Understanding System Policies
System policies allow you to enforce settings and restrictions on users' computers — one of the best forms of control an administrator can have over users' computers. The Microsoft Office policy templates (ADM files) describe all of the policy settings you can set for Office. These ADM files can be used with the System Policy Editor and Group Policy snap-in tools in Microsoft Windows® operating systems to apply policies to users' computers.
The System Policy Editor uses ADM templates, which come with the Office XP Resource Kit and are in standard text format. The ADM files describe the policies available in Office XP. Each policy is a registry setting that Office will respect. ADM templates for respective Office applications must be loaded prior to configuring a policy for Office.
System policies can only be enabled and enforced on computers connected to a network whose primary domain controller is a Microsoft Windows NT® server or Microsoft Windows 2000 server.
What policies can do
System policies have several advantages. For instance, they enable an administrator to:
- Disable or enable most menu commands and corresponding toolbar buttons.
- Disable or enable shortcut keys.
- Specify settings for many dialog box items, including most of the options in the Options dialog box (Tools menu).
- Set Windows Installer to always install applications with elevated privileges.
- Disable patching of software by Windows Installer.
- Customize the shared Startup folder for all users.
There are also specific Office XP policies to support many of the new Office XP features listed here:
Note When you enforce the Installed version of Microsoft Office language policy (Microsoft Office XP | Language settings | Enabled Languages), you should also run a configuration maintenance file (CMW file) with the language changes you want to make. This will force Office applications to perform an optimization of their language configuration the next time each application is started.
- Set the default encryption cipher for all users.
Office XP policies
Office XP has enhanced and improved system policies.
As part of the support for policies in Office 2000 and XP, policies are consolidated in a separate subkey in the Windows registry: HKEY_CURRENT_USER\Software\Policies. In Office 97, policies were stored in application-specific Software subkeys, such as HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word or HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel.
Note Because policy configuration settings are stored in a different area of the registry for each release of Office, policy configuration settings from one release do not transfer to a new release. You are required to use the new policy templates to configure your policies for Office XP.
Safer policies
In Windows 2000, you can set an Access Control List (ACL) to lock the Policies subkey in the Windows registry. (The HKEY_CURRENT_USER policies branch is locked by default on Windows 2000.) This step prevents users from changing a policy configuration setting by modifying the security settings on nodes in their registry. Or, if you prefer, you can set security permissions manually using the regedt32 utility in both Windows 2000 and Windows NT 4.0 Service Pack 6a or later.
More Excel and Word policies
Most of the settings in the Options dialog box (Tools menu) in Microsoft Word and Microsoft Excel can be set through a policy, except for settings stored internal to the document, or for settings that are valid only for the current edit session.
Corporate Error Reporting tool policies
The new crash-reporting tool, Corporate Error Reporting, has policy settings you can set in the Office10.adm template. This new tool is a critical component of Microsoft Office. When used in a corporate setting, Corporate Error Reporting requires administrators to decide how they are going to use the crash-reporting data produced by Office applications, and how the reporting tool will be configured. For more information about the Corporate Error Reporting tool, see Reporting Office Application Crashes.
Overview of the System Policy Editor
System policy files are created by using the System Policy Editor. The editor requires the loading of ADM templates created for use with the System Policy Editor from the Policy Template… option (Options menu). When the ADM templates necessary for creating a policy file are loaded, selecting the New Policy option (File menu) creates two policy profiles. The Default Computer profile is for controlling policies associated with the HKEY_LOCAL_MACHINE registry node, and the Default User profile is for controlling policies associated with the HKEY_CURRENT_USER registry node.
After these two policy profiles are created, the administrator must make the necessary changes to enable and enforce policies on each computer connected to the network, or for each user who logs on to the network. Enabling a policy is accomplished by setting a leaf in the policy profile properties tree to checked. Disabling it is accomplished by setting it to unchecked (cleared). A setting of grayed is ignored by the System Policy Editor.
After creating a policy file, rename it and copy it to the NetLogon folder of the primary domain controller. If the policy is for use with Windows 98, name it config.pol. If the policy file is for NT-based operating systems (including Windows 2000), name it NTConfig.pol. When the file appears in this folder, the domain controller automatically activates and enforces the policy settings. When users log on to the network, the system policy file is read and enforced at the user's computer. Changes to an existing policy are automatically propagated to users the next time they log on to the network.
Because of subtle differences in how the Windows registry works for the Microsoft Windows 98, Microsoft Windows Millennium Edition, Microsoft Windows NT, and Microsoft Windows 2000 operating systems, you need to create groups of policies to enforce for each operating system. The System Policy Editor can be used with all of these Windows operating systems. The Group Policy snap-in can only be used with Windows 2000. See the Group Policy snap-in Help for information on how to activate policies using the Active Directory™ directory service in the Windows 2000 environment.
Using policy templates
Policy templates are the starting point for all policies. Find the ADM templates you need and then create a policy file based on the available policy settings within the templates. You can add several ADM files to the policy editor and set the entire configuration of a user's computer with just one policy file. For example, include the Office10.adm, Pub10.adm, Word10.adm, Excel10.adm, and Instlr11.adm files into the System Policy Editor using the Policy Template… menu option (Options menu). Then select New Policy from the File menu option. You should see Default Computer and Default User icons appear in the work area. Default Computer controls the HKLM (HKEY_LOCAL_MACHINE) registry entries, and Default User controls the HKCU (HKEY_CURRENT_USER) registry entries. Double-click the Default User icon. Then double-click Windows Installer. You will see the policy settings for Windows Installer.
A policy setting is tri-state: if the policy is checked, it is enforced; if the policy is empty (clear), it is not enforced (turned off); if the policy is grayed, it implies the registry setting is ignored on the user's computer. In other words, if the policy is set to grayed, and the policy is either set or not set on the user's computer, the registry entry is left alone on the user's computer.
Note Part of the confusion for some users of the System Policy Editor is the tri-state logic implemented with each policy. Along with this tri-state logic is a second option to "activate" or "enforce" the policy. Even though the policy setting is checked, most instances require "enforcing" the policy by selecting the "Check to enforce setting on; uncheck to enforce setting off" check box in the work area at the bottom of the Policy Properties dialog.
Policy templates available with the Office Resource Kit
The following list includes all of the policy templates shipping with the Office XP Resource Kit. Those with the name of an Office application contain policy settings used exclusively with that application. The Office10.adm has policy settings related to more than one Office application (shared).
- Access10.adm
- Office10.adm
- Excel10.adm
- Outlk10.adm
- FP10.adm
- Ppt10.adm
- GAL10.adm
- Pub10.adm
- Instlr11.adm
- Word10.adm
To load Group Policy templates for Windows 2000, start the Group Policy snap-in. You may need to start the Microsoft Management Console and load the Group Policy snap-in before you can perform the following steps.
The Group Policy file gpedit.msc is installed to the C:\WINNT\SYSTEM32 folder during a default install of Windows 2000. If you create a shortcut to this file using Windows Explorer, it will create a Group Policy shortcut on your Desktop.
To add a Windows 2000 ADM template to the Group Policy snap-in
- Start Group Policy.
- Select Administrative Templates from either the Computer Configuration or User Configuration branches.
These two nodes of the Group Policy tree are parallel to the Default Computer and Default User policy profiles in the System Policy Editor.
- Right-click on the Administrative Templates branch and select All Tasks.
- Select Add/Remove Templates…
- Click Add…
- Load any or all of the ADM templates.
The new policy entries will appear within the appropriate branches of the Group Policy tree.
Note The ADM template syntax for Group Policy snap-in is now a superset of the ADM template syntax used by the System Policy Editor. ADM templates created specifically for the Group Policy snap-in will not work with the System Policy Editor.
Office enforces system policies
When you set a policy to be turned off for an element of an application, such as a menu command or toolbar button, that element appears dimmed (grayed) in the user interface. Users will not be able to use or reset that option. With previous versions of Office, users could change a setting back to enabled, even if the element had been turned off by system policies.
Office now enforces and respects policy settings even if a user happens to edit a registry setting on the fly. When an Office application restarts, it reviews policies and reinforces settings, rather than having to wait for the user to log on again and revalidate the policy settings.
Special policy configurations
The System Policy Editor allows you to create policies for unique situations. You can create policies for one user, one computer, or a group of users. If you need to enforce a set of policies for one individual, you can create a policy for this user, and the policy will be applied when the user logs on. You can also create specific policies for more than one user, user group, a computer, default computers, and default users within one policy file. See the System Policy Editor Help for more information on creating special policy profiles. See the Group Policy snap-in Help for more information on configuring policies for Windows 2000.
Note To see the exact registry setting controlled by a policy, you can view the ADM file with a text editor and examine the registry entry for that policy.
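The lookup described in the note above can be automated. The following Python parser is an added example, not part of the Office XP Resource Kit: it reads ADM text, lists the registry hive, key and value names behind each policy, and flags any policy whose key lies outside the Software\Policies subkey described under Office XP policies. The ADM fragment and every name in it are constructed for illustration, and KEYNAME overrides inside PART blocks are not modelled.

```python
import re

# Constructed ADM fragment: all category, policy, key and value names are
# hypothetical, not copied from the Office XP Resource Kit templates.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY !!App
  KEYNAME "Software\Policies\Example\App\Options"
  POLICY !!NoPrompt
    VALUENAME "NoPrompt"
  END POLICY
  POLICY !!HideBar   ; a KEYNAME inside the policy overrides the category's
    KEYNAME "Software\Example\App\8.0\Toolbar"
    VALUENAME "Hide"
  END POLICY
END CATEGORY
[strings]
App="Example App"
NoPrompt="Disable prompt"
HideBar="Hide toolbar"
'''

def parse_adm(text):
    """Return one dict per POLICY block: hive, key, value names, display path."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^(\w+)="(.*)"\s*$', tail, re.M))
    label = lambda t: strings.get(t[2:], t) if t.startswith("!!") else t
    hive, names, keys, pol, out = None, [], [None], None, []
    for line in body.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line.split(";")[0])]
        kw = tok[0].upper() if tok else ""   # text after ';' was dropped as a comment
        if kw == "CLASS":
            hive = "HKEY_CURRENT_USER" if tok[1].upper() == "USER" else "HKEY_LOCAL_MACHINE"
        elif kw in ("CATEGORY", "POLICY"):   # open a scope; KEYNAME is inherited
            names.append(label(tok[1])); keys.append(keys[-1])
            if kw == "POLICY":
                pol = dict(hive=hive, values=[], path=list(names))
        elif kw == "KEYNAME":
            keys[-1] = tok[1]
        elif kw == "VALUENAME" and pol is not None:
            pol["values"].append(tok[1])
        elif kw == "END" and tok[-1].upper() in ("CATEGORY", "POLICY"):
            names.pop(); key = keys.pop()
            if pol is not None:              # closing a POLICY: record it
                pol["key"] = key; out.append(pol); pol = None
    return out

def outside_policies_branch(entries):
    """Entries whose key is not under the Policies subkey, so its ACL does not cover them."""
    return [e for e in entries if not (e["key"] or "").lower().startswith("software\\policies\\")]
```

Running `outside_policies_branch(parse_adm(text))` over a template shows which of its settings are written to keys that the ACL on the Policies subkey does not protect.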