admin007
asked on
Update IE Ratings registry key via logon script in group policy
I am using ratings in internet explorer to prevent users from accessing unauthorized websites. I have found that if I creat e a reg file of that key, I can take it to all other machines and apply it. I would like to have the file in one central location on the server so that i may update it and use group policy \user configuration \ windows settings \ Scripts (logon \ logoff) to perform this task. I am not familiar with creating logon scripts either.
Thanks,
Mark
Thanks,
Mark
If your using Group Policies just load the template for IE and place those sites in the policy. It will distribute them for you.
ASKER
How do you load the template? It seems to give me the option of setting it up but then it modifies my server and applies it to the server as if what I am really doing is modifying the server IE settings. I dont want the server to have the same restrictions.
Mark
Mark
Whooaa! To access group policy you neeed to figure out where you are going to apply it. At the domain level or at an OU level. Most will be at an OU level. So create an OU, right click on the OU go to properties. Go to Group Policy, Add, Global Policy, Edit, Right-Click Administrative Template, Add-Remove Templates, Add, select all and Add. Now your on your way.
ASKER
I went to properties of the OU (San Rafael) and created a new Group Policy called Terminals and modified that policy. Terminals[d3server.watersa
Thanks,
Mark
Thanks,
Mark
No I have seen this before, while modifying these. My reaction was however intentional. Make absolutely sure that those policies will in no way be associated with the administrator or the server. In fact it is a good idea to document any settings that are restrictive and create a backup administrator account with a group policy that is the converse of any restrictive settings.
ASKER
My workaround is I exported the ratings registry key with restrictions and without restrictions and created a batch file which I place in their profiles. When an authorized user logs in it runs the batch file which deletes the existing key and inserts the new one. The same occurs with a restricted user except it deletes then adds the reg key with the modifications. When I want to add or remove sites, I go to one of the machines make the modifications, export the registry key and place it on the server so that all systems update via one file. This reg key does not require a reboot to be applied correctly and can be applied while in internet explorer. I created a noaccess.rat which prevents access to all sites except those in the allowed list. Do you have a better solution?
Thanks,
Mark
Thanks,
Mark
ASKER
My workaround is I exported the ratings registry key with restrictions and without restrictions and created a batch file which I place in their profiles. When an authorized user logs in it runs the batch file which deletes the existing key and inserts the new one. The same occurs with a restricted user except it deletes then adds the reg key with the modifications. When I want to add or remove sites, I go to one of the machines make the modifications, export the registry key and place it on the server so that all systems update via one file. This reg key does not require a reboot to be applied correctly and can be applied while in internet explorer. I created a noaccess.rat which prevents access to all sites except those in the allowed list. Do you have a better solution?
Thanks,
Mark
Thanks,
Mark
That's a pretty good way to accomplish your solution, but you really should work with the policies. They will centralize all this kind of adminsitration for you.
My concern expressed above is I have seen techs start playing with policies, and they end up applying them to a server or an administrator group inadvertently. It's not much different to a tech taking all administrator rights away from a file and explicitly giving ownership and rights of that file to an individual. Policies are extremely powerful, I just wanted to make that point. I think you should give them another chance if you have the time.
My concern expressed above is I have seen techs start playing with policies, and they end up applying them to a server or an administrator group inadvertently. It's not much different to a tech taking all administrator rights away from a file and explicitly giving ownership and rights of that file to an individual. Policies are extremely powerful, I just wanted to make that point. I think you should give them another chance if you have the time.
ASKER
I would like to stick with group policy. Yes you are right. I have found it to be very powerful. I have found it useful for restricting users capabilities on the machines. I just can't figure out how to apply registry keys or batch files through the policy.
Thanks,
Mark
Thanks,
Mark
If you import (add) the proper templates into GPs there is not much you can't do. I do agree with regard to registry keys and other batch files. I try to put what I can in the policies, even logon and logoff scripts. Lots of testing. I still end up using a lot of the old methods to get stuff done. I think there will come a time when they will incorporate custom registry changes in them as well.
ASKER
I know you can create a logon script in Group Policy, so I tried adding the batch file to that location, but it did not work. Is the logon script in Group Policy different then a batch file? Do I have to write a script to run the batch file and if so what scripting language does it use?
Thanks,
Mark
Thanks,
Mark
ASKER
Location:User Configuration/Windows Settings/Scripts(Logon/Log
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Mark.. glad I could be of some help. Thanks, MSGeek.