Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

A GPO is Linked at the Domain level that controls IE7 Trusted Sites Zone content via User Configuration settings but does not seem to be processing correctly to all domain accounts. Why?

Posted on 2008-10-30
7
479 Views
Last Modified: 2013-12-08
We have a W2K3 Domain in Native mode. OS is W2K3 Srvr Ent. SP2 with R2. There is a GPO that is linked at the Domain level with ENFORCED enabled. The primary function of this GPO is to control the contents of the Trusted Sites Zone within IE7 via the User Configuration settings within the GPO. Within the GPO, some Computer Configuration settings have been configured however; the entire Computer Configuration settings section has been disabled. The trusted sites were implemented via the Site to Zone assignments list within the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List and assigned a value of 2 which is supposed to add them to the Trusted Sites zone within IE7.

My problem comes from the fact that, on several server class machines within my domain the GPO appears to be applied (seen via the gpresult output) but in actuality the settings do not take place.

I have attempted logon with several different accounts that have Domain level administrative credentials and each reports via gpresult that the settings have been applied and yet when I go to check the contents of the Trusted Sites Zone, the assigned sites from the GPO are not there.

The exact same accounts have been used on other server and workstation class machines and have worked appropriately.  

I am completely at a loss for how to proceed forward in the troubleshooting train.

Any help is appreciated.
0
Comment
Question by:otifrank
  • 4
  • 3
7 Comments
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22839986
hmm try not clicking ENFORCE and tick the LINKED box...and link it to the computers/groups/users within your domain..

also check to see if they have the policy applied or denied..click the GPO and then click on the delegation tab..at the bottom left is a button for advanced.. click that and then this will show u all the users/groups and if they have the policy applied or denied  (this is at the bottom of the list i think)
0
 

Author Comment

by:otifrank
ID: 22842896
In this situation, ENFORCED will eventually be required. For now, I have removed ENFORCED and Linked the GPO to the OU where the user account lives. This has resulted in the output of the GPRESULT now showing that the GPO has been applied twice and yet, it still doesn't work.

I checked the delegation tab per your instructions and the Domain Administrators group has Full Control (including Read and Apply) to the GPO. The account I am loggin onto the server in question with is a member of the Domain Admins group.
0
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22843048
I´m afraid,you won´t be able to evade the password autorization if Microsoft did a good job, sorry.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:otifrank
ID: 22843968
Not to be disrespectful but, I don' understand your last comment. Can you calrify what you mean?
0
 

Author Comment

by:otifrank
ID: 22843977
err.. I mean CLARIFY

sorry
0
 
LVL 6

Assisted Solution

by:Leon Teale
Leon Teale earned 75 total points
ID: 22848573
sorry...i just meant..that if microsoft did a good job with this product ( which they did, as the point is for there not to be a way to get round the password authentication) then there aint no way of getting in...sorry mate
0
 

Accepted Solution

by:
otifrank earned 0 total points
ID: 22849436
I have arrived at a solution through my own troubleshooting.

It appears as though my culprit is the Internet Explorer Enhanced Security Configuration component. Apparently, as I stated in my original problem description, the GPO settings were being delivered (As witnessed in the gpresult output) but the IEESC was filtering out the settings. From the looks of things IEESC takes control after your desktop has been initialized, and thus after GPO processing has completed, and then IT controls what settings you get.

The IEESC component has 2 pieces. The settings for Administrative users and the settings for Other Users. Simply removing the Administrative settings piece, caused things to begin to function as I intended. This was done via Control Panel/Add Remove Programs/Internet Explorer Enhanced Security Configuration/Details.. then unchecking the Administrative Users piece.

Thank You to all who offered their support.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question