Solved

Internet Explorer Maintenance in a GPO

Posted on 2009-05-13
16
420 Views
Last Modified: 2012-05-06
Trying to decifer how this Internet Explorer Maintenance interacts with the Normal Administrative Template Settings.  I currently use IEM to push a false proxy address to all my users to block web access.  I have a reversing policy that a security group has access to and this is how we control internet access.  That is all i have configured there.  I use the administrative templates to lock down internet explorer including the ability to get into the connection and proxy information.

I read an article online that stated that the IEM will only apply it's settings if the setting
Admin Templates > System > Group Policy - IEM Policy processing is enabled.

is this true?  I have it set to disabled and everything is working.  The article kind of leaned towards the use of one or the other.

could someone elaborate more because i am not getting this.  The reason for my post is that i have 1 user (who up until recently was working just fine) who's IE security tab is being locked down.  None of the other users have this issue and this user has the same group memberships, same rights, same everything.   I think it may have something to do with my setup.
0
Comment
Question by:beaconlightboy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 5
16 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374233
My understanding of this policy is that it allows you to specify when IEM policies are processed.

If you enable it, you can restrict when IEM maintenance policies are processed, e.g. if you don't want policies to be processed across a WAN, enable it and then do not select 'Allow processing across a slow WAN connection'.

If it's disabled or not configured, then IEM maintenance policies will be processed the same as other group policies.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374258
Have a look at this : http://technet.microsoft.com/en-us/library/cc978526.aspx

With regards to the user having problems, run an RSoP query first of all (rsop.msc) and see exactly what policy settings are being applied from where.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374275
blunt - when i run the rsop, it tells me the same thing it does for any other user.  the policy comes back the same.  but this users security tab is locked.

what's interesting is that when you run a rsop on a user, you get far less information than if you run it on the ou the user is in.  
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 500 total points
ID: 24374488
The difference in the results for an OU and a use might be the result of the security filtering you have applied. Running a query against the OU wouldn't take this into account.

How about running a gpresult on the affected machine/user login, does this show any difference? If you're using the IEM Policy processing, I would set it to 'not configured' as well.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374570
blunt - already did a gpresult, the problem user and a good user's results are identical.  I have the IEM policy set to 'not configured'.  This is what's blowing my mind.  It doesn't make any sense.  I even tried wiping the profiles as sometimes the profiles get stupid.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375385
On the machine, does the following reg value exist:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab (DWORD = 1)

The is the registry setting that the GPO modifies. If it does, delete the value or set it to 0.

Then run a gpupdate and see if it re-appears.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375791
           GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

this is what i get back from a verbose gpresult.  the interesting thing is that so does the user that's working.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375836
The key you mention above does not even exist in this users registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375846
which is odd because gpresult lists it.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375924
How about the same key but in HKLM? There is a GPO setting which sets this key:

Computer Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Disable the security page

This writes to the same value but in HKLM.

Even if you don't have this policy set, I would check the machine's registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375975
That key doesn't exist in HKLM.  i checked it from the user's session and from remote registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376075
here is the verbose gpresult file for you to look at.  if that will help.
linda.txt
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376240
Ok, here's an update.  I copied the user's account in active directory who is having the problem.  I then logged in as the copy.  i have the same problem.  I then copied the user who is working, and when i log in as the good copy, it is still not working.  so, why would a copy of a good user not work when they are in the same ou?  this is bizzare.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24384833
here's some more info.

i find these two keys repeatedly in the gpresult output.  any ideas what they map to in the GPO snapin?

            GPO: Accounting TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Accounting TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24385149
Ok - i have found that this key actually makes the tab disappear.

                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

 My user has the tab, you just can't change anything in it.
0
 
LVL 3

Accepted Solution

by:
beaconlightboy earned 0 total points
ID: 24492270
This was caused by a bad default user profile.  Go figure that out.
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Migrate PKI into AWS - lift and shift. 1 56
AD account Auto logoff 1 39
DNS forwarders "unable to resolve" 1 69
Local admin account 3 45
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question