
Internet Explorer Maintenance in a GPO

Posted on 2009-05-13
Last Modified: 2012-05-06
Trying to decipher how this Internet Explorer Maintenance interacts with the normal Administrative Template settings.  I currently use IEM to push a false proxy address to all my users to block web access.  I have a reversing policy that a security group has access to, and this is how we control internet access.  That is all I have configured there.  I use the administrative templates to lock down Internet Explorer, including the ability to get into the connection and proxy information.

I read an article online that stated that the IEM will only apply its settings if the setting
Admin Templates > System > Group Policy - IEM Policy processing is enabled.

Is this true?  I have it set to disabled and everything is working.  The article kind of leaned towards the use of one or the other.

Could someone elaborate more, because I am not getting this.  The reason for my post is that I have 1 user (who up until recently was working just fine) whose IE security tab is being locked down.  None of the other users have this issue and this user has the same group memberships, same rights, same everything.  I think it may have something to do with my setup.
Question by:beaconlightboy
16 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374233
My understanding of this policy is that it allows you to specify when IEM policies are processed.

If you enable it, you can restrict when IEM maintenance policies are processed, e.g. if you don't want policies to be processed across a WAN, enable it and then do not select 'Allow processing across a slow WAN connection'.

If it's disabled or not configured, then IEM maintenance policies will be processed the same as other group policies.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24374258
Have a look at this : http://technet.microsoft.com/en-us/library/cc978526.aspx

With regards to the user having problems, run an RSoP query first of all (rsop.msc) and see exactly what policy settings are being applied from where.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374275
blunt - when I run the RSoP, it tells me the same thing it does for any other user.  The policy comes back the same, but this user's security tab is locked.

What's interesting is that when you run an RSoP on a user, you get far less information than if you run it on the OU the user is in.
0
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 2000 total points
ID: 24374488
The difference in the results for an OU and a user might be the result of the security filtering you have applied. Running a query against the OU wouldn't take this into account.

How about running a gpresult on the affected machine/user login, does this show any difference? If you're using the IEM Policy processing, I would set it to 'not configured' as well.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24374570
blunt - already did a gpresult, the problem user and a good user's results are identical.  I have the IEM policy set to 'not configured'.  This is what's blowing my mind.  It doesn't make any sense.  I even tried wiping the profiles as sometimes the profiles get stupid.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375385
On the machine, does the following reg value exist:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab (DWORD = 1)

This is the registry setting that the GPO modifies. If it does, delete the value or set it to 0.

Then run a gpupdate and see if it re-appears.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375791
           GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

This is what I get back from a verbose gpresult.  The interesting thing is that so does the user that's working.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375836
The key you mention above does not even exist in this user's registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375846
Which is odd because gpresult lists it.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24375924
How about the same key but in HKLM? There is a GPO setting which sets this key:

Computer Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Disable the security page

This writes to the same value but in HKLM.

Even if you don't have this policy set, I would check the machine's registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24375975
That key doesn't exist in HKLM.  I checked it from the user's session and from remote registry.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376075
Here is the verbose gpresult file for you to look at, if that will help.
linda.txt
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24376240
Ok, here's an update.  I copied the user's account in Active Directory who is having the problem.  I then logged in as the copy.  I have the same problem.  I then copied the user who is working, and when I log in as the good copy, it is still not working.  So, why would a copy of a good user not work when they are in the same OU?  This is bizarre.
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24384833
Here's some more info.

I find these two keys repeatedly in the gpresult output.  Any ideas what they map to in the GPO snap-in?

            GPO: Accounting TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Accounting TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

            GPO: TS Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab
                Value:       1, 0, 0, 0
                State:       Enabled
0
 
LVL 3

Author Comment

by:beaconlightboy
ID: 24385149
Ok - I have found that this key actually makes the tab disappear.

                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
                State:       disabled

 My user has the tab, you just can't change anything in it.
0
 
LVL 3

Accepted Solution

by:
beaconlightboy earned 0 total points
ID: 24492270
This was caused by a bad default user profile.  Go figure that out.
0
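
The registry checks made by hand in this thread (the SecurityTab value in HKCU and HKLM, and the NoSecurityTab value that shows up in the gpresult output) can be collected in one pass. This is an added example, not part of the original posts; the key paths and value names are the ones quoted above, while the function name and report layout are illustrative assumptions.

```powershell
# Added example: report the state of the policy values named in this thread.
# Run it inside the affected user's session so HKCU is that user's hive.
$checks = @(
    @{ SubKey = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Name   = 'SecurityTab' },
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoSecurityTab' }
)

# Hypothetical helper: distinguishes "key absent", "value absent" and "present".
function Get-PolicyValueState {
    param(
        [string]$Hive,     # HKCU or HKLM
        [string]$SubKey,
        [string]$Name
    )
    $path = "${Hive}:\$SubKey"
    if (-not (Test-Path -Path $path)) {
        return 'key absent'
    }
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'value absent'
    }
    return "present = $($item.$Name)"
}

$report = foreach ($check in $checks) {
    foreach ($hive in 'HKCU', 'HKLM') {
        New-Object PSObject -Property @{
            User  = $env:USERNAME
            Hive  = $hive
            Value = $check.Name
            State = Get-PolicyValueState -Hive $hive -SubKey $check.SubKey -Name $check.Name
        }
    }
}

# One row per hive/value pair; save it to diff against another user's run.
$report | Select-Object User, Hive, Value, State | Format-Table -AutoSize
```

Run it once as the affected user and once as a working user, then compare both reports with the verbose gpresult output for the same logons.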
