• Status: Solved

"The recommended security level for this zone is "High".

Something within my SBS domain is enforcing a policy that's disallowing any user (including Domain Admins) with any profile from editing the IE security settings. Additionally, no one can successfully load the CompanyWeb page without being prompted to enter their domain username and password. This is a similar problem to:

http://www.experts-exchange.com/Operating_Systems/SBS_Small_Business_Server/Q_21813200.html

Only problem is, this is a different SBS, domain, network etc...

Any ideas? I suspect it's a recent patch for Windows as it's only recently started behaving in this way, except I've not changed the default policies or introduced any new ones!
Asked by: DReade83

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
If users are being prompted to reenter domain username and password, and considering we haven't resolved your other issue, I'm thinking that you are manually creating users and placing them in Active Directory OUs other than the default MyBusiness/Users/SBSUsers OU.

Are you using the Add-User wizard and a default User template?

Jeff
TechSoEasy

DReade83 (Author) commented:
Hi Jeff,

I am using the Add-User wizard and my account is in the MyBusiness/Users/SBSUsers OU.

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Actually, I realized that I haven't reviewed an IPCONFIG /ALL from your other problem... so it's most likely the way you are configuring the network settings.

Please post an IPCONFIG /ALL from the server as well as a workstation.

Thanks.

Jeff
TechSoEasy
 
DReade83 (Author) commented:
Server:

   Host Name . . . . . . . . . . . . : rsbs1
   Primary Dns Suffix  . . . . . . . : davidreade.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : davidreade.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-13-72-08-92-5E
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.1.80
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 10.1.1.50
   DNS Servers . . . . . . . . . . . : 10.1.1.80
   Primary WINS Server . . . . . . . : 10.1.1.80

Workstation:

        Host Name . . . . . . . . . . . . : pc2
        Primary Dns Suffix  . . . . . . . : davidreade.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : davidreade.local
                                            davidreade.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : davidreade.local
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-40-B9-CB-BF-00
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.1.11
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.1.1.50
        DHCP Server . . . . . . . . . . . : 10.1.1.80
        DNS Servers . . . . . . . . . . . : 10.1.1.80
        Primary WINS Server . . . . . . . : 10.1.1.80
        Lease Obtained. . . . . . . . . . : 19 April 2006 18:07:30
        Lease Expires . . . . . . . . . . : 27 April 2006 18:07:30

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Well, other than using a Class A subnet on a small business network (where a Class C is just fine and preferred), all of that looks okay.

Can you access the \\rsbs1\netlogon and \\rsbs1\sysvol shares from a workstation without getting any errors?

Also please review the system and application event logs on a workstation and report any constant errors with event ID #.  

Jeff
TechSoEasy

DReade83 (Author) commented:
I can access both shares on the workstation no problem and there are no errors in EventVwr either.

I've also checked the local security and group policies and found the IE Zones to be "Not configured" for both user and computer config.

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Actually I've just found out about this issue on another network that I manage.  It's not coming from SBS's Group policy, it came from this patch:  http://support.microsoft.com/kb/891781

Whether or not you want to change the settings is up to you... an overview of how is here:
http://support.microsoft.com/kb/182569

Jeff
TechSoEasy

DReade83 (Author) commented:
I can't see it being the patch. I've just managed to login using the Administrator logon and open the CompanyWeb page no problem, without being prompted for the username and password. I've removed the patch, but the same issue stands. I've also adjusted the registry settings to force the Internet Zone to be medium, which is now the case, but still I'm being prompted to enter my username and password for the one user!

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
If it's just the one user, then in the Server Management Console, click the "change user permissions" link.  Select the appropriate template that you used for this user (leaving the "replace" option selected), and click next, then select the user that is having the problem, and finish out the wizard.

This should correct your problem.  Please advise if it doesn't.

Jeff
TechSoEasy

DReade83 (Author) commented:
Unfortunately, that didn't work. I'm having the same problem. Does it make any difference I'm using Roaming Profiles?

DReade83 (Author) commented:
I think I've found the problem...

About 2 weeks ago I logged on to the server accidentally with my roaming profile, then logged off. Since then up to now I've not used IE, because I use Firefox instead. Now I know that SBS and Windows Server have the Internet Explorer Enhanced Security Configuration installed by default which, on the server, sets the minimum Internet zone to High. I've also noticed the CompanyWeb on the server is in the Local Intranet group.

I have tried testing my theory that the roaming profile has somehow saved the same security config when I've logged off that time by removing the CompanyWeb on the server from the Local Intranet group. When refreshing the page, I'm being prompted as the Administrator account to enter my domain username and password. When I add the web address back into the Sites part of the group and refresh, I'm being logged straight in.

This means I can log on to the CompanyWeb on my client by ensuring it's in the Local Intranet group.

However, it doesn't solve the issue with the Internet zone being set to High on the client. If I try to alter this setting on both the client and the server, I get the same error message (as the title of this topic).

The previous topic I made recently about a similar issue was actually happening to my brother, who made the same mistake as me, logging on to his server with his roaming profile and logging out again.

Does this mean to eradicate the problem we would have to remove the IEESC addon from the server, log on with the roaming profile, log off again and reinstall the addon? Or is there a quicker way around this, i.e. changing the registry?

Another thing, would using the File and Settings & Office 2003 Settings Wizards be a quicker way? Additionally, by using the wizard, would this transfer the security configuration?

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
The link I provided above (http://support.microsoft.com/kb/182569) will show you how to make these changes in the registry, which is where they should be changed.  You should also change the Roaming profile settings to delete cached copies of the profiles (http://support.microsoft.com/kb/274152).

You'll note that in the Roaming Profiles section of http://sbsurl.com/postinstall it is recommended that you DON'T include Application Data (along with not including My Documents and the Desktop).  Your security cache is kept in Application Data, and that is one of the reasons you shouldn't include that folder in the roaming profile.  I think roaming profiles are more trouble than they are worth on an SBS.  The main reason they are used in the enterprise space is so that users will get the same desktop, files, etc when they log into Terminal Services as they have on their own machine.  But since SBS uses Remote Web Workplace to take them to their actual machine instead of a Terminal Session, there is no benefit to using a roaming profile.

Jeff
TechSoEasy
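
A read-only way to confirm the diagnosis reached in this thread, added here as a PowerShell example that is not part of any post above: it reads the per-user zone values described in KB 182569 (CurrentLevel, MinLevel, RecommendedLevel) and the zone site mappings from the profile of whoever runs it. The IEHarden value and the EscDomains key are what IE Enhanced Security Configuration uses in the user hive; the function names are hypothetical.

```powershell
# Added example: inspect the IE zone settings carried in the current user's profile.
# Nothing is written; run it as the affected user on the client and on the server.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Level codes as listed in KB 182569.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x12000 = 'High' }

function Get-LevelName([object]$value) {
    if ($null -eq $value) { return '(not set)' }
    $v = [int]$value
    if ($levelNames.ContainsKey($v)) { return $levelNames[$v] }
    return ('custom (0x{0:X})' -f $v)
}

function Get-IEZoneReport {
    # IEHarden = 1 means the profile holds Enhanced Security Configuration settings.
    $zoneMap  = Get-ItemProperty -Path "$base\ZoneMap" -ErrorAction SilentlyContinue
    $hardened = [bool]($zoneMap -and $zoneMap.IEHarden -eq 1)
    $labels   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
    foreach ($zone in 1, 3) {
        $z = Get-ItemProperty -Path "$base\Zones\$zone" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Zone        = $labels[$zone]
            Current     = Get-LevelName $z.CurrentLevel
            Minimum     = Get-LevelName $z.MinLevel          # lowest level allowed without the warning
            Recommended = Get-LevelName $z.RecommendedLevel
            IEHarden    = $hardened
        }
    }
}

function Get-IEZoneSiteMap {
    # Sites assigned to a zone; EscDomains is the list used while IE ESC is active.
    foreach ($branch in 'Domains', 'EscDomains') {
        Get-ChildItem -Path "$base\ZoneMap\$branch" -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                foreach ($proto in ($key.GetValueNames() | Where-Object { $_ })) {
                    [pscustomobject]@{
                        Branch = $branch; Site = $key.PSChildName   # leaf key name only
                        Protocol = $proto; Zone = $key.GetValue($proto)
                    }
                }
            }
    }
}

Get-IEZoneReport  | Format-Table -AutoSize
Get-IEZoneSiteMap | Format-Table -AutoSize
```

A workstation profile that reports Minimum = High for the Internet zone together with IEHarden = True matches the situation described above, where server-side ESC settings travelled with the roaming profile.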