
Using Group Policy settings to manage Office on virtual desktops

Application management can be tricky in VDI environments, but Group Policy settings give IT a flexible way to manage apps, such as Microsoft Office, on virtual desktops. Here’s how.

Network administrators use a variety of techniques for deploying, configuring and managing applications in a virtual desktop environment. In the case of Microsoft Office, your best approach might be to use Group Policy settings.

The main reason Group Policy-based configuration works so well for Microsoft Office in a VDI environment has to do with flexibility. You never know when your needs are going to change, and Group Policy settings allow you to centrally manage Microsoft Office configurations without permanently locking you in to any one configuration. If your needs change, you can simply modify Group Policy settings and the configuration changes will be applied to all of your virtual desktops. There is no need to individually reconfigure each virtual desktop, nor do you have to create and deploy a new virtual desktop image.

The other nice aspect of Group Policy management for Microsoft Office is that you can implement security and configuration settings through the Group Policy Object Editor that would otherwise only be possible through editing the registry. Registry edits are dangerous in that there can be disastrous consequences if you happen to make a mistake. Using the Group Policy Object Editor takes the danger out of securing and configuring Microsoft Office deployments.

Windows Server does not natively include the Group Policy settings necessary for configuring Microsoft Office, so you have to download the Microsoft Office-specific Administrative Templates and add them to Active Directory. The Administrative Templates for Microsoft Office are version- and edition-specific, so you'll need separate templates for Office 2007 and Office 2010. There is only one template for Office 2007, but Microsoft offers both a 32-bit template and a 64-bit template for Office 2010, which include the Office Customization Tool.

The Office Customization Tool
The Office Customization Tool for deploying Office 2010 lets you perform customized deployments in a consistent manner. This tool is necessary because the Administrative Templates for Office don't have anything to do with the initial deployment. They are used solely for controlling the way Microsoft Office is configured.

The Administrative Templates contain hundreds, if not thousands, of different configuration settings. For example, you could use the Administrative Templates to prevent users from opening files from unsafe locations from within protected view. Microsoft provides a spreadsheet that references all of the available configuration settings. It is available on the Office 2010 Administrative Template download page, and it is also bundled with the Administrative Templates themselves.

Deploying the Administrative Templates
The Administrative Templates for Office 2010 are encapsulated in an executable file. When you run this file, Windows will extract the Administrative Templates and the Office Customization Tool to a folder of your choosing. When the extraction process completes, the templates will be arranged into three folders, as shown in Figure A (below). As you can see, the extraction process also creates a copy of the reference spreadsheet that was mentioned earlier.

The templates themselves are made up of three main file types. ADM files are legacy template files that should only be used if your virtual desktops are running Windows XP. ADMX files are XML-based template files, and are used for Windows Vista and Windows 7 desktops. You will also find ADML files, which are language-specific versions of the template files. There are separate template files for each Microsoft Office program, such as Word and Excel.

Since you will be using the templates to manage virtual desktops that are presumably all domain members, you will have to create a central store on your primary domain controller (the first domain controller that was brought online within the domain).

Copy all of the ADMX files to the domain controller's %systemroot%\sysvol\domain\policies\PolicyDefinitions folder. You usually have to create the PolicyDefinitions folder yourself. Next, copy the ADML files from the \ADMX\EN-US folder to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\EN-US folder.
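The copy steps above can be scripted so that the central store is populated the same way every time. The following PowerShell is an added example, not part of the original article; it is meant to be run on the domain controller, and the `$Source` default is an assumed extraction folder. It refuses to copy if any ADMX file lacks its language file and confirms by hash that each copy in SYSVOL matches the extracted original.

```powershell
# Added example: populate the Group Policy central store from the extracted
# Office templates. Run on the domain controller with rights to write SYSVOL.
param(
    [string]$Source  = 'C:\OfficeTemplates\ADMX',  # assumed extraction folder
    [string]$Store   = "$env:SystemRoot\sysvol\domain\policies\PolicyDefinitions",
    [string]$Culture = 'en-US'
)

$ErrorActionPreference = 'Stop'

$langSource = Join-Path $Source $Culture
$langStore  = Join-Path $Store  $Culture

$admx = @(Get-ChildItem -Path $Source     -Filter '*.admx' -File)
$adml = @(Get-ChildItem -Path $langSource -Filter '*.adml' -File)
if ($admx.Count -eq 0) { throw "No .admx files found in $Source" }

# Each ADMX needs a matching ADML resource file; without it the Group Policy
# editor reports a missing-resource error when it loads the template.
$missing = @($admx | Where-Object {
    -not (Test-Path (Join-Path $langSource ($_.BaseName + '.adml')))
})
if ($missing.Count -gt 0) {
    throw "No $Culture .adml for: $($missing.Name -join ', ')"
}

# PolicyDefinitions usually does not exist yet. -Force creates it together
# with the language subfolder and does nothing if both are already present.
New-Item -ItemType Directory -Path $langStore -Force | Out-Null

Copy-Item -Path $admx.FullName -Destination $Store     -Force
Copy-Item -Path $adml.FullName -Destination $langStore -Force

# Confirm every file in the central store matches the extracted original.
foreach ($file in $admx + $adml) {
    $destDir = if ($file.Extension -eq '.admx') { $Store } else { $langStore }
    $copy    = Join-Path $destDir $file.Name
    if ((Get-FileHash $file.FullName).Hash -ne (Get-FileHash $copy).Hash) {
        throw "Hash mismatch after copy: $copy"
    }
}

'Copied {0} ADMX and {1} ADML files to {2}' -f $admx.Count, $adml.Count, $Store
```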

The Administrative Template files will be automatically detected in these locations when you open your domain security policy. As you can see in Figure B (below), there are separate templates shown within the Group Policy Editor for each Microsoft Office product. Most of the available settings apply to the user configuration, but there are some computer-specific settings available for InfoPath, PowerPoint, Visio and for Office 2010 as a whole.

As you can see, using Group Policy settings to configure Microsoft Office is a great way to maintain flexibility. If your policy needs change, then you can simply modify the appropriate Group Policy settings and your changes will be applied to all of your virtual desktops. 


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
