Planning for Group Policy

Updated: March 30, 2007

Applies To: Office Resource Kit

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2017-01-25

In an Active Directory-based environment, administrators can use Group Policy settings for the 2007 Microsoft Office system applications to centrally manage tasks such as the following:

  • Setting security options for 2007 Office system applications. For example, administrators can specify policy settings to manage:

    • Trusted locations and trusted publishers

    • Internet Explorer feature control settings in the 2007 Office system

    • Privacy options in the 2007 Office system

    • Document protection settings in the 2007 Office system

    • Block file format settings in the 2007 Office system

  • Managing Microsoft Office Outlook 2007 security and configuration settings. For example, administrators can specify policy settings to manage areas such as the following:

    • Cached Exchange Mode options

    • Customization of attachment settings

    • Options for Outlook Security Mode to specify which security settings are enforced in Outlook

    • Security for Outlook 2007 folder home pages

    • Customization of programmatic security settings

    • Customization of ActiveX and custom forms security settings

    • Trusted add-ins for Outlook 2007

    • Junk e-mail filter settings

    • Outlook Personal Folders (PST) and Offline Folder (OST) file settings; for example, to limit the PST file size, specify the default location of PST and OST files, and so on

    • Really Simple Syndication (RSS), Instant Messaging integration options, Internet Calendar options, and Meeting Workspace settings

    • Outlook feature customizations for Instant Search, categories, Search Folder options, Unicode options, message encoding options, and Lightweight Directory Access Protocol (LDAP) directory browsing and custom filter options

    • Disabling Outlook user interface items

  • Specifying the default file save options for Microsoft Office Word 2007, Microsoft Office Excel 2007, and Microsoft Office PowerPoint 2007. Administrators can also configure default file format policy settings to specify whether to use Access 2007 or Access 2002-2003, and whether to convert older databases.

  • Controlling settings that are important to the organization. For example, administrators can set the default file format for 2007 Office system applications to the legacy format until all clients in their organization can read the Open XML Formats.

  • Restricting access to the 2007 Office system user interface items. For example, administrators can disable commands, menu items, and shortcut keys for Office applications.

  • Specifying policy settings to enforce default language settings for Office.

  • Providing standard configurations of 2007 Office system user interface application settings within the organization.

  • Providing highly restricted or lightly managed configurations of 2007 Office system applications within the organization.

This topic discusses the planning process for deploying a Group Policy-based solution.

Planning for deploying Group Policy-based solutions includes several steps:

  1. Defining your business objectives and security requirements.

  2. Evaluating your current environment.

  3. Designing managed configurations based on your business and security requirements.

  4. Determining the scope of application of your solution.

  5. Planning for testing and staging, and deploying your Group Policy solution.

  6. Involving key stakeholders in planning and deploying the solution.

Identify your specific business and security requirements and determine how Group Policy can help you manage standard configurations for the 2007 Office system applications. Identify the resources (groups of users and computers) for which you are managing Office settings with Group Policy and define the scope of your project.

Examine how you currently perform management tasks related to configurations for Microsoft Office applications to help you determine which types of Office policy settings to use. Document the current practices and requirements. You will use this information to help you design managed configurations, in the next step. Items to include are:

  • Existing corporate security policies and other security requirements. Identify which locations and publishers are considered secure. Evaluate your requirements for managing Internet Explorer feature control settings, document protection, privacy options, and blocking file format settings.

  • Messaging requirements for the organization. Evaluate requirements for configuring user interface settings, and virus-prevention and other security settings for Office Outlook 2007 with Group Policy.

    Group Policy also provides settings for limiting the size of PST files, which can improve performance on the workstation.

  • User requirements for Office applications for the various types of user roles. This depends largely on users' job requirements and the organization's security requirements.

  • Determine the default file save options to use for Microsoft Office Word 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, and Microsoft Access 2007.

  • Determine the types of access restrictions to set for various user groups for the 2007 Office system user interface items, including disabling commands, menu items, and shortcut keys.

  • In mixed environments, identify which computers are running Windows Vista.

    New Windows Vista–based or Windows Server 2008–based policy settings can be managed only from Windows Vista–based or Windows Server 2008–based administrative computers running Group Policy Object Editor or Group Policy Management Console. These policy settings are defined only in ADMX files and are not exposed on the Windows Server 2003, Windows XP, or Windows 2000 versions of these tools. Administrators have to use the Group Policy Object Editor from a Windows Vista–based or Windows Server 2008–based administrative computer to configure new Windows Vista–based Group Policy settings. In the case of Office 2007, the policy settings contained in .adm and ADMX files are the same.

    For more information about administering ADMX files in Vista, see Managing Group Policy ADMX Files Step-by-Step Guide on the Microsoft TechNet Web site.

  • Identify issues pertaining to Software Installation if you are considering this deployment method. Although Group Policy can be used to install software applications in small-sized organizations with Active Directory installed, there are some limitations, and you must determine whether it is an appropriate solution for your deployment requirements. For more information, see the "Deployment considerations" section of Use Group Policy Software Installation to deploy the 2007 Office system.

    If you manage large numbers of clients in a complex or rapidly changing environment, Microsoft Systems Management Server is the recommended method for installing and maintaining the 2007 Office release in medium- and large-sized organizations. Microsoft Systems Management Server offers additional functionality, including inventory, scheduling and reporting features. For information about using Microsoft Systems Management Server to deploy the 2007 Office release, see Using Systems Management Server 2003 to deploy the 2007 Office system.

    Another option for deployment of the 2007 Office system in Active Directory environments is to use Group Policy computer startup scripts. For more information about this method, see Use Group Policy to assign computer startup scripts for 2007 Office deployment.

  • Determine when to use Group Policy settings to enforce configuration of an Office application feature or option and when to set the option with the Office Customization Tool (OCT). Although both Group Policy and the OCT can be used to customize user configurations for the 2007 Office release applications, there are important distinctions.

    Group Policy is used to configure the 2007 Office release policy settings contained in Administrative Templates, and the operating system enforces those policy settings. These settings have access control list (ACL) restrictions that prevent non-administrator users from changing them. Use Group Policy for configuring settings that you want to enforce.

    The OCT is used to create a Setup customization file (MSP file). Administrators can use the OCT to customize features and configure user settings. Users can modify most of the settings after the installation. It is recommended that you use the OCT for preferred or default settings only.

    For more information, see Office Customization Tool and Group Policy in Group Policy overview (2007 Office system).

  • Determine when to use local Group Policy to configure Office settings. Administrators can use local Group Policy to control settings in environments that include stand-alone computers that are not part of an Active Directory domain. Although you can configure local Group Policy objects on individual computers, maximum benefits of Group Policy are realized in a Windows 2000 or Windows Server 2003-based network with Active Directory installed.

    Windows Vista and Windows Server 2008 provide support for managing multiple local Group Policy objects (GPOs) on stand-alone computers. Multiple GPOs can be used for managing environments that involve shared computing on a single computer, such as libraries or computer labs. You can assign multiple local GPOs to local users or built-in groups. For more information about local GPOs and the multiple local GPOs feature, see Local and Active Directory-based Group Policy and Group Policy processing in Group Policy overview (2007 Office system), and Step-by-Step Guide to Managing Multiple Local Group Policy Objects on the Microsoft TechNet Web site.

Understanding your business requirements, security, network, IT requirements, and your organization's current Office application management practices helps you identify appropriate policy settings for managing the Office applications for users in your organization. The information you collect during the evaluation of your current environment step helps you design your Group Policy objectives.

When you define your objectives for using Group Policy to manage configurations for Office applications, determine the following:

  • The purpose of each GPO.

  • The owner of each GPO—the person who is responsible for managing the GPO.

  • The number of GPOs to use. Keep in mind that the number of GPOs applied to a computer affects startup time, and the number of GPOs applied to a user affects the amount of time needed to log on to the network. The greater the number of Group Policy objects that are linked to a user—particularly the greater the number of settings within those GPOs—the longer it takes to process the GPOs when a user logs on. During the logon process, each GPO from the user’s site, domain, and organizational unit (OU) hierarchy is applied, provided both the Read and Apply Group Policy permissions are set for the user.

  • The appropriate Active Directory container to which to link each GPO (site, domain, or OU).

  • The location of Office applications to install, if you are deploying the 2007 Office system with Group Policy Software Installation.

  • The location of computer startup scripts to execute, if you are deploying the 2007 Office system by assigning Group Policy computer startup scripts.

  • The types of policy settings contained in each GPO. This depends on your business and security requirements and how you currently manage settings for Office applications. It is recommended that you configure only settings that are considered critical for stability and security and that you keep configurations to a minimum. Also consider using policy settings that can improve performance on the workstation, such as controlling Outlook PST file size.

  • Whether to set exceptions to the default processing order for Group Policy.

  • Whether to set filtering options for Group Policy to target specific users and computers.

Consider general recommendations for GPO management as you design your Group Policy configurations. For information, see Best practices for Group Policy objects on the Microsoft TechNet Web site.

To help you plan for ongoing administration of Group Policy objects, it is recommended that you establish administrative procedures to track and manage GPOs. This helps ensure that all changes are implemented in a prescribed manner.
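
One way to capture the design facts listed above (owner, links, enforced links, filtering, and edit rights) for each GPO, as an added example that is not part of the original topic. It assumes the GroupPolicy PowerShell module that ships with later releases of GPMC/RSAT, runs read-only against the current domain, and uses the hypothetical helper name Get-GpoInventory.

```powershell
# Added example: read-only inventory of every GPO in the current domain.
# Assumes the GroupPolicy module (installed with GPMC/RSAT) on a domain-joined
# administrative computer. Get-GpoInventory is a hypothetical helper name.
Import-Module GroupPolicy

function Get-GpoInventory {
    foreach ($gpo in Get-GPO -All) {
        # The XML report lists each container the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        # Delegation entries: who the GPO applies to and who can change it.
        $perms   = @(Get-GPPermission -Guid $gpo.Id -All)
        $applies = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        $editors = $perms | Where-Object { $_.Permission -match '^GpoEdit' }

        [pscustomobject]@{
            Name      = $gpo.DisplayName
            Owner     = $gpo.Owner
            Status    = $gpo.GpoStatus          # e.g. AllSettingsEnabled
            Modified  = $gpo.ModificationTime
            WmiFilter = $gpo.WmiFilter.Name     # empty when no WMI filter is set
            LinkedTo  = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            Enforced  = ($links | Where-Object { $_.NoOverride -eq 'true' } |
                         ForEach-Object { $_.SOMPath }) -join '; '
            AppliesTo = ($applies | ForEach-Object { $_.Trustee.Name }) -join '; '
            CanEdit   = ($editors | ForEach-Object { $_.Trustee.Name }) -join '; '
        }
    }
}

$inventory = Get-GpoInventory

# Full inventory for the change-management record.
$inventory | Export-Csv -Path .\gpo-inventory.csv -NoTypeInformation

# Review candidates: GPOs with no link, no security-filter target, or no owner.
$inventory |
    Where-Object { -not $_.LinkedTo -or -not $_.AppliesTo -or -not $_.Owner } |
    Format-Table Name, Owner, LinkedTo, AppliesTo -AutoSize
```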

Identify the 2007 Office system policy settings that are applicable to all corporate users (such as any application security settings that are considered critical to the security of your organization) and those that are appropriate for groups of users based on their roles. Plan your configurations according to the requirements you identify.

In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or organizational units. Most GPOs are typically assigned at the organizational unit level, so make sure your OU structure supports your Group Policy-based management strategy for the 2007 Office system. You might also apply some Group Policy settings at the domain level, such as security-related policy settings or Outlook settings that you want to apply to all users in the domain.

Testing and staging is a critical part of any Group Policy deployment process. This step includes creating standard Group Policy configurations for the 2007 Office system applications and testing the GPO configurations in a non-production environment before you deploy to users in the organization. If necessary, you can filter the scope of application of GPOs and define exceptions to Group Policy inheritance. Administrators can use Group Policy Modeling (in Group Policy Management Console) to evaluate which policy settings would be applied by a specific GPO, and Group Policy Results (in Group Policy Management Console) to evaluate which policy settings are in effect.

Group Policy provides the ability to affect configurations across hundreds and even thousands of computers in an organization. Consequently, it is critical that you use a change management process and rigorously test all new Group Policy configurations or deployments in a non-production environment before you move them into your production environment. This process ensures that the policy settings contained in a GPO produce the expected results for the intended users and computers in Active Directory environments.

As a best practice for managing Group Policy implementations, it is recommended that administrators stage Group Policy deployments by using the following pre-deployment process:

  • Deploy new GPOs in a test environment that reflects the production environment as closely as possible.

  • Use Group Policy Modeling (GPMC) to evaluate how a new GPO will affect users and interoperate with existing GPOs.

  • Use Group Policy Results (GPMC) to evaluate which GPO settings are applied in the test environment.

For detailed information about staging deployments, see "Staging Deployments" in the Group Policy Planning and Deployment Guide.

For information about Group Policy Management Console (GPMC), Group Policy Modeling and Group Policy Results, see Group Policy Management Tools in Group Policy overview (2007 Office system).

Group Policy deployments in enterprises are likely to have cross-functional boundaries. As part of preparing for your deployment, it is important to consult key stakeholders from the various functional teams in your organization and ensure they participate during the analysis, design, test, and implementation phases, as appropriate.

Make sure you conduct reviews of the policy settings you plan to deploy for managing the 2007 Office system applications with your organization's security and IT operations teams to ensure that the configurations suit the organization and that you apply as strict a set of policy settings as necessary to protect your network resources.
