techlinden
asked on
Does Group Policy reset IE's or IIS's saved passwords or inherited logons?
We have a corporate Intranet running on IIS 6.0 and IE 6 on the desktop side. This morning I added a new GPO, and as it pushes out it seems to be resetting my users' inherited Intranet logons. All they have to do is log in once, and the problem is resolved. But does anyone know why this is happening? Does a new GPO usually cause this? It has happened to me before.
Thanks in advance!
Pat L
ASKER
the only thing i added to the new policy was disabling outlook 03 from asking to empty deleted items upon exit
and thanks!
Then this should not affect IE or IIS settings.
Install the GPMC http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en and use it to pull GP modeling against a computer you are having problems with; this will show what policies and settings are affecting the computer/user.
eb
ASKER
Thanks. Done that already. Using GPMC. Also checked with gpresult at a few consoles. The policy is coming down fine, and functioning as it should. But still kicking out inherited passwords. ONLY once. Once I have the user log back in, everything is back to normal. Just want to see why and how I can prevent this in the future.
Thanks for your feedback
Again, the settings you say you set in the GP should not affect IE or IIS at all. Can you send a list of the settings applied to a computer/user as shown in GPMC?
eb
ASKER
OK, as requested, here is the report. The only thing that was changed, like I said, was the Outlook03 deleted items policy. Thanks again for checking this out.
Standard Agent
Data collected on: 8/12/2008 10:42:11 AM
General
Details
Domain lindentvl.com
Owner LINDENTVL\Domain Admins
Created 12/2/2007 6:48:24 PM
Modified 8/11/2008 11:29:36 AM
User Revisions 24 (AD), 24 (sysvol)
Computer Revisions 36 (AD), 36 (sysvol)
Unique ID {91C117C1-F773-4CCD-AD20-10E7587F5AB5}
GPO Status Enabled
Links
Location Enforced Link Status Path
lindentvl Yes Enabled lindentvl.com
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
LINDENTVL\Group Policy 909 Agents
LINDENTVL\Group Policy Computers All 909
WMI Filtering
WMI Filter Name None
Description Not applicable
Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
LINDENTVL\Domain Admins Edit settings, delete, modify security No
LINDENTVL\Enterprise Admins Edit settings, delete, modify security No
LINDENTVL\Group Policy 909 Agents Read (from Security Filtering) No
LINDENTVL\Group Policy Computers All 909 Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
Computer Configuration (Enabled)
Windows Settings
Security Settings
Account Policies/Account Lockout Policy
Policy Setting
Account lockout duration 30 minutes
Account lockout threshold 5 invalid logon attempts
Reset account lockout counter after 30 minutes
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success, Failure
Local Policies/Security Options
Network Access
Policy Setting
Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves
Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Administrative Templates
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting
Windows Firewall: Protect all network connections Disabled
Network/Network Connections/Windows Firewall/Standard Profile
Policy Setting
Windows Firewall: Allow Remote Desktop exception Enabled
Allow unsolicited incoming messages from:
Syntax:
Type "*" to allow messages from any network, or
else type a comma-separated list that contains
any number or combination of these:
IP addresses, such as 10.0.0.1
Subnet descriptions, such as 10.2.3.0/24
The string "localsubnet"
Example: to allow messages from 10.0.0.1,
10.0.0.2, and from any system on the
local subnet or on the 10.3.4.x subnet,
type the following:
10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24
Policy Setting
Windows Firewall: Protect all network connections Disabled
System/Group Policy
Policy Setting
Group Policy refresh interval for domain controllers Enabled
This setting allows you to customize how often Group Policy is applied
to domain controllers. The range is 0 to 64800 minutes (45 days).
Minutes: 60
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 90
Policy Setting
Scripts policy processing Enabled
Allow processing across a slow network connection Enabled
Do not apply during periodic background processing Disabled
Process even if the Group Policy objects have not changed Disabled
Policy Setting
Turn off background refresh of Group Policy Disabled
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy Setting
Automatically check for Internet Explorer updates Disabled
Windows Components/Windows Installer
Policy Setting
Disable Windows Installer Enabled
Disable Windows Installer For non-managed apps only
Policy Setting
Prohibit User Installs Enabled
User Install Behavior: Prohibit User Installs
Windows Components/Windows Update
Policy Setting
Allow Automatic Updates immediate installation Disabled
Allow non-administrators to receive update notifications Enabled
Automatic Updates detection frequency Enabled
Check for updates at the following
interval (hours): 12
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 3 - Auto download and notify for install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
Policy Setting
No auto-restart for scheduled Automatic Updates installations Enabled
Re-prompt for restart with scheduled installations Disabled
Reschedule Automatic Updates scheduled installations Disabled
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://tech
Set the intranet statistics server: http://tech
(example: http://IntranetUpd01)
User Configuration (Enabled)
Windows Settings
Security Settings
Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
Administrative Templates
Microsoft Office Outlook 2003/Tools | Options.../Other
Policy Setting
Empty Deleted Items Folder Enabled
Empty the Deleted Items folder upon exiting Enabled
Microsoft Office Outlook 2003/Tools | Options.../Other/Advanced
Policy Setting
More Options Enabled
Warn before permanently deleting items Enabled
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting State
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ListBox_Support_ZoneMapKey 1
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey\*.lindentravel.com 2
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey\*.lindentvl.com 2
OK, there is nothing in there that would reset stored passwords in IE, so I don't think it is your GP that caused the problem.
Are the passwords continuing to be removed or once a user stores the info again is it still there next time they log in?
eb
ASKER
Once the user logs in again, IE holds the credentials as usual. Just seemed strange; the ONLY change I made was to the policy.
I have no idea why that policy would have wiped out stored credentials, but as long as they are staying after logging back in then I think you are OK.
ASKER
Yes, seems OK now. This has happened before, but I never pinned it on GP. I'll give it a day or 2 and see how things go. I appreciate your time and effort!
What caused it before? Do you know?
eb
ASKER
Not sure at all. Seems to happen every couple of months, and JUST the intranet site hosted in IIS. Everything else is fine.
ASKER
Doesn't seem to be a GP issue. Thanks for your help.
eb