Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, June 1, 2016 2:26 AM | 2 votes
Deny users from changing word font using gpo
Outlook Group Policy across Outlook versions
Recently, we have received some threads above about how to use Group Policy to configure and enforce settings for Microsoft Office. For the convenience of readers who are interested in Office Group Policy, I would like to pull all of these information together and provide a brief summary as below, hope these help.
Before we begin, please make sure you have a basic understanding of Group Policy as below:
Group Policy Management Console
Loading .ADMX templates and manage Office with the built-in settings
ADMX files are XML-based administrative template files that contain the registry-based/built-in policy settings. To configure and enforce settings for Microsoft Office, you will first need to download and import Office .ADMX templates into the Group Policy Editor. Then you can create GPOs based on these templates.
Refer to these articles for more details on how to manage Office with the built-in policy settings:
Overview of Group Policy for Office 2013
Use Group Policy to enforce Office 2010 settings
Disable built-in UI commands by using the Control IDs
“But what if we don’t have built-in policy settings for some options/buttons, and you still would like to disable them?”
As mentioned in thread “Deny users from changing word font using gpo”, <Robert> would like to disable the “Font” option in Word, but we don’t have a built-in option for this purpose. We suggested accomplishing it via the "Disable Items in User Interface" policy setting with the correct “Control IDs”:
Police setting path:User Configuration>Administrative Template>Microsoft Word 2013>Disable Items in User Interface>Custom>Disable commands
Before starting enabling the “Disable command bar buttons and menu items” Group Policy Setting, we need to know the Control IDs for that specific Ribbon item.
“Where can I find the Control IDs?”
You can download the spreadsheets via these links:
Office 2016 Help Files: Office Fluent User Interface Control Identifiers
Office 2013 Help Files: Office Fluent User Interface Control Identifiers
Office 2010 Help Files: Office Fluent User Interface Control Identifiers
As we mentioned in the thread, we need to enter the Controls IDs we found into the policy setting in GPE and save the changes. After you refresh the Group Policy by running “Gpupdate /force” command, the Font Options in Word will be greyed out:
Enforce settings by pushing out the associated registry key
If you go through the “Help Files” we shared above, you maybe notice that there are only Control IDs for options, buttons in the Ribbon, Backstage and other menus and toolbars.
“So what about other settings, for example those settings under File>Options? If there are no built-in policy settings exist for them, can I still manage them by means of Group Policies?”
We can achieve the goal via Group Policy as well – by using “Group Policy Preference” to create related registry keys on the client machine directly.
In the first section of this discussion, when we introduce the .ADMX files, we mentioned “…files that contain the registry-based/built-in policy settings.”, the “registry-based” means that each policy setting will generate a registry key on the client machine. That’s how policy settings control UI components for you.
More information about registry-based Group Policy: https://msdn.microsoft.com/en-us/library/bb742499.aspx
For example, for the first case, the “Disable Items in User Interface” will create these registry keys on the client machine:
So, for this one, instead of using the Control IDs, we can also accomplish this by creating the following registry keys on the client machine with GPP directly:
Key path: HKEY_CURRENT_USER\Software\Policies\Microsoft\office\xx.0\outlook\disabledcmdbaritemslist
(Replace xx with the version of Outlook: Outlook 2013 is 15; Outlook 2010 is 14; 2007 is 12.)
Value name: TCIDn (n is the order in which the command was entered.)
Value data: <Control Ids>
For example:
For more information about how to create registry keys by using GPP, please refer to this article: https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx
“How do you find the associated registry keys? It seems hard to find some of them by just searching over the net.”
In the second thread we shared above (Outlook 2013 GPO), the support engineer was trying to use the “Process Monitor” to capture the actual registry key that is associated with a specific option.
“Process Monitor*”* is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity, we can use it to capture registry changes for our use.
Process Monitor v3.2: https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
How to manage multiple versions of Office in an environment
If you are an admin of an enterprise environment, you might have the same question as <Sandy> asked in the third thread shared above (Outlook Group Policy across Outlook versions):
“How to centrally manage multiple versions of Office clients in the environment?”
There are separate sets of administrative templates for each version of Office, aka version-specific. Each of them will generate registry keys under different sub-keys (for example, ...\Office\15.0\.. and ...\Office\16.0\..). Here are the steps for your reference.
- Download all the required versions of .ADMX templates, then
- Follow the instructions mentioned in the first section of this discussion to import them. Then,
- Create separate GPOs based on each version of .ADMX templates for all versions of Office installation in your environment.
If your users account or computers are located in a relatively flat structure instead of specific OU’s, there are two ways to centrally manage multiple versions of Office clients:
- When applying the GPOs, you can create some WMI filters to detect each office version to limit each policy. WMI filters can be used to add a decision on when to apply a given group policy. More reference about WMI filters: https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/
- Manage the users in specific OU’s according to the Office version that they are using, then only link specific GPO to corresponding OU’s. However, in this way, whenever a user upgrades his/her Office client, or switch to a computer with a different version of Office installed, you will need to adjust his/her OU info, which might affect other settings in your environment if you have a complex OU structure.
And if you need further assistance on the domain-based GPO management, we suggest you post them on the dedicated Group Policy forum: https://social.technet.microsoft.com/Forums/office/en-US/home?forum=winserverGP