Because so many viruses and worms exploit macros and Visual Basic for Applications (VBA) support in Microsoft Office applications, I'd like to lock down Office for most of our employees, who don't use macros or VBA. How can I do so without manually configuring each workstation? Our domain is Windows 2000 Active Directory (AD), and all our workstations run Windows XP.
You need to install administrative templates from the Microsoft Office XP Resource Kit into your Group Policy Objects (GPOs) in AD. Download the Office XP Resource Kit tools (orktools.exe) from http://www.microsoft.com/office/ork/xp/appndx/appc00.htm and open the file, which opens the Microsoft Office XP Resource Kit Tools Setup wizard. Select Add or Remove Features and click Next. In the Features to install list, clear everything except System Policy Editor & Office Policy Templates. Click Update and finish the setup.
Next, open a GPO linked to an organizational unit (OU) that contains all the users for whom you want to lock down Office. For example, if your restricted users are in an OU called RestrictedUsers, right-click that OU, select Properties, then select the Group Policy tab on the Properties window. Click New, rename the GPO to MS Office Lockdown Policies, and click Edit. Right-click User Configuration, Administrative Templates, and select Add/Remove Templates. In the Add/Remove Templates window, click Add and select OFFICE10.ADM and the template for each Office product installed on your user workstations, as Figure 1 shows. Click Open, then click Close.
Back on the Group Policy window, select User Configuration, Administrative Templates, Microsoft Office XP, Security Settings, and enable Disable VBA for Office applications. Next, select User Configuration, Administrative Templates, Microsoft Word 2002, Tools, Macro, Security, then double-click Security level in the details pane. Enable the policy and set the security level to High. Click OK.
Repeat the process to set the macro security level to High for the other installed Office products. Now, AD will automatically configure all the users in the RestrictedUsers OU with high-level macro security and will disable VBA.