Planning for Group Policy in Office 2010


Applies to: Office 2010

Topic Last Modified: 2011-10-12

Banner stating end of support date for Office 2010 with link to more info

IT administrators who plan to manage Microsoft Office 2010 applications by using Group Policy should understand their business requirements, security, network, and IT requirements, and their current Office application management practices.

  • Planning for Group Policy

  • Defining business objectives and security requirements

  • Evaluating your current environment

  • Designing managed configurations based on business and security requirements

  • Determining the scope of application

  • Testing and staging Group Policy deployments

  • Involving key stakeholders

Planning for Group Policy

Group Policy enables IT administrators to apply configurations or policy settings to users and computers in an Active Directory directory service environment. Configurations can be made specifically to Office 2010. For more information, see Group Policy overview for Office 2010.

Planning for the deployment of Group Policy-based solutions includes several steps:

  1. Define your business objectives and security requirements.

  2. Evaluate your current environment.

  3. Design managed configurations based on your business and security requirements.

  4. Determine the scope of application of your solution.

  5. Plan for testing, staging, and deploying your Group Policy solution.

  6. Involve key stakeholders in planning and deploying the solution.

Defining business objectives and security requirements

Identify your specific business and security requirements and determine how Group Policy can help you manage standard configurations for the Office 2010 applications. Identify the resources (groups of users and computers) for which you are managing Office settings by using Group Policy and define the scope of your project.

Evaluating your current environment

Examine how you currently perform management tasks related to configurations for Microsoft Office applications to help you determine which kinds of Office policy settings to use. Document the current practices and requirements. You will use this information to help you design managed configurations, in the next step. Items to include are as follows:

  • Existing corporate security policies and other security requirements. Identify which locations and publishers are considered secure. Evaluate your requirements for managing Internet Explorer feature control settings, document protection, privacy options, and blocking file format settings.

  • Messaging requirements for the organization. Evaluate requirements for configuring user interface settings, virus-prevention, and other security settings for Office Outlook 2007 by using Group Policy. For example, Group Policy provides settings for limiting the size of .pst files, which can improve performance on the workstation.

  • User requirements for Office applications for the various kinds of user roles. This depends largely on users' job requirements and the organization's security requirements.

  • Default file save options to use for Microsoft Access 2010, Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.

  • Access restrictions to set for Office 2010 user interface items; for example, including disabling commands, menu items, and keyboard shortcuts.

  • Software installation issues, if you are considering this deployment method. Although Group Policy can be used to install software applications in small-sized organizations that have Active Directory installed, there are some limitations, and you must determine whether it is an appropriate solution for your deployment requirements. For more information, see "Identifying issues pertaining to software installation" in Group Policy Planning and Deployment Guide (

    If you manage large numbers of clients in a complex or rapidly changing environment, Microsoft System Center Configuration Manager 2007 is the recommended method for installing and maintaining Office 2010 in medium- and large-sized organizations. System Center Configuration Manager 2007 offers additional functionality, including inventory, scheduling, and reporting features.

    Another option for deployment of Office 2010 in Active Directory environments is to use Group Policy computer startup scripts.

  • Whether to use Group Policy or the OCT. Although both Group Policy and the OCT can be used to customize user configurations for the Office 2010 applications, there are important differences:

    • Group Policy is used to configure Office 2010 policy settings contained in Administrative Templates, and the operating system enforces those policy settings. These settings have system access control list (SACL) restrictions that prevent non-administrator users from changing them. Use Group Policy for configuring settings that you want to enforce.

    • The OCT is used to create a Setup customization file (.msp file). Administrators can use the OCT to customize features and configure user settings. Users can modify most of the settings after the installation. We recommend that you use the OCT for preferred or default settings only.

    For more information, see Office Customization Tool and Group Policy.

  • Whether to use local Group Policy to configure Office settings. You can use local Group Policy to control settings in environments that include stand-alone computers that are not part of an Active Directory domain. For more information, see Group Policy overview for Office 2010.

Designing managed configurations based on business and security requirements

Understanding your business requirements, security, network, IT requirements, and your organization's current Office application management practices helps you identify appropriate policy settings for managing the Office applications for users in your organization. The information that you collect during the evaluation of your current environment step helps you design your Group Policy objectives.

When you define your objectives for using Group Policy to manage configurations for Office applications, determine the following:

  • The purpose of each Group Policy object (GPO).

  • The owner of each GPO — the person who is responsible for managing the GPO.

  • The number of GPOs to use. Keep in mind that the number of GPOs applied to a computer affects startup time, and the number of GPOs applied to a user affects the amount of time needed to log on to the network. The greater the number of GPOs that are linked to a user — especially the greater the number of settings within those GPOs — the longer it takes to process the GPOs when a user logs on. During the logon process, each GPO from the user’s site, domain, and organizational unit (OU) hierarchy is applied, provided both the Read and Apply Group Policy permissions are set for the user.

  • The appropriate Active Directory container to which to link each GPO (site, domain, or OU).

  • The location of Office applications to install, if you are deploying the Office 2010 with Group Policy Software Installation.

  • The location of computer startup scripts to execute, if you are deploying Office 2010 by assigning Group Policy computer startup scripts.

  • The kinds of policy settings contained in each GPO. This depends on your business and security requirements and how you currently manage settings for Office applications. We recommend that you configure only settings that are considered critical for stability and security and that you keep configurations to a minimum. Also consider using policy settings that can improve performance on the workstation, such as controlling Outlook .pst file size, for example.

  • Whether to set exceptions to the default processing order for Group Policy.

  • Whether to set filtering options for Group Policy to target specific users and computers.

To help you plan for ongoing administration of GPOs, we recommend that you establish administrative procedures to track and manage GPOs. This helps ensure that all changes are implemented in a prescribed manner.

Determining the scope of application

Identify Office 2010 policy settings that apply to all corporate users (such as any application security settings that are considered critical to the security of your organization) and those that are appropriate for groups of users based on their roles. Plan your configurations according to the requirements that you identify.

In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or OUs. Most GPOs are typically assigned at the organizational unit level, so make sure that your OU structure supports your Group Policy-based management strategy for Office 2010. You might also apply some Group Policy settings at the domain level, such as security-related policy settings or Outlook settings that you want to apply to all users in the domain.

Testing and staging Group Policy deployments

Planning for testing and staging is a critical part of any Group Policy deployment process. This step includes creating standard Group Policy configurations for Office 2010 applications and testing the GPO configurations in a non-production environment before you deploy to users in the organization. If necessary, you can filter the scope of application of GPOs and define exceptions to Group Policy inheritance. Administrators can use Group Policy Modeling (in Group Policy Management Console) to evaluate which policy settings would be applied by a specific GPO, and Group Policy Results (in Group Policy Management Console) to evaluate which policy settings are in effect.

Group Policy provides the ability to affect configurations across hundreds and even thousands of computers in an organization. Consequently, it is critical that you use a change management process and rigorously test all new Group Policy configurations or deployments in a non-production environment before you move them into your production environment. This process ensures that the policy settings contained in a GPO produce the expected results for the intended users and computers in Active Directory environments.

As a best practice for managing Group Policy implementations, we recommend that you stage Group Policy deployments by using the following pre-deployment process:

  • Deploy new GPOs in a test environment that reflects the production environment as closely as possible.

  • Use Group Policy Modeling to evaluate how a new GPO will affect users and interoperate with existing GPOs.

  • Use Group Policy Results to evaluate which GPO settings are applied in the test environment.

For more information, see “Using Group Policy Modeling and Group Policy Results to evaluate Group Policy settings” in the Group Policy Planning and Deployment Guide (

Involving key stakeholders

Group Policy deployments in enterprises are likely to have cross-functional boundaries. As part of preparing for your deployment, it is important to consult key stakeholders from the various functional teams in your organization and ensure they participate during the analysis, design, test, and implementation phases, as appropriate.

Make sure that you conduct reviews of the policy settings that you plan to deploy for managing the Office 2010 applications with your organization's security and IT operations teams to ensure that the configurations suit the organization and that you apply as strict a set of policy settings as necessary to protect the network resources.