?
Solved

Update IE Ratings registry  key  via logon script in group policy

Posted on 2003-03-27
14
Medium Priority
?
3,806 Views
Last Modified: 2007-12-19
I am using ratings in internet explorer to prevent users from accessing unauthorized websites.  I have found that if I creat e a reg file of that key, I can take it to all other machines and apply it.  I would like to have the file in one central location on the server so that i may update it and use group policy \user configuration \ windows settings \ Scripts (logon \ logoff) to perform this task.  I am not familiar with creating logon scripts either.

Thanks,

Mark
0
Comment
Question by:admin007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
14 Comments
 
LVL 9

Expert Comment

by:MSGeek
ID: 8255786
If your using Group Policies just load the template for IE and place those sites in the policy.  It will distribute them for you.
0
 

Author Comment

by:admin007
ID: 8256269
How do you load the template?  It seems to give me the option of setting it up but then it modifies my server and applies it to the server as if what I am really doing is modifying the server IE settings.  I dont want the server to have the same restrictions.

Mark
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8256476
Whooaa!  To access group policy you neeed to figure out where you are going to apply it.  At the domain level or at an OU level.  Most will be at an OU level.  So create an OU, right click on the OU go to properties.  Go to Group Policy, Add, Global Policy, Edit, Right-Click Administrative Template, Add-Remove Templates, Add, select all and Add.  Now your on your way.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:admin007
ID: 8257722
I went to properties of the OU (San Rafael) and created a new Group Policy called Terminals and modified that policy. Terminals[d3server.watersavers.local]Policy.  I went to User Configuration, Internet Explorer Maintenance, Security, Security Zones and Content Ratings and selected Import the current Content Ratings settings.  Whenever I modified this it modified it for the server so I went back to the original state.  Did I make a wrong move here? Or is there something else I need to do.

Thanks,

Mark
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8257803
No I have seen this before, while modifying these.   My reaction was however intentional.  Make absolutely sure that those policies will in no way be associated with the administrator or the server.  In fact it is a good idea to document any settings that are restrictive and create a backup administrator account with a group policy that is the converse of any restrictive settings.
0
 

Author Comment

by:admin007
ID: 8258761
My workaround is I exported the ratings registry key with restrictions and without restrictions and created a batch file which I place in their profiles.  When an authorized user logs in it runs the batch file which deletes the existing key and inserts the new one.  The same occurs with a restricted user except it deletes then adds the reg key with the modifications.  When I want to add or remove sites, I go to one of the machines make the modifications, export the registry key and place it on the server so that all systems update via one file.  This reg key does not require a reboot to be applied correctly and can be applied while in internet explorer.  I created a noaccess.rat which prevents access to all sites except those in the allowed list.  Do you have a better solution?

Thanks,

Mark
0
 

Author Comment

by:admin007
ID: 8259197
My workaround is I exported the ratings registry key with restrictions and without restrictions and created a batch file which I place in their profiles.  When an authorized user logs in it runs the batch file which deletes the existing key and inserts the new one.  The same occurs with a restricted user except it deletes then adds the reg key with the modifications.  When I want to add or remove sites, I go to one of the machines make the modifications, export the registry key and place it on the server so that all systems update via one file.  This reg key does not require a reboot to be applied correctly and can be applied while in internet explorer.  I created a noaccess.rat which prevents access to all sites except those in the allowed list.  Do you have a better solution?

Thanks,

Mark
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8261048
That's a pretty good way to accomplish your solution, but you really should work with the policies.  They will centralize all this kind of adminsitration for you.

My concern expressed above is I have seen techs start playing with policies, and they end up applying them to a server or an administrator group inadvertently.  It's not much different to a tech taking all administrator rights away from a file and explicitly giving ownership and rights of that file to an individual.  Policies are extremely powerful, I just wanted to make that point.  I think you should give them another chance if you have the time.
0
 

Author Comment

by:admin007
ID: 8261922
I would like to stick with group policy. Yes you are right.  I have found it to be very powerful.  I have found it useful for restricting users capabilities on the machines.  I just can't figure out how to apply registry keys or batch files through the policy.

Thanks,

Mark
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8262176
If you import (add) the proper templates into GPs there is not much you can't do.  I do agree with regard to registry keys and other batch files.  I try to put what I can in the policies, even logon and logoff scripts.  Lots of testing.  I still end up using a lot of the old methods to get stuff done.  I think there will come a time when they will incorporate custom registry changes in them as well.
0
 

Author Comment

by:admin007
ID: 8263905
I know you can create a logon script in Group Policy, so I tried adding the batch file to that location, but it did not work.  Is the logon script in Group Policy different then a batch file?  Do I have to write a script to run the batch file and if so what scripting language does it use?

Thanks,

Mark
0
 

Author Comment

by:admin007
ID: 8263932
Location:User Configuration/Windows Settings/Scripts(Logon/Logoff)Logon
0
 
LVL 9

Accepted Solution

by:
MSGeek earned 300 total points
ID: 8264341
Mark.. if you place the batch file in a public share like sysvol and then place the unc path under the logon script it should run.  Let me know if it does not.  Remember you have some authentication issues during logon, they have to have rights to read the file.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 9033088
Mark.. glad I could be of some help.  Thanks, MSGeek.
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Ever wonder what it's like to get hit by ransomware? "Tom" gives you all the dirty details first-hand – and conveys the hard lessons his company learned in the aftermath.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question