applied the first time any user logs on to the network from that computer. Per-user policy settings are set under the User Configuration node and are applied when the specified user logs on to the network from any computer. Group Policy is also applied periodically in the background after it is initially processed at startup and logon.
For detailed information about Group Policy infrastructure, see Group Policy Technical Reference on the Microsoft TechNet site.
Important: |
---|
Before you implement Group Policy, you must have a good understanding of Active Directory infrastructure and Group Policy concepts. You must carefully plan and design your Group Policy solution based on your organization's business and security requirements, and you must fully test your solution in a non-production environment before you deploy the solution to users and computers. |
If you have not already deployed Active Directory and Group Policy in your organization, the following resources provide information about deployment of these technologies:
For detailed information about Group Policy deployment, see Designing a Group Policy Infrastructure and Staging Group Policy Deployments in the Designing a Managed Environment book of the Windows Server 2003 Deployment Kit on the Microsoft TechNet Web site.
For information about Active Directory deployment, see Designing and Deploying Directory and Security Services on the Microsoft TechNet Web site.
Active Directory and Group Policy
Active Directory directory service is the distributed directory service that is included with Microsoft® Windows Server 2003 and Microsoft Windows 2000 Server operating systems. Active Directory stores information about objects on a network and makes this information available to users and network administrators.
Group Policy is an infrastructure that enables administrators to implement specific computing configurations for groups of users and computers. Policy settings can also be applied to member servers and domain controllers within the scope of an Active Directory forest.
Group Policy settings are contained in Group Policy objects (GPOs), which are linked to selected Active Directory containers: sites, domains, or organizational units (OUs). The settings within GPOs are evaluated by the affected targets, using the hierarchical nature of Active Directory.
To configure Group Policy settings in GPOs, administrators use the Group Policy Object Editor Microsoft Management Console (MMC) snap-in from the Group Policy Management Console snap-in. Administrators can use Group Policy to specify configurations for a wide range of areas, such as Administrative Templates (registry-based policies), security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance.
The 2007 Office system policy settings are contained in Administrative Template files (.adm and ADMX files). For more information about Administrative Templates, see the 2007 Office system Administrative Template Files section.
Group Policy settings for the 2007 Office system
Administrators can use policy settings for the 2007 Office system applications to manage most options that configure the Office user interface, including:
-
Menu commands and their corresponding toolbar buttons
-
Shortcut keys
-
Most options in the Options dialog box
The 2007 Office system Administrative Template files (.adm files) also include policy settings that help you control the way in which Windows Installer functions.
Each Office policy setting represents an option or feature in a 2007 Office system application. Each policy setting also corresponds to one or more value entries in the Windows registry. All policy setting information is stored in the same area of the registry.
For example, all user-specific policy settings are stored in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0 sub-key, which mirrors most of the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 sub-keys. Computer-specific policies are stored in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0 sub-key. By default, both policy sub-keys are locked to prevent users from accessing them.
Group Policy settings can have one of three states:
-
Not configured—The policy setting is not enforced.
-
Enabled—The policy setting is activated. Additional settings appear in the dialog box for some policy settings. These settings determine what happens when the policy setting is enforced.
-
Disabled—For most policy settings, Disabled enforces the opposite behavior as the Enabled state. For example, if Enabled forces a feature's state to Off, Disabled forces the feature's state to On.
2007 Office system Administrative Template files
To set policy settings for the 2007 Office system applications, you use the Group Policy Object Editor snap-in and load the 2007 Office system Administrative Template files into the GPO you want to deploy. You then configure the policy settings you want to manage. You can add several .adm files and set the entire configuration of a computer at one time.
You can download the Administrative Template files for the 2007 Office system from 2007 Office system Administrative Templates (ADM) in the Microsoft Download Center. You can also download the 2007 Microsoft Office system Open XML Format converters Administrative Template (ADM) file from the Microsoft Download Center. Administrators can use this template to modify the default behavior for the Microsoft Office Word, Excel, and PowerPoint 2007 Open XML Format converters.
For information about modifying Microsoft Office 2003 and Microsoft Office XP Administrative Template files to set default File Save As options to include the Open XML Formats of the 2007 Microsoft Office programs, refer to KB article 932127, How to modify an existing Office policy file (ADM file) for Office 2003 and for Office XP to set the Save As default file format to include the new OpenXML file formats of the 2007 Microsoft Office programs on the Microsoft Support Knowledge Base (KB) Web site.
Note: |
---|
In Windows Vista and Windows Server 2008 operating systems, .adm files are replaced by ADMX files, which use an XML-based file format to display registry-based policy settings. For more information about ADMX files in Windows Vista and Windows Server 2008, see Managing Group Policy ADMX Files Step-by-Step Guide, Requirements for Editing Group Policy Objects Using ADMX Files, and Scenario 2: Editing Domain-Based GPOs Using ADMX Files on the Microsoft TechNet Web site. The policy settings contained in the Office 2007 ADM and ADMX files are the same. |
The following Administrative Template files are available for the 2007 Office system:
ADM file | Application |
---|---|
office12.adm |
shared Office components |
access12.adm |
Microsoft Office Access 2007 |
cpao12.adm |
Calendar Printing Assistant for Microsoft Office Outlook 2007 |
excel12.adm |
Microsoft Office Excel 2007 |
groove12.adm |
Microsoft Office Groove 2007 |
ic12.adm |
Microsoft Office InterConnect 2007 |
inf12.adm |
Microsoft Office InfoPath 2007 |
onent12.adm |
Microsoft Office OneNote 2007 |
outlk12.adm |
Microsoft Office Outlook 2007 |
ppt12.adm |
Microsoft Office PowerPoint 2007 |
proj12.adm |
Microsoft Office Project 2007 |
pub12.adm |
Microsoft Office Publisher 2007 |
spd12.adm |
Microsoft Office SharePoint Designer 2007 |
visio12.adm |
Microsoft Office Visio 2007 |
word12.adm |
Microsoft Office Word 2007 |
The policy settings in the Administrative Template files are organized in a hierarchy that, in general, follows the user interface. Application-specific settings appear in the individual templates. The policy settings for some settings that appear in multiple applications are consolidated in the Office12.adm template. For example, customizations to the Office File Open dialog box are made in the Office12.adm template.
Note: |
---|
Because policy settings are stored in a different area of the registry for each release of Office, you cannot use the Administrative Template files from a previous version. You must use the Administrative Template files for the 2007 Office system to configure policy settings for the 2007 Office system. |
Preventing policy setting conflicts between Office 2003 and the 2007 Office system
Policy setting information for Office 2003 and for the 2007 Office system is stored in separate locations in the Windows registry.
Policy settings for Office 2003 are in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0 subkey for user-specific policy settings, and in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\11.0 subkey for computer-specific policy settings.
Policy settings for the 2007 Office system are in HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0 subkey for user-specific policy settings, and in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0 subkey for computer-specific policy settings.
However, there are a few policy settings for Office 2003 and Office 2007 that have the same name and function for which the policy setting information is stored in the identical registry subkey, regardless of Office version. For these policy settings, if you had previously configured the Office 2003 versions, you must set those policy settings to their Not Configured state before you remove the previous Office 2003 ADM files and load the 2007 Office system ADM files. This removes the registry key information for the policy setting from the registry. The reason for this is that if an .adm file is removed, the settings that correspond to the .adm file do not appear in Group Policy Object Editor; however, the policy settings that are configured from the .adm file remain in the Registry.pol file and continue to apply to the appropriate target client or user.
These policy settings are listed in the following table.
Application | Policy setting name | Location in Group Policy Object Editor console tree | Registry key location |
---|---|---|---|
Office Excel |
Connection File Locations |
Microsoft Office Excel <version>\Data Access Security |
Software\Policies\Microsoft\Office\Common\Server Links\Published |
Office Groove |
Groove Account Configuration Code Required |
Microsoft Office Groove <version> |
Software\Policies\Microsoft\Office\Groove |
Office Groove |
Groove Manager Server Name |
Microsoft Office Groove <version>\Groove Manager |
Software\Policies\Microsoft\Office\Groove\Manager |
Office System |
Graphics filter import |
Microsoft Office <version> system <computer_name>\Security Settings |
Software\Policies\Microsoft\Office\Common\Security\AllowLists\GraphicsFilterImport |
Office System |
Restrict ActiveX Install |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL |
Office System |
Restrict File Download |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD |
Office System |
Add-on Management |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT |
Office System |
Local Machine Zone Lockdown Security |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN |
Office System |
Consistent Mime Handling |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING |
Office System |
Mime Sniffing Safety Feature |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING |
Office System |
Object Caching Protection |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING |
Office System |
Scripted Window Security Restrictions |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS |
Office System |
Protection From Zone Elevation |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION |
Office System |
Information Bar |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND |
Office System |
Disable user name and password |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE |
Office System |
Bind to object |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT |
Office System |
Saved from URL |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK |
Office System |
Navigate URL |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL |
Office System |
Block popups |
Microsoft Office <version> system <computer_name>\Security Settings\IE Security |
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT |
Office System |
Graphic filter legacy mode |
Microsoft Office <version> system <computer_name>\Miscellaneous |
Software\Policies\Microsoft\Shared Tools\Graphics Filters |
Office System |
More Smart Tags URL |
Microsoft Office <version> system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint, Access)\Smart Tags |
Software\Policies\Microsoft\Office\Common\Smart Tag |
Office System |
Check for new actions URL |
Microsoft Office <version> system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint, Access)\Smart Tags |
Software\Policies\Microsoft\Office\Common\Smart Tag |
Office System |
Flag Repeated Words |
Microsoft Office <version> system\ Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office System |
Ignore words in UPPERCASE |
Microsoft Office <version> system\ Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office System |
Ignore words with numbers |
Microsoft Office <version> system\ Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office System |
Ignore Internet and file addresses |
Microsoft Office <version> system\ Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office System |
Suggest from main dictionary only |
Microsoft Office <version> system\ Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office System |
German: Use post-reform rules |
Microsoft Office <version> system\ Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\Spelling |
Office System |
Allow accented uppercase in French |
Microsoft Office <version> system\Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office System |
French Language Options |
Microsoft Office <version> system\Tools | Options | Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office System |
ActiveX Control Initialization |
Microsoft Office <version> system\Security Settings |
Software\Policies\Microsoft\Office\Common\Security |
Office System |
Load Controls in Forms 3 |
Microsoft Office <version> system\Security Settings |
Software\Policies\Microsoft\VBA\Security |
Office System |
Automation Security |
Microsoft Office <version> system\Security Settings |
Software\Policies\Microsoft\Office\Common\Security |
Office System |
Prevent Word and Excel from loading managed code extensions |
Microsoft Office <version> system\Security Settings |
Software\Policies\Microsoft\Office\Common\Smart Tag |
Office System |
Disable All ActiveX |
Microsoft Office <version> system\Security Settings |
Software\Policies\Microsoft\Office\Common\Security |
Office System |
Disable Smart Document's use of manifests |
Microsoft Office <version> system\ Smart Documents (Word, Excel) |
Software\Policies\Microsoft\Office\Common\Smart Tag |
Office System |
Completely disable the Smart Documents feature in Word and Excel |
Microsoft Office <version> system\ Smart Documents (Word, Excel) |
Software\Policies\Microsoft\Office\Common\Smart Tag |
Office System |
Disable Office Diagnostics |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Check For Solutions |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Compatibility Diagnostic |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Disk Diagnostic |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Memory Diagnostic |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Setup Diagnostic |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Update Diagnostic |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Help Desk Web Address |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Office Sessions Logging |
Microsoft Office <version> system\Office Diagnostics |
Software\Policies\Microsoft\Office\Common\OffDiag |
Office System |
Disable Japanese IME Misconversion Logging |
Microsoft Office <version> system\IME (Japanese) |
Software\Policies\Microsoft\TipShared\4.0\CustomerFeedback\1041 |
Office System |
Workflow Cache 1 |
Microsoft Office <version> system\Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow1 |
Office System |
Workflow Cache 2 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow2 |
Office System |
Workflow Cache 3 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow3 |
Office System |
Workflow Cache 4 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow4 |
Office System |
Workflow Cache 5 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow5 |
Office System |
Workflow Cache 6 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow6 |
Office System |
Workflow Cache 7 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow7 |
Office System |
Workflow Cache 8 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow8 |
Office System |
Workflow Cache 9 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow9 |
Office System |
Workflow Cache 10 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow10 |
Office System |
Workflow Cache 11 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow11 |
Office System |
Workflow Cache 12 |
Microsoft Office <version> system \Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow12 |
Office System |
Workflow Cache 13 |
Microsoft Office <version> system\Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow13 |
Office System |
Workflow Cache 14 |
Microsoft Office <version> system\Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow14 |
Office System |
Workflow Cache 15 |
Microsoft Office <version> system\Miscellaneous\Workflow Cache |
Software\Policies\Microsoft\Office\Common\Workflow\Cache\Workflow15 |
Office System |
Control Blogging |
Microsoft Office <version> system\Miscellaneous |
Software\Policies\Microsoft\Office\Common\Blog |
Office System |
Enable Workflows on My Site |
Microsoft Office <version> system\Miscellaneous |
Software\Policies\Microsoft\Office\Common\Workflow\Home |
Office System |
Home Workflow Library |
Microsoft Office <version> system\Miscellaneous |
Software\Policies\Microsoft\Office\Common\Workflow\Home |
Office System |
Web Folders: Managing pairs of Web pages and folders |
Microsoft Office <version> system\Miscellaneous |
Software\Policies\Microsoft\Windows\CurrentVersion\Explorer |
Office System |
Block updates from the Office Update Site from applying |
Microsoft Office <version> system\Miscellaneous |
Software\Policies\Microsoft\Office\Common\OfficeUpdate |
Office OneNote |
OneNote Spelling Options |
Microsoft Office OneNote <version>\Tools | Options…\Spelling |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office Outlook |
Do not record listed Outlook items in Journal |
Microsoft Office Outlook <version>\Tools | Options…\Preferences |
Software\Policies\Microsoft\Shared Tools\Outlook\Journaling |
Office Outlook |
Automatically journal these items |
Microsoft Office Outlook <version>\Tools | Options…\Preferences |
Software\Policies\Microsoft\Shared Tools\Outlook\Journaling |
Office Outlook |
S/MIME password settings |
Microsoft Office Outlook <version>\Security\Cryptography |
Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0 |
Office Outlook |
Display option for downloading OAB changes since last Send/Receive |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Offline Address Book: Limit number of full OAB downloads |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Offline Address Book: Limit number of incremental OAB downloads |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Offline Address Book: Limit manual OAB downloads |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Offline Address Book: Prompt before Downloading Full OAB |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Use only OABv4 |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Return e-mail alias if it exactly matches the provided e-mail address when searching OAB |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Maximum wait time for Offline Address Book downloads |
Microsoft Office Outlook <version>\Tools | Account Settings\Exchange\Offline Address Book |
Software\Policies\Microsoft\Exchange\Exchange Provider |
Office Outlook |
Define custom label for SharePoint store |
Microsoft Office Outlook <version>\Tools | Account Settings\SharePoint Lists |
Software\Policies\Microsoft\Office\Common\Offline\Options |
Office PowerPoint |
Use contextual spelling |
Microsoft Office PowerPoint <version>\PowerPoint Options\Proofing |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office Word |
Enable Context Sensitive Spelling for Word |
Microsoft Office Word <version>\Word Options\Proofing |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office Word |
Check spelling as you type |
Microsoft Office Word <version>\Word Options\Proofing |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\1.0\Office |
Office Word |
Mark grammar errors as you type\Color for marking grammatical errors |
Microsoft Office Word <version>\Word Options\Proofing |
Software\Policies\Microsoft\Shared Tools\Proofing Tools |
Office Word |
Mark formatting inconsistencies\Color for marking inconsistencies |
Microsoft Office Word <version>\Word Options\Advanced\Smart Cut and Paste |
Software\Policies\Microsoft\Shared Tools\Proofing Tools |
Office Word |
Translation direction |
Microsoft Office Word <version>\Tools | Language\Chinese Translation… |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\TCSC Translator |
Office Word |
Use Taiwan, Hong Kong SAR and Macao SAR character variants |
Microsoft Office Word <version>\Tools | Language\Chinese Translation… |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\TCSC Translator |
Office Word |
Translate common terms |
Microsoft Office Word <version>\Tools | Language\Chinese Translation… |
Software\Policies\Microsoft\Shared Tools\Proofing Tools\TCSC Translator |
Group Policy management tools
Administrators use the following tools to manage Group Policy:
-
Group Policy Management Console (GPMC) MMC snap-in is used for most Group Policy management tasks.
-
Group Policy Object Editor MMC snap-in for configuring and editing policy settings in GPOs. In a domain environment, administrators can edit GPOs from GPMC, which invokes Group Policy Object Editor.
Group Policy Management Console
GPMC is an MMC snap-in that is used for managing most aspects of Group Policy: scoping, delegating, filtering, and manipulating inheritance of GPOs; and backing up (export), restoring, importing, and copying GPOs. GPMC also invokes Group Policy Object Editor to edit policy settings in GPOs in domain-based environments.
GPMC is the preferred tool for Group Policy management in a domain environment.
Resultant Set of Policy (RSoP) is a feature of Group Policy that makes implementation, troubleshooting, and planning of Group Policy easier. GPMC includes two RSoP capabilities that are provided by Windows:
-
Group Policy Results: Represents the actual policy data that is applied to a computer and user. Data is obtained by querying the target computer and retrieving the RSoP data that was applied to that computer. The Group Policy Results capability is provided by the client operating system and requires Windows XP, Windows Server 2003, or later versions of the operating system.
-
Group Policy Modeling: Simulates what policy settings are applied under circumstances specified by an administrator. Administrators can use Group Policy Modeling to simulate the RSoP data that would be applied for an existing configuration, or they can analyze the effects of simulated, hypothetical changes to their directory environment. Group Policy Modeling requires that you have at least one domain controller running Windows Server 2003, because this simulation is performed by a service running on a domain controller that is running Windows Server 2003.
Note: |
---|
GPMC was provided as a separate download component for Microsoft Windows® Server 2003 and Windows XP. To download GPMC, see Download Group Policy Management Console (GPMC). In Windows Vista and Windows Server 2008, GPMC is integrated into the operating system. |
Group Policy Object Editor
Group Policy Object Editor is an MMC snap-in that is used to configure policy settings within a GPO. On computers running Windows 2000, Windows XP with the Windows Server 2003 Administration Tools Pack installed, and Windows Server 2003, the Group Policy Object Editor can be accessed from the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. Group Policy Object Editor operates as an extension to these Active Directory management tools.
If administrators edit a GPO from within GPMC, Group Policy Object Editor displays and shows the settings for that specific GPO.
To configure Group Policy settings for a local computer that is not a member of a domain, use Group Policy Object Editor to manage local GPOs.
Group Policy object permissions in Group Policy Management Console
GPMC manages GPO permissions as a single unit and displays the security filtering for the GPO on the GPO Scope tab. Administrators can use GPMC to add and remove groups, users, and computers to be used as security filters for each GPO. The security principals used for security filtering are listed on the Delegation tab for a GPO as having Read (from Security Filtering) permission, because they have read access to the GPO.
There are five permission options on GPOs in the GPMC user interface. Each option corresponds to a set of individual Windows NT permissions in Access Control List (ACL) Editor. The ACL Editor sets access control policy for Active Directory and Windows objects. The following table summarizes the correspondence.
GPMC user interface option | Corresponding permission in ACL Editor |
---|---|
Read |
Allow Read access on the GPO |
Edit settings |
Allow Read, Write, Create Child Objects, and Delete Child Objects |
Edit, delete, and modify security |
Allow Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner. This grants full control on the GPO, except that the Apply Group Policy permission is not set. |
Read (from Security Filtering) |
This setting cannot be set directly, but appears on the delegation tab if the user has Read and Apply Group Policy permissions to the GPO. |
Custom |
Any other combination of permissions, including the use of Deny, displays as Custom. GPMC can only set custom permission sets by clicking the Advanced button and opening the ACL Editor. |
GPO creation privileges are required to create a GPO. By default, only domain administrators, enterprise administrators, and members of the Group Policy creator owners group can create GPOs.
Edit permissions for the GPO that you want to edit are required to edit a GPO.
Edit, delete, and modify security permissions for the GPO are required to delete a GPO.
Permissions on a GPO are managed from the Delegation tab of that GPO. For step-by-step instructions, see Delegate Group Policy tasks on the Microsoft TechNet Web site.
Using Group Policy Management Console and Group Policy Object Editor
GPMC is used for managing Group Policy tasks in a domain environment. GPMC invokes Group Policy Editor, which is used to configure policy settings within GPOs.
After you set up an Active Directory and Group Policy infrastructure in your organization, you use Group Policy Object Editor from GPMC to set Office policy settings from the Office .adm files. After you set policy settings for a GPO and link that GPO to a site, domain, or organizational unit, the operating system enforces the policy settings.
Use the following procedures to start GPMC and link GPOs in GPMC. Use Group Policy Object Editor from GPMC to create GPOs, edit GPOs, and load Administrative Template files.
Note: |
---|
The following procedures assume you have already installed GPMC. You can download GPMC from the Microsoft Download Center site. See Download Group Policy Management Console (GPMC) for more information. If you are using Windows Vista, GPMC is integrated into the operating system. |
Start Group Policy Management Console
-
Click Start, click Control Panel, click Administrative Tools, and click Group Policy Management.
Create a Group Policy object
-
Open GPMC.
-
In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a GPO. For example, navigate to Forest name, Domains, Domain name, Group Policy Objects.
-
Click New.
-
In the New GPO dialog box, specify a name for the new GPO and click OK.
Edit a Group Policy object
-
Open GPMC.
-
In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit. This is located in Forest name, Domains, Domain name, Group Policy Objects.
-
Right-click the GPO you want to modify and click Edit. This opens Group Policy Object Editor. Edit settings as appropriate in the Group Policy Object Editor console.
Important: Administrative Templates policy settings provide Explain text, which you can view by clicking the Extended tab in the details pane (right side) of the Group Policy Object Editor console. You can also see this text by double-clicking a policy setting and clicking the Explain tab in the Properties dialog box for the policy setting. Explain text provides information about the policy setting.
Avoid editing the default domain policy. If you want to apply Group Policy settings to the entire domain, create a new GPO, link the GPO to the domain, and create the settings in that GPO.
The default domain policy and default domain controllers policy are critical to the health of any domain. Do not edit the Default Domain Controller Policy or the Default Domain Policy GPOs, except in the following cases:
We recommend that you set account policy in the Default Domain Policy.
If you install applications on domain controllers that require modifications to User Rights or Audit Policies, the modifications must be made in the Default Domain Controllers Policy.
To edit the local GPO: open Group Policy Object Editor by clicking Start, then click Run, type gpedit.msc, and click OK.
Load Administrative Template files and set Office policy settings
-
In Group Policy Object Editor, right-click Administrative Templates in the Computer Configuration or User Configuration node and select Add/Remove Templates. A list of the .adm files that are already added to the GPO is displayed.
-
To add another adm file, click Add.
A list of the .adm files in the %SystemRoot%\Inf folder of the local computer is displayed. You can also select an .adm file from another location.
-
In the Policy Templates dialog box, browse to the 2007 Office system templates that you want to add. Click Open and click Close in the Add/Remove Templates dialog box.
-
Double-click Computer Configuration or User Configuration and expand the tree under Administrative Templates to find the Office policy settings.
-
In the details pane (in the right pane), double-click the folders and double-click a policy setting to open the Properties dialog box. Configure the Office policy settings you want to use and click OK.
Note: The Explain tab on the Properties page for the policy setting provides information about the setting.
-
Save the GPO.
Link a Group Policy object
-
Open Group Policy Management.
-
In the console tree, locate the site, domain, or organizational unit to which you want to link a GPO. These are located under Forest name, Domains or Sites, or Site name, Domain name or organizational unit name.
-
To link an existing GPO, right-click the domain or organizational unit within the domain and click Link an Existing GPO. In the Select GPO dialog box, click the GPO which you want to link and click OK.
-or-
To link a new GPO, right-click the domain or organizational unit within a domain and click Create and Link a GPO Here. In the Name box, type a name for the new GPO and click OK.
Note: To link an existing GPO to a site, domain, or organization unit, requires Link GPOs permission on that site, domain, or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this privilege for domains and organizational units, and only Enterprise Administrators and Domain Administrators of the forest root domain have this privilege for sites.
To create and link a GPO requires Link GPOs permissions on the domain or organizational unit to which you want to link, and you must have permission to create GPOs in that domain. By default, only Domain Administrators, Enterprise Administrators, and Group Policy Creator owners have permission to create GPOs.
The Create and Link a GPO Here option is not available for sites, because it is unclear in which domain to create the GPO. The user must first create a GPO in any domain in the forest, and then use the Link an Existing GPO option to link the GPO to the site.
For more detailed information about using GPMC, see Step-by-Step Guide to Using Group Policy Management Console and the online Help for Group Policy Management on the Microsoft TechNet Web site.
If you want to set the 2007 Office system policy settings for a local, non-domain joined computer, you can use gpedit.msc console to open Group Policy Object Editor as an MMC snap-in from the command line to edit the local GPO.
Open Group Policy Object Editor from the command line
-
Click Start, click Run, type gpedit.msc and click OK.
Note: To edit the local GPO on another computer (Computer1 in this example), type the following at the command prompt: gpedit.msc /gpcomputer:"Computer1"
For more information about setting Group Policy, see Step-by-Step Guide to Understanding the Group Policy Feature Set.
Download this book
This article is included in the following downloadable book for easier reading and printing:
See the full list of available books at Office Resource Kit information.