Office Administrative Templates and Office Customization Tool
Goals
Remove or disable items that would not add value to the user experience
Microsoft is a very large and complicated product. There are many features we don't need and other we can't use. Although we already excluded a number of applications, there is more to be done. The general categories of features we want to disable include:
- Things that require an Internet servicesto operate (e.g. Powerpoint broadcast, Sharepoint workspace, Blog publisher)
- Links to Internet webpages (e.g. various Help and Learn more features)
- Dependencies on components we didn't install (e.g. Email and Sharepoint)
- Invitations to download new content or updates (e.g. templates, clipart, addins)
Leaving these features enabled diminishes the value of the experience because it is not clear to the user which features are expected to work or not. They may be very interested in features that help them share and collaborate, but clicking those buttons and selecting those options will just lead to error messages, opening web browsers to nowhere. Our students have very limited time with the computers, lets not distract them from the useful parts.
Remove All Encryption opportunities
At this time we don't want to expose any opportunities to create encrypted documents or databases. The administration is wary of concealed data or messages, and we have promised that they would have access to all data on the server.
Tools
Policy templates
Download the Office 2010 Administrative Template files(documentation)
Just like our default windows policy templates, We'll install these permenantely into our windows Policues directoy to make them available. Then we can use the Policy editor to adjust the settings
Control Identification
Download the Office Fluent User Interface Control Identifiers
The office user interface is very configurable. Every button and menu (controls) can individually be disabled. These excel spreadsheets are a catalog of all the controls (all, so wen can identify them in the policies. Many of the things we want to disable are already specified in the policy templates, but for the ones that aren't we can use these ID's for custom policies.
| Disable commands | Enabled | \Microsoft Access 2010\Disable Items in User Interface\Predefined | "Databast tools…Encrypt with password'" | ||||||
| Disable commands | Enabled | \Microsoft Excel 2010\Disable Items in User Interface\Custom | 15675 | 18209 | 18209 | 18204 | 10014 | 7991 | |
| Disable commands | Enabled | \Microsoft Excel 2010\Disable Items in User Interface\Predefined | "File…Send Using email" | ||||||
| Disable commands | Enabled | \Microsoft PowerPoint 2010\Disable Items in User Interface\Custom | 16461 | 18204 | 15675 | 7991 | 10014 | ||
| Disable commands | Enabled | \Microsoft PowerPoint 2010\Disable Items in User Interface\Predefined | "File…Send Using email" | ||||||
| Disable commands | Enabled | \Microsoft Publisher 2010\Disable Items in User Interface\Custom | 3738 | 11539 | |||||
| Disable commands | Enabled | \Microsoft Publisher 2010\Disable Items in User Interface\Predefined | "File…Sen | "File…Email Preview" | |||||
| Disable commands | Enabled | \Microsoft Word 2010\Disable Items in User Interface\Custom | 18204 | 18209 | 15675 | 12809 | 5908 | 7991 | 10014 |
| Disable commands | Enabled | \Microsoft Word 2010\Disable Items in User Interface\Predefined | "File…Send Using email" | ||||||
| Disable commands under File tab | Help | Enabled | \Microsoft Office 2010\Disable Items in User Interface | "Getting S | "Contact | "Take offi | "Check for updates" | |||
| Disable default service | Enabled | \Microsoft PowerPoint 2010\Broadcast | |||||||
Save/Restore for policy
The two policy files for local computers are
"C:\Windows\System32\GroupPolicy\User\Registry.pol" "C:\Windows\System32\GroupPolicy\Machine\Registry.pol"
You can copy those from one computer and drop them ont he next. So you can careful craft your perfect policy state and redeploy it as needed. One problem with this is that you can't merge or edit. It is all or nothing.
After you deposit the policy files in thoer destination folders on the computer you are applying them to, you can perform the command:
C:\Users\aantony> GPUPDATE /force Updating policy... Computer Policy update has completed successfully. User Policy update has completed successfully.