Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


February 2008

Managing Microsoft Office 2007 with Group Policy

Office 2007 Administrative Templates and other new features give unprecedented control over your Office deployment

Executive Summary:

The Microsoft Office 2007 system makes it easy to manage your deployments with Group Policy by providing new Administrative Templates as well as the 2007 Microsoft Office Security Guide and GPOAccelerator. You'll use the ADMX template files for Windows Vista or Windows Server 2008, or the ADM files for any older Windows OS. Administrative Templates can be used to lock down specific functions within each of the Office 2007 applications. The 2007 Microsoft Office Security Guide gives you a good head start on knowing which security settings are important, as well as on creating the policies to achieve the right protection.


If you’ve been administering Windows environments for very long, you’re probably familiar with Administrative Template (ADM) files. Since the days of Office 97, Microsoft has provided ADM files that let you customize the behavior of your Office applications using Group Policy (or its predecessor, system policy). With the release of the Microsoft Office 2007 system, Microsoft has continued this tradition and put considerable effort into making Office 2007 a full citizen within the world of Group Policy. Microsoft has also provided tools such as the GPOAccelerator for optimizing Office 2007 security configurations. To take advantage of these management capabilities in your Office 2007 deployments, you’ll need to know how to install the templates and how to use the templates and other tools to create the appropriate policy settings for your environment.

Administrative Templates and Office
Group Policy Administrative Templates are the usual means of managing Office configurations after Office is deployed to your desktops. The Office Administrative Templates let you customize the options that are enabled and disabled within each of the Office 2007 applications.

Deploying Office versions earlier than Office 2007 often involved using the Group Policy Software Installation (GPSI) feature, along with custom transform (.mst) files that modified the default configuration according to your requirements. However, as Dan Holme noted in “Customizing and Deploying Office 2007,” May 2007, InstantDoc ID 95433, customizing deployments of Office 2007 using Group Policy has changed radically.

Office 2007 uses something called the Office Customization Tool (OCT) to create custom Windows Installer patch (.msp) files that you use to customize Office configurations. Therefore, you might wonder how the post-deployment configuration of Office 2007 using Administrative Template files has changed. The good news is that it has only gotten better: You now have more capabilities for configuring and locking down your Office 2007 deployments than you’ve ever had.

Getting the Administrative Templates
You can download the Administrative Template files from the Microsoft Download Center at www.microsoft.com/downloads/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7. Microsoft provides both ADM files and the new file format, ADMX, which you need with Windows Vista and Windows Server 2008.

After you’ve downloaded AdminTemplates.exe and extracted the files, you’ll see an ADM folder and an ADMX folder. (You’ll also see a folder called Admin, which contains OCT files for customizing Office at deployment time; I won’t discuss those files in this article.) Within the ADM folder, you’ll see a number of folders named by language code (e.g., de-de for Germany, en-us for US English, es-es for Spanish). These are the language-specific versions of the ADM files; when configuring Office 2007, you’ll pick the language folder that matches the version of Windows you’re running.

The ADMX folder includes language-specific folders in addition to the ADMX files. The folders contain the language resource files (ADMLs) that work with the language-neutral ADMX files. If you’re managing Office 2007 from a Vista or Server 2008 system, these are the files you’ll need to use.

Implementing the ADM Office Templates
For any version of Windows earlier than Windows Vista, you’ll use the ADM files. Note that in pre-Vista versions of Windows, ADM files are stored individually within each Group Policy Object (GPO), so you’ll need to perform these steps within each GPO in which you want to implement Office 2007 policies.

The first thing you need to do to load the ADM files for use in Group Policy is open the Microsoft Management Console (MMC) Group Policy Editor (GPE) snap-in, focused on the GPO you want to manage. You can choose either a GPO that’s part of an Active Directory (AD) domain or a local GPO. Right-click the Administrative Templates node under either Computer Configuration or User Configuration (it doesn’t matter which one you use when you’re adding templates to a GPO), select Add/Remove Templates from the context menu, then click Add to browse to the folder of ADM files for your language of Office 2007. Note that you can select all the ADM files in a folder at the same time to load into your GPO, as Figure 1 shows. When you click Open in the Policy Templates dialog box, the ADM files are copied into the GPO and they’ll appear under the Administrative Templates node of GPE, as Figure 2 shows.

You’ll find Office configuration options under both the Computer Configuration and User Configuration nodes; options under Computer Configuration apply to all users on a computer where that GPO is applied, whereas the ones under User Configuration apply to any user object in AD that receives the GPO. A potentially confusing circumstance is that these ADM files (and the ADMX files as well) ship with both true policies, which can be fully managed by administrators, and preferences, which are settings made outside of the designed policy keys within the registry. Preferences aren’t shown by default in GPE. To see all of the policy settings provided by the Office templates, you’ll need to select View, Filtering in GPE, then clear the Only show policy settings that can be fully managed check box so that all preferences will appear along with the policy settings. Unfortunately, this filter doesn’t persist, so you’ll have to reset it every time you launch GPE.
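
The policy/preference distinction above can be checked directly against ADMX files. The following is an added example, not code from the article or from Microsoft: it assumes the "designed policy keys" are the standard Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies registry branches, and it runs on a constructed sample with hypothetical names and keys.

```powershell
# Added example: classify ADMX policy definitions as true policies or preferences.
# Assumption: a setting is a true policy when its registry key sits under one of
# the two standard policy branches below; anything else is treated as a preference.
$PolicyRoots = @(
    'software\policies\',
    'software\microsoft\windows\currentversion\policies\'
)

function Get-AdmxSettingKind {
    param([Parameter(Mandatory)][xml]$Admx)

    # ADMX files declare a default XML namespace, so select by local-name().
    # Only the key attribute on the <policy> element itself is examined.
    foreach ($p in $Admx.SelectNodes("//*[local-name()='policy']")) {
        $key = $p.GetAttribute('key').TrimStart('\') + '\'
        $managed = $false
        foreach ($root in $PolicyRoots) {
            if ($key.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $managed = $true
            }
        }
        [pscustomobject]@{
            Name  = $p.GetAttribute('name')
            Class = $p.GetAttribute('class')
            Key   = $p.GetAttribute('key')
            Kind  = if ($managed) { 'Policy' } else { 'Preference' }
        }
    }
}

# Constructed sample (hypothetical names and keys, not taken from the Office templates).
$sample = [xml]@'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="L_ExampleManaged" class="User"
            key="software\policies\contoso\exampleapp\options" valueName="lock" />
    <policy name="L_ExamplePreference" class="User"
            key="software\contoso\exampleapp\options" valueName="defaultview" />
  </policies>
</policyDefinitions>
'@

Get-AdmxSettingKind -Admx $sample | Format-Table -AutoSize

# Against installed templates, list only the preferences:
# Get-ChildItem C:\Windows\PolicyDefinitions\*.admx |
#   ForEach-Object { Get-AdmxSettingKind -Admx ([xml](Get-Content $_.FullName)) } |
#   Where-Object Kind -eq 'Preference'
```

Settings reported as Preference are the ones GPE hides until the filter described above is cleared.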

Implementing the ADMX Office Templates
Vista introduced a major improvement in Administrative Template management with the ADMX file format, which essentially replaces the ADM files with an XML-based format for defining new registry-based policy settings. One advantage ADMX files provide is that GPE no longer requires them to be stored in the SYSVOL portion of every GPO in a domain. This saves space and network bandwidth on your domain controllers (DCs), because the files no longer have to be replicated, within every GPO that uses them, to every DC.

To get access to the Office 2007 ADMX files on your Vista administrative workstation, you can choose from two methods. The first and easiest method is simply to copy the ADMX files within the ADMX folder to your local workstation, placing them in the folder called C:\Windows\PolicyDefinitions. Make sure you copy only the ADMX files into this folder at this point, not the subfolders that contain the language-specific ADML files; copying those is the next step. Choose the language of ADML files you need and copy them into the language-specific folder under C:\Windows\PolicyDefinitions. For example, if you’re using a German-language version of Windows, you would copy the ADML files within the de-de folder in the Administrative Templates installation into C:\Windows\PolicyDefinitions\de-de. After the files are copied to the appropriate folders, you’ll see them underneath Administrative Templates within the Computer Configuration and User Configuration nodes when you launch GPE.
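
The two copy steps above, scripted as an added example (not part of the original article). The function and parameter names are this example's own, the source path in the usage comment is a placeholder, and the final check for an ADMX file without a matching ADML resource file is an addition to the article's procedure.

```powershell
# Added example: stage Office ADMX/ADML files into the local PolicyDefinitions folder.
# -Source is the extracted ADMX folder; function and parameter names are hypothetical.
function Copy-OfficeAdmx {
    param(
        [Parameter(Mandatory)][string]$Source,
        [string]$Language = 'en-us',
        [string]$Destination = 'C:\Windows\PolicyDefinitions'
    )

    $langSource = Join-Path $Source $Language
    if (-not (Test-Path $langSource -PathType Container)) {
        throw "No '$Language' folder under $Source"
    }
    $langDest = Join-Path $Destination $Language
    if (-not (Test-Path $langDest)) {
        New-Item -ItemType Directory -Path $langDest | Out-Null
    }

    # Step 1: only the top-level .admx files, not the language subfolders.
    Get-ChildItem -Path $Source -Filter *.admx -File |
        Copy-Item -Destination $Destination

    # Step 2: the .adml resource files for the one language in use.
    Get-ChildItem -Path $langSource -Filter *.adml -File |
        Copy-Item -Destination $langDest

    # Added check: return the name of each copied .admx that has no matching .adml.
    Get-ChildItem -Path $Source -Filter *.admx -File | ForEach-Object {
        $adml = Join-Path $langDest ($_.BaseName + '.adml')
        if (-not (Test-Path $adml)) { $_.Name }
    }
}

# Usage from an elevated prompt; the source path is a placeholder.
# $missing = Copy-OfficeAdmx -Source 'D:\Office2007Templates\ADMX' -Language 'de-de'
# if ($missing) { Write-Warning "No ADML for: $($missing -join ', ')" }
```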



 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.