Internet Explorer Maintenance in a GPO

Trying to decifer how this Internet Explorer Maintenance interacts with the Normal Administrative Template Settings.  I currently use IEM to push a false proxy address to all my users to block web access.  I have a reversing policy that a security group has access to and this is how we control internet access.  That is all i have configured there.  I use the administrative templates to lock down internet explorer including the ability to get into the connection and proxy information.

I read an article online that stated that the IEM will only apply it's settings if the setting
Admin Templates > System > Group Policy - IEM Policy processing is enabled.

is this true?  I have it set to disabled and everything is working.  The article kind of leaned towards the use of one or the other.

could someone elaborate more because i am not getting this.  The reason for my post is that i have 1 user (who up until recently was working just fine) who's IE security tab is being locked down.  None of the other users have this issue and this user has the same group memberships, same rights, same everything.   I think it may have something to do with my setup.
LVL 3
beaconlightboyAsked:
Who is Participating?
 
beaconlightboyConnect With a Mentor Author Commented:
This was caused by a bad default user profile.  Go figure that out.
0
 
bluntTonyCommented:
My understanding of this policy is that it allows you to specify when IEM policies are processed.

If you enable it, you can restrict when IEM maintenance policies are processed, e.g. if you don't want policies to be processed across a WAN, enable it and then do not select 'Allow processing across a slow WAN connection'.

If it's disabled or not configured, then IEM maintenance policies will be processed the same as other group policies.
0
 
bluntTonyCommented:
Have a look at this : http://technet.microsoft.com/en-us/library/cc978526.aspx

With regards to the user having problems, run an RSoP query first of all (rsop.msc) and see exactly what policy settings are being applied from where.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
beaconlightboyAuthor Commented:
blunt - when i run the rsop, it tells me the same thing it does for any other user.  the policy comes back the same.  but this users security tab is locked.

what's interesting is that when you run a rsop on a user, you get far less information than if you run it on the ou the user is in.  
0
 
bluntTonyConnect With a Mentor Commented:
The difference in the results for an OU and a use might be the result of the security filtering you have applied. Running a query against the OU wouldn't take this into account.

How about running a gpresult on the affected machine/user login, does this show any difference? If you're using the IEM Policy processing, I would set it to 'not configured' as well.
0
 
beaconlightboyAuthor Commented:
blunt - already did a gpresult, the problem user and a good user's results are identical.  I have the IEM policy set to 'not configured'.  This is what's blowing my mind.  It doesn't make any sense.  I even tried wiping the profiles as sometimes the profiles get stupid.
0
 
bluntTonyCommented:
On the machine, does the following reg value exist:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab (DWORD = 1)

The is the registry setting that the GPO modifies. If it does, delete the value or set it to 0.

Then run a gpupdate and see if it re-appears.
0
 
beaconlightboyAuthor Commented:
           GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

this is what i get back from a verbose gpresult.  the interesting thing is that so does the user that's working.
0
 
beaconlightboyAuthor Commented:
The key you mention above does not even exist in this users registry.
0
 
beaconlightboyAuthor Commented:
which is odd because gpresult lists it.
0
 
bluntTonyCommented:
How about the same key but in HKLM? There is a GPO setting which sets this key:

Computer Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Disable the security page

This writes to the same value but in HKLM.

Even if you don't have this policy set, I would check the machine's registry.
0
 
beaconlightboyAuthor Commented:
That key doesn't exist in HKLM.  i checked it from the user's session and from remote registry.
0
 
beaconlightboyAuthor Commented:
here is the verbose gpresult file for you to look at.  if that will help.
linda.txt
0
 
beaconlightboyAuthor Commented:
Ok, here's an update.  I copied the user's account in active directory who is having the problem.  I then logged in as the copy.  i have the same problem.  I then copied the user who is working, and when i log in as the good copy, it is still not working.  so, why would a copy of a good user not work when they are in the same ou?  this is bizzare.
0
 
beaconlightboyAuthor Commented:
here's some more info.

i find these two keys repeatedly in the gpresult output.  any ideas what they map to in the GPO snapin?

            GPO: Accounting TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Accounting TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled
0
 
beaconlightboyAuthor Commented:
Ok - i have found that this key actually makes the tab disappear.

                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

 My user has the tab, you just can't change anything in it.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.