Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Internet Explorer Maintenance in a GPO

Posted on 2009-05-13
16
419 Views
Last Modified: 2012-05-06
Trying to decifer how this Internet Explorer Maintenance interacts with the Normal Administrative Template Settings.  I currently use IEM to push a false proxy address to all my users to block web access.  I have a reversing policy that a security group has access to and this is how we control internet access.  That is all i have configured there.  I use the administrative templates to lock down internet explorer including the ability to get into the connection and proxy information.

I read an article online that stated that the IEM will only apply it's settings if the setting
Admin Templates > System > Group Policy - IEM Policy processing is enabled.

is this true?  I have it set to disabled and everything is working.  The article kind of leaned towards the use of one or the other.

could someone elaborate more because i am not getting this.  The reason for my post is that i have 1 user (who up until recently was working just fine) who's IE security tab is being locked down.  None of the other users have this issue and this user has the same group memberships, same rights, same everything.   I think it may have something to do with my setup.
0
Comment
Question by:beaconlightboy
  • 11
  • 5
16 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374233
My understanding of this policy is that it allows you to specify when IEM policies are processed.

If you enable it, you can restrict when IEM maintenance policies are processed, e.g. if you don't want policies to be processed across a WAN, enable it and then do not select 'Allow processing across a slow WAN connection'.

If it's disabled or not configured, then IEM maintenance policies will be processed the same as other group policies.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374258
Have a look at this : http://technet.microsoft.com/en-us/library/cc978526.aspx

With regards to the user having problems, run an RSoP query first of all (rsop.msc) and see exactly what policy settings are being applied from where.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374275
blunt - when i run the rsop, it tells me the same thing it does for any other user.  the policy comes back the same.  but this users security tab is locked.

what's interesting is that when you run a rsop on a user, you get far less information than if you run it on the ou the user is in.  
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 500 total points
ID: 24374488
The difference in the results for an OU and a use might be the result of the security filtering you have applied. Running a query against the OU wouldn't take this into account.

How about running a gpresult on the affected machine/user login, does this show any difference? If you're using the IEM Policy processing, I would set it to 'not configured' as well.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374570
blunt - already did a gpresult, the problem user and a good user's results are identical.  I have the IEM policy set to 'not configured'.  This is what's blowing my mind.  It doesn't make any sense.  I even tried wiping the profiles as sometimes the profiles get stupid.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375385
On the machine, does the following reg value exist:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab (DWORD = 1)

The is the registry setting that the GPO modifies. If it does, delete the value or set it to 0.

Then run a gpupdate and see if it re-appears.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375791
           GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

this is what i get back from a verbose gpresult.  the interesting thing is that so does the user that's working.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375836
The key you mention above does not even exist in this users registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375846
which is odd because gpresult lists it.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375924
How about the same key but in HKLM? There is a GPO setting which sets this key:

Computer Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Disable the security page

This writes to the same value but in HKLM.

Even if you don't have this policy set, I would check the machine's registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375975
That key doesn't exist in HKLM.  i checked it from the user's session and from remote registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376075
here is the verbose gpresult file for you to look at.  if that will help.
linda.txt
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376240
Ok, here's an update.  I copied the user's account in active directory who is having the problem.  I then logged in as the copy.  i have the same problem.  I then copied the user who is working, and when i log in as the good copy, it is still not working.  so, why would a copy of a good user not work when they are in the same ou?  this is bizzare.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24384833
here's some more info.

i find these two keys repeatedly in the gpresult output.  any ideas what they map to in the GPO snapin?

            GPO: Accounting TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Accounting TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24385149
Ok - i have found that this key actually makes the tab disappear.

                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

 My user has the tab, you just can't change anything in it.
0
 
LVL 3

Accepted Solution

by:
beaconlightboy earned 0 total points
ID: 24492270
This was caused by a bad default user profile.  Go figure that out.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question