Managing Users Configurations by Policy

Managing Users’ Configurations by Policy

In a Microsoft Windows–based network, Group Policy settings help administrators control how users work with Microsoft Office 2003. By setting policies, you can define and maintain a particular Office 2003 configuration on users’ computers. Unlike other customizations—for example, default settings distributed in a transform (MST file)—policies are reapplied each time a user logs on to the network (or at some other interval set by the administrator), and users cannot edit the Windows registry to change them.

You can use Office policies to:

• Control entry points to the Internet.

• Manage security settings in Office applications.

• Hide or disable new behavior that might confuse users and result in unnecessary calls for support.

• Hide settings and options that are not needed and might distract users.

• Lock down a standard configuration on users’ computers.

You can set policies that apply to the local computer (and every user of that computer) or that apply only to individual users. Per-computer policies are set under Computer Configuration in the Group Policy snap-in and are applied the first time any user logs on to the network from that computer. Per-user policies are set under User Configuration and are applied when the specified user logs on to the network from any computer.

Active Directory and Group Policy

In Office 2003, Group Policy has replaced the System Policy Editor as the recommended mechanism for setting and maintaining policies throughout an organization. The Active Directory™ directory service provides the framework for centralized administration of users and computers. Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use.

Network objects in this context include users, computers, and printers, as well as domains, sites, and organizational units. A structured data store provides the basis for a logical, hierarchical organization of all directory information.

Active Directory makes it possible to manage all users, computers, and software on the network through administrator-defined policies, known as Group Policy in Windows 2000 or later. A collection of Group Policy settings is contained in a Group Policy object (GPO), and the GPO is associated with an Active Directory container. You can set policies that apply to an entire site, a domain, or an individual organizational unit.

Group Policy encompasses a wide range of options, including registry-based policy settings, security settings, software installation scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The policies contained in the Office policy templates are registry-based policies.

Office 2003 policies

Office policies allow administrators to manage most options that configure the Office 2003 user interface, including:

• Disabling or enabling menu commands and their corresponding toolbar buttons.

• Disabling or enabling shortcut keys.

• Specifying settings for most options in the Options dialog box (Tools menu).

The Office policy templates (ADM files) also include policies that help you control the way Windows Installer functions.

Each Office 2003 policy represents an option or feature in an Office application. Each policy also corresponds to one or more value entries in the Windows registry. All policy information is stored in the same area of the registry.

For example, all user-specific policy settings are stored in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0 subkey, which mirrors most of the HKEY_CURRENT_USER\Software\Microsoft\Office\11.0 subkey. Computer-specific policies are stored in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\11.0 subkey. By default, both Policy subkeys are locked, making them inaccessible to users.

Office 2003 policy template files

When you use the Group Policy snap-in to set policy, you first load the Office policy templates (ADM files) and then configure the settings you want to manage. You can add several ADM files and set the entire configuration of a computer at one time.

The Office 2003 Editions Resource Kit includes the following policy template files (ADM files), which list the options you can control for each application.

ADM file	Application
Office11.adm	Shared Office 2003 components
Access11.adm	Microsoft Office Access 2003
Excel11.adm	Microsoft Office Excel 2003
Gal11.adm	Clip Organizer
Instlr11.adm	Windows Installer 2.0
Outlk11.adm	Microsoft Office Outlook 2003
Ppt11.adm	Microsoft Office PowerPoint 2003
Pub11.adm	Microsoft Office Publisher 2003
Rm11.adm	Relationship Manager
Scrib11.adm	Microsoft Office OneNote™ 2003
Word11.adm	Microsoft Office Word 2003
Inf11.adm	Microsoft Office InfoPath™ 2003

When you install the Office policy template files, they are automatically saved to the %SystemRoot%\Inf folder on your computer. To download the templates, see the Office 2003 Editions Resource Kit Toolbox on the companion CD.

Policies in the templates are organized in a hierarchy that, in general, follows the user interface. Settings found in the Options dialog box (Tools menu) are listed under Tools | Options in the template for each application. However, the policies for some settings that appear in multiple applications are consolidated in the Office11.adm template.

For example, several Office applications allow users to customize the way the application works with the Web through the Web Options button on the General tab of the Options dialog box. You set policies to manage users’ interaction with the Web in all Office applications in the Office11.adm template under Tools | Options\General\Web options.

Because policy settings are stored in a different area of the registry for each release of Office, you cannot use the policy templates from a previous version. To configure policies for Office 2003, you must use the policy templates for Office 2003.

Using the Group Policy snap-in

After you set up an Active Directory™ and Group Policy infrastructure in your organization, you use the Group Policy Microsoft Management Console (MMC) snap-in to set Office 2003 policies from the Office policy templates (ADM files). Once you set policies for a particular Group Policy object, Windows automatically implements the policies on users’ computers.

To set policy using the Group Policy snap-in

1. Open the Group Policy object (GPO) for which you want to set policy.

2. Right-click Administrative Templates and select Add/Remove Templates.

   A list of ADM files already added to the GPO appears.

3. To add another ADM file, click Add.

   A list of all the ADM files in the %SystemRoot%\Inf folder of the local computer appears. (You can also select an ADM file from another location.)

4. Select an ADM file and click Open to add it to the GPO.

5. Double-click Computer Configuration or User Configuration and then expand the tree under Administrative Templates to find the Office 2003 policies.

6. Under Settings in the right pane, set the policies you want.

7. Save the Group Policy object.

   Windows automatically enforces the policies the next time each user logs on. Policies remain in effect until the administrator clears them.

Policies in the Group Policy snap-in can have one of three states:

• Not configured The policy is not enforced. If the policy was previously enforced, those settings are removed from the registry and the option returns to either the default setting or the last setting specified by the user.

• Enabled The policy is enforced. For most policies, additional settings appear in the box. These settings determine what happens when the policy is enforced. Note that clearing a particular setting only changes the behavior enforced by the policy; to reverse the policy altogether, choose Not Configured.

• Disabled The policy is not configured or is ignored.

For most Office 2003 policies, the effect of setting a policy to Disabled is the same as setting it to Not configured. Settings return to their default values, and users can change settings to which they have access through the user interface or the Windows registry.

For more information about setting Group Policy, see the “Step-by-Step Guide to Understanding the Group Policy Feature Set” at http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp.

Using the Group Policy Management Console (Windows Server 2003 only)

Microsoft Windows Server™ 2003 includes the new Group Policy Management Console (GPMC), a single solution for managing all Group Policy–related tasks. By using GPMC, administrators can manage Group Policy for multiple domains and sites within a given forest.

The simplified user interface supports drag-and-drop functionality and also allows administrators to back up, restore, import, copy, and create reports for Group Policy objects (GPOs). These operations are fully scriptable, which lets administrators customize and automate management.

More information about GPMC is available on the Microsoft Windows Server 2003 Web site at http://www.microsoft.com/windows.netserver/gpmc/default.mspx.

Disabling user interface elements

You can set policies that disable menu commands, toolbar buttons, and shortcut keys. By setting these policies, you can help prevent users from changing or gaining access to particular features or options. A menu item or command bar button that has been disabled by policy appears grayed out in the user interface and is unavailable to users.

Disabling menu items and command bar buttons

A number of menu items and command bar buttons are listed by name in the policy templates in the Disable items in user interface | Predefined | Disable command bar buttons and menu items policy. These items include commands that administrators frequently choose to disable, such as the Hyperlink command (Insert menu) and the Macro command (Tools menu).

To disable any other command in an Office 2003 application, you set the Custom | Disable command bar buttons and menu items policy and add the control ID for the command you want to disable.

To disable a menu item and the corresponding command bar button

1. Select the check box to set the Custom | Disable command bar buttons and menu items policy for the appropriate Office 2003 application.

2. Click the Show button.

3. Click Add and enter the control ID for the item you want to disable.

Menu items and their corresponding command bar buttons share the same control ID. For example, in Microsoft Word the control ID for both the Save command (File menu) and Save button (Standard toolbar) is 3.

Finding control IDs in Visual Basic for Applications

You can look up control IDs for any item on a menu or toolbar in Office 2003 applications by using Microsoft Visual Basic for Applications (VBA). You can either look up a single control ID or use a macro to find a series of control IDs. Then you enter the control ID into the Group Policy snap-in to disable that menu command and toolbar button.

Menu commands and their corresponding toolbar buttons share the same control ID. For example, the control ID for both the Save command (File menu) and the Save button (Standard toolbar) in Microsoft Word is 3.

Finding a single control ID

You use the Immediate window in VBA to look up the control ID for a single item on a menu. For example, the following command returns the value 748, which is the control ID for the Save As command on the File menu in Microsoft Word:

? commandbars("menu bar").controls("file").controls("save as...").id

For Microsoft Excel, use worksheet menu bar instead of menu bar in the previous example.

You use the same command to find the control ID for a toolbar button. For example, the following command displays the control ID for the Document Map button (Standard toolbar) in Word:

? commandbars ("standard").controls ("document map").id

Finding all the control IDs for a menu or toolbar

If you want to find the control IDs for all the items on a menu or toolbar, you can create a macro in VBA. For example, the following macro opens a series of message boxes to display the commands and corresponding control IDs for each item on the File menu for any Office 2003 application:

Sub EnumerateControls()     Dim icbc As Integer     Dim cbcs As CommandBarControls     Set cbcs = Application.CommandBars("Menu Bar").Controls("File").Controls     For icbc = 1 To cbcs.Count       MsgBox cbcs(icbc).Caption & " = " & cbcs(icbc).ID     Next icbc End Sub

To disable all of the items on a menu, you can enter each item individually in the Group Policy snap-in. Or, you can disable the entire menu by entering the control ID for the menu itself.

For more information about using Visual Basic for Applications, see the Language Center for Visual Basic at http://msdn.microsoft.com/vbasic/vblang/default.asp.

Disabling shortcut keys

Several built-in shortcut keys are listed by name in the policy templates in the Disable items in user interface | Predefined | Disable shortcut keys policy. For example, you can disable CTRL+K, the shortcut for the Hyperlink command (Insert menu).

To disable any other shortcut key in an Office 2003 application, you set the Custom | Disable shortcut keys policy and add the virtual key code for the shortcut. (A virtual key code is a hardware-independent number that uniquely identifies a key on the keyboard.)

To disable a shortcut key

1. Select the check box to set the Custom | Disable shortcut keys policy for the appropriate Office 2003 application.

2. Click Show.

3. Click Add and enter the shortcut key and modifier for the item you want to disable by using the following syntax:

   key,modifier

   where key is the value of a key (for example, G) in Windows, and modifier is the value of either a modifier key (for example, ALT or SHIFT) or a combination of modifier keys in Windows.

Use the following values to refer to keys in the Group Policy snap-in:

Modifier or key	Value
ALT	16
CONTROL	8
SHIFT	4
A-Z	A sequential number between 65 and 90, where A = 65, and Z = 90

For example, to disable the shortcut key ALT+K, enter 75,16 (key = 75; modifier = 16).

If you have multiple modifier keys for the shortcut key, you add the values of the modifier keys together to determine the actual modifier key value you enter. For example, for ALT+SHIFT, enter 20 (16+4).

Locking down an Office configuration

Many administrators use policies to lock down users’ Office configurations as one part of their overall security strategy. In addition, maintaining a standard Office configuration throughout an organization can help reduce support costs, create a consistent user environment for users who share computers, and limit access to the Internet by disabling entry points in Office applications.

Using environment variables in policies

Environment variables—which use the REG_EXPAND_SZ data type—expand in the Windows registry to replace file names, paths, or other changeable values. You can use environment variables in policies. For example, the Default file location policy for Excel 2003 specifies the default location for saving Excel files. If you want users to store their Excel files on the network under their user names, you can specify a network drive and the following environment variable:

 drive:\%Username%\

When you distribute the policy, the environment variable is written to each user’s registry. Office 2003 recognizes %Username% as an environment variable and expands it to whatever the %Username% variable is set to on the user’s computer. For example, Office expands the environment variable in the preceding example to drive:\UserA\ for User A, drive:\UserB\ for User B, and so on.

You can also use any other appropriately defined environment variable to set Default file location to a particular path or folder. Because Office recognizes the REG_EXPAND_SZ data type, you can use environment variables that exist by default in the operating system or variables you set on your own.