Solved

Internet Explorer Maintenance in a GPO

Posted on 2009-05-13
16
416 Views
Last Modified: 2012-05-06
Trying to decifer how this Internet Explorer Maintenance interacts with the Normal Administrative Template Settings.  I currently use IEM to push a false proxy address to all my users to block web access.  I have a reversing policy that a security group has access to and this is how we control internet access.  That is all i have configured there.  I use the administrative templates to lock down internet explorer including the ability to get into the connection and proxy information.

I read an article online that stated that the IEM will only apply it's settings if the setting
Admin Templates > System > Group Policy - IEM Policy processing is enabled.

is this true?  I have it set to disabled and everything is working.  The article kind of leaned towards the use of one or the other.

could someone elaborate more because i am not getting this.  The reason for my post is that i have 1 user (who up until recently was working just fine) who's IE security tab is being locked down.  None of the other users have this issue and this user has the same group memberships, same rights, same everything.   I think it may have something to do with my setup.
0
Comment
Question by:beaconlightboy
  • 11
  • 5
16 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374233
My understanding of this policy is that it allows you to specify when IEM policies are processed.

If you enable it, you can restrict when IEM maintenance policies are processed, e.g. if you don't want policies to be processed across a WAN, enable it and then do not select 'Allow processing across a slow WAN connection'.

If it's disabled or not configured, then IEM maintenance policies will be processed the same as other group policies.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374258
Have a look at this : http://technet.microsoft.com/en-us/library/cc978526.aspx

With regards to the user having problems, run an RSoP query first of all (rsop.msc) and see exactly what policy settings are being applied from where.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374275
blunt - when i run the rsop, it tells me the same thing it does for any other user.  the policy comes back the same.  but this users security tab is locked.

what's interesting is that when you run a rsop on a user, you get far less information than if you run it on the ou the user is in.  
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 500 total points
ID: 24374488
The difference in the results for an OU and a use might be the result of the security filtering you have applied. Running a query against the OU wouldn't take this into account.

How about running a gpresult on the affected machine/user login, does this show any difference? If you're using the IEM Policy processing, I would set it to 'not configured' as well.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374570
blunt - already did a gpresult, the problem user and a good user's results are identical.  I have the IEM policy set to 'not configured'.  This is what's blowing my mind.  It doesn't make any sense.  I even tried wiping the profiles as sometimes the profiles get stupid.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375385
On the machine, does the following reg value exist:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab (DWORD = 1)

The is the registry setting that the GPO modifies. If it does, delete the value or set it to 0.

Then run a gpupdate and see if it re-appears.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375791
           GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

this is what i get back from a verbose gpresult.  the interesting thing is that so does the user that's working.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375836
The key you mention above does not even exist in this users registry.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375846
which is odd because gpresult lists it.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375924
How about the same key but in HKLM? There is a GPO setting which sets this key:

Computer Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Disable the security page

This writes to the same value but in HKLM.

Even if you don't have this policy set, I would check the machine's registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375975
That key doesn't exist in HKLM.  i checked it from the user's session and from remote registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376075
here is the verbose gpresult file for you to look at.  if that will help.
linda.txt
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376240
Ok, here's an update.  I copied the user's account in active directory who is having the problem.  I then logged in as the copy.  i have the same problem.  I then copied the user who is working, and when i log in as the good copy, it is still not working.  so, why would a copy of a good user not work when they are in the same ou?  this is bizzare.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24384833
here's some more info.

i find these two keys repeatedly in the gpresult output.  any ideas what they map to in the GPO snapin?

            GPO: Accounting TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Accounting TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24385149
Ok - i have found that this key actually makes the tab disappear.

                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

 My user has the tab, you just can't change anything in it.
0
 
LVL 3

Accepted Solution

by:
beaconlightboy earned 0 total points
ID: 24492270
This was caused by a bad default user profile.  Go figure that out.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now